Closed
Bug 411614
Opened 17 years ago
Closed 17 years ago
Explicit Policy does not seem to work.
Categories
(NSS :: Libraries, defect, P1)
Tracking
(Not tracked)
RESOLVED
FIXED
3.12
People
(Reporter: rrelyea, Assigned: alvolkov.bgs)
References
Details
(Whiteboard: NSS312B1)
Attachments
(11 files)
4.79 KB,
text/plain
|
Details | |
5.30 KB,
text/plain
|
Details | |
3.55 KB,
text/plain
|
Details | |
3.70 KB,
text/plain
|
Details | |
3.36 KB,
text/plain
|
Details | |
2.34 KB,
text/plain
|
Details | |
2.43 KB,
text/plain
|
Details | |
1.36 KB,
text/plain
|
Details | |
1.53 KB,
text/plain
|
Details | |
1.73 KB,
text/plain
|
Details | |
759 bytes,
patch
|
alvolkov.bgs
:
review+
nelson
:
review+
|
Details | Diff | Splinter Review |
I have assumed that ExplicitPolicy means that intermediates must have either the AnyPolicy oid or every explicit Policy it supports up the chain.
This does not seem to be the case in our pkix code. It seems to accept certificates which do not explicitly have any policy specified. This is causing us to select the wrong path when validating EV certs. The PKIX code is happily accepting chains with no policy to validate a specifically requested policy.
Reporter | ||
Comment 1•17 years ago
|
||
This bug is resulting in
[Bug 406755] EV certs not recognized as EV with some cross-certification scenarios
One test case is to try the test scenarios in the bug.
I have also extracted the failing chains and will attach them to this bug.
Reporter | ||
Comment 2•17 years ago
|
||
Reporter | ||
Comment 3•17 years ago
|
||
Reporter | ||
Comment 4•17 years ago
|
||
Reporter | ||
Comment 5•17 years ago
|
||
Reporter | ||
Comment 6•17 years ago
|
||
Reporter | ||
Comment 7•17 years ago
|
||
Reporter | ||
Updated•17 years ago
|
Attachment #296276 -
Attachment mime type: application/certificate → application/x-certificate
Reporter | ||
Updated•17 years ago
|
Attachment #296276 -
Attachment mime type: application/x-certificate → text/plain
Reporter | ||
Comment 8•17 years ago
|
||
Reporter | ||
Comment 9•17 years ago
|
||
Reporter | ||
Comment 10•17 years ago
|
||
Reporter | ||
Comment 11•17 years ago
|
||
Reporter | ||
Comment 12•17 years ago
|
||
This collection of certificates represents 2 possible validations paths.
On path is valid for the policy oid OID.2.16.840.1.114412.2.1.
The other patch should not be valid for that policy oid if explicit is set.
The path that should be valid is:
Digicert Leaf Cert
^
|
Digicert EV Intermediate Cert
^
|
Digicert EV Root Cert
libPKIX will correctly validate this path, however it also claims the following
path is valid:
Digicert Leaf Cert
^
|
Digicert EV Intermediate Cert
^
|
Digicert EV Cross Cert with Entrust
^
|
Entrust Root Cert
Even though the 'Digicert EV Cross Cert with Entrust' has no explicit policies.
bob
Updated•17 years ago
|
Severity: normal → major
Priority: -- → P1
Whiteboard: NSS312B1
Version: 3.12 → trunk
Reporter | ||
Comment 13•17 years ago
|
||
The order of the arguments to the init checker function was incorrect, changing the meaning of 'initExplicit' to 'initInhibitAnyPolicy'.
Alexi, we should check that initInhibitAnyPolicy actually works, since we should have tripped over that issue when validating Verisign EV chains.
With this fix, LibPKIX will correctly select the EV validation chains over the non-EV. (I'm now able to consistantly validate digitcert and trustwave EV sites).
Attachment #296435 -
Flags: review?(alexei.volkov.bugs)
Comment 14•17 years ago
|
||
Comment on attachment 296435 [details] [diff] [review]
use correct order when passing policy args to the checker init function
This patch is correct. Was that the whole problem?
Attachment #296435 -
Flags: review+
Reporter | ||
Comment 15•17 years ago
|
||
It appears to be. Making the change causes the bad paths to be rejected, leaving only good paths. This patch with the patch in bug 406755, and downloading and trusting the new Secure Trust CA causes all the links in the bug to (correctly) validate as EV.
Assignee | ||
Updated•17 years ago
|
Attachment #296435 -
Flags: review?(alexei.volkov.bugs) → review+
Comment 16•17 years ago
|
||
In reply to comment 13:
> we should check that initInhibitAnyPolicy actually works, since we
> should have tripped over that issue when validating Verisign EV chains.
I think you're suggesting that a Verisign EV cert whose issuer cert
contains a certificatePolicies extension bearing the special anyPolicy
should fail validation if initInhibitAnyPolicy is true. I don't agree.
The InhibitAnyPolicy feature effectively causes the anyPolicy policy to
be ignored. So, when anyPolicy is inhibited, a cert whose only policy
OID is anyPolicy will be treated like a cert that has no policy OID.
This will not cause the path validation to fail UNLESS explicit policy
checking is also enabled. In other words, InhibitAnyPolicy is pretty
meaningless unless we're doing explicit policy checking.
As I understand it, the bug was causing the inhibitAnyPolicy and
explicitPolicy bits to be interchanged, so that an attempt to set
explicitPolicy was actually setting inhibitAnyPolicy but was NOT
setting explicit policy. Consequently, since it was not doing
explicit policy checking, the NULL policy tree caused by the inhibited
anyPolicy was not fatal to the validation. (I hope I've expressed that
clearly.)
Nevertheless, this clearly shows that we need to test the various
combinations of policy checking flags. I filed bug 411795 about that.
Reporter | ||
Comment 17•17 years ago
|
||
yes, you are right! That completely explains what we are seeing. (phew!)
bob
Reporter | ||
Comment 18•17 years ago
|
||
patch checked in.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•