Closed Bug 420991 Opened 16 years ago Closed 15 years ago

libPKIX returns wrong NSS error code

Categories

(NSS :: Libraries, defect, P2)

Product:
NSS
Component:
Libraries
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED FIXED
Milestone:
3.12.4

People

(Reporter: nelson, Assigned: alvolkov.bgs)

References

Details

(Keywords: regression, Whiteboard: PKIX SUN_MUST_HAVE MOZ)

Attachments

(1 file, 4 obsolete files)

Patch v3 - make cert selector to report the reason why a cert was filtered out (checked in)
41.64 KB, patch
nelson
: review+
Details | Diff | Splinter Review 
There are some certs attached to bug 390381 that constitute a chain.
The SSL server cert in that chain is now expired. 

Whenever I attempt to validate that chain with libPKIX using either of the 
two commands shown below, the validation fails (as expected).  The error code 
returned is  -8164: This certificate is not valid.

It SHOULD be -8181: Peer's Certificate has expired.

> NSS_ENABLE_PKIX_VERIFY=1 vfychain -u 1 -v cert.000 cert.001
That commend uses libPKIX the old CERT_VerifyCert API.

> vfychain -u 1 -v -p cert.000 cert.001
tests the above chain using the new CERT_PKIXVerifyCert function

This is Major because if NSS returns meaningless error codes, we will be 
INUNDATED with unwanted questions asking "what does this mean?"
Priority: -- → P1
Whiteboard: NSS312 PKIX
Generalizing the subject of the bug.

Found another case, when pkix return incorrect nss error code. Cert is attached.

Returns:
 -8174 - security library: bad database.

Should be:
 -8179: Peer's Certificate issuer is not recognized.
Summary: libPKIX returns wrong NSS error code for expired cert → libPKIX returns wrong NSS error code
Attached file Cert1 (obsolete) — 

    
    

    
  
There are many cases where the wrong error code is reported.  If we try to 
combine all of them into just one bug, that bug will never get completely
fixed.  So, let's create separate bugs for other cases where the wrong 
error code is returned.  
No longer blocks: NSS312regressions
Priority: P1 → P2
Whiteboard: NSS312 PKIX → PKIX
Target Milestone: 3.12 → 3.12.1

    
    

    
  
Comment on attachment 312399 [details]
Cert1

libpkix now produce the correct error code while validating the cert.

        Attachment #312399 -
        Attachment is obsolete: true

    
  
OS: Windows XP → All

    
  
Target Milestone: 3.12.1 → 3.12.2

    
  
Whiteboard: PKIX → PKIX SUN_MUST_HAVE
Target Milestone: 3.12.2 → 3.12.3
Blocks: psm-pkix

    
  
Whiteboard: PKIX SUN_MUST_HAVE → PKIX SUN_MUST_HAVE MOZ

    
    

    
  
Found one more case when returned error code is incorrect. This happens when validating a cert that was not approved for a particular usage of a key defined in extended key usage extension. In this case libpkix report the default error code that tells that certificate issuer was not found. Instead, it should report

    -8101 = Certificate type not approved for application.

    
    

    
  


  
The patch modifies cert selector to return pkix error every time it rejected a cert. Passing verify node into cert selector will help deliver multiple cert selector errors to the upper level of the code.

        Attachment #370942 -
        Flags: review?(nelson)
Target Milestone: 3.12.3 → 3.12.4

    
    

    
  


  
Code is adjusted to new changes to cert selector api.

        Attachment #370942 -
        Attachment is obsolete: true

        Attachment #371726 -
        Flags: review?(nelson)

        Attachment #370942 -
        Flags: review?(nelson)

    
    

    
  
A memory leak was found during the review. r-

    
  

        Attachment #371726 -
        Flags: review?(nelson) → review-

    
    

    
  


  
Fix memory leak(leaking pkix error object) that may happen in case of error returned by cert selector.

        Attachment #371726 -
        Attachment is obsolete: true

        Attachment #371749 -
        Flags: review?(nelson)

        Attachment #371749 -
        Flags: review?(nelson) → review+

    
    

    
  
Comment on attachment 371749 [details] [diff] [review]
Patch v3 - make cert selector to report the reason why a cert was filtered out (checked in)

r=nelson

    
  

        Attachment #371749 -
        Attachment description: Patch v3 - make cert selector to report the reason why a cert was filtered out → Patch v3 - make cert selector to report the reason why a cert was filtered out (checked in)

    
  
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED

    
    

    
  
Alexei,
Your checkin broke the build.

cc -o SunOS5.10_i86pc_DBG.OBJ/pkix_targetcertchecker.o -c -g -KPIC -DSVR4 -DSYSV -D__svr4 -D__svr4__ -DSOLARIS -D_REENTRANT -Di386 -DSOLARIS2_10 -D_SVID_GETTOD  -xs -DXP_UNIX -DDEBUG -UNDEBUG -DDEBUG_jp96085 -DNSS_ENABLE_ECC -DNSS_ECC_MORE_THAN_SUITE_B -DUSE_UTIL_DIRECTLY -I/usr/dt/include -I/usr/openwin/include -I../../../../../../dist/SunOS5.10_i86pc_DBG.OBJ/include -I../../../../../../dist/public/nss -I../../../../../../dist/private/nss -I../../../../../../dist/public/dbm  pkix_targetcertchecker.c
"pkix_targetcertchecker.c", line 382: prototype mismatch: 4 args passed, 3 expected
cc: acomp failed for pkix_targetcertchecker.c
gmake[4]: *** [SunOS5.10_i86pc_DBG.OBJ/pkix_targetcertchecker.o] Error 2
gmake[4]: Leaving directory `/h/monstre/export/home/julien/nss/virgin/mozilla/security/nss/lib/libpkix/pkix/checker'
gmake[3]: *** [libs] Error 2
gmake[3]: Leaving directory `/h/monstre/export/home/julien/nss/virgin/mozilla/security/nss/lib/libpkix/pkix'
gmake[2]: *** [libs] Error 2
gmake[2]: Leaving directory `/h/monstre/export/home/julien/nss/virgin/mozilla/security/nss/lib/libpkix'
gmake[1]: *** [libs] Error 2
gmake[1]: Leaving directory `/h/monstre/export/home/julien/nss/virgin/mozilla/security/nss/lib'
gmake: *** [libs] Error 2
28.57u 5.02s 0:52.22 64.3%

    
  
Status: RESOLVED → REOPENED
Resolution: FIXED → ---

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Fix build (obsolete)
        — Splinter Review
      

    


  
I am not sure if this is the correct fix, and I have not tested the runtime yet. But at least it will build.

        Attachment #372130 -
        Flags: review?(alexei.volkov.bugs)

    
  

        Attachment #372130 -
        Attachment is obsolete: true

        Attachment #372130 -
        Flags: review?(alexei.volkov.bugs)

    
    

    
  
Comment on attachment 372130 [details] [diff] [review]
Fix build

Cancelling review, since Alexei checked in a fix.
all.sh is green on my machine (without IOPR or NIST PKITS tests).

    
  
Status: REOPENED → RESOLVED
Closed: 15 years ago15 years ago
Resolution: --- → FIXED
Hardware: x86 → All

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: