Closed Bug 420991 Opened 12 years ago Closed 11 years ago

libPKIX returns wrong NSS error code

Categories

(NSS :: Libraries, defect, P2, major)

Tracking

(Not tracked)

RESOLVED FIXED
3.12.4

People

(Reporter: nelson, Assigned: alvolkov.bgs)

References

Details

(Keywords: regression, Whiteboard: PKIX SUN_MUST_HAVE MOZ)

Attachments

(1 file, 4 obsolete files)

There are some certs attached to bug 390381 that constitute a chain.
The SSL server cert in that chain is now expired. 

Whenever I attempt to validate that chain with libPKIX using either of the 
two commands shown below, the validation fails (as expected).  The error code 
returned is  -8164: This certificate is not valid.

It SHOULD be -8181: Peer's Certificate has expired.

> NSS_ENABLE_PKIX_VERIFY=1 vfychain -u 1 -v cert.000 cert.001
That commend uses libPKIX the old CERT_VerifyCert API.

> vfychain -u 1 -v -p cert.000 cert.001
tests the above chain using the new CERT_PKIXVerifyCert function

This is Major because if NSS returns meaningless error codes, we will be 
INUNDATED with unwanted questions asking "what does this mean?"
Priority: -- → P1
Whiteboard: NSS312 PKIX
Generalizing the subject of the bug.

Found another case, when pkix return incorrect nss error code. Cert is attached.

Returns:
 -8174 - security library: bad database.

Should be:
 -8179: Peer's Certificate issuer is not recognized.
Summary: libPKIX returns wrong NSS error code for expired cert → libPKIX returns wrong NSS error code
Attached file Cert1 (obsolete) —
There are many cases where the wrong error code is reported.  If we try to 
combine all of them into just one bug, that bug will never get completely
fixed.  So, let's create separate bugs for other cases where the wrong 
error code is returned.  
No longer blocks: NSS312regressions
Priority: P1 → P2
Whiteboard: NSS312 PKIX → PKIX
Target Milestone: 3.12 → 3.12.1
Comment on attachment 312399 [details]
Cert1

libpkix now produce the correct error code while validating the cert.
Attachment #312399 - Attachment is obsolete: true
OS: Windows XP → All
Target Milestone: 3.12.1 → 3.12.2
Whiteboard: PKIX → PKIX SUN_MUST_HAVE
Target Milestone: 3.12.2 → 3.12.3
Blocks: psm-pkix
Whiteboard: PKIX SUN_MUST_HAVE → PKIX SUN_MUST_HAVE MOZ
Found one more case when returned error code is incorrect. This happens when validating a cert that was not approved for a particular usage of a key defined in extended key usage extension. In this case libpkix report the default error code that tells that certificate issuer was not found. Instead, it should report

    -8101 = Certificate type not approved for application.
The patch modifies cert selector to return pkix error every time it rejected a cert. Passing verify node into cert selector will help deliver multiple cert selector errors to the upper level of the code.
Attachment #370942 - Flags: review?(nelson)
Target Milestone: 3.12.3 → 3.12.4
Code is adjusted to new changes to cert selector api.
Attachment #370942 - Attachment is obsolete: true
Attachment #371726 - Flags: review?(nelson)
Attachment #370942 - Flags: review?(nelson)
A memory leak was found during the review. r-
Attachment #371726 - Flags: review?(nelson) → review-
Fix memory leak(leaking pkix error object) that may happen in case of error returned by cert selector.
Attachment #371726 - Attachment is obsolete: true
Attachment #371749 - Flags: review?(nelson)
Attachment #371749 - Flags: review?(nelson) → review+
Comment on attachment 371749 [details] [diff] [review]
Patch v3 - make cert selector to report the reason why a cert was filtered out (checked in)

r=nelson
Attachment #371749 - Attachment description: Patch v3 - make cert selector to report the reason why a cert was filtered out → Patch v3 - make cert selector to report the reason why a cert was filtered out (checked in)
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Alexei,
Your checkin broke the build.

cc -o SunOS5.10_i86pc_DBG.OBJ/pkix_targetcertchecker.o -c -g -KPIC -DSVR4 -DSYSV -D__svr4 -D__svr4__ -DSOLARIS -D_REENTRANT -Di386 -DSOLARIS2_10 -D_SVID_GETTOD  -xs -DXP_UNIX -DDEBUG -UNDEBUG -DDEBUG_jp96085 -DNSS_ENABLE_ECC -DNSS_ECC_MORE_THAN_SUITE_B -DUSE_UTIL_DIRECTLY -I/usr/dt/include -I/usr/openwin/include -I../../../../../../dist/SunOS5.10_i86pc_DBG.OBJ/include -I../../../../../../dist/public/nss -I../../../../../../dist/private/nss -I../../../../../../dist/public/dbm  pkix_targetcertchecker.c
"pkix_targetcertchecker.c", line 382: prototype mismatch: 4 args passed, 3 expected
cc: acomp failed for pkix_targetcertchecker.c
gmake[4]: *** [SunOS5.10_i86pc_DBG.OBJ/pkix_targetcertchecker.o] Error 2
gmake[4]: Leaving directory `/h/monstre/export/home/julien/nss/virgin/mozilla/security/nss/lib/libpkix/pkix/checker'
gmake[3]: *** [libs] Error 2
gmake[3]: Leaving directory `/h/monstre/export/home/julien/nss/virgin/mozilla/security/nss/lib/libpkix/pkix'
gmake[2]: *** [libs] Error 2
gmake[2]: Leaving directory `/h/monstre/export/home/julien/nss/virgin/mozilla/security/nss/lib/libpkix'
gmake[1]: *** [libs] Error 2
gmake[1]: Leaving directory `/h/monstre/export/home/julien/nss/virgin/mozilla/security/nss/lib'
gmake: *** [libs] Error 2
28.57u 5.02s 0:52.22 64.3%
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Attached patch Fix build (obsolete) — Splinter Review
I am not sure if this is the correct fix, and I have not tested the runtime yet. But at least it will build.
Attachment #372130 - Flags: review?(alexei.volkov.bugs)
Attachment #372130 - Attachment is obsolete: true
Attachment #372130 - Flags: review?(alexei.volkov.bugs)
Comment on attachment 372130 [details] [diff] [review]
Fix build

Cancelling review, since Alexei checked in a fix.
all.sh is green on my machine (without IOPR or NIST PKITS tests).
Status: REOPENED → RESOLVED
Closed: 11 years ago11 years ago
Resolution: --- → FIXED
Hardware: x86 → All
You need to log in before you can comment on or make changes to this bug.