Closed Bug 420991 Opened 12 years ago Closed 11 years ago
PKIX returns wrong NSS error code
There are some certs attached to bug 390381 that constitute a chain. The SSL server cert in that chain is now expired. Whenever I attempt to validate that chain with libPKIX using either of the two commands shown below, the validation fails (as expected). The error code returned is -8164: This certificate is not valid. It SHOULD be -8181: Peer's Certificate has expired.

> NSS_ENABLE_PKIX_VERIFY=1 vfychain -u 1 -v cert.000 cert.001

That command uses libPKIX via the old CERT_VerifyCert API.

> vfychain -u 1 -v -p cert.000 cert.001

tests the above chain using the new CERT_PKIXVerifyCert function.

This is Major because if NSS returns meaningless error codes, we will be INUNDATED with unwanted questions asking "what does this mean?"
Priority: -- → P1
Whiteboard: NSS312 PKIX
Generalizing the subject of the bug. Found another case where PKIX returns an incorrect NSS error code. Cert is attached. Returns: -8174 - security library: bad database. Should be: -8179: Peer's Certificate issuer is not recognized.
Summary: libPKIX returns wrong NSS error code for expired cert → libPKIX returns wrong NSS error code
There are many cases where the wrong error code is reported. If we try to combine all of them into just one bug, that bug will never get completely fixed. So, let's create separate bugs for other cases where the wrong error code is returned.
No longer blocks: NSS312regressions
Priority: P1 → P2
Whiteboard: NSS312 PKIX → PKIX
Target Milestone: 3.12 → 3.12.1
Comment on attachment 312399 [details] Cert1
libpkix now produces the correct error code while validating the cert.
Attachment #312399 - Attachment is obsolete: true
Target Milestone: 3.12.2 → 3.12.3
Whiteboard: PKIX SUN_MUST_HAVE → PKIX SUN_MUST_HAVE MOZ
Found one more case where the returned error code is incorrect. This happens when validating a cert that was not approved for a particular key usage defined in the extended key usage extension. In this case libpkix reports the default error code, which says that the certificate issuer was not found. Instead, it should report -8101 = Certificate type not approved for application.
The patch modifies the cert selector to return a PKIX error every time it rejects a cert. Passing the verify node into the cert selector will help deliver multiple cert selector errors to the upper level of the code.
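The selector-error propagation described in the two comments above, as an added model (hypothetical Python written for this page, not NSS or libPKIX code): a toy chain builder whose cert selector records the reason it filtered a candidate out on a verify node, so that a dead end in the chain walk surfaces that specific NSS code instead of the default unknown-issuer code. The `Cert` and `VerifyNode` classes, the `propagate` flag and the sample PKI are assumptions; the three SEC_ERROR values are the ones quoted in this bug.

```python
# Hypothetical model of this bug's error attribution, not NSS/libPKIX code; only the SEC_ERROR values are real.
from dataclasses import dataclass, field
from datetime import date

SEC_ERROR_INADEQUATE_CERT_TYPE = -8101  # Certificate type not approved for application
SEC_ERROR_UNKNOWN_ISSUER = -8179        # Peer's Certificate issuer is not recognized
SEC_ERROR_EXPIRED_CERTIFICATE = -8181   # Peer's Certificate has expired

@dataclass
class Cert:  # constructed stand-in for CERTCertificate
    subject: str
    issuer: str
    not_after: date
    eku: frozenset = frozenset({"serverAuth"})
    trusted: bool = False

@dataclass
class VerifyNode:  # stand-in for the verify node the patch passes into the selector
    errors: list = field(default_factory=list)

def cert_selector(cand, subject, usage, today, node):
    """Accept `cand` as issuer of `subject`, else record why it was filtered out."""
    if cand.subject != subject.issuer:
        return False  # not a candidate at all; nothing worth reporting
    if cand.not_after < today:
        node.errors.append(SEC_ERROR_EXPIRED_CERTIFICATE)
        return False
    if usage not in cand.eku:
        node.errors.append(SEC_ERROR_INADEQUATE_CERT_TYPE)
        return False
    return True

def verify(leaf, store, usage, today, propagate=True):
    """Return 0 on success, else the NSS code a caller would read from PORT_GetError().
    propagate=False mimics pre-patch libPKIX: every dead end becomes UNKNOWN_ISSUER."""
    node, cur = VerifyNode(), leaf
    for _ in range(len(store) + 1):  # bounded walk; a chain cannot exceed the store
        if cur.trusted:
            return 0
        issuers = [c for c in store if c is not cur and cert_selector(c, cur, usage, today, node)]
        if not issuers:
            return node.errors[0] if propagate and node.errors else SEC_ERROR_UNKNOWN_ISSUER
        cur = issuers[0]
    return SEC_ERROR_UNKNOWN_ISSUER

# Constructed sample PKI: trusted root, a sub-CA whose EKU lacks serverAuth, two leaves.
TODAY = date(2009, 4, 1)
ROOT = Cert("Root CA", "Root CA", date(2020, 1, 1), frozenset({"serverAuth", "codeSigning"}), True)
CODE_SUB_CA = Cert("Code Sub CA", "Root CA", date(2020, 1, 1), frozenset({"codeSigning"}))
EKU_LEAF = Cert("www.example.test", "Code Sub CA", date(2010, 1, 1))
ORPHAN_LEAF = Cert("www.example.test", "Missing CA", date(2010, 1, 1))
```

With `propagate=False` the EKU mismatch on the sub-CA collapses into -8179, which is the symptom reported above; with the selector's reason carried on the verify node the caller sees -8101.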
Target Milestone: 3.12.3 → 3.12.4
Code is adjusted to the new changes to the cert selector API.
A memory leak was found during the review. r-
Fix memory leak (leaking PKIX error object) that may happen in case of an error returned by the cert selector.
Attachment #371749 - Flags: review?(nelson) → review+
Comment on attachment 371749 [details] [diff] [review] Patch v3 - make cert selector to report the reason why a cert was filtered out (checked in) r=nelson
Attachment #371749 - Attachment description: Patch v3 - make cert selector to report the reason why a cert was filtered out → Patch v3 - make cert selector to report the reason why a cert was filtered out (checked in)
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Alexei, Your checkin broke the build.

cc -o SunOS5.10_i86pc_DBG.OBJ/pkix_targetcertchecker.o -c -g -KPIC -DSVR4 -DSYSV -D__svr4 -D__svr4__ -DSOLARIS -D_REENTRANT -Di386 -DSOLARIS2_10 -D_SVID_GETTOD -xs -DXP_UNIX -DDEBUG -UNDEBUG -DDEBUG_jp96085 -DNSS_ENABLE_ECC -DNSS_ECC_MORE_THAN_SUITE_B -DUSE_UTIL_DIRECTLY -I/usr/dt/include -I/usr/openwin/include -I../../../../../../dist/SunOS5.10_i86pc_DBG.OBJ/include -I../../../../../../dist/public/nss -I../../../../../../dist/private/nss -I../../../../../../dist/public/dbm pkix_targetcertchecker.c
"pkix_targetcertchecker.c", line 382: prototype mismatch: 4 args passed, 3 expected
cc: acomp failed for pkix_targetcertchecker.c
gmake: *** [SunOS5.10_i86pc_DBG.OBJ/pkix_targetcertchecker.o] Error 2
gmake: Leaving directory `/h/monstre/export/home/julien/nss/virgin/mozilla/security/nss/lib/libpkix/pkix/checker'
gmake: *** [libs] Error 2
gmake: Leaving directory `/h/monstre/export/home/julien/nss/virgin/mozilla/security/nss/lib/libpkix/pkix'
gmake: *** [libs] Error 2
gmake: Leaving directory `/h/monstre/export/home/julien/nss/virgin/mozilla/security/nss/lib/libpkix'
gmake: *** [libs] Error 2
gmake: Leaving directory `/h/monstre/export/home/julien/nss/virgin/mozilla/security/nss/lib'
gmake: *** [libs] Error 2
28.57u 5.02s 0:52.22 64.3%
I am not sure if this is the correct fix, and I have not tested the runtime yet. But at least it will build.
Comment on attachment 372130 [details] [diff] [review] Fix build
Cancelling review, since Alexei checked in a fix. all.sh is green on my machine (without IOPR or NIST PKITS tests).
Status: REOPENED → RESOLVED
Closed: 11 years ago → 11 years ago
Resolution: --- → FIXED