Closed
Bug 436599
Opened 17 years ago
Closed 17 years ago
PKIX: AIA extension is not used in some Bridge CA / known certs configuration
Categories
(NSS :: Libraries, defect, P1)
Tracking
(Not tracked)
RESOLVED
FIXED
3.12.2
People
(Reporter: christophe.ravel.bugs, Assigned: alvolkov.bgs)
Details
(Whiteboard: PKIX SUN_MUST_HAVE)
Attachments
(6 files, 1 obsolete file)
Here is the PKI configuration:
Army     Navy
    \   /
    Bridge
      |
     CA1 (with AIA extension to Navy issued Bridge cert only)
      |
     EE1
Entity Army
    Type: Root CA
Entity Navy
    Type: Root CA
Entity Bridge
    Type: Bridge CA
    Issuer1: Army (cert referenced as ArmyBridge below)
    Issuer2: Navy (cert referenced as NavyBridge below)
Entity CA1
    Type: Intermediate CA
    Issuer: Bridge
    AIA extension: Navy issued cert for Bridge
Entity EE1
    Type: End Entity
    Issuer: CA1
---------
The test is to verify the EE1 cert given a list of known certs and a trusted anchor.
Case 1:
Known certs: EE1, CA1, Navy
Trusted anchor: Navy
In this case, the missing NavyBridge cert is fetched using the AIA extension and the chain is validated.
Case 2:
Known certs: EE1, CA1, ArmyBridge, Navy
Trusted anchor: Navy
This case is similar to case #1, except that we provide an extra cert (ArmyBridge). In this case, the AIA extension is not used and the validation of the chain fails.
It looks like libpkix is "fooled" into looking at the Army branch and doesn't go back to the CA1 cert to fetch the NavyBridge cert using the AIA extension.
More details to come...
Updated•17 years ago (Reporter)
Whiteboard: PKIX
Comment 1•17 years ago (Reporter)
NSS_DIR should be set to the location of NSS (where bin and lib are).
Example: export NSS_DIR=/mozilla/dist/SunOS5.10_DBG.OBJ
You need a running web server to run this test.
You also have to modify AIA_FILE and AIA_HTTP inside the script to match your environment (see instructions inside the script).
Comment 2•17 years ago (Reporter)
NSS_DIR should be set to the location of NSS (where bin and lib are).
Example: export NSS_DIR=/mozilla/dist/SunOS5.10_DBG.OBJ
You have to run the createPKI_bug436599.sh shell script first.
Comment 3•17 years ago
BTW, I'm not sure that "Case 2" in comment 0 is incorrect behavior.
It could be that fetching certs via AIA is only done when we have NO
cert for the issuer.
The questions are:
a) Do the standards tell us what is the correct/expected behavior here?
b) if not, what do we collectively think is the right behavior?
I can see arguments for and against fetching certs in "Case 2".
Comment 4•17 years ago (Reporter)
Graphical representation of the PKI configuration.
Comment 5•17 years ago (Reporter)
Graphical representation of the test case #1.
Comment 6•17 years ago (Reporter)
Graphical representation of the test case #2.
Comment 7•17 years ago (Reporter)
Results from the test:
$ ./test_bug436599.sh
Chain is good!
Root Certificate Subject:: "CN=Navy ROOT CA,O=Navy,C=US"
Certificate 1 Subject: "CN=EE1 EE,O=CA1,C=US"
Certificate 2 Subject: "CN=CA1 INTERMEDIATE,O=CA1,C=US"
Certificate 3 Subject: "CN=Bridge BRIDGE,O=Bridge,C=US"
-----------------------------------------------
vfychain -d EE1DB -pp -v -f CA1EE1cert.der BridgeCA1cert.der -t NavyRoot.der
RESULT: PASS
===============================================
Chain is bad, -8179 = Peer's Certificate issuer is not recognized.
-----------------------------------------------
vfychain -d EE1DB -pp -v -f CA1EE1cert.der BridgeCA1cert.der ArmyBridgecert.der -t NavyRoot.der
RESULT: FAIL
===============================================
Note: the vfychain command executed appears below its output in the log above.
Test cases are separated by ======
Test output is separated from summary by -------
Updated•17 years ago
Priority: -- → P1
Target Milestone: --- → 3.12.1
Comment 8•17 years ago (Reporter)
I refreshed my workspace on June 12th and the test above is now passing:
===============================================
Chain is good!
Root Certificate Subject:: "CN=Navy ROOT CA,O=Navy,C=US"
Certificate 1 Subject: "CN=EE1 EE,O=CA1,C=US"
Certificate 2 Subject: "CN=CA1 INTERMEDIATE,O=CA1,C=US"
Certificate 3 Subject: "CN=Bridge BRIDGE,O=Bridge,C=US"
-----------------------------------------------
vfychain -d EE1DB -pp -v -f CA1EE1cert.der BridgeCA1cert.der ArmyBridgecert.der -t NavyRoot.der
RESULT: PASS
===============================================
Is there any recent change in the libpkix code that could explain that?
Comment 9•17 years ago (Assignee)
I'm not sure why you had this test pass.
The problem is again in the pkix_BuildForwardDepthFirstSearch function: after taking a cert from the local cert store it does not go back to try to get more certs through AIA.
Patch is coming...
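The two cases from comment 0 and the explanation in comment 9 (AIA is consulted only when the local store yields no issuer candidate, and once a local candidate has been taken the search never returns to the same cert to fetch more via AIA), modelled as an added Python toy. This is illustration code written for this page, not NSS/libpkix code: the Cert class, the AIA_SERVER dict standing in for the web server the test needs, the hypothetical AIA URL, and the retry_aia_after_local switch that contrasts the reported behaviour with the behaviour the fix aims for are all constructed, and signature verification is replaced by subject/issuer name matching.

```python
"""Toy model of forward (leaf-to-anchor) depth-first path building with AIA fetching.

Added illustration for the cases in this bug; not NSS/libpkix code. The Cert
class, the AIA_SERVER dict standing in for the HTTP server the test needs, the
AIA URL, and the retry_aia_after_local switch are all constructed for this
example. Signature checks are replaced by subject/issuer name matching.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    name: str                  # label used in the bug report, e.g. "ArmyBridge"
    subject: str
    issuer: str
    aia: Optional[str] = None  # caIssuers URL where the issuer's cert can be fetched


# Constructed PKI from comment 0. Bridge has two certs: one from Army, one from Navy.
ARMY = Cert("Army", "Army", "Army")
NAVY = Cert("Navy", "Navy", "Navy")
ARMY_BRIDGE = Cert("ArmyBridge", "Bridge", "Army")
NAVY_BRIDGE = Cert("NavyBridge", "Bridge", "Navy")
CA1 = Cert("CA1", "CA1", "Bridge", aia="http://aia.example/NavyBridge.der")  # hypothetical URL
EE1 = Cert("EE1", "EE1", "CA1")

# Stand-in for the web server: CA1's AIA points only at the Navy-issued Bridge cert.
AIA_SERVER = {"http://aia.example/NavyBridge.der": NAVY_BRIDGE}


def fetch_aia(cert: Cert, fetched: set) -> List[Cert]:
    """Return issuer candidates obtained via cert's AIA URL, fetching each URL once."""
    if cert.aia is None or cert.aia in fetched:
        return []
    fetched.add(cert.aia)
    found = AIA_SERVER.get(cert.aia)
    return [found] if found is not None else []


def build_path(leaf: Cert, known: List[Cert], anchor: Cert,
               retry_aia_after_local: bool) -> Optional[List[Cert]]:
    """Depth-first search from leaf toward anchor.

    known  : certs available locally (the -f arguments to vfychain plus the DB)
    anchor : the trusted root given with -t
    retry_aia_after_local=False reproduces the reported behaviour: AIA is used
      only when the local store has no issuer candidate at all, so a wrong local
      candidate (ArmyBridge) is never backed out of in favour of an AIA fetch.
    retry_aia_after_local=True is the behaviour the fix aims for: once every
      local candidate for a cert has been tried and failed, fetch more via AIA.
    Returns the chain leaf..anchor, or None when no chain reaches the anchor.
    """
    fetched: set = set()

    def dfs(cert: Cert, path: List[Cert]) -> Optional[List[Cert]]:
        if cert.issuer == anchor.subject:
            return path + [anchor]

        def try_candidates(cands: List[Cert]) -> Optional[List[Cert]]:
            for cand in cands:
                if cand.subject == cand.issuer:  # untrusted self-signed cert: dead end
                    continue
                chain = dfs(cand, path + [cand])
                if chain is not None:
                    return chain
            return None

        local = [c for c in known if c.subject == cert.issuer and c not in path]
        chain = try_candidates(local if local else fetch_aia(cert, fetched))
        if chain is None and local and retry_aia_after_local:
            # the missing transition: local candidates exhausted, go back and try AIA
            chain = try_candidates(fetch_aia(cert, fetched))
        return chain

    return dfs(leaf, [leaf])


def chain_names(chain: Optional[List[Cert]]) -> Optional[List[str]]:
    return None if chain is None else [c.name for c in chain]


if __name__ == "__main__":
    case1 = [EE1, CA1, NAVY]
    case2 = [EE1, CA1, ARMY_BRIDGE, NAVY]
    print("case 1, reported behaviour:", chain_names(build_path(EE1, case1, NAVY, False)))
    print("case 2, reported behaviour:", chain_names(build_path(EE1, case2, NAVY, False)))
    print("case 2, with AIA retry:    ", chain_names(build_path(EE1, case2, NAVY, True)))
```

With retry_aia_after_local=False, case 1 builds EE1, CA1, NavyBridge, Navy while case 2 descends into ArmyBridge, finds no Army cert, and gives up without ever fetching NavyBridge, which is the None that corresponds to the -8179 "issuer is not recognized" failure in comment 7. With the retry enabled, case 2 backs out of ArmyBridge and completes the same chain as case 1.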
Comment 10•17 years ago (Assignee)
Attachment #327845 - Flags: review?(nelson)
Comment 11•17 years ago
Comment on attachment 327845 [details] [diff] [review]
Patch v1 - fetch certs through AIA after trying cert all local certs (checked in)
After looking at this patch, it appears to me that there is a state
machine being used here, one with 21 states defined in an enum at
http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/security/nss/lib/libpkix/pkix/top/pkix_build.h&rev=1.5#53
It appears that this patch wants to introduce a new transition in the
state diagram, a transition to the BUILD_TRYAIA state. I'm a little
surprised that the conditions for making this transition do not seem
to examine the value of that state variable (state->status), and it
is not clear to me what existing state is expected when this transition
occurs. In other words, this transition goes TO the state BUILD_TRYAIA,
but it's not clear what state it's coming FROM.
Are the meanings of those 21 states defined anywhere?
Is there a state transition diagram or matrix somewhere?
These things might help to determine if the proposed change is correct.
Comment 12•17 years ago
Comment on attachment 327845 [details] [diff] [review]
Patch v1 - fetch certs through AIA after trying cert all local certs (checked in)
r=nelson
Attachment #327845 - Flags: review?(nelson) → review+
Comment 13•17 years ago (Assignee)
checked in.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Comment 14•17 years ago
This test is still failing. Reopening.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Target Milestone: 3.12.1 → 3.12.2
Comment 15•17 years ago
Temporary workaround: the test will expect failure as the expected result; this would prevent Tinderbox failures.
Attachment #346471 - Flags: review?(alexei.volkov.bugs)
Updated•17 years ago
Attachment #327845 - Attachment description: Patch v1 - fetch certs through aia after trying cert all local certs → Patch v1 - fetch certs through AIA after trying cert all local certs (checked in)
Updated•17 years ago (Assignee)
Whiteboard: PKIX → PKIX SUN_MUST_HAVE
Comment 16•17 years ago (Assignee)
Comment on attachment 346471 [details] [diff] [review]
Temporary workaround.
The real fix for the problem is waiting for Nelson's review (see bug 432260).
Attachment #346471 - Attachment is obsolete: true
Attachment #346471 - Flags: review?(alexei.volkov.bugs)
Updated•17 years ago (Assignee)
Status: REOPENED → RESOLVED
Closed: 17 years ago → 17 years ago
Resolution: --- → FIXED