Closed
Bug 436599
Opened 16 years ago
Closed 16 years ago
PKIX: AIA extension is not used in some Bridge CA / known certs configuration
Categories
(NSS :: Libraries, defect, P1)
Tracking
(Not tracked)
RESOLVED
FIXED
3.12.2
People
(Reporter: christophe.ravel.bugs, Assigned: alvolkov.bgs)
Details
(Whiteboard: PKIX SUN_MUST_HAVE)
Attachments
(6 files, 1 obsolete file)
Here is the PKI configuration:

      Army   Navy
         \   /
         Bridge
           |
          CA1 (with AIA extension to Navy issued Bridge cert only)
           |
          EE1

Entity Army
  Type: Root CA

Entity Navy
  Type: Root CA

Entity Bridge
  Type: Bridge CA
  Issuer1: Army (cert referenced as ArmyBridge below)
  Issuer2: Navy (cert referenced as NavyBridge below)

Entity CA1
  Type: Intermediate CA
  Issuer: Bridge
  AIA extension: Navy issued cert for Bridge

Entity EE1
  Type: End Entity
  Issuer: CA1

---------

The test is to verify the EE1 cert given a list of known certs and a trusted anchor.

Case 1:
  Known certs: EE1, CA1, Navy
  Trusted anchor: Navy

In this case, the missing NavyBridge cert is fetched using the AIA extension and the chain is validated.

Case 2:
  Known certs: EE1, CA1, ArmyBridge, Navy
  Trusted anchor: Navy

This case is similar to case #1, except that we provide an extra cert (ArmyBridge). In this case, the AIA extension is not used and the validation of the chain fails.

It looks like libpkix is "fooled" into looking at the Army branch and doesn't go back to the CA1 cert to fetch the NavyBridge cert using the AIA extension.

More details to come...
Reporter
Updated•16 years ago
Whiteboard: PKIX
Reporter
Comment 1•16 years ago
NSS_DIR should be set to the location of NSS (where bin and lib are). Example: export NSS_DIR=/mozilla/dist/SunOS5.10_DBG.OBJ You need a running web server to run this test. You also have to modify AIA_FILE and AIA_HTTP inside the script to match your environment (see instructions inside the script).
Reporter
Comment 2•16 years ago
NSS_DIR should be set to the location of NSS (where bin and lib are). Example: export NSS_DIR=/mozilla/dist/SunOS5.10_DBG.OBJ You have to run the createPKI_bug436599.sh shell script first.
Comment 3•16 years ago
BTW, I'm not sure that "Case 2" in comment 0 is incorrect behavior. It could be that fetching certs via AIA is only done when we have NO cert for the issuer. The questions are: a) Do the standards tell us what is the correct/expected behavior here? b) if not, what do we collectively think is the right behavior? I can see arguments for and against fetching certs in "Case 2".
Reporter
Comment 4•16 years ago
Graphical representation of the PKI configuration.
Reporter
Comment 5•16 years ago
Graphical representation of the test case #1.
Reporter
Comment 6•16 years ago
Graphical representation of the test case #2.
Reporter
Comment 7•16 years ago
Results from the test:

$ ./test_bug436599.sh
Chain is good!
Root Certificate Subject:: "CN=Navy ROOT CA,O=Navy,C=US"
Certificate 1 Subject: "CN=EE1 EE,O=CA1,C=US"
Certificate 2 Subject: "CN=CA1 INTERMEDIATE,O=CA1,C=US"
Certificate 3 Subject: "CN=Bridge BRIDGE,O=Bridge,C=US"
-----------------------------------------------
vfychain -d EE1DB -pp -v -f CA1EE1cert.der BridgeCA1cert.der -t NavyRoot.der
RESULT: PASS
===============================================
Chain is bad, -8179 = Peer's Certificate issuer is not recognized.
-----------------------------------------------
vfychain -d EE1DB -pp -v -f CA1EE1cert.der BridgeCA1cert.der ArmyBridgecert.der -t NavyRoot.der
RESULT: FAIL
===============================================

Note: the vfychain command executed appears below its output in the log above.
Test cases are separated by ======
Test output is separated from summary by -------
Updated•16 years ago
Priority: -- → P1
Target Milestone: --- → 3.12.1
Reporter
Comment 8•16 years ago
I refreshed my workspace on June 12th and the test above is now passing:

===============================================
Chain is good!
Root Certificate Subject:: "CN=Navy ROOT CA,O=Navy,C=US"
Certificate 1 Subject: "CN=EE1 EE,O=CA1,C=US"
Certificate 2 Subject: "CN=CA1 INTERMEDIATE,O=CA1,C=US"
Certificate 3 Subject: "CN=Bridge BRIDGE,O=Bridge,C=US"
-----------------------------------------------
vfychain -d EE1DB -pp -v -f CA1EE1cert.der BridgeCA1cert.der ArmyBridgecert.der -t NavyRoot.der
RESULT: PASS
===============================================

Is there any recent change in the libpkix code that could explain that?
Assignee
Comment 9•16 years ago
I'm not sure why you had this test pass. The problem is again in the pkix_BuildForwardDepthFirstSearch function: after taking a cert from the local cert store it does not go back to try to get more certs through AIA. Patch is coming...
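The two cases from the description and the root cause named in comment 9 (the forward depth-first search never returning to AIA once a local issuer cert has been tried), as a toy Python model added here; it is not libpkix code. The Cert records, AIA_SERVER and build_chain are constructed for illustration only, and the aia_after_local flag switches between the pre-fix and the fixed search order.

```python
# Toy model of libpkix forward depth-first chain building with AIA fetching,
# written to illustrate bug 436599. Certs are constructed stand-ins carrying
# only subject, issuer and the AIA pointer; no real DER is involved.
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    name: str        # label used in the bug report
    subject: str
    issuer: str
    aia: tuple = ()  # names of issuer certs reachable via the AIA extension

# The PKI from the bug report (constructed records).
ARMY_BRIDGE = Cert("ArmyBridge", "Bridge", "Army")
NAVY_BRIDGE = Cert("NavyBridge", "Bridge", "Navy")
CA1 = Cert("CA1", "CA1", "Bridge", aia=("NavyBridge",))
EE1 = Cert("EE1", "EE1", "CA1")
NAVY = Cert("Navy", "Navy", "Navy")
# What the web server behind CA1's AIA URL hands out (constructed).
AIA_SERVER = {c.name: c for c in (ARMY_BRIDGE, NAVY_BRIDGE)}

CASE1_KNOWN = (EE1, CA1, NAVY)               # description, case 1
CASE2_KNOWN = (EE1, CA1, ARMY_BRIDGE, NAVY)  # description, case 2

def build_chain(leaf, known, anchor, aia_after_local):
    """Depth-first search from leaf towards anchor; returns the chain as a
    list of cert names, or None when no chain validates.
    aia_after_local=False: pre-fix builder, AIA consulted only when the local
    store has no candidate issuer.  True: the fix from comment 9, AIA tried
    once every local candidate has been exhausted."""
    def search(cert, path):
        if cert.issuer == anchor.subject:
            return path + [anchor.name]
        local = [c for c in known if c.subject == cert.issuer]
        candidates = list(local)
        if aia_after_local or not local:
            candidates += [AIA_SERVER[n] for n in cert.aia if n in AIA_SERVER]
        for cand in candidates:
            if cand.name in path:      # refuse loops (e.g. self-signed certs)
                continue
            chain = search(cand, path + [cand.name])
            if chain:
                return chain
        return None                    # dead end: issuer not recognized
    return search(leaf, [leaf.name])

if __name__ == "__main__":
    print("case 2, pre-fix:", build_chain(EE1, CASE2_KNOWN, NAVY, False))
    print("case 2, fixed:  ", build_chain(EE1, CASE2_KNOWN, NAVY, True))
```

With the pre-fix order, case 2 dead-ends on the Army branch exactly as the -8179 "issuer is not recognized" result in comment 7 shows; with the fixed order the search backtracks to CA1 and picks up NavyBridge through AIA.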
Assignee
Comment 10•16 years ago
Attachment #327845 - Flags: review?(nelson)
Comment 11•16 years ago
Comment on attachment 327845 [details] [diff] [review]
Patch v1 - fetch certs through AIA after trying cert all local certs (checked in)

After looking at this patch, it appears to me that there is a state machine being used here, one with 21 states defined in an enum at http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/security/nss/lib/libpkix/pkix/top/pkix_build.h&rev=1.5#53

It appears that this patch wants to introduce a new transition in the state diagram, a transition to the BUILD_TRYAIA state. I'm a little surprised that the conditions for making this transition do not seem to examine the value of that state variable (state->status), and it is not clear to me what existing state is expected when this transition occurs. In other words, this transition is TO the state BUILD_TRYAIA, but it's not clear what state it's coming FROM.

Are the meanings of those 21 states defined anywhere? Is there a state transition diagram or matrix somewhere? These things might help to determine if the proposed change is correct.
Comment 12•16 years ago
Comment on attachment 327845 [details] [diff] [review]
Patch v1 - fetch certs through AIA after trying cert all local certs (checked in)

r=nelson
Attachment #327845 - Flags: review?(nelson) → review+
Assignee
Comment 13•16 years ago
checked in.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Comment 14•16 years ago
This test is still failing. Reopening.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Target Milestone: 3.12.1 → 3.12.2
Comment 15•16 years ago
Temporary workaround - will expect failure as expected result - this would prevent Tinderbox failures.
Attachment #346471 - Flags: review?(alexei.volkov.bugs)
Updated•16 years ago
Attachment #327845 - Attachment description: Patch v1 - fetch certs through aia after trying cert all local certs → Patch v1 - fetch certs through AIA after trying cert all local certs (checked in)
Assignee
Updated•16 years ago
Whiteboard: PKIX → PKIX SUN_MUST_HAVE
Assignee
Comment 16•16 years ago
Comment on attachment 346471 [details] [diff] [review]
Temporary workaround.

The real fix for the problem is waiting for Nelson's review (see bug 432260).
Attachment #346471 - Attachment is obsolete: true
Attachment #346471 - Flags: review?(alexei.volkov.bugs)
Assignee
Updated•16 years ago
Status: REOPENED → RESOLVED
Closed: 16 years ago → 16 years ago
Resolution: --- → FIXED