
PKIX: AIA extension is not used in some Bridge CA / known certs configuration

RESOLVED FIXED in 3.12.2

Status

NSS
Libraries
P1
normal
RESOLVED FIXED
9 years ago
9 years ago

People

(Reporter: Christophe Ravel, Assigned: Alexei Volkov)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: PKIX SUN_MUST_HAVE)

Attachments

(6 attachments, 1 obsolete attachment)

(Reporter)

Description

9 years ago
Here is the PKI configuration:

   Army        Navy
      \      /
       Bridge
         |
        CA1 (with AIA extension to Navy issued Bridge cert only)
         |
        EE1

Entity Army
  Type: Root CA

Entity Navy
  Type: Root CA

Entity Bridge
  Type: Bridge CA
  Issuer1: Army (cert referenced as ArmyBridge below)
  Issuer2: Navy (cert referenced as NavyBridge below)

Entity CA1
  Type: Intermediate CA
  Issuer: Bridge
    AIA extension: Navy issued cert for Bridge

Entity EE1
  Type: End Entity
  Issuer: CA1

---------
The test is to verify the EE1 cert given a list of known certs and a trusted anchor.

Case 1:
Known certs: EE1, CA1, Navy
Trusted anchor: Navy

In this case, the missing NavyBridge cert is fetched using the AIA extension and the chain is validated.

Case 2:
Known certs: EE1, CA1, ArmyBridge, Navy
Trusted anchor: Navy

This case is similar to case #1, except that we provide an extra cert (ArmyBridge). In this case, the AIA extension is not used and the validation of the chain fails.

It looks like libpkix is "fooled" into looking at the Army branch and doesn't go back to the CA1 cert to fetch the NavyBridge cert using the AIA extension.

More details to come...
(Reporter)

Updated

9 years ago
Whiteboard: PKIX
(Reporter)

Comment 1

9 years ago
Created attachment 323143 [details]
Shell script to create the PKI environment

NSS_DIR should be set to the location of NSS (where bin and lib are).
Example: export NSS_DIR=/mozilla/dist/SunOS5.10_DBG.OBJ

You need a running web server to run this test.
You also have to modify AIA_FILE and AIA_HTTP inside the script to match your environment (see instructions inside the script).
(Reporter)

Comment 2

9 years ago
Created attachment 323144 [details]
Shell script to run the test

NSS_DIR should be set to the location of NSS (where bin and lib are).
Example: export NSS_DIR=/mozilla/dist/SunOS5.10_DBG.OBJ

You have to run the createPKI_bug436599.sh shell script first.
Comment 3

BTW, I'm not sure that "Case 2" in comment 0 is incorrect behavior. It could be that fetching certs via AIA is only done when we have NO cert for the issuer.

The questions are:
a) Do the standards tell us what is the correct/expected behavior here?
b) If not, what do we collectively think is the right behavior?

I can see arguments for and against fetching certs in "Case 2".
(Reporter)

Comment 4

9 years ago
Created attachment 323158 [details]
PKI configuration

Graphical representation of the PKI configuration.
(Reporter)

Comment 5

9 years ago
Created attachment 323159 [details]
Test case 1

Graphical representation of the test case #1.
(Reporter)

Comment 6

9 years ago
Created attachment 323160 [details]
Test case 2

Graphical representation of the test case #2.
(Reporter)

Comment 7

9 years ago
Results from the test:

$ ./test_bug436599.sh 
Chain is good!
Root Certificate Subject:: "CN=Navy ROOT CA,O=Navy,C=US"
Certificate 1 Subject: "CN=EE1 EE,O=CA1,C=US"
Certificate 2 Subject: "CN=CA1 INTERMEDIATE,O=CA1,C=US"
Certificate 3 Subject: "CN=Bridge BRIDGE,O=Bridge,C=US"
-----------------------------------------------
vfychain -d EE1DB -pp -v -f CA1EE1cert.der BridgeCA1cert.der -t NavyRoot.der
RESULT: PASS
===============================================
Chain is bad, -8179 = Peer's Certificate issuer is not recognized.
-----------------------------------------------
vfychain -d EE1DB -pp -v -f CA1EE1cert.der BridgeCA1cert.der ArmyBridgecert.der -t NavyRoot.der
RESULT: FAIL
===============================================

Note: the vfychain command executed appears below its output in the log above.
Test cases are separated by ====== 
Test output is separated from summary by -------

Priority: -- → P1
Target Milestone: --- → 3.12.1
(Reporter)

Comment 8

9 years ago
I refreshed my workspace on June 12th and the test above is now passing:

===============================================
Chain is good!
Root Certificate Subject:: "CN=Navy ROOT CA,O=Navy,C=US"
Certificate 1 Subject: "CN=EE1 EE,O=CA1,C=US"
Certificate 2 Subject: "CN=CA1 INTERMEDIATE,O=CA1,C=US"
Certificate 3 Subject: "CN=Bridge BRIDGE,O=Bridge,C=US"
-----------------------------------------------
vfychain -d EE1DB -pp -v -f CA1EE1cert.der BridgeCA1cert.der ArmyBridgecert.der -t NavyRoot.der
RESULT: PASS
===============================================

Is there any recent change in the libpkix code that could explain that?
(Assignee)

Comment 9

9 years ago
I'm not sure why this test passed for you.

The problem is again within the pkix_BuildForwardDepthFirstSearch function: after taking a cert from the local cert store it does not go back to try to get more certs through AIA.

Patch is coming...
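To make the failure mode in comment 9 (and the two test cases in the description) concrete, here is an added in-memory model of a forward depth-first chain builder with an AIA fallback. This is example code written for this page, not libpkix or any NSS code: certificates are plain records with no signatures, the "AIA fetch" is a dictionary lookup keyed by a hypothetical URL, and the local store and trust anchor are constructed to mirror the Army/Navy/Bridge/CA1/EE1 layout above. The `backtrack_to_aia` flag switches between the behavior described in comment 9 (AIA is consulted only when the local store has no candidate issuer at all) and the behavior the bug asks for (AIA is consulted after every local candidate has been tried and dead-ended).

```python
"""Toy model of forward chain building with an AIA fallback (example code,
not NSS/libpkix). No signatures are checked; everything is constructed
in-memory so the script runs offline."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Cert:
    name: str                    # label used in the bug report, e.g. "NavyBridge"
    subject: str
    issuer: str
    aia: Tuple[str, ...] = ()    # caIssuers URLs (hypothetical)


# Constructed PKI mirroring the bug report. Two roots, one bridge CA that is
# cross-certified by both, an intermediate under the bridge, and a leaf.
ARMY = Cert("Army", "Army", "Army")
NAVY = Cert("Navy", "Navy", "Navy")
ARMY_BRIDGE = Cert("ArmyBridge", "Bridge", "Army")
NAVY_BRIDGE = Cert("NavyBridge", "Bridge", "Navy")
AIA_URL = "http://aia.example/NavyBridge.der"          # hypothetical URL
CA1 = Cert("CA1", "CA1", "Bridge", aia=(AIA_URL,))     # AIA points at NavyBridge only
EE1 = Cert("EE1", "EE1", "CA1")

# What an AIA fetch of the URL would return (stands in for the web server
# the reporter's scripts need).
AIA_REPOSITORY = {AIA_URL: NAVY_BRIDGE}


def build_chain(leaf: Cert, known: Sequence[Cert], anchors: Sequence[Cert],
                fetch_aia: Callable[[str], Optional[Cert]],
                backtrack_to_aia: bool) -> Optional[List[Cert]]:
    """Depth-first forward build from `leaf` toward any of `anchors`.

    Returns the path [leaf, ..., cert issued by an anchor] or None.
    backtrack_to_aia=False models comment 9: once the local store yields a
    candidate issuer, AIA is never tried for that cert even if every local
    candidate dead-ends. backtrack_to_aia=True tries AIA after local
    candidates are exhausted.
    """
    anchor_subjects = {a.subject for a in anchors}

    def local_issuers(cert: Cert) -> List[Cert]:
        return [c for c in known if c.subject == cert.issuer]

    def aia_issuers(cert: Cert) -> List[Cert]:
        fetched = [fetch_aia(url) for url in cert.aia]
        # A fetched cert is only a candidate if it actually names our issuer.
        return [c for c in fetched if c is not None and c.subject == cert.issuer]

    def dfs(cert: Cert, path: List[Cert]) -> Optional[List[Cert]]:
        path = path + [cert]
        if cert.issuer in anchor_subjects:
            return path                      # reached the trust anchor
        candidates = local_issuers(cert)
        for cand in candidates:
            if cand in path:                 # loop guard (e.g. self-signed non-anchor)
                continue
            found = dfs(cand, path)
            if found:
                return found
        # Comment 9's behavior: AIA only when there was NO local candidate.
        if not candidates or backtrack_to_aia:
            for cand in aia_issuers(cert):
                if cand in path:
                    continue
                found = dfs(cand, path)
                if found:
                    return found
        return None                          # every branch dead-ended

    return dfs(leaf, [])


def chain_names(chain: Optional[List[Cert]]) -> Optional[List[str]]:
    return [c.name for c in chain] if chain else None


def case1(backtrack_to_aia: bool) -> Optional[List[Cert]]:
    """Known certs: EE1, CA1, Navy. Trusted anchor: Navy."""
    return build_chain(EE1, [EE1, CA1, NAVY], [NAVY], AIA_REPOSITORY.get, backtrack_to_aia)


def case2(backtrack_to_aia: bool) -> Optional[List[Cert]]:
    """Known certs: EE1, CA1, ArmyBridge, Navy. Trusted anchor: Navy."""
    return build_chain(EE1, [EE1, CA1, ARMY_BRIDGE, NAVY], [NAVY],
                       AIA_REPOSITORY.get, backtrack_to_aia)


if __name__ == "__main__":
    for label, fn in (("case 1", case1), ("case 2", case2)):
        for flag in (False, True):
            print(f"{label}, backtrack_to_aia={flag}: {chain_names(fn(flag))}")
```

With `backtrack_to_aia=False`, case 2 returns `None`: CA1's issuer "Bridge" is satisfied locally by ArmyBridge, that branch dead-ends because the Army root is neither known nor trusted, and the builder never returns to CA1 to fetch NavyBridge. With the flag set, both cases yield EE1, CA1, NavyBridge, matching the chain vfychain prints in comment 7. The model deliberately omits what a real builder must also do on the fetched cert: verify its signature and constraints before extending the path, since an AIA URL is attacker-controllable and a fetched cert is untrusted input.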
(Assignee)

Comment 10

9 years ago
Created attachment 327845 [details] [diff] [review]
Patch v1 - fetch certs through AIA after trying cert all local certs (checked in)
Attachment #327845 - Flags: review?(nelson)
Comment 11

Comment on attachment 327845 [details] [diff] [review]
Patch v1 - fetch certs through AIA after trying cert all local certs (checked in)

After looking at this patch, it appears to me that there is a state machine being used here, one with 21 states defined in an enum at
http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/security/nss/lib/libpkix/pkix/top/pkix_build.h&rev=1.5#53

It appears that this patch wants to introduce a new transition in the state diagram, a transition to the BUILD_TRYAIA state. I'm a little surprised that the conditions for making this transition do not seem to examine the value of that state variable (state->status), and it is not clear to me what existing state is expected when this transition occurs. In other words, this transition is TO the state BUILD_TRYAIA, but it's not clear what state it's coming FROM.

Are the meanings of those 21 states defined anywhere?
Is there a state transition diagram or matrix somewhere?

These things might help to determine if the proposed change is correct.
Comment 12

Comment on attachment 327845 [details] [diff] [review]
Patch v1 - fetch certs through AIA after trying cert all local certs (checked in)

r=nelson
Attachment #327845 - Flags: review?(nelson) → review+
(Assignee)

Comment 13

9 years ago
checked in.
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED

Comment 14

9 years ago
This test is still failing. Reopening.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Target Milestone: 3.12.1 → 3.12.2

Comment 15

9 years ago
Created attachment 346471 [details] [diff] [review]
Temporary workaround.

Temporary workaround: it records failure as the expected result, which would prevent Tinderbox failures.
Attachment #346471 - Flags: review?(alexei.volkov.bugs)
Attachment #327845 - Attachment description: Patch v1 - fetch certs through aia after trying cert all local certs → Patch v1 - fetch certs through AIA after trying cert all local certs (checked in)
(Assignee)

Updated

9 years ago
Whiteboard: PKIX → PKIX SUN_MUST_HAVE
(Assignee)

Comment 16

9 years ago
Comment on attachment 346471 [details] [diff] [review]
Temporary workaround.

The real fix for the problem is waiting for Nelson's review (see bug 432260).
Attachment #346471 - Attachment is obsolete: true
Attachment #346471 - Flags: review?(alexei.volkov.bugs)
(Assignee)

Updated

9 years ago
Status: REOPENED → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED