Closed Bug 436599 Opened 16 years ago Closed 16 years ago

PKIX: AIA extension is not used in some Bridge CA / known certs configuration

Categories

(NSS :: Libraries, defect, P1)

3.12
defect

Tracking

(Not tracked)

RESOLVED FIXED
3.12.2

People

(Reporter: christophe.ravel.bugs, Assigned: alvolkov.bgs)

Details

(Whiteboard: PKIX SUN_MUST_HAVE)

Attachments

(6 files, 1 obsolete file)

Here is the PKI configuration:

   Army        Navy
      \      /
       Bridge
         |
        CA1 (with AIA extension to Navy issued Bridge cert only)
         |
        EE1

Entity Army
  Type: Root CA

Entity Navy
  Type: Root CA

Entity Bridge
  Type: Bridge CA
  Issuer1: Army (cert referenced as ArmyBridge below)
  Issuer2: Navy (cert referenced as NavyBridge below)

Entity CA1
  Type: Intermediate CA
  Issuer: Bridge
    AIA extension: Navy issued cert for Bridge

Entity EE1
  Type: End Entity
  Issuer: CA1

---------
The test is to verify the EE1 cert given a list of known certs and a trust anchor.

Case 1:
Known certs: EE1, CA1, Navy
Trusted anchor: Navy

In this case, the missing NavyBridge cert is fetched using the AIA extension and the chain is validated.

Case 2:
Known certs: EE1, CA1, ArmyBridge, Navy
Trusted anchor: Navy

This case is similar to case #1, except that we provide an extra cert (ArmyBridge). In this case, the AIA extension is not used and the validation of the chain fails.

It looks like libpkix is "fooled" into looking at the Army branch and doesn't go back to the CA1 cert to fetch the NavyBridge cert using the AIA extension.

More details to come...
Whiteboard: PKIX
NSS_DIR should be set to the location of NSS (where bin and lib are).
Example: export NSS_DIR=/mozilla/dist/SunOS5.10_DBG.OBJ

You need a running web server to run this test.
You also have to modify AIA_FILE and AIA_HTTP inside the script to match your environment (see instructions inside the script).
NSS_DIR should be set to the location of NSS (where bin and lib are).
Example: export NSS_DIR=/mozilla/dist/SunOS5.10_DBG.OBJ

You have to run the createPKI_bug436599.sh shell script first.
BTW, I'm not sure that "Case 2" in comment 0 is incorrect behavior.  
It could be that fetching certs via AIA is only done when we have NO 
cert for the issuer.  
The questions are:
a) Do the standards tell us what is the correct/expected behavior here?
b) if not, what do we collectively think is the right behavior?
I can see arguments for and against fetching certs in "Case 2".
Attached image PKI configuration
Graphical representation of the PKI configuration.
Attached image Test case 1
Graphical representation of the test case #1.
Attached image Test case 2
Graphical representation of the test case #2.
Results from the test:

$ ./test_bug436599.sh 
Chain is good!
Root Certificate Subject:: "CN=Navy ROOT CA,O=Navy,C=US"
Certificate 1 Subject: "CN=EE1 EE,O=CA1,C=US"
Certificate 2 Subject: "CN=CA1 INTERMEDIATE,O=CA1,C=US"
Certificate 3 Subject: "CN=Bridge BRIDGE,O=Bridge,C=US"
-----------------------------------------------
vfychain -d EE1DB -pp -v -f CA1EE1cert.der BridgeCA1cert.der -t NavyRoot.der
RESULT: PASS
===============================================
Chain is bad, -8179 = Peer's Certificate issuer is not recognized.
-----------------------------------------------
vfychain -d EE1DB -pp -v -f CA1EE1cert.der BridgeCA1cert.der ArmyBridgecert.der -t NavyRoot.der
RESULT: FAIL
===============================================

Note: the vfychain command executed appears below its output in the log above.
Test cases are separated by ====== 
Test output is separated from summary by -------

Priority: -- → P1
Target Milestone: --- → 3.12.1
I refreshed my workspace on June 12th and the test above is now passing:

===============================================
Chain is good!
Root Certificate Subject:: "CN=Navy ROOT CA,O=Navy,C=US"
Certificate 1 Subject: "CN=EE1 EE,O=CA1,C=US"
Certificate 2 Subject: "CN=CA1 INTERMEDIATE,O=CA1,C=US"
Certificate 3 Subject: "CN=Bridge BRIDGE,O=Bridge,C=US"
-----------------------------------------------
vfychain -d EE1DB -pp -v -f CA1EE1cert.der BridgeCA1cert.der ArmyBridgecert.der -t NavyRoot.der
RESULT: PASS
===============================================

Is there any recent change in the libpkix code that could explain that?
I'm not sure why this test passed for you.

The problem is again in the pkix_BuildForwardDepthFirstSearch function: after taking a cert from the local cert store, it does not go back to try to get more certs through AIA.

Patch is coming...
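The search behaviour described above, as an added example that is not NSS code: a small Python model of libpkix-style forward depth-first chain building over a local cert store with an AIA fallback, which reproduces Case 1 and Case 2 from comment 0. The PKI, the AIA URL and the in-memory stand-in for the web server the test script needs are all constructed here so the example runs offline. The flag `aia_after_local` switches between the behaviour this comment describes (AIA consulted only when the local store has no issuer candidate, so the Army branch is never backed out of) and the intended behaviour (AIA tried once every local candidate has been rejected).

```python
"""Model of forward depth-first chain building with an AIA fallback.

Added example, not NSS code. Reproduces Case 1 / Case 2 from this bug
with an in-memory cert store and a stand-in for the HTTP AIA fetch.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Set, Tuple


@dataclass(frozen=True)
class Cert:
    name: str                   # label used in the bug (EE1, CA1, NavyBridge ...)
    subject: str
    issuer: str
    aia: Tuple[str, ...] = ()   # caIssuers URLs from the AIA extension


# Constructed PKI from comment 0. Subject strings are illustrative only.
NAVY = Cert("Navy", "CN=Navy ROOT CA", "CN=Navy ROOT CA")
ARMY = Cert("Army", "CN=Army ROOT CA", "CN=Army ROOT CA")
NAVY_BRIDGE = Cert("NavyBridge", "CN=Bridge BRIDGE", "CN=Navy ROOT CA")
ARMY_BRIDGE = Cert("ArmyBridge", "CN=Bridge BRIDGE", "CN=Army ROOT CA")
CA1 = Cert("CA1", "CN=CA1 INTERMEDIATE", "CN=Bridge BRIDGE",
           aia=("http://aia.example/NavyBridge.der",))   # hypothetical URL
EE1 = Cert("EE1", "CN=EE1 EE", "CN=CA1 INTERMEDIATE")

# Stand-in for the web server: URL -> certs it serves. Only the Navy-issued
# Bridge cert is reachable through CA1's AIA, exactly as in the bug setup.
AIA_SERVER: Dict[str, Tuple[Cert, ...]] = {
    "http://aia.example/NavyBridge.der": (NAVY_BRIDGE,),
}

NAVY_ANCHOR: Set[str] = {NAVY.subject}


def fetch_aia(cert: Cert) -> List[Cert]:
    """Return the certs reachable through cert's AIA caIssuers URLs."""
    found: List[Cert] = []
    for url in cert.aia:
        found.extend(AIA_SERVER.get(url, ()))
    return found


def build_chain(cert: Cert, local: Sequence[Cert], anchors: Set[str],
                aia_after_local: bool, _depth: int = 0) -> Optional[List[Cert]]:
    """Forward depth-first search from cert toward a trust anchor.

    Returns [cert, ..., last cert below the anchor] or None.
    aia_after_local=False models the behaviour reported in this bug:
    AIA is consulted only when the local store has no issuer candidate,
    so a failed local branch (ArmyBridge) ends the search.
    aia_after_local=True models the intended behaviour: after every local
    candidate has been tried and rejected, fall back to AIA before giving up.
    """
    if _depth > 10:                     # guard against issuer loops
        return None
    if cert.issuer in anchors:
        return [cert]
    candidates = [c for c in local if c.subject == cert.issuer and c is not cert]
    for issuer in candidates:
        rest = build_chain(issuer, local, anchors, aia_after_local, _depth + 1)
        if rest is not None:
            return [cert] + rest
    if candidates and not aia_after_local:
        return None                     # bug: a local issuer existed, AIA never tried
    for issuer in fetch_aia(cert):
        rest = build_chain(issuer, local, anchors, aia_after_local, _depth + 1)
        if rest is not None:
            return [cert] + rest
    return None


def verify(leaf: Cert, local: Sequence[Cert], anchors: Set[str],
           aia_after_local: bool) -> Optional[List[str]]:
    """Chain of cert labels from leaf up to the anchor, or None on failure."""
    chain = build_chain(leaf, local, anchors, aia_after_local)
    return [c.name for c in chain] if chain else None


if __name__ == "__main__":
    case1 = [EE1, CA1, NAVY]
    case2 = [EE1, CA1, ARMY_BRIDGE, NAVY]
    print("case 1, local-only AIA gating:", verify(EE1, case1, NAVY_ANCHOR, False))
    print("case 2, local-only AIA gating:", verify(EE1, case2, NAVY_ANCHOR, False))
    print("case 2, AIA after local certs:", verify(EE1, case2, NAVY_ANCHOR, True))
```

Case 1 succeeds either way because no local cert has the Bridge subject, so AIA is the first and only option at CA1. Case 2 only succeeds when the builder is allowed to return to CA1 and try its AIA after the ArmyBridge branch dead-ends at the untrusted Army root.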
Comment on attachment 327845 [details] [diff] [review]
Patch v1 - fetch certs through AIA after trying cert all local certs (checked in)

After looking at this patch, it appears to me that there is a state
machine being used here, one with 21 states defined in an enum at
http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/security/nss/lib/libpkix/pkix/top/pkix_build.h&rev=1.5#53

It appears that this patch wants to introduce a new transition in the 
state diagram, a transition to the BUILD_TRYAIA state.  I'm a little
surprised that the conditions for making this transition do not seem
to examine the value of that state variable (state->status), and it
is not clear to me what existing state is expected when this transition
occurs.  In other words, this transition is TO the state BUILD_TRYAIA,
but it's not clear what state it's coming FROM.

Are the meanings of those 21 states defined anywhere?
Is there a state transition diagram or matrix somewhere?

These things might help to determine if the proposed change is correct.
Comment on attachment 327845 [details] [diff] [review]
Patch v1 - fetch certs through AIA after trying cert all local certs (checked in)

r=nelson
Attachment #327845 - Flags: review?(nelson) → review+
checked in.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
This test is still failing. Reopening.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Target Milestone: 3.12.1 → 3.12.2
Attached patch Temporary workaround. (obsolete) — Splinter Review
Temporary workaround - the test will expect failure as the expected result - this would prevent Tinderbox failures.
Attachment #346471 - Flags: review?(alexei.volkov.bugs)
Attachment #327845 - Attachment description: Patch v1 - fetch certs through aia after trying cert all local certs → Patch v1 - fetch certs through AIA after trying cert all local certs (checked in)
Whiteboard: PKIX → PKIX SUN_MUST_HAVE
Comment on attachment 346471 [details] [diff] [review]
Temporary workaround.

The real fix for the problem is waiting for Nelson's review (see bug 432260).
Attachment #346471 - Attachment is obsolete: true
Attachment #346471 - Flags: review?(alexei.volkov.bugs)
Status: REOPENED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED