Open Bug 44838 Opened 24 years ago Updated 2 years ago

verifying object signing CA certs

Categories

(NSS :: Libraries, defect, P3)

Tracking

(Not tracked)

People

(Reporter: bugz, Unassigned)

Details

There does not appear to be a mechanism for verifying Object Signing CA certs in NSS. This causes PSM to fail to verify a self-signed cert whose only usage is issuing Object Signing certs. Also, certutil cannot verify such certs correctly.
Yes, seems so. Came to the same results when testing object signing certs. Additionally: obj signing certs generated with openssl which are signed by a self signing (CA) cert seem to fail also. Must be a followup problem of failing to test the self signed cert. Tested with openssl and signtool certs on M16.
Nope, sorry. Both certs work now. It seems that a signtool generated self signed cert is tested and checked, at least in M16 and above. So we might close the bug, if anyone can additionally confirm the right behavior. Votes reset.
It doesn't look to me like verification of CA certs is handled correctly at:
http://lxr.mozilla.org/mozilla/source/security/nss/lib/certhigh/certvfy.c#986

I think that the cases certUsageSSLCA, certUsageEmailCA, and certUsageObjSignCA should be handled together (the last two would have to be created). They should then call:

    rv = CERT_KeyUsageAndTypeForCertUsage(certUsage, PR_TRUE, &requiredKeyUsage, &requiredCertType);

where they would be handled accordingly.

I also think the case for certUsageSSLCA at http://lxr.mozilla.org/mozilla/source/security/nss/lib/certdb/certdb.c#994 should be removed, since it is handled above for CA certs (at that point it is assumed to not be a CA cert). bob, any thoughts?
Target Milestone: --- → 3.2
Object Signing verification is handled differently from SSL and S/MIME because it was added after many certs were issued. If a cert or intermediate doesn't explicitly say what it supports, NSS will assume it supports SSL and S/MIME. This is reasonable because most CA issuers expect their certs to be used in these environments unless they do something special to prevent it. Object Signing certs are another matter. Not all Verisign Class 1 certs should be valid for Object Signing. Therefore, unless a cert is specifically issued to do object signing, it isn't considered valid for that. bob
So how do we verify a CA cert that is only used for issuing object signing certs? We need to have a mechanism for this, otherwise PSM will show such certs to be invalid (which it currently does). We could use certUsageAnyCA, but that isn't handled in CERT_VerifyCert either. Should I add it?
It's a hole we've had for a while. Communicator without PSM will also validate an object signing only cert as invalid.
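A simplified model of the behavior discussed in the comments above, added here as an example; it is not NSS code and not part of the original bug. It combines the defaulting rule (a cert that states nothing is assumed good for SSL and S/MIME, never object signing) with the reported gap (no CA usage exists for object signing). All type names, bit values and functions are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model for illustration: names and bit values are made up here
 * and are not NSS's definitions. */
enum { T_SSL = 1, T_EMAIL = 2, T_OBJSIGN = 4,
       T_SSL_CA = 8, T_EMAIL_CA = 16, T_OBJSIGN_CA = 32 };
typedef enum { USE_SSL, USE_EMAIL, USE_OBJSIGN,
               USE_SSL_CA, USE_EMAIL_CA, USE_OBJSIGN_CA } usage_t;
typedef enum { V_OK, V_WRONG_TYPE, V_NO_SUCH_USAGE } result_t;

typedef struct {
    bool is_ca;
    bool has_type_ext;   /* cert explicitly says what it supports */
    unsigned type_bits;  /* only meaningful when has_type_ext is set */
} cert_t;

/* Defaulting rule: a cert that says nothing is assumed good for SSL and
 * S/MIME, never for object signing. */
unsigned effective_types(const cert_t *c)
{
    if (c->has_type_ext)
        return c->type_bits;
    return c->is_ca ? (T_SSL_CA | T_EMAIL_CA) : (T_SSL | T_EMAIL);
}

/* ca_usages_added = false models the verifier as reported (only an SSL CA
 * usage exists); true models the proposal to add email and object-signing
 * CA usages and handle all three together. */
result_t verify(const cert_t *c, usage_t u, bool ca_usages_added)
{
    static const unsigned required[] = { T_SSL, T_EMAIL, T_OBJSIGN,
                                         T_SSL_CA, T_EMAIL_CA, T_OBJSIGN_CA };
    if (!ca_usages_added && (u == USE_EMAIL_CA || u == USE_OBJSIGN_CA))
        return V_NO_SUCH_USAGE;
    return (effective_types(c) & required[u]) ? V_OK : V_WRONG_TYPE;
}

int main(void)
{
    /* Constructed sample: a CA marked for object signing only. */
    cert_t objsign_ca = { true, true, T_OBJSIGN_CA };
    printf("as SSL CA: %d\n", verify(&objsign_ca, USE_SSL_CA, false));
    printf("as ObjSign CA (as reported): %d\n", verify(&objsign_ca, USE_OBJSIGN_CA, false));
    printf("as ObjSign CA (proposed): %d\n", verify(&objsign_ca, USE_OBJSIGN_CA, true));
    return 0;
}
```

In this model the object-signing-only CA can only be checked against the SSL CA usage, where it fails on type; once a matching CA usage exists it verifies, while a CA that states nothing still does not qualify for object signing.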
QA Contact: lord → sonmi
Target Milestone: 3.2 → 3.3
Target Milestone: 3.3 → 3.4
Ian, do you think you will be able to get to this bug in 3.4, or should I push it to 4.0?
This is a 4.0 bug. It's not worth fixing in 3.4. It's really just something to keep in mind while implementing 4.0.
Target Milestone: 3.4 → 4.0
Changed the QA contact to Bishakha.
QA Contact: sonja.mirtitsch → bishakhabanerjee
QA Contact: bishakhabanerjee → jason.m.reid
Assignee: bugz → nobody
QA Contact: jason.m.reid → libraries
Target Milestone: 4.0 → ---
Version: 3.2 → 3.3
Severity: normal → S3