Closed Bug 461544 Opened 16 years ago Closed 15 years ago

dsa parameters are not properly propagated through a chain of certs

Categories

(NSS :: Libraries, defect, P1)

defect

Tracking

(Not tracked)

RESOLVED FIXED
3.12.3

People

(Reporter: alvolkov.bgs, Assigned: alvolkov.bgs)

References

Details

(Whiteboard: PKIX SUN_MUST_HAVE)

Attachments

(1 file)

Code that deals with dsa params propagation in libpkix is located in pkix_build.c.
If dsaParams are missing on the cert, the signature check on the child certificate is delayed until complete cert chain validation, when the trust anchor is found.

Now, the code is only capable of propagating params from the parent cert. The code will fail in the case where the parent certificate does not have dsa params either.

The propagation happens in function pkix_Build_ValidationCheckers.

Slavo, please add a number of tests to our generated chain tests that will create chains with multiple dsa certs. We only do rsa certs today. The first scenario would be just to generate and validate a chain of dsa certs. Next would be a mixed chain of rsa/dsa certs. And the last test would be a chain with multiple dsa certs where some of them do not have dsa params.
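The two lookups the report contrasts, modelled as an added example (constructed here, not NSS or libpkix code): the parent-only lookup that fails when the issuer also omits its params, beside a lookup that walks the chain toward the trust anchor. The Cert type, the chain layout (leaf first, anchor last) and the toy PQG values are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PQG = Tuple[int, int, int]  # (p, q, g); real values are large primes, toy ints here

@dataclass
class Cert:
    """Constructed stand-in for a certificate, not NSS's CERTCertificate."""
    name: str
    key_alg: str                      # "dsa" or "rsa"
    dsa_params: Optional[PQG] = None  # None models a DSA key whose params were omitted

def parent_only_params(chain: List[Cert], i: int) -> Optional[PQG]:
    """The behaviour the bug report describes: consult only the immediate issuer.
    chain[0] is the leaf, chain[-1] the trust anchor."""
    cert = chain[i]
    if cert.dsa_params is not None:
        return cert.dsa_params
    if i + 1 < len(chain) and chain[i + 1].key_alg == "dsa":
        return chain[i + 1].dsa_params  # still None if the issuer omitted them too
    return None

def inherited_params(chain: List[Cert], i: int) -> Optional[PQG]:
    """Walk toward the trust anchor until an issuer carries PQG parameters.
    Parameters can only be inherited across DSA-signed hops (RFC 3279 s2.3.2),
    so an RSA issuer on the way up ends the search with nothing."""
    for cert in chain[i:]:
        if cert.key_alg != "dsa":
            return None
        if cert.dsa_params is not None:
            return cert.dsa_params
    return None

def resolve_chain(chain: List[Cert], resolver=inherited_params) -> Dict[str, Optional[PQG]]:
    """Effective params for every DSA cert; a None value means the signature
    that cert's key must verify can never be checked."""
    return {c.name: resolver(chain, i) for i, c in enumerate(chain) if c.key_alg == "dsa"}

# Constructed sample chains, leaf first, trust anchor last.
ROOT_PQG = (23, 11, 4)
ALL_DSA = [Cert("leaf", "dsa"), Cert("inter", "dsa"), Cert("root", "dsa", ROOT_PQG)]
MIXED = [Cert("leaf", "dsa"), Cert("inter", "rsa"), Cert("root", "dsa", ROOT_PQG)]

if __name__ == "__main__":
    print("parent-only:", resolve_chain(ALL_DSA, parent_only_params))
    print("inherited:  ", resolve_chain(ALL_DSA))
    print("mixed chain:", resolve_chain(MIXED))
```

The leaf in ALL_DSA is exactly the case the report describes: its issuer also omits the params, so the parent-only lookup yields nothing while the chain walk finds them on the root.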
Priority: -- → P1
Whiteboard: PKIX SUN_MUST_HAVE
Target Milestone: 3.12.1 → 3.12.3
Assignee: alexei.volkov.bugs → slavomir.katuscak
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Attachment #350462 - Flags: review?(alexei.volkov.bugs)
Comment on attachment 350462 [details] [diff] [review]
Patch v1. (checked in)

r+. Having these tests is certainly a good step forward. But the bug cannot be closed. One of the goals of these tests is to make sure dsa parameters get properly propagated through the cert chain. But NSS tools do not allow creating a dsa certificate without PQG parameters in it. certutil changes are needed before more tests can be added.
Attachment #350462 - Flags: review?(alexei.volkov.bugs) → review+
Checking in chains.sh;
/cvsroot/mozilla/security/nss/tests/chains/chains.sh,v  <--  chains.sh
new revision: 1.11; previous revision: 1.10
done
RCS file: /cvsroot/mozilla/security/nss/tests/chains/scenarios/dsa.cfg,v
done
Checking in scenarios/dsa.cfg;
/cvsroot/mozilla/security/nss/tests/chains/scenarios/dsa.cfg,v  <--  dsa.cfg
initial revision: 1.1
done
Checking in scenarios/scenarios;
/cvsroot/mozilla/security/nss/tests/chains/scenarios/scenarios,v  <--  scenarios
new revision: 1.2; previous revision: 1.1
done
Attachment #350462 - Attachment description: Patch v1. → Patch v1. (checked in)
Depends on: 469121
This bug says that libPKIX does not properly propagate DSA PQG parameters. It is a bug against NSS shared libraries. So, I'm reassigning it to Alexei to make sure it stays on his radar.

Comment 2 seems to say that we also do not have adequate test tools for constructing chains of certs with which to test this feature. If that is so, then a different bug must be filed against NSS tools, requesting that certutil be enhanced. Perhaps that bug should be marked as "blocking" this one (although I really don't believe it blocks this bug).
Assignee: slavomir.katuscak → alexei.volkov.bugs
Target Milestone: 3.12.3 → 3.12.4
This was fixed in 3.12.3
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Target Milestone: 3.12.4 → 3.12.3
