470479 - IO timeout during cert fetching makes libpkix abort validation.

Status: RESOLVED FIXED

(NSS :: Libraries, defect, P2)

Description

[Alexei Volkov]

It seems that PKIX_BuildChain stops all operation and immediately returns error
when IO occurs during cert chain fetching. Neet to follow up this bug.

vfychain -d UserDB -pp -vv -f UserCA2.der CA2CA1.der -t Root.der
Chain is bad, -5990 = I/O operation timed out.
PROBLEM WITH THE CERT CHAIN:
CERT 2. CN=CA2 Intermediate,O=CA2,C=US [Certificate Authority]:
  ERROR -5990: I/O operation timed out.
execution completed, exit code is 1
Returned value is 1, expected result is pass
chains.sh: #1036: AIA: Verifying certificate(s)  UserCA2.der CA2CA1.der with flags -d UserDB -f   -t Root.der - FAILED

Comment 2

[Alexei Volkov]

I've just verified, that libpkix correctly continues path building in case of connection error that happens during cert fetching failure. But we need to have a test that supports this finding.

Slavo, please create a chain test with the following conditions:
          Bridge Cert 2 with invalid AIA url
        /
EE - CA 
        \ Bridge Cert 1 with valid AIA url - Root CA

The issuing time of Bridge Cert 2 should indicate that the cert is newer than
Bridge Cert 1. With this conditions libpkix will try to fetch a cert from
invalid location before it will be able to construct a valid chain.

Comment 3

[Slavomir Katuscak]

Attachment: Patch v1. (checked in)

Patch to workaround this failure. If network connection times out, then special unknown status is reported, that would be not reported as error (tree stays green) but can be reported via TinderboxPrint as text message. 

Patch also contains some modifications required for screnario suggested in comment #2. I'm going to prepare this scenario as a separate bug id.

Comment 4

[Slavomir Katuscak]

Created bug 482471 for comment #2.

Comment 5

[Alexei Volkov]

Comment on attachment 366556 [details] [diff] [review]
Patch v1. (checked in)

r=alexei

Comment 6

[Slavomir Katuscak]

Comment on attachment 366556 [details] [diff] [review]
Patch v1. (checked in)

Checking in chains/chains.sh;
/cvsroot/mozilla/security/nss/tests/chains/chains.sh,v  <--  chains.sh
new revision: 1.14; previous revision: 1.13
done
Checking in common/init.sh;
/cvsroot/mozilla/security/nss/tests/common/init.sh,v  <--  init.sh
new revision: 1.71; previous revision: 1.70
done

Comment 7

[Slavomir Katuscak]

Today I found out on Tinderbox results that previous patch doesn't work correctly on standard tests (memory leak testing is OK) because error messages sent to error output are not detected.

Comment 8

[Slavomir Katuscak]

Attachment: Patch v2. (checked in)

Added checking on error output and also checking for error 8030.

Comment 9

[Slavomir Katuscak]

Comment on attachment 371424 [details] [diff] [review]
Patch v2. (checked in)

Checking in chains.sh;
/cvsroot/mozilla/security/nss/tests/chains/chains.sh,v  <--  chains.sh
new revision: 1.16; previous revision: 1.15
done