Note: There are a few cases of duplicates in user autocompletion which are being worked on.

Vfychain validates chain even if revoked certificate.

RESOLVED FIXED in 3.12.3

Status

NSS
Tools
P1
critical
RESOLVED FIXED
9 years ago
9 years ago

People

(Reporter: Slavomir Katuscak, Assigned: Alexei Volkov)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: PKIX SUN_MUST_HAVE)

Attachments

(2 attachments)

(Reporter)

Description

9 years ago
I tried many experiments how to generate CRL and create tests where vfychain would not validate cert because of revoked CRL, but I always got chain validated. I also tried to use this tests for revoked certs generated by cert.sh, but vfychain again returned positive result even if tests should fail. 

Seems that vfychain CRL check doesn't work or I'm doing something wrong. In first case please fix this ASAP, in second please let me know what I'm doing wrong. 

I prepared short script with steps:
1. Generate DB + CA.
2. Generate EE cert request + sign it + import cert to DB.
3. Verify EE cert (should pass).
4. Revoke EE cert.
5. Verify EE cert again (should fail but passes).

I'm attaching this script, if there is a bug, please send me correct version where second verify check would fail.
(Reporter)

Comment 1

9 years ago
Created attachment 355587 [details]
Example script.
(Assignee)

Comment 2

9 years ago
Created attachment 355893 [details] [diff] [review]
Fix use of wrong member of the state structure

Slavo, please use the patch.

The state structure in pkix_build.c has a couple confusing variable that are pointers to a different certs obtained during chain building. I've misused one of them. state need to be cleaned up, but it will be in the main patch.
(Reporter)

Comment 3

9 years ago
Alexei, I tried your patch but it didn't help, vfychain still says that chain is OK. Is there any existing main patch that works ?
(Assignee)

Comment 4

9 years ago
Slavo, I've forgotten to tell you to replace the word "chain" in your vfychain command to "leaf". EE is a leaf cert, so crl leaf settings should be applied.
(Assignee)

Updated

9 years ago
Priority: -- → P1
Whiteboard: PKIX SUN_MUST_HAVE
(Assignee)

Comment 5

9 years ago
Comment on attachment 355893 [details] [diff] [review]
Fix use of wrong member of the state structure

Nelson, please review. 

This bug effects only chains that consist only of two certs with the condition of having an explicit set of trust anchors.

There are two places of misuse both of them however have to do with an attempt of trying to chain to one of the trust anchor. In both cases we found a trusted anchor to which we chain, and we want to check the cert status.

First chunk though related to general case when build function has gone though multiple steps of chain construction and it found a link to a trust anchor. 

In the second chunk the function has found that EE cert is linked to one of the trust anchor directly and now needs to verify revocation status of the cert.
Attachment #355893 - Attachment description: Fix use of wrong member of the state structure(not for review) → Fix use of wrong member of the state structure
Attachment #355893 - Flags: review?(nelson)
(Reporter)

Comment 6

9 years ago
So there is another problem, crlutil ignores local time zone - that's why it works in US and doesn't work in Europe. I just reported this as bug 473169.
Comment on attachment 355893 [details] [diff] [review]
Fix use of wrong member of the state structure

r=nelson
Attachment #355893 - Flags: review?(nelson) → review+
(Assignee)

Comment 8

9 years ago
Patch is integrated
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.