Last Comment Bug 472319 - Vfychain validates chain even if revoked certificate.
: Vfychain validates chain even if revoked certificate.
Product: NSS
Classification: Components
Component: Tools (show other bugs)
: trunk
: All All
P1 critical (vote)
: 3.12.3
Assigned To: Alexei Volkov
Depends on:
  Show dependency treegraph
Reported: 2009-01-06 08:14 PST by Slavomir Katuscak
Modified: 2009-01-20 16:06 PST (History)
0 users
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---

Example script. (668 bytes, text/plain)
2009-01-06 08:16 PST, Slavomir Katuscak
no flags Details
Fix use of wrong member of the state structure (1.43 KB, patch)
2009-01-07 16:54 PST, Alexei Volkov
nelson: review+
Details | Diff | Splinter Review

Description User image Slavomir Katuscak 2009-01-06 08:14:27 PST
I tried many experiments how to generate CRL and create tests where vfychain would not validate cert because of revoked CRL, but I always got chain validated. I also tried to use this tests for revoked certs generated by, but vfychain again returned positive result even if tests should fail. 

Seems that vfychain CRL check doesn't work or I'm doing something wrong. In first case please fix this ASAP, in second please let me know what I'm doing wrong. 

I prepared short script with steps:
1. Generate DB + CA.
2. Generate EE cert request + sign it + import cert to DB.
3. Verify EE cert (should pass).
4. Revoke EE cert.
5. Verify EE cert again (should fail but passes).

I'm attaching this script, if there is a bug, please send me correct version where second verify check would fail.
Comment 1 User image Slavomir Katuscak 2009-01-06 08:16:52 PST
Created attachment 355587 [details]
Example script.
Comment 2 User image Alexei Volkov 2009-01-07 16:54:54 PST
Created attachment 355893 [details] [diff] [review]
Fix use of wrong member of the state structure

Slavo, please use the patch.

The state structure in pkix_build.c has a couple confusing variable that are pointers to a different certs obtained during chain building. I've misused one of them. state need to be cleaned up, but it will be in the main patch.
Comment 3 User image Slavomir Katuscak 2009-01-08 03:30:36 PST
Alexei, I tried your patch but it didn't help, vfychain still says that chain is OK. Is there any existing main patch that works ?
Comment 4 User image Alexei Volkov 2009-01-08 10:47:40 PST
Slavo, I've forgotten to tell you to replace the word "chain" in your vfychain command to "leaf". EE is a leaf cert, so crl leaf settings should be applied.
Comment 5 User image Alexei Volkov 2009-01-09 16:10:46 PST
Comment on attachment 355893 [details] [diff] [review]
Fix use of wrong member of the state structure

Nelson, please review. 

This bug effects only chains that consist only of two certs with the condition of having an explicit set of trust anchors.

There are two places of misuse both of them however have to do with an attempt of trying to chain to one of the trust anchor. In both cases we found a trusted anchor to which we chain, and we want to check the cert status.

First chunk though related to general case when build function has gone though multiple steps of chain construction and it found a link to a trust anchor. 

In the second chunk the function has found that EE cert is linked to one of the trust anchor directly and now needs to verify revocation status of the cert.
Comment 6 User image Slavomir Katuscak 2009-01-12 09:00:38 PST
So there is another problem, crlutil ignores local time zone - that's why it works in US and doesn't work in Europe. I just reported this as bug 473169.
Comment 7 User image Nelson Bolyard (seldom reads bugmail) 2009-01-13 17:29:50 PST
Comment on attachment 355893 [details] [diff] [review]
Fix use of wrong member of the state structure

Comment 8 User image Alexei Volkov 2009-01-20 16:06:24 PST
Patch is integrated

Note You need to log in before you can comment on or make changes to this bug.