Closed Bug 472319
Opened 15 years ago
Closed 15 years ago
Vfychain validates chain even if certificate is revoked.
Categories: NSS :: Tools, defect, P1
Status: RESOLVED FIXED (3.12.3)
People: Reporter: slavomir.katuscak+mozilla, Assigned: alvolkov.bgs
Whiteboard: PKIX SUN_MUST_HAVE
Attachments (2 files):
- 668 bytes, text/plain
- 1.43 KB, patch (nelson: review+)
I tried many experiments with how to generate a CRL and create tests where vfychain would not validate a cert because it is revoked in the CRL, but I always got the chain validated. I also tried to use these tests for the revoked certs generated by cert.sh, but vfychain again returned a positive result even though the tests should fail. It seems that the vfychain CRL check doesn't work, or I'm doing something wrong. In the first case please fix this ASAP; in the second please let me know what I'm doing wrong. I prepared a short script with these steps:
1. Generate DB + CA.
2. Generate EE cert request + sign it + import cert to DB.
3. Verify EE cert (should pass).
4. Revoke EE cert.
5. Verify EE cert again (should fail but passes).
I'm attaching this script; if there is a bug, please send me a correct version where the second verify check would fail.
Reporter, Comment 1 • 15 years ago

Assignee, Comment 2 • 15 years ago
Slavo, please use the patch. The state structure in pkix_build.c has a couple of confusing variables that are pointers to different certs obtained during chain building. I've misused one of them. The state needs to be cleaned up, but it will be in the main patch.
Reporter, Comment 3 • 15 years ago
Alexei, I tried your patch but it didn't help; vfychain still says that the chain is OK. Is there any existing main patch that works?
Assignee, Comment 4 • 15 years ago
Slavo, I forgot to tell you to replace the word "chain" in your vfychain command with "leaf". EE is a leaf cert, so the CRL leaf settings should be applied.
Assignee, Updated • 15 years ago
Priority: -- → P1
Whiteboard: PKIX SUN_MUST_HAVE
Assignee, Comment 5 • 15 years ago
Comment on attachment 355893 [details] [diff] [review] Fix use of wrong member of the state structure

Nelson, please review. This bug affects only chains that consist of only two certs, with the condition of having an explicit set of trust anchors. There are two places of misuse; both of them, however, have to do with an attempt to chain to one of the trust anchors. In both cases we found a trusted anchor to which we chain, and we want to check the cert status. The first chunk, though, relates to the general case when the build function has gone through multiple steps of chain construction and found a link to a trust anchor. In the second chunk the function has found that the EE cert is linked to one of the trust anchors directly and now needs to verify the revocation status of the cert.
Attachment #355893 - Attachment description: Fix use of wrong member of the state structure (not for review) → Fix use of wrong member of the state structure
Attachment #355893 - Flags: review?(nelson)
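The reporter's five steps and the misuse Alexei describes in comment 5, as an added simplified model written for this page (not NSS code; `Cert`, `build_chain`, the `buggy` switch and the constructed CA/EE/CRL data are all assumptions): a revoked EE that chains directly to an explicit trust anchor still validates when the status check is run against the wrong member of the builder state.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int

def is_revoked(cert, crls):
    """CRL lookup for one cert: the CRL to consult is the one issued by cert.issuer."""
    return cert.serial in crls.get(cert.issuer, set())

def build_chain(leaf, certs, anchors, crls, buggy=False):
    """Chain from leaf towards an explicit trust anchor, checking CRL status on the way.
    Returns (chain, reason). With buggy=True the branch that links to a trust anchor
    checks the anchor just found instead of the cert being chained from (comment 5).
    """
    by_subject = {c.subject: c for c in list(certs) + list(anchors)}
    anchor_names = {a.subject for a in anchors}
    chain, current = [leaf], leaf
    for _ in range(len(by_subject)):  # bounded walk, so a cycle cannot loop forever
        issuer = by_subject.get(current.issuer)
        if issuer is None:
            return None, "no issuer found for " + current.subject
        if issuer.subject in anchor_names:
            # Linked to a trust anchor: the status that matters is current's, not the anchor's
            checked = issuer if buggy else current
            if is_revoked(checked, crls):
                return None, checked.subject + " is revoked"
            return chain + [issuer], "ok"
        if is_revoked(current, crls):  # ordinary step: check the cert we chain from
            return None, current.subject + " is revoked"
        chain.append(issuer)
        current = issuer
    return None, "chain too long"

# Constructed data mirroring the reporter's steps: self-signed CA as the explicit
# trust anchor, EE issued by it with serial 2, and a CA CRL that revokes serial 2.
CA = Cert("CN=Test CA", "CN=Test CA", 1)
EE = Cert("CN=EE", "CN=Test CA", 2)
CRLS = {"CN=Test CA": {2}}

if __name__ == "__main__":
    print(build_chain(EE, [EE], [CA], {}))                # step 3: passes
    print(build_chain(EE, [EE], [CA], CRLS, buggy=True))  # step 5 with the bug: still passes
    print(build_chain(EE, [EE], [CA], CRLS))              # step 5 fixed: EE is revoked
```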
Reporter, Comment 6 • 15 years ago
So there is another problem: crlutil ignores the local time zone, which is why it works in the US and doesn't work in Europe. I just reported this as bug 473169.
Comment 7 • 15 years ago
Comment on attachment 355893 [details] [diff] [review] Fix use of wrong member of the state structure

r=nelson
Attachment #355893 - Flags: review?(nelson) → review+
Assignee, Comment 8 • 15 years ago
Patch is integrated.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED