Closed Bug 472319 Opened 15 years ago Closed 15 years ago

Vfychain validates chain even if revoked certificate.

Categories

(NSS :: Tools, defect, P1)

defect

Tracking

(Not tracked)

RESOLVED FIXED
3.12.3

People

(Reporter: slavomir.katuscak+mozilla, Assigned: alvolkov.bgs)

Details

(Whiteboard: PKIX SUN_MUST_HAVE)

Attachments

(2 files)

I tried many experiments how to generate CRL and create tests where vfychain would not validate cert because of revoked CRL, but I always got chain validated. I also tried to use this tests for revoked certs generated by cert.sh, but vfychain again returned positive result even if tests should fail. 

Seems that vfychain CRL check doesn't work or I'm doing something wrong. In first case please fix this ASAP, in second please let me know what I'm doing wrong. 

I prepared short script with steps:
1. Generate DB + CA.
2. Generate EE cert request + sign it + import cert to DB.
3. Verify EE cert (should pass).
4. Revoke EE cert.
5. Verify EE cert again (should fail but passes).

I'm attaching this script, if there is a bug, please send me correct version where second verify check would fail.
Attached file Example script.
Slavo, please use the patch.

The state structure in pkix_build.c has a couple confusing variable that are pointers to a different certs obtained during chain building. I've misused one of them. state need to be cleaned up, but it will be in the main patch.
Alexei, I tried your patch but it didn't help, vfychain still says that chain is OK. Is there any existing main patch that works ?
Slavo, I've forgotten to tell you to replace the word "chain" in your vfychain command to "leaf". EE is a leaf cert, so crl leaf settings should be applied.
Priority: -- → P1
Whiteboard: PKIX SUN_MUST_HAVE
Comment on attachment 355893 [details] [diff] [review]
Fix use of wrong member of the state structure

Nelson, please review. 

This bug effects only chains that consist only of two certs with the condition of having an explicit set of trust anchors.

There are two places of misuse both of them however have to do with an attempt of trying to chain to one of the trust anchor. In both cases we found a trusted anchor to which we chain, and we want to check the cert status.

First chunk though related to general case when build function has gone though multiple steps of chain construction and it found a link to a trust anchor. 

In the second chunk the function has found that EE cert is linked to one of the trust anchor directly and now needs to verify revocation status of the cert.
Attachment #355893 - Attachment description: Fix use of wrong member of the state structure(not for review) → Fix use of wrong member of the state structure
Attachment #355893 - Flags: review?(nelson)
So there is another problem, crlutil ignores local time zone - that's why it works in US and doesn't work in Europe. I just reported this as bug 473169.
Comment on attachment 355893 [details] [diff] [review]
Fix use of wrong member of the state structure

r=nelson
Attachment #355893 - Flags: review?(nelson) → review+
Patch is integrated
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.