Closed Bug 473944 Opened 15 years ago Closed 15 years ago

Trust anchor is not trusted when requireFreshInfo flag is set.

Categories

(NSS :: Tools, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED
3.12.3

People

(Reporter: slavomir.katuscak+mozilla, Assigned: alvolkov.bgs)

Details

(Whiteboard: PKIX)

Attachments

(4 files, 6 obsolete files)

Root cert is NOT revoked - when I set the leaf test and check only the root cert, I get 2 errors: one that the root is revoked and one that it's not trusted (even if set as the trust anchor). Both of these errors are wrong.

vfychain -d AllDB -pp -vv  -g leaf -h requireFreshInfo -m crl    Root.der  -t Root.der
Chain is bad, -8172 = Peer's certificate issuer has been marked as not trusted by the user.
PROBLEM WITH THE CERT CHAIN:
CERT 1. Root [Certificate Authority]:
  ERROR -8180: Peer's Certificate has been revoked.
  ERROR -8172: Peer's certificate issuer has been marked as not trusted by the user.
    CN=Root ROOT CA,O=Root,C=US

When I set chain instead of leaf, it's OK when I test only this one cert. But when there is a chain of more certs, I still receive the message that the root is not trusted:

vfychain -d AllDB -pp -vv  -g chain -h requireFreshInfo -m crl    EE12CA1.der  -t Root.der
Chain is bad, -8172 = Peer's certificate issuer has been marked as not trusted by the user.
PROBLEM WITH THE CERT CHAIN:
CERT 4. Root [Certificate Authority]:
  ERROR -8172: Peer's certificate issuer has been marked as not trusted by the user.
    CN=Root ROOT CA,O=Root,C=US

Without the requireFreshInfo flag, CRL info from CA databases other than the main DB set by the -d parameter is not fetched, and revoked certificates are not recognized as revoked.
Alexei, please try to run this test config (it would work with the patch from bug 473790). There are 2 problems: the trust anchor is not trusted (it seems that the message that Root is not trusted is there even if it is not set as the trust anchor), and certificate EE1, which is not revoked, is marked as revoked.

I need to know if my steps are wrong, or if there is a bug in code. Thanks.
Slavo, please try this patch. You should get cert revoked status in both cases.
The patch removes a bunch of duplicate code and makes sure libpkix returns a proper error.

The cert is considered to be revoked because you requested that it be treated as revoked if no fresh info is available in the db. So, since you have not installed a CRL into it -> there is no fresh revocation info in the db -> the cert is reported as revoked.
Attachment #357883 - Attachment is obsolete: true
(In reply to comment #3)
> The cert is considered to be revoked, because you requested to make it revoked
> if there is not fresh info is available in db. So, since you have not installed
> crl into it -> there is not fresh revocation info in the db -> cert reported as
> revoked.

I don't really understand this. Where should I install the CRL, and how? If I set some cert as a trust anchor, it should mean that I trust this cert, so how is it possible that it's reported as revoked?
(In reply to comment #4)
> (In reply to comment #3)
> I don't really understand this. Where should I install crl and how ? If I set
> some cert as trust anchor it should mean that I trust this cert, so how it's
> possible that it's reported as revoked ?

Have you applied the patch? I guess not.

By specifying the "requireFreshInfo" flag, you have asked libpkix to revoke the cert if there is no fresh/current revocation information available. There was no CRL and no OCSP information, so the cert was considered to be revoked. It has nothing to do with trust.

The error message that you see is confusing. The patch should fix it.
Attachment #357888 - Attachment description: Patch v2 - remove dup code(Not for review) → Patch v2 - simplify code by removing duplicated block of code.
Attachment #357888 - Flags: review?(nelson)
Attachment #357888 - Flags: review?(nelson)
Attached patch Patch v3 - code clean up (obsolete)
This simplifies chain checks against user-defined trust anchors. Patch v2 was based on the assumption that all certs are placed in the trust domain temporary cache, which is not the case.

This patch fixes the problem that patch v2 has by adding the trust anchor that passed the validation criteria to the beginning of the candidate cert list.
Attachment #357888 - Attachment is obsolete: true
Attachment #358439 - Flags: review?(nelson)
Whiteboard: PKIX
Attachment #358439 - Attachment is obsolete: true
Attachment #360215 - Flags: review?(nelson)
Attachment #358439 - Flags: review?(nelson)
Attachment #360215 - Attachment is obsolete: true
Attachment #360333 - Flags: review?(nelson)
Attachment #360215 - Flags: review?(nelson)
Attachment #360334 - Flags: review?(nelson)
Attachment #360333 - Flags: review?(nelson) → review+
Comment on attachment 360333 [details] [diff] [review]
Patch v5 (v4 against old file revision) - fixes for the problems found during the review

r=nelson
Attachment #360334 - Attachment is obsolete: true
Attachment #360537 - Flags: review?(nelson)
Attachment #360334 - Flags: review?(nelson)
Attachment #360537 - Attachment is obsolete: true
Attachment #360538 - Flags: review?(nelson)
Attachment #360537 - Flags: review?(nelson)
Comment on attachment 360538 [details] [diff] [review]
Patch v3 - Additional changes required by patch v5

r=nelson, assuming that all the NSS tests still pass with this change.
Attachment #360538 - Flags: review?(nelson) → review+
committed.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
After two sets of certs (trusted and not trusted) are found, we need to make sure that the merged list has only one copy of each certificate. Preference goes to a certificate from the list of user trusted anchors.
Attachment #364982 - Flags: review?(nelson)
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
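As an added illustration, not code from NSS, libpkix or anyone in this thread, the following Python models the two points argued above: comment 5's reading of requireFreshInfo (no current CRL for an issuer is itself a revoked verdict, decided independently of trust, so a user trust anchor with no CRL gets -8180 but never -8172) and the supplementary patch's merge rule (one copy of each certificate, with the user trust anchor copy preferred over the DB copy). The three-cert chain, serial numbers and the "source" label are constructed for the example; only the Root DN and the two error codes are taken from the vfychain output quoted earlier.

```python
"""Simplified model of two behaviours discussed in bug 473944.
Illustrative code only; it is not libpkix or vfychain code."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

# Error codes exactly as printed by vfychain in the output quoted in the bug.
SEC_ERROR_REVOKED_CERTIFICATE = -8180
SEC_ERROR_UNTRUSTED_ISSUER = -8172


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    # Origin of this copy (hypothetical label); excluded from equality and
    # hashing so the same certificate from two stores de-duplicates.
    source: str = field(default="db", compare=False)


@dataclass(frozen=True)
class CRL:
    issuer: str
    revoked_serials: FrozenSet[int]


def merge_candidates(trusted: List[Cert], untrusted: List[Cert]) -> List[Cert]:
    """Merge rule from the supplementary patch: one copy per certificate,
    and the user-supplied trust anchor wins over the copy found in the DB."""
    merged: List[Cert] = []
    seen = set()
    for cert in list(trusted) + list(untrusted):
        if cert in seen:
            continue
        seen.add(cert)
        merged.append(cert)
    return merged


def revocation_status(cert: Cert, crls: Dict[str, CRL],
                      require_fresh_info: bool) -> Optional[int]:
    """Comment 5's rule: with requireFreshInfo, a missing CRL for the issuer is
    itself a revoked verdict; without the flag, missing info is accepted."""
    crl = crls.get(cert.issuer)
    if crl is None:
        return SEC_ERROR_REVOKED_CERTIFICATE if require_fresh_info else None
    if cert.serial in crl.revoked_serials:
        return SEC_ERROR_REVOKED_CERTIFICATE
    return None


def check_chain(chain: List[Cert], anchors: List[Cert], crls: Dict[str, CRL],
                require_fresh_info: bool) -> List[Tuple[str, int]]:
    """Return (subject, error) pairs, leaf first, like vfychain's PROBLEM list.
    Trust and revocation are decided independently of each other."""
    problems: List[Tuple[str, int]] = []
    anchor_set = set(anchors)
    for i, cert in enumerate(chain):
        has_issuer = i + 1 < len(chain) and chain[i + 1].subject == cert.issuer
        if cert not in anchor_set and not has_issuer:
            problems.append((cert.subject, SEC_ERROR_UNTRUSTED_ISSUER))
        err = revocation_status(cert, crls, require_fresh_info)
        if err is not None:
            problems.append((cert.subject, err))
    return problems


# Constructed sample chain; only the Root DN is taken from the bug's output.
ROOT = Cert("CN=Root ROOT CA,O=Root,C=US", "CN=Root ROOT CA,O=Root,C=US", 1)
CA1 = Cert("CN=CA1,O=Root,C=US", ROOT.subject, 2)
EE1 = Cert("CN=EE1,O=Root,C=US", CA1.subject, 3)
CHAIN = [EE1, CA1, ROOT]
USER_ANCHOR = Cert(ROOT.subject, ROOT.issuer, ROOT.serial, source="user-anchor")
FRESH_CRLS = {
    ROOT.subject: CRL(ROOT.subject, frozenset()),
    CA1.subject: CRL(CA1.subject, frozenset()),
}
CA1_ON_CRL = {**FRESH_CRLS, ROOT.subject: CRL(ROOT.subject, frozenset({2}))}


def demo() -> Dict[str, object]:
    return {
        # Root alone, flag set, no CRL: revoked verdict, but no untrusted issuer.
        "root_no_crl_fresh": check_chain([ROOT], [USER_ANCHOR], {}, True),
        # Same without the flag: the missing CRL is not an error.
        "root_no_crl": check_chain([ROOT], [USER_ANCHOR], {}, False),
        # Full chain with current CRLs from both issuers: clean.
        "chain_fresh": check_chain(CHAIN, [USER_ANCHOR], FRESH_CRLS, True),
        # Root's CRL lists CA1: only CA1 is reported revoked.
        "ca1_revoked": check_chain(CHAIN, [USER_ANCHOR], CA1_ON_CRL, True),
        # No user anchor at all: the root, and only the root, is untrusted.
        "no_anchor": check_chain(CHAIN, [], FRESH_CRLS, True),
        # Merge: Root appears once and the user-anchor copy is the one kept.
        "merged": merge_candidates([USER_ANCHOR], [ROOT, CA1]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The model keeps the trust decision (is the top of the chain a user anchor?) and the revocation decision (is there current CRL data, and does it list the serial?) on separate code paths, which is what the thread's fix is about: the "root is revoked" verdict under requireFreshInfo is the requested fail-closed behaviour, while "-8172 untrusted issuer" for a cert that was passed with -t is the bug.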
Comment on attachment 364982 [details] [diff] [review]
Supl patch v1 - new changes required by main patch

r=nelson
Attachment #364982 - Flags: review?(nelson) → review+
Status: REOPENED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED