cert_VerifyCertChainPkix returns empty log for self-signed certificate, sec_error_invalid_args result in UI

RESOLVED WORKSFORME

Status

Product: NSS
Component: Libraries
Priority: P1
Severity: major
Status: RESOLVED WORKSFORME
Reported: 10 years ago
Last updated: 7 years ago

People

(Reporter: mayhemer, Assigned: Alexei Volkov)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: PKIX MOZ)

This was revealed, after bug 479393 landed, by a chrome mochitest for bug 413909 which uses a self-signed certificate.

The problem is that the call to PKIX_BuildChain fails when called from cert_VerifyCertChainPkix during server certificate verification. This leads to error code PKIX_NULLARGUMENT and an empty log.

Fix for bug 444404 doesn't help.

I so far discovered this:
- certsFound list in pkix_Build_GatherCerts is empty after the 'while (state->certStoreIndex < state->buildConstants.numCertStores)' cycle
- then in pkix_BuildForwardDepthFirstSearch state->status goes to BUILD_TRYAIA and then to BUILD_AIAPENDING
- BUILD_AIAPENDING branch is not executed because 'state->buildConstants.aiaMgr' is null
- cycle ends and result is pkixErrorCode = PKIX_SECERRORUNKNOWNISSUER
- in cert_VerifyCertChainPkix we then get error with errCode = PKIX_NULLARGUMENT
- the log is empty and nsNSSIOLayer code decides there is nothing wrong with certificate
- get ###!!! ASSERTION: why did NSS call our bad cert handler if all looks good? Let's cancel the connection: 'Not Reached', file d:/mozilla/mozilla-central/security/manager/ssl/src/nsNSSIOLayer.cpp, line 2997

The server certificate for the test is outlined in bug 479393 comment 9.
Priority: -- → P1
Honza, can you supply steps to reproduce that don't involve "mochitest" ?
Honza, did the fix for Bug 484466: 
   sec_error_invalid_args with NSS_ENABLE_PKIX_VERIFY=1
have any impact on this issue?
Whiteboard: PKIX
Target Milestone: --- → 3.12.3
(Assignee)

Updated

9 years ago
Whiteboard: PKIX → PKIX MOZ
(In reply to comment #1)
> Honza, can you supply steps to reproduce that don't involve "mochitest" ?

It probably means to find a server with a self-signed certificate or build the ssltunnel program and chain it with an http server.

(In reply to comment #2)
> Honza, did the fix for Bug 484466: 
>    sec_error_invalid_args with NSS_ENABLE_PKIX_VERIFY=1
> have any impact on this issue?

The patch could not be applied to mozilla-central's nss copy, it's probably for nss cvs trunk, and I cannot find a place where to apply it manually. So, to check it I have to do it with nss trunk and find some other way than mochitest.

Guys, how are you testing nss? Is there some test suite or infrastructure for it where a test for a bug like this could be added? I actually need a server and a program based on nss to test this.
According to bug 479393 comment 20 this looks like it is no longer a reproducible bug.
(Assignee)

Comment 5

9 years ago
(In reply to comment #4)
> According to bug 479393 comment 20 this looks like it is no longer a reproducible bug.
Thanks for checking!

(In reply to comment #3)
> Guys, how are you testing nss? Is there some test suit or infrastructure for it
> where a test for bug like this could be added? I actually need server and a
> program based on nss to test this.
We test nss in a variety of ways, but the part that had the problem related to this bug is mostly tested by vfychain. The suite is called "chains". Please check the examples at nss/tests/chains/scenarios/bridge.cfg. This is a scenario file for the test run by the chains.sh script.

If you need to run an ssl+validation test, you may use a combination of the selfserv and tstclnt programs. Examples of tests can be found in the nss/tests/ssl/ssl.sh script.
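As an added example (not part of this thread or of the NSS test suite), one way to exercise the self-signed case Alexei points at with the NSS tools themselves: certutil builds a throwaway database holding one untrusted self-signed certificate (constructed test data, CN=selfsigned.test) and vfychain validates it through the classic path (-p) and the libpkix path (-pp, the CERT_PKIXVerifyCert route this bug is about). The expected verdict for an untrusted self-signed certificate in both modes is a clean "Chain is bad!" with an issuer error, never an empty log. It assumes certutil and vfychain are on PATH and reports "skipped" otherwise.

```shell
#!/bin/sh
# Added example: validate an untrusted self-signed certificate with NSS tools.
# Assumes certutil and vfychain (nss-tools) are on PATH.

nss_tools_present() {
  command -v certutil >/dev/null 2>&1 && command -v vfychain >/dev/null 2>&1
}

# Create a temporary NSS DB with one self-signed cert (constructed test data)
# and export it as DER. Prints the DB directory on success.
make_self_signed_db() {
  db=$(mktemp -d) || return 1
  head -c 64 /dev/urandom > "$db/noise"
  certutil -N -d "sql:$db" --empty-password >/dev/null 2>&1 || return 1
  # -x: self-signed; -t ",,": no trust flags, so it is NOT a trust anchor
  certutil -S -d "sql:$db" -n selfsigned -s "CN=selfsigned.test" -x -t ",," \
    -k rsa -g 2048 -v 1 -m 1 -z "$db/noise" -Z SHA256 >/dev/null 2>&1 || return 1
  certutil -L -d "sql:$db" -n selfsigned -r > "$db/cert.der" || return 1
  echo "$db"
}

# verify_self_signed MODE: MODE is "-p" (classic CERT_VerifyCertificate) or
# "-pp" (libpkix CERT_PKIXVerifyCert). Prints "good", "bad", "error" or
# "skipped". An untrusted self-signed cert must come back "bad".
verify_self_signed() {
  mode="$1"
  nss_tools_present || { echo skipped; return 0; }
  db=$(make_self_signed_db) || { echo error; return 1; }
  # -u 1 = SSL server usage, the usage checked for a server certificate;
  # -v prints the error code behind a bad verdict.
  out=$(vfychain -d "sql:$db" -u 1 -v $mode "$db/cert.der" 2>&1)
  rm -rf "$db"
  case "$out" in
    *"Chain is good!"*) echo good ;;
    *"Chain is bad!"*)  echo bad ;;
    *)                  echo error ;;
  esac
}

# Usage: show the verdict of both validation paths.
for m in -p -pp; do
  echo "vfychain $m: $(verify_self_signed $m)"
done
```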
(Assignee)

Comment 6

9 years ago
No longer a reproducible bug. Closing...
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → WORKSFORME