Closed
Bug 481656
Opened 16 years ago
Closed 5 years ago
Change cert viewer to validate/build cert chains the same way they are used for trust decisions
Categories
(Core :: Security: PSM, enhancement, P3)
RESOLVED
WORKSFORME
People
(Reporter: KaiE, Unassigned)
Details
(Whiteboard: [psm-cert-manager][psm-backlog])
Cert viewer displays the chain to the issuer.
Nowadays there may be multiple possible chains, and the chain built using the classic NSS code might display the "wrong chain".
The "right chain" is the one that will be preferred by the NSS libPKIX verification code, the chain that resulted in a successful verification.
Bug 479393 is supposed to change all of PSM's verifications to make use of the new libPKIX verif. engine.
The displayed chain should be identical to the chain used when verifying the cert.
Comment 1 • 16 years ago
Implementing this will require changing the way that PSM gets the cert
chain it displays. The existing NSS methods for getting/constructing a
cert chain, including
- repeated calls to CERT_FindCertIssuer (as done by CERT_GetCertChainFromCert)
- a single call to CERT_GetCertChainFromCert
- a single call to CERT_CertChainFromCert
all have the properties that
- they do not require the chain to be complete or valid
- they may return incomplete and/or invalid chains
- they do not necessarily return the same chain as validated by libPKIX.
IMO, the only way to get a cert chain that is the one validated by libPKIX
is to have libPKIX output that chain as a side effect of doing a chain
validation. Obviously, it will be necessary to use the new
CERT_PKIXVerifyCert API to get this output, as the old API has no way to
output it.
I don't recall whether CERT_PKIXVerifyCert already has a way to output the
validated chain, or not. If not, we would need to add that capability.
That would necessitate an NSS RFE which would block this PSM RFE.
Alexei, can you enlighten us about that question/issue?
Does CERT_PKIXVerifyCert already have a way to output the verified chain?
Also, does it have a way to output an unverified chain?
Updated • 14 years ago
Assignee: kaie → nobody
Whiteboard: [psm-cert-manager]
Comment 2 • 14 years ago
Ideally this bug should have a patch at the same time as 479393 gets done. Adding dependency.
Blocks: psm-pkix
Updated • 14 years ago
Blocks: pkix-default
Comment 3 • 14 years ago
When libpkix is enabled, the libpkix-based path building and/or validation logic must be used. When libpkix is disabled, the non-libpkix path building and/or validation logic must be used.
The certificate viewer already potentially displays EV certificate chains (which are always built using libpkix already) differently than the code that makes trust decisions in PSM, basically because of bug 650307.
> Does CERT_PKIXVerifyCert already have a way to output the verified chain?
Yes, it does.
> Does it have a way to output an unverified chain?
This still needs to be investigated.
Depends on: 650307
Summary: Change cert viewer to obtain displayed cert chain using libpkix → Change cert viewer to validate/build a cert chains the same way they are used for trust decisions
Updated • 14 years ago
Summary: Change cert viewer to validate/build a cert chains the same way they are used for trust decisions → Change cert viewer to validate/build cert chains the same way they are used for trust decisions
Updated • 14 years ago
Assignee: nobody → bsmith
Comment 4 • 13 years ago
Brian and I think this does not block "switch to pkix by default", but it should be fixed soon; moving it to a tracker bug for major PKIX related issues.
Updated • 13 years ago
Assignee: bsmith → nobody
Updated • 9 years ago
Whiteboard: [psm-cert-manager] → [psm-cert-manager][psm-backlog]
Updated • 7 years ago
Priority: -- → P3
Comment 7 • 5 years ago
The new certificate viewer shows either the validated chain from the connection (if successful) or the chain sent by the server (if verification was unsuccessful).
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → WORKSFORME
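The mismatch described in Comment 1 (an issuer-lookup walk that never checks validity can return a different chain than the one libPKIX actually validated) and the policy settled on in Comment 7 (show the validated chain when verification succeeds, otherwise the chain the server sent) can be modelled without any real PKI. The following is an added example, not NSS or PSM code: certificates are plain records, issuer matching stands in for signature verification, and the store contents, names (`Old Root`, `New Root`, `Int CA`, `www.example.test`) and integer "times" are all constructed for illustration.

```python
"""Toy model of cert-chain building vs. validation (constructed example, not NSS code).

Certificates are plain records; "signature verification" is simulated by matching the
issuer name and key identifier, so the script runs offline with no crypto library.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key_id: str       # identifier of this cert's public key
    auth_key_id: str  # identifier of the key that signed this cert
    not_after: int    # expiry as a simple integer "time"


# Constructed store: "Int CA" is cross-signed by two roots. The copy chaining to
# "Old Root" leads to an expired root; the copy chaining to "New Root" is valid.
STORE: List[Cert] = [
    Cert("Old Root", "Old Root", "k-old", "k-old", not_after=2010),  # expired root
    Cert("New Root", "New Root", "k-new", "k-new", not_after=2040),
    Cert("Int CA", "Old Root", "k-int", "k-old", not_after=2030),    # cross-sign #1
    Cert("Int CA", "New Root", "k-int", "k-new", not_after=2030),    # cross-sign #2
]
TRUST_ANCHORS = {"Old Root", "New Root"}  # both roots are still in the trust store


def find_issuers(cert: Cert, store: List[Cert]) -> List[Cert]:
    """All store certs whose subject and key id could have issued `cert`."""
    return [c for c in store if c.subject == cert.issuer and c.key_id == cert.auth_key_id]


def naive_chain(leaf: Cert, store: List[Cert]) -> List[Cert]:
    """Mimics a CERT_GetCertChainFromCert-style walk: take the first issuer found,
    stop at a self-issued cert, and never check validity or trust. The result may
    be incomplete, expired, or simply not the chain a validator would accept."""
    chain = [leaf]
    cur = leaf
    while cur.subject != cur.issuer:
        candidates = find_issuers(cur, store)
        if not candidates:
            break  # an incomplete chain is returned as-is
        cur = candidates[0]
        chain.append(cur)
    return chain


def validated_chain(leaf: Cert, store: List[Cert], now: int) -> Optional[List[Cert]]:
    """Path building driven by validation: explore every issuer candidate and return
    the first chain in which every cert is unexpired and the top is a trust anchor.
    Returning the chain as a by-product of validation is exactly what Comment 1
    asks the verifier API to do."""
    def build(cur: Cert, chain: List[Cert]) -> Optional[List[Cert]]:
        if cur.not_after < now:
            return None  # expired cert: this path is dead
        if cur.subject == cur.issuer:
            return chain if cur.subject in TRUST_ANCHORS else None
        for issuer in find_issuers(cur, store):
            if issuer in chain:
                continue  # guard against cross-signing loops
            result = build(issuer, chain + [issuer])
            if result:
                return result
        return None
    return build(leaf, [leaf])


def chain_for_viewer(leaf: Cert, server_sent: List[Cert], store: List[Cert], now: int):
    """Comment 7 policy: show the validated chain when verification succeeded,
    otherwise show the chain the server actually sent, labelled as such."""
    chain = validated_chain(leaf, store, now)
    return ("validated", chain) if chain else ("as-sent", server_sent)


if __name__ == "__main__":
    leaf = Cert("www.example.test", "Int CA", "k-leaf", "k-int", not_after=2035)
    print("naive    :", [f"{c.subject} <- {c.issuer}" for c in naive_chain(leaf, STORE)])
    print("validated:", [f"{c.subject} <- {c.issuer}" for c in validated_chain(leaf, STORE, 2025)])
    print("viewer   :", chain_for_viewer(leaf, [leaf], STORE, 2045)[0])
```

Run as a script, the naive walk terminates at the expired `Old Root` (it happened to be first in the store) while the validation-driven build returns the `New Root` path that actually satisfied the trust decision; the viewer helper falls back to the server-sent certificates once no valid path exists at all. Which of the two `Int CA` records appears in the display is the kind of difference the bug is about.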