Closed Bug 481656 Opened 15 years ago Closed 4 years ago

Change cert viewer to validate/build cert chains the same way they are used for trust decisions

Categories

(Core :: Security: PSM, enhancement, P3)

x86
Linux
enhancement

Tracking

()

RESOLVED WORKSFORME

People

(Reporter: KaiE, Unassigned)

References

Details

(Whiteboard: [psm-cert-manager][psm-backlog])

Cert viewer displays the chain to the issuer.

Nowadays there maybe be multiple possible chains, and the chain using the classic NSS code might display the "wrong chain".

The "right chain" is the one that will be prefered by NSS libPKIX verification code, the chain that resulted in a successful verification.

Bug 479393 is supposed to change all of PSM's verifications to make use of the new libPKIX verif. engine.

The displayed chain should be identical to the chain used when verifying the cert.
Implementing this will require changing the way that PSM gets the cert 
chain it displays.  The existing NSS methods for getting/constructing a 
cert chain, including 
- repeated calls to CERT_FindCertIssuer (as done by CERT_GetCertChainFromCert)
- a single call  to CERT_GetCertChainFromCert
- a single call  to CERT_CertChainFromCert
all have the properties that
- they do not require the chain to be complete or valid
- they may return incomplete and/or invalid chains
- they do not necessarily return the same chain as validated by libPKIX.

IMO, the only way to get a cert chain that is the one validated by libPKIX
is to have libPKIX output that chain as a side effect of doing a chain 
validation.  Obviously, it will be necessary to use the new 
CERT_PKIXVerifyCert API to get this output, as the old API has no way to 
output it.  

I don't recall whether CERT_PKIXVerifyCert already has a way to output the
validated chain, or not.  If not, we would need to add that capability. 
That would necessitate an NSS RFE which would block this PSM RFE. 

Alexei, can you enlighten us about that question/issue?
Does CERT_PKIXVerifyCert already have a way to output the verified chain?
Also, Does it have a way to output an unverified chain?
Assignee: kaie → nobody
Whiteboard: [psm-cert-manager]
Ideally this bug should have a patch at the same time as 479393 gets done. Adding dependency.
Blocks: psm-pkix
No longer blocks: psm-pkix
When libpkix is enabled, the libpkix-based path building and/or validation logic must be used. When libpkix is disabled, the non-libpkix path building and/or validation logic must be used.

The certificate viewer already potentially displays EV certificate chains (which are always built using libpkix already) differently than the code that makes trust decisions in PSM, basically because of bug 650307.

> Does CERT_PKIXVerifyCert already have a way to output the verified chain?

Yes, it does.

> Does it have a way to output an unverified chain?

This still needs to be investigated.
Depends on: 650307
Summary: Change cert viewer to obtain displayed cert chain using libpkix → Change cert viewer to validate/build a cert chains the same way they are used for trust decisions
Summary: Change cert viewer to validate/build a cert chains the same way they are used for trust decisions → Change cert viewer to validate/build cert chains the same way they are used for trust decisions
Assignee: nobody → bsmith
Brian and I think this does not block "switch to pkix by default", but it should be fixed soon; moving it to a tracker bug for major PKIX related issues.
Blocks: pkix-major
No longer blocks: pkix-default
Assignee: bsmith → nobody
Whiteboard: [psm-cert-manager] → [psm-cert-manager][psm-backlog]

The new certificate viewer shows either the validated chain from the connection (if successful) or the chain sent by the server (if verification was unsuccessful).

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.