Open Bug 482471 Opened 16 years ago Updated 1 year ago

Vfychain doesn't find alternative cert path if one is not accessible.

Categories

(NSS :: Libraries, enhancement, P5)

enhancement

Tracking

(Not tracked)

People

(Reporter: slavomir.katuscak+mozilla, Unassigned)

Details

Attachments

(2 files)

Scenario:

RootCA->CA1->Bridge->EE1
      ->CA2-^

Both CAs are signed by Root CA, CA2 has a newer issuing time than CA1, and Bridge is signed by both CAs using AIA; for CA1 the AIA path is correct, for CA2 it points to a non-existing file. When trying to check the EE1 certificate, vfychain returns unpredictable results: sometimes it passes, sometimes it fails.
Attached file Scenario file.
Scenario file to reproduce. To test, copy it to nss/tests/chains/scenarios and set nss/tests/chains/scenarios/scenarios to test only this file. Results are unpredictable: sometimes it passes, sometimes it fails. It looks like the algorithm randomly picks which path to choose (which CA to use to verify the path), and if the one with the invalid AIA is chosen, it doesn't try the second one.
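The behavior described in the report above, as an added Python model that is not part of the bug report and is not NSS code. It assumes the CA1 and CA2 certificates can only be obtained through AIA, treats the order in which the two Bridge certificates are tried as a parameter, and uses constructed names and URLs throughout.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    aia: Optional[str] = None  # URL for fetching the issuer's certificate

TRUST_ANCHORS = {"RootCA"}
# Constructed local store: EE1 plus the two Bridge certificates (one per issuing CA).
LOCAL = [
    Cert("EE1", "Bridge"),
    Cert("Bridge", "CA1", aia="http://aia.example/CA1.der"),
    Cert("Bridge", "CA2", aia="http://aia.example/missing.der"),
]
# What the constructed AIA server serves; the CA2 URL is absent on purpose.
AIA_SERVER = {"http://aia.example/CA1.der": Cert("CA1", "RootCA")}

def issuer_candidates(cert, order):
    """Certificates that could have issued `cert`: local store first, then AIA."""
    found = [c for c in LOCAL if c.subject == cert.issuer]
    # `order` decides which of several candidates is tried first (an assumption).
    found.sort(key=lambda c: order.index(c.issuer) if c.issuer in order else len(order))
    fetched = AIA_SERVER.get(cert.aia)  # None models an unreachable AIA location
    if not found and fetched is not None and fetched.subject == cert.issuer:
        found = [fetched]
    return found

def build_path(cert, order, backtrack, path=()):
    """Depth-first path building; returns the chain as strings, or None."""
    path = path + (cert,)
    if cert.issuer in TRUST_ANCHORS:
        return [c.subject + "<-" + c.issuer for c in path]
    for cand in issuer_candidates(cert, order):
        if cand in path:  # avoid loops
            continue
        result = build_path(cand, order, backtrack, path)
        # Without backtracking, the first candidate's outcome is final.
        if result is not None or not backtrack:
            return result
    return None

if __name__ == "__main__":
    ee1 = LOCAL[0]
    print(build_path(ee1, ["CA1", "CA2"], backtrack=False))  # CA1 branch first
    print(build_path(ee1, ["CA2", "CA1"], backtrack=False))  # CA2 branch first
    print(build_path(ee1, ["CA2", "CA1"], backtrack=True))   # falls back to CA1
```

With backtracking disabled the result depends only on which Bridge certificate is tried first, which matches the pass/fail variation reported; with backtracking the dead AIA branch is abandoned and the CA1 path is found.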
Slavo, please provide the full vfyserv commands for a sample run that fails and for a sample run that succeeds.
Attached file Logs from testing.
I'm attaching logs from 2 runs of the same tests including all commands + input data, once it passed, once it failed.
This bug report contains neither a vfychain command nor the sample certs with which to reproduce it. Consequently, one cannot know if it is a libraries bug, or a tools bug, and if it is high priority or low. So, I am removing the target milestone. If it's still in this state at the end of April, I will resolve it as incomplete.
Target Milestone: 3.12.3 → ---

The bug assignee is inactive on Bugzilla, so the assignee is being reset.

Assignee: alvolkov.bgs → nobody
Severity: normal → S3
Severity: S3 → N/A
Type: defect → enhancement
Priority: -- → P5