Closed Bug 491174 Opened 12 years ago Closed 12 years ago

CERT_PKIXVerifyCert reports wrong error code when EE cert is expired

Categories

(NSS :: Libraries, defect, P1)

3.12.3
defect

Tracking

(Not tracked)

RESOLVED FIXED
3.12.4

People

(Reporter: nelson, Assigned: alvolkov.bgs)

Details

(Whiteboard: PKIX)

Attachments

(1 file)

When an EE cert is expired, the most important result to report is that fact.
But libPKIX returns -8164 = This certificate is not valid.

To demonstrate this, use the recently expired www.paypal.com cert and this 
command:

vfychain -d AllDB -pp -vv -o OID.2.16.840.1.113733.1.7.23.6 .../PayPalEE.cert 
Chain is bad, -8164 = This certificate is not valid.
PROBLEM WITH THE CERT CHAIN:
CERT 0. PayPalEE :
  ERROR -8164: This certificate is not valid.
Whiteboard: PKIX
I also wonder if this happens with vfychain and just one -p option.
Priority: -- → P1
Summary: libPKIX reports wrong error code when EE cert is expired → CERT_PKIXVerifyCert reports wrong error code when EE cert is expired
Target Milestone: --- → 3.12.4
Libpkix to nss error code conversion function traverses linked list of libpkix error objects and stops on the first one that has nss error code set. It so happened that the libpkix error object that had SEC_ERROR_EXPIRED_CERTIFICATE error code(CERTCHECKCERTVALIDTIMESFAILED libpkix error object) was preceded by the error object that had SEC_ERROR_CERT_NOT_VALID NSS code(CERTCHECKVALIDITYFAILED libpkix error object).

This is the reason why the converted was reporting SEC_ERROR_CERT_NOT_VALID, and not the SEC_ERROR_CERT_NOT_VALID.

The fix is to remove association of between CERTCHECKVALIDITYFAILED error object and SEC_ERROR_CERT_NOT_VALID error code.
Attachment #381175 - Flags: review?(nelson)
Attachment #381175 - Flags: review?(nelson) → review+
Comment on attachment 381175 [details] [diff] [review]
Patch v1 - report correct error when EE cert is expired(committed)

I'm willing to try this. 
I wonder if it will have any unintended side effects.
(In reply to comment #3)
> (From update of attachment 381175 [details] [diff] [review])
> I'm willing to try this. 
> I wonder if it will have any unintended side effects.
I've checked the affect of this change. All the potential errors that can be returned by the match function invocation in this particular place have valid pkix to nss code mappings.
Attachment #381175 - Attachment description: Patch v1 - report correct error when EE cert is expired → Patch v1 - report correct error when EE cert is expired(committed)
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
OS: Windows XP → All
Hardware: x86 → All
You need to log in before you can comment on or make changes to this bug.