Bug 491174 (Closed)
Opened 14 years ago, closed 14 years ago
CERT_PKIXVerifyCert reports wrong error code when EE cert is expired
Categories: NSS :: Libraries, defect, P1
Tracking: not tracked
Status: RESOLVED FIXED, target milestone 3.12.4
People: Reporter: nelson, Assigned: alvolkov.bgs
Details: Whiteboard: PKIX
Attachments (1 file): patch, 1.15 KB, nelson: review+
Description

When an EE cert is expired, the most important result to report is that fact. But libPKIX returns -8164 = This certificate is not valid. To demonstrate this, use the recently expired www.paypal.com cert and this command:

vfychain -d AllDB -pp -vv -o OID.2.16.840.1.113733.1.7.23.6 .../PayPalEE.cert

Chain is bad, -8164 = This certificate is not valid.
PROBLEM WITH THE CERT CHAIN:
CERT 0. PayPalEE : ERROR -8164: This certificate is not valid.
Reporter, updated 14 years ago:
Whiteboard: PKIX
Reporter, comment 1, 14 years ago:
I also wonder if this happens with vfychain and just one -p option.
Priority: -- → P1
Summary: libPKIX reports wrong error code when EE cert is expired → CERT_PKIXVerifyCert reports wrong error code when EE cert is expired
Reporter, updated 14 years ago:
Target Milestone: --- → 3.12.4
Assignee, comment 2, 14 years ago:
The libpkix-to-NSS error code conversion function traverses the linked list of libpkix error objects and stops on the first one that has an NSS error code set. It so happened that the libpkix error object that had the SEC_ERROR_EXPIRED_CERTIFICATE error code (the CERTCHECKCERTVALIDTIMESFAILED libpkix error object) was preceded by the error object that had the SEC_ERROR_CERT_NOT_VALID NSS code (the CERTCHECKVALIDITYFAILED libpkix error object). This is the reason why the converter was reporting SEC_ERROR_CERT_NOT_VALID, and not the SEC_ERROR_CERT_NOT_VALID. The fix is to remove the association between the CERTCHECKVALIDITYFAILED error object and the SEC_ERROR_CERT_NOT_VALID error code.
Attachment #381175 - Flags: review?(nelson)
Reporter, updated 14 years ago:
Attachment #381175 - Flags: review?(nelson) → review+
Reporter, comment 3, 14 years ago:
Comment on attachment 381175 [details] [diff] [review]: Patch v1 - report correct error when EE cert is expired (committed)
I'm willing to try this. I wonder if it will have any unintended side effects.
Assignee, comment 4, 14 years ago:
(In reply to comment #3)
> (From update of attachment 381175 [details] [diff] [review])
> I'm willing to try this.
> I wonder if it will have any unintended side effects.

I've checked the effect of this change. All the potential errors that can be returned by the match function invocation in this particular place have valid pkix-to-NSS code mappings.
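The conversion rule described in comment 2, and the side effect raised in comment 3 and checked in comment 4, as an added illustration that is not NSS's code: a constructed C model of the libpkix error-chain walk with the mapping table as it behaved before and after the patch. The struct and enum names, their numeric values, and the unmapped error object are assumptions; -8164 is the value quoted in the bug, and -8181 is the value of SEC_ERROR_EXPIRED_CERTIFICATE in NSS's secerr.h.

```c
/* Added example, not NSS source: a constructed model of the libpkix
 * error-chain-to-NSS-code conversion described in comment 2, showing why
 * the expired-EE case reported -8164 before the fix and -8181 after it. */
#include <stdio.h>
#include <stddef.h>

/* NSS error codes: -8164 is quoted in the bug; -8181 is
 * SEC_ERROR_EXPIRED_CERTIFICATE as defined in NSS's secerr.h. */
#define SEC_ERROR_CERT_NOT_VALID      (-8164)
#define SEC_ERROR_EXPIRED_CERTIFICATE (-8181)

/* libpkix error objects named in the bug; the numeric values are constructed. */
enum pkix_err {
    PKIX_CERTCHECKVALIDITYFAILED = 1,       /* outer: validity check failed */
    PKIX_CERTCHECKCERTVALIDTIMESFAILED = 2, /* cause: notBefore/notAfter check failed */
    PKIX_HYPOTHETICAL_UNMAPPED = 3          /* constructed: has no NSS mapping */
};

/* One node of a libpkix error chain: the outermost error points at the
 * error that caused it. */
struct pkix_error {
    enum pkix_err code;
    const struct pkix_error *cause;
};

typedef int (*nss_lookup)(enum pkix_err);

/* Mapping as it behaved before the patch: the outer object already carries
 * an NSS code, so the walk stops there. 0 means "no NSS code". */
static int lookup_before_fix(enum pkix_err code) {
    switch (code) {
    case PKIX_CERTCHECKVALIDITYFAILED:       return SEC_ERROR_CERT_NOT_VALID;
    case PKIX_CERTCHECKCERTVALIDTIMESFAILED: return SEC_ERROR_EXPIRED_CERTIFICATE;
    default:                                 return 0;
    }
}

/* After the patch: CERTCHECKVALIDITYFAILED no longer maps to anything, so
 * the walk continues into the cause. */
static int lookup_after_fix(enum pkix_err code) {
    switch (code) {
    case PKIX_CERTCHECKCERTVALIDTIMESFAILED: return SEC_ERROR_EXPIRED_CERTIFICATE;
    default:                                 return 0;
    }
}

/* The rule from comment 2: walk the chain from the outermost error and
 * return the first NSS code found; 0 if no node has one. */
static int pkix_chain_to_nss(const struct pkix_error *err, nss_lookup lookup) {
    for (; err != NULL; err = err->cause) {
        int nss = lookup(err->code);
        if (nss != 0)
            return nss;
    }
    return 0;
}

/* The chain produced for an expired end-entity cert: the time check fails
 * and the validity check wraps it. */
static int expired_ee_result(nss_lookup lookup) {
    static const struct pkix_error times = { PKIX_CERTCHECKCERTVALIDTIMESFAILED, NULL };
    static const struct pkix_error validity = { PKIX_CERTCHECKVALIDITYFAILED, &times };
    return pkix_chain_to_nss(&validity, lookup);
}

/* The side effect comment 3 worried about: once the outer mapping is gone,
 * a cause with no NSS code of its own yields 0, i.e. no error code at all.
 * Comment 4 reports that every error the match function can raise at that
 * point does have a mapping, so this chain is purely constructed. */
static int unmapped_cause_result(nss_lookup lookup) {
    static const struct pkix_error other = { PKIX_HYPOTHETICAL_UNMAPPED, NULL };
    static const struct pkix_error validity = { PKIX_CERTCHECKVALIDITYFAILED, &other };
    return pkix_chain_to_nss(&validity, lookup);
}

int main(void) {
    printf("expired EE, before fix: %d\n", expired_ee_result(lookup_before_fix));
    printf("expired EE, after fix:  %d\n", expired_ee_result(lookup_after_fix));
    printf("unmapped cause, before: %d\n", unmapped_cause_result(lookup_before_fix));
    printf("unmapped cause, after:  %d\n", unmapped_cause_result(lookup_after_fix));
    return 0;
}
```

The last two results are the check a reviewer wants after a mapping is removed: the walk now depends on every error that can appear deeper in the chain having its own NSS code, which is exactly what comment 4 verified for the match function at that call site.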
Assignee, updated 14 years ago:
Attachment #381175 - Attachment description: Patch v1 - report correct error when EE cert is expired → Patch v1 - report correct error when EE cert is expired (committed)
Assignee, updated 14 years ago:
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Reporter, updated 14 years ago:
OS: Windows XP → All
Hardware: x86 → All