Closed Bug 494226 Opened 16 years ago Closed 2 years ago

The meaning of SEC_ERROR_CERT_NOT_VALID is ambiguous

Categories

(NSS :: Libraries, defect, P5)

Tracking

(Not tracked)

RESOLVED INACTIVE

People

(Reporter: wtc, Unassigned)

Details

(Whiteboard: [nss-nofx])

The meaning of the error code, SEC_ERROR_CERT_NOT_VALID, "This certificate is not valid." is ambiguous without clarification.

When the Chromium browser tried to use CERT_PKIXVerifyCert (of NSS 3.12.0.3 on Ubuntu 8.04), it got SEC_ERROR_CERT_NOT_VALID for an expired certificate.

So we need to do two things:
1. CERT_PKIXVerifyCert needs to report SEC_ERROR_EXPIRED_CERTIFICATE for expired certificates.
2. We need to clarify what exactly SEC_ERROR_CERT_NOT_VALID should mean in documentation and code.

Reporting the correct certificate error is crucial to a browser. Below are the details of my investigation.

I inspected the *current* NSS source code to find out what exactly SEC_ERROR_CERT_NOT_VALID means. I found that it is only set by Stan and libpkix.

Stan:

The Stan error code NSS_ERROR_INVALID_CERTIFICATE is mapped to SEC_ERROR_CERT_NOT_VALID by default:
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/certdb/stanpcertdb.c&rev=1.83&mark=208#208

But in practice I believe NSS_ERROR_INVALID_CERTIFICATE is mapped to SEC_ERROR_REUSED_ISSUER_AND_SERIAL because of the following code:
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/dev/devtoken.c&rev=1.51&mark=535-537,548#535
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/certdb/stanpcertdb.c&rev=1.83&mark=326-327#314
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/pk11wrap/pk11cert.c&rev=1.170&mark=922-923#910

Libpkix:

CERT_PKIXVerifyCert sets the error code SEC_ERROR_CERT_NOT_VALID if either PKIX_PL_NssContext_Create or PKIX_ProcessingParams_Create fails:
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/certhigh/certvfypkix.c&rev=1.42&mark=2089,2101#2086

I don't know how those two functions could fail, so I'm not sure if it's appropriate to set the error SEC_ERROR_CERT_NOT_VALID on their failure.

But the more serious problem is that Libpkix maps PKIX_CERTCHECKVALIDITYFAILED to SEC_ERROR_CERT_NOT_VALID:
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/libpkix/include/pkix_errorstrings.h&rev=1.31&mark=145#145

And PKIX_CERTCHECKVALIDITYFAILED seems to mean the certificate is not in its validity period (expired, or not yet valid):
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/libpkix/pkix/checker/pkix_expirationchecker.c&rev=1.1&mark=72-73#49
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/libpkix/pkix/certsel/pkix_certselector.c&rev=1.11&mark=401-403#383
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/libpkix/pkix/certsel/pkix_certselector.c&rev=1.11&mark=1302-1304#1301

(Note: I don't know what this case does:
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/libpkix/pkix/top/pkix_build.c&rev=1.57&mark=3373#3354 )

For a certificate not in its validity period, classic NSS certificate verification functions report the error code SEC_ERROR_EXPIRED_CERTIFICATE.
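A caller-side way to cope with the ambiguity described in the report above, as an added example that is not part of the bug report or of NSS: when verification returns the generic code, re-check each chain certificate's validity window and report the expired-certificate code that classic NSS uses. All `demo_`/`DEMO_` names, the struct and the enum values are stand-ins for illustration, not NSS definitions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef int64_t demo_time; /* stand-in for NSS PRTime */

/* Stand-ins named after the codes in the report; values are arbitrary, not secerr.h's. */
enum demo_err {
    DEMO_OK = 0,
    DEMO_EXPIRED_CERTIFICATE, /* models SEC_ERROR_EXPIRED_CERTIFICATE */
    DEMO_CERT_NOT_VALID,      /* models SEC_ERROR_CERT_NOT_VALID (ambiguous) */
    DEMO_UNKNOWN_ISSUER       /* models any other, specific failure */
};

struct demo_cert { demo_time not_before, not_after; }; /* validity window, inclusive */

/* 1 if `now` falls outside the certificate's validity window, else 0. */
static int outside_validity(const struct demo_cert *c, demo_time now) {
    return now < c->not_before || now > c->not_after;
}

/* Refine only the ambiguous code: if any certificate in the chain is outside its
 * validity window, report the expired-certificate code, as classic NSS does for
 * both expired and not-yet-valid certificates. Everything else passes through
 * unchanged, and an unexplained CERT_NOT_VALID stays a hard failure. */
enum demo_err refine_verify_error(enum demo_err err, const struct demo_cert *chain,
                                  size_t n, demo_time now) {
    if (err != DEMO_CERT_NOT_VALID)
        return err;
    for (size_t i = 0; i < n; i++)
        if (outside_validity(&chain[i], now))
            return DEMO_EXPIRED_CERTIFICATE;
    return DEMO_CERT_NOT_VALID;
}

int main(void) {
    /* Constructed sample chain: leaf valid 100..200, issuer valid 0..1000. */
    struct demo_cert chain[2] = { {100, 200}, {0, 1000} };
    printf("now=250: %d\n", refine_verify_error(DEMO_CERT_NOT_VALID, chain, 2, 250));
    printf("now=150: %d\n", refine_verify_error(DEMO_CERT_NOT_VALID, chain, 2, 150));
    return 0;
}
```

With NSS itself, the per-certificate window check corresponds to CERT_CheckCertValidTimes.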
This bug is a duplicate of bug 491174, which also documents that the wrong error code is used by libPKIX for expired certs. However, this bug also points out that SEC_ERROR_CERT_NOT_VALID is ambiguous. So, rather than changing this bug to be a duplicate, I will change its scope to be about the ambiguity of SEC_ERROR_CERT_NOT_VALID.
Summary: CERT_PKIXVerifyCert reports SEC_ERROR_CERT_NOT_VALID for expired certificates → The meaning of SEC_ERROR_CERT_NOT_VALID is ambiguous

The bug assignee didn't log in to Bugzilla in the last 7 months and this bug has severity 'major'.
:beurdouche, could you have a look please?
For more information, please visit auto_nag documentation.

Assignee: alvolkov.bgs → nobody
Flags: needinfo?(bbeurdouche)

In the process of migrating remaining bugs to the new severity system, the severity for this bug cannot be automatically determined. Please retriage this bug using the new severity system.

Severity: major → --
Severity: -- → N/A
Status: NEW → RESOLVED
Closed: 2 years ago
Flags: needinfo?(bbeurdouche)
Priority: -- → P5
Resolution: --- → INACTIVE
Whiteboard: [nss-nofx]