Six tests fail when running all.sh

RESOLVED DUPLICATE of bug 488646


People

(Reporter: wtc, Assigned: slavomir.katuscak+mozilla)

Tracking

3.12.3
3.12.4

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: PKIX)

(Reporter)

Description

9 years ago
If I run all.sh on a non-ECC build, I get six test failures.  For example,
on Mac OS X with NSS 3.12.3.1 and NSPR 4.7.1, these tests fail:

#1779: RealCerts: Verifying certificate(s) PayPalEE.cert with flags -d AllDB -o OID.2.16.840.1.113733.1.7.23.6

#1875: OCSP: Verifying certificate(s) OCSPEE12.cert OCSPCA1.cert with flags -g leaf -m ocsp -d OCSPRootDB -t OCSPRoot

#3237: RealCerts: Verifying certificate(s) PayPalEE.cert with flags -d AllDB -o OID.2.16.840.1.113733.1.7.23.6

#3333: OCSP: Verifying certificate(s) OCSPEE12.cert OCSPCA1.cert with flags -g leaf -m ocsp -d OCSPRootDB -t OCSPRoot

#5266: RealCerts: Verifying certificate(s) PayPalEE.cert with flags -d AllDB -o OID.2.16.840.1.113733.1.7.23.6

#5362: OCSP: Verifying certificate(s) OCSPEE12.cert OCSPCA1.cert with flags -g leaf -m ocsp -d OCSPRootDB -t OCSPRoot

The output.log and results.html files are attached.
(Reporter)

Comment 1

9 years ago
I can't attach output.log because it exceeds the 2MB limit of attachments.

I also found that these six tests also fail in Extended ECC builds.

The six tests seem to be three variants of two tests, with white, blue, and yellow
backgrounds in the results.html page.  Here are excerpts of the first two test
failures from output.log for Mac OS X Extended ECC debug build with
NSS 3.12.3.1 and NSPR 4.7.5:

chains.sh: Verifying certificate(s)  PayPalEE.cert with flags  -d AllDB   -o OID.2.16.840.1.113733.1.7.23.6
vfychain -d AllDB -pp -vv    -o OID.2.16.840.1.113733.1.7.23.6  /Users/wtc/nss-3.12.3.1-2/mozilla/security/nss/tests/libpkix/certs/PayPalEE.cert
Chain is bad, -8164 = This certificate is not valid.
PROBLEM WITH THE CERT CHAIN:
CERT 0. PayPalEE :
  ERROR -8181: Peer's Certificate has expired.

Returned value is 1, expected result is pass
chains.sh: #2997: RealCerts: Verifying certificate(s)  PayPalEE.cert with flags  -d AllDB   -o OID.2.16.840.1.113733.1.7.23.6  - FAILED

chains.sh: Verifying certificate(s)  OCSPEE12.cert OCSPCA1.cert with flags  -g leaf -m ocsp -d OCSPRootDB    -t OCSPRoot
vfychain -d OCSPRootDB -pp -vv  -g leaf -m ocsp    /Users/wtc/nss-3.12.3.1-2/mozilla/security/nss/tests/libpkix/certs/OCSPEE12.cert /Users/wtc/nss-3.12.3.1-2/mozilla/security/nss/tests/libpkix/certs/OCSPCA1.cert  -t OCSPRoot
Chain is good!
Root Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 219193145 (0xd109f39)
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "CN=OCSPRoot ROOT CA,O=OCSPRoot,C=US"
        Validity:
            Not Before: Thu Feb 19 18:31:46 2009
            Not After : Wed Feb 19 18:31:46 2059
        Subject: "CN=OCSPRoot ROOT CA,O=OCSPRoot,C=US"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Type
            Data: <SSL CA,S/MIME CA,ObjectSigning CA>

            Name: Certificate Basic Constraints
            Data: Is a CA with no maximum path length.

            Name: Certificate Key Usage
            Usages: Certificate Signing
                    CRL Signing

    Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
    Signature:
    Fingerprint (MD5):
        35:8F:91:0E:79:08:B0:8B:CF:1D:03:B5:E0:53:B8:B0
    Fingerprint (SHA1):
        85:7B:73:CA:B7:90:27:C4:C3:D1:61:C0:C3:4F:05:20:C6:73:19:AE

    Certificate Trust Flags:
        SSL Flags:
            Valid CA
            Trusted CA
            Trusted Client CA
        Email Flags:
            Valid CA
            Trusted CA
        Object Signing Flags:
            Valid CA
            Trusted CA

Certificate 1 Subject: "CN=OCSPEE12 EE,O=OCSPEE12,C=US"
Certificate 2 Subject: "CN=OCSPCA1 Intermediate,O=OCSPCA1,C=US"
Returned value is 0, expected result is fail
chains.sh: #3093: OCSP: Verifying certificate(s)  OCSPEE12.cert OCSPCA1.cert with flags  -g leaf -m ocsp -d OCSPRootDB    -t OCSPRoot - FAILED
Summary: Six tests fail when running all.sh on non-ECC builds → Six tests fail when running all.sh
Wan-Teh, if these 6 tests fail in non-ECC and extended ECC builds, then 
why are all the Tinderboxes green?

Updated

9 years ago
Assignee: nobody → slavomir.katuscak
Whiteboard: PKIX
(Assignee)

Comment 3

9 years ago
Wan-Teh, there are 2 different problems:

One is the expired PayPalEE certificate; this certificate has already been
updated in trunk for some time, and Christophe also updated it in the 3.12.3.1
minibranch a few days ago.

The second problem is a duplicate of 488646; this is also already fixed in trunk.
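
Added example, not part of the bug report or of NSS: a small triage script for chains.sh logs like the excerpts in comment 1, separating the two failure directions discussed in this bug (a good chain rejected versus a chain accepted when the test expects rejection). The sample log is condensed from those excerpts; the function name, field names and category labels are hypothetical.

```python
import re

# Constructed sample, condensed from the log excerpts quoted in comment 1.
SAMPLE_LOG = """\
chains.sh: Verifying certificate(s)  PayPalEE.cert with flags  -d AllDB   -o OID.2.16.840.1.113733.1.7.23.6
Chain is bad, -8164 = This certificate is not valid.
PROBLEM WITH THE CERT CHAIN:
CERT 0. PayPalEE :
  ERROR -8181: Peer's Certificate has expired.
Returned value is 1, expected result is pass
chains.sh: #2997: RealCerts: Verifying certificate(s)  PayPalEE.cert with flags  -d AllDB   -o OID.2.16.840.1.113733.1.7.23.6  - FAILED
chains.sh: Verifying certificate(s)  OCSPEE12.cert OCSPCA1.cert with flags  -g leaf -m ocsp -d OCSPRootDB    -t OCSPRoot
Chain is good!
Returned value is 0, expected result is fail
chains.sh: #3093: OCSP: Verifying certificate(s)  OCSPEE12.cert OCSPCA1.cert with flags  -g leaf -m ocsp -d OCSPRootDB    -t OCSPRoot - FAILED
"""

RESULT = re.compile(r"^Returned value is (\d+), expected result is (pass|fail)$")
VERDICT = re.compile(r"^chains\.sh: #(\d+): (\w+): .* - (\w+)$")
NSS_ERROR = re.compile(r"ERROR (-\d+): (.*)$")


def triage(log_text):
    """Return one finding per FAILED test, classified by failure direction."""
    findings, errors, result = [], [], None
    for line in log_text.splitlines():
        if m := NSS_ERROR.search(line):
            errors.append((int(m.group(1)), m.group(2)))
        elif m := RESULT.match(line):
            result = (int(m.group(1)), m.group(2))
        elif m := VERDICT.match(line):
            if m.group(3) == "FAILED" and result is not None:
                rc, expected = result
                if expected == "fail" and rc == 0:
                    # Negative test validated: a check did not reject the chain.
                    kind = "accepted-expected-bad"
                elif expected == "pass" and rc != 0:
                    # Positive test rejected: often a stale fixture (e.g. expiry).
                    kind = "rejected-expected-good"
                else:
                    kind = "other"
                findings.append({"test": int(m.group(1)), "suite": m.group(2),
                                 "kind": kind, "errors": errors})
            errors, result = [], None  # reset state for the next test
    return findings
```

The `accepted-expected-bad` category deserves the closer look in review, because it means the validation path under test let a chain through that the test author intended to be rejected.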
(Reporter)

Comment 4

9 years ago
Slavo, thanks.  Would be nice to add the fix for bug 488646
to your 3.12.3.2 release.
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → DUPLICATE
Target Milestone: --- → 3.12.4
Duplicate of bug: 488646