Bug 511628
Opened 15 years ago
Closed 15 years ago
certutil -O only lists trusted certs in a chain
Categories
(NSS :: Tools, defect)
Tracking
(Not tracked)
RESOLVED
INVALID
People
(Reporter: KaiE, Unassigned)
Details
(Keywords: regression)
This was seen with a prerelease (beta) of 3.12.4

I'm forwarding this bug report from
https://bugzilla.redhat.com/show_bug.cgi?id=509132 :

Description of problem:

certutil -O is used to print the chain of a certificate.

# certutil -O -n Server-Cert -d /etc/dirsrv/slapd-EXAMPLE-COM/
"CA certificate" [CN=IPA Test Certificate Authority]

  "Server-Cert" [CN=saturn.example.com,OU=Fedora Directory Server]

In previous versions of nss this will print the entire chain whether the
CA certs are trusted or not. With F-11 this only includes those certs
that are trusted:

The previous call was made with a trusted CA cert.

# certutil -L -d /etc/dirsrv/slapd-GREYOAK-COM/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
CA certificate                                               CT,,

If we remove the trust and re-run the command then the CA drops from the
list:

# certutil -M -t ,,, -n "CA certificate" -d /etc/dirsrv/slapd-EXAMPLE-COM/
# certutil -O -n Server-Cert -d /etc/dirsrv/slapd-EXAMPLE-COM/
"Server-Cert" [CN=saturn.example.com,OU=Fedora Directory Server]
Comment 1 • 15 years ago
This was a fun bug to investigate. Even though I've worked on certutil for over 10 years, my first reaction was "What in the world does the -O option do?" I think I'd never seen it before. Once I saw how it worked, I believe I understood the issue. I'll bet that the reporter's missing "CA" cert is not a CA cert at all. Prior to NSS 3.12, old versions of NSS treated any self-signed cert as a root CA cert (not necessarily a TRUSTED root CA cert, but as a root CA), even if it was an X.509 v3 cert which lacked the basicConstraints extension that makes it a CA certificate. That was deemed a security risk, and was fixed in NSS 3.12. NSS 3.12 will not treat an X.509 v3 certificate as a CA certificate unless it has a basicConstraints extension marking it as a CA certificate, even if it is self-signed. If you can confirm that the reporter's certificate lacked a proper basicConstraints extension, then this bug is invalid.
Comment 2 • 15 years ago
Yes, the cert in question is missing the CA basicConstraint. Closing as invalid.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → INVALID