Closed Bug 511628 Opened 15 years ago Closed 15 years ago

certutil -O only lists trusted certs in a chain

Categories

(NSS :: Tools, defect)

3.12.4
x86
Linux
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: KaiE, Unassigned)

Details

(Keywords: regression)

This was seen with a prerelease (beta) of 3.12.4

I'm forwarding this bug report from https://bugzilla.redhat.com/show_bug.cgi?id=509132:

Description of problem:

certutil -O is used to print the chain of a certificate.

# certutil -O -n Server-Cert -d /etc/dirsrv/slapd-EXAMPLE-COM/
"CA certificate" [CN=IPA Test Certificate Authority]

  "Server-Cert" [CN=saturn.example.com,OU=Fedora Directory Server]

In previous versions of nss this will print the entire chain whether the CA
certs are trusted or not. With F-11 this only includes those certs that are
trusted:

The previous call was made with a trusted CA cert.

# certutil -L -d /etc/dirsrv/slapd-GREYOAK-COM/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
CA certificate                                               CT,, 

If we remove the trust and re-run the command then the CA drops from the list:

# certutil -M -t ,,, -n "CA certificate" -d /etc/dirsrv/slapd-EXAMPLE-COM/
# certutil -O -n Server-Cert -d /etc/dirsrv/slapd-EXAMPLE-COM/
"Server-Cert" [CN=saturn.example.com,OU=Fedora Directory Server]

This was a fun bug to investigate. Even though I've worked on certutil for over 10 years, my first reaction was "What in the world does the -O option do?" I think I'd never seen it before.

Once I saw how it worked, I believe I understood the issue.  I'll bet that the reporter's missing "CA" cert is not a CA cert at all.  

Prior to NSS 3.12, old versions of NSS treated any self-signed cert as a root CA cert (not necessarily a TRUSTED root CA cert, but as a root CA), even if it was an X.509 v3 cert which lacked the basicConstraints extension that makes it a CA certificate. That was deemed a security risk, and was fixed in NSS 3.12. NSS 3.12 will not treat an X.509 v3 certificate as a CA certificate unless it has a basicConstraints extension marking it as a CA certificate, even if it is self-signed.

If you can confirm that the reporter's certificate lacked a proper basicConstraints extension, then this bug is invalid.

Yes, the cert in question is missing the CA basicConstraint. Closing as invalid.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → INVALID
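The situation Nelson describes, reproduced with OpenSSL on the command line as an added example (this is not code from the bug report, from NSS, or from the reporter's Directory Server setup): one self-signed X.509 v3 certificate that lacks basicConstraints, like the reporter's "CA certificate", beside one that carries CA:TRUE, each used to issue a leaf, and the check NSS 3.12 applies when it decides whether the issuer belongs in the chain. The subject names are made up, the issuer is matched by DN only (a simplification of what NSS does), and the script assumes openssl 1.1.1 or later for -addext and -ext.

```shell
#!/bin/sh
# Added example, not from the bug report or from NSS. Reproduces the situation
# with OpenSSL: a self-signed X.509 v3 cert without basicConstraints beside one
# with CA:TRUE, and the NSS 3.12 rule that only the latter counts as a CA.
# Names are made up; needs openssl 1.1.1 or later (-addext, -ext).
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal config so that no distribution default (e.g. a v3_ca section that
# adds basicConstraints) interferes; only what -addext names ends up in the cert.
cat >"$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
EOF

# new_self_signed NAME CN EXTENSION: self-signed v3 cert carrying exactly EXTENSION.
new_self_signed() {
    openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -addext "$3" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# sign_leaf ISSUER NAME CN: end-entity cert signed with ISSUER's key.
# openssl x509 does not care whether ISSUER is really a CA, which is how
# chains like the reporter's come into existence in the first place.
sign_leaf() {
    openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$3" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 1 -out "$WORK/$2.pem" 2>/dev/null
}

# is_ca NAME: succeeds only if basicConstraints is present and says CA:TRUE.
# That is the NSS 3.12 rule; being self-signed alone does not count, and a
# cert with no basicConstraints at all fails here just like one with CA:FALSE.
is_ca() {
    openssl x509 -in "$WORK/$1.pem" -noout -ext basicConstraints 2>/dev/null \
        | grep -q 'CA:TRUE'
}

# dn FIELD NAME: subject or issuer DN without the "subject=" / "issuer=" prefix.
dn() {
    openssl x509 -in "$WORK/$2.pem" -noout "-$1" | sed 's/^[a-z]*=//'
}

# chain_depth LEAF ISSUER: how many certs certutil -O would list under the
# 3.12 rule: 2 if ISSUER's subject is LEAF's issuer and ISSUER is a CA,
# otherwise just the leaf (1). Matching by DN only is a simplification.
chain_depth() {
    if [ "$(dn issuer "$1")" = "$(dn subject "$2")" ] && is_ca "$2"; then
        echo 2
    else
        echo 1
    fi
}

new_self_signed good-ca "Example Test CA" "basicConstraints=critical,CA:TRUE"
new_self_signed nobc-ca "Example Self-Signed Not A CA" "subjectKeyIdentifier=hash"
sign_leaf good-ca server-good "saturn.example.com"
sign_leaf nobc-ca server-nobc "saturn.example.com"

for pair in "server-good good-ca" "server-nobc nobc-ca"; do
    set -- $pair
    printf '%s issued by %s: is_ca=%s chain depth=%s\n' \
        "$1" "$2" "$(is_ca "$2" && echo yes || echo no)" "$(chain_depth "$1" "$2")"
done
```

Against the real NSS database the equivalent check is to print the suspect certificate in full with `certutil -L -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n "CA certificate"` and look for a Certificate Basic Constraints entry among its extensions; if there is none, or it does not say the certificate is a CA, NSS 3.12 will not place it in any chain regardless of the trust flags set with -M.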