Closed Bug 585518 Opened 10 years ago Closed 9 years ago

AddTrust Qualified CA Root serial wrong in certdata.txt trust entry

Categories

(NSS :: CA Certificates Code, task, P2, minor)

Tracking

(Not tracked)

RESOLVED FIXED
3.12.9

People

(Reporter: sburford, Assigned: KaiE)


Attachments

(1 file)

User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.14 Safari/534.3
Build Identifier: mozilla/security/nss/lib/ckfw/builtins/certdata.txt#1.64

The CKO_CERTIFICATE entry for "AddTrust Qualified Certificates Root" in http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/ckfw/builtins/certdata.txt&rev=1.64 has a CKA_SERIAL_NUMBER of \001 while the CKO_CERTIFICATE entry has a CKA_SERIAL_NUMBER of \002\001\000.

According to OpenSSL's interpretation of the certificate contained in certdata.txt the true serial number is \001.

This is the only serial number mismatch within this file.

Reproducible: Always

Steps to Reproduce:
1. Go to http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/ckfw/builtins/certdata.txt&rev=1.64
2. Find the two (cert + trust) entries for "AddTrust Qualified Certificates Root"
3. Note that line 4554 lists \001 as the CKA_SERIAL_NUMBER.
4. Note that line 4689 lists \002\001\000 as the CKA_SERIAL_NUMBER.
Actual Results:  
For the "AddTrust Qualified Certificates Root":
Cert entry line 4554 lists \001 as the CKA_SERIAL_NUMBER.
Trust entry line 4689 lists \002\001\000 as the CKA_SERIAL_NUMBER.

Expected Results:  
For the "AddTrust Qualified Certificates Root":
Cert entry line 4554 lists \001 as the CKA_SERIAL_NUMBER.
Trust entry line 4689 lists \001 as the CKA_SERIAL_NUMBER.

Workaround is to not compare serial numbers when matching certs and trust entries.  Obviously nobody else does.

(In reply to comment #0)
> This is the only serial number mismatch within this file.

Indeed. Apparently the entry for this root was missed when the changes in r1.26 ("Make the Serial Numbers DER Wrapped rather than raw serial numbers") were applied, back in 2002.

> Expected Results:  
> For the "AddTrust Qualified Certificates Root":
> Cert entry line 4554 lists \001 as the CKA_SERIAL_NUMBER.
> Trust entry line 4689 lists \001 as the CKA_SERIAL_NUMBER.

Should be the other way round, actually - \002\001\001.

> Workaround is to not compare serial numbers when matching certs and trust
> entries.  Obviously nobody else does.

In this specific case, it's probably more the situation of an "orphaned" root: to my knowledge, Comodo - its current owner - has never actively used this root (and will never do so, most likely).
Status: UNCONFIRMED → NEW
Ever confirmed: true
Assignee: nobody → kaie
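Kaspar's point about DER-wrapped serials, worked through as an added example (this is not code from the bug or from NSS). PKCS#11 defines CKA_SERIAL_NUMBER as the DER encoding of the serial, so the expected trust-entry value is the serial OpenSSL reports (1) wrapped as a DER INTEGER; the byte values below are the ones quoted in this bug.

```python
# Added example, not code from the bug or from NSS: decode certdata.txt
# octal-escaped CKA_SERIAL_NUMBER values, DER-wrap the true serial (the one
# OpenSSL reports for the certificate), and flag entries that do not match.
import re

def parse_octal(escaped):
    """Decode a certdata.txt octal escape string such as r'\002\001\000'."""
    return bytes(int(o, 8) for o in re.findall(r'\\([0-7]{3})', escaped))

def to_octal(data):
    """Encode bytes back into certdata.txt's \\NNN octal form."""
    return ''.join('\\%03o' % b for b in data)

def der_wrap_serial(serial):
    """Wrap an unsigned serial as a DER INTEGER: tag 0x02, length, value.
    Leading zero bytes are dropped (minimal encoding) and a 0x00 pad byte is
    added when the top bit is set, because DER INTEGER is two's complement."""
    value = serial.lstrip(b'\x00') or b'\x00'
    if value[0] & 0x80:
        value = b'\x00' + value
    if len(value) > 127:
        raise ValueError('long-form length not handled in this example')
    return b'\x02' + bytes([len(value)]) + value

def check_serial(true_serial, entry_value):
    """Compare one entry's CKA_SERIAL_NUMBER with the DER-wrapped true serial.
    Returns (ok, expected_octal, diagnosis)."""
    expected = der_wrap_serial(true_serial)
    actual = parse_octal(entry_value)
    if actual == expected:
        return True, to_octal(expected), 'ok'
    if actual == true_serial:
        return False, to_octal(expected), 'raw serial, not DER wrapped'
    if actual[:1] == b'\x02' and len(actual) >= 2 and actual[1] == len(actual) - 2:
        return False, to_octal(expected), 'DER wrapped but wrong value'
    return False, to_octal(expected), 'not a DER INTEGER'

# Values quoted in the bug for "AddTrust Qualified Certificates Root":
# OpenSSL reports serial 1; the cert entry had \001, the trust entry \002\001\000.
TRUE_SERIAL = b'\x01'
if __name__ == '__main__':
    for label, value in (('cert entry', r'\001'), ('trust entry', r'\002\001\000')):
        ok, expected, why = check_serial(TRUE_SERIAL, value)
        print(f'{label}: {value} -> {"ok" if ok else why}; expected {expected}')
```

Run against the two quoted values, the cert entry is reported as an unwrapped raw serial and the trust entry as a DER INTEGER carrying 0 instead of 1, with \002\001\001 as the expected value for both.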
I confirm the mismatch and it should be fixed.

Sean says, correct serial number should be \001

Kaspar says, correct serial number should be \002\001\001

Who's right? Do you have any references?
Attached patch: Patch v1
I'd like to ask either Bob or Nelson to review this.

The revision r1.26 was done by Bob in 2002, so he might remember it.
Attachment #467488 - Flags: superreview?(rrelyea)
Attachment #467488 - Flags: review?(nelson)
Comment on attachment 467488 [details] [diff] [review]
Patch v1

r=nelson
Attachment #467488 - Flags: review?(nelson) → review+
Duplicate of this bug: 599861
Attachment #467488 - Flags: superreview?(rrelyea) → superreview+
cvs trunk commit:

cvs commit: Examining .
Checking in certdata.c;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.c,v  <--  certdata.c
new revision: 1.69; previous revision: 1.68
done
Checking in certdata.txt;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.txt,v  <--  certdata.txt
new revision: 1.66; previous revision: 1.65
done
We try to keep the roots module synchronized between trunk and branch, therefore, 3.12 branch commit:

cvs commit: Examining .
Checking in certdata.c;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.c,v  <--  certdata.c
new revision: 1.67.2.2; previous revision: 1.67.2.1
done
Checking in certdata.txt;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.txt,v  <--  certdata.txt
new revision: 1.64.2.2; previous revision: 1.64.2.1
done
fixed
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.12.9
This was the first change to the roots module after the last release of NSS.

Therefore we must increase the version number.

trunk checkin:

Checking in nssckbi.h;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/nssckbi.h,v  <--  nssckbi.h
new revision: 1.26; previous revision: 1.25
done
3.12 branch checkin:

Checking in nssckbi.h;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/nssckbi.h,v  <--  nssckbi.h
new revision: 1.24.2.2; previous revision: 1.24.2.1
done
Depends on: 613394
Priority: -- → P2