Closed
Bug 603615
Opened 14 years ago
Closed 5 months ago
'C' trust flag doesn't work as expected
Categories
(NSS :: Libraries, defect, P5)
Tracking
(Not tracked)
RESOLVED
INACTIVE
People
(Reporter: u238590, Unassigned)
Details
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.63 Safari/534.3
Build Identifier: 3.12.8

'C' trust flag has no effect on intermediate CA certificate. The whole cert chain was sent out instead of the expected behavior stopping at the intermediate cert (when 'C' flag is set).

Reproducible: Always

Steps to Reproduce:
1. ./gencert
2. $ /share/builds/components/security/SECURITY_3.12.8_20100916/SunOS5.10_DBG.OBJ/bin/certutil -L -d .

   --------------------------------------------------------------------
   Certificate Nickname                          Trust Attributes
                                                 SSL,S/MIME,JAR/XPI

   rootCAcert                                    Cu,Cu,Cu
   Server-Cert                                   u,u,u
   intermediateCAcert                            Cu,Cu,Cu
   --------------------------------------------------------------------

3. $ /share/builds/components/security/SECURITY_3.12.8_20100916/SunOS5.10_DBG.OBJ/bin/selfserv -p 1894 -d . -n "Server-Cert" -S -v
4. On another terminal run client:
   $ openssl s_client -connect localhost:1894 -showcerts

Actual Results:
'C' trust flag has no effect on intermediate CA certificate. The whole cert chain was sent out instead of the expected behavior stopping at the intermediate cert (when 'C' flag is set).
Here is openssl output:

$ openssl s_client -connect localhost:1894 -showcerts
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/O=TestCentral/CN=*.red.iplanet.com
   i:/C=US/O=TestCentral/CN=Intermediate CA
-----BEGIN CERTIFICATE-----
(base64 certificate body omitted)
-----END CERTIFICATE-----
 1 s:/C=US/O=TestCentral/CN=Intermediate CA
   i:/C=US/O=TestCentral/CN=RootCA
-----BEGIN CERTIFICATE-----
(base64 certificate body omitted)
-----END CERTIFICATE-----
 2 s:/C=US/O=TestCentral/CN=RootCA
   i:/C=US/O=TestCentral/CN=RootCA
-----BEGIN CERTIFICATE-----
(base64 certificate body omitted)
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/O=TestCentral/CN=*.red.iplanet.com
issuer=/C=US/O=TestCentral/CN=Intermediate CA
---
No client certificate CA names sent
---
SSL handshake has read 1766 bytes and written 309 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: 6165AC305CACA6B92A612F9C5186563BDE600353B995E12BDB4FDDB6F202A4B4
    Session-ID-ctx:
    Master-Key: C47F6B483263EB4DF59BB7AA1A5E02C6A520BE5343F98DB0CC7DBD8361821EC40F17FB524F146159FEAB56E50E7AD21E
    Key-Arg   : None
    Start Time: 1286890313
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
HTTP/1.0 200 OK
Server: Generic Web Server
Date: Tue, 26 Aug 1997 22:10:05 GMT
Content-type: text/plain
EOF
closed

Expected Results:
As per notes from Nelson Bolyard's Brown bag: http://blogs.sun.com/meena/entry/notes_about_trust_flags
~~~~~~~~~~~~~~~~~~~~~~~~~~
We can take any intermediate CA cert and mark it with a "C" so it will be treated as a root CA. NSS will build chain to send out as far as it sees "C" flag.
gencert - Script used to generate certificates
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

#!/bin/ksh
NSSDIR=/share/builds/components/security/SECURITY_3.12.8_20100916/SunOS5.10_DBG.OBJ/
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$NSSDIR/lib
CERTUTIL=$NSSDIR/bin/certutil

ROOTCA_CERTDN="CN=RootCA, O=TestCentral, C=US"
INTCA_CERTDN="CN=Intermediate CA, O=TestCentral, C=US"
SERVER_CERTDN="CN=*.red.iplanet.com, O=TestCentral, C=US"

echo ""
echo "#####################################################################"
echo "Generating cert DB"
echo "#####################################################################"
$CERTUTIL -N -d . -f pw.txt

echo ""
echo "#####################################################################"
echo "Generating root CA certificate"
echo "#####################################################################"
(ps -elf; date; netstat -a) > noise
# 5 9 n      -> Cert signing key
# y 10 y     -> basic constraints: CA cert
# 5 6 7 9 n  -> SSL, S/MIME, Object signing CA
echo "5\n9\nn\ny\n10\ny\n5\n6\n7\n9\nn\n" | \
    $CERTUTIL -S -d . -n rootCAcert -s "$ROOTCA_CERTDN" -x -t Cu,Cu,Cu -g 1024 -m 100 -v 120 -z noise -2 -1 -5

echo ""
echo "#####################################################################"
echo "Generating intermediate CA certificate request"
echo "#####################################################################"
(ps -elf; date; netstat -a) > noise
$CERTUTIL -R -d . -s "$INTCA_CERTDN" -o tmpcertreq -g 1024 -z noise

echo ""
echo "#####################################################################"
echo "Generating intermediate CA certificate"
echo "#####################################################################"
(ps -elf; date; netstat -a) > noise
# 5 9 n      -> Cert signing key
# y 10 y     -> basic constraints: CA cert
# 5 6 7 9 n  -> SSL, S/MIME, Object signing CA
echo "5\n9\nn\ny\n10\ny\n5\n6\n7\n9\nn\n" | \
    $CERTUTIL -C -d . -c rootCAcert -i tmpcertreq -o tmpcert.der -m 101 -v 120 -z noise -2 -1 -5

echo ""
echo "#####################################################################"
echo "Importing Intermediate CA certificate into server cert DB"
echo "#####################################################################"
$CERTUTIL -A -d . -n intermediateCAcert -t Cu,Cu,Cu -i tmpcert.der

echo ""
echo "#####################################################################"
echo "Generating server certificate request"
echo "#####################################################################"
(ps -elf; date; netstat -a) > noise
$CERTUTIL -R -d . -s "$SERVER_CERTDN" -o tmpcertreq -g 1024 -z noise

echo ""
echo "#####################################################################"
echo "Generating server certificate"
echo "#####################################################################"
echo "2\n9\nn\n1\n9\nn\n" | \
    $CERTUTIL -C -d . -c intermediateCAcert -i tmpcertreq -o tmpcert.der -m 101 -v 120 -1 -5

echo ""
echo "#####################################################################"
echo "Importing server certificate into server cert DB"
echo "#####################################################################"
$CERTUTIL -A -d . -n Server-Cert -t u,u,u -i tmpcert.der

echo ""
echo "#####################################################################"
echo "Clean up"
echo "#####################################################################"
rm noise tmpcert.der tmpcertreq
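An added check, not part of the bug report or of NSS, that automates the comparison the reporter made by hand: it parses the "Certificate chain" section of `openssl s_client -showcerts` output and reports whether the chain the server sent stops at the CA marked with the 'C' flag or runs past it to the root. The sample chain is constructed from the subject/issuer lines above with the PEM bodies shortened; the function names are the example's own.

```python
import re

# Constructed sample input: the "Certificate chain" section as printed by
# `openssl s_client -showcerts`, with each PEM body shortened to one line.
SAMPLE_CHAIN = """\
---
Certificate chain
 0 s:/C=US/O=TestCentral/CN=*.red.iplanet.com
   i:/C=US/O=TestCentral/CN=Intermediate CA
-----BEGIN CERTIFICATE-----
MIICFDCCAX2g...(omitted)
-----END CERTIFICATE-----
 1 s:/C=US/O=TestCentral/CN=Intermediate CA
   i:/C=US/O=TestCentral/CN=RootCA
-----BEGIN CERTIFICATE-----
MIICHTCCAYag...(omitted)
-----END CERTIFICATE-----
 2 s:/C=US/O=TestCentral/CN=RootCA
   i:/C=US/O=TestCentral/CN=RootCA
-----BEGIN CERTIFICATE-----
MIICFDCCAX2g...(omitted)
-----END CERTIFICATE-----
---
"""

# One chain entry: depth, then the "s:" subject line, then the "i:" issuer line.
ENTRY = re.compile(r"^\s*(\d+)\s+s:(.+)\n\s*i:(.+)$", re.MULTILINE)

def parse_chain(text):
    """Return [(depth, subject, issuer), ...] in the order the server sent them."""
    return [(int(d), s.strip(), i.strip()) for d, s, i in ENTRY.findall(text)]

def cn_of(name):
    """Pull the CN out of an OpenSSL-style '/C=US/O=.../CN=...' name."""
    m = re.search(r"/CN=([^/]+)", name)
    return m.group(1).strip() if m else None

def check_chain_anchor(text, anchor_cn):
    """Where does the sent chain end relative to the CA marked 'C' in the server DB?

    ("ok", 0): the anchor is the last cert sent; ("overrun", n): n certs follow
    it (the behaviour reported in this bug); ("missing", 0): anchor not sent.
    """
    chain = parse_chain(text)
    for depth, subject, _issuer in chain:
        if cn_of(subject) == anchor_cn:
            extra = len(chain) - depth - 1
            return ("ok", 0) if extra == 0 else ("overrun", extra)
    return ("missing", 0)
```

Run against the captured chain with "Intermediate CA" as the anchor it reports one extra certificate after the intermediate, which is exactly the discrepancy the report describes.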
Updated 2 years ago
Severity: normal → S3

Updated 5 months ago
Severity: S3 → S4
Status: UNCONFIRMED → RESOLVED
Closed: 5 months ago
Priority: -- → P5
Resolution: --- → INACTIVE