Bug 603615 - 'C' trust flag doesn't work as expected
Status: UNCONFIRMED
Product: NSS
Component: Libraries
Assigned To: nobody
Reported: 2010-10-12 07:09 PDT by Meena Vyas
Modified: 2010-10-12 07:11 PDT
Description Meena Vyas 2010-10-12 07:09:44 PDT
User-Agent:       Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.63 Safari/534.3
Build Identifier: 3.12.8

The 'C' trust flag has no effect on the intermediate CA certificate. The whole cert chain was sent out instead of the expected behavior of stopping at the intermediate cert (when the 'C' flag is set).


Reproducible: Always

Steps to Reproduce:
1. ./gencert
2. $ /share/builds/components/security/SECURITY_3.12.8_20100916/SunOS5.10_DBG.OBJ/bin/certutil -L -d .
--------------------------------------------------------------------
Certificate Nickname                         Trust Attributes
                                             SSL,S/MIME,JAR/XPI
rootCAcert                                   Cu,Cu,Cu
Server-Cert                                  u,u,u
intermediateCAcert                           Cu,Cu,Cu
--------------------------------------------------------------------

3. $ /share/builds/components/security/SECURITY_3.12.8_20100916/SunOS5.10_DBG.OBJ/bin/selfserv -p 1894 -d . -n "Server-Cert" -S -v

4. On another terminal, run the client: $ openssl s_client -connect localhost:1894 -showcerts
Actual Results:
The 'C' trust flag has no effect on the intermediate CA certificate. The whole cert chain was sent out instead of the expected behavior of stopping at the intermediate cert (when the 'C' flag is set).

Here is the openssl output:

$ openssl s_client -connect localhost:1894 -showcerts

CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/O=TestCentral/CN=*.red.iplanet.com
   i:/C=US/O=TestCentral/CN=Intermediate CA
-----BEGIN CERTIFICATE-----
[PEM body omitted]
-----END CERTIFICATE-----
 1 s:/C=US/O=TestCentral/CN=Intermediate CA
   i:/C=US/O=TestCentral/CN=RootCA
-----BEGIN CERTIFICATE-----
[PEM body omitted]
-----END CERTIFICATE-----
 2 s:/C=US/O=TestCentral/CN=RootCA
   i:/C=US/O=TestCentral/CN=RootCA
-----BEGIN CERTIFICATE-----
[PEM body omitted]
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/O=TestCentral/CN=*.red.iplanet.com
issuer=/C=US/O=TestCentral/CN=Intermediate CA
---
No client certificate CA names sent
---
SSL handshake has read 1766 bytes and written 309 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: 6165AC305CACA6B92A612F9C5186563BDE600353B995E12BDB4FDDB6F202A4B4
    Session-ID-ctx: 
    Master-Key: C47F6B483263EB4DF59BB7AA1A5E02C6A520BE5343F98DB0CC7DBD8361821EC40F17FB524F146159FEAB56E50E7AD21E
    Key-Arg   : None
    Start Time: 1286890313
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
HTTP/1.0 200 OK
Server: Generic Web Server
Date: Tue, 26 Aug 1997 22:10:05 GMT
Content-type: text/plain



EOF
closed

Expected Results:
As per the notes from Nelson Bolyard's brown bag:
http://blogs.sun.com/meena/entry/notes_about_trust_flags
~~~~~~~~~~~~~~~~~~~~~~~~~~
We can take any intermediate CA cert and mark it with a "C" so it will be treated as a root CA. NSS will build the chain to send out as far as it sees the "C" flag.

gencert - Script used to generate certificates
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#!/bin/ksh
# gencert: build a test cert DB holding a root CA, an intermediate CA signed by
# it, and a server cert signed by the intermediate. Needs pw.txt (the cert DB
# password file) in the current directory.

NSSDIR=/share/builds/components/security/SECURITY_3.12.8_20100916/SunOS5.10_DBG.OBJ/
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$NSSDIR/lib
CERTUTIL=$NSSDIR/bin/certutil

ROOTCA_CERTDN="CN=RootCA, O=TestCentral, C=US"
INTCA_CERTDN="CN=Intermediate CA, O=TestCentral, C=US"
SERVER_CERTDN="CN=*.red.iplanet.com, O=TestCentral, C=US"

if [ ! -f pw.txt ]; then
    echo "pw.txt (cert DB password file) not found in the current directory" >&2
    exit 1
fi

# Print a section banner.
banner() {
    echo ""
    echo "#####################################################################"
    echo "$1"
    echo "#####################################################################"
}

# Collect some system noise to seed key generation (-z noise).
mknoise() {
    (ps -elf; date; netstat -a) > noise
}

banner "Generating cert DB"
$CERTUTIL -N -d . -f pw.txt

banner "Generating root CA certificate"
mknoise
# Answers fed to the interactive extension prompts (printf is used instead of
# echo so the \n escapes are interpreted under any shell):
#   5 9 n      -> -1 key usage: cert signing key
#   y 10 y     -> -2 basic constraints: CA cert
#   5 6 7 9 n  -> -5 extended key usage: SSL, S/MIME, object signing CA
printf '5\n9\nn\ny\n10\ny\n5\n6\n7\n9\nn\n' | \
$CERTUTIL -S -d . -n rootCAcert -s "$ROOTCA_CERTDN" -x -t Cu,Cu,Cu -g 1024 -m 100 -v 120 -z noise -2 -1 -5

banner "Generating intermediate CA certificate request"
mknoise
$CERTUTIL -R -d . -s "$INTCA_CERTDN" -o tmpcertreq -g 1024 -z noise

banner "Generating intermediate CA certificate"
mknoise
# Same extension answers as for the root CA:
#   5 9 n      -> -1 key usage: cert signing key
#   y 10 y     -> -2 basic constraints: CA cert
#   5 6 7 9 n  -> -5 extended key usage: SSL, S/MIME, object signing CA
printf '5\n9\nn\ny\n10\ny\n5\n6\n7\n9\nn\n' | \
$CERTUTIL -C -d . -c rootCAcert -i tmpcertreq -o tmpcert.der -m 101 -v 120 -z noise -2 -1 -5

banner "Importing Intermediate CA certificate into server cert DB"
# The 'C' trust flag on this import is what the bug report is about.
$CERTUTIL -A -d . -n intermediateCAcert -t Cu,Cu,Cu -i tmpcert.der

banner "Generating server certificate request"
mknoise
$CERTUTIL -R -d . -s "$SERVER_CERTDN" -o tmpcertreq -g 1024 -z noise

banner "Generating server certificate"
# Answers to the -1 (key usage) and -5 (extended key usage) prompts for the
# end-entity cert; no basic constraints extension is requested.
printf '2\n9\nn\n1\n9\nn\n' | \
$CERTUTIL -C -d . -c intermediateCAcert -i tmpcertreq -o tmpcert.der -m 101 -v 120 -1 -5

banner "Importing server certificate into server cert DB"
$CERTUTIL -A -d . -n Server-Cert -t u,u,u -i tmpcert.der

banner "Clean up"
rm noise tmpcert.der tmpcertreq

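The report compares the chain selfserv actually sent (three certs, ending at the self-signed root) with the chain the 'C' flag on the intermediate should have produced (two certs, ending at the intermediate). The following POSIX shell script is an added example, not part of the bug report or of NSS: it parses an `openssl s_client -showcerts` transcript and reports how many certificates the server sent and which subject the chain ends at, so the expected stopping point can be checked mechanically rather than by eye. Both transcripts embedded below are constructed from the subjects in the report, the PEM bodies are placeholders rather than real certificates, and the function names (`chain_entries`, `chain_depth`, `chain_stops_at`, and so on) are this example's own.

```shell
#!/bin/sh
# Added example (not the bug report's or NSS's code): summarize the certificate
# chain in an `openssl s_client -showcerts` transcript and check where it ends.
# Both transcripts are constructed samples; the PEM bodies are placeholders.

# Constructed to match the bug report: the full three-cert chain selfserv sent.
ACTUAL_SHOWCERTS='CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/O=TestCentral/CN=*.red.iplanet.com
   i:/C=US/O=TestCentral/CN=Intermediate CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER-PEM-BODY
-----END CERTIFICATE-----
 1 s:/C=US/O=TestCentral/CN=Intermediate CA
   i:/C=US/O=TestCentral/CN=RootCA
-----BEGIN CERTIFICATE-----
PLACEHOLDER-PEM-BODY
-----END CERTIFICATE-----
 2 s:/C=US/O=TestCentral/CN=RootCA
   i:/C=US/O=TestCentral/CN=RootCA
-----BEGIN CERTIFICATE-----
PLACEHOLDER-PEM-BODY
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/O=TestCentral/CN=*.red.iplanet.com'

# Constructed: the chain the reporter expected, stopping at the C-flagged intermediate.
EXPECTED_SHOWCERTS='CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/O=TestCentral/CN=*.red.iplanet.com
   i:/C=US/O=TestCentral/CN=Intermediate CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER-PEM-BODY
-----END CERTIFICATE-----
 1 s:/C=US/O=TestCentral/CN=Intermediate CA
   i:/C=US/O=TestCentral/CN=RootCA
-----BEGIN CERTIFICATE-----
PLACEHOLDER-PEM-BODY
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/O=TestCentral/CN=*.red.iplanet.com'

# Print "subject<TAB>issuer" for each cert in the "Certificate chain" section,
# in the order the server sent them. $1 is the full s_client transcript.
chain_entries() {
    printf '%s\n' "$1" | awk '
        /^Certificate chain$/     { inchain = 1; next }
        inchain && /^---$/        { exit }                      # end of chain section
        inchain && /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj = $0 }
        inchain && /^ *i:/        { sub(/^ *i:/, ""); print subj "\t" $0 }
    '
}

# Number of certificates the server sent.
chain_depth() {
    chain_entries "$1" | wc -l | tr -d ' \t'
}

# Subject of the last certificate in the chain (where the server stopped).
chain_last_subject() {
    chain_entries "$1" | tail -n 1 | cut -f 1
}

# Succeed if the chain ends in a self-signed cert, i.e. the server sent its
# root instead of stopping at a C-flagged intermediate.
chain_ends_self_signed() {
    last=$(chain_entries "$1" | tail -n 1)
    [ "$(printf '%s\n' "$last" | cut -f 1)" = "$(printf '%s\n' "$last" | cut -f 2)" ]
}

# Succeed if the chain's last subject is the given one (the cert marked 'C').
chain_stops_at() {
    [ "$(chain_last_subject "$1")" = "$2" ]
}

# Human-readable report for one transcript against the expected stopping point.
report() {
    label=$1; transcript=$2; anchor=$3
    printf '%s: %s cert(s), last = %s\n' "$label" \
        "$(chain_depth "$transcript")" "$(chain_last_subject "$transcript")"
    if chain_stops_at "$transcript" "$anchor"; then
        echo "  OK: chain stops at the C-flagged cert"
    else
        echo "  MISMATCH: chain did not stop at $anchor"
    fi
}

INT_CA='/C=US/O=TestCentral/CN=Intermediate CA'
report "actual"   "$ACTUAL_SHOWCERTS"   "$INT_CA"
report "expected" "$EXPECTED_SHOWCERTS" "$INT_CA"
```

Against a live server, capture the transcript with `openssl s_client -connect localhost:1894 -showcerts </dev/null 2>/dev/null` into a variable and pass it to `report` with the subject of the cert you marked 'C'; a MISMATCH together with a true `chain_ends_self_signed` is exactly the symptom described in the report.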