639315 - Looping CA Cross-Certificates not displayed as going to a Root CA

Status: VERIFIED DUPLICATE of bug 634074

(Core :: Security, defect)

Description

[Ridley]

User-Agent:       Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_6; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Build Identifier: Any build of Mozilla [Firefox] tested so far 3.x through 4.0b12

Presence both of a pair of cross-certificates in the Authorities certificarte store results looping rather than traversing to a root certificate. Although the looping appears to end in the 5th scrolled image [See link to gallery below], that is ending at a cross-certificate and not a root. It appears the Mozilla function does the looping for a certain predetermined number of times then stops. Not sure at this point if this is a cosmetic issue of the path display feature or if this actually can cause multiple attempts at validation as a result of the looping. Certificate trust does not appear effected. Not that Microsoft Windows and OS X do not have this issue, although their methods of choosing the proper path to root varies, they do not get caught in a loop as this Mozilla implementation appears to do.

Reproducible: Always

Steps to Reproduce:
1. Import CA Certificates including a cross certificates pair in path to root into the Authorities certificate store in any Mozilla Product 
2. Check the path of certificate that can go to root via one of the cross certificates
3. Notice the looping occurs multiple times yet never displays as going to a root certificate
Actual Results:  
Looping the cross-certificate occurs multiple times yet never displays as going to a root certificate

Expected Results:  
The path should take only one of the cross-certificates that go to root and not loop back to a certificate used previously in the path to root.

Please contact me if you need the certificate to import to examine this, some are publicly available.

This issue is exhibited any CAs with cross certified certificates in the path to root being present, although I'm most familiar with it occurring with the US Federal PKI cross-certificates with the Federal Common Policy CA / Federal Bridge CA / DoD CAs.  There are many cross certified CA's so this can happen many different ways even from one starting point depending on the collection of certificates and cross-certificates present in the Mozilla certificate store.

Check https://pki.treas.gov for some certificate bundles to import to see this issue.

Comment 1

[Brian Smith (:briansmith, :bsmith, use NEEDINFO?)]

It stops at the 20th cert because NSS is hard-coded to stop (give up) after the 20th cert in the chain to avoid infinite loops.