Open Bug 647722 Opened 13 years ago Updated 7 months ago

certificateUsageSSLClient causes CERT_PKIXVerifyCert to build a certification loop

Categories

(NSS :: Libraries, defect, P5)

3.12.9

Tracking

(Not tracked)

REOPENED

People

(Reporter: KaiE, Unassigned)

References

Details

Attachments

(1 file)

My experimental PSM code that uses CERT_PKIXVerifyCert fails.

In order to find a simple test case, I used https://wiki.mozilla.org
(With the cert from that site the pkix debug logs aren't getting as big as for most other sites)

I'll attach a log file.
(I enabled the debugging #define in pkix_build.c.)


Failure is PKIX_LOOPDISCOVEREDDUPCERTSNOTALLOWED


$7 = {errCode = PKIX_BUILDINITIATEBUILDCHAINFAILED, errClass = PKIX_BUILD_ERROR, plErr = 0, cause = 0xa3b8c6a0, info = 0x0}
(gdb) print *error->cause
$8 = {errCode = PKIX_UNABLETOBUILDCHAIN, errClass = PKIX_BUILD_ERROR, plErr = 0, cause = 0xa3b8c7a0, info = 0x0}
(gdb) print *error->cause->cause
$9 = {errCode = PKIX_BUILDFORWARDDEPTHFIRSTSEARCHFAILED, errClass = PKIX_BUILD_ERROR, plErr = 0, cause = 0xa3b8c3a0, info = 0x0}
(gdb) print *error->cause->cause->cause
$10 = {errCode = PKIX_LOOPDISCOVEREDDUPCERTSNOTALLOWED, errClass = PKIX_BUILD_ERROR, plErr = 4294959124, cause = 0x0, info = 0x0}
Attached file logfile
bug still exists with tip of NSS, as of today.
I would expect that PKIX_PL_Cert_IsCertTrusted(builtin-root) returns true.
However, for the root CA in this scenario, this function returns not-trusted.

The issue might be inside pkix_pl_Pk11CertStore_CheckTrust

The SSL client code passes cert-usage certUsageSSLClient,
and pkix concludes that it needs trust bits 128,
but it has 24, so it fails.
Blocks: psm-pkix
oh... SECCertUsage != SECCertificateUsage
I think this bug is invalid.
My mistake.
I used the wrong cert usage constants...
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → INVALID
No longer blocks: psm-pkix
Kai: I also ran into this bug last week, so I think it
is worth getting to the bottom of this bug.

As an experiment, I passed certificateUsageSSLClient instead
of certificateUsageSSLServer, as an experiment.  I was
expecting to get the SEC_ERROR_INADEQUATE_KEY_USAGE error.
But I was surprised to get SEC_ERROR_UNTRUSTED_ISSUER, caused
by PKIX_LOOPDISCOVEREDDUPCERTSNOTALLOWED.

Note that certificateUsageSSLClient is a valid SECCertificateUsage
value.  But even with an invalid cert usage constant, isn't it
strange that it causes libpkix to build a certification loop?
Status: RESOLVED → REOPENED
Resolution: INVALID → ---
(In reply to comment #6)
> But even with an invalid cert usage constant, isn't it
> strange that it causes libpkix to build a certification loop?

agreed
Kai: did you pass certUsageSSLServer as the SECCertificateUsage
argument?  certUsageSSLServer has the same value as
certificateUsageSSLClient, so you actually ran into the exact
same problem as I did.
Summary: libPKIX unable to verify cert from wiki.mozilla.org ? → certificateUsageSSLClient causes CERT_PKIXVerifyCert to build a certification loop
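The value collision described in comment #8, as a small added C example (my own, not NSS code): SECCertUsage is an enum index and SECCertificateUsage is a bitmask, so certUsageSSLServer (1) reinterpreted as a bitmask is certificateUsageSSLClient, which needs trust bit 128 (CERTDB_TRUSTED_CLIENT_CA) while the root in the log carries 24 (VALID_CA | TRUSTED_CA). The constants mirror the NSS certt.h/certdb.h definitions; required_ca_trust is a hypothetical simplification of the trust check, not the real pkix_pl_Pk11CertStore_CheckTrust.

```c
#include <stdint.h>

/* Constructed mirror of the two NSS usage types from certt.h (not the NSS
 * headers themselves): SECCertUsage is an enum index, SECCertificateUsage is
 * a bitmask, and certificateUsageX == 1 << certUsageX for every usage. */
typedef enum { certUsageSSLClient = 0, certUsageSSLServer = 1 } SECCertUsage;
typedef int64_t SECCertificateUsage;
#define certificateUsageSSLClient 0x0001
#define certificateUsageSSLServer 0x0002

/* CA trust flags as in NSS certdb.h. */
#define CERTDB_VALID_CA           (1u << 3)   /* 8   */
#define CERTDB_TRUSTED_CA         (1u << 4)   /* 16  */
#define CERTDB_TRUSTED_CLIENT_CA  (1u << 7)   /* 128 */

/* The only safe way to hand an enum SECCertUsage to an API that takes the
 * bitmask type: shift it, never cast it. */
SECCertificateUsage usage_from_enum(SECCertUsage u) {
    return (SECCertificateUsage)1 << u;
}

/* Hypothetical simplification of the trust-bit lookup the comments above
 * attribute to pkix_pl_Pk11CertStore_CheckTrust: which flag a root must
 * carry to be trusted for a given bitmask usage. */
unsigned required_ca_trust(SECCertificateUsage usage) {
    switch (usage) {
    case certificateUsageSSLServer: return CERTDB_TRUSTED_CA;        /* 16  */
    case certificateUsageSSLClient: return CERTDB_TRUSTED_CLIENT_CA; /* 128 */
    default:                        return 0; /* other usages not modelled */
    }
}

/* 1 if a root with trust_flags satisfies the bitmask usage, else 0. */
int root_trusted_for(unsigned trust_flags, SECCertificateUsage usage) {
    unsigned need = required_ca_trust(usage);
    return need != 0 && (trust_flags & need) == need;
}

int main(void) {
    /* The built-in root from the log: VALID_CA | TRUSTED_CA == 24. */
    unsigned root = CERTDB_VALID_CA | CERTDB_TRUSTED_CA;
    /* Correct call: 24 contains the 16 bit, so the root is trusted. */
    int ok  = root_trusted_for(root, certificateUsageSSLServer);
    /* The bug: enum value 1 silently becomes certificateUsageSSLClient,
     * which demands bit 128; the root only has 24, so it is "not trusted". */
    int bad = root_trusted_for(root, (SECCertificateUsage)certUsageSSLServer);
    return (ok == 1 && bad == 0) ? 0 : 1;
}
```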
(In reply to comment #8)
> Kai: did you pass certUsageSSLServer as the SECCertificateUsage
> argument?

Yes, that's exactly what I did.
Severity: normal → S3
Severity: S3 → S4
Priority: -- → P5