Open Bug 647722 Opened 14 years ago Updated 11 months ago

certificateUsageSSLClient causes CERT_PKIXVerifyCert to build a certification loop

Categories

(NSS :: Libraries, defect, P5)

3.12.9

Tracking

(Not tracked)

REOPENED

People

(Reporter: KaiE, Unassigned)

References

Details

Attachments

(1 file)

My experimental PSM code that uses CERT_PKIXVerifyCert fails. In order to find a simple test case, I used https://wiki.mozilla.org (with the cert from that site the pkix debug logs aren't getting as big as for most other sites). I'll attach a log file. (I enabled the debugging #define in pkix_build.c.)

Failure is PKIX_LOOPDISCOVEREDDUPCERTSNOTALLOWED:

$7 = {errCode = PKIX_BUILDINITIATEBUILDCHAINFAILED, errClass = PKIX_BUILD_ERROR, plErr = 0, cause = 0xa3b8c6a0, info = 0x0}
(gdb) print *error->cause
$8 = {errCode = PKIX_UNABLETOBUILDCHAIN, errClass = PKIX_BUILD_ERROR, plErr = 0, cause = 0xa3b8c7a0, info = 0x0}
(gdb) print *error->cause->cause
$9 = {errCode = PKIX_BUILDFORWARDDEPTHFIRSTSEARCHFAILED, errClass = PKIX_BUILD_ERROR, plErr = 0, cause = 0xa3b8c3a0, info = 0x0}
(gdb) print *error->cause->cause->cause
$10 = {errCode = PKIX_LOOPDISCOVEREDDUPCERTSNOTALLOWED, errClass = PKIX_BUILD_ERROR, plErr = 4294959124, cause = 0x0, info = 0x0}
Attached file logfile
bug still exists with tip of NSS, as of today.
I would expect that PKIX_PL_Cert_IsCertTrusted(builtin-root) returns true. However, for the root CA in this scenario, this function returns not-trusted. The issue might be inside pkix_pl_Pk11CertStore_CheckTrust.

The SSL client code passes cert-usage certUsageSSLClient, and pkix concludes that it needs trust bits 128, but it has 24, so it fails.
Blocks: psm-pkix
oh... SECCertUsage != SECCertificateUsage
I think this bug is invalid. My mistake. I used the wrong cert usage constants...
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → INVALID
No longer blocks: psm-pkix
Kai: I also ran into this bug last week, so I think it is worth getting to the bottom of this bug. As an experiment, I passed certificateUsageSSLClient instead of certificateUsageSSLServer, as an experiment. I was expecting to get the SEC_ERROR_INADEQUATE_KEY_USAGE error. But I was surprised to get SEC_ERROR_UNTRUSTED_ISSUER, caused by PKIX_LOOPDISCOVEREDDUPCERTSNOTALLOWED. Note that certificateUsageSSLClient is a valid SECCertificateUsage value. But even with an invalid cert usage constant, isn't it strange that it causes libpkix to build a certification loop?
Status: RESOLVED → REOPENED
Resolution: INVALID → ---
(In reply to comment #6)
> But even with an invalid cert usage constant, isn't it
> strange that it causes libpkix to build a certification loop?

agreed
Kai: did you pass certUsageSSLServer as the SECCertificateUsage argument? certUsageSSLServer has the same value as certificateUsageSSLClient, so you actually ran into the exact same problem as I did.
Summary: libPKIX unable to verify cert from wiki.mozilla.org ? → certificateUsageSSLClient causes CERT_PKIXVerifyCert to build a certification loop
(In reply to comment #8)
> Kai: did you pass certUsageSSLServer as the SECCertificateUsage
> argument?

Yes, that's exactly what I did.
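To make the mix-up discussed in comments 6 and 8 concrete, here is an added C example (not NSS code and not from this bug). It mirrors the public constant values from NSS's certt.h so it builds without NSS installed, and shows that handing the SECCertUsage enum value certUsageSSLServer to a SECCertificateUsage parameter without conversion is read as certificateUsageSSLClient; the shift-based translation assumes the one-index-per-bit layout visible in those public values.

```c
#include <stdio.h>

/* Values mirrored from NSS certt.h (assumption: they match your NSS version).
 * SECCertUsage is an enum INDEX; SECCertificateUsage is a BITMASK. */
typedef enum {
    certUsageSSLClient    = 0,
    certUsageSSLServer    = 1,
    certUsageSSLCA        = 3,
    certUsageEmailSigner  = 4,
    certUsageObjectSigner = 6
} SECCertUsage;

typedef unsigned long SECCertificateUsage;
#define certificateUsageSSLClient    0x0001UL
#define certificateUsageSSLServer    0x0002UL
#define certificateUsageSSLCA        0x0008UL
#define certificateUsageEmailSigner  0x0010UL
#define certificateUsageObjectSigner 0x0040UL

/* Correct translation: each enum index selects exactly one bit of the mask. */
SECCertificateUsage usage_to_certificate_usage(SECCertUsage u) {
    return (SECCertificateUsage)1 << u;
}

/* The mistake in this bug: the enum value is passed to a SECCertificateUsage
 * parameter unconverted, so the integer 1 is reinterpreted as bit 0x0001. */
SECCertificateUsage usage_passed_unconverted(SECCertUsage u) {
    return (SECCertificateUsage)u;
}

/* Name a single-bit certificate usage for diagnostics. */
const char *certificate_usage_name(SECCertificateUsage cu) {
    switch (cu) {
    case certificateUsageSSLClient:    return "certificateUsageSSLClient";
    case certificateUsageSSLServer:    return "certificateUsageSSLServer";
    case certificateUsageSSLCA:        return "certificateUsageSSLCA";
    case certificateUsageEmailSigner:  return "certificateUsageEmailSigner";
    case certificateUsageObjectSigner: return "certificateUsageObjectSigner";
    default:                           return "other/combined usage";
    }
}

int main(void) {
    SECCertUsage u = certUsageSSLServer;
    printf("unconverted: %s\n", certificate_usage_name(usage_passed_unconverted(u)));
    printf("converted:   %s\n", certificate_usage_name(usage_to_certificate_usage(u)));
    return 0;
}
```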
Severity: normal → S3
Severity: S3 → S4
Priority: -- → P5