Closed Bug 755227 Opened 12 years ago Closed 12 years ago

Bug building a certificate chain

Categories

(NSS :: CA Certificates Code, task)


Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 386871

People

(Reporter: mrella, Unassigned)

Details

Attachments

(1 file)

User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30618)

Steps to reproduce:

We have tried to build a correct certification chain in Firefox (you can see the detailed steps in the attached file).


Actual results:

The chain is not built correctly as happens with many other systems (see the attached file for details).


Expected results:

The certification chain should be built and validated.
Component: Untriaged → Security: PSM
Product: Firefox → Core
QA Contact: untriaged → psm
Assignee: nobody → nobody
Component: Security: PSM → CA Certificates
Product: Core → NSS
QA Contact: psm → root-certs
Version: 1.0 Branch → unspecified
I manually imported each of the certs from here:
http://www.catcert.cat/content/download/6700/16189/file/EV_certificate.zip

When I view the EC-SAFP certificate I see that it chains up to EC-GENCAT, which chains up to EC-ACC. That part seems fine.

However, when I view the www.ecoviat.com cert, it doesn't show the cert chain.

www.ecoviat.com Issuer:
CN = EC-SAFP
OU = Secretaria d'Administracio i Funcio Publica
OU = "Vegeu https://www.catcert.net/verCIC-2   (c)03"
OU = Serveis Publics de Certificacio ECV-2
L = Passatge de la Concepcio 11 08008 Barcelona
O = Agencia Catalana de Certificacio (NIF Q-0801176-I)
C = ES


EC-SAFP Subject:
CN = EC-SAFP
OU = Secretaria d'Administracio i Funcio Publica
OU = "Vegeu https://www.catcert.net/verCIC-2   (c)03"
OU = Serveis Publics de Certificacio ECV-2
L = Passatge de la Concepcio 11 08008 Barcelona
O = Agencia Catalana de Certificacio (NIF Q-0801176-I)
C = ES


Seems to match, but the chaining doesn't happen.

From CATCert: 
We also think the problem is that the hierarchy has UTF-8 codification and the SSL certificate has PrintableString, and maybe the algorithm that Firefox uses for building the certification chain is affected by this.
NSS Team: Does NSS support a cert hierarchy where the root and intermediate certs use UTF-8, but the end-entity cert uses PrintableString?
(In reply to Kathleen Wilson from comment #2)
> Does NSS support a cert hierarchy where the root and intermediate
> certs use UTF-8, but the end-entity cert uses PrintableString?

No, it doesn't. More precisely, the issuer DN of a cert must use the very same ASN.1 string encodings as the subject DN of its issuer cert, otherwise the certs won't chain in NSS.

What can be observed with the cert for www.ecoviat.com and the [new] ICA cert from http://www.catcert.cat/descarrega/gencat_sha2.crt (which BTW should serve the cert itself and not redirect to another URI, see RFC 5280 section 4.2.2.1) is exactly the same behavior as described in bug 398153 comment 3.
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Windows Vista → All
Hardware: x86 → All
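The chaining rule from the reply above, as an added example (not code from NSS or from this bug): it builds the same DN once with PrintableString and once with UTF8String, then reports whether a failed issuer/subject match is only an encoding difference. It models the strict match as a byte comparison of the DER Name and assumes constructed sample DNs, single-valued RDNs and short-form DER lengths; all helper names are hypothetical.

```python
PRINTABLE, UTF8 = 0x13, 0x0C           # ASN.1 universal string tags
OID_CN = bytes.fromhex("0603550403")   # 2.5.4.3 commonName (full TLV)
OID_O = bytes.fromhex("060355040a")    # 2.5.4.10 organizationName (full TLV)

def tlv(tag, body):
    """DER TLV, short-form length only (body under 128 bytes)."""
    if len(body) >= 128:
        raise ValueError("long-form length not handled in this sketch")
    return bytes([tag, len(body)]) + body

def encode_name(attrs, string_tag):
    """Build a DER Name: SEQUENCE OF SET OF SEQUENCE {OID, string}."""
    rdns = b"".join(
        tlv(0x31, tlv(0x30, oid + tlv(string_tag, text.encode("utf-8"))))
        for oid, text in attrs)
    return tlv(0x30, rdns)

def read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    if length >= 0x80:
        raise ValueError("long-form length not handled in this sketch")
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def parse_name(der):
    """Return [(oid_bytes, string_tag, text)] for single-valued RDNs."""
    _, body, _ = read_tlv(der, 0)
    out, pos = [], 0
    while pos < len(body):
        _, rdn, pos = read_tlv(body, pos)   # SET (one RDN)
        _, atv, _ = read_tlv(rdn, 0)        # SEQUENCE {type, value}
        _, oid, p = read_tlv(atv, 0)
        string_tag, val, _ = read_tlv(atv, p)
        out.append((oid, string_tag, val.decode("utf-8")))
    return out

def diagnose(child_issuer, parent_subject):
    """Classify a chaining attempt between two DER-encoded Names."""
    if child_issuer == parent_subject:
        return "match"
    a, b = parse_name(child_issuer), parse_name(parent_subject)
    same_text = [(o, t) for o, _, t in a] == [(o, t) for o, _, t in b]
    return "encoding-mismatch" if same_text else "different-name"

# Constructed sample: same text, different string types on each side.
ATTRS = [(OID_CN, "EC-SAFP"), (OID_O, "Agencia Catalana de Certificacio")]
LEAF_ISSUER = encode_name(ATTRS, PRINTABLE)   # issuer DN in the leaf cert
CA_SUBJECT = encode_name(ATTRS, UTF8)         # subject DN in the CA cert
```

An "encoding-mismatch" result means the names read identically in a certificate viewer yet differ in their DER bytes, which is the situation described in this bug.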
Thanks!

Looks like this is also a duplicate of bug #386871.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE