Closed Bug 966060 Opened 6 years ago Closed 6 years ago

Distrust three VeriSign intermediate certificates

Component: NSS :: CA Certificates Code
Type: task
Status: RESOLVED FIXED
Reporter: rick_andrews
Assignee: cviecco
Attachments: 2 files

User Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; MS-RTC LM 8)

Steps to reproduce:

We have a partner that has terminated operations, so we have revoked three intermediate CAs that they used to issue Administrator certs to their employees. Because the certificates were only intended to be used by our systems (we were the sole relying party), they did not include CDPs or OCSP pointers. We have no reason to believe that these intermediates were used to sign anything other than Administrator certs. We provide them here to comply with Mozilla's wishes to inform Mozilla when a CA revokes an intermediate cert.

Camilo, can you add the distrust records to NSS for these certificates, similar to how we added distrust records for the French CA, TrustWave, etc. AFAICT, this isn't an emergency. We'd previously told CAs we would add intermediate certs to the distrust list upon their notification.
Assignee: nobody → cviecco
Attached patch patch-bug-966060
This should have done it, but when I test it:
../dist/Linux3.2_x86_64_glibc_PTH_64_DBG.OBJ/bin/vfychain -u 3 -pp -v -a /home/cviecco/tmp/egypt-trust3.pem

I do not get a failure. Am I doing this wrong?
Attachment #8371966 - Flags: feedback?(brian)
Please attach the certificates to this bug and include the command line to addbuiltin that you used to add the distrust record.

Even better would be to attach an xpcshell test that tests this. Even a test that fails is OK, because I can debug it in the debugger. We'll want this test anyway and we can then expand it to include tests for other revocations that currently aren't tested in Gecko's test suite.
cat /home/cviecco/tmp/egypt-trust1.der | ../dist/Linux3.2_x86_64_glibc_PTH_64_DBG.OBJ/bin/addbuiltin -D -n 'Distrust: O=Egypt Trust, OU=VeriSign TrustNetwork (cert 1/3)' > /tmp/trust-text.txt
cviecco@cviecco-dell1:~/hg/nss/nss$ cat /home/cviecco/tmp/egypt-trust2.der | ../dist/Linux3.2_x86_64_glibc_PTH_64_DBG.OBJ/bin/addbuiltin -D -n 'Distrust: O=Egypt Trust, OU=VeriSign TrustNetwork (cert 2/3)' >> /tmp/trust-text.txt
cviecco@cviecco-dell1:~/hg/nss/nss$ cat /home/cviecco/tmp/egypt-trust3.der | ../dist/Linux3.2_x86_64_glibc_PTH_64_DBG.OBJ/bin/addbuiltin -D -n 'Distrust: O=Egypt Trust, OU=VeriSign TrustNetwork (cert 3/3)' >> /tmp/trust-text.txt

cp lib/ckfw/builtins/certdata.txt /tmp
cat /tmp/certdata.txt /tmp/trust-text.txt > lib/ckfw/builtins/certdata.tx

make clean
make nss_build_all

../dist/Linux3.2_x86_64_glibc_PTH_64_DBG.OBJ/bin/vfychain -u 3 -pp -v  /home/cviecco/tmp/egypt-trust1.der 
Chain is good!
Root Certificate Subject:: "CN=VeriSign Class 3 Public Primary Certification 
    Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=
    VeriSign Trust Network,O="VeriSign, Inc.",C=US"
Certificate 1 Subject: "CN=Egypt Trust Class 3 Managed PKI Enterprise Adminis
    trator CA,OU=Terms of use at https://www.egypttrust.com/repository/rpa (c
    )08,OU=VeriSign Trust Network,O=Egypt Trust,C=EG"


(I will add one of the certs for illustration purposes).
Attached file egypt-trust1.der
Whiteboard: [ETA: 2014-02-17]
Attachment #8371966 - Flags: feedback?(kaie)
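Because these intermediates carry no CDP or OCSP pointer, a relying party can only learn of their revocation through an explicit distrust record, which is what the addbuiltin -D step above produces: a CKO_NSS_TRUST object in certdata.txt that NSS looks up by the certificate's issuer and serial number and that marks every trust bit CKT_NSS_NOT_TRUSTED. The following added example (not part of this bug or of NSS, and not a substitute for addbuiltin) emits such a record from a DER certificate; it uses a constructed, truncated DER sample in place of the attached egypt-trust*.der files, and the attribute layout follows certdata.txt as I know it.

```python
import hashlib

def _tlv(buf, pos):
    """Read the DER TLV at `pos`; return (tag, value_start, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_serial(der):
    """Issuer Name and serialNumber as full TLVs, as NSS stores CKA_ISSUER / CKA_SERIAL_NUMBER."""
    _, tbs, _ = _tlv(der, 0)                           # Certificate SEQUENCE
    _, pos, _ = _tlv(der, tbs)                         # TBSCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                                    # skip the optional [0] EXPLICIT version
        pos, (tag, _, end) = end, _tlv(der, end)
    assert tag == 0x02, "serialNumber must be an INTEGER"
    _, _, sig_end = _tlv(der, end)                     # signature AlgorithmIdentifier
    _, _, issuer_end = _tlv(der, sig_end)              # issuer Name
    return der[sig_end:issuer_end], der[pos:end]

def octal_lines(data, per_line=16):
    """Encode bytes as certdata.txt MULTILINE_OCTAL: \\ooo per byte, 16 bytes per line."""
    return "\n".join("".join("\\%03o" % b for b in data[i:i + per_line])
                     for i in range(0, len(data), per_line))

def distrust_record(der, label):
    """Emit a CKO_NSS_TRUST object that marks `der` as not trusted for any use."""
    issuer, serial = issuer_and_serial(der)
    multiline = [("CKA_CERT_SHA1_HASH", hashlib.sha1(der).digest()),
                 ("CKA_CERT_MD5_HASH", hashlib.md5(der).digest()),
                 ("CKA_ISSUER", issuer), ("CKA_SERIAL_NUMBER", serial)]
    lines = ["CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST", "CKA_TOKEN CK_BBOOL CK_TRUE",
             "CKA_PRIVATE CK_BBOOL CK_FALSE", "CKA_MODIFIABLE CK_BBOOL CK_FALSE",
             'CKA_LABEL UTF8 "%s"' % label]
    lines += ["%s MULTILINE_OCTAL\n%s\nEND" % (k, octal_lines(v)) for k, v in multiline]
    lines += ["CKA_TRUST_%s CK_TRUST CKT_NSS_NOT_TRUSTED" % use
              for use in ("SERVER_AUTH", "EMAIL_PROTECTION", "CODE_SIGNING")]
    return "\n".join(lines + ["CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE"]) + "\n"

# Constructed stand-in for a DER certificate, truncated after the issuer (all the record needs).
SAMPLE_ISSUER = b"\x30\x12\x31\x10\x30\x0e\x06\x03\x55\x04\x03\x13\x07Test CA"  # Name: CN=Test CA
SAMPLE_SERIAL = b"\x02\x04\x4c\x00\x36\x1b"                                      # INTEGER, constructed
SAMPLE_DER = (b"\x30\x30\x30\x2e\xa0\x03\x02\x01\x02" + SAMPLE_SERIAL            # Certificate, TBS, v3
              + b"\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05\x05\x00"  # sha1WithRSAEncryption
              + SAMPLE_ISSUER)
```

Calling `distrust_record(SAMPLE_DER, "Distrust: CN=Test CA (constructed)")` yields a block that can be appended to certdata.txt the same way the /tmp/trust-text.txt output is above; for a real certificate, feed in the full DER bytes.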
Comment on attachment 8371966 (patch-bug-966060)

(In reply to Camilo Viecco (:cviecco) from comment #4)
> cat /tmp/certdata.txt /tmp/trust-text.txt > lib/ckfw/builtins/certdata.tx

You've missed a trailing "t".
Is that the cause for your problem in your test environment?

I've tested your patch locally, and it disables trust for all three certificates given in the initial comment.
Attachment #8371966 - Flags: review+
Attachment #8371966 - Flags: feedback?(kaie)
Attachment #8371966 - Flags: feedback+
Status: UNCONFIRMED → NEW
Ever confirmed: true
Camilo, could it be the case that you have another version of NSS in your $PATH or $LD_LIBRARY_PATH that is causing you to use the old version of the database when you are testing your patch?
(In reply to Brian Smith (:briansmith, was :bsmith; NEEDINFO? for response) from comment #7)
> Camilo, could it be the case that you have another version of NSS in your
> $PATH or $LD_LIBRARY_PATH that is causing you to use the old version of the
> database when you are testing your patch?

GRRR. Bad $LD_LIBRARY_PATH.
Attachment #8371966 - Flags: feedback?(brian)
Target Milestone: --- → 3.16
Summary: Revoked intermediate certificates → Distrust three VeriSign intermediate certificates
http://hg.mozilla.org/projects/nss/rev/7e92e560a717
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Whiteboard: [ETA: 2014-02-17]