Closed Bug 966060 Opened 11 years ago Closed 11 years ago

Distrust three VeriSign intermediate certificates

Categories

(NSS :: CA Certificates Code, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: rick_andrews, Assigned: cviecco)

Details

Attachments

(2 files)

User Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; MS-RTC LM 8)

Steps to reproduce:

We have a partner that has terminated operations, so we have revoked three intermediate CAs that they used to issue Administrator certs to their employees. Because the certificates were only intended to be used by our systems (we were the sole relying party), they did not include CDPs or OCSP pointers. We have no reason to believe that these intermediates were used to sign anything other than Administrator certs. We provide them here to comply with Mozilla's wishes to inform Mozilla when a CA revokes an intermediate cert.

-----BEGIN CERTIFICATE-----
MIIGCTCCBPGgAwIBAgIQTAA2G+UIK6mqznQKBT77NDANBgkqhkiG9w0BAQUFADCB
yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMTk5OSBWZXJp
U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW
ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0
aG9yaXR5IC0gRzMwHhcNMDgwNTE4MDAwMDAwWhcNMTgwNTE3MjM1OTU5WjCB1DEL
MAkGA1UEBhMCRUcxFDASBgNVBAoTC0VneXB0IFRydXN0MR8wHQYDVQQLExZWZXJp
U2lnbiBUcnVzdCBOZXR3b3JrMUgwRgYDVQQLEz9UZXJtcyBvZiB1c2UgYXQgaHR0
cHM6Ly93d3cuZWd5cHR0cnVzdC5jb20vcmVwb3NpdG9yeS9ycGEgKGMpMDgxRDBC
BgNVBAMTO0VneXB0IFRydXN0IENsYXNzIDMgTWFuYWdlZCBQS0kgRW50ZXJwcmlz
ZSBBZG1pbmlzdHJhdG9yIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEAxnRvQq58R/FY+HmtkB1EF/OENJ4V4iqFFulKpMKVqCebOpXbSMA6ldd5u3yL
o47Zt4m8bnuAs//zPM4PtbgF8AIui9stC0ByNqueL6b7vMu7/48J59gVb5B3DBph
R2fzKsJUaBofFvyTGB15mM0NVxAzQt9NH+hv+Dbx2sDQ0FJW2U+ew4h0RgaGS10e
Drr4Cb4GjneIfKOeW+Yv5a6Hz7XiJ88dp4HGBp0tTUnEUFDHsfszNN8gbaGqcxE1
sSBvQ9HRSRwZEqr0r8I1OMhPhdmmobC8ohTyALruxaP+xa6IsvbuH63dR9o4K1la
Xcj8mHDBqbQ30ebmvo+Cn/ShfQIDAQABo4IB3TCCAdkwEgYDVR0TAQH/BAgwBgEB
/wIBADCBjAYDVR0gBIGEMIGBMH8GC2CGSAGG+EUBBxcDMHAwNQYIKwYBBQUHAgEW
KWh0dHBzOi8vd3d3LmVneXB0dHJ1c3QuY29tL3JlcG9zaXRvcnkvY3BzMDcGCCsG
AQUFBwICMCsaKWh0dHBzOi8vd3d3LmVneXB0dHJ1c3QuY29tL3JlcG9zaXRvcnkv
cnBhMA4GA1UdDwEB/wQEAwIBBjARBglghkgBhvhCAQEEBAMCAQYwHQYDVR0OBBYE
FHNjeOXFLkYEA+pOgggOV0z9ue+rMIHxBgNVHSMEgekwgeahgdCkgc0wgcoxCzAJ
BgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjEfMB0GA1UECxMWVmVy
aVNpZ24gVHJ1c3QgTmV0d29yazE6MDgGA1UECxMxKGMpIDE5OTkgVmVyaVNpZ24s
IEluYy4gLSBGb3IgYXV0aG9yaXplZCB1c2Ugb25seTFFMEMGA1UEAxM8VmVyaVNp
Z24gQ2xhc3MgMyBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0
eSAtIEczghEAm34GSaM+YrnV7pBIcSnvVzANBgkqhkiG9w0BAQUFAAOCAQEAwSNW
bcdNRJ3vqrkvymM6cF9/LoaVwyNwJklsEr1lGjcI8RuJAp3Heh0mVm3Y6ywN/Q8i
SZPTITnqC78G2URZX39fUYM2fw6y2p5ibdLTyrnXMfmztXsUnvbixChGIBIDHSpI
Y08j7ciO/ZXDyaj/Mv3J0Hkv01FcpXpEwBWdSS1XCSxrERr1oW06Zr0i95qwT+qj
WMDj76ceSSsY4I4mOHMRtA1V1HiHKNpajtFyvGabmK0VyYSB2iSZQm0LlNOiKKBh
CZW6lTsqJj4XX9klzP6MESZp9Q1ogQbOkDhSkxk2dG9O7W83vAM8TncfWdNiq2r/
6/KQKzHOGNmQodaqDQ==
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
MIIGCjCCBPKgAwIBAgIQPgyeh2mqlVzqI9hFntRbUTANBgkqhkiG9w0BAQUFADCB
yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMTk5OSBWZXJp
U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW
ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0
aG9yaXR5IC0gRzMwHhcNMDgwNTE4MDAwMDAwWhcNMTgwNTE3MjM1OTU5WjCB1TEL
MAkGA1UEBhMCRUcxFDASBgNVBAoTC0VneXB0IFRydXN0MR8wHQYDVQQLExZWZXJp
U2lnbiBUcnVzdCBOZXR3b3JrMUgwRgYDVQQLEz9UZXJtcyBvZiB1c2UgYXQgaHR0
cHM6Ly93d3cuZWd5cHR0cnVzdC5jb20vcmVwb3NpdG9yeS9ycGEgKGMpMDgxRTBD
BgNVBAMTPEVneXB0IFRydXN0IENsYXNzIDMgTWFuYWdlZCBQS0kgT3BlcmF0aW9u
YWwgQWRtaW5pc3RyYXRvciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
ggEBAMI4Lq9Ukowni8pAEO4BXaWc2QkqBej3yXOJEQ/kbvvYzTxgAqRIn+IL1cC1
5qfb2T3s55srl3HDh58JAeCd6SFbKT2vKOunbGnbiL8T6w3J0jJpBuVnU6ZKxxJd
Tmgow2+s+lTm2G/cmL9xSjTQj6rB/hX7FDoTiw7VSJJ+dwPZmu0unr5tRcb3VUZl
2xaIXMWiHsC07YNBKziMee3/6GHAnRPhopUpVFkoo1IkaLX5dZHSbTBelzWH8hXE
VdRQrObVOqI1aTWcLxino2SSEeOvhbDGWE6MIqzw5r445SW1l2EfFTkzYALNQENZ
H7xHwBWrvS6/IpSLkZIrYcJI82sCAwEAAaOCAd0wggHZMBIGA1UdEwEB/wQIMAYB
Af8CAQAwgYwGA1UdIASBhDCBgTB/BgtghkgBhvhFAQcXAzBwMDUGCCsGAQUFBwIB
FilodHRwczovL3d3dy5lZ3lwdHRydXN0LmNvbS9yZXBvc2l0b3J5L2NwczA3Bggr
BgEFBQcCAjArGilodHRwczovL3d3dy5lZ3lwdHRydXN0LmNvbS9yZXBvc2l0b3J5
L3JwYTAOBgNVHQ8BAf8EBAMCAQYwEQYJYIZIAYb4QgEBBAQDAgEGMB0GA1UdDgQW
BBSnSwLJdlt+4KtMF+tadWnGxOUF3DCB8QYDVR0jBIHpMIHmoYHQpIHNMIHKMQsw
CQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZl
cmlTaWduIFRydXN0IE5ldHdvcmsxOjA4BgNVBAsTMShjKSAxOTk5IFZlcmlTaWdu
LCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxRTBDBgNVBAMTPFZlcmlT
aWduIENsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3Jp
dHkgLSBHM4IRAJt+BkmjPmK51e6QSHEp71cwDQYJKoZIhvcNAQEFBQADggEBAEes
voSMp69jiNf8p0b1whWOmaaTMwzQz3WRBkE4jqyZa8BLyvWpftaJESbxxpPyB2fc
ikuJuaToEIf3f2UhZdbPmxDAnWBKH1eZruOGUznEtFyuPBRekF5B6f97Suq5eEks
sNqhUGeVfjvWdeNkqFDM2+0HvIabwrW97Fvt4cEFs/TD1J0zkTcGWi92nOjW4m6O
dzuAiQUgKhEZ5oE0XpHUffykWRxKQkJCc2+Jl+EJ54qR8MDeTMLSqnaB4mZg4kgI
1Y2g1vhqEUuv91ZbAxuQaEXrzFCFDD4B3K/7BzlUMFZgNkITG2SuO8fFrSSAcEbV
YCzS7ePBLrWizQaMsGU=
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
MIIGAjCCBOqgAwIBAgIQEr0moq4zwH8ke2pYafIKdjANBgkqhkiG9w0BAQUFADCB
yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMTk5OSBWZXJp
U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW
ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0
aG9yaXR5IC0gRzMwHhcNMDgwNTE4MDAwMDAwWhcNMTgwNTE3MjM1OTU5WjCBzTEL
MAkGA1UEBhMCRUcxFDASBgNVBAoTC0VneXB0IFRydXN0MR8wHQYDVQQLExZWZXJp
U2lnbiBUcnVzdCBOZXR3b3JrMUgwRgYDVQQLEz9UZXJtcyBvZiB1c2UgYXQgaHR0
cHM6Ly93d3cuZWd5cHR0cnVzdC5jb20vcmVwb3NpdG9yeS9ycGEgKGMpMDgxPTA7
BgNVBAMTNEVneXB0IFRydXN0IENsYXNzIDMgTWFuYWdlZCBQS0kgU0NPIEFkbWlu
aXN0cmF0b3IgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCrZCZ4
0A4HwtbemB8Z7bmQGK7Sk9k5RL9QeojdhuGWdd0voqj5hsfCK2S0oTrN5BdMvqiP
U5N7r51TI9vLYWqE1r6eA3Q1ru7+sntvSoclTFnfCnaeAENsxjBy/2pKUAnNzgy9
t28RMsTAHvyFn0400Z5ctqt/wx9b2wZrTf7OsbgTdhshK2WaGrEzW/IppNvbYwCE
GVKjohZfyvf/7UJ8sS/lzSxtRKvvBBTi+C3LZST0Ro0s6m9RaAR/x7LSXiorQfss
15ihEXjwDb6WFnN6OuYR1ykXsEEjk2+FaMRnfdLbtP5gtwImTiC8mfDnc9JnpjZ3
QNgm1i+GvgBeGN7PAgMBAAGjggHdMIIB2TASBgNVHRMBAf8ECDAGAQH/AgEAMIGM
BgNVHSAEgYQwgYEwfwYLYIZIAYb4RQEHFwMwcDA1BggrBgEFBQcCARYpaHR0cHM6
Ly93d3cuZWd5cHR0cnVzdC5jb20vcmVwb3NpdG9yeS9jcHMwNwYIKwYBBQUHAgIw
KxopaHR0cHM6Ly93d3cuZWd5cHR0cnVzdC5jb20vcmVwb3NpdG9yeS9ycGEwDgYD
VR0PAQH/BAQDAgEGMBEGCWCGSAGG+EIBAQQEAwIBBjAdBgNVHQ4EFgQUxwAT7nSE
FPi4fItniv913d2nyuYwgfEGA1UdIwSB6TCB5qGB0KSBzTCByjELMAkGA1UEBhMC
VVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBU
cnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMTk5OSBWZXJpU2lnbiwgSW5jLiAt
IEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJpU2lnbiBDbGFz
cyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRzOC
EQCbfgZJoz5iudXukEhxKe9XMA0GCSqGSIb3DQEBBQUAA4IBAQCXFdkLXgCt4QLB
SxaDTbEUrxkNgHFfUaLXN0lHhPEUblKJJETX3I5iEb6xarDsorNGg0euMI/UfHjg
+S6CsH4r5rbBfywmqXbZKvbAzWwZ0B4DWX/lCO7jaOrJRaa+j96U4CrKDe5kQ3RT
40T+N24Hw4XrHU+nbbyi8L5zE9ySmN9qgM5Jc+con8q2rTfDdFr4r4ILKs+uTQGH
LrrSAN+4v4hz75WDeDOdEVeKxJJG6eI+ZO/Uu+hKC92Kip69ZE5WRgeefbywbi7X
0poMIu4sf6xaQGSoK8awzlWe3heB0o7C6DuuXhQl6imHLqJMkPI8ig6+pPGs5h/j
etZywpSX
-----END CERTIFICATE-----
Camilo, can you add the distrust records to NSS for these certificates, similar to how we added distrust records for the French CA, TrustWave, etc. AFAICT, this isn't an emergency. We'd previously told CAs we would add intermediate certs to the distrust list upon their notification.
Assignee: nobody → cviecco
Attached patch patch-bug-966060
This should have done it, but when I test it:

../dist/Linux3.2_x86_64_glibc_PTH_64_DBG.OBJ/bin/vfychain -u 3 -pp -v -a /home/cviecco/tmp/egypt-trust3.pem

I do not get a failure. Am I doing this wrong?
Attachment #8371966 - Flags: feedback?(brian)
Please attach the certificates to this bug and include the command line to addbuiltin that you used to add the distrust record. Even better would be to attach an xpcshell test that tests this. Even a test that fails is OK, because I can debug it in the debugger. We'll want this test anyway and we can then expand it to include tests for other revocations that currently aren't tested in Gecko's test suite.
cat /home/cviecco/tmp/egypt-trust1.der | ../dist/Linux3.2_x86_64_glibc_PTH_64_DBG.OBJ/bin/addbuiltin -D -n 'Distrust: O=Egypt Trust, OU=VeriSign TrustNetwork (cert 1/3)' > /tmp/trust-text.txt
cviecco@cviecco-dell1:~/hg/nss/nss$ cat /home/cviecco/tmp/egypt-trust2.der | ../dist/Linux3.2_x86_64_glibc_PTH_64_DBG.OBJ/bin/addbuiltin -D -n 'Distrust: O=Egypt Trust, OU=VeriSign TrustNetwork (cert 2/3)' >> /tmp/trust-text.txt
cviecco@cviecco-dell1:~/hg/nss/nss$ cat /home/cviecco/tmp/egypt-trust3.der | ../dist/Linux3.2_x86_64_glibc_PTH_64_DBG.OBJ/bin/addbuiltin -D -n 'Distrust: O=Egypt Trust, OU=VeriSign TrustNetwork (cert 3/3)' >> /tmp/trust-text.txt

cp lib/ckfw/builtins/certdata.txt /tmp
cat /tmp/certdata.txt /tmp/trust-text.txt > lib/ckfw/builtins/certdata.tx
make clean
make nss_build_all

../dist/Linux3.2_x86_64_glibc_PTH_64_DBG.OBJ/bin/vfychain -u 3 -pp -v /home/cviecco/tmp/egypt-trust1.der
Chain is good!
Root Certificate Subject:: "CN=VeriSign Class 3 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US"
Certificate 1 Subject: "CN=Egypt Trust Class 3 Managed PKI Enterprise Administrator CA,OU=Terms of use at https://www.egypttrust.com/repository/rpa (c)08,OU=VeriSign Trust Network,O=Egypt Trust,C=EG"

(I will add one of the certs for illustration purposes.)
Attached file egypt-trust1.der
Whiteboard: [ETA: 2014-02-17]
Attachment #8371966 - Flags: feedback?(kaie)
Comment on attachment 8371966 [details] [diff] [review]
patch-bug-966060

(In reply to Camilo Viecco (:cviecco) from comment #4)
> cat /tmp/certdata.txt /tmp/trust-text.txt > lib/ckfw/builtins/certdata.tx

You've missed a trailing "t". Is that the cause for your problem in your test environment?

I've tested your patch locally, and it disables trust for all three certificates given in the initial comment.
Attachment #8371966 - Flags: review+
Attachment #8371966 - Flags: feedback?(kaie)
Attachment #8371966 - Flags: feedback+
Status: UNCONFIRMED → NEW
Ever confirmed: true
Camilo, could it be the case that you have another version of NSS in your $PATH or $LD_LIBRARY_PATH that is causing you to use the old version of the database when you are testing your patch?
(In reply to Brian Smith (:briansmith, was :bsmith; NEEDINFO? for response) from comment #7)
> Camilo, could it be the case that you have another version of NSS in your
> $PATH or $LD_LIBRARY_PATH that is causing you to use the old version of the
> database when you are testing your patch?

GRRR. Bad $LD_LIBRARY_PATH.
Attachment #8371966 - Flags: feedback?(brian)
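The workflow this bug walks through (split the pasted PEM bundle, convert to DER, emit distrust records with addbuiltin -D, append them to lib/ckfw/builtins/certdata.txt, rebuild, and confirm with vfychain that each intermediate is now rejected), as an added example script. It is not code from the bug or from the NSS tree. It assumes a checked-out and built NSS tree with addbuiltin and vfychain under OBJDIR/bin and the rebuilt libraries under OBJDIR/lib, plus GNU coreutils (base64 -d); the helper names, the work directory, the "Egypt Trust" nickname wording and the check_nss_libpath diagnostic are the example's own choices. Because the distrust records end up compiled into libnssckbi.so, the verification step forces LD_LIBRARY_PATH to the rebuilt libraries, which is the pitfall Brian and Camilo traced above.

```shell
#!/bin/sh
# Added example (not from this bug or NSS): distrust workflow for the three
# intermediates. Assumes GNU coreutils base64 and NSS tools under $OBJDIR/bin,
# rebuilt NSS libraries under $OBJDIR/lib.

# Split a bundle of concatenated PEM certificates (as pasted in the bug) into
# one file per certificate in $outdir; print how many were written.
split_pem_bundle() {
  bundle=$1; outdir=$2; prefix=${3:-cert}
  mkdir -p "$outdir"
  awk -v dir="$outdir" -v pfx="$prefix" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/" pfx n ".pem"; inside = 1 }
    inside { print > out }
    /-----END CERTIFICATE-----/ { close(out); inside = 0 }
    END { print n + 0 }
  ' "$bundle"
}

# addbuiltin reads DER from stdin, so strip the PEM armour and base64-decode.
pem_to_der() {
  sed -e '/^-----/d' "$1" | base64 -d > "$2"
}

# The distrust records are compiled into libnssckbi.so. If the library path
# (2nd argument; defaults to $LD_LIBRARY_PATH) does not put $OBJDIR/lib first,
# vfychain silently loads an old libnssckbi.so and reports "Chain is good!",
# which is the failure mode in this bug. Returns 0 when the path is right.
check_nss_libpath() {
  objdir=$1; libpath=${2-${LD_LIBRARY_PATH-}}
  [ "${libpath%%:*}" = "$objdir/lib" ]
}

# Emit one distrust record per DER cert and append them to certdata.txt,
# keeping a copy of the original. -D and -n are used exactly as in the bug;
# the destination is the path the build actually reads.
add_distrust_records() {
  objdir=$1; certdata=$2; shift 2
  cp "$certdata" "$certdata.orig"
  i=1; total=$#
  for der in "$@"; do
    "$objdir/bin/addbuiltin" -D \
      -n "Distrust: O=Egypt Trust, OU=VeriSign Trust Network (cert $i/$total)" \
      < "$der" >> "$certdata" || return 1
    i=$((i + 1))
  done
}

# After `make clean && make nss_build_all`, every distrusted intermediate must
# fail to verify (non-zero exit). Same vfychain flags as in the bug;
# LD_LIBRARY_PATH is pinned so a stale system NSS cannot mask the result.
verify_distrusted() {
  objdir=$1; shift
  rc=0
  for der in "$@"; do
    if LD_LIBRARY_PATH="$objdir/lib" "$objdir/bin/vfychain" -u 3 -pp -v "$der" \
        > /dev/null 2>&1; then
      echo "FAIL: $der still verifies (stale library or record not applied?)"; rc=1
    else
      echo "ok:   $der rejected"
    fi
  done
  return $rc
}

# Usage: distrust.sh add BUNDLE.pem OBJDIR [WORKDIR]   (then rebuild NSS)
#        distrust.sh verify OBJDIR [WORKDIR]
main() {
  cmd=$1; shift
  case $cmd in
    add)
      bundle=$1; objdir=$2; work=${3:-/tmp/distrust-work}
      n=$(split_pem_bundle "$bundle" "$work" egypt-trust)
      set --; i=1
      while [ "$i" -le "$n" ]; do
        pem_to_der "$work/egypt-trust$i.pem" "$work/egypt-trust$i.der"
        set -- "$@" "$work/egypt-trust$i.der"; i=$((i + 1))
      done
      add_distrust_records "$objdir" lib/ckfw/builtins/certdata.txt "$@"
      echo "appended $n records; now run: make clean && make nss_build_all" ;;
    verify)
      objdir=$1; work=${2:-/tmp/distrust-work}
      [ -e "$work/egypt-trust1.der" ] || { echo "no DER files in $work" >&2; return 1; }
      check_nss_libpath "$objdir" || echo "note: LD_LIBRARY_PATH does not start with $objdir/lib"
      verify_distrusted "$objdir" "$work"/egypt-trust*.der ;;
    *) echo "usage: $0 add BUNDLE OBJDIR [WORKDIR] | verify OBJDIR [WORKDIR]" >&2; return 2 ;;
  esac
}

if [ $# -ge 1 ]; then main "$@"; fi
```

Run `add` from the NSS source root so that lib/ckfw/builtins/certdata.txt resolves, rebuild, then run `verify`; a "Chain is good!" after the rebuild points at the loader picking up a different libnssckbi.so, which check_nss_libpath reports before vfychain is even invoked.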
Target Milestone: --- → 3.16
Summary: Revoked intermediate certificates → Distrust three VeriSign intermediate certificates
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Whiteboard: [ETA: 2014-02-17]