Closed
Bug 98193
Opened 23 years ago
Closed 11 years ago
can't trust a CA when CRL next update is in the past.
Categories
(Core :: Security: PSM, enhancement, P5)
Core
Security: PSM
Tracking
()
RESOLVED
INVALID
People
(Reporter: cfu, Unassigned)
References
Details
(Whiteboard: [psm-crl])
I installed Netscape CMS 4.2 sp2 on Solaris 2.6. I used Netscape6 Build
2001083003 to import the CA self-sign cert. The import was successful, however,
"Manage Certificates" shows "Could not verify this certificate because the
issuer is not trusted" (yes, all three trust boxes are checked). Switched to a
different profile, and the CA was imported and trusted successfully.
Import of the same CA cert into a Communicator 4.7 is successful and recognized
as trusted.
don't think it's related, but ibutton has been installed on this system and
logged in by both user profiles.
The following are info for this CA:
Certificate 0x01
Certificate contents
Certificate:
Data:
Version: v3
Serial Number: 0x1
Signature Algorithm: SHA1withRSA - 1.2.840.113549.1.1.5
Issuer: CN=Certificate Manager 422,O=mcom.com,ST=California,C=US
Validity:
Not Before: Tuesday, August 28, 2001 11:00:00 PM GMT-08:00
Not After: Thursday, August 28, 2003 11:00:00 PM GMT-08:00
Subject: CN=Certificate Manager 422,O=mcom.com,ST=California,C=US
Subject Public Key Info:
Algorithm: RSA - 1.2.840.113549.1.1.1
Public Key:
Exponent: 65537
Public Key Modulus: (512 bits) :
BD:B9:D6:B0:FC:B0:A0:59:3C:29:8B:FE:53:E0:D6:80:
60:A9:B5:28:84:46:C9:1F:9A:1F:B0:86:7F:9A:16:96:
E8:AF:7B:36:67:DF:25:B8:78:A1:C5:30:8B:C5:E6:CE:
25:67:E0:CB:7D:FE:41:44:B9:7C:64:4B:BC:1A:A4:11
Extensions:
Identifier: Netscape Certificate Type - 2.16.840.1.113730.1.1
Critical: no
Certificate Usage:
SSL CA
Secure Email CA
ObjectSigning CA
Identifier: Basic Constraints - 2.5.29.19
Critical: yes
Is CA: yes
Path Length Constraint: UNLIMITED
Identifier: Subject Key Identifier - 2.5.29.14
Critical: no
Key Identifier:
D2:23:10:9E:42:41:F0:14:0D:5B:C2:B3:48:41:73:F1:
B5:5D:DE:EE
Identifier: Authority Key Identifier - 2.5.29.35
Critical: no
Key Identifier:
D2:23:10:9E:42:41:F0:14:0D:5B:C2:B3:48:41:73:F1:
B5:5D:DE:EE
Identifier: Key Usage: - 2.5.29.15
Critical: yes
Key Usage:
Digital Signature
Key CertSign
Crl Sign
Signature:
Algorithm: SHA1withRSA - 1.2.840.113549.1.1.5
Signature:
1F:D6:22:09:7B:5A:A3:BA:B1:D9:54:93:AE:A9:63:77:
CE:44:A8:BC:18:30:35:1A:97:18:E2:CA:4B:4D:BD:CF:
ED:3E:0B:46:5F:54:B9:B6:29:6A:CB:A6:00:ED:98:6F:
02:73:3D:DF:FE:FA:0D:4C:58:21:D4:9C:60:93:F8:88
Certificate fingerprints
MD2: 7D:3C:44:98:1D:29:B6:CB:86:AA:AC:5A:17:EB:83:58
MD5: D6:F1:95:D0:B2:32:0A:C0:82:B0:AC:12:42:2F:B4:FF
SHA1: 4E:72:09:58:04:6F:10:8F:71:09:DA:5D:D0:1C:EC:E8:D7:5F:89:FB
Installing this certificate in a server
The following format can be used to install this certificate into a server.
Base 64 encoded certificate
-----BEGIN CERTIFICATE-----
MIICFTCCAb+gAwIBAgIBATANBgkqhkiG9w0BAQUFADBXMQswCQYDVQQGEwJVUzETMBEGA1UECBMK
Q2FsaWZvcm5pYTERMA8GA1UEChMIbWNvbS5jb20xIDAeBgNVBAMTF0NlcnRpZmljYXRlIE1hbmFn
ZXIgNDIyMB4XDTAxMDgyOTA3MDAwMFoXDTAzMDgyOTA3MDAwMFowVzELMAkGA1UEBhMCVVMxEzAR
BgNVBAgTCkNhbGlmb3JuaWExETAPBgNVBAoTCG1jb20uY29tMSAwHgYDVQQDExdDZXJ0aWZpY2F0
ZSBNYW5hZ2VyIDQyMjBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQC9udaw/LCgWTwpi/5T4NaAYKm1
KIRGyR+aH7CGf5oWluivezZn3yW4eKHFMIvF5s4lZ+DLff5BRLl8ZEu8GqQRAgMBAAGjdjB0MBEG
CWCGSAGG+EIBAQQEAwIABzAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTSIxCeQkHwFA1bwrNI
QXPxtV3e7jAfBgNVHSMEGDAWgBTSIxCeQkHwFA1bwrNIQXPxtV3e7jAOBgNVHQ8BAf8EBAMCAYYw
DQYJKoZIhvcNAQEFBQADQQAf1iIJe1qjurHZVJOuqWN3zkSovBgwNRqXGOLKS029z+0+C0ZfVLm2
KWrLpgDtmG8Ccz3f/voNTFgh1Jxgk/iI
-----END CERTIFICATE-----
Base 64 encoded certificate with CA certificate chain in pkcs7 format
-----BEGIN CERTIFICATE-----
MIICSAYJKoZIhvcNAQcCoIICOTCCAjUCAQExADAPBgkqhkiG9w0BBwGgAgQAoIIC
GTCCAhUwggG/oAMCAQICAQEwDQYJKoZIhvcNAQEFBQAwVzELMAkGA1UEBhMCVVMx
EzARBgNVBAgTCkNhbGlmb3JuaWExETAPBgNVBAoTCG1jb20uY29tMSAwHgYDVQQD
ExdDZXJ0aWZpY2F0ZSBNYW5hZ2VyIDQyMjAeFw0wMTA4MjkwNzAwMDBaFw0wMzA4
MjkwNzAwMDBaMFcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMREw
DwYDVQQKEwhtY29tLmNvbTEgMB4GA1UEAxMXQ2VydGlmaWNhdGUgTWFuYWdlciA0
MjIwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAvbnWsPywoFk8KYv+U+DWgGCptSiE
Rskfmh+whn+aFpbor3s2Z98luHihxTCLxebOJWfgy33+QUS5fGRLvBqkEQIDAQAB
o3YwdDARBglghkgBhvhCAQEEBAMCAAcwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4E
FgQU0iMQnkJB8BQNW8KzSEFz8bVd3u4wHwYDVR0jBBgwFoAU0iMQnkJB8BQNW8Kz
SEFz8bVd3u4wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBBQUAA0EAH9YiCXta
o7qx2VSTrqljd85EqLwYMDUalxjiyktNvc/tPgtGX1S5tilqy6YA7ZhvAnM93/76
DUxYIdScYJP4iDEA
-----END CERTIFICATE-----
|
Reporter | |
Comment 1•23 years ago
|
||
forgot to mention that the uer profile that failed to trust the CA is a brand new profile, while the one that succeeded was my own.
|
||
Comment 2•23 years ago
|
||
p1 t->2.1 ->rangan
Assignee: ssaux → rangansen
Priority: -- → P1
Target Milestone: --- → 2.1
|
|
||
Comment 3•23 years ago
|
||
Christina, please post the url to import the ca root as a test case.
|
|
||
Updated•23 years ago
|
Keywords: nsenterprise
|
|
Reporter | |
Comment 4•23 years ago
|
||
go to http://cfu, "Retrieval", then click on "Import CA Certificate Chain" and select the default "Import the CA certificate chain into your browser" and submit.
|
|
Reporter | |
Comment 5•23 years ago
|
||
I'd like to add that I have tried the following: I did pkcs12 backup of a client cert signed by the CA from my "good" profile. I then "restore" it from the "bad" profile. It succeeded and the CA was loaded and recognized (on the new profile).
|
|
Reporter | |
Comment 7•23 years ago
|
||
I spoke too soon. After "restore," it had "a moment of trust". After I quit out and started N6 again, the trust of CA disappeared.
|
|
||
Comment 8•23 years ago
|
||
works for me. I was able to load the CA cert from both Christina CA and my CA.
Status: UNCONFIRMED → RESOLVED
Closed: 23 years ago
Resolution: --- → WORKSFORME
|
||
Comment 9•23 years ago
|
||
verified 20010917 build
|
|
Reporter | |
Comment 11•23 years ago
|
||
I know how to reproduce this now. This has something to do with CRL's nextUpdateTime. If a profile has a CRL with nextUpdateTime older than the current time, then the cert can not be verified. To reproduce: 1. get a new profile 2. go to http://cfu [Retrieval][Import CRL][Import the latest CRL to your browser][Submit], note your current time (T1) 3. go to http://cfu [Retrieval][Import CA Cert Chain], import into your browser (make sure you trust it) 4. go to http://cfu [Enrollment][Directory], enter uid "test1" password "test1", now you have a cert in your certdb. 5. go to "Manage Certificates" on you preference menu and you should see test1 "verified" is true. 6. wait until after time pass T1+(20 minutes), go to "Manage Certificates" on you preference menu and you should see test1 "verified" is false. and if you look under "Authorities", you'll see that your ca can not be verified for "unknown reason". It's not clear to me in rfc2459 how "nextUpdateTime" is to be handled by apps. Can someone enlighten me regarding this issue. From a usability point of view, this CRL function, as provided by PSM, seems to be hindering at best. I'll let the PSM team decide whether to reopen this bug, if it is a bug.
Group: netscapeconfidential?
|
|
||
Comment 12•23 years ago
|
||
Reopening. Another checkmark to add when we provide a full CRL handling design. This is related to the dialog we pop up when connecting to an SSL site controlled by a CRL with a nextUpdate in the past. Will add bug number when I find it.
Status: VERIFIED → UNCONFIRMED
Resolution: WORKSFORME → ---
Summary: can't trust a CA → can't trust a CA when CRL next update is in the past.
Target Milestone: 2.1 → Future
|
||
Updated•23 years ago
|
QA Contact: bsharma → junruh
|
||
Updated•23 years ago
|
Status: UNCONFIRMED → NEW
Ever confirmed: true
|
||
Comment 15•23 years ago
|
||
Also, rather than just succeed when the date the past next update, we should be able to define some kind of configurable window - like succeeds when the current time is past, but not more than x days after next update. If it is x days after next update, the validation should fail - implying that this crl is too old
|
|
||
Comment 16•22 years ago
|
||
The "depends on" bug is fixed. Can this bug be marked fixed?
|
|
||
Comment 17•22 years ago
|
||
The 'depends on' bug has fixed the original issue that validation used to fail when next update was in the past - now, possibly, it doesn't care about next update anymore. But, an additional requirement for this bug was to have a configurable time window for the next update field, only within which the CRL will be accepted [Pl ref my last comment]. However, IMO, this would be more of a RFE right now.
|
|
||
Comment 18•22 years ago
|
||
Enhancement, based on Rangan's last comment.
Severity: normal → enhancement
Keywords: qawanted
OS: Windows 2000 → All
Priority: P1 → P5
Hardware: PC → All
Target Milestone: 2.4 → Future
|
||
Comment 19•20 years ago
|
||
reassign former PSM engineers' bugs to nobody
Assignee: rangansen → nobody
Status: ASSIGNED → NEW
QA Contact: junruh → nobody
Target Milestone: Future → ---
|
||
Updated•17 years ago
|
QA Contact: nobody → ui
|
||
Comment 20•16 years ago
|
||
bug 94013 comment 5 and bug 94013 comment 6 seem to indicate to me that this bug should live in NSS.
Assignee: nobody → nobody
Blocks: 94013
Component: Security: UI → Libraries
Product: Core → NSS
QA Contact: ui → libraries
Version: 1.0 Branch → unspecified
|
|
||
Comment 21•16 years ago
|
||
Timeless, This is a PSM issue. Please let the PSM + NSS folks decide if bugs need to be moved from one to the other. Please don't make unwelcome work for us.
Assignee: nobody → kaie
Component: Libraries → Security: PSM
Product: NSS → Core
QA Contact: libraries → psm
|
||
Updated•14 years ago
|
Assignee: kaie → nobody
Whiteboard: [psm-crl]
|
||
Comment 22•11 years ago
|
||
The "Revocation Lists" feature was removed in bug 867465.
Status: NEW → RESOLVED
Closed: 23 years ago → 11 years ago
Depends on: 867465
Resolution: --- → INVALID
You need to log in
before you can comment on or make changes to this bug.
Description
•