Bug 480706 (Closed)
cert_VerifyCertChainPkix returns empty log for self-signed certificate, sec_error_invalid_args result in UI
Opened 16 years ago; closed 15 years ago
Product/Component: NSS :: Libraries, defect, P1
Tracking: not tracked
Status: RESOLVED WORKSFORME
Target Milestone: 3.12.3
Reporter: mayhemer; Assigned: alvolkov.bgs
Whiteboard: PKIX MOZ
Description
This was revealed, after bug 479393 landed, by a chrome mochitest for bug 413909 which uses a self-signed certificate.
The problem is that the call to PKIX_BuildChain fails when called from cert_VerifyCertChainPkix during server certificate verification. This leads to error code PKIX_NULLARGUMENT and an empty log.
The fix for bug 444404 doesn't help.
So far I have discovered this:
- the certsFound list in pkix_Build_GatherCerts is empty after the 'while (state->certStoreIndex < state->buildConstants.numCertStores)' loop
- then in pkix_BuildForwardDepthFirstSearch state->status goes to BUILD_TRYAIA and then to BUILD_AIAPENDING
- the BUILD_AIAPENDING branch is not executed because 'state->buildConstants.aiaMgr' is null
- the loop ends and the result is pkixErrorCode = PKIX_SECERRORUNKNOWNISSUER
- in cert_VerifyCertChainPkix we then get an error with errCode = PKIX_NULLARGUMENT
- the log is empty and the nsNSSIOLayer code decides there is nothing wrong with the certificate
- we get: ###!!! ASSERTION: why did NSS call our bad cert handler if all looks good? Let's cancel the connection: 'Not Reached', file d:/mozilla/mozilla-central/security/manager/ssl/src/nsNSSIOLayer.cpp, line 2997
The server certificate for the test is outlined in bug 479393 comment 9.
Updated by reporter (16 years ago)
Priority: -- → P1
Comment 1 (16 years ago)
Honza, can you supply steps to reproduce that don't involve "mochitest"?
Comment 2 (16 years ago)
Honza, did the fix for bug 484466 (sec_error_invalid_args with NSS_ENABLE_PKIX_VERIFY=1) have any impact on this issue?
Updated (16 years ago)
Whiteboard: PKIX
Target Milestone: --- → 3.12.3
Updated by assignee (16 years ago)
Whiteboard: PKIX → PKIX MOZ
Comment 3 (reporter, 16 years ago)
(In reply to comment #1)
> Honza, can you supply steps to reproduce that don't involve "mochitest"?
It probably means finding a server with a self-signed certificate, or building the ssltunnel program and chaining it with an HTTP server.
(In reply to comment #2)
> Honza, did the fix for bug 484466 (sec_error_invalid_args with NSS_ENABLE_PKIX_VERIFY=1) have any impact on this issue?
The patch could not be applied to mozilla-central's NSS copy; it's probably for the NSS CVS trunk, and I cannot find a place to apply it manually. So, to check it I have to do it with the NSS trunk and find some other way than mochitest.
Guys, how are you testing NSS? Is there some test suite or infrastructure for it where a test for a bug like this could be added? I actually need a server and a program based on NSS to test this.
Comment 4 (reporter, 16 years ago)
According to bug 479393 comment 20, this bug looks to be no longer reproducible.
Comment 5 (assignee, 16 years ago)
(In reply to comment #4)
> According to bug 479393 comment 20, this bug looks to be no longer reproducible.
Thanks for checking!
(In reply to comment #3)
> Guys, how are you testing NSS? Is there some test suite or infrastructure for it
> where a test for a bug like this could be added? I actually need a server and a
> program based on NSS to test this.
We test NSS in a variety of ways, but the part that had the problem related to this bug is mostly tested by vfychain. The suite is called "chains". Please check the examples in nss/tests/chains/scenarios/bridge.cfg. This is a scenario file for tests run by the chains.sh script.
If you need to run an SSL+validation test, you may use a combination of the selfserv and tstclnt programs. Examples of tests can be found in the nss/tests/ssl/ssl.sh script.
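An added reproduction of the scenario the description and comment 5 describe, written as a shell script here; it is not code from the bug report, from the NSS test suite, or from the NSS project. It assumes the NSS command-line tools certutil, vfychain, selfserv and tstclnt are on PATH; the database path, certificate nickname, subject and port are made-up values, and the ERROR-line pattern it greps for follows vfychain's logged-error output as assumed here (the sample lines used to check it below are constructed, not captured). The classify_pkix_result helper encodes the fail-closed reading the bug calls for: a verification that fails with an empty error log is still a failure, not "nothing wrong with the certificate".

```shell
#!/bin/sh
# Added example (not from the bug or the NSS project): reproduce "self-signed,
# untrusted server cert verified through libpkix" with the NSS tools named in
# comment 5. All paths, names and the port are made-up values.

DB=${DB:-/tmp/nss-selfsigned}
NICK=selfsigned
PORT=${PORT:-8443}

# Fresh NSS database holding one self-signed certificate (-x) with empty trust
# flags (-t ",,"): there is no trust anchor, so no chain can be built to it.
make_selfsigned_db() {
    rm -rf "$DB" && mkdir -p "$DB"
    dd if=/dev/urandom of="$DB/noise" bs=64 count=1 2>/dev/null
    certutil -N -d "sql:$DB" --empty-password
    certutil -S -d "sql:$DB" -n "$NICK" -s "CN=localhost" -x -t ",," -v 12 -z "$DB/noise"
    certutil -L -d "sql:$DB" -n "$NICK" -r > "$DB/$NICK.der"
}

# Interpret a verification result the way the caller in this bug should have:
# a nonzero status is a failure even when no error was logged. nsNSSIOLayer
# looked only at the (empty) log and concluded the certificate was fine.
#   $1 = exit status of the verifier, $2 = its captured output
# Prints good | bad:<errcode> | bad:empty-log; returns 0 only for "good".
classify_pkix_result() {
    status=$1
    out=$2
    if [ "$status" -eq 0 ]; then
        echo good
        return 0
    fi
    # Assumed vfychain log format: "ERROR <negative code>: <text>".
    code=$(printf '%s\n' "$out" | sed -n 's/.*ERROR \(-[0-9][0-9]*\).*/\1/p' | head -n 1)
    if [ -n "$code" ]; then
        echo "bad:$code"
    else
        echo "bad:empty-log"
    fi
    return 1
}

# Offline verification through libpkix (-pp) for the SSL server usage (-u 1).
verify_with_pkix() {
    out=$(vfychain -d "sql:$DB" -pp -u 1 "$DB/$NICK.der" 2>&1)
    classify_pkix_result "$?" "$out"
}

# Same check over TLS: selfserv presents the cert, tstclnt validates it with
# libpkix enabled. Without -o (override bad cert) tstclnt must fail the handshake.
tls_handshake_with_pkix() {
    selfserv -d "sql:$DB" -n "$NICK" -p "$PORT" &
    srv=$!
    sleep 1
    NSS_ENABLE_PKIX_VERIFY=1 tstclnt -h localhost -p "$PORT" -d "sql:$DB" </dev/null
    rc=$?
    kill "$srv" 2>/dev/null
    return "$rc"
}

# Run the reproduction only when asked, so the functions can also be sourced.
if [ "${RUN_REPRO:-0}" = 1 ]; then
    make_selfsigned_db
    verify_with_pkix   # a healthy build reports bad:<code>; "good" or "bad:empty-log" is the bug
    if tls_handshake_with_pkix; then
        echo "tstclnt accepted an untrusted self-signed certificate" >&2
        exit 1
    fi
fi
```

Run it with `RUN_REPRO=1 sh repro.sh`. The offline vfychain path is the one the "chains" suite exercises; the selfserv/tstclnt path is the SSL+validation combination comment 5 mentions, with NSS_ENABLE_PKIX_VERIFY=1 (from comment 2) forcing the libpkix verifier in the client.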
Comment 6 (assignee, 15 years ago)
No longer a reproducible bug. Closing...
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → WORKSFORME
Updated (14 years ago)
Blocks: pkix-default