Open Bug 647722 Opened 14 years ago Updated 2 years ago

certificateUsageSSLClient causes CERT_PKIXVerifyCert to build a certification loop

Categories

(NSS :: Libraries, defect)

Product:
NSS
Component:
Libraries
Version:
3.12.9
Type:
defect

Tracking

(Not tracked)

Status:
REOPENED

People

(Reporter: KaiE, Unassigned)

References

Details

Attachments

(1 file)

logfile
(deleted), text/plain
Details 
My experimental PSM code that uses CERT_PKIXVerifyCert fails.

In order to find a simple test case, I used https://wiki.mozilla.org
(With the cert from that site the pkix debug logs aren't getting as big as for most other sites)

I'l attach a log file.
(I enabled debugging #define in pkix_build.c


Failure is PKIX_LOOPDISCOVEREDDUPCERTSNOTALLOWED


$7 = {errCode = PKIX_BUILDINITIATEBUILDCHAINFAILED, errClass = PKIX_BUILD_ERROR, plErr = 0, cause = 0xa3b8c6a0, info = 0x0}
(gdb) print *error->cause
$8 = {errCode = PKIX_UNABLETOBUILDCHAIN, errClass = PKIX_BUILD_ERROR, plErr = 0, cause = 0xa3b8c7a0, info = 0x0}
(gdb) print *error->cause->cause
$9 = {errCode = PKIX_BUILDFORWARDDEPTHFIRSTSEARCHFAILED, errClass = PKIX_BUILD_ERROR, plErr = 0, cause = 0xa3b8c3a0, info = 0x0}
(gdb) print *error->cause->cause->cause
$10 = {errCode = PKIX_LOOPDISCOVEREDDUPCERTSNOTALLOWED, errClass = PKIX_BUILD_ERROR, plErr = 4294959124, cause = 0x0, info = 0x0}
Attached file logfile (deleted) — 

  

  



    
    

    
  
bug still exists with tip of NSS, as of today.

  

  



    
    

    
  
I would expect that PKIX_PL_Cert_IsCertTrusted(builtin-root) returns true.
However, for the root CA in this scenario, this function returns not-trusted.

The issue might be inside pkix_pl_Pk11CertStore_CheckTrust

The SSL client code passes cert-usage certUsageSSLClient,
and pkix concludes that it needs trust bits 128,
but it has 24, so it fails.

  

  



    
  
Blocks: psm-pkix

    
    

    
  
oh... SECCertUsage != SECCertificateUsage

  

  



    
    

    
  
I think this bug is invalid.
My mistake.
I used the wrong cert usage constants...

  

  


Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → INVALID

    
  
No longer blocks: psm-pkix

    
    

    
  
Kai: I also ran into this bug last week, so I think it
is worth getting to the bottom of this bug.

As an experiment, I passed certificateUsageSSLClient instead
of certificateUsageSSLServer, as an experiment.  I was
expecting to get the SEC_ERROR_INADEQUATE_KEY_USAGE error.
But I was surprised to get SEC_ERROR_UNTRUSTED_ISSUER, caused
by PKIX_LOOPDISCOVEREDDUPCERTSNOTALLOWED.

Note that certificateUsageSSLClient is a valid SECCertificateUsage
value.  But even with an invalid cert usage constant, isn't it
strange that it causes libpkix to build a certification loop?

  

  


Status: RESOLVED → REOPENED
Resolution: INVALID → ---

    
    

    
  
(In reply to comment #6)
> But even with an invalid cert usage constant, isn't it
> strange that it causes libpkix to build a certification loop?

agreed

  

  



    
    

    
  
Kai: did you pass certUsageSSLServer as the SECCertificateUsage
argument?  certUsageSSLServer has the same value as
certificateUsageSSLClient, so you actually ran into the exact
same problem as I did.

  

  


Summary: libPKIX unable to verify cert from wiki.mozilla.org ? → certificateUsageSSLClient causes CERT_PKIXVerifyCert to build a certification loop

    
    

    
  
(In reply to comment #8)
> Kai: did you pass certUsageSSLServer as the SECCertificateUsage
> argument?

Yes, that's exactly what I did.

  

  



    
  
Severity: normal → S3

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: