On 2010-03-15 05:25 PST, Rafa M wrote:
> Hi all,
> 
> I'm testing some SSL sites in order to check SSL cert chains up to new 
> root certificate from FNMT-RCM (Spanish Mint).
> 
> I've tried to connect several Official sites 
> (https://www.agenciatributaria.gob.es https://sedemeh.gob.es/) and I got 
> this response: Error code: sec_error_bad_database.

OK, here's the story.

The OCSP response says that its signer cert bears a subject name that is:

> SEQUENCE {
>   SET {
>     SEQUENCE {
>       OBJECT IDENTIFIER commonName (2 5 4 3) (2 5 4 3)
>       PrintableString
>      'DESCRIPCION SERVIDOR OCSP APE - ENTIDAD FNMT-RCM'
>      ' - CIF Q2826004J'
>        }
>      }
>   SET {
>     SEQUENCE {
>       OBJECT IDENTIFIER
>          organizationalUnitName (2 5 4 11) (2 5 4 11)
>       PrintableString 'AC APE'
>        }
>      }
>   SET {
>     SEQUENCE {
>       OBJECT IDENTIFIER
>          organizationName (2 5 4 10) (2 5 4 10)
>       PrintableString 'FNMT-RCM'
>        }
>      }
>   SET {
>     SEQUENCE {
>       OBJECT IDENTIFIER countryName (2 5 4 6) (2 5 4 6)
>       PrintableString 'ES'
>        }
>      }
>    }
>  }

But the certificate's subject name is actually this:

> SEQUENCE {
>   SET {
>     SEQUENCE {
>       OBJECT IDENTIFIER
>          commonName (2 5 4 3) (2 5 4 3)
>       UTF8String
>  'DESCRIPCION SERVIDOR OCSP APE - ENTIDAD FNMT-RCM'
>  ' - CIF Q2826004J'
>        }
>      }
>   SET {
>     SEQUENCE {
>       OBJECT IDENTIFIER
>          organizationalUnitName (2 5 4 11) (2 5 4 11)
>       UTF8String 'AC APE'
>        }
>      }
>   SET {
>     SEQUENCE {
>       OBJECT IDENTIFIER
>          organizationName (2 5 4 10) (2 5 4 10)
>       UTF8String 'FNMT-RCM'
>        }
>      }
>   SET {
>     SEQUENCE {
>       OBJECT IDENTIFIER
>          countryName (2 5 4 6) (2 5 4 6)
>       PrintableString 'ES'
>        }
>      }
>    }

And they don't match, so NSS cannot find the certificate by that name.
Sadly, NSS's lame error code for that is "bad database".  :(

NSS could return a better error code, but fundamentally, the error is in
the OCSP response.  The response gives the wrong name for the signer
certificate.
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
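Added example (mine, not from the thread or from NSS): a minimal DER encoder that rebuilds the two Names dumped above and shows that a byte-for-byte comparison of the OCSP signer name against the certificate subject fails only because three string tags differ (PrintableString vs UTF8String), while a comparison that ignores the string type, as RFC 5280 section 7.1 requires, matches them. The encoder, the comparison functions and the CN joined into one string are assumptions for illustration.

```python
# Minimal DER encoder to rebuild the two Names: the OCSP signer name uses
# PrintableString (0x13), the cert subject UTF8String (0x0C) for CN, OU and O.
OID_CN, OID_OU, OID_O, OID_C = "2.5.4.3", "2.5.4.11", "2.5.4.10", "2.5.4.6"
PRINTABLE, UTF8 = 0x13, 0x0C

def _tlv(tag: int, body: bytes) -> bytes:
    n = len(body)  # DER definite-length: short form under 128, else long form
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def _oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed, base-128 for the rest."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(chunk)
    return _tlv(0x06, bytes(body))

def encode_name(rdns):
    """rdns: list of (oid, string_tag, value) -> DER of an X.501 Name."""
    out = b""
    for oid, tag, value in rdns:
        atv = _tlv(0x30, _oid(oid) + _tlv(tag, value.encode("utf-8")))
        out += _tlv(0x31, atv)  # each RDN: SET holding one AttributeTypeAndValue
    return _tlv(0x30, out)      # Name: SEQUENCE OF RDN

# The dump wraps the CN over two lines; assumed here to be one 64-char string.
CN = "DESCRIPCION SERVIDOR OCSP APE - ENTIDAD FNMT-RCM - CIF Q2826004J"
OCSP_SIGNER_NAME = [(OID_CN, PRINTABLE, CN), (OID_OU, PRINTABLE, "AC APE"),
                    (OID_O, PRINTABLE, "FNMT-RCM"), (OID_C, PRINTABLE, "ES")]
CERT_SUBJECT = [(OID_CN, UTF8, CN), (OID_OU, UTF8, "AC APE"),
                (OID_O, UTF8, "FNMT-RCM"), (OID_C, PRINTABLE, "ES")]

def der_equal(a, b) -> bool:
    # Byte-for-byte match: what a lookup keyed on the DER-encoded name does.
    return encode_name(a) == encode_name(b)

def rfc5280_equal(a, b) -> bool:
    """Type-agnostic match: drop the string tag, casefold, collapse whitespace."""
    norm = lambda s: " ".join(s.split()).casefold()
    return [(o, norm(v)) for o, _, v in a] == [(o, norm(v)) for o, _, v in b]
```

Diffing the two encodings byte by byte shows exactly three differing bytes, all of them string tags, which is why a strict name lookup misses the certificate.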