On Thu, Apr 7, 2011 at 5:26 AM, Joachim Lingner
<joachim.ling...@oracle.com>  wrote:
Hi,

I am testing NSS 3.9.12 with CKBI 1.82 on Windows. To verify that the bogus
certificates are recognized as such I run vfychain. The certificates are
exported from the Windows certificate store.

Having vfychain use CERT_VerifyCertificate gives me this output


[../nss/wntmsci12.pro/bin]$ ./vfychain.exe -d db -p  www-google.cer
Chain is bad!
PROBLEM WITH THE CERT CHAIN:
CERT 0. Builtin Object Token:Bogus Google :
  ERROR -8171: Peer's certificate has been marked as not trusted by the user.
[../nss/wntmsci12.pro/bin]$

Same with all other bogus certificates.
Now using the CERT_PKIXVerifyCert function:

[../nss/wntmsci12.pro/bin]$ ./vfychain.exe -d db -pp  -g leaf www-google.cer
Chain is good!
[../nss/wntmsci12.pro/bin]$

Letting NSS use CRL distribution points proves that the invocation of vfychain
is correct:

[../nss/wntmsci12.pro/bin]$ ./vfychain.exe -d db -pp  -g leaf -m crl www-google.cer
Chain is bad!
PROBLEM WITH THE CERT CHAIN:
CERT 1. Builtin Object Token:UTN USERFirst Hardware Root CA [Certificate
Authority]:
  ERROR -8180: Peer's Certificate has been revoked.
[../nss/wntmsci12.pro/bin]$

Wireshark confirms that the CRL is being fetched via HTTP GET.

In both cases the nssckbi.dll is loaded from the db folder, as specified by
the -d switch. I confirmed this by using Process Monitor.

Have I overlooked something? Can someone confirm this?

Hi Joachim,

I confirm this bug.  I also discovered this bug last Friday:
https://bugzilla.mozilla.org/show_bug.cgi?id=647364

Bob Relyea is working on this bug.

I wrote a patch as a proof of concept for fixing the
CERT_PKIXVerifyCert bug.  Bob will write the real fix.

Wan-Teh

Thanks for pointing this bug out to me.

Joachim

--
Joachim Lingner | Software Developer
Oracle Office GBU

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

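As an added example (not code from the thread or from NSS): a small POSIX shell harness that turns the three vfychain runs above into a repeatable check. It runs the classic verifier (-p) and the PKIX verifier (-pp -g leaf) on one certificate, reduces each output to a verdict, and names the case the thread describes (classic says "bad" because the built-in root module marks the cert as untrusted, PKIX says "good"). It assumes vfychain from NSS is on PATH (override with the VFYCHAIN variable), that the DB directory supplied as the first argument contains nssckbi, and that the second argument is the exported certificate file; the sample output embedded at the bottom is constructed, modelled on the output quoted in the thread, so the parsing helpers can be exercised without an NSS installation.

```shell
#!/bin/sh
# Added regression check, not part of the thread or of NSS: compare the
# classic (-p) and PKIX (-pp) vfychain verdicts for one certificate and flag
# the inconsistency reported above. Assumptions: vfychain is on PATH (or set
# VFYCHAIN), the DB directory contains nssckbi, the cert is a DER/PEM file.

VFYCHAIN="${VFYCHAIN:-vfychain}"

# Reduce vfychain's output to a one-word verdict.
verdict_from_output() {
    case "$1" in
        *"Chain is good!"*) echo GOOD ;;
        *"Chain is bad!"*)  echo BAD ;;
        *)                  echo UNKNOWN ;;
    esac
}

# Pull the first NSS error number (e.g. -8171) out of vfychain's output;
# prints nothing when the chain was accepted.
error_code_from_output() {
    printf '%s\n' "$1" | sed -n 's/.*ERROR \(-[0-9][0-9]*\):.*/\1/p' | head -n 1
}

# Classify the pair of verdicts. For a certificate that nssckbi marks as
# untrusted, DISTRUST_HONORED is the only healthy outcome.
classify_pair() {
    classic="$1"; pkix="$2"
    if [ "$classic" = BAD ] && [ "$pkix" = BAD ]; then
        echo DISTRUST_HONORED
    elif [ "$classic" = BAD ] && [ "$pkix" = GOOD ]; then
        echo PKIX_IGNORES_DISTRUST      # the behaviour reported in the thread
    elif [ "$classic" = GOOD ] && [ "$pkix" = GOOD ]; then
        echo NOT_DISTRUSTED             # cert is not on the distrust list at all
    else
        echo INCONCLUSIVE
    fi
}

# Run both verifiers on one certificate and print a one-line report.
# Usage: check_cert <db-dir> <cert-file>
check_cert() {
    db="$1"; cert="$2"
    # vfychain exits non-zero for a bad chain, so keep going with || true.
    classic_out=$("$VFYCHAIN" -d "$db" -p "$cert" 2>&1 || true)
    pkix_out=$("$VFYCHAIN" -d "$db" -pp -g leaf "$cert" 2>&1 || true)
    classic=$(verdict_from_output "$classic_out")
    pkix=$(verdict_from_output "$pkix_out")
    printf '%s classic=%s(%s) pkix=%s(%s) -> %s\n' \
        "$cert" "$classic" "$(error_code_from_output "$classic_out")" \
        "$pkix" "$(error_code_from_output "$pkix_out")" \
        "$(classify_pair "$classic" "$pkix")"
}

# Constructed sample output, modelled on the thread, so the helpers can be
# exercised offline without vfychain.
SAMPLE_CLASSIC="Chain is bad!
PROBLEM WITH THE CERT CHAIN:
CERT 0. Builtin Object Token:Bogus Google :
  ERROR -8171: Peer's certificate has been marked as not trusted by the user."
SAMPLE_PKIX="Chain is good!"

# Run the live check only when a DB directory and a certificate are supplied.
if [ "$#" -ge 2 ]; then
    check_cert "$1" "$2"
fi
```

Run it as `sh check_distrust.sh db www-google.cer` from the directory that holds the `db` folder; a line ending in `PKIX_IGNORES_DISTRUST` reproduces the report above, while `DISTRUST_HONORED` is what a fixed CERT_PKIXVerifyCert should produce for the same input.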