Issue 763631
Issue metadata

Status: Untriaged
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 3
Type: Bug
www.iad.gov shows ERR_CERT_INVALID on Mac but not Windows

Project Member Reported by elawrence@chromium.org, Sep 9 2017

Issue description

Chrome Version: 63.3210

What steps will reproduce the problem?
(1) Visit https://www.iad.gov

EXPECT: Error interstitial with override option.
ACTUAL: Error interstitial without override option.

Net-internals log shows ERR_CERT_INVALID on Mac, but not Windows; on Windows, click-through is permitted.

The certificate has Serial number "5153"; https://crt.sh/?id=16210158&opt=x509lint,cablint … shows a few warnings, but none are obviously fatal.

Perhaps fallout from Mac certificate validation changes in https://chromium.googlesource.com/chromium/src/+/4cede8d39db10321b053c0d9776cf6b23f290310?
 

Comment 1 by mattm@chromium.org, Sep 12 2017

Not related to use_byte_certs.

SecTrustGetResult is showing a CSSMERR_TP_INVALID_CERTIFICATE error on the target cert status code from SecTrustGetResult and on the overall SecTrustGetCssmResultCode. I'm not sure what it doesn't like about it.

Cc: mattm@chromium.org
Labels: -Pri-2 Pri-3
Matt: Do you have any bandwidth to chase this down? Safari provides this as untrusted with click-through, but I'm not clear if they're masking off TP_INVALID_CERTIFICATE. Keychain can also display/parse the chain, at least on 10.12.6

While tempted to close this as WontFix, parsing it as invalid is undesirable.

Comment 3 by mattm@chromium.org, Dec 15 2017

Poked a bit more. If I remove the policyConstraints (with requireExplicitPolicy) on the intermediate, the CSSMERR_TP_INVALID_CERTIFICATE goes away and we just get ERR_CERT_AUTHORITY_INVALID as expected.

Attached two hacked-up cert chains.
1: has caIssuers removed from AIA, and re-signed with new keys.
2: same as 1, plus with policyConstraints removed from the intermediate cert.

chain 1 still gets the CSSMERR_TP_INVALID_CERTIFICATE error.
chain 2 does not.

01-no-AIAcaIssuers-chain.pem
30.3 KB Download
02-no-requireExplicitPolicy-chain.pem
30.0 KB Download
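The experiment in Comment 3 compares two variants of the same chain: one that still carries policyConstraints (requireExplicitPolicy) on the intermediate and one with it stripped. The script below is an added example and is not code from the reporter, from Chromium or from the attached PEM files. It uses the `cryptography` library to build a constructed three-certificate test chain (root, intermediate, leaf, with throwaway EC keys; nothing here is the real www.iad.gov chain) in both variants, and a small inspector that reports, per certificate, the requireExplicitPolicy value and any AIA caIssuers URLs, which are exactly the two things Matt changed between chain 1 and chain 2. Names such as "Test Root" and the function names are assumptions for the example.

```python
"""Constructed example: build a chain with and without policyConstraints on the
intermediate, then inspect a PEM bundle for the extensions changed in Comment 3."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import AuthorityInformationAccessOID, NameOID

BEGIN = b"-----BEGIN CERTIFICATE-----"
END = b"-----END CERTIFICATE-----"


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _build_chain(require_explicit_policy):
    """Constructed test chain (leaf, intermediate, root as one PEM bundle).

    When require_explicit_policy is an int, the intermediate gets a critical
    policyConstraints extension, analogous to chain 1 on this issue. With
    None it is left out, analogous to chain 2. Keys are throwaway EC keys.
    """
    not_before = datetime.datetime(2017, 12, 1)
    not_after = not_before + datetime.timedelta(days=365)
    root_key = ec.generate_private_key(ec.SECP256R1())
    int_key = ec.generate_private_key(ec.SECP256R1())
    leaf_key = ec.generate_private_key(ec.SECP256R1())

    root = (x509.CertificateBuilder()
            .subject_name(_name("Test Root")).issuer_name(_name("Test Root"))
            .public_key(root_key.public_key()).serial_number(1)
            .not_valid_before(not_before).not_valid_after(not_after)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(root_key, hashes.SHA256()))

    builder = (x509.CertificateBuilder()
               .subject_name(_name("Test Intermediate")).issuer_name(root.subject)
               .public_key(int_key.public_key()).serial_number(2)
               .not_valid_before(not_before).not_valid_after(not_after)
               .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True))
    if require_explicit_policy is not None:
        # This is the extension whose removal made CSSMERR_TP_INVALID_CERTIFICATE go away.
        builder = builder.add_extension(
            x509.PolicyConstraints(require_explicit_policy=require_explicit_policy,
                                   inhibit_policy_mapping=None),
            critical=True)
    intermediate = builder.sign(root_key, hashes.SHA256())

    leaf = (x509.CertificateBuilder()
            .subject_name(_name("www.example.test")).issuer_name(intermediate.subject)
            .public_key(leaf_key.public_key()).serial_number(3)
            .not_valid_before(not_before).not_valid_after(not_after)
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .sign(int_key, hashes.SHA256()))

    return b"".join(c.public_bytes(serialization.Encoding.PEM)
                    for c in (leaf, intermediate, root))


def _split_pem(bundle):
    """Yield each CERTIFICATE block of a PEM bundle (works on older cryptography too)."""
    for chunk in bundle.split(END):
        if BEGIN in chunk:
            yield chunk[chunk.index(BEGIN):] + END + b"\n"


def inspect_chain(pem_bundle):
    """One dict per certificate, in bundle order: subject, requireExplicitPolicy
    (None when policyConstraints is absent) and the AIA caIssuers URLs."""
    report = []
    for block in _split_pem(pem_bundle):
        cert = x509.load_pem_x509_certificate(block)
        entry = {"subject": cert.subject.rfc4514_string(),
                 "require_explicit_policy": None,
                 "aia_ca_issuers": []}
        try:
            pc = cert.extensions.get_extension_for_class(x509.PolicyConstraints).value
            entry["require_explicit_policy"] = pc.require_explicit_policy
        except x509.ExtensionNotFound:
            pass
        try:
            aia = cert.extensions.get_extension_for_class(x509.AuthorityInformationAccess).value
            entry["aia_ca_issuers"] = [d.access_location.value for d in aia
                                       if d.access_method == AuthorityInformationAccessOID.CA_ISSUERS]
        except x509.ExtensionNotFound:
            pass
        report.append(entry)
    return report


def chain_with_policy_constraints():
    """Analogue of chain 1: intermediate sets requireExplicitPolicy=0."""
    return inspect_chain(_build_chain(require_explicit_policy=0))


def chain_without_policy_constraints():
    """Analogue of chain 2: no policyConstraints anywhere in the chain."""
    return inspect_chain(_build_chain(require_explicit_policy=None))


if __name__ == "__main__":
    for label, report in (("chain 1", chain_with_policy_constraints()),
                          ("chain 2", chain_without_policy_constraints())):
        print(label)
        for entry in report:
            print("  ", entry)
```

To run the inspector on the real attachments instead of the constructed chain, pass the bytes of 01-no-AIAcaIssuers-chain.pem or 02-no-requireExplicitPolicy-chain.pem to `inspect_chain`; the middle entry's `require_explicit_policy` field is the difference Comment 3 describes, and `aia_ca_issuers` confirms that caIssuers was stripped from the AIA in both.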