
Issue metadata

Status: Untriaged
Owner: ----
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 3
Type: Bug

shows ERR_CERT_INVALID on Mac but not Windows

Project Member Reported by, Sep 9

Issue description

Chrome Version: 63.3210

What steps will reproduce the problem?
(1) Visit

EXPECT: Error interstitial with override option.
ACTUAL: Error interstitial without override option.

Net-internals log shows ERR_CERT_INVALID on Mac, but not Windows; on Windows, click-through is permitted.

The certificate has Serial number "5153"; cablint shows a few warnings, but none are obviously fatal.

Perhaps fallout from Mac certificate validation changes in
Not related to use_byte_certs.

SecTrustGetResult is showing a CSSMERR_TP_INVALID_CERTIFICATE error on the target cert statuscode from SecTrustGetResult and on the overall SecTrustGetCssmResultCode. I'm not sure what it doesn't like about it.

Labels: -Pri-2 Pri-3
Matt: Do you have any bandwidth to chase this down? Safari provides this as untrusted with click-through, but I'm not clear if they're masking off TP_INVALID_CERTIFICATE. Keychain can also display/parse the chain, at least on 10.12.6

While tempted to close this as WontFix, parsing it as invalid is undesirable.

Poked a bit more. If I remove the policyConstraints (with requireExplicitPolicy) on the intermediate, the CSSMERR_TP_INVALID_CERTIFICATE goes away and we just get ERR_CERT_AUTHORITY_INVALID as expected.

Attached two hacked-up cert chains.
1: has caIssuers removed from AIA, and re-signed with new keys.
2: same as 1, plus with policyConstraints removed from the intermediate cert.

chain 1 still gets the CSSMERR_TP_INVALID_CERTIFICATE error.
chain 2 does not.


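The last comment isolates policyConstraints with requireExplicitPolicy on the intermediate as the trigger for CSSMERR_TP_INVALID_CERTIFICATE. As an added example (not part of the issue thread and not Chromium code), the following standard-library Python walks a DER-encoded certificate and decodes that extension so each cert in a chain can be checked for it. `SAMPLE` is a constructed extensions fragment, not bytes from the attached chains, and the function names are this example's own.

```python
"""Added example: find and decode policyConstraints (OID 2.5.29.36) in DER."""
OID_POLICY_CONSTRAINTS = bytes.fromhex("551d24")
FIELDS = {0x80: "requireExplicitPolicy", 0x81: "inhibitPolicyMapping"}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER TLV at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of input")
    return tag, pos, pos + length

def children(buf, start, end):
    """Yield every TLV found between start and end."""
    while start < end:
        tag, vs, ve = read_tlv(buf, start)
        yield tag, vs, ve
        start = ve

def decode_policy_constraints(value):
    """Decode the extnValue contents: SEQUENCE of [0]/[1] IMPLICIT INTEGER."""
    tag, vs, ve = read_tlv(value, 0)
    if tag != 0x30:
        raise ValueError("PolicyConstraints must be a SEQUENCE")
    return {FIELDS[t]: int.from_bytes(value[s:e], "big")
            for t, s, e in children(value, vs, ve) if t in FIELDS}

def find_policy_constraints(der):
    """Walk constructed TLVs; return the decoded extension, or None if absent."""
    stack = [(0, len(der))]
    while stack:
        kids = list(children(der, *stack.pop()))
        if (kids and kids[0][0] == 0x06
                and der[kids[0][1]:kids[0][2]] == OID_POLICY_CONSTRAINTS):
            # Extension ::= SEQUENCE { OID, critical BOOLEAN?, extnValue OCTET STRING }
            out = decode_policy_constraints(der[kids[-1][1]:kids[-1][2]])
            out["critical"] = any(t == 0x01 and der[s:e] == b"\xff" for t, s, e in kids)
            return out
        stack.extend((s, e) for t, s, e in kids if t & 0x20)  # constructed only
    return None

# Constructed sample: [3] Extensions { basicConstraints, policyConstraints(req=0) }
SAMPLE = bytes.fromhex("a3243022300f0603551d130101ff040530030101ff"
                       "300f0603551d240101ff04053003800100")
```

To run it against a real certificate, pass the DER bytes of each cert in the chain (for PEM input, `ssl.PEM_cert_to_DER_cert` converts it first).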