CertVerifyProcNSS fails to find correct chain if supplied intermediate is revoked by CRLSet and valid intermediate could be fetched by AIA
Issue description

The leaf cert:
001251EA4741173DC679DCCBC043F6918DCAECA184C448A6FF3BF4E62A6100E6 webapp.biotec.tu-dresden.de

Has two possible chains:

valid-chain:
001251EA4741173DC679DCCBC043F6918DCAECA184C448A6FF3BF4E62A6100E6 webapp.biotec.tu-dresden.de
C47350F8484A2B15FB2CB9BAE605038BCC4D0E289C983F9ABD47B66C22E317EE TU Dresden CA - G02
4DBD93C9C8601CB644A8A8830CCDABB368E781EAE48CFD1FF53ECC45F5363981 DFN-Verein PCA Global - G01
B6191A50D0C3977F7DA99BCDAAC86A227DAEB9679EC70BA3B0C9D92271C170D3 Deutsche Telekom Root CA 2

revoked-chain:
001251EA4741173DC679DCCBC043F6918DCAECA184C448A6FF3BF4E62A6100E6 webapp.biotec.tu-dresden.de
C47350F8484A2B15FB2CB9BAE605038BCC4D0E289C983F9ABD47B66C22E317EE TU Dresden CA - G02
A8C643939CFB4C8E4E1353562D325BA0DB9EA381271AC60D4C411DBF7F8F3EF0 DFN-Verein PCA Global - G01
B6191A50D0C3977F7DA99BCDAAC86A227DAEB9679EC70BA3B0C9D92271C170D3 Deutsche Telekom Root CA 2

1. If CertVerifyProcNSS is called with just the leaf, it will build the correct chain with AIA and return OK.
2.a. If CertVerifyProcNSS is called with the revoked-chain, it will fail with ERR_CERT_REVOKED.
2.b. If, in the same process, it is then called with just the leaf, it will still fail with ERR_CERT_REVOKED.
2.c. If, in the same process, it is then called with valid-chain, it will return OK.
2.d. If, in the same process, it is then called with just the leaf, it will return OK.
3. If CertVerifyProcNSS is called with both intermediates in the input cert chain, it will return OK (even if the revoked intermediate is listed first).

(CertVerifyProcWin, CertVerifyProcMac, and CertVerifyProcBuiltin all do the correct thing.)
Jun 9 2018
Oh, I was just looking through cert_verify_proc_nss and see that AIA isn't used on the initial verification attempt, it's only attempted if the initial verification fails with SEC_ERROR_UNKNOWN_ISSUER or SEC_ERROR_BAD_SIGNATURE. (See RetryPKIXVerifyCertWithWorkarounds.) I guess that may explain it.
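The following is an added toy model of the behaviour described in the issue description and in the comment above; it is not Chromium or NSS code. Certificates are plain records keyed by the SHA-256 fingerprints the report lists, CRLSet revocation is a set of fingerprints, and the AIA fetch is a constructed lookup table (which cert issued which is assumed from the two chains the report gives). The model keeps a process-wide intermediate cache and only retries with AIA on an unknown issuer, which reproduces the reported call sequence 1, 2.a-2.d and 3; flipping one flag makes it also retry on a CRLSet revocation, which is the behaviour the report expects. Signature errors are left out of the model.

```python
"""Toy model of the chain-building behaviour described in this report.

Added illustration, not Chromium or NSS code. Certs are records keyed by the
SHA-256 fingerprints listed in the report; CRLSet revocation is a set of
fingerprints; an AIA fetch is a constructed lookup table. Which cert issued
which is assumed from the two chains the report gives.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    fingerprint: str  # SHA-256 of the DER cert, as listed in the report
    subject: str
    issuer: str


LEAF = Cert("001251EA4741173DC679DCCBC043F6918DCAECA184C448A6FF3BF4E62A6100E6",
            "webapp.biotec.tu-dresden.de", "TU Dresden CA - G02")
TUD = Cert("C47350F8484A2B15FB2CB9BAE605038BCC4D0E289C983F9ABD47B66C22E317EE",
           "TU Dresden CA - G02", "DFN-Verein PCA Global - G01")
DFN_VALID = Cert("4DBD93C9C8601CB644A8A8830CCDABB368E781EAE48CFD1FF53ECC45F5363981",
                 "DFN-Verein PCA Global - G01", "Deutsche Telekom Root CA 2")
DFN_REVOKED = Cert("A8C643939CFB4C8E4E1353562D325BA0DB9EA381271AC60D4C411DBF7F8F3EF0",
                   "DFN-Verein PCA Global - G01", "Deutsche Telekom Root CA 2")
ROOT = Cert("B6191A50D0C3977F7DA99BCDAAC86A227DAEB9679EC70BA3B0C9D92271C170D3",
            "Deutsche Telekom Root CA 2", "Deutsche Telekom Root CA 2")

TRUST_ANCHORS = {ROOT.fingerprint}
CRLSET_REVOKED = {DFN_REVOKED.fingerprint}
# Constructed stand-in for AIA fetching: issuer name -> certs the fetch returns.
AIA = {TUD.subject: [TUD], DFN_VALID.subject: [DFN_VALID]}


class Verifier:
    """One process: the intermediate cache persists across verify() calls."""

    def __init__(self, retry_aia_on_revoked):
        # False models the behaviour reported here (AIA only retried on an
        # unknown issuer); True also retries with AIA after a CRLSet hit.
        self.retry_aia_on_revoked = retry_aia_on_revoked
        self.cache = {ROOT.subject: [ROOT]}  # subject name -> known certs

    def _remember(self, certs):
        for c in certs:
            bucket = self.cache.setdefault(c.subject, [])
            if c not in bucket:
                bucket.append(c)

    def _build(self, leaf, use_aia):
        """Depth-first path building; returns ("OK", chain) or (error, None)."""
        error = "UNKNOWN_ISSUER"

        def walk(chain):
            nonlocal error
            top = chain[-1]
            if top.fingerprint in TRUST_ANCHORS:
                return chain
            candidates = list(self.cache.get(top.issuer, []))
            if use_aia:
                fetched = AIA.get(top.issuer, [])
                self._remember(fetched)  # fetched certs join the process cache
                candidates += [c for c in fetched if c not in candidates]
            for cand in candidates:
                if cand.fingerprint in CRLSET_REVOKED:
                    error = "REVOKED"  # this path is rejected; record why
                    continue
                if cand in chain:
                    continue  # loop guard
                found = walk(chain + [cand])
                if found:
                    return found
            return None

        chain = walk([leaf])
        return ("OK", chain) if chain else (error, None)

    def verify(self, leaf, supplied=()):
        """Returns (status, list of subject names in the chain, or None)."""
        self._remember(supplied)  # supplied intermediates enter the cache
        status, chain = self._build(leaf, use_aia=False)
        retry = status == "UNKNOWN_ISSUER" or (
            status == "REVOKED" and self.retry_aia_on_revoked)
        if status != "OK" and retry:
            status, chain = self._build(leaf, use_aia=True)
        return status, [c.subject for c in chain] if chain else None


def run_report_scenarios(retry_aia_on_revoked):
    """Replays the report's call sequence 1, 2.a-2.d, 3; returns each status."""
    one = Verifier(retry_aia_on_revoked).verify(LEAF)[0]          # 1: leaf only
    proc = Verifier(retry_aia_on_revoked)                          # one process
    two_a = proc.verify(LEAF, [TUD, DFN_REVOKED])[0]               # 2.a
    two_b = proc.verify(LEAF)[0]                                   # 2.b
    two_c = proc.verify(LEAF, [TUD, DFN_VALID])[0]                 # 2.c
    two_d = proc.verify(LEAF)[0]                                   # 2.d
    three = Verifier(retry_aia_on_revoked).verify(
        LEAF, [DFN_REVOKED, TUD, DFN_VALID])[0]                    # 3
    return [one, two_a, two_b, two_c, two_d, three]


if __name__ == "__main__":
    print("as reported:              ", run_report_scenarios(False))
    print("with AIA retry on REVOKED:", run_report_scenarios(True))
```

Running it prints the six statuses for both settings. With the retry disabled the sequence is OK, REVOKED, REVOKED, OK, OK, OK, matching the report; the second REVOKED comes purely from the cached revoked intermediate, which is why 2.b fails even though 1 succeeds in a fresh process. With the retry enabled every call returns OK, because the AIA fetch puts the valid intermediate into the cache alongside the revoked one and path building skips the revoked candidate.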
Comment 1 by mattm@chromium.org, May 2 2018