On Thu, Apr 7, 2011 at 5:26 AM, Joachim Lingner <joachim.ling...@oracle.com> wrote:
> Hi,
>
> I am testing NSS 3.9.12 with CKBI 1.82 on Windows. To verify that the bogus
> certificates are recognized as such I run vfychain. The certificates are
> exported from the Windows certificate store.
>
> Having vfychain use CERT_VerifyCertificate gives me this output:
>
> [../nss/wntmsci12.pro/bin]$ ./vfychain.exe -d db -p www-google.cer
> Chain is bad!
> PROBLEM WITH THE CERT CHAIN:
> CERT 0. Builtin Object Token:Bogus Google :
> ERROR -8171: Peer's certificate has been marked as not trusted by the user.
> [../nss/wntmsci12.pro/bin]$
>
> Same with all other bogus certificates.
> Now using the CERT_PKIXVerifyCert function:
>
> [../nss/wntmsci12.pro/bin]$ ./vfychain.exe -d db -pp -g leaf www-google.cer
> Chain is good!
> [../nss/wntmsci12.pro/bin]$
>
> Letting NSS use CRL distribution points proves that the invocation of vfychain
> is correct:
>
> [../nss/wntmsci12.pro/bin]$ ./vfychain.exe -d db -pp -g leaf -m crl www-google.cer
> Chain is bad!
> PROBLEM WITH THE CERT CHAIN:
> CERT 1. Builtin Object Token:UTN USERFirst Hardware Root CA [Certificate Authority]:
> ERROR -8180: Peer's Certificate has been revoked.
> [../nss/wntmsci12.pro/bin]$
>
> Wireshark confirms that the CRL is being fetched via HTTP GET.
>
> In both cases the nssckbi.dll is loaded from the db folder, as specified by
> the -d switch. I confirmed this by using Process Monitor.
>
> Have I overlooked something? Can someone confirm this?
Hi Joachim,

I confirm this bug. I also discovered this bug last Friday:
https://bugzilla.mozilla.org/show_bug.cgi?id=647364

Bob Relyea is working on this bug. I wrote a patch as a proof of concept
for fixing the CERT_PKIXVerifyCert bug. Bob will write the real fix.

Wan-Teh
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
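The procedure Joachim describes (export the certificates, run vfychain through each verification path, compare the verdicts) as an added regression harness. This is example code written for this page, not code from the thread, from Wan-Teh's patch or from NSS. The vfychain flags are the ones used in the message above (-p for CERT_VerifyCertificate, -pp -g leaf for CERT_PKIXVerifyCert); the DB location, the directory of exported *.cer files, the script name and the function names are assumptions. It parses vfychain's printed verdict rather than its exit status so the numeric NSS error code is kept, and it fails exactly on the symptom reported here: a chain that libpkix accepts while the classic verifier rejects it.

```shell
#!/bin/sh
# Added example, not code from the thread or from NSS: run every exported
# certificate through both vfychain verification paths and flag any chain
# that libpkix accepts while the classic verifier rejects it.
# Assumptions: vfychain is on PATH, the cert DB directory and the directory of
# exported *.cer files are passed as arguments, and the flag sets below are
# the ones used in the message above (-p = CERT_VerifyCertificate,
# -pp -g leaf = CERT_PKIXVerifyCert with leaf revocation checking).

# parse_verdict: reduce vfychain's printed output (stdin) to one word plus the
# first NSS error code it printed, e.g. "good", "bad -8171" or "unknown".
# The output is parsed instead of the exit status so the error code survives.
parse_verdict() {
    awk '
        /^Chain is good!/ { verdict = "good" }
        /^Chain is bad!/  { verdict = "bad" }
        /ERROR -?[0-9]+/ && code == "" {
            # "ERROR -8171: ..." -> keep "-8171" (skip the 6-char "ERROR " prefix)
            match($0, /ERROR -?[0-9]+/)
            code = substr($0, RSTART + 6, RLENGTH - 6)
        }
        END {
            if (verdict == "") verdict = "unknown"
            if (code != "") print verdict " " code; else print verdict
        }
    '
}

# run_vfychain DB CERT MODE: verdict for one certificate through one path.
# MODE is "classic" (CERT_VerifyCertificate) or "pkix" (CERT_PKIXVerifyCert).
run_vfychain() {
    _db=$1; _cert=$2; _mode=$3
    case $_mode in
        classic) vfychain -d "$_db" -p "$_cert" 2>&1 | parse_verdict ;;
        pkix)    vfychain -d "$_db" -pp -g leaf "$_cert" 2>&1 | parse_verdict ;;
        *)       echo unknown ;;
    esac
}

# compare_paths DB DIR: one line per *.cer in DIR with both verdicts.
# Returns 1 if any certificate is rejected by the classic path but accepted by
# libpkix (the symptom reported in the thread), otherwise 0. The reverse
# disagreement is printed but not treated as a failure, since -pp may apply
# revocation checks the classic call was not asked to do.
compare_paths() {
    db=$1; dir=$2; rc=0
    for cert in "$dir"/*.cer; do
        [ -e "$cert" ] || continue        # no matches: the glob stays literal
        classic=$(run_vfychain "$db" "$cert" classic)
        pkix=$(run_vfychain "$db" "$cert" pkix)
        printf '%-32s classic=%-12s pkix=%s\n' "$(basename "$cert")" "$classic" "$pkix"
        case "$classic:$pkix" in
            bad*:good*)
                echo "  MISMATCH: libpkix accepted a chain the classic verifier rejected" >&2
                rc=1 ;;
        esac
    done
    return $rc
}

# Usage: sh vfychain-compare.sh <certdb-dir> <dir-with-exported-certs>
if [ $# -ge 2 ]; then
    compare_paths "$1" "$2"
fi
```

Run it against the same DB directory (the one containing nssckbi.dll) and the folder of certificates exported from the Windows store; with the bug present the bogus entries show "classic=bad -8171 pkix=good" and the script exits 1, and after the fix every explicitly distrusted builtin should yield "bad -8171" on both paths. Adding "-m crl" to the pkix case would reproduce the third run from the message, but that changes what is being compared, so it is left out of the default harness.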