Issue 162311 in chromium: Unknown error -2146869244 mapped to net::ERR_FAILED while running CertVerifyProcWeakDigestTest on Windows 7

[chro...@googlecode.com]

Status: Started
Owner: w...@chromium.org
CC: rsl...@chromium.org, a...@chromium.org
Labels: Type-Bug Pri-2 Area-Internals Internals-Network-SSL OS-Windows

New issue 162311 by w...@chromium.org: Unknown error -2146869244 mapped to
net::ERR_FAILED while running CertVerifyProcWeakDigestTest on Windows 7
http://code.google.com/p/chromium/issues/detail?id=162311

I got the following warning messages while running net_unittests.exe on
Windows 7. -2146869244 (0x80096004) is TRUST_E_CERT_SIGNATURE:
The signature of the certificate cannot be verified. I think this new
error code comes from a recent Windows update. I remember it can come
from either a small RSA key size or a MD5 signature. We have separate
error codes for them, so it's not clear how to map TRUST_E_CERT_SIGNATURE
to our error code.

[----------] 3 tests from VerifyIntermediate/CertVerifyProcWeakDigestTest
[ RUN ] VerifyIntermediate/CertVerifyProcWeakDigestTest.Verify/0
[ OK ] VerifyIntermediate/CertVerifyProcWeakDigestTest.Verify/0 (9 ms)
[ RUN ] VerifyIntermediate/CertVerifyProcWeakDigestTest.Verify/1
[1524:4872:1121/131922:27018827:WARNING:cert_verify_proc_win.cc(113)]
Unknown er
ror -2146869244 mapped to net::ERR_FAILED
[1524:4872:1121/131922:27018827:WARNING:cert_verify_proc_win.cc(113)]
Unknown er
ror -2146869244 mapped to net::ERR_FAILED
[ OK ] VerifyIntermediate/CertVerifyProcWeakDigestTest.Verify/1 (10
ms)
[ RUN ] VerifyIntermediate/CertVerifyProcWeakDigestTest.Verify/2
[1524:4872:1121/131922:27018842:WARNING:cert_verify_proc_win.cc(113)]
Unknown er
ror -2146869244 mapped to net::ERR_FAILED
[1524:4872:1121/131922:27018842:WARNING:cert_verify_proc_win.cc(113)]
Unknown er
ror -2146869244 mapped to net::ERR_FAILED
[ OK ] VerifyIntermediate/CertVerifyProcWeakDigestTest.Verify/2 (15
ms)
[----------] 3 tests from VerifyIntermediate/CertVerifyProcWeakDigestTest
(36 ms
total)

[----------] 3 tests from VerifyEndEntity/CertVerifyProcWeakDigestTest
[ RUN ] VerifyEndEntity/CertVerifyProcWeakDigestTest.Verify/0
[ OK ] VerifyEndEntity/CertVerifyProcWeakDigestTest.Verify/0 (9 ms)
[ RUN ] VerifyEndEntity/CertVerifyProcWeakDigestTest.Verify/1
[1524:4872:1121/131922:27018873:WARNING:cert_verify_proc_win.cc(113)]
Unknown er
ror -2146869244 mapped to net::ERR_FAILED
[1524:4872:1121/131922:27018873:WARNING:cert_verify_proc_win.cc(113)]
Unknown er
ror -2146869244 mapped to net::ERR_FAILED
[ OK ] VerifyEndEntity/CertVerifyProcWeakDigestTest.Verify/1 (10 ms)
[ RUN ] VerifyEndEntity/CertVerifyProcWeakDigestTest.Verify/2
[1524:4872:1121/131922:27018889:WARNING:cert_verify_proc_win.cc(113)]
Unknown er
ror -2146869244 mapped to net::ERR_FAILED
[1524:4872:1121/131922:27018889:WARNING:cert_verify_proc_win.cc(113)]
Unknown er
ror -2146869244 mapped to net::ERR_FAILED
[ OK ] VerifyEndEntity/CertVerifyProcWeakDigestTest.Verify/2 (19 ms)
[----------] 3 tests from VerifyEndEntity/CertVerifyProcWeakDigestTest (41
ms to
tal)

[----------] 3 tests from
VerifyIncompleteIntermediate/CertVerifyProcWeakDigestT
est
[ RUN ]
VerifyIncompleteIntermediate/CertVerifyProcWeakDigestTest.Verify/0
[ OK ]
VerifyIncompleteIntermediate/CertVerifyProcWeakDigestTest.Verify/0
(2 ms)
[ RUN ]
VerifyIncompleteIntermediate/CertVerifyProcWeakDigestTest.Verify/1
[ OK ]
VerifyIncompleteIntermediate/CertVerifyProcWeakDigestTest.Verify/1
(2 ms)
[ RUN ]
VerifyIncompleteIntermediate/CertVerifyProcWeakDigestTest.Verify/2
[ OK ]
VerifyIncompleteIntermediate/CertVerifyProcWeakDigestTest.Verify/2
(2 ms)
[----------] 3 tests from
VerifyIncompleteIntermediate/CertVerifyProcWeakDigestT
est (10 ms total)

[----------] 3 tests from
VerifyIncompleteEndEntity/CertVerifyProcWeakDigestTest

[ RUN ] VerifyIncompleteEndEntity/CertVerifyProcWeakDigestTest.Verify/0
[ OK ]
VerifyIncompleteEndEntity/CertVerifyProcWeakDigestTest.Verify/0 (2
ms)
[ RUN ] VerifyIncompleteEndEntity/CertVerifyProcWeakDigestTest.Verify/1
[1524:4872:1121/131922:27018905:WARNING:cert_verify_proc_win.cc(113)]
Unknown er
ror -2146869244 mapped to net::ERR_FAILED
[1524:4872:1121/131922:27018905:WARNING:cert_verify_proc_win.cc(113)]
Unknown er
ror -2146869244 mapped to net::ERR_FAILED
[ OK ]
VerifyIncompleteEndEntity/CertVerifyProcWeakDigestTest.Verify/1 (3
ms)
[ RUN ] VerifyIncompleteEndEntity/CertVerifyProcWeakDigestTest.Verify/2
[1524:4872:1121/131922:27018905:WARNING:cert_verify_proc_win.cc(113)]
Unknown er
ror -2146869244 mapped to net::ERR_FAILED
[1524:4872:1121/131922:27018905:WARNING:cert_verify_proc_win.cc(113)]
Unknown er
ror -2146869244 mapped to net::ERR_FAILED
[ OK ]
VerifyIncompleteEndEntity/CertVerifyProcWeakDigestTest.Verify/2 (3
ms)
[----------] 3 tests from
VerifyIncompleteEndEntity/CertVerifyProcWeakDigestTest
(11 ms total)

[----------] 3 tests from VerifyMixed/CertVerifyProcWeakDigestTest
[ RUN ] VerifyMixed/CertVerifyProcWeakDigestTest.Verify/0
[1524:4872:1121/131922:27018920:WARNING:cert_verify_proc_win.cc(113)]
Unknown er
ror -2146869244 mapped to net::ERR_FAILED
[1524:4872:1121/131922:27018920:WARNING:cert_verify_proc_win.cc(113)]
Unknown er
ror -2146869244 mapped to net::ERR_FAILED
[ OK ] VerifyMixed/CertVerifyProcWeakDigestTest.Verify/0 (11 ms)
[ RUN ] VerifyMixed/CertVerifyProcWeakDigestTest.Verify/1
[1524:4872:1121/131922:27018936:WARNING:cert_verify_proc_win.cc(113)]
Unknown er
ror -2146869244 mapped to net::ERR_FAILED
[1524:4872:1121/131922:27018936:WARNING:cert_verify_proc_win.cc(113)]
Unknown er
ror -2146869244 mapped to net::ERR_FAILED
[ OK ] VerifyMixed/CertVerifyProcWeakDigestTest.Verify/1 (11 ms)
[ RUN ] VerifyMixed/CertVerifyProcWeakDigestTest.Verify/2
[1524:4872:1121/131922:27018951:WARNING:cert_verify_proc_win.cc(113)]
Unknown er
ror -2146869244 mapped to net::ERR_FAILED
[1524:4872:1121/131922:27018951:WARNING:cert_verify_proc_win.cc(113)]
Unknown er
ror -2146869244 mapped to net::ERR_FAILED
[ OK ] VerifyMixed/CertVerifyProcWeakDigestTest.Verify/2 (11 ms)
[----------] 3 tests from VerifyMixed/CertVerifyProcWeakDigestTest (35 ms
total)

[chro...@googlecode.com]

Updates:
Cc: na...@chromium.org

Comment #1 on issue 162311 by rsl...@chromium.org: Unknown error

-2146869244 mapped to net::ERR_FAILED while running
CertVerifyProcWeakDigestTest on Windows 7
http://code.google.com/p/chromium/issues/detail?id=162311

+cc nasko, in case he knows anybody

Sounds like Microsoft's KB article needs to be updated (
http://support.microsoft.com/kb/2661254 ). It reported that only
CertGetCertificateChain would be affected, but I suppose it's natural for
CertVerifyCertificateChainPolicy to also have been changed.

We know if it's not a strong signature based on
CERT_TRUST_HAS_WEAK_SIGNATURE + CERT_TRUST_IS_NOT_SIGNATURE_VALID, which we
then map accordingly in MapCertChainErrorStatusToCertStatus. It sounds like
the issue comes up because those per-cert status messages then bubble up
into the overall policy evaluation (the TRUST_E_ and CERT_E codes), which
we map on line 723.

I don't want to map the error to WEAK_KEY, since that may allow a user
bypass, for the reasons documented on
http://src.chromium.org/viewvc/chrome/trunk/src/net/base/cert_verify_proc_win.cc?view=annotate#l682 .
I'll take a closer look over the holidays to see what new and
as-yet-undocumented flags may be affecting us here.

[chro...@googlecode.com]

Comment #2 on issue 162311 by w...@chromium.org: Unknown error -2146869244

mapped to net::ERR_FAILED while running CertVerifyProcWeakDigestTest on
Windows 7
http://code.google.com/p/chromium/issues/detail?id=162311

Yes, CertVerifyCertificateChainPolicy reports TRUST_E_CERT_SIGNATURE in
policy_status.dwError.

I found that CertGetCertificateChain sets the
CERT_TRUST_IS_NOT_SIGNATURE_VALID
and CERT_TRUST_HAS_WEAK_SIGNATURE bits in
chain_context->TrustStatus.dwErrorStatus,
which is already handled by the following code:

if (error_status & CERT_TRUST_IS_NOT_SIGNATURE_VALID) {
// Check for a signature that does not meet the OS criteria for strong
// signatures.
// Note: These checks may be more restrictive than the current weak key
// criteria implemented within CertVerifier, such as excluding SHA-1 or
// excluding RSA keys < 2048 bits. However, if the user has configured
// these more stringent checks, respect that configuration and err on
the
// more restrictive criteria.
if (error_status & CERT_TRUST_HAS_WEAK_SIGNATURE) {
cert_status |= CERT_STATUS_WEAK_KEY;
} else {
cert_status |= CERT_STATUS_INVALID;
}
}

This code has a similar issue that our
net::CERT_STATUS_WEAK_SIGNATURE_ALGORITHM
could be the appropriate mapping for CERT_TRUST_HAS_WEAK_SIGNATURE.

[chro...@googlecode.com]

Comment #3 on issue 162311 by rsl...@chromium.org: Unknown error

-2146869244 mapped to net::ERR_FAILED while running
CertVerifyProcWeakDigestTest on Windows 7
http://code.google.com/p/chromium/issues/detail?id=162311

Yes. The difference is that if the policy validation failed, we don't know
that the name validation was successful. I'll have to spend time with
crypt32 again to figure out the order of operations, but my suspicion is
that a non-strong signature will result in an early failure, whereas on
other platforms, it results in a late failure. We want to make sure that we
don't mask more serious errors off by virtue of the early failure, and we
treat the early failure as fatal. That's why I suggested INVALID as the
mapping (err::FAILED also counts as a fatal error, hence why this is not a
security bug at present)

[chro...@googlecode.com]

Updates:
Status: Assigned
Owner: rsl...@chromium.org

Comment #4 on issue 162311 by w...@chromium.org: Unknown error -2146869244

mapped to net::ERR_FAILED while running CertVerifyProcWeakDigestTest on
Windows 7
http://code.google.com/p/chromium/issues/detail?id=162311

rsleevi: I'll let you sort this out since this is a continuation
of your CL r142008 (https://chromiumcodereview.appspot.com/10537153).

Attached is a patch I wrote to map TRUST_E_CERT_SIGNATURE to
net::ERR_CERT_WEAK_SIGNATURE_ALGORITHM

Attachments:
cert_verify_proc_win.txt 750 bytes

[chro...@googlecode.com]

Comment #5 on issue 162311 by w...@chromium.org: Unknown error -2146869244

mapped to net::ERR_FAILED while running CertVerifyProcWeakDigestTest on
Windows 7
http://code.google.com/p/chromium/issues/detail?id=162311

In comment 0 I said:

I think this new error code [TRUST_E_CERT_SIGNATURE] comes from a

recent Windows update. I remember it can come from either a small
RSA key size or a MD5 signature.

I was mistaken about a MD5 signature. Only a MD2 or MD4 certificate
signature generates this error. A MD5 signature doesn't. (I verified
this today.)