Closed
Bug 142868
Opened 22 years ago
Closed 22 years ago
CA certificates are imported with NULL nicknames
Categories
(NSS :: Libraries, defect)
Tracking
(Not tracked)
VERIFIED
FIXED
3.5
People
(Reporter: julien.pierre, Assigned: julien.pierre)
References
Details
(Whiteboard: [adt2 RTM])
Attachments
(1 file, 2 obsolete files)
1.84 KB,
patch
|
rrelyea
:
review+
|
Details | Diff | Splinter Review |
As discussed in bug 136920, CERT_SaveImportCerts in 3.4 no longer generates a nickname for CA certificates when saving them into the database. As a result they are getting saved with NULL nicknames. This creates many application propblems. This is a regression from NSS 3.3 .
Assignee | ||
Comment 1•22 years ago
|
||
The quick fix for this would be to restore the old behavior and put the nickname generation code back into CERT_ImportCerts. However, it can be argued that logically, we should really do this at a higher-level, independent of the token that the CA certificate is getting stored into. Unfortunately, the API to do that doesn't appear to be exposed, which is the subject of bug 142866. Ian has mentioned there is a function to import a certificate into an NSSToken, but that sounds like a Stan API rather than 3.x. It is not clear that the two fixes are mutually exclusive because CERT_ImportCerts bypass the PKCS#11 softoken layer, and accesses the database directly. So it is unlikely that the code to generate the nickname would be called more than once, if we add the other token-independent import API. My suggestion is just to roll back the old code into 3.4 . Bob, is there any reason not to do that ?
No longer blocks: 136920
Assignee | ||
Comment 2•22 years ago
|
||
This is a bit of a hack. I have to create a temporary certificate, then call the old function CERT_MakeCANickname on it, then I destroy the temporary certificate. It solves the problem, however.
Assignee | ||
Comment 3•22 years ago
|
||
FYI : the reason I did this at the PKCS#12 level rather than inside CERT_ImportCert is because I plan to switch to PK11_ImportCert. See bug 142889 .
Assignee | ||
Comment 4•22 years ago
|
||
This patch restores the old NSS 3.3 behavior in the cert code. It only solves the problem for importing CA certs to the cert db . This works as long as the PKCS#11 layer keeps calling CERT_ImportCert .
Assignee | ||
Comment 5•22 years ago
|
||
Comment on attachment 82720 [details] [diff] [review] patch that solves nickname generation for CA certificate import forget about this one, too hackish.
Attachment #82720 -
Attachment is obsolete: true
Assignee | ||
Comment 6•22 years ago
|
||
I have attached patch 8272 - http://bugzilla.mozilla.org/attachment.cgi?id=82726&action=view . This is just restoring the old code from 3.3 that creates the nickname during CERT_SaveImportedCert. It also solves the problem, and unlike the previous patch, does not interfere with any other patch I'm working on for the PKCS#12 code.
Comment 7•22 years ago
|
||
In NSS 3.4 NONE of the code bypasses the token. CERT_ImportCert eventually calls the STAN import cert code. I think the correct thing to do is to set the nickname on all the CA's. I think PSM needs to be tolerant of NULL nicknamed CA's and certs, but NSS should to it best not to generate such things. Right now I'm most worried about PSM saved certs, so catching the CERT_Save functions seem to be the best way to deal with this. Pulling the original code from 3.3 seems fine as long as we're careful not to pull direct to database calls (which the patch does not.
Assignee | ||
Comment 8•22 years ago
|
||
Hmm. Never mind, this patch does not actually work. I had two patches in my tree and the other was causing it to work. The nickname in CERT_SaveImportedCerts is unused. So the 3.3 code rollback approach has to be ruled out, unless we can restore the nickname setting step somehow.
Assignee | ||
Comment 9•22 years ago
|
||
Comment on attachment 82726 [details] [diff] [review] patch to generate nickname for CA certs in CERT_SaveImportedCerts does not work - nickname at this level is unused
Attachment #82726 -
Attachment is obsolete: true
Attachment #82726 -
Flags: needs-work+
Assignee | ||
Updated•22 years ago
|
Attachment #82720 -
Flags: needs-work+
Assignee | ||
Comment 10•22 years ago
|
||
This one really works and does the nickname computation at the proper level, in CERT_ImportCerts. It tries to emulate exactly the same behavior as before, by computing and setting the nickname only for CA certs, and if no other nickname is passed in. I have tested it successfully with no other patches needed.
Assignee | ||
Comment 11•22 years ago
|
||
Bob, could you please review this patch ?
Comment 12•22 years ago
|
||
Comment on attachment 82744 [details] [diff] [review] third time is the charm Looks good. The only thing I would change is freeNickname is redundant. you can use canickname != NULL in the free case and remove the freeNickname altogether. This is a style issue, not a functional issue. r=relyea
Attachment #82744 -
Flags: review+
Assignee | ||
Comment 13•22 years ago
|
||
Checked in to the tip (NSS 3.5). Checking in certdb.c; /cvsroot/mozilla/security/nss/lib/certdb/certdb.c,v <-- certdb.c new revision: 1.32; previous revision: 1.31 done
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Comment 15•22 years ago
|
||
adt1.0.1+ (on ADT's behalf) for checkin to the 1.0 branch. Pls check this in asap. thanks!
Whiteboard: [adt2 RTM]
Updated•22 years ago
|
You need to log in
before you can comment on or make changes to this bug.
Description
•