Closed
Bug 204788
Opened 22 years ago
Closed 21 years ago
DirectoryString type should be defined as UTF8String encoding
Categories
(NSS :: Libraries, defect, P2)
Tracking
(Not tracked)
RESOLVED
FIXED
3.9
People
(Reporter: bugz, Assigned: bugz)
Details
(Whiteboard: 3.3.5)
Attachments
(2 files, 1 obsolete file)
|
2.52 KB,
patch
|
nelson
:
review+
|
Details | Diff | Splinter Review |
|
1.02 KB,
patch
|
nelson
:
review+
|
Details | Diff | Splinter Review |
From bugtraq 4719957. Pasting in report:
1. Access to iWS60 admin server from Netscape Communicator.
2. Change the browser coding to Unicode (UTF-8)
3. Create a CSR from Admin server -> Security tab -> Request a Certificate
In the request, enter a utf-8 character for Requestor name, Common name,
Organization.
Example, here's a CSR file with utf-8:
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBwTCCASoCAQAwgYAxCzAJBgNVBAYTAkphMRUwEwYDVQQIHAwAADBLAAAwSwAA
MEsxFTATBgNVBAccDAAAMEoAADBKAAAwSjEVMBMGA1UEChwMAAAwRgAAMEYAADBG
MRUwEwYDVQQLHAwAADBIAAAwSAAAMEgxFTATBgNVBAMcDAAAMEQAADBEAAAwRDCB
nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAyt1yoszKL0gvvybKBkr1NWWbEukJ
o1CSUONykhC147rej/X5BD0D7y3qEFmGMxDM5sQAuF+BwA8Rqh/r74V4bXT4BDOV
XPjPRPic4YNY1d2MF4dRXLsxZe05aUmv7hHD5+JpWyRtDRCLygm2KFCmP9+S6dOm
BWo/OxPGzpkDMLcCAwEAAaAAMA0GCSqGSIb3DQEBBAUAA4GBACLHLJW7qQNxFlLL
R5f7lZP7TTrQe3HdvUolv2HmX4DoHi1HkB5jr+BAiGQuPcF/dc79wv50aPStrSYQ
nRenHnDgJJC1PZ678A6c6oNv5M7DbhEYUMS1HalrP0y383bNC4WQpA9qOzNqDWzw
b87pkp/kUDMTb2E5sQaSgB3laMYz
-----END NEW CERTIFICATE REQUEST-----
4. Dump CSR: use the openssl as following -
# openssl asn1parse -i -in <CSR file> -inform PEM
0:d=0 hl=4 l= 449 cons: SEQUENCE
4:d=1 hl=4 l= 298 cons: SEQUENCE
8:d=2 hl=2 l= 1 prim: INTEGER :00
11:d=2 hl=3 l= 128 cons: SEQUENCE
14:d=3 hl=2 l= 11 cons: SET
16:d=4 hl=2 l= 9 cons: SEQUENCE
18:d=5 hl=2 l= 3 prim: OBJECT :countryName
23:d=5 hl=2 l= 2 prim: PRINTABLESTRING :Ja
27:d=3 hl=2 l= 21 cons: SET
29:d=4 hl=2 l= 19 cons: SEQUENCE
31:d=5 hl=2 l= 3 prim: OBJECT :stateOrProvinceName
36:d=5 hl=2 l= 12 prim: UNIVERSALSTRING
50:d=3 hl=2 l= 21 cons: SET
52:d=4 hl=2 l= 19 cons: SEQUENCE
54:d=5 hl=2 l= 3 prim: OBJECT :localityName
59:d=5 hl=2 l= 12 prim: UNIVERSALSTRING
73:d=3 hl=2 l= 21 cons: SET
75:d=4 hl=2 l= 19 cons: SEQUENCE
77:d=5 hl=2 l= 3 prim: OBJECT :organizationName
82:d=5 hl=2 l= 12 prim: UNIVERSALSTRING
96:d=3 hl=2 l= 21 cons: SET
98:d=4 hl=2 l= 19 cons: SEQUENCE
100:d=5 hl=2 l= 3 prim: OBJECT :organizationalUnitName
105:d=5 hl=2 l= 12 prim: UNIVERSALSTRING
119:d=3 hl=2 l= 21 cons: SET
121:d=4 hl=2 l= 19 cons: SEQUENCE
123:d=5 hl=2 l= 3 prim: OBJECT :commonName
128:d=5 hl=2 l= 12 prim: UNIVERSALSTRING
142:d=2 hl=3 l= 159 cons: SEQUENCE
145:d=3 hl=2 l= 13 cons: SEQUENCE
147:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption
158:d=4 hl=2 l= 0 prim: NULL
160:d=3 hl=3 l= 141 prim: BIT STRING
304:d=2 hl=2 l= 0 cons: cont [ 0 ]
306:d=1 hl=2 l= 13 cons: SEQUENCE
308:d=2 hl=2 l= 9 prim: OBJECT :md5WithRSAEncryption
319:d=2 hl=2 l= 0 prim: NULL
321:d=1 hl=3 l= 129 prim: BIT STRING
As can be seen from above, it looks like DirectoryString is UniversalString and
not a
UTF8String. Here's the RFC(under 4.1.2.4 ):
http://www.faqs.org/rfcs/rfc3280.html
It states the following:
"The DirectoryString type is defined as a choice of PrintableString,
TeletexString, BMPString, UTF8String, and UniversalString. The
UTF8String encoding [RFC 2279] is the preferred encoding, and all
certificates issued after December 31, 2003 MUST use the UTF8String
encoding of DirectoryString (except as noted below)."
As per the RFC, UTF8String encoding is the preferred encoding. So customer
is requesting us to use UTF8String encoding and hence this RFE.
|
Assignee | |
Comment 1•22 years ago
|
||
more info:
WS uses CERT_AsciiToName() to create a CERTName from a string of the form
"CN=x, OU=x, O=x, L=x, ST=x, C=x" (where the OU, L, and ST are optional). This
ends up calling CERT_ParseRFC1485AVA() which contains the following code:
/* Hack -- for rationale see X.520 DirectoryString defn */
if (IsPrintable((unsigned char*)valBuf, valLen)) {
vt = SEC_ASN1_PRINTABLE_STRING;
} else if (Is7Bit((unsigned char *)valBuf, valLen)) {
vt = SEC_ASN1_T61_STRING;
} else {
vt = SEC_ASN1_UNIVERSAL_STRING;
}
|
|
Assignee | |
Updated•22 years ago
|
Priority: -- → P2
Whiteboard: 3.3.5
Target Milestone: --- → 3.9
|
|
Assignee | |
Comment 2•22 years ago
|
||
|
|
Assignee | |
Comment 3•22 years ago
|
||
Comment on attachment 123407 [details] [diff] [review]
change default from UniversalString to UTF8String
After looking around, I found there's more work to do.
Attachment #123407 -
Attachment is obsolete: true
|
|
Assignee | |
Comment 4•22 years ago
|
||
|
|
Assignee | |
Comment 5•22 years ago
|
||
Comment on attachment 123414 [details] [diff] [review]
another place where UniversalString was assumed
I'll see if I can make a cert with UTF8 chars to test this with. I believe
these are all the places that need to be changed.
Attachment #123414 -
Flags: review?(nelsonb)
|
|
Assignee | |
Comment 6•22 years ago
|
||
Managed to get certutil to create a CSR with a UTF8 character, here's before:
C-Sequence (374)
C-Sequence (224)
Integer (1)
00
C-Sequence (55)
C-Set (53)
C-Sequence (51)
Object Identifier (3)
2 5 4 3 (X520 Common Name)
Universal String (44)
00 00 00 49 00 00 00 61 00 00 00 6e 00 00 00 20 00 00
00 b5 00 00 00 63 00 00 00 67 00 00 00 72 00 00 00 65
00 00 00 65 00 00 00 72
...
and after:
C-Sequence (342)
C-Sequence (192)
Integer (1)
00
C-Sequence (23)
C-Set (21)
C-Sequence (19)
Object Identifier (3)
2 5 4 3 (X520 Common Name)
UTF8 String (12)
49 61 6e 20 c2 b5 63 67 72 65 65 72
...
The actual DN was:
Subject: CN=Ian µcgreer
|
||
Updated•22 years ago
|
Attachment #123414 -
Flags: review?(nelsonb) → review+
|
|
Assignee | |
Comment 7•22 years ago
|
||
checked in at tip:
Checking in alg1485.c;
/cvsroot/mozilla/security/nss/lib/certdb/alg1485.c,v <-- alg1485.c
new revision: 1.11; previous revision: 1.10
done
Checking in secname.c;
/cvsroot/mozilla/security/nss/lib/certdb/secname.c,v <-- secname.c
new revision: 1.10; previous revision: 1.9
done
and 3.3 branch:
Checking in alg1485.c;
/cvsroot/mozilla/security/nss/lib/certdb/alg1485.c,v <-- alg1485.c
new revision: 1.3.48.2; previous revision: 1.3.48.1
done
Checking in secname.c;
/cvsroot/mozilla/security/nss/lib/certdb/secname.c,v <-- secname.c
new revision: 1.3.68.1; previous revision: 1.3
done
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
|
||
Comment 8•21 years ago
|
||
It's after December 31, 2003. RFC 3280 requires *all* new certs to use
UTF8String encoding.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
|
|
||
Comment 9•21 years ago
|
||
|
|
||
Comment 10•21 years ago
|
||
Yes, RFC 3280 says that, but a number of the major CAs are not complying,
and (based on private correspondence) are in no hurry to do so.
|
|
||
Comment 11•21 years ago
|
||
Comment on attachment 139529 [details] [diff] [review]
Use UTF8String exclusively
Nonetheless, I agree this is the right thing to do.
Attachment #139529 -
Flags: review+
|
|
||
Comment 12•21 years ago
|
||
I don't consider myself capable of adequately testing this, so I'd appreciate
someone else landing the patch.
|
|
||
Comment 13•21 years ago
|
||
This change should go into 3.10, and not 3.9.1 IMO, so perhaps we should make
the 3.9 branch now.
Target Milestone: 3.9 → 3.10
|
|
||
Comment 14•21 years ago
|
||
Actually, upon further reflection, I think the solution may be more
complicated than this.
The functions that create an encoded DN are sometimes used when creating a
new cert request, and at other times are used to create a DN for an older
cert.
When creating a new cert request, we should use UTF8 exclusively, but
when creating an encoded DN for other purposes, such as looking for
an old cert with that name, we want to create the encoded DN with the
encoding it would have had when it was created.
This issue is related to bug http://bugzilla.mozilla.org/show_bug.cgi?id=210709
and its blockers.
We could choose to
a) have two sets of functions for building encoded DNs from attribute type/value
pairs, one for new CSRs and one for older certs, or
b) have a function for that that takes a date argument, upon which the function
decides which encodings to use, or
c) Other suggestions? (John?)
BTW, I think we should open a new bug for this coverstion-to-UTF8-always
issue, and not morph this bug into that one. Agreed?
|
|
||
Comment 15•21 years ago
|
||
I'm marking this bug fixed again, so that it will serve as a record of some
bugs that were fixed in NSS 3.9.
I will shortly open a new bug for this issue of using only UTF8 in new CSRs.
Status: REOPENED → RESOLVED
Closed: 22 years ago → 21 years ago
Resolution: --- → FIXED
Target Milestone: 3.10 → 3.9
|
|
||
Comment 16•21 years ago
|
||
(In reply to comment #15)
> I will shortly open a new bug for this issue of using only UTF8 in new CSRs.
Have you gotten around to this? What is the new bug?
|
|
||
Comment 17•21 years ago
|
||
John, It's but 232775. You added comments to it the same day I filed it.
They say memory is the second human faculty to go.
I don't remember what the first thing is. :)
You need to log in
before you can comment on or make changes to this bug.
Description
•