Bug 216116
Opened 22 years ago
Closed 21 years ago
NSS fails NIST test for cert with optional issuerUniqueID
Categories: NSS :: Libraries, defect, P1
Tracking: Not tracked
Status: VERIFIED FIXED
Target Milestone: 3.9.1
People: Reporter: nelson, Assigned: nelson
Whiteboard: [pkits]
Attachments (2 files):
- 630 bytes, application/octet-stream
- 1.19 KB, patch (julien.pierre: review+; rrelyea: superreview+)
X.509 v2 introduced two new optional components to a certificate.
The optional issuerUniqueID and subjectUniqueID components come after the
subjectPublicKeyInfo and before the extensions. These optional components are
also part of the definition of an X.509 v3 cert, although rarely used.
Each uniqueID is a bitstring.
The new NIST test suite includes one or more certs that contain these optional
UniqueIdentifier components. NSS can't parse them.
This should be easy to fix, I think. Just two new optional components in the
template that are bitstrings. The tricky part is likely to be finding a place
in the CERTCertificate structure for them.
Comment 1 (Assignee, 22 years ago)
Comment 2 (Assignee, 22 years ago)
See RFC 3280 page 15 for the relevant ASN.1 syntax.
Comment 3 (Assignee, 21 years ago)
This bug is the reason that NSS fails NIST test 4.3.6
also known as "Valid Name Chaining UIDs Test6"
Summary: NSS can't parse a cert with an optional issuerUniqueID → NSS fails NIST test for cert with optional issuerUniqueID
Updated (21 years ago)
Whiteboard: [pkits]
Comment 4 (Assignee, 21 years ago)
AAARGH! The cause of this bug was SO STUPID.
The unique IDs are NOT OIDS, they're bit strings, and they're not
typically constructed, so we must not require that they be constructed.
The CERTCertificate structure already has places to store them, so binary
compatibility is not an issue.
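The description and Comment 4 between them state the whole DER-level point: issuerUniqueID and subjectUniqueID are [1] and [2] IMPLICIT BIT STRINGs, so on the wire they carry the primitive context-specific tags 0x81 and 0x82, not the constructed 0xA1/0xA2 that a template written for an EXPLICIT wrapper (like [0] version or [3] extensions) would look for. The example below is added here and is not NSS code; it is a small stand-alone Python DER walker rather than NSS's C templates, and the certificate bytes it parses are constructed inline with a placeholder key and no signature. It parses the optional UIDs with the correct primitive tags, and then shows the same template with the constructed bit wrongly required, which skips both UIDs as "absent" and fails on the leftover bytes, the failure mode this bug describes.

```python
"""Decoding the optional X.509 UniqueIdentifier fields at the DER level.

Added example for this bug; not NSS code.  Syntax from RFC 3280 section 4.1:

    TBSCertificate ::= SEQUENCE {
        version              [0] EXPLICIT Version DEFAULT v1,
        serialNumber         CertificateSerialNumber,
        signature            AlgorithmIdentifier,
        issuer               Name,
        validity             Validity,
        subject              Name,
        subjectPublicKeyInfo SubjectPublicKeyInfo,
        issuerUniqueID       [1] IMPLICIT UniqueIdentifier OPTIONAL,
        subjectUniqueID      [2] IMPLICIT UniqueIdentifier OPTIONAL,
        extensions           [3] EXPLICIT Extensions OPTIONAL }
    UniqueIdentifier ::= BIT STRING

IMPLICIT tagging replaces the BIT STRING tag, so the UIDs are encoded with
PRIMITIVE context tags 0x81/0x82; EXPLICIT [0]/[3] wrap a value and are
CONSTRUCTED (0xA0/0xA3).
"""

SEQUENCE, SET, INTEGER, BIT_STRING, OCTET_STRING, NULL, OID, UTF8, UTCTIME = (
    0x30, 0x31, 0x02, 0x03, 0x04, 0x05, 0x06, 0x0C, 0x17)
CONSTRUCTED = 0x20  # bit 6 of the identifier octet


def tlv(tag, body):
    """Encode one DER tag-length-value (definite length form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def name(cn):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, with a single CN."""
    return tlv(SEQUENCE, tlv(SET, tlv(SEQUENCE,
           tlv(OID, b"\x55\x04\x03") + tlv(UTF8, cn.encode()))))


def bit_string(raw, tag=BIT_STRING):
    """BIT STRING contents start with one octet giving the unused-bit count."""
    return tlv(tag, b"\x00" + raw)


# Constructed sample: a v3 TBSCertificate carrying both UIDs.  The RSA key is a
# placeholder; only the field layout matters here.
SAMPLE_TBS = tlv(SEQUENCE,
    tlv(0xA0, tlv(INTEGER, b"\x02"))                      # version [0] EXPLICIT, v3
    + tlv(INTEGER, b"\x01")                                # serialNumber
    + tlv(SEQUENCE, tlv(OID, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")
                    + tlv(NULL, b""))                      # signature (sha256WithRSA)
    + name("Test CA")                                      # issuer
    + tlv(SEQUENCE, tlv(UTCTIME, b"040101000000Z")
                    + tlv(UTCTIME, b"050101000000Z"))      # validity
    + name("Test EE")                                      # subject
    + tlv(SEQUENCE, tlv(SEQUENCE, tlv(OID, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")
                                  + tlv(NULL, b""))
                    + bit_string(b"\x30\x00"))             # subjectPublicKeyInfo (dummy)
    + bit_string(b"\xde\xad", tag=0x81)                    # issuerUniqueID  [1] IMPLICIT
    + bit_string(b"\xbe\xef", tag=0x82)                    # subjectUniqueID [2] IMPLICIT
    + tlv(0xA3, tlv(SEQUENCE, tlv(SEQUENCE,                # extensions [3] EXPLICIT
          tlv(OID, b"\x55\x1d\x13") + tlv(OCTET_STRING, tlv(SEQUENCE, b"")))))
)


def parse_tbs(tbs, uids_constructed=False):
    """Template-driven walk of TBSCertificate.  With uids_constructed=True the
    template expects 0xA1/0xA2 (the bug): the real 0x81/0x82 never match, both
    optional fields are treated as absent, and the walk ends with unmatched
    bytes, i.e. a decode failure on any cert that carries a UID."""
    uid_form = CONSTRUCTED if uids_constructed else 0
    template = [
        ("version",              0xA0,            True),
        ("serialNumber",         INTEGER,         False),
        ("signature",            SEQUENCE,        False),
        ("issuer",               SEQUENCE,        False),
        ("validity",             SEQUENCE,        False),
        ("subject",              SEQUENCE,        False),
        ("subjectPublicKeyInfo", SEQUENCE,        False),
        ("issuerUniqueID",       0x81 | uid_form, True),
        ("subjectUniqueID",      0x82 | uid_form, True),
        ("extensions",           0xA3,            True),
    ]
    tag, body, end = read_tlv(tbs, 0)
    if tag != SEQUENCE or end != len(tbs):
        raise ValueError("TBSCertificate is not a single SEQUENCE")
    fields, pos = {}, 0
    for field, want, optional in template:
        got = body[pos] if pos < len(body) else None
        if got == want:
            _, fields[field], pos = read_tlv(body, pos)
        elif not optional:
            raise ValueError(f"{field}: expected tag {want:#04x}, got {got}")
    if pos != len(body):
        raise ValueError(f"unexpected tag {body[pos]:#04x}: "
                         f"{len(body) - pos} bytes not matched by template")
    return fields


def unique_id(value):
    """Return (payload bytes, bit count) of a decoded UniqueIdentifier."""
    unused = value[0]
    if unused > 7:
        raise ValueError("BIT STRING: unused-bits octet out of range")
    return value[1:], 8 * len(value[1:]) - unused


def demo():
    """Correct template decodes the UIDs; the constructed-only one fails."""
    fields = parse_tbs(SAMPLE_TBS)
    result = {
        "version": read_tlv(fields["version"], 0)[1][0] + 1,  # v1 is encoded as 0
        "issuerUniqueID": unique_id(fields["issuerUniqueID"]),
        "subjectUniqueID": unique_id(fields["subjectUniqueID"]),
        "hasExtensions": "extensions" in fields,
    }
    try:
        parse_tbs(SAMPLE_TBS, uids_constructed=True)
        result["buggyTemplate"] = "parsed (unexpected)"
    except ValueError as err:
        result["buggyTemplate"] = str(err)
    return result


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The template match is on the full identifier octet, which is what makes the primitive/constructed distinction matter: a decoder that ORs in the constructed bit for [1] and [2] will never see a conforming UID, and because both fields are OPTIONAL the failure surfaces later as "unexpected trailing data" rather than as a clear tag mismatch, which is why a bug like this can sit unnoticed until a test suite supplies a cert that actually uses the fields.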
Updated (21 years ago)
Assignee: wchang0222 → MisterSSL
Priority: -- → P1
Target Milestone: --- → 3.9.1
Updated (21 years ago)
Status: NEW → ASSIGNED
Comment 5 (Assignee, 21 years ago)
Comment on attachment 139102 [details] [diff] [review]
patch v1
Please review.
Attachment #139102 - Flags: superreview?(wchang0222)
Attachment #139102 - Flags: review?(jpierre)
Comment 6 (Assignee, 21 years ago)
Add requested reviewers to cc list
Updated (21 years ago)
Attachment #139102 - Flags: review?(jpierre) → review+
Comment 7 (21 years ago)
Comment on attachment 139102 [details] [diff] [review]
patch v1
Nelson, since our ASN.1 decoder expert Julien has
reviewed your patch, you can go ahead and check it
in. I'll review the patch tomorrow. (May need to
ask Bob to review it instead because I'm not familiar
with our ASN.1 templates.)
Attachment #139102 - Flags: superreview?(wchang0222) → superreview?(rrelyea0264)
Comment 8 (Assignee, 21 years ago)
/cvsroot/mozilla/security/nss/lib/certdb/certdb.c,v <-- certdb.c
new revision: 1.60; previous revision: 1.59
Status: ASSIGNED → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Comment 9 (21 years ago)
Comment on attachment 139102 [details] [diff] [review]
patch v1
yes, looks good
Attachment #139102 - Flags: superreview?(rrelyea0264) → superreview+
Comment 10 (21 years ago)
Marking VERIFIED.
Valid Name Chaining UIDs Test 6 (Test 4.3.6) passes.
Status: RESOLVED → VERIFIED