Closed Bug 212004 Opened 21 years ago Closed 21 years ago

A crash in CERT_IsUserCert because cert->trust is NULL

Categories

(NSS :: Libraries, defect)

3.7.3
PowerPC
macOS
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: wtc, Assigned: wtc)

Details

(Whiteboard: [3.8.2][3.7.8])

Attachments

(1 file)

The NSS version is 3.7.7.  The tree has been modified with some
printf statements so the line numbers may be off a little.

I am getting a crash in CERT_IsUserCert because cert->trust is
NULL.  The top of the stack trace is:

#0  CERT_IsUserCert (cert=0xa3e0c80) at certdb.c:2613
#1  0x03f46758 in CERT_FilterCertListForUserCerts (certList=0x9967580) at
certdb.c:2640
#2  0x03ef77a4 in CERT_FindUserCertByUsage (handle=0x530b948, nickname=0x873675c
"<a valid cert nickname>", usage=certUsageEmailSigner, validOnly=1,
proto_win=0x0) at certhigh.c:289

This happens while I am viewing a signed email message that I
sent to myself and I remove and re-insert a smartcard, which
has my signing and encryption certs.

The cert in question is:

(gdb) print *cert
$4 = {
  arena = 0x53168e0, 
  subjectName = 0x99591c0 "CN=Wan-Teh Chang, E=wtc@netscape.com, UID=wtc,
O=America Online Inc, C=US", 
  issuerName = 0x9959210 "CN=Intranet Certificate Authority, OU=AOL
Technologies, O=America Online Inc, L=Mountain View, ST=CA, C=US", 
  signatureWrap = {
    data = {
      type = siBuffer, 
      data = 0xa3e0e0c "0\202\002&#65533;\003\002\001\002\002\002i&#65533;0\r\006\t*\206H\206&#65533;
\r\001\001\004\005", 
      len = 746
    }, 
    signatureAlgorithm = {
      algorithm = {
        type = siBuffer, 
        data = 0xa3e10fa "*\206H\206&#65533;\r\001\001\004\005", 
        len = 9
      }, 
      parameters = {
        type = siBuffer, 
        data = 0xa3e1103 "\005", 
        len = 2
      }
    }, 
    signature = {
      type = siBuffer, 
      data = 0xa3e1109 "K/\030+&#65533;&#65533;:&#65533;&#65533;&#65533;&#65533;\fk&#65533;N\026]&#65533;\200\026\030", 
      len = 1024
    }
  }, 
  derCert = {
    type = siBuffer, 
    data = 0xa3e0e08 "0\202\003}0\202\002&#65533;\003\002\001\002\002\002i&#65533;0\r\006\t*
\206H\206&#65533;\r\001\001\004\005", 
    len = 897
  }, 
  derIssuer = {
    type = siBuffer, 
    data = 0xa3e0e28
"0\201\2231\v0\t\006\003U\004\006\023\002US1\v0\t\006\003U\004\b\023\002CA1\0260\024\006\003U\004\a\023\rMountain
View1\e0\031\006\003U\004\n\023\022America Online
Inc1\0310\027\006\003U\004\v\023\020AOL
Technologies1'0%\006\003U\004\003\023\036Intranet Certificate
Authority0\036\027\r030306192627Z\027\r030902192627Z0x1\v0\t\006\003U\004\006\023\002US1\e0"...,

    len = 150
  }, 
  derSubject = {
    type = siBuffer, 
    data = 0xa3e0ede \031\006\003U\004\n\023\022America Online
Inc1\0230\021\006\n\t\222&\211\223&#65533;,d\001\001\023\003wtc1\0370\035\006\t*\206H
\206&#65533;\r\001\t\001\026\020wtc@netscape.com1\0260\024\006\003U\004\003\023\rWan-
Teh Chang0\201\2370\r\006\t*\206H\206&#65533;\r\001\001\001\005", 
    len = 122
  }, 
  derPublicKey = {
    type = siBuffer, 
    data = 0xa3e0f58 "0\201\2370\r\006\t*\206H\206&#65533;\r\001\001\001\005", 
    len = 162
  }, 
  certKey = {
    type = siBuffer, 
    data = 0x99590a0 "i&#65533;0\201\2231\v0\t\006\003U\004\006\023\002US1\v0\t\006
\003U\004\b\023\002CA1\0260\024\006\003U\004\a\023\rMountain
View1\e0\031\006\003U\004\n\023\022America Online
Inc1\0310\027\006\003U\004\v\023\020AOL
Technologies1'0%\006\003U\004\003\023\036Intranet Certificate
Authoritywtc@netscape.com", 
    len = 152
  }, 
  version = {
    type = siBuffer, 
    data = 0xa3e0e14 "\002\002\002i&#65533;0\r\006\t*\206H\206&#65533;\r\001\001\004\005", 
    len = 1
  }, 
  serialNumber = {
    type = siBuffer, 
    data = 0xa3e0e17 "i&#65533;0\r\006\t*\206H\206&#65533;\r\001\001\004\005", 
    len = 2
  }, 
  signature = {
    algorithm = {
      type = siBuffer, 
      data = 0xa3e0e1d "*\206H\206&#65533;\r\001\001\004\005", 
      len = 9
    }, 
    parameters = {
      type = siBuffer, 
      data = 0xa3e0e26 "\005", 
      len = 2
    }
  }, 
  issuer = {
    arena = 0x0, 
    rdns = 0xa3e1198
  }, 
  validity = {
    arena = 0x0, 
    notBefore = {
      type = siBuffer, 
      data = 0xa3e0ec2
"030306192627Z\027\r030902192627Z0x1\v0\t\006\003U\004\006\023\002US1\e0\031\006\003U\004\n\023\022America
Online Inc1\0230\021\006\n\t\222&\211\223&#65533;,d\001\001\023\003wtc1\0370\035\006\t*
\206H\206&#65533;\r\001\t\001\026\020wtc@netscape.com1\0260\024\006\003U\004\003\023\
rWan-Teh Chang0\201\2370\r\006\t*\206H\206&#65533;\r\001\001\001\005", 
      len = 13
    }, 
    notAfter = {
      type = siBuffer, 
      data = 0xa3e0ed1
"030902192627Z0x1\v0\t\006\003U\004\006\023\002US1\e0\031\006\003U\004\n\023\022America
Online Inc1\0230\021\006\n\t\222&\211\223&#65533;,d\001\001\023\003wtc1\0370\035\006\t*
\206H\206&#65533;\r\001\t\001\026\020wtc@netscape.com1\0260\024\006\003U\004\003\023\
rWan-Teh Chang0\201\2370\r\006\t*\206H\206&#65533;\r\001\001\001\005", 
      len = 13
    }
  }, 
  subject = {
    arena = 0x0, 
    rdns = 0xa3e1290
  }, 
  subjectPublicKeyInfo = {
    arena = 0x0, 
    algorithm = {
      algorithm = {
        type = siBuffer, 
        data = 0xa3e0f5f "*\206H\206&#65533;\r\001\001\001\005", 
        len = 9
      }, 
      parameters = {
        type = siBuffer, 
        data = 0xa3e0f68 "\005", 
        len = 2
      }
    }, 
    subjectPublicKey = {
      type = siBuffer, 
      data = 0xa3e0f6e "0\201\211\002\201\201", 
      len = 1120
    }
  }, 
  issuerID = {
    type = siBuffer, 
    data = 0x0, 
    len = 0
  }, 
  subjectID = {
    type = siBuffer, 
    data = 0x0, 
    len = 0
  }, 
  extensions = 0xa3e1360, 
  emailAddr = 0x9959138 "wtc@netscape.com", 
  dbhandle = 0x530b948, 
  subjectKeyID = {
    type = siBuffer, 
    data = 0x9959160 "\233\n&#65533;&#65533;\236\2327\025&#65533;&#65533;&#65533;Jh^&\nfv&#65533;t&#65533;&#65533;&#65533;&#65533;", 
    len = 20
  }, 
  keyIDGenerated = 0, 
  keyUsage = 128, 
  rawKeyUsage = 128, 
  keyUsagePresent = 1, 
  nsCertType = 160, 
  keepSession = 0, 
  timeOK = 0, 
  domainOK = 0x0, 
  isperm = 0, 
  istemp = 1, 
  nickname = 0x0, 
  dbnickname = 0x0, 
  nssCertificate = 0xa3e0490, 
  trust = 0x0, 
  referenceCount = 1, 
  subjectList = 0x0, 
  authKeyID = 0x9959180, 
  isRoot = 0, 
  authsocketlist = 0x0, 
  series = 0, 
  slot = 0x0, 
  pkcs11ID = 0, 
  ownSlot = 0
}

Is it normal for a temp cert to have a NULL 'trust' pointer?
Attached patch Proposed patchSplinter Review
To the best of my knowledge, it is fine for a temp
cert to have a null 'trust' pointer, and it should
be interpreted as no trust.  So that's what this
patch does.
I have verified that CERT_NewTempCertificate returns a cert with a NULL
trust pointer when it is invoked with a previously unknown cert.
Attachment #127286 - Flags: review?(nelsonb)
Comment on attachment 127286 [details] [diff] [review]
Proposed patch

Looks correct to me
Attachment #127286 - Flags: review?(nelsonb) → review+
Fix checked into the NSS tip (NSS 3.9), NSS_3_8_BRANCH (NSS 3.8.2),
and NSS_CLIENT_TAG (Mozilla 1.5a).
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Whiteboard: [3.8.2]
Target Milestone: --- → 3.9
I checked in the fix on the NSS_3_7_BRANCH (NSS 3.7.8).
Whiteboard: [3.8.2] → [3.8.2][3.7.8]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: