Closed Bug 287052 Opened 19 years ago Closed 17 years ago

Function to get CRL Entry reason code has incorrect prototype and implementation

Categories

(NSS :: Libraries, defect, P2)

Product:
NSS
Component:
Libraries
Version:
3.10
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: hanfei.yu, Assigned: julien.pierre)

References

Details

(Whiteboard: PKIX)

Attachments

(4 files, 3 obsolete files)

fix that applies to NSS_LIBPKIX_BRANCH
5.34 KB, patch
Details | Diff | Splinter Review
rename CERT_FindCRLReasonExten to CERT_FindCRLEntryReasonExten
908 bytes, patch
Details | Diff | Splinter Review
Use the name CERT_FindCRLEntryReasonExten
1.90 KB, patch
Details | Diff | Splinter Review
combine calls to avoid memory storage issue and provides reason code as enum type.
9.22 KB, patch
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.4) Gecko/20041214
Build Identifier: Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.4) Gecko/20041214

 There are two problems with the function CERT_FindCRLReasonExten():
 1) parameter passed was CERTCrl *crl. Since ReasonCode is in CRLEntry
 extension, and there could be multiple CRLEntries associated with one CRL,
 the parameter should be CERTCrlEntry. Suggest to rename it as
 CERT_FindCRLEntryReasonExten().
 2) ReasonCode is an enumerate type, the decoder function should be fixed
 accordingly.


Reproducible: Always



Expected Results:  
As suggested in Details block.
Nelson, please reassign to the appropriate engineer
on your team.

I found that CERT_FindCRLReasonExten is dead
code.  It is not exported, and not used by NSS
internally.  So the correctness of this function
is unknown.
Assignee: wtchang → nelson
Julien is Mr. CRL  :)

We should either expunge this dead code, or consider this to be an RFE,
asking that it be made public.  

HanFei, are you asking that this function be made public?  
Do you want to use it?
Assignee: nelson → julien.pierre.bugs
Yes, I would think this function need to be public. (Am I the the first person
trying to get CRL reason code ? :-) )

I had the fix local in our NSS source, if you need a copy of it, let me know.
Han-Fei,

You are right, the CRL reason code extension cannot appear in CRL extensions, 
only in CRL entry extensions .

For a minute I thought this might be legal for distribution points that only
list certain reason codes, but RFC3280 says in fact that's done by setting the
ReasonFlags in an issuingDistributionPoint of onlySomeReasons .

This function should be re-implemented as CERT_FindCRLEntryReasonExten.

It would use the internal function cert_FindExtension to locate the extension
within the CertCrlEntryStr 's extensions field .
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Solaris → All
Hardware: Sun → All
Version: unspecified → 3.10
Hanfei,

BTW, yes, I think you are the first NSS user who wanted to look at this
extension, since there is no way to get at it with the current public API. Even
NSS itself never checks it currently, since it only supports full CRLs, and from
that perspective, all reason codes lead to the same conclusion - that the cert
is revoked.

This is of course no longer true in the case of delta CRLs and distribution
points - you really need to have it. Do you want to take on this bug and create
this new function, since it is needed for libpkix NSS integration ?

Targetting this bug and all other libpkix related bugs to 3.11 .
Priority: -- → P1
Target Milestone: --- → 3.11
Julien:

  Since I don't have the setup here for NSS pushback and testing, can you 
  integrate it in your setup? This fix had been tested using NIST CRL files.

  Please note that I created another function named CERT_FindCRLEntryReasonExten
  just to call CERT_FindCRLReasonExten. Because I wasn't sure anyone had been
  using the original one.

Hanfei

******************** in crlv2.c:

SECStatus CERT_FindCRLReasonExten (CERTCrlEntry *crlEntry, int *value)
{
    SECStatus rv;
    SECItem tmpItem;

    tmpItem.data = NULL;
    tmpItem.len = 0;

    rv = CERT_FindExtensionWithTemplate
	(crlEntry->extensions, SEC_OID_X509_REASON_CODE, 
	 SEC_EnumeratedTemplate, &tmpItem);

    if ( rv != SECSuccess )
	return (rv);

    *value = DER_GetInteger(&tmpItem);
    SECITEM_FreeItem(&tmpItem, PR_FALSE);

    return (rv);
}

SECStatus CERT_FindCRLEntryReasonExten (CERTCrlEntry *crlEntry, int *value)
{
    return (CERT_FindCRLReasonExten(crlEntry, value));
}
Hanfei,

It would be very useful for you to setup an NSS build environment.

For now, please fix your function - you can get rid of the old one altogether
since it's not in use - and generate a diff with cvs -q diff -u10 . Then use the
"create new attachment" link at the top of this bug to attach this file .

As to the pushback, I targeted this bug for NSS 3.11 . We can't add new
functions to 3.10 at this time. We haven't branched for 3.10 yet. It's probably
going to be a few weeks before this fix gets put back.
Attached file CVS diff for fixing bug 287052 (obsolete) — 

    
    

    
  
Comment on attachment 178485 [details]
CVS diff for fixing bug 287052

This function needs to be declared in a public
header file (certdb.h?) and exported in lib/nss/nss.def.
QA Contact: bishakhabanerjee → jason.m.reid

    
    

    
  
Hanfei,

The patch you attached depends on the function CERT_FindExtensionWithTemplate,
which is not in NSS yet. Please attach a patch that includes all the dependencies.

Thanks.


    
    

    
  


  
CERT_FindCRLEntryReasonExten is not working correctly. Modify changes at
cert.h, certxutl.c and crlv2.c .

    
  

        Attachment #178485 -
        Attachment is obsolete: true

        Attachment #189447 -
        Flags: review?(julien.pierre.bugs)

    
    

    
  
Comment on attachment 189447 [details] [diff] [review]
Fixed incorrect behavior for CERT_FindCRLEntryReasonExten()

Unfortunately, this patch does not apply to NSS_LIBPKIX_BRANCH due to other
changes .

        Attachment #189447 -
        Flags: review?(julien.pierre.bugs) → review-

    
    

    
  


  
Also declare the missing CERT_FindExtensionWithTemplate function in cert.h .
Remove the bogus and unused CERT_FindCRLReasonExten function from crl.c .

        Attachment #189447 -
        Attachment is obsolete: true

    
    

    
  
As checked in on NSS_LIBPKIX_BRANCH .

Checking in certdb/cert.h;
/cvsroot/mozilla/security/nss/lib/certdb/cert.h,v  <--  cert.h
new revision: 1.53.10.4; previous revision: 1.53.10.3
done
Checking in certdb/certxutl.c;
/cvsroot/mozilla/security/nss/lib/certdb/certxutl.c,v  <--  certxutl.c
new revision: 1.5.10.1; previous revision: 1.5
done
Checking in certhigh/crlv2.c;
/cvsroot/mozilla/security/nss/lib/certhigh/crlv2.c,v  <--  crlv2.c
new revision: 1.3.10.2; previous revision: 1.3.10.1
done


    
    

    
  


  
Pleaase apply the attachment diff file, which includes:

1) correct function name for CERT_FindCRLReasonExten in cert.h
2) include ReleaseDPCache in certi.h (was a static function)
3) add CERT_FindCRLReasonExten and CERT_FindCRLNumberExten in nss.def

Thanks.

Hanfei

    
  

        Attachment #189888 -
        Attachment is patch: true

        Attachment #189888 -
        Attachment mime type: application/octet-stream → text/plain

    
    

    
  
Hanfei,

Re: your patch from 7/20, we really do want to change the function name from
CERT_FindCRLReasonExten to CERT_FindCRLEntryReasonExten . The function was not
previously exported or used internally, so it is OK to change both its prototype
and name. The new name is more appropriate, since a CRL doesn't have a reason
extension, only a CRL entry does.


    
    

    
  


  
As checked in to NSS_LIBPKIX_BRANCH .

Checking in crlv2.c;
/cvsroot/mozilla/security/nss/lib/certhigh/crlv2.c,v  <--  crlv2.c
new revision: 1.3.10.3; previous revision: 1.3.10.2

        Attachment #189888 -
        Attachment is obsolete: true

    
    

    
  


  
The patch difference is created for using CERT_FindCRLEntryReasonExten call
instead of CERT_FindCRLReasonExten.

    
    

    
  
There are several problems with the function CERT_FindExtensionWithTemplate :
1. When you call SEC_QuickDERDecodeItem, you are passing a pointer to tmpItem as
the second argument, which is the destination .

The destination is defined as a void* to QuickDER, because its type actually
depends on the content of the template. The way you have written your code, only
very simple templates, representing primitive ASN.1 types that fit in a single
SECItem, can be passed in to CERT_FindExtensionWithTemplate . Anything bigger
will cause a stack overflow, which could cause remote code to be executed . This
function needs to be fixed so that this is not possible. If you are always
calling CERT_FindExtensionWithTemplate with templates representing primitive
types, then I think this function doesn't really need to exist. You should just
integrate the call to SEC_QuickDERDecodeItem into the calling function .

2. if you find a way to fix the design of the function and keep it around, the
following would need to be resolved :

- you should agree on a common way to initialize both tmpItem and wrapperItem
- you should use one of the SECITEM_ functions to copy items; there is no need
to write your own copy code

Summary: Function to get CRL Entry reason code is incorrect → Function to get CRL Entry reason code has incorrect prototype and implementation

    
    

    
  
Another problem is with CERT_FindCRLReasonExten . It is written to return an int.
It would be much better to return an enum type of the various reason codes.

Assignee: julien.pierre.bugs → hanfei.yu

    
    

    
  
Comment on attachment 190398 [details] [diff] [review]
Use the name CERT_FindCRLEntryReasonExten

Let's not add any functions to NSS whose names end with "Ex" or "Exten".  
Exten tells me nothing about what changed, and is easily confused with
Extension (as in CertExtension).
If the name is unique without any such suffix, just omit the suffix. 
Otherwise, please add a meaningful suffix.

        Attachment #190398 -
        Attachment is patch: true

    
    

    
  
(In reply to comment #21)
> Another problem is with CERT_FindCRLReasonExten . It is written to return an int.
> It would be much better to return an enum type of the various reason codes.

Julien, it returns a SECStatus.  I think you meant that it outputs an int,
and you'd prefer that it output a new reason code (enumerated type).  Right?



    
    

    
  
Nelson,

Yes, that's what I meant.


    
    

    
  


  
This patch includes two changes. One is to consolidate the call
CERT_FindExtensionWithTemplate() into CERT_FindCRLReasonExten(). The other is
for API CERT_FindCRLReasonExten() to return CRL entry reason code as enum in
its argument list.

Please note, since pkix_pl_crlentry.c (which I believe is not in the main line
yet) is affected by the API change, its diff is also in the patch file.

    
    

    
  
This didn't make 3.11 . Retargetting to 3.12 .

Target Milestone: 3.11 → 3.12

    
    

    
  
Reassigning.  HanFei isn't working on NSS any more.
Assignee: hanfei.yu → julien.pierre.bugs
QA Contact: jason.m.reid → libraries

    
  
Whiteboard: PKIX

    
  
Depends on: 358785
Priority: P1 → P2

    
    

    
  
This was fixed as part of the checkin for bug 358785 .
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: