Bug 416928 - DER decode error on this policy extension
Status: Closed, RESOLVED FIXED
Opened 16 years ago; Closed 16 years ago
Categories: NSS :: Libraries, defect, P1
Tracking: (Not tracked); 3.12
People: Reporter: nelson, Assigned: julien.pierre
References: ()
Details: Keywords: regression, Whiteboard: NSS312B2
Attachments (2 files)
- 2.46 KB, text/plain
- 755 bytes, patch; julien.pierre: review+
Description (Reporter: nelson)

The https server cert at https://www.startssl.com/ has a Certificate Policy extension with 1 policy with 3 policy qualifiers, the last of which is a User Notice policy qualifier. With FF2, NSS parses it and PSM's cert viewer reports:

    Not Critical
    1.3.6.1.4.1.23223.1.1.4:
      Certification Practice Statement pointer:
        http://cert.startcom.org/intermediate.pdf
      Certification Practice Statement pointer:
        http://cert.startcom.org/policy.pdf
      User Notice: <implementation limitation>

Evidently <Implementation limitation> is a string provided by PSM.

In FF3, PSM dumps the entire extension in Hex.

I dug into it with NSS's pp utility, and found that the function CERT_DecodeUserNotice is reporting failure. It calls:

    rv = SEC_QuickDERDecodeItem(arena, userNotice, CERT_UserNoticeTemplate,
                                &newNoticeItem);

which returns SECFailure. I dug into that a bit, and found that the error is being set in DecodeSequence, at this piece of code:

    {
        /* it isn't 100% clear whether this is a bad DER or a bad template.
         * The problem is that logically, they don't match - there is extra
         * data in the DER that the template doesn't know about */
        PORT_SetError(SEC_ERROR_BAD_DER);
        rv = SECFailure;
    }

I looked at the cert with various tools including dumpasn1, and looked at the ASN1 definition in RFC 3280, and didn't immediately see any problem with the cert's extension.
Comment 1 • 16 years ago

(In reply to comment #0)
> I dug into it with NSS's pp utility, and found that the function
> CERT_DecodeUserNotice is reporting failure. It calls:
>
>     rv = SEC_QuickDERDecodeItem(arena, userNotice, CERT_UserNoticeTemplate,
>                                 &newNoticeItem);
>
> which returns SECFailure.

It's a bug in that template, if both noticeRef and explicitText are included - see the attached patch, dug out from my collection.

> In FF3, PSM dumps the entire extension in Hex.

Attachment 293376 [details] (bug 408547) would actually help. But I'm getting tired of submitting patches which only get reviewed months later (if at all).
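The DecodeSequence failure quoted in the report is a template-driven decoder finding bytes for which it has no member, which is exactly what happens when a UserNotice carries both of its OPTIONAL members and the template can only account for one. The Python below is an added illustration, not NSS code and not Kaspar's patch: it builds a constructed UserNotice test vector (not the actual bytes of the startssl.com certificate) following the RFC 3280 definition, then decodes it with a small template model. FULL_TEMPLATE lists both optional members; BROKEN_TEMPLATE is a hypothetical template that knows only noticeRef and stands in for the reported defect (an assumption about its shape, not NSS's real CERT_UserNoticeTemplate). All function and constant names are the example's own.

```python
"""Template-driven DER decoding of the UserNotice policy qualifier (RFC 3280 4.2.1.5).
    UserNotice ::= SEQUENCE { noticeRef NoticeReference OPTIONAL,
                              explicitText DisplayText OPTIONAL }
    NoticeReference ::= SEQUENCE { organization DisplayText,
                                   noticeNumbers SEQUENCE OF INTEGER }
    DisplayText ::= CHOICE { IA5String | VisibleString | BMPString | UTF8String }
"""
TAG_INTEGER, TAG_UTF8, TAG_IA5, TAG_VISIBLE, TAG_BMP, TAG_SEQ = 0x02, 0x0C, 0x16, 0x1A, 0x1E, 0x30
DISPLAYTEXT_TAGS = {TAG_IA5, TAG_VISIBLE, TAG_BMP, TAG_UTF8}


class BadDER(ValueError):
    """Stands in for SEC_ERROR_BAD_DER."""


def read_tlv(buf, pos=0):
    """Parse one DER TLV at buf[pos:] (single-byte tags); return (tag, value, end)."""
    if pos + 2 > len(buf):
        raise BadDER("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise BadDER("bad length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if buf[pos] == 0 or length < 0x80:
            raise BadDER("non-minimal length")  # DER requires the shortest form
        pos += n
    if pos + length > len(buf):
        raise BadDER("truncated value")
    return tag, buf[pos:pos + length], pos + length


def encode_tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def encode_integer(i):  # non-negative, minimal two's complement
    return encode_tlv(TAG_INTEGER, i.to_bytes((i.bit_length() + 8) // 8, "big"))


def decode_display_text(tag, value):
    codec = {TAG_IA5: "ascii", TAG_VISIBLE: "ascii", TAG_UTF8: "utf-8", TAG_BMP: "utf-16-be"}
    if tag not in codec:
        raise BadDER("not a DisplayText")
    text = value.decode(codec[tag])
    if not 1 <= len(text) <= 200:  # SIZE (1..200)
        raise BadDER("DisplayText size out of range")
    return text


def decode_notice_reference(tag, value):
    t, org, pos = read_tlv(value)
    organization = decode_display_text(t, org)
    t, nums, end = read_tlv(value, pos)
    if t != TAG_SEQ or end != len(value):
        raise BadDER("bad noticeNumbers")
    numbers, p = [], 0
    while p < len(nums):
        t, v, p = read_tlv(nums, p)
        if t != TAG_INTEGER:
            raise BadDER("noticeNumbers must be INTEGERs")
        numbers.append(int.from_bytes(v, "big", signed=True))
    return organization, numbers


# Template model: ordered (name, accepted tags, decoder) members, each OPTIONAL.
FULL_TEMPLATE = [("noticeRef", {TAG_SEQ}, decode_notice_reference),
                 ("explicitText", DISPLAYTEXT_TAGS, decode_display_text)]
# Hypothetical defective template (assumption, not NSS's actual definition):
# it has no member for explicitText, so it cannot consume a second element.
BROKEN_TEMPLATE = FULL_TEMPLATE[:1]


def decode_user_notice(der, template=FULL_TEMPLATE):
    """Mirror DecodeSequence: bytes left over that no member consumed -> BadDER."""
    tag, body, end = read_tlv(der)
    if tag != TAG_SEQ or end != len(der):
        raise BadDER("UserNotice must be a single SEQUENCE")
    result, pos = {}, 0
    for name, tags, decode in template:
        if pos >= len(body):
            break
        t, v, nxt = read_tlv(body, pos)
        if t in tags:  # OPTIONAL member present; otherwise leave pos unchanged
            result[name], pos = decode(t, v), nxt
    if pos != len(body):
        raise BadDER("extra data in the DER that the template doesn't know about")
    return result


def try_decode(der, template=FULL_TEMPLATE):
    """(True, result) or (False, message), like an rv / PORT_GetError pair."""
    try:
        return True, decode_user_notice(der, template)
    except BadDER as e:
        return False, str(e)


def sample_user_notice(with_notice_ref=True, with_explicit_text=True):
    """Constructed test vector, not the bytes from the certificate in the report."""
    members = b""
    if with_notice_ref:
        members += encode_tlv(TAG_SEQ, encode_tlv(TAG_UTF8, b"Example CA")
                              + encode_tlv(TAG_SEQ, encode_integer(1) + encode_integer(2)))
    if with_explicit_text:
        members += encode_tlv(TAG_UTF8, b"Certificate issued under the Example CA policy.")
    return encode_tlv(TAG_SEQ, members)


if __name__ == "__main__":
    both = sample_user_notice()
    print("full template:  ", try_decode(both))
    print("broken template:", try_decode(both, BROKEN_TEMPLATE))
    print("broken, one member:", try_decode(sample_user_notice(with_explicit_text=False), BROKEN_TEMPLATE))
```

The broken template decodes a notice that has only noticeRef without complaint, which is why such a defect survives until a certificate with both members shows up; the same input with both members present trips the leftover-bytes check, matching the SEC_ERROR_BAD_DER path quoted in the report.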
Comment 2 • 16 years ago (Reporter)

Comment on attachment 302755 [details] [diff] [review]
Fix CERT_UserNoticeTemplate

Thanks for the patch Kaspar. This patch changes code that was last changed for bug 324744, which was an RFE to enable generating this extension in certs with certutil. That work was reviewed by Julien, so he is the right person to review this patch. I think that certutil code will need to be retested.

Attachment #302755 - Flags: review?(julien.pierre.boogz)
Comment 3 • 16 years ago (Reporter)

Marking for 3.12 B2 since this is a regression affecting PSM.

Priority: -- → P1
Whiteboard: NSS312B2
Updated • 16 years ago (Assignee)

Attachment #302755 - Flags: review?(julien.pierre.boogz) → review+
Updated • 16 years ago (Assignee)

OS: Windows XP → All
Hardware: PC → All
Comment 4 • 16 years ago (Assignee)

I checked this in to the NSS trunk.

    Checking in polcyxtn.c;
    /cvsroot/mozilla/security/nss/lib/certdb/polcyxtn.c,v  <--  polcyxtn.c
    new revision: 1.11; previous revision: 1.10
    done

Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED