Closed Bug 416928 Opened 16 years ago Closed 16 years ago

DER decode error on this policy extension

Categories

(NSS :: Libraries, defect, P1)

defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: nelson, Assigned: julien.pierre)

References

()

Details

(Keywords: regression, Whiteboard: NSS312B2)

Attachments

(2 files)

The https server cert at https://www.startssl.com/ has a Certificate Policy
extension with 1 policy with 3 policy qualifiers, the last of which is a 
User Notice policy qualifier.  With FF2, NSS parses it and PSM's cert viewer reports:

 Not Critical
  1.3.6.1.4.1.23223.1.1.4:
  Certification Practice Statement pointer:
    http://cert.startcom.org/intermediate.pdf
  Certification Practice Statement pointer:
    http://cert.startcom.org/policy.pdf
  User Notice: <implementation limitation>

Evidently <Implementation limitation> is a string provided by PSM.

In FF3, PSM dumps the entire extension in Hex.

I dug into it with NSS's pp utility, and found that the function CERT_DecodeUserNotice is reporting failure.  It calls:

    rv = SEC_QuickDERDecodeItem(arena, userNotice, CERT_UserNoticeTemplate, 
			    &newNoticeItem);

which returns SECFailure.  I dug into that a bit, and found that the error
is being set in DecodeSequence, at this piece of code:

    {
        /* it isn't 100% clear whether this is a bad DER or a bad template.
           The problem is that logically, they don't match - there is extra
           data in the DER that the template doesn't know about */
        PORT_SetError(SEC_ERROR_BAD_DER);
        rv = SECFailure;
    }

I looked at the cert with various tools including dumpasn1, and looked at
the ASN1 definition in RFC 3280, and didn't immediately see any problem 
with the cert's extension.
(In reply to comment #0)
> I dug into it with NSS's pp utility, and found that the function
> CERT_DecodeUserNotice is reporting failure.  It calls:
> 
>     rv = SEC_QuickDERDecodeItem(arena, userNotice, CERT_UserNoticeTemplate, 
>                             &newNoticeItem);
> 
> which returns SECFailure.

It's a bug in that template, if both noticeRef and explicitText are included - see the attached patch, dug out from my collection.

> In FF3, PSM dumps the entire extension in Hex.

Attachment 293376 [details] (bug 408547) would actually help. But I'm getting tired of submitting patches which only get reviewed months later (if at all).
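Added example, not part of this bug report or of NSS: a toy template-driven DER SEQUENCE decoder in Python (the template format is invented) that reproduces the failure mode Kaspar describes, a UserNotice carrying both noticeRef and explicitText leaving bytes that a template listing only one member never consumes, which is the "extra data" branch quoted in comment 0.

```python
# Toy template-driven DER decoder (not NSS code). Tags follow RFC 3280
# UserNotice; the (name, tags, optional) template shape is invented.

SEQUENCE, INTEGER, IA5STRING, UTF8STRING = 0x30, 0x02, 0x16, 0x0C
DISPLAY_TEXT_TAGS = {0x16, 0x1A, 0x1E, 0x0C}  # IA5, Visible, BMP, UTF8

def tlv(tag, body):
    """Encode one short-form DER TLV (length < 128 is enough here)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def read_tlv(data, pos):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length = data[pos], data[pos + 1]
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos + 2:pos + 2 + n], "big")
        pos += n
    start = pos + 2
    return tag, data[start:start + length], start + length

def decode_sequence(der, template):
    """template: list of (name, accepted_tags, optional). Mirrors the
    DecodeSequence rule quoted in the bug: members the template does not
    know about leave unconsumed bytes, reported as BAD_DER."""
    tag, body, end = read_tlv(der, 0)
    if tag != SEQUENCE or end != len(der):
        return None, "BAD_DER: not a single SEQUENCE"
    out, pos = {}, 0
    for name, tags, optional in template:
        if pos < len(body) and body[pos] in tags:
            _, value, pos = read_tlv(body, pos)
            out[name] = value
        elif not optional:
            return None, "BAD_DER: missing " + name
    if pos != len(body):
        return None, "BAD_DER: extra data the template doesn't know about"
    return out, None

# Constructed sample: UserNotice { noticeRef, explicitText } per RFC 3280.
NOTICE_REF = tlv(SEQUENCE, tlv(IA5STRING, b"Example Org")
                 + tlv(SEQUENCE, tlv(INTEGER, b"\x01")))
USER_NOTICE = tlv(SEQUENCE, NOTICE_REF + tlv(UTF8STRING, b"See policy.pdf"))

CORRECT_TEMPLATE = [("noticeRef", {SEQUENCE}, True),
                    ("explicitText", DISPLAY_TEXT_TAGS, True)]
# A template that only knows explicitText fails on the sample above.
BROKEN_TEMPLATE = [("explicitText", DISPLAY_TEXT_TAGS, True)]
```

With CORRECT_TEMPLATE both members decode; with BROKEN_TEMPLATE the optional explicitText is skipped because the first member is a SEQUENCE, and the leftover bytes trigger the extra-data error.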
Comment on attachment 302755 [details] [diff] [review]
Fix CERT_UserNoticeTemplate

Thanks for the patch Kaspar.
This patch changes code that was last changed for bug 324744,
which was an RFE to enable generating this extension in certs 
with certutil.  That work was reviewed by Julien, so he is the 
right person to review this patch.  I think that certutil code
will need to be retested.
Attachment #302755 - Flags: review?(julien.pierre.boogz)
Marking for 3.12 B2 since this is a regression affecting PSM.
Priority: -- → P1
Whiteboard: NSS312B2
Attachment #302755 - Flags: review?(julien.pierre.boogz) → review+
OS: Windows XP → All
Hardware: PC → All
I checked this in to the NSS trunk.

Checking in polcyxtn.c;
/cvsroot/mozilla/security/nss/lib/certdb/polcyxtn.c,v  <--  polcyxtn.c
new revision: 1.11; previous revision: 1.10
done
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED