Bug 52210
Opened 24 years ago
Closed 23 years ago
Remove dependencies of O= in cert name from NSS
Categories
(NSS :: Libraries, defect, P3)
Tracking
(Not tracked)
RESOLVED
FIXED
3.3
People
(Reporter: stevepnscp, Assigned: rrelyea)
Attachments
(3 files)
522 bytes, patch
2.18 KB, patch
790 bytes, patch
In CERT_MakeCANickname(), there is still some code which assumes that the CA subject name has a certain composition. We have customers who want to create more flexible CAs, and this is a problem for them. In this particular case, the customer is using DC='s instead of O=, so 'CERT_GetOrgName()' returns null, and then so does CERT_MakeCANickname().
Comment 1•24 years ago (Reporter)
I should add that this then causes CERT_ImportCAChain() to return failure
Updated•24 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Target Milestone: --- → 3.2
Comment 2•24 years ago (Reporter)
Comment 3•24 years ago (Reporter)
I have created a patch to allow the nickname to be created when the O= is missing. This solves the customer's problem for now. But the cert still must have either CN or OU in it. What if it's all DC? There needs to be a better scheme for nicknames. How about, if we can't make the nickname using our current algorithm, we just use the entire subject name for the nickname?
Comment 4•24 years ago (Reporter)
Hmm - that patch is bad since at the end of the code, it tries to PORT_Free() the memory. But you get the idea.
Updated•24 years ago
QA Contact: wtc → sonmi
Updated•24 years ago (Assignee)
Target Milestone: 3.2 → 3.3
Comment 5•24 years ago
Reassigning to myself since it's a JSS deliverable.
Assignee: relyea → nicolson
Comment 6•24 years ago
Comment 7•24 years ago
The proposed patch will use the full subject name, encoded in RFC1485, if the components that are usually used are missing. We need to get this change reviewed, approved, and checked in, and NSS needs to be respun for CMS.
Comment 8•23 years ago (Assignee)
Hmm. I talked to Steve about this; I didn't realize you had a patch in the bug. I don't think the full DN is necessary as the loop will pick up a counter to make sure the nickname is unique. Here's my proposed patch. bob
Assignee: nicolson → relyea
Comment 9•23 years ago (Assignee)
Comment 10•23 years ago (Assignee)
Fixed in NSS 3.3 and 2.8.5
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
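The nickname fallback discussed in comments 3, 7 and 8, as an added example that is not part of this bug thread and is not NSS code: a simplified C model in which `dn_get`, `make_ca_nickname`, the `require_org` switch, the `used` list and the ` #n` suffix format are all assumptions made for illustration. It takes O=, then CN=, then OU=, then the whole subject string, and appends a counter until the nickname is unique.

```c
#include <stdio.h>
#include <string.h>

/* First value of attribute `type` in a simple comma-separated DN (no escapes). */
static int dn_get(const char *dn, const char *type, char *out, size_t outlen)
{
    size_t tlen = strlen(type);
    for (const char *p = dn; *p; p += strcspn(p, ",")) {
        p += strspn(p, ", ");                      /* skip separators */
        if (strncmp(p, type, tlen) == 0 && p[tlen] == '=') {
            const char *v = p + tlen + 1;
            snprintf(out, outlen, "%.*s", (int)strcspn(v, ","), v);
            return 1;
        }
    }
    return 0;
}

/* Hypothetical model, not NSS code. require_org=1: reported behaviour (no O=
 * means failure); 0: fallbacks from the comments. `used`: existing nicknames. */
int make_ca_nickname(const char *dn, int require_org, const char *const *used,
                     size_t n_used, char *out, size_t outlen)
{
    char base[256];
    if (!dn || !*dn) return -1;
    if (!dn_get(dn, "O", base, sizeof base)) {
        if (require_org) return -1;                /* CA chain import fails */
        if (!dn_get(dn, "CN", base, sizeof base) &&
            !dn_get(dn, "OU", base, sizeof base))
            snprintf(base, sizeof base, "%s", dn); /* all-DC: whole subject */
    }
    for (int count = 1; count < 1000; count++) {   /* counter keeps it unique */
        int len = count == 1 ? snprintf(out, outlen, "%s", base)
                             : snprintf(out, outlen, "%s #%d", base, count);
        if (len < 0 || (size_t)len >= outlen) return -1;  /* would truncate */
        size_t i = 0;
        while (i < n_used && strcmp(out, used[i]) != 0) i++;
        if (i == n_used) return 0;                 /* no collision */
    }
    return -1;
}

int main(void)
{
    const char *used[] = { "Example CA" };         /* constructed sample */
    char nick[64] = "";
    make_ca_nickname("CN=Example CA, DC=example", 0, used, 1, nick, sizeof nick);
    return puts(nick) == EOF;                      /* prints: Example CA #2 */
}
```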