Bug 840714 (Closed)
certutil -a does not produce ASCII output
Opened 11 years ago, closed 11 years ago
Categories: NSS :: Tools, defect, P1
Tracking: Not tracked
Status: RESOLVED FIXED, 3.14.3
People: Reporter: elio.maldonado.batiz, Assigned: elio.maldonado.batiz
Keywords: regression
Attachments (1 file, 1 obsolete file): 804 bytes, patch; briansmith: review+
Reported by Rob Crittenden 2013-02-12 16:59:49 EST

Description of problem:
certutil -a does not produce a base64-encoded CSR wrapped with BEGIN/END blocks, it produces garbage.

Version-Release number of selected component (if applicable):
nss-tools-3.14.2-2.fc18.x86_64

How reproducible:
Every time

Steps to Reproduce:
1. mkdir /tmp/db && cd /tmp/db
2. certutil -N -d . (set no password)
3. /usr/bin/certutil -d . -R -k rsa -g 2048 -s 'CN=IPA RA,O=EXAMPLE.COM' -z /etc/group -a

Actual results:
Generating key. This may take a few moments...
Ȼ�n�Ȼ�n���@��@@�En�����n����n�)�;�}�Pa�W!YTހ�Y��#D��/10AЯ@�@�#n�����0A�@q�n��n��P��@�h��n�h��n����

Expected results:
Generating key. This may take a few moments...

Certificate request generated by Netscape certutil
Phone: (not specified)
Common Name: IPA RA
Email: (not specified)
Organization: EXAMPLE.COM
State: (not specified)
Country: (not specified)

-----BEGIN NEW CERTIFICATE REQUEST-----
...
-----END NEW CERTIFICATE REQUEST-----
Updated • 11 years ago (Assignee)
Summary: c certutil -a does not produce ASCII outpu → certutil -a does not produce ASCII output

Updated • 11 years ago (Assignee)
Severity: normal → major
Priority: -- → P1

Updated • 11 years ago (Assignee)
Assignee: nobody → bsmith

Updated • 11 years ago (Assignee)
Status: NEW → ASSIGNED

Comment 1 • 11 years ago
I'm guessing this is assigned to me because it is a regression from bug 818410. I will take a look.
Blocks: 818410

Comment 2 • 11 years ago (Assignee)
Yes, it is a regression and I think I know the cause. A patch next.

Comment 3 • 11 years ago (Assignee)
SECITEM_AllocItem doesn't zeroize so the if (!result->data) fails and the copies are skipped.

Comment 4 • 11 years ago (Assignee)
As Brian pointed out, the patch ignored the fact that SECITEM_AllocItem could fail, and just dropping the ! from (!result->data) does the fix.
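
The inverted test discussed in comments 3 and 4, modelled in C as an added example; it is not the certutil.c code or the attached patch. `Item`, `alloc_item`, `copy_parts`, `armor_buggy`, `armor_fixed` and `is_ascii` are hypothetical names, and the 0xA5 fill is an assumption standing in for whatever an uncleared heap buffer happens to hold.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical stand-in for a length-tagged buffer; not the NSS SECItem. */
typedef struct { unsigned char *data; size_t len; } Item;
static const char HDR[] = "-----BEGIN NEW CERTIFICATE REQUEST-----\n";
static const char TRL[] = "\n-----END NEW CERTIFICATE REQUEST-----\n";
/* Allocator that does not clear memory; the 0xA5 fill models stale heap bytes. */
static void alloc_item(Item *it, const char *body) {
    it->len = strlen(HDR) + strlen(body) + strlen(TRL);
    it->data = malloc(it->len);
    if (it->data) memset(it->data, 0xA5, it->len); else it->len = 0;
}
static void copy_parts(Item *out, const char *body) {
    size_t hl = strlen(HDR), bl = strlen(body);
    memcpy(out->data, HDR, hl);
    memcpy(out->data + hl, body, bl);
    memcpy(out->data + hl + bl, TRL, strlen(TRL));
}

/* Inverted test: the copies run only if allocation failed (and would then
 * write through NULL). On success the buffer goes out unfilled. */
int armor_buggy(Item *out, const char *body) {
    alloc_item(out, body);
    if (!out->data) copy_parts(out, body);
    return out->data ? 0 : -1;
}

/* Corrected sense: fill the buffer only when it was actually allocated. */
int armor_fixed(Item *out, const char *body) {
    alloc_item(out, body);
    if (out->data) copy_parts(out, body);
    return out->data ? 0 : -1;
}

/* 1 if every byte is printable ASCII or newline, which is what -a should emit. */
int is_ascii(const Item *it) {
    for (size_t i = 0; i < it->len; i++)
        if (it->data[i] != '\n' && (it->data[i] < 0x20 || it->data[i] > 0x7e)) return 0;
    return it->len > 0;
}

int main(void) {
    Item bad, good;   /* the body below is a constructed sample, not a real CSR */
    armor_buggy(&bad, "Q09OU1RSVUNURUQ=");
    armor_fixed(&good, "Q09OU1RSVUNURUQ=");
    printf("buggy ascii=%d fixed ascii=%d\n", is_ascii(&bad), is_ascii(&good));
    free(bad.data); free(good.data);
    return 0;
}
```

A check like `is_ascii` on the tool's output is the kind of regression test that would have caught this before release.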

Comment 5 • 11 years ago (Assignee)
Attachment #713228 - Flags: review?(bsmith)

Updated • 11 years ago (Assignee)
Attachment #713228 - Attachment is obsolete: true
Attachment #713228 - Flags: review?(bsmith)

Comment 6 • 11 years ago
Comment on attachment 713228
switch the sense of the test

Elio, did you accidentally mark this patch obsolete instead of the previous one?

This patch looks like the right thing to do to me. However, I didn't test whether certutil actually produces the right output.
Attachment #713228 - Flags: review+

Updated • 11 years ago (Assignee)
Attachment #713228 - Attachment is obsolete: false

Updated • 11 years ago (Assignee)
Attachment #713191 - Attachment is obsolete: true
Comment 7•11 years ago
|
||
Yes, I testded ./certutil -d . -R -k rsa -g 2048 -s 'CN=IPA RA,O=EXAMPLE.COM' -z /etc/group -a Generating key. This may take a few moments... Certificate request generated by Netscape certutil Phone: (not specified) Common Name: IPA RA Email: (not specified) Organization: EXAMPLE.COM State: (not specified) Country: (not specified) -----BEGIN NEW CERTIFICATE REQUEST----- MIICbDCCAVQCAQAwJzEUMBIGA1UEChMLRVhBTVBMRS5DT00xDzANBgNVBAMTBklQ QSBSQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANjx4xRv/id09FPd Zf11g4MXXgUl9HQHtqId+wKdqjKoXT1xfRd2drSXerCLjueOaDxBmjyWYZgxpYmI Bi/ktkYwfu8gKhRVRPFRGoM8AIRi0R0b0y2ImCyegzuZLJCEZDe8wZZFo0dowR6G uaNVfUDYTDR5WpPmFyy8jY044LA/8xWGioxK3GwVqkvfe7L/q7D51nMEw9WeP0Vi 8f0Q2IUwipvikC4yHic7gKgv+1v8Tkr/p50qUwFndkCyahuct1QjERUtHDOQyyaZ NbKdNDJM+x2kr/Q1GlV5LgdGJWrcg0LBo6/lpS51M0tVesBcsp7oneSoK38VWTb6 iSbFyV0CAwEAAaAAMA0GCSqGSIb3DQEBBQUAA4IBAQDF0lQEQ27kgIYqkp6U9Zgv B4bXy4QiWgER1HXbe5HGaCiNpLqz4PN4qaWP6L/PO/gYWr9EOwHuQLWkFSQ6/VZY 6O/pi3Od6z0OhGz5vWB08Nb+tggP/so0dnQ8nDlLz+3f97ADcRRXn+p7lpe9W148 uULLrgyMKGDHYsmUi1Lyi5yZ7A0/o0Isn3BFcPVvC3Z6ZPKS+y7Bt/Q/TB5VN3KY kEXHisdUrZpynVFrhX9raiUnRyTX1J9Za79alX33YF23TOgTo126mfjPU/qzKOu7 /TNNOyO980Wdpo49eeCsPOGpESDVHk+o8zXVq/Is8WDT4Gm7z/Q10iPgskoghYU0 -----END NEW CERTIFICATE REQUEST----- pasted into pem ecoded part into a file [emaldona@dhcp-32-223 bin]$ vi test.req.pem [emaldona@dhcp-32-223 bin]$ pp -t certificate-request -i test.req.pem pp: problem converting data (security library: improperly formatted DER-encoded message.) 
[emaldona@dhcp-32-223 bin]$ pp -t certificate-request -i test.req.pem -a Certificate Request: Data: Version: 0 (0x0) Subject: "CN=IPA RA,O=EXAMPLE.COM" Subject Public Key Info: Public Key Algorithm: PKCS #1 RSA Encryption RSA Public Key: Modulus: d8:f1:e3:14:6f:fe:27:74:f4:53:dd:65:fd:75:83:83: 17:5e:05:25:f4:74:07:b6:a2:1d:fb:02:9d:aa:32:a8: 5d:3d:71:7d:17:76:76:b4:97:7a:b0:8b:8e:e7:8e:68: 3c:41:9a:3c:96:61:98:31:a5:89:88:06:2f:e4:b6:46: 30:7e:ef:20:2a:14:55:44:f1:51:1a:83:3c:00:84:62: d1:1d:1b:d3:2d:88:98:2c:9e:83:3b:99:2c:90:84:64: 37:bc:c1:96:45:a3:47:68:c1:1e:86:b9:a3:55:7d:40: d8:4c:34:79:5a:93:e6:17:2c:bc:8d:8d:38:e0:b0:3f: f3:15:86:8a:8c:4a:dc:6c:15:aa:4b:df:7b:b2:ff:ab: b0:f9:d6:73:04:c3:d5:9e:3f:45:62:f1:fd:10:d8:85: 30:8a:9b:e2:90:2e:32:1e:27:3b:80:a8:2f:fb:5b:fc: 4e:4a:ff:a7:9d:2a:53:01:67:76:40:b2:6a:1b:9c:b7: 54:23:11:15:2d:1c:33:90:cb:26:99:35:b2:9d:34:32: 4c:fb:1d:a4:af:f4:35:1a:55:79:2e:07:46:25:6a:dc: 83:42:c1:a3:af:e5:a5:2e:75:33:4b:55:7a:c0:5c:b2: 9e:e8:9d:e4:a8:2b:7f:15:59:36:fa:89:26:c5:c9:5d Exponent: 65537 (0x10001) Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption Signature: c5:d2:54:04:43:6e:e4:80:86:2a:92:9e:94:f5:98:2f: 07:86:d7:cb:84:22:5a:01:11:d4:75:db:7b:91:c6:68: 28:8d:a4:ba:b3:e0:f3:78:a9:a5:8f:e8:bf:cf:3b:f8: 18:5a:bf:44:3b:01:ee:40:b5:a4:15:24:3a:fd:56:58: e8:ef:e9:8b:73:9d:eb:3d:0e:84:6c:f9:bd:60:74:f0: d6:fe:b6:08:0f:fe:ca:34:76:74:3c:9c:39:4b:cf:ed: df:f7:b0:03:71:14:57:9f:ea:7b:96:97:bd:5b:5e:3c: b9:42:cb:ae:0c:8c:28:60:c7:62:c9:94:8b:52:f2:8b: 9c:99:ec:0d:3f:a3:42:2c:9f:70:45:70:f5:6f:0b:76: 7a:64:f2:92:fb:2e:c1:b7:f4:3f:4c:1e:55:37:72:98: 90:45:c7:8a:c7:54:ad:9a:72:9d:51:6b:85:7f:6b:6a: 25:27:47:24:d7:d4:9f:59:6b:bf:5a:95:7d:f7:60:5d: b7:4c:e8:13:a3:5d:ba:99:f8:cf:53:fa:b3:28:eb:bb: fd:33:4d:3b:23:bd:f3:45:9d:a6:8e:3d:79:e0:ac:3c: e1:a9:11:20:d5:1e:4f:a8:f3:35:d5:ab:f2:2c:f1:60: d3:e0:69:bb:cf:f4:35:d2:23:e0:b2:4a:20:85:85:34 Fingerprint (MD5): BE:3F:35:05:B7:39:44:86:58:44:CD:99:FB:F2:AD:50 Fingerprint (SHA1): 
9B:BF:32:E8:70:A3:D3:D2:43:AD:7B:77:8A:B5:27:4A:47:45:63:29 I won't check it the patch just yet. I better test some more and compare outpout with older versions. Call me paranoid.

Comment 8 • 11 years ago (Assignee)
After comparing against older versions I'm happy with the patch.

Comment 9 • 11 years ago
Who will check it in? Given this is a regression with a trivial fix, I propose to include it in the 3.14.3.
Keywords: regression
Target Milestone: --- → 3.14.3

Updated • 11 years ago (Assignee)
Assignee: bsmith → emaldona

Comment 10 • 11 years ago
I confirmed this is a regression in NSS 3.14.2, introduced in certutil.c, rev. 1.165. By our policy the fix is eligible for inclusion in NSS 3.14.3. Elio, please check this in after you have tested this.

Comment 11 • 11 years ago (Assignee)
Checked in to TRUNK for NSS_3.4.3_RTM:

Checking in certutil.c;
/cvsroot/mozilla/security/nss/cmd/certutil/certutil.c,v <-- certutil.c
new revision: 1.167; previous revision: 1.166
done

Updated • 11 years ago
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED