Closed
Bug 958401
Opened 10 years ago
Closed 10 years ago
pkix_pl_AIAMgr_GetLDAPCerts or pkix_pl_AiaMgr_FindLDAPClient should check for an empty |domainName|
Categories
(NSS :: Libraries, defect, P2)
Tracking
(Not tracked)
RESOLVED FIXED
Target Milestone: 3.15.5
People
(Reporter: wtc, Assigned: wtc)
Attachments
(1 file, 3 obsolete files)
2.05 KB, patch | wtc: checked-in+
LDAP URLs are specified in RFC 4516 (http://tools.ietf.org/html/rfc4516). The <host> component of a LDAP URL is optional. If <host> is missing, it means:

    <host>
    If no <host> is given, the client must have some a priori knowledge of an appropriate LDAP server to contact.

The RFC gives an example:

    ... The first example is an LDAP URL referring to the University of Michigan entry, available from an LDAP server of the client's choosing:

    ldap:///o=University%20of%20Michigan,c=US

Here is an example from the AIA extension of a real certificate:

    ldap:///CN=Northrop%20Grumman%20Corporation%20Issuing%20CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=configuration,DC=northgrum,DC=com?cACertificate?base?objectClass=certificationAuthority

pkix_pl_AIAMgr_GetLDAPCerts, or the pkix_pl_AiaMgr_FindLDAPClient function it calls, should check for an empty |domainName|. Since libpkix doesn't have a way to specify a default LDAP server, it should fail with the SEC_ERROR_BAD_INFO_ACCESS_LOCATION error. (We probably should add a SEC_ERROR_UNSUPPORTED_INFO_ACCESS_LOCATION error.)
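The check the report asks for, written here as an added standalone C example (not NSS's code): it extracts the <host> of an RFC 4516 URL and rejects the empty-host form `ldap:///...` with a status code instead of trying to contact a server, since there is no default LDAP server to fall back on. The enum, the function name and the sample hostnames are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Status codes for this example only (hypothetical, not NSS SECErrorCodes). */
enum aia_ldap_status {
    AIA_LDAP_OK = 0,
    AIA_LDAP_NOT_LDAP_URL = 1,   /* scheme is not "ldap://" */
    AIA_LDAP_BAD_LOCATION = 2    /* host omitted and no default server exists */
};
/* Copy the <host> of ldap://<host>[:port]/<dn>?... into host_out (port
 * stripped, IPv6 brackets kept). Returns AIA_LDAP_BAD_LOCATION when the
 * host is empty, as in "ldap:///o=...": the case the bug report wants
 * rejected because libpkix cannot choose a server on its own. */
int aia_ldap_url_host(const char *url, char *host_out, size_t host_len)
{
    const char *p, *end, *sep;
    size_t n;
    if (strncmp(url, "ldap://", 7) != 0)
        return AIA_LDAP_NOT_LDAP_URL;
    p = url + 7;
    end = strchr(p, '/');              /* hostport ends at the first '/' */
    if (end == NULL)
        end = p + strlen(p);           /* "ldap://host" with no DN part */
    n = (size_t)(end - p);
    if (n == 0)
        return AIA_LDAP_BAD_LOCATION;  /* "ldap:///...": empty host */
    if (p[0] == '[') {                 /* IPv6 literal: host ends at ']' */
        sep = memchr(p, ']', n);
        if (sep == NULL)
            return AIA_LDAP_BAD_LOCATION;
        n = (size_t)(sep - p) + 1;
    } else {                           /* drop an optional ":port" */
        sep = memchr(p, ':', n);
        if (sep != NULL)
            n = (size_t)(sep - p);
    }
    if (n == 0 || n >= host_len)
        return AIA_LDAP_BAD_LOCATION;  /* ":389/..." or host too long */
    memcpy(host_out, p, n);
    host_out[n] = '\0';
    return AIA_LDAP_OK;
}

int main(void)
{
    char host[256];
    const char *u = "ldap:///o=University%20of%20Michigan,c=US"; /* RFC 4516 example */
    printf("%s -> status %d\n", u, aia_ldap_url_host(u, host, sizeof host));
    return 0;
}
```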
Comment 1 • 10 years ago (Assignee)
Attachment #8358481 - Flags: review?(ryan.sleevi)
Comment 2 • 10 years ago (Assignee)
Added a comment to explain why I chose that PKIX error code.
Attachment #8358481 - Attachment is obsolete: true
Attachment #8358481 - Flags: review?(ryan.sleevi)
Attachment #8358484 - Flags: review?(ryan.sleevi)
Comment 3 • 10 years ago
Comment on attachment 8358484 [details] [diff] [review]
Patch v1.1

Review of attachment 8358484 [details] [diff] [review]:
-----------------------------------------------------------------

r+, but a question about the Note that, if correct, suggests the "Note" portion should just be deleted.

::: lib/libpkix/pkix_pl_nss/module/pkix_pl_aiamgr.c
@@ +164,5 @@
> + * LDAP server, so we don't support this kind of LDAP URL.
> + * Note: pkix_pl_InfoAccess_ParseLocation parses this kind of URL into
> + * an empty 'domainName' string. With OpenLDAP and Windows, you pass a
> + * NULL 'host' or 'HostName' argument to ldap_init in this case.
> + */

I don't fully understand the "Note" comment. Are you trying to describe how it *could* be supported?
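Review bot: The comment block at @@ +164,5 @@ says this kind of LDAP URL is not supported but never names the error the caller gets back, so a reader of the code cannot tell which failure maps to a host-less AIA location; consider stating the error in the comment (the bug description proposes SEC_ERROR_BAD_INFO_ACCESS_LOCATION), e.g. "so we reject it with SEC_ERROR_BAD_INFO_ACCESS_LOCATION". The Note about passing a NULL 'host' or 'HostName' to ldap_init describes OpenLDAP and Windows behaviour rather than this code path, which is why it reads as a hint at how support could be added; either say explicitly that it is background only or drop it.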
Attachment #8358484 - Flags: review?(ryan.sleevi) → review+
Comment 4 • 10 years ago (Assignee)
I tried to clarify the "Note" comment. Hopefully I didn't make it worse.
Attachment #8358484 - Attachment is obsolete: true
Attachment #8358741 - Flags: review?(ryan.sleevi)
Comment 5 • 10 years ago (Assignee)
I decided to just delete the "Note" comment. It's not that important and the info can be found in this bug report in patch v2 (attachment 8358741 [details] [diff] [review]).

Patch checked in: https://hg.mozilla.org/projects/nss/rev/f5849acd1dfb
Attachment #8358741 - Attachment is obsolete: true
Attachment #8358741 - Flags: review?(ryan.sleevi)
Attachment #8359936 - Flags: checked-in+
Updated • 10 years ago (Assignee)
Status: NEW → RESOLVED
Closed: 10 years ago
Priority: -- → P2
Resolution: --- → FIXED
Target Milestone: --- → 3.15.5
Updated • 10 years ago
Target Milestone: 3.15.5 → 3.16
Updated • 10 years ago (Assignee)
Target Milestone: 3.16 → 3.15.5