Closed Bug 1017544 Opened 10 years ago Closed 8 years ago

GeoTrust: Invalid encoding in certificates

Categories

(CA Program :: CA Certificate Root Program, task)

Product:
CA Program
Component:
CA Certificate Root Program
Type:
task
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED WORKSFORME

People

(Reporter: kurt, Assigned: rick_andrews)

References

Details

(Whiteboard: BR Compliance)

Attachments

(1 file)

invalid_encoding2.pem
1.83 KB, application/x-x509-ca-cert
Details 
I'm seeing certificates with an invalid encoding from the following path:
CN = GeoTrust Primary Certification Authority, O = GeoTrust Inc., C = US
CN = GeoTrust EV SSL CA - G4, O = GeoTrust Inc., C = US

Firefox shows an example certificate as:
L = Düsseldorf
and:
Object Identifier (1 3 6 1 4 1 311 60 2 1 1) = Düsseldorf

The second string is claimed to be a T61String, but the content appears to be  an UTF8String.
Rick, Would you please have someone from Symantec investigate and resolve this bug?
Assignee: kwilson → rick_andrews
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: BR Compliance
Hostname, please?
Flags: needinfo?(kurt)
Attached file invalid_encoding2.pem 
Flags: needinfo?(kurt)

    
    

    
  
Thanks, we're investigating.

Ironically, I could not open the attachment in Firefox: "This is not a certificate authority certificate, so it can't be imported into the certificate authority list." I had to use IE.

    
    

    
  
(In reply to Kurt Roeckx from comment #0)
> The second string is claimed to be a T61String, but the content appears to
> be  an UTF8String.

FWIW, that's actually a long-standing issue with Verisign/Thawte/Geotrust certs, see e.g. bug 443830 comment 4 and bug 458745.

    
  
Blocks: BR-Compliance

    
    

    
  
Rick: any news?

Gerv

    
    

    
  
This is essentially a duplicate of https://bugzilla.mozilla.org/show_bug.cgi?id=1017550. We addressed the root cause in our 12/9/2015 release. The behavior was triggered when certain manual edits were performed on the certificate order before issuance. This has been addressed, so there should be no case in which we use the T61String type.
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → WORKSFORME

    
  
Product: mozilla.org → NSS
Product: NSS → CA Program

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: