Open Bug 1319000 Opened 8 years ago Updated 2 years ago

Cache of database is broken in the case of same subjects and different nickname.

Categories

(NSS :: Libraries, defect, P3)

Product:
NSS
Component:
Libraries
Version:
3.27
Type:
defect

Tracking

(Not tracked)

Status:
UNCONFIRMED

People

(Reporter: fryasu, Unassigned)

References

(Blocks 1 open bug)

Details

Attachments

(2 files)

nsstest_PK11_FindCertFromNickname.c
1.14 KB, text/x-csrc
Details
nss-3.28.4.duplicated_subject-tdcache.mozbugzilla1319000.patch
9.57 KB, patch
Details | Diff | Splinter Review
User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0 Build ID: 20161031141208 Steps to reproduce: When the two certificates which has same subject and different issuer are imported with different nickname, results of PK11_FindCertFromNickname() differ between the first time and the second time. STEP1. creating two CAs $ openssl genrsa 2048 > pki/ca1/ca.key $ openssl req -new -x509 -key pki/ca1/ca.key -out pki/ca1/ca.crt -days 365 -subj "/CN=CA1" $ openssl genrsa 2048 > pki/ca2/ca.key $ openssl req -new -x509 -key pki/ca2/ca.key -out pki/ca2/ca.crt -days 365 -subj "/CN=CA2" STEP2. creating two certificates with same subject with each CAs. $ openssl genrsa 2048 > pki/server1.key $ openssl req -subj "/CN=server" -new -key pki/server1.key > pki/server1.csr $ openssl ca -days 3650 -subj "/CN=server" -keyfile pki/ca1/ca.key -cert pki/ca1/ca.crt -in pki/server1.csr -batch > pki/server1.crt $ openssl x509 -in pki/server1.crt -noout -text |grep -e Subject: -e Issuer: Issuer: CN=CA1 Subject: CN=server $ openssl genrsa 2048 > pki/server2.key $ openssl req -subj "/CN=server" -new -key pki/server2.key > pki/server2.csr $ openssl ca -days 3650 -subj "/CN=server" -keyfile pki/ca2/ca.key -cert pki/ca2/ca.crt -in pki/server2.csr -batch > pki/server2.crt $ openssl x509 -in pki/server2.crt -noout -text |grep -e Subject: -e Issuer: Issuer: CN=CA2 Subject: CN=server STEP3. Imports each certificate with different nickname. $ certutil -d sql:pki/nss -N --empty-password $ certutil -d sql:pki/nss -E -i pki/server1.crt -n server1 -t u,u,u $ certutil -d sql:pki/nss -E -i pki/server2.crt -n server2 -t u,u,u $ certutil -d sql:pki/nss -L Certificate Nickname Trust Attributes server1 ,, server2 ,, STEP4. Please build the attached test code which is PK11_FindCertFromNickname() loop. $ gcc -Wall -std=gnu99 -Wall nsstest_PK11_FindCertFromNickname.c -o nsstest_PK11_FindCertFromNickname \ -I /usr/include/nss3/ -I /usr/include/nspr4/ -lnss3 -lnspr4 STEP5. Runs the test $ ./nsstest_PK11_FindCertFromNickname sql:pki/nss/ server1 server2 ---- [0] first loop ----- - in: nickname='server1' - out: nickname='server1' (0x...9b0), Subject='CN=server', Issuer='CN=CA1' OK - in: nickname='server2' - out: nickname='server2' (0x...210), Subject='CN=server', Issuer='CN=CA2' OK ---- [1] second loop (after cached) ----- - in: nickname='server1' - out: nickname='server2' (0x...210), Subject='CN=server', Issuer='CN=CA2' *ERR* - in: nickname='server2' - out: nickname='server2' (0x...210), Subject='CN=server', Issuer='CN=CA2' OK We doubt nss/lib/pki/tdcache.c behavior. Actual results: In the first loop, PK11_FindCertFromNickname("server1") returns the "server1" certificate. But in the second loop, PK11_FindCertFromNickname("server1") returns the unexpected "server2" certificate. Expected results: the result of second loop shoud be same with first loop's.
Priority: -- → P3
We could make the small patch, we'll be happy if it will be of any help. About cache handling, the following correction was added. before: share the values among the subject cache and nickname cache. after: make the nickname cache indepent from the subject cache. target: - remove_nickname_entry() - add_nickname_entry() because it's necessary of the reverse resolution from certificate to nickname, also following is corrected. before: from one certificate, acquire the entry of subject cache, and acquires the nickname from this entry. after: acquires the nickname from cache of issuer+serial_no cache. target: - remove_subject_to_cache() - add_subject_to_cache() - remove_issuer_and_serial_entry() - add_issuer_and_serial_entry() best regards,
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: