RFE: better parsing and display of certificates



17 years ago
14 years ago


(Reporter: bill, Assigned: Nelson Bolyard (seldom reads bugmail))


Windows 2000
Dependency tree / graph

Firefox Tracking Flags

(Not tracked)


(Whiteboard: [cert])


(1 attachment, 6 obsolete attachments)



17 years ago
I'd like more verbose printing of the various values inside certificates. 
OpenSSL, for example, prints out information like keysize, certificate policy,
CRL distribution point, AKI, basic constraints, etc.

certutil (and possibly NSM) should crack open and parse as many OIDs as possible.

OpenSSL parsing of the AOLTW Intranet root:
OpenSSL> x509 -text -in /tmp/cert
        Version: 3 (0x2)
        Serial Number: 33554918 (0x20001e6)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=GTE Corporation, CN=GTE CyberTrust Root
            Not Before: Jun  1 12:47:00 2001 GMT
            Not After : Jun  1 23:59:00 2004 GMT
        Subject: C=US, ST=CA, L=Mountain View, O=America Online Inc, OU=AOL
Technologies, CN=Intranet Certificate Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 CRL Distribution Points:

            X509v3 Subject Key Identifier:
            X509v3 Certificate Policies:
            X509v3 Authority Key Identifier:
                DirName:/C=US/O=GTE Corporation/CN=GTE CyberTrust Root

            X509v3 Private Key Usage Period:
                Not Before: Jun  1 12:47:30 2001 GMT, Not After: Sep  1 23:59:00
2003 GMT
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints:
                CA:TRUE, pathlen:1
    Signature Algorithm: sha1WithRSAEncryption


17 years ago
Severity: normal → enhancement
Ever confirmed: true

Comment 1

16 years ago
Changed the QA contact to Bishakha.
QA Contact: sonja.mirtitsch → bishakhabanerjee


16 years ago
Priority: -- → P2
Whiteboard: [cert]
Target Milestone: --- → 3.6


16 years ago
Target Milestone: 3.6 → Future

Comment 2

15 years ago

NSS's certutil and pp programs need to do a MUCH better job of telling you 
what's in a cert, and what it means.  It's way better in NSS 3.9 than before, 
but it still has a long ways to go.  
Assignee: wchang0222 → MisterSSL
Target Milestone: Future → 3.9.1

Comment 3

15 years ago
BTW, I believe the example cert shown above is invalid.
More specifically, I believe the certificatePolicies extension contains
an improperly encoded PolicyQualifierInfo.

The extension looks like this:

 567 30  102:         SEQUENCE {
 569 06    3:           OBJECT IDENTIFIER certificatePolicies (2 5 29 32)
            :             (X.509 id-ce (2 5 29))
 574 04   95:           OCTET STRING, encapsulates {
 576 30   93:               SEQUENCE {
 578 30   70:                 SEQUENCE {
 580 06   10:                   OBJECT IDENTIFIER '1 2 840 113763 1 2 1 5'
 592 30   56:                   SEQUENCE {
 594 30   54:                     SEQUENCE {
 596 06    8:                       OBJECT IDENTIFIER cps (1 3 6 1 5 5 7 2 1)
            :                         (PKIX policy qualifier)
 606 16   42:                       IA5String
            :                   'http://www.baltimore.com/CPS/OmniRoot.html'
            :                       }
            :                     }
            :                   }
 650 30   19:                 SEQUENCE {
 652 06    3:                   OBJECT IDENTIFIER '1 2 3 4'
 657 30   12:                   SEQUENCE {
 659 30   10:                     SEQUENCE {
 661 06    8:                       OBJECT IDENTIFIER cps (1 3 6 1 5 5 7 2 1)
            :                         (PKIX policy qualifier)
            :                       }
            :                     }
            :                   }
            :                 }
            :               }
            :           }

This extension contains 2 "PolicyInformation" sequences, one with OID 
'1 2 840 113763 1 2 1 5' and one with OID '1 2 3 4'.  Each of those contains
a PolicyQualifierInfo sequence.  A PolicyQualifierInfo contains TWO parts:
  - The policyqualifierID, which is an OID, and 
  - The "qualifier", which is "ANY DEFINED BY policyQualifierId"
Neither part is OPTIONAL.  

The second PolicyInformation's  PolicyQualifierInfo sequence contains 
only the policyqualifierID, and not the qualifier.  
It has been encoded as if the qualifier is OPTIONAL, which it is not.

We can make NSS accept this PolicyQUalifierInfo by changing the ASN.1 
decoder template to declare qualifier to be OPTIONAL, but I think we 
should not do this unless real CAs have issued many such certs.  (Have they?)

Comment 4

15 years ago
*** Bug 222124 has been marked as a duplicate of this bug. ***

Comment 5

15 years ago
I have enhanced the cert parsing/printing in pp and certutil quite a bit.
I will attach a patch shortly.
There is more work to do, but I want to checkin what is done thus far,
because it is a big improvement (IMhO). 
Summary: RFE: better parsing of certificates → RFE: better parsing and display of certificates

Comment 6

15 years ago
Created attachment 139547 [details] [diff] [review]
patch part 1 - v1

Comment 7

15 years ago
Comment on attachment 139547 [details] [diff] [review]
patch part 1 - v1

Wan-Teh, please review.

Synopsis of patch.  This patch

1. Moves all the code that parses a Policies extension out of secutil.c and 
into the new file pppolicy.c, and extends the code substantially there.  

2. Renames secu_PrintString, secu_PrintAny and secu_PrintPolicy by upshifting 
the prefix, and puts the declarations for these functions into secutil.h

3. Improves the printing of basic constraints, 
4. Adds printing of X509 Key Usage extension
5. Adds printing of optional issuer and subject unique IDs.
6. Recursively decodes certain content that previously was merely dumped in
7. Is smarter about printing printable strings as strings, vs hex dumps.

Still to do:

1. Decode and print these extensions:
   a) authority key ID extension
   b) CRL distribution points
   c) subject alt name and issuer alt name
   d) name constraints 
   e) authority info access extension

2. export certain symbols from NSS shared libs that parse the above extensions
Attachment #139547 - Flags: review?(wchang0222)

Comment 8

15 years ago
Created attachment 139606 [details] [diff] [review]
patch part 2 - v1 Decode Authority Key ID

Comment 9

15 years ago
Created attachment 139652 [details] [diff] [review]
rollup patch - combines all changes so far

This patch includes changes to export symbols from NSS, and to make one 
existing private NSS header file public.

This work is still in development.  Just capturing the code here.


15 years ago
Attachment #139606 - Attachment is obsolete: true

Comment 10

15 years ago
retargetting to 3.10.  
Target Milestone: 3.9.1 → 3.10


15 years ago
Depends on: 231881

Comment 11

15 years ago
Created attachment 139775 [details] [diff] [review]
rollup patch v2 - all changes so far

This patch is getting much nearer to completion.  Since certain functions have
not yet been exported from the shared libs, this patch uses some awful hacks
to work around that.  After those functions have been properly exported, the
hacks will go away.
Attachment #139652 - Attachment is obsolete: true


15 years ago
Depends on: 124923

Comment 12

15 years ago
Created attachment 139955 [details] [diff] [review]
Rollup patch v3 

This patch is quite a bit smaller than the last one.  
This one depends on the patch for bug 231881 being checked in or applied.
That patch exports numerous functions from libNSS.

This patch is just capturing the current state of development.	
Bug 124923 must also be fixed before this bug/patch  will be finally ready
for review and checkin.
Attachment #139775 - Attachment is obsolete: true

Comment 13

15 years ago
Created attachment 140036 [details] [diff] [review]
patch for review

This patch depends on the patches for bug 124923 and bug 231881 being
checked in first.  Please review the patches for those bugs before 
reviewing this patch.  

This patch adds 2 source files to nss/cmd/lib.
One of them adds many OIDs to the dynamic OID table, so that the printing
code can print nice names instead of numeric OIDs.

The other one adds new code to parse extensions.  It parses cert policy
extensions in a way that is more tolerant of errors than the way the NSS
shared libraries do it.  This is helpful in diagnosing cert with poorly
formed extensions.  It also adds code to print the Private Key Usage Period
extension, which NSS parses but does not use.

Finally, this patch greatly extends the printing abilities of the code
in secutil.c.  Here is a list of enhancements:

- Print warning messages that are properly indendented.
- PrintAsHex notices when the buffer contains entirely printable characters,
and is larger than an int, and prints it as text in that case.
- PrintRawString now indents the string, rather than always printing it on 
a separate line.
- now prints decoded bit strings
- now prints BMP (UCS2) strings as strings (not as hex) when they contain only
printable ASCII characters.
- now prints Universal (UCS4) Strings as strings (not hex) when they contain
only printable ASCII characters.
- Decodes certain encoded data that was previously printed as hex.
- Generically decodes ASN.1 data, rather than merely printing an error, when
  the ASN.1 data doesn't fit a known template.	
- properly handles all optional components of basic constraints extensions.
- Prints the names of the bits in the X509 Key Usage extension.
- Prints General Names.
- Print Auth Key ID extensions
- Print subject and issuer alt name extensions
- Print CRL distribution points extensions
- format and print name constraints extensions
- print Authority Information Access extensions
- Print optional X509v2 subject and issuer Unique ID bit strings


15 years ago
Attachment #139547 - Attachment is obsolete: true
Attachment #139955 - Attachment is obsolete: true

Comment 14

15 years ago
Comment on attachment 140036 [details] [diff] [review]
patch for review

Please review.	This patch assumes that the patches for bug 124923 and bug
231881 are already applied.
Attachment #140036 - Flags: review?(wchang0222)

Comment 15

15 years ago
Comment on attachment 140036 [details] [diff] [review]
patch for review

I've reviewed this patch the best I can.  Bob would
be a better person to review the cert parsing and
display code.  Given the size of this patch and the
fact that it only affects our cert pretty-print tools,
I will not ask Bob to review it.  However, it is a
good idea for Bob to review the output of the patch
on a few sample certs.	Bob may want to do that in
lieu of a code review.

There are some minor issues and questions with this
patch, which I will give to Nelson offline.
Attachment #140036 - Flags: review?(wchang0222) → review+

Comment 16

15 years ago
Created attachment 140137 [details] [diff] [review]
patch with wtc's suggestions

Wanteh, although you gave r= to the previous patch, the number of changes
you suggested were sufficiently large that I felt it best to submit a second
patch here.  I incorporated nearly all your suggestions.

I decided to explicity call the new SECU_RegisterDynamicOids() function from
each program that needs it, rather than doing it implicitly inside SECU_Indent.

Nearly every nss cmd uses SECU_Indent, but rather few need the extra OIDs.
Attachment #140036 - Attachment is obsolete: true

Comment 17

15 years ago
Comment on attachment 140137 [details] [diff] [review]
patch with wtc's suggestions

Wan-Teh, please review again.  I believe all the changes made were ones you
suggested, except for the removal of the initialization code from SECU_Indent,
and moving it to the various test programs.
Attachment #140137 - Flags: review?(wchang0222)

Comment 18

15 years ago
Wan-Teh approved this checkin.

/cvsroot/mozilla/security/nss/cmd/lib/manifest.mn,v  <--  manifest.mn
new revision: 1.7; previous revision: 1.6

/cvsroot/mozilla/security/nss/cmd/lib/moreoids.c,v  <--  moreoids.c
initial revision: 1.1

/cvsroot/mozilla/security/nss/cmd/lib/pppolicy.c,v  <--  pppolicy.c
initial revision: 1.1

/cvsroot/mozilla/security/nss/cmd/lib/secutil.c,v  <--  secutil.c
new revision: 1.61; previous revision: 1.60

/cvsroot/mozilla/security/nss/cmd/lib/secutil.h,v  <--  secutil.h
new revision: 1.15; previous revision: 1.14

/cvsroot/mozilla/security/nss/cmd/certutil/certutil.c,v  <--  certutil.c
new revision: 1.83; previous revision: 1.82

/cvsroot/mozilla/security/nss/cmd/checkcert/checkcert.c,v  <--  checkcert.c
new revision: 1.3; previous revision: 1.2

/cvsroot/mozilla/security/nss/cmd/crlutil/crlutil.c,v  <--  crlutil.c
new revision: 1.22; previous revision: 1.21

/cvsroot/mozilla/security/nss/cmd/keyutil/keyutil.c,v  <--  keyutil.c
new revision: 1.2; previous revision: 1.1

/cvsroot/mozilla/security/nss/cmd/ocspclnt/ocspclnt.c,v  <--  ocspclnt.c
new revision: 1.6; previous revision: 1.5

/cvsroot/mozilla/security/nss/cmd/pp/pp.c,v  <--  pp.c
new revision: 1.5; previous revision: 1.4

/cvsroot/mozilla/security/nss/cmd/signver/signver.c,v  <--  signver.c
new revision: 1.8; previous revision: 1.7

/cvsroot/mozilla/security/nss/cmd/vfychain/vfychain.c,v  <--  vfychain.c
new revision: 1.6; previous revision: 1.5

/cvsroot/mozilla/security/nss/cmd/vfyserv/vfyserv.c,v  <--  vfyserv.c
new revision: 1.6; previous revision: 1.5
Last Resolved: 15 years ago
Resolution: --- → FIXED

Comment 19

15 years ago
Comment on attachment 139547 [details] [diff] [review]
patch part 1 - v1

Removing review request from this obsolete patch.
Attachment #139547 - Flags: review?(wchang0222)

Comment 20

15 years ago
Comment on attachment 140137 [details] [diff] [review]
patch with wtc's suggestions

Removing review request from this patch.  r+ was
given to its predecessor.
Attachment #140137 - Flags: review?(wchang0222)

Comment 21

14 years ago
*** Bug 280941 has been marked as a duplicate of this bug. ***
You need to log in before you can comment on or make changes to this bug.