Closed Bug 132942 Opened 22 years ago Closed 21 years ago

RFE: better parsing and display of certificates

Categories

(NSS :: Tools, enhancement, P2)

x86
Windows 2000
enhancement

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: Bill.Burns, Assigned: nelson)

Details

(Whiteboard: [cert])

Attachments

(1 file, 6 obsolete files)

I'd like more verbose printing of the various values inside certificates. 
OpenSSL, for example, prints out information like keysize, certificate policy,
CRL distribution point, AKI, basic constraints, etc.

certutil (and possibly NSM) should crack open and parse as many OIDs as possible.

OpenSSL parsing of the AOLTW Intranet root:
OpenSSL> x509 -text -in /tmp/cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 33554918 (0x20001e6)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=GTE Corporation, CN=GTE CyberTrust Root
        Validity
            Not Before: Jun  1 12:47:00 2001 GMT
            Not After : Jun  1 23:59:00 2004 GMT
        Subject: C=US, ST=CA, L=Mountain View, O=America Online Inc, OU=AOL Technologies, CN=Intranet Certificate Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:e2:ef:5f:2c:76:43:89:4b:1a:5f:b3:e5:f8:aa:
                    6f:8b:2f:81:4d:67:ff:bd:4a:0f:63:2e:c4:dc:85:
                    f6:9e:2c:49:26:20:ff:00:17:e4:88:88:69:de:fd:
                    83:57:e0:a3:11:19:11:aa:d6:dc:bc:ef:b3:d2:15:
                    2e:54:c6:6e:7c:bf:d9:b9:c3:46:d3:09:05:84:e5:
                    53:5c:48:ed:84:85:9a:0e:3b:3d:16:07:5c:f0:b3:
                    79:ab:9a:10:a5:bc:c1:a4:d1:78:4c:06:e5:64:41:
                    fc:05:25:63:26:eb:ef:0c:c7:6e:54:a1:8c:ce:54:
                    57:b6:1f:92:da:b2:12:4b:8d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 CRL Distribution Points:
                URI:http://www1.us-hosting.baltimore.com/cgi-bin/CRL/GTERoot.cgi

            X509v3 Subject Key Identifier:
                29:DB:B2:2D:83:7E:7F:8B:23:BB:C2:CC:66:B9:39:E8:29:F3:02:86
            X509v3 Certificate Policies:
                0]0F.
*.H..c....0806..+........*http://www.baltimore.com/CPS/OmniRoot.html0...*..0.0
..+.......
            X509v3 Authority Key Identifier:
                DirName:/C=US/O=GTE Corporation/CN=GTE CyberTrust Root
                serial:01:A3

            X509v3 Private Key Usage Period:
                Not Before: Jun  1 12:47:30 2001 GMT, Not After: Sep  1 23:59:00 2003 GMT
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints:
                CA:TRUE, pathlen:1
    Signature Algorithm: sha1WithRSAEncryption
        4a:62:0e:d9:fa:46:77:04:0a:6c:0d:dd:fe:d2:22:39:99:10:
        0a:ae:88:2d:86:3d:57:84:e6:12:24:37:69:fb:59:5e:e2:11:
        b0:f9:9f:a4:57:86:8a:69:1f:06:63:d1:7d:ee:33:36:49:10:
        20:0f:1f:97:17:2c:27:6c:3d:6c:39:04:7b:e2:45:e8:87:1b:
        54:b6:60:41:6d:1d:ae:05:f3:9d:f9:3a:34:9a:e3:7b:6b:4c:
        71:f8:eb:a8:2b:83:b0:35:90:4c:19:68:71:ed:f0:63:22:5e:
        c2:5b:ec:20:7a:b5:b0:51:73:e9:07:ee:81:67:76:79:53:f7:
        95:d4
Severity: normal → enhancement
Status: UNCONFIRMED → NEW
Ever confirmed: true
Changed the QA contact to Bishakha.
QA Contact: sonja.mirtitsch → bishakhabanerjee
Priority: -- → P2
Whiteboard: [cert]
Target Milestone: --- → 3.6
Target Milestone: 3.6 → Future
Taking.  

NSS's certutil and pp programs need to do a MUCH better job of telling you 
what's in a cert, and what it means.  It's way better in NSS 3.9 than before, 
but it still has a long ways to go.  
Assignee: wchang0222 → MisterSSL
Target Milestone: Future → 3.9.1
BTW, I believe the example cert shown above is invalid.
More specifically, I believe the certificatePolicies extension contains
an improperly encoded PolicyQualifierInfo.

The extension looks like this:

 567 30  102:         SEQUENCE {
 569 06    3:           OBJECT IDENTIFIER certificatePolicies (2 5 29 32)
            :             (X.509 id-ce (2 5 29))
 574 04   95:           OCTET STRING, encapsulates {
 576 30   93:               SEQUENCE {
 578 30   70:                 SEQUENCE {
 580 06   10:                   OBJECT IDENTIFIER '1 2 840 113763 1 2 1 5'
 592 30   56:                   SEQUENCE {
 594 30   54:                     SEQUENCE {
 596 06    8:                       OBJECT IDENTIFIER cps (1 3 6 1 5 5 7 2 1)
            :                         (PKIX policy qualifier)
 606 16   42:                       IA5String
            :                   'http://www.baltimore.com/CPS/OmniRoot.html'
            :                       }
            :                     }
            :                   }
 650 30   19:                 SEQUENCE {
 652 06    3:                   OBJECT IDENTIFIER '1 2 3 4'
 657 30   12:                   SEQUENCE {
 659 30   10:                     SEQUENCE {
 661 06    8:                       OBJECT IDENTIFIER cps (1 3 6 1 5 5 7 2 1)
            :                         (PKIX policy qualifier)
            :                       }
            :                     }
            :                   }
            :                 }
            :               }
            :           }

This extension contains 2 "PolicyInformation" sequences, one with OID 
'1 2 840 113763 1 2 1 5' and one with OID '1 2 3 4'.  Each of those contains
a PolicyQualifierInfo sequence.  A PolicyQualifierInfo contains TWO parts:
  - The policyQualifierId, which is an OID, and 
  - The "qualifier", which is "ANY DEFINED BY policyQualifierId"
Neither part is OPTIONAL.  

The second PolicyInformation's PolicyQualifierInfo sequence contains 
only the policyQualifierId, and not the qualifier.  
It has been encoded as if the qualifier is OPTIONAL, which it is not.

We can make NSS accept this PolicyQualifierInfo by changing the ASN.1 
decoder template to declare qualifier to be OPTIONAL, but I think we 
should not do this unless real CAs have issued many such certs.  (Have they?)
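
An added example, not part of this bug thread and not NSS code: a small C walker over a DER certificatePolicies value that counts PolicyQualifierInfo sequences which do not hold exactly the two required elements, which is the defect described in the comment above. The names der_next, count_bad_qualifiers and SAMPLE are assumptions made for this example, and SAMPLE is constructed data that mirrors the shape of the dump, not the extension from the reported cert.

```c
#include <stddef.h>
#include <stdio.h>
typedef struct { unsigned char tag; const unsigned char *p; size_t len; } tlv;

/* Read one definite-length DER TLV from [*cur, end); 0 on success, -1 on error. */
static int der_next(const unsigned char **cur, const unsigned char *end, tlv *t) {
    const unsigned char *p = *cur;
    size_t len, n;
    if (end - p < 2) return -1;
    t->tag = *p++; len = *p++;
    if (len & 0x80) {                       /* long form: 1 or 2 length octets */
        if ((n = len & 0x7f) < 1 || n > 2 || (size_t)(end - p) < n) return -1;
        for (len = 0; n > 0; n--) len = (len << 8) | *p++;
    }
    if ((size_t)(end - p) < len) return -1;
    t->p = p; t->len = len; *cur = p + len;
    return 0;
}

/* Count PolicyQualifierInfo SEQUENCEs without exactly two parts; -1 on bad DER. */
int count_bad_qualifiers(const unsigned char *der, size_t len) {
    const unsigned char *c = der, *e = der + len, *ic, *ie, *qc, *qe, *kc;
    tlv all, info, oid, quals, pqi, part;
    int bad = 0, parts;
    if (der_next(&c, e, &all) || all.tag != 0x30) return -1;
    for (c = all.p, e = c + all.len; c < e; ) {           /* PolicyInformation */
        if (der_next(&c, e, &info) || info.tag != 0x30) return -1;
        ic = info.p; ie = ic + info.len;
        if (der_next(&ic, ie, &oid) || oid.tag != 0x06) return -1;
        if (ic == ie) continue;                 /* policyQualifiers is OPTIONAL */
        if (der_next(&ic, ie, &quals) || quals.tag != 0x30) return -1;
        for (qc = quals.p, qe = qc + quals.len; qc < qe; ) {
            if (der_next(&qc, qe, &pqi) || pqi.tag != 0x30) return -1;
            for (parts = 0, kc = pqi.p; kc < pqi.p + pqi.len; parts++)
                if (der_next(&kc, pqi.p + pqi.len, &part)) return -1;
            if (parts != 2) bad++;      /* policyQualifierId + qualifier needed */
        }
    }
    return bad;
}

/* Constructed sample: 1.2.3.5 with a full cps qualifier, then 1.2.3.4 without. */
static const unsigned char SAMPLE[] = {
    0x30,0x35, 0x30,0x1e, 0x06,0x03,0x2a,0x03,0x05, 0x30,0x17, 0x30,0x15,
    0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x02,0x01,          /* cps OID */
    0x16,0x09,'h','t','t','p',':','/','/','x','/',              /* IA5String */
    0x30,0x13, 0x06,0x03,0x2a,0x03,0x04, 0x30,0x0c, 0x30,0x0a,
    0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x02,0x01           /* cps OID only */
};
int main(void) { printf("%d\n", count_bad_qualifiers(SAMPLE, sizeof SAMPLE)); return 0; }
```
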
*** Bug 222124 has been marked as a duplicate of this bug. ***
I have enhanced the cert parsing/printing in pp and certutil quite a bit.
I will attach a patch shortly.
There is more work to do, but I want to checkin what is done thus far,
because it is a big improvement (IMHO). 
Status: NEW → ASSIGNED
Summary: RFE: better parsing of certificates → RFE: better parsing and display of certificates
Attached patch patch part 1 - v1 (obsolete) — Splinter Review
Comment on attachment 139547 [details] [diff] [review]
patch part 1 - v1

Wan-Teh, please review.

Synopsis of patch.  This patch

1. Moves all the code that parses a Policies extension out of secutil.c and 
into the new file pppolicy.c, and extends the code substantially there.  

2. Renames secu_PrintString, secu_PrintAny and secu_PrintPolicy by upshifting 
the prefix, and puts the declarations for these functions into secutil.h

3. Improves the printing of basic constraints, 
4. Adds printing of X509 Key Usage extension
5. Adds printing of optional issuer and subject unique IDs.
6. Recursively decodes certain content that previously was merely dumped in
hex.
7. Is smarter about printing printable strings as strings, vs hex dumps.

Still to do:

1. Decode and print these extensions:
   a) authority key ID extension
   b) CRL distribution points
   c) subject alt name and issuer alt name
   d) name constraints 
   e) authority info access extension

2. export certain symbols from NSS shared libs that parse the above extensions
Attachment #139547 - Flags: review?(wchang0222)
This patch includes changes to export symbols from NSS, and to make one 
existing private NSS header file public.

This work is still in development.  Just capturing the code here.
Attachment #139606 - Attachment is obsolete: true
Retargeting to 3.10.
Target Milestone: 3.9.1 → 3.10
Depends on: 231881
This patch is getting much nearer to completion.  Since certain functions have
not yet been exported from the shared libs, this patch uses some awful hacks
to work around that.  After those functions have been properly exported, the
hacks will go away.
Attachment #139652 - Attachment is obsolete: true
Depends on: 124923
Attached patch Rollup patch v3 (obsolete) — Splinter Review
This patch is quite a bit smaller than the last one.  
This one depends on the patch for bug 231881 being checked in or applied.
That patch exports numerous functions from libNSS.

This patch is just capturing the current state of development.
Bug 124923 must also be fixed before this bug/patch will be finally ready
for review and checkin.
Attachment #139775 - Attachment is obsolete: true
Attached patch patch for review (obsolete) — Splinter Review
This patch depends on the patches for bug 124923 and bug 231881 being
checked in first.  Please review the patches for those bugs before 
reviewing this patch.  

This patch adds 2 source files to nss/cmd/lib.
One of them adds many OIDs to the dynamic OID table, so that the printing
code can print nice names instead of numeric OIDs.

The other one adds new code to parse extensions.  It parses cert policy
extensions in a way that is more tolerant of errors than the way the NSS
shared libraries do it.  This is helpful in diagnosing certs with poorly
formed extensions.  It also adds code to print the Private Key Usage Period
extension, which NSS parses but does not use.

Finally, this patch greatly extends the printing abilities of the code
in secutil.c.  Here is a list of enhancements:

- Print warning messages that are properly indented.
- PrintAsHex notices when the buffer contains entirely printable characters,
and is larger than an int, and prints it as text in that case.
- PrintRawString now indents the string, rather than always printing it on 
a separate line.
- now prints decoded bit strings
- now prints BMP (UCS2) strings as strings (not as hex) when they contain only
printable ASCII characters.
- now prints Universal (UCS4) Strings as strings (not hex) when they contain
only printable ASCII characters.
- Decodes certain encoded data that was previously printed as hex.
- Generically decodes ASN.1 data, rather than merely printing an error, when
  the ASN.1 data doesn't fit a known template.
- properly handles all optional components of basic constraints extensions.
- Prints the names of the bits in the X509 Key Usage extension.
- Prints General Names.
- Print Auth Key ID extensions
- Print subject and issuer alt name extensions
- Print CRL distribution points extensions
- format and print name constraints extensions
- print Authority Information Access extensions
- Print optional X509v2 subject and issuer Unique ID bit strings
Attachment #139547 - Attachment is obsolete: true
Attachment #139955 - Attachment is obsolete: true
Comment on attachment 140036 [details] [diff] [review]
patch for review

Please review.  This patch assumes that the patches for bug 124923 and bug
231881 are already applied.
Attachment #140036 - Flags: review?(wchang0222)
Comment on attachment 140036 [details] [diff] [review]
patch for review

I've reviewed this patch the best I can.  Bob would
be a better person to review the cert parsing and
display code.  Given the size of this patch and the
fact that it only affects our cert pretty-print tools,
I will not ask Bob to review it.  However, it is a
good idea for Bob to review the output of the patch
on a few sample certs.  Bob may want to do that in
lieu of a code review.

There are some minor issues and questions with this
patch, which I will give to Nelson offline.
Attachment #140036 - Flags: review?(wchang0222) → review+
Wan-Teh, although you gave r= to the previous patch, the number of changes
you suggested was sufficiently large that I felt it best to submit a second
patch here.  I incorporated nearly all your suggestions.

I decided to explicitly call the new SECU_RegisterDynamicOids() function from
each program that needs it, rather than doing it implicitly inside SECU_Indent.

Nearly every nss cmd uses SECU_Indent, but rather few need the extra OIDs.
Attachment #140036 - Attachment is obsolete: true
Comment on attachment 140137 [details] [diff] [review]
patch with wtc's suggestions

Wan-Teh, please review again.  I believe all the changes made were ones you
suggested, except for the removal of the initialization code from SECU_Indent,
and moving it to the various test programs.
Attachment #140137 - Flags: review?(wchang0222)
Wan-Teh approved this checkin.

/cvsroot/mozilla/security/nss/cmd/lib/manifest.mn,v  <--  manifest.mn
new revision: 1.7; previous revision: 1.6

/cvsroot/mozilla/security/nss/cmd/lib/moreoids.c,v  <--  moreoids.c
initial revision: 1.1

/cvsroot/mozilla/security/nss/cmd/lib/pppolicy.c,v  <--  pppolicy.c
initial revision: 1.1

/cvsroot/mozilla/security/nss/cmd/lib/secutil.c,v  <--  secutil.c
new revision: 1.61; previous revision: 1.60

/cvsroot/mozilla/security/nss/cmd/lib/secutil.h,v  <--  secutil.h
new revision: 1.15; previous revision: 1.14

/cvsroot/mozilla/security/nss/cmd/certutil/certutil.c,v  <--  certutil.c
new revision: 1.83; previous revision: 1.82

/cvsroot/mozilla/security/nss/cmd/checkcert/checkcert.c,v  <--  checkcert.c
new revision: 1.3; previous revision: 1.2

/cvsroot/mozilla/security/nss/cmd/crlutil/crlutil.c,v  <--  crlutil.c
new revision: 1.22; previous revision: 1.21

/cvsroot/mozilla/security/nss/cmd/keyutil/keyutil.c,v  <--  keyutil.c
new revision: 1.2; previous revision: 1.1

/cvsroot/mozilla/security/nss/cmd/ocspclnt/ocspclnt.c,v  <--  ocspclnt.c
new revision: 1.6; previous revision: 1.5

/cvsroot/mozilla/security/nss/cmd/pp/pp.c,v  <--  pp.c
new revision: 1.5; previous revision: 1.4

/cvsroot/mozilla/security/nss/cmd/signver/signver.c,v  <--  signver.c
new revision: 1.8; previous revision: 1.7

/cvsroot/mozilla/security/nss/cmd/vfychain/vfychain.c,v  <--  vfychain.c
new revision: 1.6; previous revision: 1.5

/cvsroot/mozilla/security/nss/cmd/vfyserv/vfyserv.c,v  <--  vfyserv.c
new revision: 1.6; previous revision: 1.5
Status: ASSIGNED → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Comment on attachment 139547 [details] [diff] [review]
patch part 1 - v1

Removing review request from this obsolete patch.
Attachment #139547 - Flags: review?(wchang0222)
Comment on attachment 140137 [details] [diff] [review]
patch with wtc's suggestions

Removing review request from this patch.  r+ was
given to its predecessor.
Attachment #140137 - Flags: review?(wchang0222)
*** Bug 280941 has been marked as a duplicate of this bug. ***