Closed Bug 1342137 Opened 8 years ago Closed 7 years ago

CERT_AsciiToName() does not handle OIDs in dotted decimal form

Categories

(NSS :: Libraries, defect)

3.28.1
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: vmiklos, Assigned: jcj)

References

(Blocks 2 open bugs)

Details

Attachments

(1 file)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:51.0) Gecko/20100101 Firefox/51.0 Build ID: 20170126000000 Steps to reproduce: Compile this source code: ---- #include <iostream> #include <cert.h> void test(const char* string) { CERTName* name = CERT_AsciiToName(string); if (name) { std::cerr << "CERT_AsciiToName() succeeded for '" << string << "'" << std::endl; CERT_DestroyName(name); } else std::cerr << "CERT_AsciiToName() failed for '" << string << "'" << std::endl; } int main() { test("C=HU,L=Budapest,O=NISZ Nemzeti Infokommunikációs Szolgáltató Zrt.,CN=Állampolgári Tanúsítványkiadó - Qualified Citizen CA,2.5.4.97=VATHU-10585560"); return 0; } ---- and run it. Actual results: "CERT_AsciiToName() failed for" gets printed. Expected results: "CERT_AsciiToName() succeeded for" gets printed. The problem seems to be the ,2.5.4.97=... part. See the mailing list archive that confirms this is a bug: http://www.mail-archive.com/dev-tech-crypto@lists.mozilla.org/msg12789.html
Attached patch Proposed patchSplinter Review
The attached patch solves the problem for me. Although this is my first patch to NSS, so it's possible this is not the correct fix. Could someone please review it? I'm happy to look into writing a testcase for this in case the patch itself is OK. Thanks!
Hmm, the patch in itself is not correct: SECItem* derName = SEC_ASN1EncodeItem(arena, nullptr, name, SEC_ASN1_GET(CERT_NameTemplate)); Results in an ASN1 blob that's not actually valid.
Thanks for the patch. Could you provide a test for the fix to make sure this is actually working?
Flags: needinfo?(vmiklos)
The initial description above has sample code gives "succeeded for" with my patch and "failed for" without the patch. However, as mentioned in comment 2, probably this is only part of a larger problem: someone with more NSS knowledge would have to fix up other parts of NSS, so that when certutils gets a string where one of the attribute types are specified in dotted-decimal form it doesn't fail. So in short probably just ignore my patch, but the problem is still there.
Flags: needinfo?(vmiklos)
Blocks: 1363416
Blocks: 1363928
Assignee: nobody → jjones
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.31
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: