Using AS with new NSS3.4 RC2. Trying to install a new cerificate and the
security CGI crashes in NSS. The call stack is
 nssTrustDomain_GetCertsForSubjectFromCache(td = (nil), subject = 0xecb24,
certListOpt = 0xeeff8), line 845 in "tdcache.c"
 NSSTrustDomain_FindCertificatesBySubject(td = (nil), subject = 0xecb24,
rvOpt = (nil), maximumOpt = 0, arenaOpt = (nil)), line 675 in "trustdomain.c"
 find_issuer_cert_for_identifier(c = 0xecaf0, id = 0xeb858), line 307 in
 NSSCertificate_BuildChain(c = 0xecaf0, timeOpt = 0xeb828, usage =
0xffbef1b0, policiesOpt = (nil), rvOpt = 0xffbef1a4, rvLimit = 2U, arenaOpt =
(nil), statusOpt = 0xffbef1a0), line 356 in "certificate.c"
 CERT_FindCertIssuer(cert = 0xe8840, validTime = 1018057399953784LL, usage
= certUsageSSLServer), line 409 in "certvfy.c"
 CERT_VerifyCertChain(handle = 0xdd688, cert = 0xe8840, checkSig = 1,
certUsage = certUsageSSLServer, t = 1018057399953784LL, wincx = (nil), log =
(nil)), line 702 in "certvfy.c"
 CERT_VerifyCert(handle = 0xdd688, cert = 0xe8840, checkSig = 1, certUsage
= certUsageSSLServer, t = 1018057399953784LL, wincx = (nil), log = (nil)), line
1138 in "certvfy.c"
 CERT_VerifyCertNow(handle = 0xdd688, cert = 0xe8840, checkSig = 1,
certUsage = certUsageSSLServer, wincx = (nil)), line 1179 in "certvfy.c"
 printCertUsageInfo(description = 0x5417f "^I^I<SSLServer></SSLServer>\n",
usage = certUsageSSLServer, cert = 0xe8840), line 356 in "security.c"
=> printCert(cert = 0xe8840, key = (nil), detail = 0xffbef9c0,
forcePrint_CertType = 0x546a9 "SERVER"), line 531 in "security.c"
 installCertificate(tokenName = 0xbb300 "internal (software)", certname =
(nil)), line 1177 in "security.c"
 main(argc = 1, argv = 0xffbefb1c), line 2132 in "security.c"
The same behavior is both on NT and Solaris 2.8.
Bob Relyea has looked at the problem and recognized a NSS bug. He says there is
no workaround for this and NSS needs to be fixed.
Assigned the bug to Bob. Target NSS 3.4.1.
The problem seems to be with the CERT_ImportCerts() call. It creates a cert
without the nickname.
Actually it creates a cert without lots of things. In this case without a
CERTDBHandle (Trust domain).
It looks to me like CERT_ImportCerts should be calling CERT_NewTempCertificate
if keepCert == PR_FALSE. Is that correct?
Yup, that's the bug. It's a pretty easy fix.
Created attachment 78449 [details] [diff] [review]
CERT_ImportCerts was changed from 3.3 to not call CERT_NewTempCertificate.
When keepCerts == PR_FALSE, I believe that is the correct call. Here is my
proposed patch (I don't have the test case).
Comment on attachment 78449 [details] [diff] [review]
This is precisely the patch I had in mind. Approved.
checked in to tip.
Created attachment 81047 [details] [diff] [review]
This patch is the fix that is currently in the tip. Bob
suggested that we check in this fix on the NSS_3_4_BRANCH.
Bob, Ian, please review this new patch.
Changed the QA contact to Bishakha.
Created attachment 81161 [details] [diff] [review]
additional patch needed for 3.4 branch
This change is also needed on the branch. Checked in.
*** Bug 140338 has been marked as a duplicate of this bug. ***
Ok, this is checked in on the tip and in NSS 3.4.2 Beta 1
Set target milestone to NSS 3.4.2.
adt1.0.1+ (on ADT's behalf) for checkin to the 1.0 branch. Pls check this in