Certificate lookup with PKCS #11 URI doesn't take into account attributes other than "object"
Categories: NSS :: Libraries, enhancement, P1
Tracking: Not tracked
People: Reporter: ueno, Assigned: ueno
Attachments: 1 file
Since bug 1162897 NSS has a mechanism to look up certificates by PKCS #11 URI if the nickname starts with "pkcs11:". However, this only checks the "object" attribute (mapped to CKA_LABEL) and ignores other attributes. That is counter-intuitive compared to the matching behavior outlined in RFC 7512:
https://tools.ietf.org/html/rfc7512#section-2.5
Comment 1 (assignee) • 3 years ago
Previously we only used the "object" attribute (mapped to CKA_LABEL) to find certificates by PKCS #11 URI. This updates the logic to also match on "id" (mapped to CKA_ID) and to reject the request if a "type" attribute is present with a value other than "cert".
Note: as "id" may not be null-terminated, the PKCS #11 URI API had to be revamped to allow binary blobs. This is still not perfect because PK11URIAttribute doesn't have a length field for the value.
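The matching logic described in comment 1, as an added C example that is neither NSS code nor the attached patch: a small RFC 7512 path parser whose attribute values carry an explicit length, plus lookup_cert(), which runs either the old object-only comparison or the fixed one (object, id, and a type check). The UriAttr, Pkcs11Uri and TokenObject types, lookup_cert(), and the sample token objects are hypothetical and constructed for this example; NSS's own PK11URIAttribute type is not used.

```c
/* Added example (not NSS code): RFC 7512-style matching of a PKCS #11 URI against
 * token objects, before and after the change described above. Attribute values
 * carry an explicit length so a binary "id" with NUL bytes compares correctly. */
#include <stdio.h>
#include <string.h>
#define URI_MAX_ATTRS 8

/* value is percent-decoded and may contain NUL bytes; len makes that safe. */
typedef struct { char name[16]; unsigned char value[64]; size_t len; } UriAttr;
typedef struct { UriAttr attrs[URI_MAX_ATTRS]; size_t count; } Pkcs11Uri;
/* Constructed stand-in for a token object: object class (as a URI "type" value),
 * CKA_LABEL and binary CKA_ID are all the matcher reads. Names are hypothetical. */
typedef struct { const char *type, *label; const unsigned char *id; size_t id_len; } TokenObject;

static int hexval(int c)
{
    return (c >= '0' && c <= '9') ? c - '0' : (c >= 'a' && c <= 'f') ? c - 'a' + 10
         : (c >= 'A' && c <= 'F') ? c - 'A' + 10 : -1;
}

/* Percent-decode s[0..n) into out; returns the decoded length or -1 on bad input. */
static int pct_decode(const char *s, size_t n, unsigned char *out, size_t cap)
{
    size_t i, o = 0;
    for (i = 0; i < n; i++, o++) {
        int hi, lo;
        if (o >= cap) return -1;
        if (s[i] != '%') { out[o] = (unsigned char)s[i]; continue; }
        if (i + 2 >= n || (hi = hexval(s[i + 1])) < 0 || (lo = hexval(s[i + 2])) < 0)
            return -1;
        out[o] = (unsigned char)(hi * 16 + lo);
        i += 2;
    }
    return (int)o;
}

/* Parse the path part of "pkcs11:name=value;...[?query]"; query attributes such as
 * pin-value play no role in matching and are skipped. 0 on success, -1 if malformed. */
int parse_pkcs11_uri(const char *uri, Pkcs11Uri *u)
{
    const char *p, *end, *sep, *eq;
    memset(u, 0, sizeof(*u));
    if (strncmp(uri, "pkcs11:", 7) != 0) return -1;
    p = uri + 7;
    end = strchr(p, '?') ? strchr(p, '?') : p + strlen(p);
    for (; p < end; p = sep + 1) {
        UriAttr *a; int dlen;
        if (u->count >= URI_MAX_ATTRS) return -1;
        a = &u->attrs[u->count];
        if ((sep = memchr(p, ';', (size_t)(end - p))) == NULL) sep = end;
        eq = memchr(p, '=', (size_t)(sep - p));
        if (eq == NULL || eq == p || (size_t)(eq - p) >= sizeof(a->name)) return -1;
        memcpy(a->name, p, (size_t)(eq - p));
        a->name[eq - p] = '\0';
        dlen = pct_decode(eq + 1, (size_t)(sep - eq - 1), a->value, sizeof(a->value));
        if (dlen < 0) return -1;
        a->len = (size_t)dlen;
        u->count++;
    }
    return 0;
}

/* An absent attribute imposes no constraint; a present one is compared by length
 * and memcmp, because strcmp would stop at the first NUL byte of an id. */
static int attr_eq(const Pkcs11Uri *u, const char *name, const void *buf, size_t len)
{
    size_t i;
    for (i = 0; i < u->count; i++)
        if (strcmp(u->attrs[i].name, name) == 0)
            return u->attrs[i].len == len && memcmp(u->attrs[i].value, buf, len) == 0;
    return 1;
}

/* Find the first certificate in objs[0..n) matching uri. fixed == 0 mimics the old
 * behaviour (only "object" is consulted); fixed != 0 also honours "id" and rejects a
 * "type" other than "cert". Returns the index, -1 no match, -2 rejected, -3 malformed. */
int lookup_cert(const char *uri, const TokenObject *objs, size_t n, int fixed)
{
    Pkcs11Uri u; size_t i;
    if (parse_pkcs11_uri(uri, &u) != 0) return -3;
    if (fixed && !attr_eq(&u, "type", "cert", 4)) return -2;
    for (i = 0; i < n; i++)
        if (strcmp(objs[i].type, "cert") == 0 &&
            attr_eq(&u, "object", objs[i].label, strlen(objs[i].label)) &&
            (!fixed || attr_eq(&u, "id", objs[i].id, objs[i].id_len)))
            return (int)i;
    return -1;
}

/* Constructed sample token: a private key and two certificates sharing one label. */
static const unsigned char kIdA[] = { 0x01, 0x00, 0x02 }; /* NUL inside the id */
static const unsigned char kIdB[] = { 0x01, 0x00, 0x03 };
static const TokenObject kToken[] = {
    { "private", "server", kIdA, sizeof kIdA },
    { "cert", "server", kIdA, sizeof kIdA },
    { "cert", "server", kIdB, sizeof kIdB },
};
static const size_t kTokenCount = sizeof kToken / sizeof kToken[0];

int main(void)
{
    const char *uri = "pkcs11:object=server;id=%01%00%03"; /* prints: old 1, fixed 2 */
    printf("old %d, fixed %d\n", lookup_cert(uri, kToken, kTokenCount, 0),
           lookup_cert(uri, kToken, kTokenCount, 1));
    return 0;
}
```

With "pkcs11:object=server;id=%01%00%03" the old behaviour returns the first certificate labelled "server" (index 1), while the fixed behaviour returns the one whose CKA_ID matches (index 2). "pkcs11:id=%01%00" matches nothing because lengths are compared, which is the case that the note above about PK11URIAttribute lacking a length field is concerned with; a NUL-terminated comparison would wrongly accept it.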
Comment 2 • 2 years ago
The bug assignee didn't log in to Bugzilla in the last 7 months and this bug has priority 'P1'.
:beurdouche, could you have a look please?
For more information, please visit auto_nag documentation.
Comment 3 (assignee) • 2 years ago
Sorry for the inactivity. Looks like the patch itself is almost ready for merge; let me take it again.
Comment hidden (off-topic)
Comment 5 • 2 years ago
Sorry, there was a problem with the detection of inactive users. I'm reverting the change.
Comment 6 (assignee) • 2 years ago
The fix has been pushed as: https://hg.mozilla.org/projects/nss/rev/af70850fbd65642af819e1192abc8765a1850f0b