Closed Bug 1712848 Opened 3 years ago Closed 3 years ago

avoid SecCertificateCopyNormalizedIssuerSequence and SecCertificateCopyNormalizedSubjectSequence in osclientcerts

Categories

(Core :: Security: PSM, defect, P3)

Tracking

RESOLVED FIXED
90 Branch
Tracking Status
firefox90 + fixed

People

(Reporter: keeler, Assigned: keeler)

References

(Blocks 1 open bug)

Details

(Whiteboard: [psm-assigned])

Attachments

(1 file)

SecCertificateCopyNormalizedIssuerSequence and SecCertificateCopyNormalizedSubjectSequence normalize DN sequences (shocking, I know). This means that if the output from these functions is used to identify certificates, naively comparing bytes will result in mismatches. Since normalization is unnecessary and unwanted, we should avoid these functions in osclientcerts.

[Tracking Requested - why for this release]: osclientcerts is enabled by default in 90. It would be best if it didn't ship with this still an open issue.

SecCertificateCopyNormalizedIssuerSequence and
SecCertificateCopyNormalizedSubjectSequence normalize DN sequences (shocking, I
know). This means that if the output from these functions is used to identify
certificates, naively comparing bytes will result in mismatches. Since
normalization is unnecessary and unwanted, we should avoid these functions in
osclientcerts.
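
The mismatch described above, as an added example that is not part of the bug report or of the landed patch: a byte-exact lookup for a certificate's DER-encoded subject fails when the stored name has been normalized. The `normalize()` rule (uppercase, collapse whitespace) is a hypothetical stand-in rather than Apple's actual algorithm, and the names, labels and helper functions are constructed for illustration.

```rust
// Added example with constructed data. normalize() is a hypothetical stand-in
// (uppercase, collapse whitespace); it is not Apple's actual algorithm.
const OID_O: &[u8] = &[0x55, 0x04, 0x0a]; // 2.5.4.10 organizationName
const OID_CN: &[u8] = &[0x55, 0x04, 0x03]; // 2.5.4.3 commonName

/// One DER TLV; long-form length is used for values of 128 bytes or more.
fn tlv(tag: u8, value: &[u8]) -> Vec<u8> {
    let mut out = vec![tag];
    if value.len() < 0x80 {
        out.push(value.len() as u8);
    } else {
        let len: Vec<u8> = value.len().to_be_bytes().iter().copied().skip_while(|b| *b == 0).collect();
        out.push(0x80 | len.len() as u8);
        out.extend(len);
    }
    out.extend_from_slice(value);
    out
}

/// DER Name: SEQUENCE OF SET OF SEQUENCE { OID, PrintableString }.
fn encode_name(attrs: &[(&[u8], &str)]) -> Vec<u8> {
    let mut rdns = Vec::new();
    for (oid, val) in attrs {
        let atv = [tlv(0x06, oid), tlv(0x13, val.as_bytes())].concat();
        rdns.extend(tlv(0x31, &tlv(0x30, &atv)));
    }
    tlv(0x30, &rdns)
}

fn normalize(val: &str) -> String {
    val.to_uppercase().split_whitespace().collect::<Vec<_>>().join(" ")
}

/// Byte-exact lookup, the way a consumer matches a DN against stored certificates.
fn find_by_subject<'a>(store: &'a [(&'a str, Vec<u8>)], subject: &[u8]) -> Option<&'a str> {
    store.iter().find(|(_, s)| s.as_slice() == subject).map(|(label, _)| *label)
}

fn main() {
    let (o, cn) = ("Example  Org", "Example Client CA");
    // Bytes as they sit in the certificate vs. what a normalizing API might return.
    let raw = encode_name(&[(OID_O, o), (OID_CN, cn)]);
    let (no, ncn) = (normalize(o), normalize(cn));
    let norm = encode_name(&[(OID_O, no.as_str()), (OID_CN, ncn.as_str())]);
    let exposed_normalized = [("constructed-cert", norm)];
    let exposed_raw = [("constructed-cert", raw.clone())];
    println!("normalized store: {:?}", find_by_subject(&exposed_normalized, &raw));
    println!("raw store:        {:?}", find_by_subject(&exposed_raw, &raw));
}
```
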

Pushed by dkeeler@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/cc4d270b482a
avoid OS APIs that normalize distinguished names in osclientcerts r=rmf
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 90 Branch