avoid SecCertificateCopyNormalizedIssuerSequence and SecCertificateCopyNormalizedSubjectSequence in osclientcerts
Categories: Core :: Security: PSM, defect, P3
People: Reporter: keeler, Assigned: keeler
References: Blocks 1 open bug
Details: Whiteboard: [psm-assigned]
Attachments: 1 file
SecCertificateCopyNormalizedIssuerSequence and SecCertificateCopyNormalizedSubjectSequence normalize DN sequences (shocking, I know). This means that if the output from these functions is used to identify certificates, naively comparing bytes will result in mismatches. Since normalization is unnecessary and unwanted, we should avoid these functions in osclientcerts.
[Tracking Requested - why for this release]: osclientcerts is enabled by default in 90. It would be best if it didn't ship with this still an open issue.
Comment 1 (Assignee) • 3 years ago
SecCertificateCopyNormalizedIssuerSequence and
SecCertificateCopyNormalizedSubjectSequence normalize DN sequences (shocking, I
know). This means that if the output from these functions is used to identify
certificates, naively comparing bytes will result in mismatches. Since
normalization is unnecessary and unwanted, we should avoid these functions in
osclientcerts.
Pushed by dkeeler@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/cc4d270b482a avoid OS APIs that normalize distinguished names in osclientcerts r=rmf
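An added example (not taken from the bug or the landed patch; all function names are hypothetical) of one way to obtain un-normalized names: walk the certificate's own DER and return the issuer and subject bytes exactly as encoded. The sample names and certificate skeleton are constructed, and the upper-cased name is only a stand-in for a normalized DN, not the real output of the OS API.

```rust
// Added example, not Mozilla's code; all function names are hypothetical.
const SEQ: u8 = 0x30; // DER SEQUENCE tag
/// Split one DER TLV tagged `want` off `input`: (whole TLV, contents, rest).
fn read_tlv(input: &[u8], want: u8) -> Option<(&[u8], &[u8], &[u8])> {
    let (&tag, &first) = (input.get(0)?, input.get(1)?);
    if tag != want { return None; }
    let (len, header) = if first < 0x80 {
        (first as usize, 2)
    } else {
        let n = (first & 0x7f) as usize; // long form: n length bytes follow
        if n == 0 || n > 4 { return None; } // no indefinite or huge lengths
        (input.get(2..2 + n)?.iter().fold(0usize, |a, &b| (a << 8) | b as usize), 2 + n)
    };
    let tlv = input.get(..header.checked_add(len)?)?;
    Some((tlv, &tlv[header..], &input[tlv.len()..]))
}

/// Issuer and subject Names byte-for-byte as encoded in the certificate.
fn raw_issuer_and_subject(cert_der: &[u8]) -> Option<(&[u8], &[u8])> {
    let (_, cert, _) = read_tlv(cert_der, SEQ)?;
    let (_, mut tbs, _) = read_tlv(cert, SEQ)?;
    if tbs.first() == Some(&0xa0) { tbs = read_tlv(tbs, 0xa0)?.2; } // optional [0] version
    let (_, _, rest) = read_tlv(tbs, 0x02)?; // serialNumber INTEGER
    let (_, _, rest) = read_tlv(rest, SEQ)?; // signature algorithm
    let (issuer, _, rest) = read_tlv(rest, SEQ)?;
    let (_, _, rest) = read_tlv(rest, SEQ)?; // validity
    let (subject, _, _) = read_tlv(rest, SEQ)?;
    Some((issuer, subject))
}

// Constructed sample data: short-form TLV builder, one-CN Name, cert skeleton.
fn tlv(tag: u8, c: &[u8]) -> Vec<u8> { [&[tag, c.len() as u8][..], c].concat() }
fn name(cn: &str) -> Vec<u8> {
    let atv = [tlv(0x06, &[0x55, 0x04, 0x03]), tlv(0x13, cn.as_bytes())].concat();
    tlv(SEQ, &tlv(0x31, &tlv(SEQ, &atv)))
}
fn sample_cert(issuer: &[u8], subject: &[u8]) -> Vec<u8> {
    let tbs = [tlv(0xa0, &tlv(0x02, &[2])), tlv(0x02, &[1]), tlv(SEQ, &[]),
               issuer.to_vec(), tlv(SEQ, &[]), subject.to_vec()].concat();
    tlv(SEQ, &tlv(SEQ, &tbs))
}

fn main() {
    let issuer = name("Example  Test CA");
    let cert = sample_cert(&issuer, &name("client one"));
    let (raw, _) = raw_issuer_and_subject(&cert).expect("well-formed sample");
    // name("EXAMPLE TEST CA") is a constructed stand-in for a normalized DN.
    println!("{} {}", raw == &issuer[..], name("EXAMPLE TEST CA") == raw);
}
```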