Bug 172247 - detect certs with duplicated issuer name and serial number
Status: RESOLVED FIXED
Product: NSS
Classification: Components
Component: Libraries
Version: 3.4
Platform: All All
Importance: P1 enhancement
Target Milestone: 3.7
Assigned To: Ian McGreer
QA Contact: Bishakha Banerjee
Duplicates: 99422
Depends on:
Blocks: 169696
Reported: 2002-10-02 17:41 PDT by Nelson Bolyard (seldom reads bugmail)
Modified: 2004-05-07 15:23 PDT


Attachments
block import of different certs with same issuer/sn as existing certs (6.99 KB, patch)
2002-11-20 17:50 PST, Ian McGreer
rename error code (7.00 KB, patch)
2002-11-21 08:10 PST, Ian McGreer

Description Nelson Bolyard (seldom reads bugmail) 2002-10-02 17:41:17 PDT
When NSS encounters a cert (e.g. via a call to CERT_NewTempCertificate,
and perhaps via other calls as well) that has the same issuer name and 
serial number as a cert already known to NSS (e.g. in a token or the cert DB), 
NSS treats the new cert as a duplicate of the known cert, even if the two
certs are not identical.  The two certs are assumed to be identical because
they contain the same issuer and serial number.  No comparison is made to 
ensure that they actually are fully identical.  

NSS should compare the newly encountered cert with the previously known one.
If they are the same, then NSS should continue to treat the new cert as a 
duplicate of the old one (because it is).  If they are not the same, NSS
should fail to "import" the new cert (or whatever operation it is performing)
and should return an error code that signifies that the new cert has a 
duplicated issuer name and serial number.  

This change may need to be made in many places in NSS, such as when a cert
is added to the cert cache, or to the temporary store of certs, or to the
cert DB inside the soft token.  I do not know all the places where this needs
to be done.  Hopefully Bob and Ian can help enumerate them all.
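
The check requested in the description above, as an added example that is neither NSS code nor the attached patch: a toy in-memory store that looks up a cert by issuer and serial, then compares the full encodings before treating it as a duplicate. The `Store`, `Cert`, `store_add` and `ADD_*` names are hypothetical and the sample bytes are constructed.

```c
#include <stddef.h>
#include <string.h>
/* Hypothetical model of a cert store (not NSS code): each entry keeps the
 * issuer name, serial number and full DER encoding as byte strings. */
typedef struct { const unsigned char *data; size_t len; } Blob;
typedef struct { Blob issuer, serial, der; } Cert;
typedef struct { Cert certs[16]; size_t count; } Store;
typedef enum { ADD_OK, ADD_DUPLICATE, ADD_REUSED_ISSUER_AND_SERIAL,
               ADD_STORE_FULL } AddResult;

static int blob_eq(Blob a, Blob b)
{
    return a.len == b.len && memcmp(a.data, b.data, a.len) == 0;
}

/* A key match counts as a duplicate only when the complete encodings also
 * match; a different cert under a known issuer/serial is refused. */
AddResult store_add(Store *s, const Cert *c)
{
    for (size_t i = 0; i < s->count; i++) {
        const Cert *k = &s->certs[i];
        if (blob_eq(k->issuer, c->issuer) && blob_eq(k->serial, c->serial))
            return blob_eq(k->der, c->der) ? ADD_DUPLICATE
                                           : ADD_REUSED_ISSUER_AND_SERIAL;
    }
    if (s->count == sizeof s->certs / sizeof s->certs[0])
        return ADD_STORE_FULL;
    s->certs[s->count++] = *c;
    return ADD_OK;
}

/* Constructed sample data: two different encodings, same issuer/serial. */
static const unsigned char ISSUER[] = "CN=Example CA", SERIAL[] = { 0x01 },
    DER_A[] = "constructed-cert-A", DER_B[] = "constructed-cert-B";
/* Imports A, A again, then B; returns the outcome of import number `step`. */
AddResult demo_import(int step)
{
    Store s = { .count = 0 };
    Cert a = { { ISSUER, sizeof ISSUER }, { SERIAL, sizeof SERIAL },
               { DER_A, sizeof DER_A } };
    Cert b = { a.issuer, a.serial, { DER_B, sizeof DER_B } };
    const Cert *order[3] = { &a, &a, &b };
    AddResult r = ADD_OK;
    for (int i = 0; i <= step && i < 3; i++)
        r = store_add(&s, order[i]);
    return r;
}

int main(void) { return demo_import(2) == ADD_REUSED_ISSUER_AND_SERIAL ? 0 : 1; }
```
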
Comment 1 Nelson Bolyard (seldom reads bugmail) 2002-10-02 18:20:04 PDT
In today's meeting, we agreed that this bug should be P1 for NSS 3.7.

The motivation for this bug is to reduce the amount of time spent diagnosing
errors caused by certs with duplicated issuer and serial numbers.  Such 
certs are not issued by competent CAs.  But the complaints about problems 
arising from such certs have recently become onerous.
Comment 2 Wan-Teh Chang 2002-10-29 15:48:11 PST
Assigned the bug to Ian.
Comment 3 Ian McGreer 2002-11-20 17:50:40 PST
Created attachment 106971
block import of different certs with same issuer/sn as existing certs


Both certutil and pk12util went through CERT_NewTempCertificate, and the error
was caught there.  I changed a line in libpkcs12 to pick up the correct error
code.  I imagine most cases will be handled this way, as the only other way to
create a cert from a DER is to use the deprecated __CERT_DecodeDERCertificate.

Just to be safe, I changed certutil to call DecodeDER and then PK11_Import; the
error was caught in that code path in the same way.
Comment 4 Nelson Bolyard (seldom reads bugmail) 2002-11-20 19:22:56 PST
Thanks for the patch, Ian.  One comment:

Let's not call this new error SEC_ERROR_CERT_ALREADY_EXISTS.  
That's going to cause misunderstanding.  
Let's call it SEC_ERROR_DUPLICATE_ISSUER_AND_SERIAL or
SEC_ERROR_REUSED_ISSUER_AND_SERIAL or something similar.
Comment 5 Ian McGreer 2002-11-21 08:10:14 PST
Created attachment 107023
rename error code
Comment 6 Ian McGreer 2002-11-21 12:44:31 PST
I checked the second patch in to the tip.
Comment 7 Nelson Bolyard (seldom reads bugmail) 2002-11-25 14:57:08 PST
Ian,  
Above, you wrote that you've checked the patch into the trunk.
Is this bug fixed now?  
Comment 8 Robert Relyea 2002-11-25 15:41:00 PST
*** Bug 99422 has been marked as a duplicate of this bug. ***
Comment 9 Ian McGreer 2002-12-02 09:34:55 PST
Yes, it is.
Comment 10 Ken Snider 2003-02-26 13:06:04 PST
Ok. Scenario for you.

Our IMAP mailserver uses the same SSL Cert for both SMTP and IMAP (it's the same
box, same CN). Since 1.3a, we've been unable to use SMTP TLS if we've connected
to IMAP via TLS.

Did this patch potentially cause this issue?
Comment 11 Wan-Teh Chang 2004-02-24 18:07:23 PST
*** Bug 39495 has been marked as a duplicate of this bug. ***