CERT_FindUserCertsByUsage does not find PKCS11 cert on token if CommonName has a colon
Categories
(NSS :: Libraries, defect)
Tracking
(Not tracked)
People
(Reporter: bugzilla, Unassigned)
Details
Steps to reproduce:
Tried to find a certificate on a smart card token issued by Identrust ECA. OpenSC, pkcs11-tool, etc. can find, access, and use the certificate without a problem. The determining factor is that the certificate Common Name has a colon, like "JOHN Q SMITH:A01087D00000297..."
Actual results:
No certificate is found, even though the certificate is on the token and NSS is successfully accessing and cataloging the token. A small change to pk11cert.c allows the certificate to be found successfully.
Expected results:
The certificate should have been found - an X.509 CommonName is defined as an ASN.1 PrintableString, which allows the colon character.
I've seen #390184 and #251594, so I know the waters are deeper than what I can see with my one example. I was able to "fix the glitch" for my case, TBD whether the fix could be acceptable in general.
The find mechanism works for this card if I change the determination of delim in pk11cert.c:find_certs_from_nickname() from PORT_Strchr to PORT_Strrchr - take the last colon instead of the first one. I'm not sure I'm following what happens in other cases - in pki3hack.c:STAN_GetCERTCertificateNameForInstance() I would have expected that the token name doesn't get added if it contains a colon, but the or (||) in the check makes me think it will.
Another possibility might be to use some separator other than colon for the internal concatenation/separation of the nickname. For Common Name in particular, ASN.1 PrintableString excludes a number of printable ASCII characters like ~, , |, etc. If any of those could also reasonably be excluded as part of a database name and token name then it could be used as the separator, and the split function would never split a standard-compliant Common Name. It looks like the internal separator is defined/used in a small number of places within NSS (pki3hack.c, pk11obj.c, and pk11cert.c). But I don't have insight into whether the use of colon ends up being duplicated/relied upon in applications.
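An added example, written for this page and not taken from NSS or from the reporter, that models the "token:nickname" split the report describes for pk11cert.c:find_certs_from_nickname(). It shows what first-colon (strchr) and last-colon (strrchr) splitting each do when the CommonName itself contains a colon, with and without a token prefix, and adds a third splitter that only accepts a prefix when it names a token the system actually has, otherwise treating the whole string as the nickname. The token list, the CommonName and the helper names (split_at_colon, split_validated, lookup_would_succeed, known_tokens) are all constructed for the example and are not NSS identifiers.

```c
/* Added example, not NSS code. Models the "token:nickname" split described in
 * the report to show how a CommonName containing a colon is handled by a
 * first-colon split, a last-colon split, and a split that validates the token
 * prefix first. Token names and the CommonName are constructed sample data. */
#include <stdio.h>
#include <string.h>

#define MAX_NAME 128

/* Constructed list of token names the "system" knows about. */
static const char *const known_tokens[] = { "NSS Certificate DB", "Identrust ECA" };

/* Does a token named by the first len bytes of name exist? */
static int token_exists(const char *name, size_t len)
{
    for (size_t i = 0; i < sizeof known_tokens / sizeof known_tokens[0]; i++) {
        if (strlen(known_tokens[i]) == len && memcmp(known_tokens[i], name, len) == 0)
            return 1;
    }
    return 0;
}

/* Split input at the first (use_last == 0) or last (use_last != 0) colon.
 * token is set to "" when no colon is present. Returns 1 if a split happened. */
static int split_at_colon(const char *input, int use_last, char *token, char *nick)
{
    const char *delim = use_last ? strrchr(input, ':') : strchr(input, ':');
    if (!delim) {
        token[0] = '\0';
        snprintf(nick, MAX_NAME, "%s", input);
        return 0;
    }
    size_t tlen = (size_t)(delim - input);
    if (tlen >= MAX_NAME)
        tlen = MAX_NAME - 1;
    memcpy(token, input, tlen);
    token[tlen] = '\0';
    snprintf(nick, MAX_NAME, "%s", delim + 1);
    return 1;
}

/* Validated split: accept a first-colon split only when the prefix names a
 * known token; otherwise the whole string is the certificate nickname. */
static int split_validated(const char *input, char *token, char *nick)
{
    const char *delim = strchr(input, ':');
    if (delim && token_exists(input, (size_t)(delim - input)))
        return split_at_colon(input, 0, token, nick);
    token[0] = '\0';
    snprintf(nick, MAX_NAME, "%s", input);
    return 0;
}

/* Returns 1 when the split names a real token (or no token at all) and leaves
 * the full CommonName cn as the nickname to look up, i.e. the cert would be found. */
static int lookup_would_succeed(const char *token, const char *nick, const char *cn)
{
    return (token[0] == '\0' || token_exists(token, strlen(token))) && strcmp(nick, cn) == 0;
}

static void show(const char *label, const char *token, const char *nick, const char *cn)
{
    printf("%-28s token=\"%s\" nick=\"%s\" -> %s\n", label, token, nick,
           lookup_would_succeed(token, nick, cn) ? "found" : "NOT found");
}

int main(void)
{
    const char *cn = "JOHN Q SMITH:A01087D00000297"; /* constructed CN with a colon */
    char prefixed[MAX_NAME];
    char token[MAX_NAME], nick[MAX_NAME];
    snprintf(prefixed, sizeof prefixed, "Identrust ECA:%s", cn);

    split_at_colon(cn, 0, token, nick);       show("first colon, bare CN",     token, nick, cn);
    split_at_colon(cn, 1, token, nick);       show("last colon, bare CN",      token, nick, cn);
    split_at_colon(prefixed, 0, token, nick); show("first colon, token:CN",    token, nick, cn);
    split_at_colon(prefixed, 1, token, nick); show("last colon, token:CN",     token, nick, cn);
    split_validated(cn, token, nick);         show("validated, bare CN",       token, nick, cn);
    split_validated(prefixed, token, nick);   show("validated, token:CN",      token, nick, cn);
    return 0;
}
```

With a single colon in the CN, the first- and last-colon splits of the bare CommonName are identical and both turn "JOHN Q SMITH" into a nonexistent token name; the last-colon split also breaks the prefixed form once the CN carries its own colon. Checking the prefix against the known token names before accepting the split resolves both shapes without changing the separator character.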