Closed Bug 219082 Opened 22 years ago Closed 22 years ago

Support for GeneralizedTime in PKCS#7 signatures

Categories

(NSS :: Libraries, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: julien.pierre, Assigned: wtc)

References

Details

Attachments

(1 file, 1 obsolete file)

Currently, we only support the UTCTime encoding, which can only encode dates up to the year 2049. We need to support a CHOICE of either UTCTime or GeneralizedTime. I have been working on some patches for this library, which I will attach, but so far the NSS tests fail with them, even at current dates.
Attached patch: preliminary patch (obsolete)
This patch is not complete, but I'm attaching it so it doesn't get lost. Specifically in the following code: case SEC_OID_PKCS9_SIGNING_TIME: encoded = PR_FALSE; - theTemplate = SEC_ASN1_GET(SEC_UTCTimeTemplate); + /* theTemplate = SEC_ASN1_GET(CERT_InlineTimeChoiceTemplate); */ + theTemplate = SEC_ASN1_GET(SEC_UTCTimeTemplate); break; If I use the CERT_InlineTimeChoiceTemplate instead of SEC_UTCTimeTemplate, things break when decoding. I have not figured out why. I believe the encoding step works OK with that template. If anyone has an idea about the failure, let me know. I spent quite a few hours on it already.
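Review bot: as posted, the SEC_OID_PKCS9_SIGNING_TIME hunk is a no-op: the `-` line and the second `+` line both assign SEC_ASN1_GET(SEC_UTCTimeTemplate), and the CHOICE template appears only inside a comment, so signingTime is still encoded and decoded as UTCTime and dates from 2050 on remain unrepresentable. Either make the commented-out CERT_InlineTimeChoiceTemplate assignment the live one and drop the UTCTime line, or mark the hunk as a placeholder so nobody lands it believing the CHOICE is in effect; the decode failure described in the comment still needs a root cause before the live assignment can be switched.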
Nelson and I spent quite a few more hours figuring out the problems. We finally got to the bottom of it.

When verifying a PKCS#7 signature, the BER message is first decoded, then some attributes are re-encoded as DER. The failure was occurring in the encoder. We spent a lot of time looking at the case of encoding choices of choices (!).

In the CERT_TimeChoiceTemplate, the last field (size) does not indicate the size of the discriminant object, but rather the size of the entire structure to be encoded or decoded. I had the field set to sizeof(SECItemType) after initial review of my patch for certs. But it needed to be sizeof(SECItem). That fixed the problem with the tests and I was able to use the new template for both encoding and decoding.

I am now able to run all the tests successfully, both at the current date and in the future after 2050. Nelson also helped me fix the test scripts so that certutil generates certs with expiration dates 50 years in the future.

FYI, I don't need to use the CERT_InlineTimeChoiceTemplate; CERT_TimeChoiceTemplate is OK. I'll remove the former since it's unused.
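The UTCTime/GeneralizedTime CHOICE discussed in the bug description and in the comment above, as an added example that is not NSS code and does not use NSS's ASN.1 templates: a stand-alone Python DER encoder and decoder for the ASN.1 Time CHOICE that applies the 1950..2049 selection rule, dispatches on the tag when decoding, and shows what a UTCTime-only encoder (the pre-fix behaviour) does with a date past 2049. The two sample timestamps are constructed for the example; `encode_time`, `encode_time_utc_only` and `decode_time` are names chosen here, not NSS functions.

```python
# Added example, not NSS code: DER encoding/decoding of the ASN.1 Time CHOICE
#   Time ::= CHOICE { utcTime UTCTime, generalTime GeneralizedTime }
# using only the standard library. It shows the selection rule a DER encoder
# must apply and what a UTCTime-only encoder does to a date after 2049.
from datetime import datetime, timezone

UTC_TIME_TAG = 0x17          # UNIVERSAL 23, UTCTime:         "YYMMDDHHMMSSZ"
GENERALIZED_TIME_TAG = 0x18  # UNIVERSAL 24, GeneralizedTime: "YYYYMMDDHHMMSSZ"


def _der_tlv(tag, body):
    # Time strings are always far shorter than 128 bytes, so the short-form
    # length octet is enough.
    if len(body) >= 128:
        raise ValueError("body too long for short-form length")
    return bytes([tag, len(body)]) + body


def _require_utc(dt):
    off = dt.utcoffset()
    if off is None or off.total_seconds() != 0:
        raise ValueError("DER time values must be in UTC (Zulu)")


def encode_time(dt):
    """DER rule (RFC 5280 4.1.2.5, also used by PKCS#7/CMS): UTCTime for
    1950..2049, GeneralizedTime for any other year. This is the CHOICE
    the patch in this bug adds."""
    _require_utc(dt)
    if 1950 <= dt.year <= 2049:
        return _der_tlv(UTC_TIME_TAG, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    return _der_tlv(GENERALIZED_TIME_TAG, dt.strftime("%Y%m%d%H%M%SZ").encode("ascii"))


def encode_time_utc_only(dt):
    """The pre-fix behaviour: always UTCTime. The two-digit year makes a
    2050+ date indistinguishable from one in 1950..1999."""
    _require_utc(dt)
    return _der_tlv(UTC_TIME_TAG, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))


def decode_time(der):
    """Branch on the tag, as a CHOICE decoder must, and reject anything
    that is not one of the two alternatives."""
    if len(der) < 2:
        raise ValueError("truncated")
    tag, length = der[0], der[1]
    if length >= 128 or len(der) != 2 + length:
        raise ValueError("bad length")
    text = der[2:].decode("ascii")
    if not text.endswith("Z"):
        raise ValueError("DER requires the Z suffix")
    if tag == UTC_TIME_TAG:
        if len(text) != 13:
            raise ValueError("UTCTime must be YYMMDDHHMMSSZ")
        yy = int(text[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy   # the 50/49 pivot
        rest = text[2:-1]
    elif tag == GENERALIZED_TIME_TAG:
        if len(text) != 15:
            raise ValueError("GeneralizedTime must be YYYYMMDDHHMMSSZ")
        year = int(text[:4])
        rest = text[4:-1]
    else:
        raise ValueError("tag 0x%02x is not a member of the Time CHOICE" % tag)
    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


# Constructed sample timestamps: a signing time at roughly the date of this
# bug and a certificate expiry 50 years later, like the ones the fixed test
# scripts have certutil generate.
SIGNING_TIME = datetime(2003, 9, 12, 12, 0, 0, tzinfo=timezone.utc)
FAR_FUTURE = datetime(2053, 9, 12, 12, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for dt in (SIGNING_TIME, FAR_FUTURE):
        der = encode_time(dt)
        print(der.hex(), "->", decode_time(der).isoformat())
    wrapped = decode_time(encode_time_utc_only(FAR_FUTURE))
    print("UTCTime-only encoding of 2053 decodes as", wrapped.isoformat())
```

The tag octet is the discriminant here; a decoder has to read it before it can interpret the year digits, which is why handing a GeneralizedTime value to a decoder that only knows the UTCTime template fails rather than degrading gracefully. The round trip through `encode_time_utc_only` shows the quieter failure on the encoding side: a 2053 expiry comes back as 1953 with no error at all.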
Attachment #131640 - Attachment is obsolete: true
Attachment #131652 - Flags: superreview?(wchang0222)
Attachment #131652 - Flags: review?(MisterSSL)
Comment on attachment 131652: working patch, depends on bug 143334 fix
This patch looks good. r=wtc.
Attachment #131652 - Flags: superreview?(wchang0222) → superreview+
Comment on attachment 131652: working patch, depends on bug 143334 fix
r=MisterSSL I need to memorize Julien's excellent document about the ASN1 encoder/decoder templates. :)
Attachment #131652 - Flags: review?(MisterSSL) → review+
Depends on: 143334
Fixed.

Checking in p7create.c;
/cvsroot/mozilla/security/nss/lib/pkcs7/p7create.c,v <-- p7create.c
new revision: 1.4; previous revision: 1.3
done
Checking in p7decode.c;
/cvsroot/mozilla/security/nss/lib/pkcs7/p7decode.c,v <-- p7decode.c
new revision: 1.11; previous revision: 1.10
done
Checking in p7local.c;
/cvsroot/mozilla/security/nss/lib/pkcs7/p7local.c,v <-- p7local.c
new revision: 1.6; previous revision: 1.5
done
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED