Bug 219082: Support for GeneralizedTime in PKCS#7 signatures
Opened 21 years ago; closed 21 years ago
Status: RESOLVED FIXED
Categories: NSS :: Libraries, defect
Tracking: Not tracked
People: Reporter: julien.pierre, Assigned: wtc
Attachments: 1 file, 1 obsolete file (patch, 2.95 KB; nelson: review+, wtc: superreview+)
Currently, we only support the UTCTime encoding, which can only encode dates up to the year 2049. We need to support a CHOICE of either UTCTime or GeneralizedTime. I have been working on some patches for this library, which I will attach, but so far the NSS tests fail with them, even at current dates.
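An added example, not part of the bug report or of NSS code, showing the Time CHOICE the description asks for: the encoder picks UTCTime for years 1950 to 2049 and GeneralizedTime otherwise, and the decoder dispatches on the tag. The function names are hypothetical; the 1950 to 2049 split and the two-digit-year pivot follow the CMS signing-time rule (RFC 5652), which the page itself does not quote.

```c
#include <stdio.h>
#include <string.h>
/* Added illustration with hypothetical names; none of this is NSS API. */
#define TAG_UTCTIME         0x17 /* body is YYMMDDHHMMSSZ   */
#define TAG_GENERALIZEDTIME 0x18 /* body is YYYYMMDDHHMMSSZ */
/* Encode a UTC timestamp as the Time CHOICE: UTCTime for 1950..2049, else
 * GeneralizedTime. Returns bytes written to out (up to 17), -1 if invalid. */
int encode_time_choice(int year, int mon, int day, int hh, int mm, int ss,
                       unsigned char *out)
{
    char body[32];
    int utc = (year >= 1950 && year <= 2049), n;
    if (year < 0 || year > 9999 || mon < 1 || mon > 12 || day < 1 ||
        day > 31 || hh < 0 || hh > 23 || mm < 0 || mm > 59 || ss < 0 || ss > 59)
        return -1;
    n = utc ? snprintf(body, sizeof body, "%02d", year % 100)
            : snprintf(body, sizeof body, "%04d", year);
    n += snprintf(body + n, sizeof body - (size_t)n, "%02d%02d%02d%02d%02dZ",
                  mon, day, hh, mm, ss);
    out[0] = utc ? TAG_UTCTIME : TAG_GENERALIZEDTIME;
    out[1] = (unsigned char)n; /* short-form length: 13 or 15 */
    memcpy(out + 2, body, (size_t)n);
    return n + 2;
}

/* Decode either alternative by tag; returns the 4-digit year or -1. */
int decode_time_choice_year(const unsigned char *der, size_t len)
{
    int ydigits, year = 0, i;
    if (len < 2) return -1;
    if (der[0] == TAG_UTCTIME && der[1] == 13) ydigits = 2;
    else if (der[0] == TAG_GENERALIZEDTIME && der[1] == 15) ydigits = 4;
    else return -1;
    if (len != (size_t)der[1] + 2 || der[len - 1] != 'Z') return -1;
    for (i = 2; i < (int)len - 1; i++)
        if (der[i] < '0' || der[i] > '9') return -1;
    for (i = 0; i < ydigits; i++)
        year = year * 10 + (der[2 + i] - '0');
    /* UTCTime has a two-digit year: 50..99 is 19YY, 00..49 is 20YY. */
    return ydigits == 2 ? year + (year >= 50 ? 1900 : 2000) : year;
}

int main(void)
{
    unsigned char buf[17];
    int n = encode_time_choice(2050, 1, 1, 0, 0, 0, buf);
    printf("tag 0x%02x, year %d\n", buf[0], decode_time_choice_year(buf, (size_t)n));
    return 0;
}
```

A decoder that accepts only tag 0x17 rejects the 2050 value outright, which is the gap the report describes.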
Comment 1 • 21 years ago (Reporter)
This patch is not complete, but I'm attaching it so it doesn't get lost. Specifically in the following code: case SEC_OID_PKCS9_SIGNING_TIME: encoded = PR_FALSE; - theTemplate = SEC_ASN1_GET(SEC_UTCTimeTemplate); + /* theTemplate = SEC_ASN1_GET(CERT_InlineTimeChoiceTemplate); */ + theTemplate = SEC_ASN1_GET(SEC_UTCTimeTemplate); break; If I use the CERT_InlineTimeChoiceTemplate instead of SEC_UTCTimeTemplate, things break when decoding. I have not figured out why. I believe the encoding step works OK with that template. If anyone has an idea about the failure, let me know. I spent quite a few hours on it already.
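Review bot: In the SEC_OID_PKCS9_SIGNING_TIME case, the choice template is added only as a commented-out line and the active assignment is still SEC_ASN1_GET(SEC_UTCTimeTemplate), so the hunk as posted leaves signing-time handling unchanged and introduces dead code. Before check-in, either drop the commented-out line or make the choice template the active assignment, with a short comment above it saying that the attribute is a CHOICE of UTCTime or GeneralizedTime.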
Comment 2 • 21 years ago (Reporter)
Nelson and I spent quite a few more hours figuring out the problems. We finally got to the bottom of it.

When verifying a PKCS#7 signature, the BER message is first decoded then some attributes are re-encoded as DER. The failure was occurring in the encoder. We spent a lot of time looking at the case of encoding choices of choices (!).

In the CERT_TimeChoiceTemplate, the last field (size) does not indicate the size of the discriminant object, but rather the size of the entire structure to be encoded or decoded. I had the field set to sizeof(SECItemType) after initial review of my patch for certs. But it needed to be sizeof(SECItem). That fixed the problem with the tests and I was able to use the new template for both encoding and decoding.

I am now able to run all the tests successfully, both at the current date and in the future after 2050. Nelson also helped me fix the test scripts so that certutil generates certs with expiration dates 50 years in the future.

FYI, I don't need to use the CERT_InlineTimeChoiceTemplate, CERT_TimeChoiceTemplate is OK. I'll remove the former since it's unused.
Comment 3 • 21 years ago (Reporter)
Attachment #131640 - Attachment is obsolete: true
Updated • 21 years ago (Reporter)
Attachment #131652 - Flags: superreview?(wchang0222)
Attachment #131652 - Flags: review?(MisterSSL)
Comment 4 • 21 years ago (Assignee)
Comment on attachment 131652: working patch, depends on bug 143334 fix
This patch looks good. r=wtc.
Attachment #131652 - Flags: superreview?(wchang0222) → superreview+
Comment 5 • 21 years ago
Comment on attachment 131652: working patch, depends on bug 143334 fix
r=MisterSSL I need to memorize Julien's excellent document about the ASN1 encoder/decoder templates. :)
Attachment #131652 - Flags: review?(MisterSSL) → review+
Comment 6 • 21 years ago (Reporter)
Fixed.
Checking in p7create.c;
/cvsroot/mozilla/security/nss/lib/pkcs7/p7create.c,v <-- p7create.c
new revision: 1.4; previous revision: 1.3
done
Checking in p7decode.c;
/cvsroot/mozilla/security/nss/lib/pkcs7/p7decode.c,v <-- p7decode.c
new revision: 1.11; previous revision: 1.10
done
Checking in p7local.c;
/cvsroot/mozilla/security/nss/lib/pkcs7/p7local.c,v <-- p7local.c
new revision: 1.6; previous revision: 1.5
done
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED