Closed Bug 220016 Opened 21 years ago Closed 21 years ago

certutil and PP print bogus cert fingerprints

Categories

(NSS :: Tools, defect, P1)

Product:
NSS
Component:
Tools
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: nelson, Assigned: nelson)

Details

Attachments

(2 files)

patch v1
788 bytes, patch
Details | Diff | Splinter Review
patch v2
779 bytes, patch
Details | Diff | Splinter Review 
All recent versions of certutil and PP print the same exact MD5 and SHA1
fingerprint values for ALL certificates, regardless of their content.

I believe this bug is a regression that was introduced by the fix for bug 45303,
which was checked in in the summer of 2000.  Likely all versions of NSS 3.x
beginning with 3.1 or 3.2 have had this bug.  

The fix is tiny.  Patch to follow.
Marking P1 for 3.9.
Status: NEW → ASSIGNED
Priority: -- → P1
Target Milestone: --- → 3.9
Attached patch patch v1Splinter Review 
This patch keeps the output format the same as it was in NSS 3.8, but fixes
the computed fingerprint values.  

But to be honest, I think the fingerprint should be displayed after the
signature, not before.	If we aren't required to preserve the format of the
output exactly,
(and I think we are not) then I would rather move the Fingerprints down.
Attached patch patch v2Splinter Review 
This alternative patch causes the fingerprints to appear immediately after
the signature, not before it.  I invite review comments on either patch.
Before the changes for bug 45303, certutil printed the fingerprints last,
after the cert and the trust flags, and pp printed neither fingerprints nor
trust flags.  With my patch v2, both certutil and pp print the fingerprints
immediately after the signature, and certutil additionally prints the trust
flags.  

I will checkin patch v2 shortly.
Checked in patch v2.  Marking fixed.  
Some question remains about whether NSS fingerprints will now match OpenSSL
fingerprints.  If they do not, I will reopen this bug.
Status: ASSIGNED → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Comment on attachment 131925 [details] [diff] [review]
patch v2

>@@ -2386,6 +2385,7 @@
>     SECU_PrintAsHex(out, &sd->signature, "Signature", level+1);
> loser:
>     PORT_FreeArena(arena, PR_FALSE);
>+    SECU_PrintFingerprints(out, der, "Fingerprint", level+1);
>     return rv;

Would it be more correct to print the fingerprints before the "loser"
label?
Comment on attachment 131924 [details] [diff] [review]
patch v1

>@@ -2377,6 +2376,7 @@
> 
>     SECU_Indent(out, level); fprintf(out, "%s:\n", m);
>     rv = (*inner)(out, &sd->data, "Data", level+1);
>+    SECU_PrintFingerprints(out, der, "Fingerprint", level+1);
>     if (rv) 
> 	goto loser;

Similar comment: I think it would be better to move
SECU_PrintFingerprints() after "goto loser;".
The print functions should attempt to print all they can.  
They should NOT "bail out" on the first error, but rather go on and 
attempt to print whatever they can.
In this case, even if the attempt to parse the signed portion of the
certificate fails, it is still possible to compute and display the 
fingerprint of the der cert, and that's what these patches do.
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: