Closed Bug 220855 Opened 21 years ago Closed 21 years ago

CERT_NameToAscii fails when cert name attribute too long

Categories

(NSS :: Libraries, defect, P3)

Product:
NSS
Component:
Libraries
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: nelson, Assigned: nelson)

References

Details

Attachments

(2 files, 1 obsolete file)

cert with too-long OU in subject name (base64)
1.09 KB, text/plain
Details
patch v2
1.24 KB, patch
wtc
: review+
Details | Diff | Splinter Review 
The End Entity cert for NIST test 4.3.10, which is in a file named
ValidRolloverfromPrintableStringtoUTF8StringTest10EE.crt, has a
commonName attribute in the Subject Name that is 71 characters long. 
The commonName in question is:

Valid Rollover from PrintableString to UTF8String EE Certificate Test10 

NSS fails this test in two different ways.  This bug report is about one
of those failures.

NSS is unable to print the subject name of that cert because of the length
of the commonName attribute.  

RFC 3280 defines upper bounds for the lengths of the various attribute 
types in a Name.  The bound for a commonName attribute is 64 characters.  

NSS enforces that limit in CERT_CreateAVA and in CERT_NameToAscii.  
Both operations simply fail if any attribute's length exceeds its respective
upper bound.  If any attribute is too long, CERT_NameToAscii returns NULL.
It doesn't return a string that contains any useful information about the
other attributes, or about the attribute that was too long.  I think that's
bad.  

Some alternatives for CERT_NameToAscii are:

1. when an attribute is too long, simply truncate it to the maximum length,
and go on.

2. when an attribute is too long, display "Value Too Long" instead of the 
actual value.

3. remove the length checks entirely

4. Raise the length limits so that no limit is less than, say, 128 or 256.
*** Bug 216119 has been marked as a duplicate of this bug. ***
Nelson, now that NIST acknowledged that that test was
incorrect, I think this bug can be resolved INVALID,
right?  Do we want to be more lenient about the length
of cert name attributes?
I propose to implement alternative #1 above in time for NSS 3.9.
It should only be a few lines of code, and it will make the programs that
depend on this function MUCH more useful in the presence of certs that are
slightly out of spec.
Status: NEW → ASSIGNED
Priority: -- → P3
Summary: NIST test failure when cert name attribute too long → CERT_NameToAscii fails when cert name attribute too long
Target Milestone: --- → 3.9
Retargetting to 3.9.1.  Patch forthcoming.
Target Milestone: 3.9 → 3.9.1
Attached patch patch v1 (obsolete) — Splinter Review 
truncate too-long strings, and change last character to "!" to signify
truncation.
This cert demonstrates the problem and shows the fix.
Comment on attachment 139540 [details]
cert with too-long OU in subject name (base64)

Wan-Teh, please review.
Attachment #139540 - Flags: review?(wchang0222)
Comment on attachment 139540 [details]
cert with too-long OU in subject name (base64)

sorry, wrong attachment.
Attachment #139540 - Flags: review?(wchang0222)
Comment on attachment 139538 [details] [diff] [review]
patch v1

Wan-Teh, please review.
Attachment #139538 - Flags: review?(wchang0222)
Comment on attachment 139538 [details] [diff] [review]
patch v1

Adding "!" is not a strong enough indication that
the string has been truncated.	First, some company
names, for example, "Yahoo!", contain "!".  Second,
this cannot be detected programmatically.  Why don't
we add an error code to report this condition?

>+	** XXX Perhaps we should see if we're in the middle of a 
>+	** multi-byte UTF8 character.

This is an issue.
Wan-Teh, previouslt this code did detect the condition and report it with 
an error.  This patch changes it to not do that, and display something 
useful to a user instead.  

This function is used to generate strings that are displayed, e.g. by 
certutil or pp.  The present code (which outputs an error and no string)
makes it impossible for a user of those programs to see the name in a 
cert that contains an invalid (too long) name attribute.  

The point of this patch is to give the user a readable useful string, 
while still calling attention to the error in a humanly readable way.

As for being programmatically detectable, I submit that there are other
APIs that should be used for that purpose.  

I will look into the UTF8 issue.
Thanks for the explanation.

I think "..." is a more common indication of truncation
than "!".

Is the string in question always UTF-8?
taking bug.
Assignee: wchang0222 → MisterSSL
Status: ASSIGNED → NEW
Attached patch patch v2Splinter Review 
Deal with multi-byte UTF9 characters.  
Add elipsis (...) to show string too long.
Attachment #139538 - Attachment is obsolete: true
Attachment #139538 - Flags: review?(wchang0222)
Comment on attachment 139638 [details] [diff] [review]
patch v2

Wan-Teh, please review.
This patch addresses your review comments to the previous patch.
Attachment #139638 - Flags: review?(wchang0222)
Before and after pictures:
Before:
        Subject:
            "!Invalid AVA!"

After:  (slightly edited here to preserve some anonymity of cert holder)
        Subject:
            "CN=www.br****way.tv,OU=Domain Control Validated,OU=See www.geo**
            ***.com/qu****sl/cps (c)03,OU=Business Registration: https://serv
            ices.****c****nt.net/get.jsp?...,O=www.br****way.tv,C=US"
See the ellipsis ------------------------^^^
The results are much more useful.
Comment on attachment 139638 [details] [diff] [review]
patch v2

r=wtc.

1. I find the test (avaValue->len > maxLen + 3) a little
hard to understand. I would write the test like this:

    if (avaValue->len > maxLen) {
	maxLen -= 3; /* must be room for "..." */

2. I don't know how to detect whether we are in the middle
of a multi-byte UTF-8 character, so I'll trust that your
test ((xxx & 0xc0) == 0x80) is correct.

3. Does maxLen mean the number of bytes or the number of
UTF-8 characters?
Attachment #139638 - Flags: review?(wchang0222) → review+
Comment on attachment 139638 [details] [diff] [review]
patch v2

If maxLen may be < 3, my proposed rewrite may reduce maxLen
below 0.  To address that will make the code complicated and
Nelson's version will turn out to be simpler.
Answers to comment 17

1. The new code wants to display up to maxLen characters from the original 
string, PLUS 3 dots, so that is what the test tests.  To avoid reallocating, 
we ensure that the existing string has room for the 3 dots.  Yes, this means 
that if a string exceeds maxLen by only 1 or 2, we let it slide.

2. The test I used was taken from John Meyer's new UTF8 parser code.  That
code expects the first byte to encode the length of the rest, and the 
remaining bytes will match the test given.

3. I have wondered about this myself.  I have not found an authoritative 
answer to this question.  As implemented, maxLen means bytes.  

This could be changed.  I have thought about implementing special NSS UTF8
functions that return the character count in a UTF8 string (UTF8_strlen), 
or copy a UTF8 string up to some character limit (UTF8_strncpy).  

A related question is: how should command line tools display UTF8 strings? 
e.g. What (if anything) can pp or certutil do to cause the charaacters to 
be displayed properly ?

For Comment 18:

That's why I want to display the elipsis _after_ the allowed length of 
characters.
/cvsroot/mozilla/security/nss/lib/certdb/alg1485.c,v  <--  alg1485.c
new revision: 1.19; previous revision: 1.18
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
(In reply to comment #19)
> A related question is: how should command line tools display UTF8 strings? 
> e.g. What (if anything) can pp or certutil do to cause the charaacters to 
> be displayed properly ?

If you don't want to assume UTF-8, you could use something like
iconv_open("char", "UTF-8") to convert to the locale's charset.
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: