Closed Bug 221646 (Opened 21 years ago, Closed 21 years ago)
NSS fails 2 NIST test cases for Name Constraints.
Categories: NSS :: Libraries, defect, P2
Tracking: (Not tracked)
Status: VERIFIED FIXED
Target Milestone: 3.9
People: (Reporter: nelson, Assigned: nelson)
Attachments (1 file, 1 obsolete file): patch, 4.80 KB, wtc: review+
Section 4.13: Name Constraints. 38 test cases.
NSS fails 2 cases. Is this a recent regression (last week or two)?
19: involves a self-issued cert. NSS says it's bad, NIST says good.
Given that it's self issued, I don't think we care.
36: URI name constraints. NSS says it fails, NIST says it's good.
Comment 1 • 21 years ago
I checked with an NSS of a month ago, as well as of 2 months ago. I get the same
results as reported here. This is not a regression. Sorry, misread the results
last time.
Comment 2 • 21 years ago
taking bug for NSS 3.9
Assignee: wchang0222 → MisterSSL
Priority: -- → P2
Target Milestone: --- → 3.9
Comment 3 • 21 years ago
Case 36, reported above, does indeed reveal a flaw in NSS's new name
constraints code.
The constraint is an excluded URI name: "invalidcertificates.gov"
and the EE's URI is "http://testserver.invalidcertificates.gov/index.html".
NSS concludes that the URI matches the constraint, and it is therefore excluded.
But RFC 3280 says (pg 38): "When the constraint does not begin with a period,
it specifies a host", (i.e., it does not specify a domain). So, this is a
false match.
I will develop a patch for this.
Status: NEW → ASSIGNED
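As an added example (not part of this bug's patch or of NSS's own code), the host-versus-domain rule from RFC 3280 quoted above, applied to the two cases the thread mentions: a constraint without a leading period names exactly one host, so "testserver.invalidcertificates.gov" is not covered by "invalidcertificates.gov", and "www.foo.bar.com" is not covered by "foo.bar.com". The URI shape the helper parses (scheme://[userinfo@]host[:port]/...) is an assumption of the example.

```c
#include <ctype.h>
#include <string.h>

/* Case-insensitive equality of two NUL-terminated strings. */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Copy the host part of a URI into buf. Assumed URI shape (not from the bug):
 * scheme://[userinfo@]host[:port][/path][?query][#fragment].
 * Returns 0 on success, -1 if no host can be found or it does not fit. */
static int uri_host(const char *uri, char *buf, size_t buflen)
{
    const char *p = strstr(uri, "://");
    if (p == NULL) return -1;
    p += 3;
    size_t authlen = strcspn(p, "/?#");     /* length of the authority part */
    const char *at = memchr(p, '@', authlen);
    if (at != NULL)
        p = at + 1;                         /* skip userinfo */
    size_t n = strcspn(p, ":/?#");          /* host ends at the port or path */
    if (n == 0 || n >= buflen) return -1;
    memcpy(buf, p, n);
    buf[n] = '\0';
    return 0;
}

/* Match one URI against one RFC 3280 URI name constraint. A constraint with
 * a leading '.' names a domain and is satisfied by any proper subdomain; one
 * without it names a single host and is satisfied only by that exact host.
 * Empty constraints are not handled. Returns 1 match, 0 no match, -1 no host. */
int uri_matches_constraint(const char *uri, const char *constraint)
{
    char host[256];
    if (uri_host(uri, host, sizeof host) != 0)
        return -1;
    size_t hl = strlen(host), cl = strlen(constraint);
    if (constraint[0] == '.') {
        if (hl <= cl)                       /* "xyz.com" does not satisfy ".xyz.com" */
            return 0;
        return ieq(host + hl - cl, constraint);
    }
    return ieq(host, constraint);           /* host constraint: exact match only */
}
```

With an excluded-subtree constraint, a result of 0 means the name is not excluded, which is the outcome NIST expects for case 36.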
Comment 4 • 21 years ago
This patch creates separate comparison functions for URI and DNS names,
and makes them match the RFC3280 description more exactly.
This addresses the problem in test case 36, not case 19.
Updated • 21 years ago
Attachment #135527 - Flags: review?(wchang0222)
Comment 5 • 21 years ago
Adding Wan-Teh to CC list. Wan-Teh, please review the above patch.
Comment 6 • 21 years ago
I see one comment line that must be fixed for the URI comparison function.
The line that reads:
** foo.bar.com www.foo.bar.com matches
should read
** foo.bar.com www.foo.bar.com no match
Comment 7 • 21 years ago
This patch corrects comments, and the behavior of empty URI constraints.
Attachment #135527 - Attachment is obsolete: true
Updated • 21 years ago
Attachment #135528 - Flags: review?(wchang0222)
Comment 8 • 21 years ago
Comment on attachment 135527 [details] [diff] [review]
patch v1
This obsolete patch no longer needs to be reviewed. However, its successor does
need review.
Attachment #135527 - Flags: review?(wchang0222)
Comment 9 • 21 years ago
Comment on attachment 135528 [details] [diff] [review]
patch v2
r=wtc.
Attachment #135528 - Flags: review?(wchang0222) → review+
Comment 10 • 21 years ago
Patch v2 above is checked in. It fixes test case 36.
Steve Hanna and I discussed test case 19 briefly today, and I am going to
take a fresh look at that bug (and other bugs involving self-issued certs)
in light of his comments. So, I am leaving this bug open until I know
what we can/will do about test case 19.
Comment 11 • 21 years ago
I am going to mark this bug fixed in NSS 3.9.
I am going to file a separate bug about NIST tests with self-signed certs
in the chain.
Status: ASSIGNED → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Comment 12 • 21 years ago
NSS now passes all NIST nameConstraints tests, hence marking this VERIFIED. This
duplicates the VERIFIED in 231030 (NSS 3.9.1 target).
Status: RESOLVED → VERIFIED