Closed Bug 221646 Opened 21 years ago Closed 21 years ago

NSS fails 2 NIST test cases for Name Constraints.

(NSS :: Libraries, defect, P2)
(Not tracked)
(Reporter: nelson, Assigned: nelson)
(1 file, 1 obsolete file)

Section 4.13: Name Constraints.  38 test cases.

NSS fails 2 cases.  Is this a recent regression (last week or two)?

19: involves a self-issued cert.  NSS says it's bad, NIST says good.
Given that it's self issued, I don't think we care.

36: URI name constraints.  NSS says it fails, NIST says it's good.
I checked with an NSS of a month ago, as well as of 2 months ago. I get the same
results as reported here. This is not a regression. Sorry, I misread the results
last time.
taking bug for NSS 3.9
Assignee: wchang0222 → MisterSSL
Priority: -- → P2
Target Milestone: --- → 3.9
Case 36, reported above, does indeed reveal a flaw in NSS's new name
constraints code.

The constraint is an excluded URI name: ""
and the EE's URI is "".
NSS concludes that the URI matches the constraint, and it is therefore excluded.
But RFC 3280 says (pg 38): "When the constraint does not begin with a period,
it specifies a host", (i.e., it does not specify a domain).  So, this is a
false match.

I will develop a patch for this.
Attached patch patch v1 (obsolete) — Splinter Review
This patch creates separate comparison functions for URI and DNS names,
and makes them match the RFC3280 description more exactly.
This addresses the problem in test case 36, not case 19.
Attachment #135527 - Flags: review?(wchang0222)
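The two rules at issue in this bug, as an added illustration (not NSS code and not the attached patch): RFC 3280 section 4.2.1.11 lets a dNSName constraint such as foo.bar.com match any name built by adding labels on the left, but a URI constraint applies only to the URI's host part, and a URI constraint that does not begin with a period names exactly one host. Treating the URI form like the dNSName form produces the false match described for case 36; keeping the two comparison functions separate, as the patch description says it does, avoids it. The host names, constraint values and function names below are constructed for this example, and the choice to reject an empty constraint as malformed is an assumption (the page does not say how the patch handles empty URI constraints).

```python
"""Constructed illustration of RFC 3280 section 4.2.1.11 name-constraint
matching for dNSName and URI subjectAltNames, kept as separate functions.
Not NSS code; written for this bug page."""
from ipaddress import ip_address
from urllib.parse import urlsplit


def _normalize(name):
    # Host names compare case-insensitively; a trailing dot does not change them.
    return name.strip().lower().rstrip(".")


def dns_matches_constraint(dns_name, constraint):
    """dNSName rule: 'foo.bar.com' matches itself and any name made by adding
    labels on the left (www.foo.bar.com), but not foo1.bar.com."""
    name, c = _normalize(dns_name), _normalize(constraint)
    if not c:
        raise ValueError("empty dNSName constraint")  # assumption: treated as malformed
    return name == c or name.endswith("." + c)


def uri_host_matches_constraint(host, constraint):
    """URI rule: a constraint beginning with '.' is a domain and matches hosts
    with one or more extra left-hand labels; any other constraint names a
    single host and matches only that exact host (the distinction case 36
    turns on)."""
    h, c = _normalize(host), _normalize(constraint)
    if not c:
        raise ValueError("empty URI constraint")  # assumption: treated as malformed
    if c.startswith("."):
        return h.endswith(c) and len(h) > len(c)
    return h == c


def uri_constraint_host(uri):
    """Host part a URI constraint applies to, or None when RFC 3280 says the
    certificate must be rejected: no authority/host, or an IP-address host."""
    host = urlsplit(uri).hostname
    if not host:
        return None
    try:
        ip_address(host)
        return None  # IP literal, not a fully qualified domain name
    except ValueError:
        return host


def uri_allowed(uri, permitted=(), excluded=()):
    """RFC 3280 section 6.1.4 style check for one URI name: it must match no
    excluded subtree and, if any permitted URI subtrees exist, at least one."""
    if not permitted and not excluded:
        return True  # no URI constraints in the path: nothing to check
    host = uri_constraint_host(uri)
    if host is None:
        return False
    if any(uri_host_matches_constraint(host, c) for c in excluded):
        return False
    if permitted and not any(uri_host_matches_constraint(host, c) for c in permitted):
        return False
    return True


if __name__ == "__main__":
    # Constructed values (not the NIST test data): an excluded URI constraint
    # naming a host, and an end-entity URI on a subdomain of that host.
    constraint, ee_uri = "xyz.example", "http://www.xyz.example/"
    print("dNSName semantics would match:",
          dns_matches_constraint("www.xyz.example", constraint))
    print("URI semantics match:",
          uri_host_matches_constraint("www.xyz.example", constraint))
    print("EE URI allowed under the excluded constraint:",
          uri_allowed(ee_uri, excluded=[constraint]))
```

Applying the dNSName function to a URI host is exactly the false match: the subdomain would be reported as excluded, while the URI function reports no match and the certificate is accepted.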
Adding Wan-Teh to CC list.  Wan-Teh, please review the above patch.
I see one comment line that must be fixed for the URI comparison function.
The line that reads:
**      matches
should read
**      no match
Attached patch patch v2 — Splinter Review
This patch corrects comments, and the behavior of empty URI constraints.
Attachment #135527 - Attachment is obsolete: true
Attachment #135528 - Flags: review?(wchang0222)
Comment on attachment 135527 [details] [diff] [review]
patch v1

This obsolete patch no longer needs to be reviewed. However, its successor does
need review.
Attachment #135527 - Flags: review?(wchang0222)
Comment on attachment 135528 [details] [diff] [review]
patch v2

Attachment #135528 - Flags: review?(wchang0222) → review+
Patch v2 above is checked in.  It fixes test case 36.

Steve Hanna and I discussed test case 19 briefly today, and I am going to 
take a fresh look at that bug (and other bugs involving self-issued certs)
in light of his comments.  So, I am leaving this bug open until I know
what we can/will do about test case 19.
I am going to mark this bug fixed in NSS 3.9.
I am going to file a separate bug about NIST tests with self-signed certs 
in the chain.
Closed: 21 years ago
Resolution: --- → FIXED
NSS now passes all NIST nameConstraints tests, hence marking this VERIFIED. This
duplicates the VERIFIED in 231030 (NSS 3.9.1 target).