Closed Bug 221646 Opened 21 years ago Closed 21 years ago

NSS fails 2 NIST test cases for Name Constraints.

Categories

(NSS :: Libraries, defect, P2)

defect

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: nelson, Assigned: nelson)

Details

Attachments

(1 file, 1 obsolete file)

Section 4.13: Name Constraints. 38 test cases. NSS fails 2 cases. Is this a recent regression (last week or two)? 19: involves a self-issued cert. NSS says it's bad, NIST says good. Given that it's self issued, I don't think we care. 36: URI name constraints. NSS says it fails, NIST says it's good.
I checked with an NSS of a month ago, as well as of 2 months ago. I get same results as reported here. This is not a regression. Sorry, misread the results last time.
taking bug for NSS 3.9
Assignee: wchang0222 → MisterSSL
Priority: -- → P2
Target Milestone: --- → 3.9
Case 36, reported above, does indeed reveal a flaw in NSS's new name constraints code. The constraint is an excluded URI name: "invalidcertificates.gov" and the EE's URI is "http://testserver.invalidcertificates.gov/index.html". NSS concludes that the URI matches the constraint, and it is therefore excluded. But RFC 3280 says (pg 38): "When the constraint does not begin with a period, it specifies a host", (i.e., it does not specify a domain). So, this is a false match. I will develop a patch for this.
Status: NEW → ASSIGNED
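The distinction the comment above draws (a URI constraint without a leading period names a single host, one with a leading period names a domain and its subdomains) is the whole of NIST case 36. The following is an added example, not NSS code or the patch attached to this bug: it implements the RFC 3280 section 4.2.1.11 rules for URI and DNS name constraints as separate comparison functions, sets a naive suffix match beside them to show how the false match arises, and evaluates the case-36 inputs. The function names, the rejection of an empty constraint, and the sample URIs other than the case-36 one are assumptions of this example.

```python
from urllib.parse import urlsplit


def uri_host(uri: str) -> str:
    """Return the lower-cased host part of a URI.

    RFC 3280 applies a URI name constraint only to the host part, so the
    scheme, path and query are irrelevant to the comparison.
    """
    host = urlsplit(uri).hostname
    if host is None:
        raise ValueError(f"URI has no host part: {uri!r}")
    return host.lower()


def uri_host_matches(host: str, constraint: str) -> bool:
    """RFC 3280 rule for URI constraints.

    ".xyz.com"  names a domain: satisfied by abc.xyz.com and abc.def.xyz.com,
                but NOT by the bare name xyz.com.
    "foo.bar.com" names a host: satisfied only by exactly foo.bar.com, so
                www.foo.bar.com does NOT match.
    """
    host = host.lower().rstrip(".")
    constraint = constraint.lower().rstrip(".")
    if constraint == "":
        # Assumption of this example: an empty constraint is malformed.
        raise ValueError("empty URI name constraint")
    if constraint.startswith("."):
        # endswith() with the leading dot keeps "bxyz.com" from matching ".xyz.com"
        # and, because the constraint is longer, "xyz.com" itself cannot match.
        return host.endswith(constraint)
    return host == constraint


def dns_name_matches(name: str, constraint: str) -> bool:
    """RFC 3280 rule for DNS constraints.

    Any name built by adding labels on the left satisfies the constraint:
    www.foo.bar.com matches foo.bar.com, foo1.bar.com does not.
    """
    name = name.lower().rstrip(".")
    constraint = constraint.lower().rstrip(".")
    if constraint == "":
        raise ValueError("empty DNS name constraint")
    return name == constraint or name.endswith("." + constraint)


def naive_suffix_matches(host: str, constraint: str) -> bool:
    """Constructed illustration of the false match: treating every URI
    constraint as a domain suffix. This is NOT NSS's code, only the
    behaviour the bug report describes."""
    return host.lower().endswith(constraint.lower())


def uri_permitted(uri: str, permitted=(), excluded=()) -> bool:
    """Apply excludedSubtrees first, then permittedSubtrees (if any are
    present) to the host of a URI subjectAltName."""
    host = uri_host(uri)
    if any(uri_host_matches(host, c) for c in excluded):
        return False
    if permitted and not any(uri_host_matches(host, c) for c in permitted):
        return False
    return True


# NIST case 36 as described in this bug: excluded URI constraint and EE URI.
CASE_36_CONSTRAINT = "invalidcertificates.gov"
CASE_36_URI = "http://testserver.invalidcertificates.gov/index.html"


def case_36_results() -> dict:
    """Correct verdict per RFC 3280 beside the suffix-match verdict."""
    host = uri_host(CASE_36_URI)
    return {
        "host": host,
        "rfc3280_excluded": not uri_permitted(CASE_36_URI, excluded=[CASE_36_CONSTRAINT]),
        "naive_excluded": naive_suffix_matches(host, CASE_36_CONSTRAINT),
    }


if __name__ == "__main__":
    for key, value in case_36_results().items():
        print(f"{key}: {value}")
```

Under the RFC rule the EE URI is not excluded (the constraint names the host "invalidcertificates.gov" only), while the suffix match wrongly excludes it; the same constraint string used as a DNS constraint would legitimately cover www-style subdomains, which is why the two name forms need separate comparison functions.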
Attached patch patch v1 (obsolete) — Splinter Review
This patch creates separate comparison functions for URI and DNS names, and makes them match the RFC3280 description more exactly. This addresses the problem in test case 36, not case 19.
Attachment #135527 - Flags: review?(wchang0222)
Adding Wan-Teh to CC list. Wan-Teh, please review the above patch.
I see one comment line that must be fixed for the URI comparison function. The line that reads: ** foo.bar.com www.foo.bar.com matches should read ** foo.bar.com www.foo.bar.com no match
Attached patch patch v2 — Splinter Review
This patch corrects comments, and the behavior of empty URI constraints.
Attachment #135527 - Attachment is obsolete: true
Attachment #135528 - Flags: review?(wchang0222)
Comment on attachment 135527 [details] [diff] [review] patch v1 This obsolete patch no longer needs to be reviewed. However, its successor does need review.
Attachment #135527 - Flags: review?(wchang0222)
Comment on attachment 135528 [details] [diff] [review] patch v2 r=wtc.
Attachment #135528 - Flags: review?(wchang0222) → review+
Patch v2 above is checked in. It fixes test case 36. Steve Hanna and I discussed test case 19 briefly today, and I am going to take a fresh look at that bug (and other bugs involving self-issued certs) in light of his comments. So, I am leaving this bug open until I know what we can/will do about test case 19.
I am going to mark this bug fixed in NSS 3.9. I am going to file a separate bug about NIST tests with self-signed certs in the chain.
Status: ASSIGNED → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
NSS now passes all NIST nameConstraints tests, hence marking this VERIFIED. This duplicates the VERIFIED in 231030 (NSS 3.9.1 target)
Status: RESOLVED → VERIFIED
