Open Bug 245941 Opened 20 years ago Updated 2 years ago

CMMF code encodes and decodes bogus certs

Categories: NSS :: Libraries, defect, P3
Tracking: Not tracked
People: Reporter: nelson, Unassigned

The CMMF library functions CMMF_EncodeCertRepContent and CMMF_CreateCertRepContentFromDER use the template CMMFCertRepContentTemplate, which in turn points to CMMFSequenceOfCertsTemplate, which in turn points to SEC_SignedCertificateTemplate. This means that when a Cert Reply message is decoded, the certs in it are decoded into CERTCertificate structures that are unknown to NSS; that is, that are not temp or perm certs. All those certs are decoded into the same arena, the arena for the message. For those certs, cert->arena is NULL. When one calls CERT_DestroyCertificate on any of those CERTCertificates, it crashes.

Worse, when one ENcodes a Cert reply message, the encoding process re-encodes the certs from their decoded components, and does not simply copy the issuer's DER encoded cert into the reply message.

The solution to all these problems is to change CMMFSequenceOfCertsTemplate into a Sequence of ANY, and then change the above-named CMMF encode and decode functions to separately handle the certs. The decoder will need to separately decode the certs, in the usual fashion. The CMMFCertRepContent struct will need to change to point to an array of SECItems (or pointers to SECItems), rather than an array of pointers to CERTCertificate. The CMMFCertOrEncCertStr struct will have to change similarly, I think.

This is the real underlying issue for bug 245420. The patch presently attached to that bug is more a workaround than a fix.
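The "Sequence of ANY" approach proposed above, shown as an added example that is not NSS code: a small C routine that splits a DER SEQUENCE OF ANY into the raw per-element encodings (a stand-in for the array of SECItems the report describes), so each cert can then be decoded on its own through the normal cert path and copied back verbatim when re-encoding. The der_item type, the function names and the sample DER are constructed for this illustration.

```c
/* Added example (not NSS code): split a DER SEQUENCE OF ANY into its raw
 * element encodings, the way a Sequence-of-ANY template would, so each cert
 * can later be handed to the regular cert decoder (CERT_NewTempCertificate in
 * NSS) instead of being decoded into the message arena with cert->arena NULL. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef struct { const uint8_t *data; size_t len; } der_item; /* stand-in for SECItem */

/* Parse a DER tag+length header. Returns header length, 0 on error.
 * Only definite lengths up to 4 bytes are accepted (DER forbids indefinite). */
static size_t der_header(const uint8_t *p, size_t avail, size_t *content_len)
{
    if (avail < 2 || (p[0] & 0x1f) == 0x1f) return 0;  /* no multi-byte tags here */
    size_t hdr = 2;
    uint8_t l = p[1];
    if (l < 0x80) {
        *content_len = l;
    } else {
        size_t n = l & 0x7f;
        if (n == 0 || n > 4 || avail < 2 + n) return 0;
        size_t v = 0;
        for (size_t i = 0; i < n; i++) v = (v << 8) | p[2 + i];
        if (v < 0x80) return 0;                        /* DER: minimal length encoding */
        *content_len = v;
        hdr = 2 + n;
    }
    return (avail - hdr >= *content_len) ? hdr : 0;    /* reject truncated content */
}

/* Split the outer SEQUENCE into at most max_items elements.
 * Each item covers the whole TLV exactly as issued; returns count or -1. */
int der_split_sequence_of_any(const uint8_t *der, size_t len, der_item *out, int max_items)
{
    size_t clen, hdr = der_header(der, len, &clen);
    if (hdr == 0 || der[0] != 0x30 || hdr + clen != len) return -1;
    const uint8_t *p = der + hdr, *end = p + clen;
    int n = 0;
    while (p < end) {
        size_t elen, ehdr = der_header(p, (size_t)(end - p), &elen);
        if (ehdr == 0 || n == max_items) return -1;
        out[n].data = p;
        out[n].len = ehdr + elen;
        p += ehdr + elen;
        n++;
    }
    return n;
}

/* Constructed sample: SEQUENCE { SEQUENCE { INTEGER 1 }, SEQUENCE { INTEGER 2, NULL } } */
const uint8_t SAMPLE_DER[] = { 0x30, 0x0c,
    0x30, 0x03, 0x02, 0x01, 0x01,
    0x30, 0x05, 0x02, 0x01, 0x02, 0x05, 0x00 };
const size_t SAMPLE_DER_LEN = sizeof SAMPLE_DER;
```

Each returned der_item is a slice of the caller's buffer, so the issuer's encoding is preserved byte for byte rather than being rebuilt from decoded components.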
This bug has 2 parts: a server part and a client part. AFAIK, there is no server using this CMMF code (CMMF_EncodeCertRepContent), so fixing the CMMF server code is only P3 or less. But mozilla does use the client side CMMF code (CMMF_CreateCertRepContentFromDER), so that part of it should be P2 at least. But the two share common code, so fixing one involves fixing the other, I think. So, I am marking this bug P2 for 3.10, but considering that the prerequisites are taking a LONG time to get reviewed, I have doubts that the fix for this will get done for 3.10.
Depends on: 245429
Priority: -- → P2
Target Milestone: --- → 3.10
QA Contact: bishakhabanerjee → jason.m.reid
This work is primarily of interest to mozilla. I won't be able to work on it before 3.12. Bob, Wan-Teh, any interest in it before then?
Priority: P2 → P3
Target Milestone: 3.10 → ---
QA Contact: jason.m.reid → libraries
Alexei, with your prior experience with our ASN.1 encoder and decoders, and your recent exposure to the CRMF and CMMF code, fixing this bug might be a good task for you. Steve, does your product use this code to send CMMF replies? If not, maybe this is dead code? What do you think?
Certificate System does not call into any NSS C CMMF code. All CMMF messages are created only in Java. Thanks
Assignee: nelson → nobody
Severity: normal → S3