Closed
Bug 250234
Opened 21 years ago
Closed 21 years ago
CERT_EncodeAuthKeyID produces malformated DER without KeyID set to something
Categories
(NSS :: Libraries, defect)
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 244922
3.10
People
(Reporter: emil.assarsson, Assigned: wtc)
References
Details
Attachments
(1 file)
|
1.78 KB,
text/plain
|
Details |
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040413 Debian/1.6-5
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040413 Debian/1.6-5
Sorry about this long and boring text but I don't know it I can explain it better.
I'm using CERT_EncodeAuthKeyID to add the Authority Key Extension to generated
certificates. I use the issuers Subject Public Key ID if it exist, but when it's
not I want to use the issuers subject and serial only.
I guess that the KeyID (the first item in the AKI Sequence) should be NULL. But
I get a malformated item here. It is 2 bytes with HEAD, witch leaving nothing to
the DATA. But the Length is set to 1. So this will overlap the next item.
Reproducible: Always
Steps to Reproduce:
1.
2.
3.
Actual Results:
Output from a generated certificate:
$openssl asn1parse -inform der -in outbox/mupp.der -i
[...]
374:d=4 hl=2 l= 18 cons: SEQUENCE
376:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints
381:d=5 hl=2 l= 1 prim: BOOLEAN :255
384:d=5 hl=2 l= 8 prim: OCTET STRING
394:d=4 hl=2 l= 76 cons: SEQUENCE
396:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier
401:d=5 hl=2 l= 69 prim: OCTET STRING
472:d=1 hl=2 l= 13 cons: SEQUENCE
474:d=2 hl=2 l= 9 prim: OBJECT :sha1WithRSAEncryption
485:d=2 hl=2 l= 0 prim: NULL
487:d=1 hl=3 l= 129 prim: BIT STRING
[...]
Output from the generated AuthKeyID octet string found at offset 403:
$openssl asn1parse -inform der -in outbox/mupp.der -i -offset 403
0:d=0 hl=2 l= 65 cons: SEQUENCE
2:d=1 hl=2 l= 1 prim: cont [ 0 ]
Error in encoding
* This is the problem *
If I set KeyID to an empty SECItem it will end up as a 2 byte long der item with
the length set to 1. This will overlap the next item!
If I go on to offset 407 witch is the subject of the issuer:
$openssl asn1parse -inform der -in outbox/mupp.der -i \
> -offset 407 -length 60
0:d=0 hl=2 l= 60 cons: cont [ 1 ]
2:d=1 hl=2 l= 58 cons: cont [ 4 ]
4:d=2 hl=2 l= 56 cons: SEQUENCE
6:d=3 hl=2 l= 11 cons: SET
8:d=4 hl=2 l= 9 cons: SEQUENCE
10:d=5 hl=2 l= 3 prim: OBJECT :countryName
15:d=5 hl=2 l= 2 prim: PRINTABLESTRING :SE
19:d=3 hl=2 l= 16 cons: SET
21:d=4 hl=2 l= 14 cons: SEQUENCE
23:d=5 hl=2 l= 3 prim: OBJECT :organizationName
28:d=5 hl=2 l= 7 prim: PRINTABLESTRING :Test AB
37:d=3 hl=2 l= 23 cons: SET
39:d=4 hl=2 l= 21 cons: SEQUENCE
41:d=5 hl=2 l= 3 prim: OBJECT :commonName
46:d=5 hl=2 l= 14 prim: PRINTABLESTRING :Emil Assarsson
Expected Results:
A valid DER encoding with a nice length :-)
|
Reporter | |
Comment 1•21 years ago
|
||
Compile this and run. The program writes a file (authKeyID.der) with an DER
formated AKI. After that you could run DER test programs on this file and you
will find something fishy.
|
Assignee | |
Comment 2•21 years ago
|
||
*** Bug 250241 has been marked as a duplicate of this bug. ***
|
|
Assignee | |
Updated•21 years ago
|
Status: UNCONFIRMED → NEW
Ever confirmed: true
|
|
Assignee | |
Updated•21 years ago
|
Attachment #152536 -
Attachment mime type: text/x-csrc → text/plain
|
||
Comment 3•21 years ago
|
||
Emil, This seems like a dup of bug 244922, which is awaiting patch review.
Please review that bug, and tell me (here) if you think this bug is a
duplicate of that, or not. The crucial question is whether or not your
template has any "MAY_STREAM" flags.
Also, you can test out the complete set of 5 patches attached to that bug,
and see if that solves your problem.
|
||
Comment 4•21 years ago
|
||
The description in bug 244922 matches mine.
CERTAuthKeyIDTemplate uses SEC_OctetStringTemplate on the KeyID witch has the
flag SEC_ASN1_MAY_STREAM.
After applying the 5 patches it works perfectly!
Here is the output after running the test program again:
$ ./akitest
$ openssl asn1parse -inform der -in authkeyid.der -i -dump -length 64
0:d=0 hl=2 l= 62 cons: SEQUENCE
2:d=1 hl=2 l= 57 cons: cont [ 1 ]
4:d=2 hl=2 l= 55 cons: cont [ 4 ]
6:d=3 hl=2 l= 53 cons: SEQUENCE
8:d=4 hl=2 l= 11 cons: SET
10:d=5 hl=2 l= 9 cons: SEQUENCE
12:d=6 hl=2 l= 3 prim: OBJECT :countryName
17:d=6 hl=2 l= 2 prim: PRINTABLESTRING :SE
21:d=4 hl=2 l= 16 cons: SET
23:d=5 hl=2 l= 14 cons: SEQUENCE
25:d=6 hl=2 l= 3 prim: OBJECT :organizationName
30:d=6 hl=2 l= 7 prim: PRINTABLESTRING :test AB
39:d=4 hl=2 l= 20 cons: SET
41:d=5 hl=2 l= 18 cons: SEQUENCE
43:d=6 hl=2 l= 3 prim: OBJECT :commonName
48:d=6 hl=2 l= 11 prim: PRINTABLESTRING :test person
61:d=1 hl=2 l= 1 prim: cont [ 2 ]
This bug should be marked as an duplicate of bug 244922.
Thank you!
|
|
Assignee | |
Comment 5•21 years ago
|
||
*** This bug has been marked as a duplicate of 244922 ***
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → DUPLICATE
Target Milestone: --- → 3.10
You need to log in
before you can comment on or make changes to this bug.
Description
•