Closed
Bug 261496
Opened 20 years ago
Closed 20 years ago
REGRESSION, CRLs without nextUpdate fields don't decode
Categories
(NSS :: Libraries, defect, P1)
Tracking
(Not tracked)
RESOLVED
FIXED
3.9.3
People
(Reporter: nelson, Assigned: nelson)
Attachments (2 files)
1.73 KB, patch | julien.pierre: review+
1.75 KB, patch
One of the many bugs fixed in NSS 3.9 was that NSS would previously accept only UTCTimes and not GeneralizedTimes in many places (in many types of PKI SEQUENCES, like certs and CRLs). The fix was to replace the UTCTime tag in most templates with a CHOICE subtemplate that allowed either form of time. So, in CRLs, the template for the nextUpdate field changed from being an OPTIONAL UTCTime to being an OPTIONAL CHOICE.

The QuickDER decoder used for CRLs has an original bug (which is not a regression in 3.9), namely that it mishandles missing optional CHOICEs. Apparently we never had any optional choice templates until 3.9. In any case, the combination of the new OPTIONAL CHOICE template and the original QuickDER bug (treats missing optional choices as errors) causes the regression that NSS can no longer correctly parse CRLs that lack the optional nextUpdate component.

I have a patch that fixes this, and a related patch that prevents certutil and PP from crashing on CRLs with missing nextUpdate fields. I would like this fix to go into NSS 3.9.3 and into NSS 3.10.

Thanks to Bill Burns who discovered that CRLs without nextUpdate fields cannot be printed by pp.
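The decoding rule at issue in the description above, as an added example that is not part of the bug report and is not NSS or QuickDER code: an absent OPTIONAL CHOICE must consume no input and return success, leaving the same bytes for the next template entry to accept or reject. The simplified three-field layout, all function names and the sample byte strings are constructed for illustration.

```c
#include <stddef.h>

enum { UTCTIME = 0x17, GENTIME = 0x18, SEQUENCE = 0x30 };
typedef struct { const unsigned char *p; size_t left; } cursor;

/* Constructed sample inputs (not from the bug): thisUpdate, [nextUpdate], third field */
const unsigned char WITH_NEXT[] = "\x17\x0d" "040924000000Z" "\x18\x0f" "20041024000000Z" "\x30\x00";
const unsigned char NO_NEXT[]   = "\x17\x0d" "040924000000Z" "\x30\x00";
const unsigned char BAD_FIELD[] = "\x17\x0d" "040924000000Z" "\x02\x01\x05";
#define DER_LEN(a) (sizeof(a) - 1)   /* drop the string literal's trailing NUL */

/* Peek at the next TLV's tag; short-form lengths (< 128) only. -1 if malformed. */
static int peek_tag(const cursor *c) {
    if (c->left < 2 || (c->p[1] & 0x80) || (size_t)c->p[1] > c->left - 2)
        return -1;
    return c->p[0];
}

static void skip_tlv(cursor *c) {
    size_t n = 2 + (size_t)c->p[1];
    c->p += n; c->left -= n;
}

/* Time ::= CHOICE { UTCTime, GeneralizedTime }. Returns the matched tag,
 * 0 if absent (allowed only when optional; nothing is consumed), -1 on error. */
static int decode_time(cursor *c, int optional) {
    int tag;
    if (c->left == 0)                       /* enclosing SEQUENCE ended */
        return optional ? 0 : -1;
    tag = peek_tag(c);
    if (tag < 0)
        return -1;                          /* malformed TLV is always an error */
    if (tag != UTCTIME && tag != GENTIME)
        return optional ? 0 : -1;           /* no alternative matched */
    skip_tlv(c);
    return tag;
}

/* thisUpdate Time, nextUpdate Time OPTIONAL, revokedCertificates SEQUENCE.
 * Returns nextUpdate's tag, 0 if it is absent, -1 if the input does not decode. */
int decode_crl_times(const unsigned char *der, size_t len) {
    cursor c = { der, len };
    int next;
    if (decode_time(&c, 0) <= 0) return -1;
    if ((next = decode_time(&c, 1)) < 0) return -1;
    if (peek_tag(&c) != SEQUENCE) return -1;   /* next template entry decides */
    skip_tlv(&c);
    return c.left == 0 ? next : -1;
}
```

Skipping the optional field does not weaken validation: in `BAD_FIELD` the unexpected INTEGER is still rejected, by the entry that follows nextUpdate.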
Comment 1 • 20 years ago (Assignee)
Targeting 3.9.3. I believe Julien agrees with this.
Status: NEW → ASSIGNED
Priority: -- → P1
Target Milestone: --- → 3.9.3
Comment 2 • 20 years ago (Assignee)
Comment 3 • 20 years ago (Assignee)
Comment on attachment 160026: patch v1 for trunk
Julien, please review
Attachment #160026 - Flags: review?(julien.pierre.bugs)
Comment 4 • 20 years ago (Assignee)
The only difference between these two patches is the line numbers in the diffs. So, I won't ask for this patch to be reviewed separately.
Updated • 20 years ago
Attachment #160026 - Flags: review?(julien.pierre.bugs) → review+
Comment 5 • 20 years ago
Good catch, Nelson. I wish our test suite had some CRL coverage. We really have to get on it.
Comment 6 • 20 years ago (Assignee)
Fix checked in on NSS 3.9 branch.
Checking in lib/util/quickder.c; new: 1.19.16.1; previous: 1.19
Checking in cmd/lib/secutil.c; new: 1.60.2.3; previous: 1.60.2.2
Comment 7 • 20 years ago (Assignee)
Checked in on trunk
Checking in lib/util/quickder.c; new revision: 1.21; previous revision: 1.20
Checking in cmd/lib/secutil.c; new revision: 1.66; previous revision: 1.65
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Updated • 20 years ago
Keywords: sun-orion3
Comment 10 • 20 years ago
*** Bug 231907 has been marked as a duplicate of this bug. ***