Bug 261496 - REGRESSION, CRLs without nextUpdate fields don't decode
Status: RESOLVED FIXED
Product: NSS
Classification: Components
Component: Libraries
Version: 3.9
Platform: All All
Importance: P1 critical
Target Milestone: 3.9.3
Assigned To: Nelson Bolyard (seldom reads bugmail)
QA Contact: Bishakha Banerjee
Duplicates: 231907

Reported: 2004-09-24 19:15 PDT by Nelson Bolyard (seldom reads bugmail)
Modified: 2006-10-25 19:48 PDT


Attachments
patch v1 for trunk (1.73 KB, patch)
2004-09-24 19:19 PDT, Nelson Bolyard (seldom reads bugmail)
julien.pierre: review+
patch v1 for NSS_3_9_BRANCH (1.75 KB, patch)
2004-09-24 19:25 PDT, Nelson Bolyard (seldom reads bugmail)
no flags

Description Nelson Bolyard (seldom reads bugmail) 2004-09-24 19:15:23 PDT
One of the many bugs fixed in NSS 3.9 was that NSS would previously accept 
only UTCTimes and not GeneralizedTimes in many places (in many types of PKI
SEQUENCES, like certs and CRLs).  The fix was to replace the UTCTime tag 
in most templates with a CHOICE subtemplate that allowed either form of time.

So, in CRLs, the template for the nextUpdate field changed from being an 
OPTIONAL UTCTime to being an OPTIONAL CHOICE.  The QuickDER decoder used for
CRLs has an original bug (which is not a regression in 3.9), namely that it
mishandles missing optional CHOICEs.  Apparently we never had any optional 
choice templates until 3.9.  

In any case, the combination of the new OPTIONAL CHOICE template and the 
original QuickDER bug (treats missing optional choices as errors) causes the
regression that NSS can no longer correctly parse CRLs that lack the 
optional nextUpdate component.  

I have a patch that fixes this, and a related patch that prevents certutil
and PP from crashing on CRLs with missing nextUpdate fields.

I would like this fix to go into NSS 3.9.3 and into NSS 3.10.

Thanks to Bill Burns who discovered that CRLs without nextUpdate fields
cannot be printed by pp.
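
The failure mode described above, as an added example that is not NSS code and not part of the original report: a small decoder for a simplified, assumed field layout (thisUpdate, optional nextUpdate, optional revokedCertificates), where the hypothetical `missing_choice_is_error` flag switches between rejecting an absent OPTIONAL CHOICE and skipping it. All names and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Simplified stand-in for part of a CRL body (assumption, not NSS code):
 *   thisUpdate Time, nextUpdate Time OPTIONAL, revokedCertificates SEQUENCE OPTIONAL
 * where Time ::= CHOICE { UTCTime (0x17), GeneralizedTime (0x18) }. */
struct crl_times {
    const unsigned char *this_update, *next_update; /* next_update NULL if absent */
    size_t this_len, next_len;
};

/* Constructed samples (trailing NUL of the literal is not part of the DER). */
static const unsigned char CRL_NO_NEXT[] = "\x17\x0d" "040924191500Z" "\x30\x00";
static const unsigned char CRL_WITH_NEXT[] =
    "\x17\x0d" "040924191500Z" "\x18\x0f" "20041024191500Z" "\x30\x00";

static int is_time(unsigned char tag) { return tag == 0x17 || tag == 0x18; }

/* Read one TLV (short-form length only); returns 0 on success. */
static int read_tlv(const unsigned char **p, const unsigned char *end,
                    unsigned char *tag, const unsigned char **val, size_t *len) {
    if (end - *p < 2 || ((*p)[1] & 0x80)) return -1;
    *tag = (*p)[0]; *len = (*p)[1]; *val = *p + 2;
    if ((size_t)(end - *val) < *len) return -1;
    *p = *val + *len;
    return 0;
}

/* missing_choice_is_error=1 models the reported behaviour (an absent OPTIONAL
 * CHOICE is rejected); 0 leaves the input unconsumed and moves on. */
int decode_crl_times(const unsigned char *buf, size_t n,
                     int missing_choice_is_error, struct crl_times *out) {
    const unsigned char *p = buf, *end = buf + n, *val, *mark;
    unsigned char tag; size_t len;
    memset(out, 0, sizeof *out);
    if (read_tlv(&p, end, &tag, &val, &len) || !is_time(tag)) return -1;
    out->this_update = val; out->this_len = len;
    if (p == end) return missing_choice_is_error ? -1 : 0;
    mark = p;
    if (read_tlv(&p, end, &tag, &val, &len)) return -1;
    if (is_time(tag)) { out->next_update = val; out->next_len = len; }
    else if (missing_choice_is_error) return -1; /* no alternative matched */
    else p = mark;                               /* field absent: rewind */
    if (p == end) return 0;
    if (read_tlv(&p, end, &tag, &val, &len) || tag != 0x30) return -1;
    return p == end ? 0 : -1;
}

int main(void) { struct crl_times t; return decode_crl_times(CRL_NO_NEXT, sizeof CRL_NO_NEXT - 1, 0, &t); }
```

With the lenient path, `next_update` stays NULL for the first sample, so any code that prints the field has to check for that before using it.
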
Comment 1 Nelson Bolyard (seldom reads bugmail) 2004-09-24 19:16:28 PDT
Targeting 3.9.3.  I believe Julien agrees with this.
Comment 2 Nelson Bolyard (seldom reads bugmail) 2004-09-24 19:19:53 PDT
Created attachment 160026
patch v1 for trunk
Comment 3 Nelson Bolyard (seldom reads bugmail) 2004-09-24 19:20:48 PDT
Comment on attachment 160026
patch v1 for trunk

Julien, please review
Comment 4 Nelson Bolyard (seldom reads bugmail) 2004-09-24 19:25:04 PDT
Created attachment 160027
patch v1 for NSS_3_9_BRANCH

The only difference between these two patches is the line numbers 
in the diffs.  So, I won't ask for this patch to be reviewed separately.
Comment 5 Julien Pierre 2004-09-27 01:49:12 PDT
Good catch, Nelson. I wish our test suite had some CRL coverage. We really have
to get on it.
Comment 6 Nelson Bolyard (seldom reads bugmail) 2004-09-27 15:38:04 PDT
Fix checked in on NSS 3.9 branch.

Checking in lib/util/quickder.c; new: 1.19.16.1; previous: 1.19
Checking in cmd/lib/secutil.c;   new: 1.60.2.3;  previous: 1.60.2.2
Comment 7 Nelson Bolyard (seldom reads bugmail) 2004-09-27 15:42:18 PDT
Checked in on trunk

Checking in lib/util/quickder.c; new revision: 1.21; previous revision: 1.20
Checking in cmd/lib/secutil.c;   new revision: 1.66; previous revision: 1.65
Comment 8 Nelson Bolyard (seldom reads bugmail) 2004-09-28 16:22:05 PDT
nominating for firefox 1.0
Comment 9 Benjamin Smedberg [:bsmedberg] 2004-10-22 11:20:44 PDT
NSS 3.9.3 is on aviary/1.7
Comment 10 Josh Birnbaum 2004-11-21 00:52:50 PST
*** Bug 231907 has been marked as a duplicate of this bug. ***
