Closed
Bug 284200
Opened 20 years ago
Closed 20 years ago
No public way to parse Sequence of Extension on Windows
Categories
(NSS :: Libraries, enhancement, P2)
Tracking
(Not tracked)
RESOLVED
FIXED
3.10
People
(Reporter: nelson, Assigned: nelson)
References
Details
Attachments
(1 file)
|
2.56 KB,
patch
|
neil.williams
:
review+
wtc
:
superreview+
|
Details | Diff | Splinter Review |
Some ASN.1 documents have "Extensions" (that is, Sequence of Extension)
in them. NSS has two differently-named but otherwise identical templates
for parsing these:
CERT_SequenceOfCertExtensionTemplate (in certdb.c)
SEC_CERTExtensionsTemplate (in crl.c)
But neither of these seem to be exported (in nss.def).
Also, I have not found a public function that decodes a caller-supplied
DER buffer using either of those templates.
We have functions that decode those things inside of certs and CRLs,
but they appear in lots of other places, too.
So, I propose to export one of those templates and/or functions to
encode and decode with them. I propose to do this for NSS 3.10.
If you object to that plan, please speak up right away.
If you know of a function that I've missed that decodes with either of
those templates, please let me know. No point in duplicating it.
|
Assignee | |
Comment 1•20 years ago
|
||
This bug blocks bug 284191, which is wanted for NSS 3.10.
Priority: -- → P2
Target Milestone: --- → 3.10
|
|
Assignee | |
Comment 2•20 years ago
|
||
This small patch exports CERT_SequenceOfCertExtensionTemplate and the
function that returns the address of that template (for windows).
Reviewers: please scrutinize the addition to nss.def to see if it looks
acceptable. It's not strict alphabetical order. It is patterned after
the file section for NSS 3.2, but if you prefer it could be patterned after
the section for NSS 3.9.
Attachment #175997 -
Flags: superreview?(wtchang)
Attachment #175997 -
Flags: review?(neil.williams)
|
|
Assignee | |
Updated•20 years ago
|
Severity: normal → enhancement
Status: NEW → ASSIGNED
|
||
Comment 3•20 years ago
|
||
Comment on attachment 175997 [details] [diff] [review]
patch v1 - export CERT_SequenceOfCertExtensionTemplate
>Index: lib/certdb/certt.h
...
> struct CERTCertificateRequestStr {
> PRArenaPool *arena;
> SECItem version;
> CERTName subject;
> CERTSubjectPublicKeyInfo subjectPublicKeyInfo;
>- SECItem **attributes;
>+ CERTAttribute **attributes;
> };
What is this change? It's not clear how this change
is related to the export of CERT_SequenceOfCertExtensionTemplate.
|
|
Assignee | |
Comment 4•20 years ago
|
||
That change really is part of the fix for bug 284191 and bug 263779.
It should have been part of the patch for bug 284191, rather than this patch.
I hope to check in the patches for both bugs (this and 284191) together as
a single checkin when both are approved.
As noted in bug 284191, struct CERTCertificateRequestStr is supposed to
correspond to CERT_CertificateRequestTemplate. But the struct is wrong,
because it has the wrong type for "attribute". The template correctly
decodes (or encodes) the attribute as a CERT_SetOfAttributeTemplate,
that is, as a SET OF Attribute. But the struct erroneously corresponds
to a SET OF ANY.
It is clearly the case that no NSS-based code has ever properly constructed
a cert request with an attribute, nor properly used a parse cert request
attribute. If it had, it would have failed, since a SECItem is quite
different from a CERTAttribute.
This fix to the struct is binary compatible. It does not alter the size
of the struct, and makes the struct properly reflect the data structure
that is actually put into memory by the decoder (or used by the encoder).
It is not API compatible, in the sense that any code that actually expects
an attribute to be represented by a SECItem (e.g. code such as
x->attribute[0]->data ) will no longer compile. However, such code was
always in error, and never could have worked properly.
|
||
Comment 5•20 years ago
|
||
Comment on attachment 175997 [details] [diff] [review]
patch v1 - export CERT_SequenceOfCertExtensionTemplate
Looks good to me. Had a question about
NSS_Get_CERT_SequenceOfCertExtensionTemplate
but it was answered to my satifaction.
Attachment #175997 -
Flags: review?(neil.williams) → review+
|
|
Assignee | |
Comment 6•20 years ago
|
||
/cvsroot/mozilla/security/nss/lib/certdb/certt.h,v <-- certt.h
new revision: 1.29; previous revision: 1.28
/cvsroot/mozilla/security/nss/lib/certdb/certdb.c,v <-- certdb.c
new revision: 1.72; previous revision: 1.71
/cvsroot/mozilla/security/nss/lib/nss/nss.def,v <-- nss.def
new revision: 1.143; previous revision: 1.142
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Summary: No public way to parse Sequence of Extension → No public way to parse Sequence of Extension on Windows
|
|
||
Updated•20 years ago
|
Attachment #175997 -
Flags: superreview?(wtchang) → superreview+
|
|
Assignee | |
Comment 7•20 years ago
|
||
Many thanks for the review and superreviews.
You need to log in
before you can comment on or make changes to this bug.
Description
•