Closed Bug 285208 Opened 19 years ago Closed 19 years ago

certutil -C78 creates invalid cert with two subjAltName extensions

Categories

(NSS :: Libraries, defect, P2)

Product:
NSS
Component:
Libraries
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: nelson, Assigned: neil.williams)

Details

Attachments

(3 files, 1 obsolete file)

DER cert with two subjectAltName extensions
530 bytes, application/octet-stream
Details
replaces previous patch
5.26 KB, patch
nelson
: review+
Details | Diff | Splinter Review
fixes duplicate extension processing.
2.05 KB, patch
nelson
: review+
Details | Diff | Splinter Review 
A cert can have at most one extension of any single type. Likewise a 
cert request can have at home one requested extension of any single type.

When certutil creates a cert that has both DNSnames and email addresses
for subject alt names, it creates two separate subject alt name 
extensions, which is invalid.  It needs to generate a single 
subjectAltNames extension with both kinds of names in it.

Neil found this while working on bug 263779.  Since he's working on that
code right now, I will give this to him directly.  I will attach a cert 
that demonstrates this problem that Neil created with certutil.
Priority: -- → P2
Target Milestone: --- → 3.10
I believe this cert was created with a NSS 3.9.x version of certutil, 
because this cert still exhibits bug 282527 which is fixed on the trunk.
This patch fixes the problem of adding multiple SUBJECT_ALT_NAME extensions(one
for -7 option and one for -8) in cert and cert request creation. It also allows
creation of cert requests with all the attributes specified by command options
-1 (numeric one) through -8. This was supposed to go into bug
https://bugzilla.mozilla.org/show_bug.cgi?id=263779 but was overlooked.
Attachment #177174 - Flags: review?(nelson)
Made some corrections and clarifications to the previous patch based on
reviewers suggestions.
Attachment #177202 - Flags: review?(nelson)
Attachment #177174 - Attachment is obsolete: true
Comment on attachment 177202 [details] [diff] [review]
replaces previous patch

Looks good to me.  r=nelson
Attachment #177202 - Flags: review?(nelson) → review+
Attachment #177174 - Flags: review?(nelson)
Checking in nss/cmd/certutil/certutil.c;
/cvsroot/mozilla/security/nss/cmd/certutil/certutil.c,v  <--  certutil.c
new revision: 1.90; previous revision: 1.89
done
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Lines 447-458 of the last patch caused cert extensions to be processed twice for
-S requests. (Create-and-add-cert (-S) works by creating a cert request first
then creating the new cert from the request.) This is incorrect and causes the
test scripts to fail.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
The test scripts are all green with this patch.
Attachment #177644 - Flags: review?(nelson)
Comment on attachment 177644 [details] [diff] [review]
fixes duplicate extension processing.

r=nelsonb
This solution appears to make the tests go green, and is expedient.  
Longer term, I think the right solution is to do all the processing 
of extensions before generating either the cert request or the cert.  
Also, we need a non-interactive way to generate cert and CSRs with
extensions.  I will file a separate bug about the.
Attachment #177644 - Flags: review?(nelson) → review+
Checking in nss/cmd/certutil/certutil.c;
/cvsroot/mozilla/security/nss/cmd/certutil/certutil.c,v  <--  certutil.c
new revision: 1.91; previous revision: 1.90
done
Status: REOPENED → RESOLVED
Closed: 19 years ago19 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: