Closed Bug 285208 Opened 20 years ago Closed 20 years ago

certutil -C78 creates invalid cert with two subjAltName extensions

Categories

(NSS :: Libraries, defect, P2)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: nelson, Assigned: neil.williams)

Details

Attachments

(3 files, 1 obsolete file)

A cert can have at most one extension of any single type. Likewise a cert request can have at most one requested extension of any single type. When certutil creates a cert that has both DNS names and email addresses for subject alt names, it creates two separate subject alt name extensions, which is invalid. It needs to generate a single subjectAltNames extension with both kinds of names in it. Neil found this while working on bug 263779. Since he's working on that code right now, I will give this to him directly. I will attach a cert that demonstrates this problem that Neil created with certutil.
Priority: -- → P2
Target Milestone: --- → 3.10
I believe this cert was created with a NSS 3.9.x version of certutil, because this cert still exhibits bug 282527 which is fixed on the trunk.
This patch fixes the problem of adding multiple SUBJECT_ALT_NAME extensions (one for the -7 option and one for -8) in cert and cert request creation. It also allows creation of cert requests with all the attributes specified by command options -1 (numeric one) through -8. This was supposed to go into bug https://bugzilla.mozilla.org/show_bug.cgi?id=263779 but was overlooked.
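The rule the bug description relies on (RFC 5280 section 4.2: a certificate must not contain more than one instance of a particular extension) and the shape of the fix described in the patch comment (the names supplied via -7 and -8 end up in one subjectAltName) can be checked without NSS. The following is an added, stdlib-only Python example written for this page; it is not code from certutil, from the attached patches, or from NSS. It encodes a subjectAltName extension (OID 2.5.29.17, with rfc822Name as context tag [1] and dNSName as context tag [2], both per RFC 5280) the way the pre-fix certutil did (two extensions, one per option) and the way the fix does (a single extension carrying both name kinds), and walks an Extensions SEQUENCE to report duplicated extnIDs. The host names and address are constructed samples, and the ordering of names inside the SAN is an arbitrary choice of this example, not certutil's.

```python
"""Added example (not NSS/certutil code): minimal DER encode/decode for
X.509 Extensions and subjectAltName, enough to show why two SAN extensions
are invalid and what the single combined extension looks like."""

SAN_OID = "2.5.29.17"   # id-ce-subjectAltName, RFC 5280 s4.2.1.6
TAG_RFC822 = 0x81       # GeneralName [1] rfc822Name, IA5String
TAG_DNS = 0x82          # GeneralName [2] dNSName, IA5String


def _length(n: int) -> bytes:
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _length(len(body)) + body


def _base128(n: int) -> bytes:
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    return bytes(reversed(out))


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    first = 40 * arcs[0] + arcs[1]          # first two arcs share one value
    return tlv(0x06, b"".join(_base128(a) for a in [first] + arcs[2:]))


def decode_oid(body: bytes) -> str:
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    first = arcs[0]
    head = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    return ".".join(str(a) for a in head + arcs[1:])


def parse_tlv(buf: bytes, pos: int = 0) -> tuple:
    """Return (tag, body, position after element); rejects truncated input."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def children(body: bytes):
    """Yield (tag, body) for each element inside a constructed value."""
    pos = 0
    while pos < len(body):
        tag, value, pos = parse_tlv(body, pos)
        yield tag, value


def encode_san(dns_names: list, emails: list) -> bytes:
    """One subjectAltName Extension carrying both name kinds (the valid form)."""
    names = b"".join(tlv(TAG_RFC822, e.encode("ascii")) for e in emails)
    names += b"".join(tlv(TAG_DNS, d.encode("ascii")) for d in dns_names)
    # Extension ::= SEQUENCE { extnID OID, critical DEFAULT FALSE (omitted),
    #                          extnValue OCTET STRING (wrapping GeneralNames) }
    return tlv(0x30, encode_oid(SAN_OID) + tlv(0x04, tlv(0x30, names)))


def encode_extensions(exts: list) -> bytes:
    return tlv(0x30, b"".join(exts))


def extension_oids(extensions_der: bytes) -> list:
    tag, body, end = parse_tlv(extensions_der)
    if tag != 0x30 or end != len(extensions_der):
        raise ValueError("not a single Extensions SEQUENCE")
    oids = []
    for ext_tag, ext in children(body):
        oid_tag, oid_body = next(children(ext))
        if ext_tag != 0x30 or oid_tag != 0x06:
            raise ValueError("malformed Extension")
        oids.append(decode_oid(oid_body))
    return oids


def duplicate_extensions(extensions_der: bytes) -> list:
    """extnIDs that occur more than once; RFC 5280 s4.2 forbids any."""
    oids = extension_oids(extensions_der)
    return sorted({o for o in oids if oids.count(o) > 1})


def parse_san(extension_der: bytes) -> list:
    """Return [(kind, value), ...] for the GeneralNames inside one SAN extension."""
    _, body, _ = parse_tlv(extension_der)
    parts = list(children(body))
    if decode_oid(parts[0][1]) != SAN_OID or parts[-1][0] != 0x04:
        raise ValueError("not a subjectAltName extension")
    _, general_names, _ = parse_tlv(parts[-1][1])
    kinds = {TAG_RFC822: "email", TAG_DNS: "dns"}
    return [(kinds.get(t, "tag%#x" % t), v.decode("ascii", "replace"))
            for t, v in children(general_names)]


if __name__ == "__main__":
    # Constructed sample names; neither the host nor the address is real.
    buggy = encode_extensions([encode_san([], ["alice@example.test"]),
                               encode_san(["www.example.test"], [])])
    fixed = encode_extensions([encode_san(["www.example.test"], ["alice@example.test"])])
    print("two SAN extensions, duplicated extnIDs:", duplicate_extensions(buggy))
    print("single SAN extension, duplicated extnIDs:", duplicate_extensions(fixed))
    print("names in the single SAN:", parse_san(encode_san(["www.example.test"], ["alice@example.test"])))
```

`duplicate_extensions` is the check to run over the extensions of a certificate or of a PKCS#10 extensionRequest: the first construction (what the reporter observed) yields `['2.5.29.17']`, the second (one extension with both name kinds) yields an empty list. The decoder deliberately refuses truncated elements, since a SAN parser that reads past its buffer is a worse outcome than rejecting a malformed certificate.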
Attachment #177174 - Flags: review?(nelson)
Made some corrections and clarifications to the previous patch based on reviewers suggestions.
Attachment #177202 - Flags: review?(nelson)
Attachment #177174 - Attachment is obsolete: true
Comment on attachment 177202 [details] [diff] [review] (replaces previous patch)
Looks good to me. r=nelson
Attachment #177202 - Flags: review?(nelson) → review+
Attachment #177174 - Flags: review?(nelson)
Checking in nss/cmd/certutil/certutil.c; /cvsroot/mozilla/security/nss/cmd/certutil/certutil.c,v <-- certutil.c new revision: 1.90; previous revision: 1.89 done
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Lines 447-458 of the last patch caused cert extensions to be processed twice for -S requests. (Create-and-add-cert (-S) works by creating a cert request first then creating the new cert from the request.) This is incorrect and causes the test scripts to fail.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
The test scripts are all green with this patch.
Attachment #177644 - Flags: review?(nelson)
Comment on attachment 177644 [details] [diff] [review] (fixes duplicate extension processing)
r=nelsonb This solution appears to make the tests go green, and is expedient. Longer term, I think the right solution is to do all the processing of extensions before generating either the cert request or the cert. Also, we need a non-interactive way to generate cert and CSRs with extensions. I will file a separate bug about the.
Attachment #177644 - Flags: review?(nelson) → review+
Checking in nss/cmd/certutil/certutil.c; /cvsroot/mozilla/security/nss/cmd/certutil/certutil.c,v <-- certutil.c new revision: 1.91; previous revision: 1.90 done
Status: REOPENED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
