Closed
Bug 285208
Opened 19 years ago
Closed 19 years ago
certutil -C78 creates invalid cert with two subjAltName extensions
Categories
(NSS :: Libraries, defect, P2)
Tracking
(Not tracked)
RESOLVED
FIXED
3.10
People
(Reporter: nelson, Assigned: neil.williams)
Details
Attachments
(3 files, 1 obsolete file)
530 bytes, application/octet-stream
5.26 KB, patch (nelson: review+)
2.05 KB, patch (nelson: review+)
A cert can have at most one extension of any single type. Likewise a cert request can have at most one requested extension of any single type. When certutil creates a cert that has both DNSnames and email addresses for subject alt names, it creates two separate subject alt name extensions, which is invalid. It needs to generate a single subjectAltNames extension with both kinds of names in it. Neil found this while working on bug 263779. Since he's working on that code right now, I will give this to him directly. I will attach a cert that demonstrates this problem that Neil created with certutil.
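As an added illustration (not part of the original bug report or of the NSS code), the check below walks a DER-encoded Extensions SEQUENCE and reports any extension OID that appears more than once. It is run against a constructed pair: two separate subjectAltName extensions as described in this bug, and one merged extension holding both names. The helper names and the sample names are assumptions made for the example.

```python
# Added example: minimal DER walker over an X.509 Extensions SEQUENCE.
SAN_OID = bytes.fromhex("551d11")  # 2.5.29.17 subjectAltName

def tlv(tag, body):
    """Encode one DER TLV (short and long-form lengths)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def read_tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, body, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        k = first & 0x7F
        length = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def san_extension(names):
    """Extension ::= SEQUENCE { extnID, extnValue OCTET STRING (GeneralNames) }."""
    general_names = tlv(0x30, b"".join(tlv(t, v) for t, v in names))
    return tlv(0x30, tlv(0x06, SAN_OID) + tlv(0x04, general_names))

def duplicate_extension_oids(extensions_der):
    """Return extnID values (raw OID bytes) that occur more than once."""
    tag, body, _ = read_tlv(extensions_der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    seen, dups, pos = set(), [], 0
    while pos < len(body):
        _, ext, pos = read_tlv(body, pos)
        oid_tag, oid, _ = read_tlv(ext, 0)
        if oid_tag != 0x06:
            raise ValueError("extnID must be an OBJECT IDENTIFIER")
        if oid in seen and oid not in dups:
            dups.append(oid)
        seen.add(oid)
    return dups

# Constructed sample names: rfc822Name is [1] (0x81), dNSName is [2] (0x82).
EMAIL = (0x81, b"user@example.com")
DNS = (0x82, b"www.example.com")
BROKEN = tlv(0x30, san_extension([DNS]) + san_extension([EMAIL]))  # shape in this bug
FIXED = tlv(0x30, san_extension([DNS, EMAIL]))  # single merged extension
```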
Updated • 19 years ago (Reporter)
Priority: -- → P2
Target Milestone: --- → 3.10
Comment 1 • 19 years ago (Reporter)
I believe this cert was created with an NSS 3.9.x version of certutil, because this cert still exhibits bug 282527 which is fixed on the trunk.
Comment 2 • 19 years ago (Assignee)
This patch fixes the problem of adding multiple SUBJECT_ALT_NAME extensions (one for -7 option and one for -8) in cert and cert request creation. It also allows creation of cert requests with all the attributes specified by command options -1 (numeric one) through -8. This was supposed to go into bug https://bugzilla.mozilla.org/show_bug.cgi?id=263779 but was overlooked.
Updated • 19 years ago (Assignee)
Attachment #177174 -
Flags: review?(nelson)
Comment 3 • 19 years ago (Assignee)
Made some corrections and clarifications to the previous patch based on reviewers' suggestions.
Attachment #177202 -
Flags: review?(nelson)
Updated • 19 years ago (Assignee)
Attachment #177174 -
Attachment is obsolete: true
Comment 4 • 19 years ago (Reporter)
Comment on attachment 177202: replaces previous patch
Looks good to me. r=nelson
Attachment #177202 -
Flags: review?(nelson) → review+
Updated • 19 years ago (Reporter)
Attachment #177174 -
Flags: review?(nelson)
Comment 5 • 19 years ago (Assignee)
Checking in nss/cmd/certutil/certutil.c;
/cvsroot/mozilla/security/nss/cmd/certutil/certutil.c,v <-- certutil.c
new revision: 1.90; previous revision: 1.89
done
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Comment 6 • 19 years ago (Assignee)
Lines 447-458 of the last patch caused cert extensions to be processed twice for -S requests. (Create-and-add-cert (-S) works by creating a cert request first then creating the new cert from the request.) This is incorrect and causes the test scripts to fail.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Comment 7 • 19 years ago (Assignee)
The test scripts are all green with this patch.
Attachment #177644 -
Flags: review?(nelson)
Comment 8 • 19 years ago (Reporter)
Comment on attachment 177644: fixes duplicate extension processing.
r=nelsonb This solution appears to make the tests go green, and is expedient. Longer term, I think the right solution is to do all the processing of extensions before generating either the cert request or the cert. Also, we need a non-interactive way to generate cert and CSRs with extensions. I will file a separate bug about the.
Attachment #177644 -
Flags: review?(nelson) → review+
Comment 9 • 19 years ago (Assignee)
Checking in nss/cmd/certutil/certutil.c;
/cvsroot/mozilla/security/nss/cmd/certutil/certutil.c,v <-- certutil.c
new revision: 1.91; previous revision: 1.90
done
Status: REOPENED → RESOLVED
Closed: 19 years ago → 19 years ago
Resolution: --- → FIXED