Closed Bug 285208 Opened 16 years ago Closed 16 years ago

certutil -C78 creates invalid cert with two subjAltName extensions


(NSS :: Libraries, defect, P2)



(Not tracked)



(Reporter: nelson, Assigned: neil.williams)



(3 files, 1 obsolete file)

A cert can have at most one extension of any single type. Likewise a 
cert request can have at home one requested extension of any single type.

When certutil creates a cert that has both DNSnames and email addresses
for subject alt names, it creates two separate subject alt name 
extensions, which is invalid.  It needs to generate a single 
subjectAltNames extension with both kinds of names in it.

Neil found this while working on bug 263779.  Since he's working on that
code right now, I will give this to him directly.  I will attach a cert 
that demonstrates this problem that Neil created with certutil.
Priority: -- → P2
Target Milestone: --- → 3.10
I believe this cert was created with a NSS 3.9.x version of certutil, 
because this cert still exhibits bug 282527 which is fixed on the trunk.
This patch fixes the problem of adding multiple SUBJECT_ALT_NAME extensions(one
for -7 option and one for -8) in cert and cert request creation. It also allows
creation of cert requests with all the attributes specified by command options
-1 (numeric one) through -8. This was supposed to go into bug but was overlooked.
Attachment #177174 - Flags: review?(nelson)
Made some corrections and clarifications to the previous patch based on
reviewers suggestions.
Attachment #177202 - Flags: review?(nelson)
Attachment #177174 - Attachment is obsolete: true
Comment on attachment 177202 [details] [diff] [review]
replaces previous patch

Looks good to me.  r=nelson
Attachment #177202 - Flags: review?(nelson) → review+
Attachment #177174 - Flags: review?(nelson)
Checking in nss/cmd/certutil/certutil.c;
/cvsroot/mozilla/security/nss/cmd/certutil/certutil.c,v  <--  certutil.c
new revision: 1.90; previous revision: 1.89
Closed: 16 years ago
Resolution: --- → FIXED
Lines 447-458 of the last patch caused cert extensions to be processed twice for
-S requests. (Create-and-add-cert (-S) works by creating a cert request first
then creating the new cert from the request.) This is incorrect and causes the
test scripts to fail.
Resolution: FIXED → ---
The test scripts are all green with this patch.
Attachment #177644 - Flags: review?(nelson)
Comment on attachment 177644 [details] [diff] [review]
fixes duplicate extension processing.

This solution appears to make the tests go green, and is expedient.  
Longer term, I think the right solution is to do all the processing 
of extensions before generating either the cert request or the cert.  
Also, we need a non-interactive way to generate cert and CSRs with
extensions.  I will file a separate bug about the.
Attachment #177644 - Flags: review?(nelson) → review+
Checking in nss/cmd/certutil/certutil.c;
/cvsroot/mozilla/security/nss/cmd/certutil/certutil.c,v  <--  certutil.c
new revision: 1.91; previous revision: 1.90
Closed: 16 years ago16 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.