Open
Bug 287285
Opened 20 years ago
Updated 2 years ago
certutil can issue cert with zero-length EKU OID
Categories
(NSS :: Tools, defect, P3)
Tracking
(Not tracked)
NEW
People
(Reporter: alvolkov.bgs, Unassigned)
Details
The problem with the code is that in case the user chooses to exit the loop right away by picking a number that is out of range, we will end up with a cert that has a SEC_OID_UNKNOWN usage. Here is the discussion log:

From Julien Pierre:

> AddExtKeyUsage reads the user value and creates an extension based on the added OID value.
> In case the user picks something above 6, it will create an extension
> with OID SEC_OID_UNKNOWN value.
>
> There are a couple of places like this. Is it the correct thing to add such an
> extension to the cert (especially if the user picks it as critical) or
> is it something that should be fixed?
>

It looks to me like something that should be fixed. rv should probably be initialized, and the default case should goto loser instead of endloop. I'm cc'ing Neil and Nelson on this. I know there were some fixes going on in certutil last week that might be related.

From Nelson B Bolyard:

Neil Williams wrote:

> I didn't check all the places there might be code like this but in
> AddExtKeyUsage() it's building a sequence of usages. It loops collecting
> the items of the sequence. It assumes that anything out of range signals
> end of list so it jumps to endloop and creates the extension from its
> sequence of OIDs. So the default case means "end-of-list" not
> "out-of-range". If the default case jumped to loser instead of endloop
> IMO it would never generate an ExtKeyUsage extension. I ran it as is,
> entered 8 at the first prompt and got what looked like a good cert with
> an extension that had a zero length sequence in it. Have to check X.509
> to see if that is legal.

Let's assume that it is not, that EKU extensions must have at least one valid OID in them. In that case, sounds like you've found a bug in certutil's extension generation, and it should be fixed.
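As an added defender-side check (this is example code, not code from the bug report or from NSS): a small C routine that validates the DER value of an extKeyUsage extension and rejects the zero-length SEQUENCE that certutil produced here, since RFC 5280 defines ExtKeyUsageSyntax as SEQUENCE SIZE (1..MAX) OF KeyPurposeId, so an empty sequence is not legal. The sample byte strings are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>

/* Return 1 if `der` (the raw value of an extKeyUsage extension) is a
 * well-formed ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId,
 * 0 otherwise. Only short-form DER lengths (< 128 bytes) are handled,
 * which covers any realistic EKU value. */
static int eku_is_valid(const unsigned char *der, size_t len)
{
    size_t pos, end, oid_len, n_oids = 0;

    /* Outer SEQUENCE header: tag 0x30, short-form length that fits exactly. */
    if (len < 2 || der[0] != 0x30 || (der[1] & 0x80) || 2 + (size_t)der[1] != len)
        return 0;
    end = len;

    /* Walk the KeyPurposeId elements; each must be a non-empty OBJECT IDENTIFIER. */
    for (pos = 2; pos < end; ) {
        if (end - pos < 2 || der[pos] != 0x06 || (der[pos + 1] & 0x80))
            return 0;
        oid_len = der[pos + 1];
        if (oid_len == 0 || oid_len > end - pos - 2)   /* zero-length or truncated OID */
            return 0;
        pos += 2 + oid_len;
        n_oids++;
    }
    /* "30 00", the zero-length sequence from the bug, has no OIDs and is rejected. */
    return n_oids >= 1;
}

/* Constructed sample extension values (not taken from the bug report). */
static const unsigned char eku_empty[] = { 0x30, 0x00 };                /* SEQUENCE {} */
static const unsigned char eku_server[] = {                             /* SEQUENCE { id-kp-serverAuth } */
    0x30, 0x0a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01 };
static const unsigned char eku_zero_oid[] = { 0x30, 0x02, 0x06, 0x00 }; /* SEQUENCE { OID of length 0 } */

int main(void)
{
    printf("empty EKU:        %s\n", eku_is_valid(eku_empty, sizeof eku_empty) ? "ok" : "REJECT");
    printf("serverAuth EKU:   %s\n", eku_is_valid(eku_server, sizeof eku_server) ? "ok" : "REJECT");
    printf("zero-length OID:  %s\n", eku_is_valid(eku_zero_oid, sizeof eku_zero_oid) ? "ok" : "REJECT");
    return 0;
}
```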
Comment 1•20 years ago
This is a tools bug. The original summary noted this problem is in function AddExtKeyUsage in certutil.c.
Component: Libraries → Tools
Summary: possible situation when AddExtKeyUsage in certutil.c can add SEC_OID_KNOWN key usage to cert → certutil can add SEC_OID_KNOWN extended key usage to cert
Updated•20 years ago
QA Contact: bishakhabanerjee → jason.m.reid
Updated•19 years ago
QA Contact: jason.m.reid → tools
Updated•18 years ago
Priority: -- → P3
Updated•18 years ago
Summary: certutil can add SEC_OID_KNOWN extended key usage to cert → certutil can issue cert with zero-length EKU OID
Comment 2•2 years ago
The bug assignee didn't log in to Bugzilla in the last 7 months, so the assignee is being reset.
Assignee: alvolkov.bgs → nobody
Updated•2 years ago
Severity: normal → S3