Closed Bug 292896 Opened 20 years ago Closed 20 years ago

crlutil incorrectly encodes Auth Key ID extension

Categories

(NSS :: Libraries, defect)

3.10
x86
All
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 244922

People

(Reporter: alvolkov.bgs, Assigned: wtc)

Details

The problem occurs when encoding the extension with an empty key identifier (octet string), but a defined issuer name and serial number. Here is the output of SECU_PrintExtensions when it prints the Authority Key ID extension encoded by the NSS ASN.1 encoder (CERTAuthKeyIDTemplate is used):

    Name: Certificate Authority Key Identifier
    Error: Parsing extension: security library: improperly formatted DER-encoded message.
    Data: Sequence { [0] a1 }

CERTAuthKeyIDTemplate as defined in nss/lib/certdb/xauthkid.c:

    const SEC_ASN1Template CERTAuthKeyIDTemplate[] = {
        { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CERTAuthKeyID) },
        { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 0,
          offsetof(CERTAuthKeyID, keyID), SEC_OctetStringTemplate },
        { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1,
          offsetof(CERTAuthKeyID, DERAuthCertIssuer), CERT_GeneralNamesTemplate },
        { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 2,
          offsetof(CERTAuthKeyID, authCertSerialNumber), SEC_IntegerTemplate },
        { 0 }
    };
The root of the problem is in the ASN.1 encoder's structure length calculation procedure. The length is bogusly calculated for any template that is defined with the SEC_ASN1_MAY_STREAM bit and whose parent had the optional bit set. Here are the comments from secasn1e.c:

    /*
     * This function currently calculates the length in all cases
     * except the following: when writing out the contents of a
     * template that belongs to a state where it was a sub-template
     * with the SEC_ASN1_MAY_STREAM bit set and it's parent had the
     * optional bit set. The information that the parent is optional
     * and that we should return the length of 0 when that length is
     * present since that means the optional field is no longer present.
     * So we add the disallowStreaming flag which is passed in when
     * writing the contents, but for all recursive calls to
     * sec_asn1e_contents_length, we pass PR_FALSE, because this
     * function correctly calculates the length for children templates
     * from that point on. Confused yet? At least you didn't have
     * to figure it out. ;) -javi
     */

Here is the block of code that calculates the non-zero length (secasn1e.c:741):

    len = ((SECItem *)src)->len;
    if (may_stream && len == 0 && !disallowStreaming)
        len = 1; /* if we're streaming, we may have a secitem w/len 0 as placeholder */
    break;
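An added example, not from the bug report or from NSS: a minimal DER encoder for the AuthorityKeyIdentifier extension with its three OPTIONAL fields, which can also reproduce the faulty [0] header the report describes (length forced to 1, no content byte written), and a strict DER walker that rejects that output the way SECU_PrintExtensions does. The issuer Name (CN=Test CA) and serial number are constructed sample values.

```python
def tlv(tag: int, content: bytes) -> bytes:  # DER TLV (short-form length only)
    assert len(content) < 0x80, "sample encoder uses short-form lengths only"
    return bytes([tag, len(content)]) + content

def encode_aki(key_id, issuer_name_der, serial, nss_bug=False) -> bytes:
    """AKI SEQUENCE of three OPTIONAL fields: [0] keyIdentifier OCTET STRING,
    [1] GeneralNames, [2] INTEGER. nss_bug=True mimics the report: an empty
    key_id gets a [0] header claiming one content byte, but no content byte."""
    parts = b""
    if key_id is not None:                    # absent OPTIONAL -> no TLV at all
        bogus = nss_bug and len(key_id) == 0  # report: len forced to 1, no body
        parts += bytes([0x80, 0x01]) if bogus else tlv(0x80, key_id)
    if issuer_name_der is not None:           # [1] IMPLICIT GeneralNames
        parts += tlv(0xA1, tlv(0xA4, issuer_name_der))   # one directoryName [4]
    if serial is not None:
        n = max(1, (serial.bit_length() + 8) // 8)       # room for the sign bit
        parts += tlv(0x82, serial.to_bytes(n, "big"))
    return tlv(0x30, parts)

def parse_tlvs(buf: bytes) -> list:
    """Strict DER walk: (tag, content) pairs; ValueError on any overrun."""
    out, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated header")
        tag, length, i = buf[i], buf[i + 1], i + 2
        if length & 0x80:                     # long-form length
            nbytes = length & 0x7F
            if nbytes == 0 or i + nbytes > len(buf):
                raise ValueError("bad long-form length")
            length = int.from_bytes(buf[i:i + nbytes], "big")
            i += nbytes
        if i + length > len(buf):
            raise ValueError(f"tag 0x{tag:02x}: length {length} overruns buffer")
        out.append((tag, buf[i:i + length]))
        i += length
    return out

def aki_error(ext: bytes):                   # None if well-formed, else error text
    try:
        fields = parse_tlvs(ext)
        if len(fields) != 1 or fields[0][0] != 0x30:
            raise ValueError("extension value must be a single SEQUENCE")
        parse_tlvs(fields[0][1])
        return None
    except ValueError as e:
        return str(e)

NAME_DER = tlv(0x30, tlv(0x31, tlv(0x30,            # constructed Name: CN=Test CA
    tlv(0x06, bytes.fromhex("550403")) + tlv(0x0C, b"Test CA"))))
```

With nss_bug=True the walker reads the following [1] tag byte (0xa1) as the content of [0], matching the "Sequence { [0] a1 }" in the printed output, and then fails on the bytes after it.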
This is a dup of a long known bug. There is a patch for this problem attached to bug 245429 that fixes it, but has not been committed because of other issues. Alexei, Julien and I should meet to discuss how to progress with bug 244922.

*** This bug has been marked as a duplicate of 244922 ***
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
Summary: crlutil reports warning when creating crl with Auth Key ID extension → crlutil incorrectly encodes Auth Key ID extension