Closed Bug 292896 Opened 20 years ago Closed 20 years ago

crlutil incorrectly encodes Auth Key ID extension

Categories

Product/Component: NSS :: Libraries
Version: 3.10
Hardware: x86
OS: All
Type: defect
Priority: Not set
Severity: normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 244922

People

(Reporter: alvolkov.bgs, Assigned: wtc)

Details

The problem occurs when encoding the extension with an empty key identifier (octet
string), but a defined issuer name and serial number.

Here is the output of SECU_PrintExtensions when it prints Authority Key ID
extension encoded by NSS ASN.1 encoder (CERTAuthKeyIDTemplate is used):

       Name: Certificate Authority Key Identifier
        Error: Parsing extension: security library: improperly formatted
DER-encoded message.
        Data: Sequence {
            [0]
                a1
        }


CERTAuthKeyIDTemplate defined in nss/lib/certdb/xauthkid.c:

const SEC_ASN1Template CERTAuthKeyIDTemplate[] = {
    { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(CERTAuthKeyID) },
    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 0,
          offsetof(CERTAuthKeyID,keyID), SEC_OctetStringTemplate},
    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC  | 1,
          offsetof(CERTAuthKeyID, DERAuthCertIssuer), CERT_GeneralNamesTemplate},
    { SEC_ASN1_OPTIONAL | SEC_ASN1_CONTEXT_SPECIFIC | 2,
          offsetof(CERTAuthKeyID,authCertSerialNumber), SEC_IntegerTemplate},
    { 0 }
};

The root of the problem is in the ASN.1 encoder's structure length calculation
procedure. Length is bogusly calculated for any templates that are defined
with the SEC_ASN1_MAY_STREAM bit, the parent of which had the optional bit set.

Here are the comments from secasn1e.c:
    /*
     * This function currently calculates the length in all cases
     * except the following: when writing out the contents of a 
     * template that belongs to a state where it was a sub-template
     * with the SEC_ASN1_MAY_STREAM bit set and it's parent had the
     * optional bit set.  The information that the parent is optional
     * and that we should return the length of 0 when that length is 
     * present since that means the optional field is no longer present.
     * So we add the disallowStreaming flag which is passed in when
     * writing the contents, but for all recursive calls to 
     * sec_asn1e_contents_length, we pass PR_FALSE, because this
     * function correctly calculates the length for children templates
     * from that point on.  Confused yet?  At least you didn't have
     * to figure it out.  ;)  -javi
     */


Here is the block of code that calculates non-zero length:
secasn1e.c:741

	len = ((SECItem *)src)->len;
	if (may_stream && len == 0 && !disallowStreaming)
	    len = 1;	/* if we're streaming, we may have a secitem w/len 0 as placeholder */
	break;
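
As an added illustration (not NSS code and not from the reporter), here is a small standalone encoder for the AuthorityKeyIdentifier extension value using the RFC 5280 tagging ([0] IMPLICIT OCTET STRING, [1] IMPLICIT GeneralNames with a directoryName [4] EXPLICIT Name inside, [2] IMPLICIT INTEGER). It treats a zero-length keyID the way the NSS template above does, as "field absent", so it shows what a correct encoding of "no key ID, but issuer + serial" looks like. Next to it is a DER walker that rejects any TLV whose tag has no length octet or whose content runs past the buffer, the kind of output SECU_PrintExtensions choked on above. The issuer Name ("CN=Test CA"), serial and key ID are constructed sample values; the bogus `30 01 a1` input is a constructed stand-in for a truncated encoding, not the exact bytes crlutil produced.

```c
/* Added example, not NSS code: minimal DER encoding of an
 * AuthorityKeyIdentifier value (RFC 5280 4.2.1.1) plus a well-formedness walker. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Write one DER TLV: tag, definite length (short form, or long form for
 * lengths below 65536), then content. Returns bytes written, 0 on overflow. */
size_t der_tlv(uint8_t *out, size_t cap, uint8_t tag,
               const uint8_t *content, size_t len)
{
    size_t hdr = (len < 0x80) ? 2 : (len < 0x100) ? 3 : 4;
    if (len >= 0x10000 || cap < hdr + len) return 0;
    out[0] = tag;
    if (len < 0x80) {
        out[1] = (uint8_t)len;
    } else if (len < 0x100) {
        out[1] = 0x81; out[2] = (uint8_t)len;
    } else {
        out[1] = 0x82; out[2] = (uint8_t)(len >> 8); out[3] = (uint8_t)len;
    }
    memcpy(out + hdr, content, len);
    return hdr + len;
}

/* AuthorityKeyIdentifier ::= SEQUENCE {
 *   keyIdentifier             [0] IMPLICIT OCTET STRING OPTIONAL,
 *   authorityCertIssuer       [1] IMPLICIT GeneralNames OPTIONAL,
 *   authorityCertSerialNumber [2] IMPLICIT INTEGER OPTIONAL }
 * As in the NSS template, a zero-length item means the OPTIONAL field is absent,
 * so nothing at all is written for it. issuer_name is an already DER-encoded
 * X.501 Name (a SEQUENCE); it becomes the directoryName [4] EXPLICIT alternative
 * of one GeneralName, and [1] IMPLICIT replaces the GeneralNames SEQUENCE tag. */
size_t encode_auth_key_id(uint8_t *out, size_t cap,
                          const uint8_t *keyid, size_t keyid_len,
                          const uint8_t *issuer_name, size_t name_len,
                          const uint8_t *serial, size_t serial_len)
{
    uint8_t body[512], gn[256];
    size_t n = 0, w;

    if (keyid_len) {                                   /* 80 len keyid */
        if (!(w = der_tlv(body + n, sizeof body - n, 0x80, keyid, keyid_len))) return 0;
        n += w;
    }
    if (name_len) {                                    /* a1 len { a4 len { 30 ... } } */
        size_t g = der_tlv(gn, sizeof gn, 0xA4, issuer_name, name_len);
        if (!g) return 0;
        if (!(w = der_tlv(body + n, sizeof body - n, 0xA1, gn, g))) return 0;
        n += w;
    }
    if (serial_len) {                                  /* 82 len serial */
        if (!(w = der_tlv(body + n, sizeof body - n, 0x82, serial, serial_len))) return 0;
        n += w;
    }
    return der_tlv(out, cap, 0x30, body, n);           /* outer SEQUENCE */
}

/* Walk DER in [p, p+n): every TLV needs a tag, a definite length and all of
 * its content inside the buffer; constructed values are recursed into.
 * Returns 1 if well-formed, 0 if anything is truncated or not DER. */
int der_well_formed(const uint8_t *p, size_t n)
{
    size_t i = 0;
    while (i < n) {
        uint8_t tag = p[i++];
        if ((tag & 0x1F) == 0x1F) return 0;            /* multi-byte tags not handled */
        if (i >= n) return 0;                          /* bare tag, no length octet */
        size_t len = p[i++];
        if (len == 0x80) return 0;                     /* indefinite length is not DER */
        if (len & 0x80) {
            size_t nb = len & 0x7F;
            if (nb > sizeof(size_t) || nb > n - i) return 0;
            len = 0;
            while (nb--) len = (len << 8) | p[i++];
        }
        if (len > n - i) return 0;                     /* content runs past buffer */
        if ((tag & 0x20) && !der_well_formed(p + i, len)) return 0;
        i += len;
    }
    return 1;
}

/* Constructed sample (not real CA data): issuer Name "CN=Test CA",
 * serial 0x0102, and optionally keyIdentifier de:ad:be:ef. */
size_t sample_aki(uint8_t *out, size_t cap, int with_keyid)
{
    static const uint8_t name[] = { 0x30,0x12, 0x31,0x10, 0x30,0x0e,
        0x06,0x03,0x55,0x04,0x03, 0x13,0x07,'T','e','s','t',' ','C','A' };
    static const uint8_t serial[] = { 0x01, 0x02 };
    static const uint8_t keyid[]  = { 0xde, 0xad, 0xbe, 0xef };
    return encode_auth_key_id(out, cap, keyid, with_keyid ? sizeof keyid : 0,
                              name, sizeof name, serial, sizeof serial);
}

int main(void)
{
    uint8_t buf[128];
    size_t n = sample_aki(buf, sizeof buf, 0), i;
    for (i = 0; i < n; i++) printf("%02x%s", buf[i], i + 1 < n ? " " : "\n");
    printf("well-formed: %d\n", der_well_formed(buf, n));
    return 0;
}
```

With the key ID empty the output starts `30 1c a1 16 a4 14 30 12 ...` and ends `82 02 01 02`: no [0] element is emitted at all, rather than a tag with a bogus length. The walker returns 0 for a constructed `30 01 a1`, where the inner context tag has no length octet, which is the shape of the parse failure in the reporter's output.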


This is a dup of a long known bug.  
There is a patch for this problem attached to bug 245429 that fixes it,
but has not been committed because of other issues.  
Alexei, Julien and I should meet to discuss how to progress with bug 244922.

*** This bug has been marked as a duplicate of 244922 ***
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
Summary: crlutil reports warning when creating crl with Auth Key ID extension → crlutil incorrectly encodes Auth Key ID extension