Closed Bug 322070 Opened 16 years ago Closed 8 years ago

CRL import fails if CRL is not binary DER

Categories

(Core :: Security: PSM, defect)

x86
Windows 2000
defect
Not set
normal

Tracking

()

RESOLVED INCOMPLETE

People

(Reporter: ken2006, Unassigned)

References

()

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6

Some CRLs have extraneous whitespace bytes in their head/tail, due to the way some webservers (response filters) dynamically prepend/append data to their response. Other browsers handle these CRLs gracefully; NSS throws a 'ffffe009' error.

Reproducible: Always

Steps to Reproduce:
1. Load http://certificates.starfieldtech.com/repository/root.crl



Note, I have no affiliation with godaddy.com, except as a customer.
The above URL returns to me the following results (including http headers)

HTTP/1.1 200 OK
Date: Mon, 02 Jan 2006 03:40:00 GMT
Server: Apache
Last-Modified: Thu, 08 Dec 2005 15:34:24 GMT
ETag: "83c1f-241-d9a000"
Accept-Ranges: bytes
Content-Length: 577
P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA"
Connection: close
Content-Type: application/x-pkcs7-crl

-----BEGIN X509 CRL-----
MIIBgTCB6zANBgkqhkiG9w0BAQUFADCBuzEkMCIGA1UEBxMbVmFsaUNlcnQgVmFs
aWRhdGlvbiBOZXR3b3JrMRcwFQYDVQQKEw5WYWxpQ2VydCwgSW5jLjE1MDMGA1UE
CxMsVmFsaUNlcnQgQ2xhc3MgMiBQb2xpY3kgVmFsaWRhdGlvbiBBdXRob3JpdHkx
ITAfBgNVBAMTGGh0dHA6Ly93d3cudmFsaWNlcnQuY29tLzEgMB4GCSqGSIb3DQEJ
ARYRaW5mb0B2YWxpY2VydC5jb20XDTA1MDEyNzE4MDIyN1oXDTA2MDEyNzE4MDIy
N1owDQYJKoZIhvcNAQEFBQADgYEAMnhxebiiZFDVRtJOkLsGDsR2dttw4EdlIw5k
OajHzMfUXdlxkjP3xfeKFYmelK9L4adqMmri5JHrT/0qdX+esve1TkvYF+TgxJyB
smSB+Nri2qhVRzqKlEyLEk3n8HsQfxYfPPeFV19QNxBJlfPdbugFjdRhtp0H1PUM
oVFZSa8=
-----END X509 CRL-----

Maybe our parser isn't expecting base64? 
or maybe somthing other than "X509 CRL" ?
Error ffffe008 is actually error -8183 (displayed as unsigned hex, rather
than as signed decimal).  According to the official list of error numbers,
http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html
That is error SEC_ERROR_BAD_DER
Security library: improperly formatted DER-encoded message.

That tells me that mozilla tried to decode it as a binary DER-encoded 
message and failed, because it was BASE64 encoded, not binary.
I don't know if this is the responsibility of NSS or PSM.  
base64 decoding is PSM's responsibility . There is no base64 decoding of CRLs in NSS libraries. The CRL decoder APIs all take DER as input.

I'm not sure what the Content-type of application/x-pkcs7-crl is supposed to be - binary or ASCII, or either way.
The inability to accept a base64 encoded CRL seems to be somewhat inconsistent 
with NSS's ability to import certs as either binary DER or base64 encoded.

I don't know of any official standard definition of the data types that 
should be associated with MIME content types, especially with the content
types that start with application/x- .

Kai, if you agree that this is a PSM bug/RFE, please change it into a PSM bug.
Thanks.
Summary: CRL import fails if superfluous head/tail whitespace octets → CRL import fails if CRL is not binary DER
> The inability to accept a base64 encoded CRL seems to be somewhat inconsistent 
> with NSS's ability to import certs as either binary DER or base64 encoded.

I agree


> I don't know of any official standard definition of the data types that 
> should be associated with MIME content types, especially with the content
> types that start with application/x- .

As these are not fully defined, I think it's fine to try to be smart.


> Kai, if you agree that this is a PSM bug/RFE, please change it into a PSM bug.

I think it could be either a NSS or a PSM RFE bug.
If you don't like the idea to make NSS smarter, despite the inconsistency, it's ok to change this into a PSM RFE bug.


Note for anybody who is going to work on this: nss/cmd/lib/secutil.c, SECU_ReadDERFromFile already contains some logic to do the conversion.
Status: UNCONFIRMED → NEW
Component: Libraries → Security: PSM
Ever confirmed: true
Product: NSS → Core
Version: unspecified → Trunk
Assignee: wtchang → kengert
QA Contact: jason.m.reid
QA Contact: psm
(In reply to Nelson Bolyard (seldom reads bugmail) from comment #4)
> The inability to accept a base64 encoded CRL seems to be somewhat
> inconsistent 
> with NSS's ability to import certs as either binary DER or base64 encoded.
> 
> I don't know of any official standard definition of the data types that 
> should be associated with MIME content types, especially with the content
> types that start with application/x- .
> 
> Kai, if you agree that this is a PSM bug/RFE, please change it into a PSM
> bug.
> Thanks.

This is ancient but the mime type should be application/pkix-crl (See RFC 2585).  Sec 4.2 addresses the encoding considerations.
reassign bug owner.
mass-update-kaie-20120918
Assignee: kaie → nobody
The CRL Manager / Revocation Lists feature was removed.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → INCOMPLETE
You need to log in before you can comment on or make changes to this bug.