Closed Bug 328909 Opened 19 years ago Closed 19 years ago

SECKEY_ImportDERPublicKey does not handle EC key yet

Categories

(NSS :: Libraries, defect, P1)

Product:
NSS
Component:
Libraries
Version:
3.11
Platform:
x86
Linux
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED WONTFIX
Milestone:
3.11.1

People

(Reporter: nkwan, Assigned: rrelyea)

References

Details

(Whiteboard: ECC)

SECKEY_ImportDERPublicKey, which is used by JSS's CRMF pop verification, does not handle EC key type. So JSS is failing to handle the following CRMF request MIIBGDCCARQwgboCBG+fcKQwgYmAAQKlFzAVMRMwEQYDVQQDEwpLYWkgRW5nZXJ0 plkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAENFd7AfuOOvV4jDxOxPKQ0bxof1Vg LNZNGB+DeGU1YxKl2ECpedJ6959u/uOIRNPlKZUEbtIAnvdREh8zlnZWoKkQMA4G A1UdDwEB/wQEAwIF4DAmMBEGCSsGAQUFBwUBAQwEYmxhMTARBgkrBgEFBQcFAQIM BGJsYTKhVTAJBgcqhkjOPQIBA0gAMEUCIQCAT6rQSjAKUQuqZgMEnnYE5UWR3Hhb lROGg60TdfzJBQIgLflMaOusKO8b3GA+yOYLCb8o+onPF9A3hYit/4izOzY= Decoding that using http://bluelight.sfbay.redhat.com/apps/dumpasn1/ produces: 0 30 280: SEQUENCE { 4 30 276: SEQUENCE { 8 30 186: SEQUENCE { 11 02 4: INTEGER 1872720036 17 30 137: SEQUENCE { 20 80 1: [0] : 02 23 A5 23: [5] { 25 30 21: SEQUENCE { 27 31 19: SET { 29 30 17: SEQUENCE { 31 06 3: OBJECT IDENTIFIER commonName (2 5 4 3) : (X.520 id-at (2 5 4)) 36 13 10: PrintableString 'Kai Engert' : } : } : } : } 48 A6 89: [6] { 50 30 19: SEQUENCE { 52 06 7: OBJECT IDENTIFIER ecPublicKey (1 2 840 10045 2 1) : (ANSI X9.62 public key type) 61 06 8: OBJECT IDENTIFIER '1 2 840 10045 3 1 7' : } 71 03 66: BIT STRING 0 unused bits : 04 34 57 7B 01 FB 8E 3A F5 78 8C 3C 4E C4 F2 90 : D1 BC 68 7F 55 60 2C D6 4D 18 1F 83 78 65 35 63 : 12 A5 D8 40 A9 79 D2 7A F7 9F 6E FE E3 88 44 D3 : E5 29 95 04 6E D2 00 9E F7 51 12 1F 33 96 76 56 : A0 : } 139 A9 16: [9] { 141 30 14: SEQUENCE { 143 06 3: OBJECT IDENTIFIER keyUsage (2 5 29 15) : (X.509 id-ce (2 5 29)) 148 01 1: BOOLEAN TRUE 151 04 4: OCTET STRING, encapsulates { 153 03 2: BIT STRING 5 unused bits : '111'B : } : } : } : } 157 30 38: SEQUENCE { 159 30 17: SEQUENCE { 161 06 9: OBJECT IDENTIFIER '1 3 6 1 5 5 7 5 1 1' 172 0C 4: UTF8String (1997) : Unrecognised primitive, hex value is: : 62 6C 61 31 : } 178 30 17: SEQUENCE { 180 06 9: OBJECT IDENTIFIER '1 3 6 1 5 5 7 5 1 2' 191 0C 4: UTF8String (1997) : Unrecognised primitive, hex value is: : 62 6C 61 32 : } : } : } 197 A1 85: [1] { 199 30 9: SEQUENCE { 201 06 7: OBJECT IDENTIFIER ecPublicKey (1 2 840 10045 2 1) : (ANSI X9.62 public key type) : } 210 03 72: BIT STRING 0 unused bits, encapsulates { 213 30 69: SEQUENCE { 215 02 33: INTEGER : 00 80 4F AA D0 4A 30 0A 51 0B AA 66 03 04 9E 76 : 04 E5 45 91 DC 78 5B 95 13 86 83 AD 13 75 FC C9 : 05 250 02 32: INTEGER : 2D F9 4C 68 EB AC 28 EF 1B DC 60 3E C8 E6 0B 09 : BF 28 FA 89 CF 17 D0 37 85 88 AD FF 88 B3 3B 36 : } : } : } : } : } 0 warnings, 2 errors. If possible, please fix this problem in NSS_3_11_BRANCH.
Another case of missing ECC functionality.
Severity: normal → major
Priority: -- → P1
Whiteboard: ECC
Target Milestone: --- → 3.11.1
Blocks: 326159
Note that I am trying to solve my problem at the JSS level. My immediate solution is not to call SECKEY_ImportDERPubliKey function in NSS. Please refer to https://bugzilla.mozilla.org/show_bug.cgi?id=331369
I'm going to close thie bug as invalid. Even though there is code that claims to handle dh and dsa keys, the keys created are not complete because they are missing the parameter section. RSA does not have a parameter section, and is thus the only key type that this function could support. To add ec support, we would have to add an extra argument for the parameter (in the case of ec it's the curve).
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → INVALID
Bob, why is this bug invalid? Have we DEFINED SECKEY_ImportDERPublicKey to specifically exclude any non-RSA key type? Looks like a comment documents a known bug regarding non-RSA keys types. I don't think that constitutes a basis for marking this invalid.
The interface is defined in such a way that it cannot support any key but RSA. It's horribly broken and should be deprecated. It takes raw key DER keyblobs, but does not provide the parameters associated with those keys. There is a DER form that DOES have the parameters, it's called an Subject Public Key Info. That is what applications *should* use. I believe this interface was added to implement a java method which only works for RSA.
This bug is not invalid. It may be WONTFIX. If we want to deprecate this function, we must do so by adding comments to the source files (.c, .h and perhaps .def) announcing that this is deprecated, what it's shortcomings are, and that we're not going to "fix" it any more.
Status: RESOLVED → REOPENED
Resolution: INVALID → ---
The bug as written is unfixable. The API is broken for all by RSA functions. There are better alternatives that already exist. EC CANNOT be made to work with the API of this function. I really don't care how the bug is closed.
Status: REOPENED → RESOLVED
Closed: 19 years ago19 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.