Closed
Bug 330354
Opened 18 years ago
Closed 18 years ago
libpkix LDAPCertstore can't handle RFC3280MandatoryAttributeTypes
Categories
(NSS :: Test, defect, P1)
Tracking
(Not tracked)
RESOLVED
FIXED
3.12
People
(Reporter: richard.freedman, Assigned: richard.freedman)
Details
Attachments
(1 file)
The LDAPCertStore creates LDAP requests using standard fields of a certificate - CN, O, C. One of the NIST Path Discovery tests, test 4.3.7, uses a certificate which has names meeting the requirements of RFC3280, but not containing any of the standard types. The result is a hang. The temporary workaround is to use only the PK11CertStore for this particular test. (It queries the database using the complete name fields from the certificate.) Eventually LDAPCertStore needs to be fixed to recognize this hang condition and return an error instead.
Comment 1•18 years ago
Richard, how does test LDAP cert store hang? Shouldn't it fail in the condition you describe? We can't have any circumstance in which the content of a certificate affects the proper operation of our code. That would constitute a vulnerability.
OS: Solaris → All
Priority: -- → P1
Hardware: Sun → All
Comment 2•18 years ago
All P1 bugs must have target milestones. Setting this one to 3.12
Target Milestone: --- → 3.12
Version: unspecified → 3.11
Comment 3 (Assignee)•18 years ago
If a certificate name contains no "CN=" component (in the subject name, for a Cert request, or an issuer name, for a CRL request), we cannot properly encode a filter for the LDAP query. Previously, we created an improper query which led to a hang. Now, we recognize that our query has no components, and abort the query, returning "no certs found" to the caller.
Comment 4 (Assignee)•18 years ago
lib/libpkix/pkix_pl_nss/module/pkix_pl_ldapcertstore.c revision 1.1.2.24
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
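The guard described in Comment 3, as an added example that is not the NSS patch: a filter is built only from the name components the store knows how to query, and a name with none of them yields "no certs found" without a request being sent. The names `build_filter`, `append_term` and `known_types` are hypothetical, the input is assumed to be a simple comma-separated name with no escaped commas, and the RFC 4515 value escaping goes beyond what the bug discusses.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
/* Attribute types turned into filter terms (the ones the report names). */
static const char *const known_types[] = { "CN", "O", "C" };

/* Append "(type=value)" to out, hex-escaping RFC 4515 filter metacharacters. */
static int append_term(char *out, size_t cap, const char *type, const char *val, size_t vlen)
{
    size_t n = strlen(out);
    int w = snprintf(out + n, cap - n, "(%s=", type);
    if (w < 0 || (size_t)w >= cap - n) return -1;
    n += (size_t)w;
    for (size_t i = 0; i < vlen; i++) {
        unsigned char c = (unsigned char)val[i];
        int special = (c == '*' || c == '(' || c == ')' || c == '\\');
        w = snprintf(out + n, cap - n, special ? "\\%02x" : "%c", c);
        if (w < 0 || (size_t)w >= cap - n) return -1;
        n += (size_t)w;
    }
    if (cap - n < 2) return -1;
    out[n] = ')'; out[n + 1] = '\0';
    return 0;
}

/* Returns the number of terms in the filter, 0 if the name has no usable
 * component (caller reports "no certs found" and sends nothing), -1 on overflow. */
int build_filter(const char *name, char *out, size_t cap)
{
    int terms = 0;
    if (cap < 4) return -1;
    strcpy(out, "(&");
    for (const char *p = name; *p; ) {
        while (*p == ' ') p++;                 /* skip space after a comma */
        size_t len = strcspn(p, ",");          /* one "type=value" component */
        const char *eq = memchr(p, '=', len);
        for (size_t k = 0; eq && k < sizeof known_types / sizeof *known_types; k++) {
            size_t tl = strlen(known_types[k]);
            if ((size_t)(eq - p) != tl || strncasecmp(p, known_types[k], tl)) continue;
            if (append_term(out, cap, known_types[k], eq + 1, len - tl - 1)) return -1;
            terms++;
        }
        p += len + (p[len] == ',');
    }
    if (terms == 0) { out[0] = '\0'; return 0; }  /* nothing to query on */
    if (cap - strlen(out) < 2) return -1;
    strcat(out, ")");
    return terms;
}
```

A caller treats a return of 0 or -1 as an empty result set and never hands the buffer to the LDAP client.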