The LDAPCertStore creates LDAP requests using standard fields of a certificate - CN, O, C. One of the NIST Path Discovery tests, test 4.3.7, uses a certificate which has names meeting the requirements of RFC3280, but not containing any of the standard types. The result is a hang. The temporary workaround is to use only the PK11CertStore for this particular test. (It queries the database using the complete name fields from the certificate.) Eventually LDAPCertStore needs to be fixed to recognize this hang condition and return an error instead.
Richard, how does test LDAP cert store hang? Shouldn't it fail in the condition you describe? We can't have any circumstance in which the content of a certificate affects the proper operation of our code. That would constitute a vulnerability.
OS: Solaris → All
Priority: -- → P1
Hardware: Sun → All
All P1 bugs must have target milestones. Setting this one to 3.12
Target Milestone: --- → 3.12
Version: unspecified → 3.11
Created attachment 215150: Return "no certs found" if unable to properly encode request. If a certificate name contains no "CN=" component (in the subject name, for a Cert request, or an issuer name, for a CRL request), we cannot properly encode a filter for the LDAP query. Previously, we created an improper query which led to a hang. Now, we recognize that our query has no components, and abort the query, returning "no certs found" to the caller.
lib/libpkix/pkix_pl_nss/module/pkix_pl_ldapcertstore.c revision 184.108.40.206
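The behaviour this fix describes, written out as an added example that is not NSS/libpkix code: a filter builder over the CN, O and C attributes of a name that returns a distinct status when none of them is present, so the caller can answer "no certs found" instead of sending a malformed (empty) filter to the LDAP server. The status names, the string-form DN input and the 256-byte buffers are assumptions of this example; libpkix works on decoded names rather than DN strings.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Hypothetical status codes for this example, not libpkix's own. */
typedef enum { FILTER_OK = 0, FILTER_NO_COMPONENTS, FILTER_TOO_LONG } FilterStatus;

/* Length of an RDN value starting at v, up to the next unescaped ','. */
static size_t rdn_value_len(const char *v) {
    size_t i = 0;
    while (v[i] && v[i] != ',') {
        if (v[i] == '\\' && v[i + 1]) i++;  /* keep escaped characters such as "\," */
        i++;
    }
    return i;
}

/* Build an LDAP search filter from the CN, O and C attributes of an RFC 2253
 * style DN such as "CN=Alice,O=Example,C=US". Any other attribute types are
 * ignored. When no usable component exists, nothing is written and
 * FILTER_NO_COMPONENTS is returned: the caller must then report "no certs
 * found" rather than issue a query with an empty filter. */
FilterStatus build_cert_filter(const char *dn, char *out, size_t outlen) {
    static const char *types[] = { "cn", "o", "c" };
    char parts[256] = "";
    size_t used = 0;
    int count = 0;
    const char *p = dn;
    out[0] = '\0';
    while (p && *p) {
        while (*p == ' ') p++;
        const char *eq = strchr(p, '=');
        if (!eq) break;                           /* malformed RDN: stop scanning */
        size_t tlen = (size_t)(eq - p);
        size_t vlen = rdn_value_len(eq + 1);
        for (int i = 0; i < 3; i++) {
            if (tlen == strlen(types[i]) && strncasecmp(p, types[i], tlen) == 0 && vlen > 0) {
                int n = snprintf(parts + used, sizeof parts - used, "(%s=%.*s)", types[i], (int)vlen, eq + 1);
                if (n < 0 || (size_t)n >= sizeof parts - used) return FILTER_TOO_LONG;
                used += (size_t)n;
                count++;
            }
        }
        p = eq + 1 + vlen;                        /* advance to the next RDN */
        if (*p == ',') p++;
    }
    if (count == 0) return FILTER_NO_COMPONENTS;  /* the case that used to hang */
    int n = (count == 1) ? snprintf(out, outlen, "%s", parts)
                         : snprintf(out, outlen, "(&%s)", parts);
    if (n < 0 || (size_t)n >= outlen) { out[0] = '\0'; return FILTER_TOO_LONG; }
    return FILTER_OK;
}
```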
Status: NEW → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → FIXED