Closed Bug 330354 Opened 18 years ago Closed 18 years ago

libpkix LDAPCertstore can't handle RFC3280MandatoryAttributeTypes

Categories

(NSS :: Test, defect, P1)

3.11
defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: richard.freedman, Assigned: richard.freedman)

Details

Attachments

(1 file)

The LDAPCertStore creates LDAP requests using standard fields of a certificate - CN, O, C. One of the NIST Path Discovery tests, test 4.3.7, uses a certificate which has names meeting the requirements of RFC3280, but not containing any of the standard types. The result is a hang.

The temporary workaround is to use only the PK11CertStore for this particular test. (It queries the database using the complete name fields from the certificate.) Eventually LDAPCertStore needs to be fixed to recognize this hang condition and return an error instead.

Richard, how does test LDAP cert store hang? Shouldn't it fail in the condition you describe? We can't have any circumstance in which the content of a certificate affects the proper operation of our code. That would constitute a vulnerability.

OS: Solaris → All
Priority: -- → P1
Hardware: Sun → All
All P1 bugs must have target milestones. Setting this one to 3.12
Target Milestone: --- → 3.12
Version: unspecified → 3.11
If a certificate name contains no "CN=" component (in the subject name, for a Cert request, or an issuer name, for a CRL request), we cannot properly encode a filter for the LDAP query. Previously, we created an improper query which led to a hang. Now, we recognize that our query has no components, and abort the query, returning "no certs found" to the caller.
lib/libpkix/pkix_pl_nss/module/pkix_pl_ldapcertstore.c revision 1.1.2.24
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
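
The check described in the fix comment above, as an added C sketch that is not the libpkix code or the checked-in patch: a filter is built from the CN, O and C attributes of a name, and a name with none of them yields a "no components" result so that no query is sent. The `NameAttr` type, the function names, the `(&...)` filter layout, the RFC 4515 escaping and the sample names are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical types for this sketch; not libpkix structures. */
typedef struct { const char *type, *value; } NameAttr;
enum { FILTER_OK, FILTER_NO_COMPONENTS, FILTER_TOO_LONG };

/* Bounded append that always leaves room for the terminating NUL. */
static int put(char *out, size_t cap, size_t *len, const char *s) {
    size_t n = strlen(s);
    if (n >= cap - *len) return -1;
    memcpy(out + *len, s, n + 1);
    *len += n;
    return 0;
}

/* Append "(type=value)", escaping * ( ) \ as RFC 4515 requires. */
static int append_term(char *out, size_t cap, size_t *len, const NameAttr *a) {
    char esc[4];
    if (put(out, cap, len, "(") || put(out, cap, len, a->type) || put(out, cap, len, "="))
        return -1;
    for (const char *p = a->value; *p; p++) {
        if (strchr("*()\\", *p)) snprintf(esc, sizeof esc, "\\%02x", (unsigned)(unsigned char)*p);
        else { esc[0] = *p; esc[1] = '\0'; }
        if (put(out, cap, len, esc)) return -1;
    }
    return put(out, cap, len, ")");
}

/* AND filter over the CN, O and C attributes (type names assumed lower-case). */
int build_filter(const NameAttr *name, size_t count, char *out, size_t cap) {
    size_t len = 0, terms = 0;
    int rc = cap ? put(out, cap, &len, "(&") : -1;
    for (size_t i = 0; rc == 0 && i < count; i++) {
        const char *t = name[i].type;
        if (strcmp(t, "cn") && strcmp(t, "o") && strcmp(t, "c")) continue;
        rc = append_term(out, cap, &len, &name[i]);
        terms++;
    }
    if (rc == 0 && terms > 0) rc = put(out, cap, &len, ")");
    if (rc != 0 || terms == 0) {   /* never hand back a partial or empty filter */
        if (cap) out[0] = '\0';
        return rc ? FILTER_TOO_LONG : FILTER_NO_COMPONENTS;
    }
    return FILTER_OK;
}

/* Constructed sample names, not taken from the NIST test data. */
const NameAttr with_cn[] = { {"c", "US"}, {"o", "Example (Test)"}, {"cn", "leaf*1"} };
const NameAttr no_std[] = { {"dc", "example"}, {"st", "MD"}, {"dnqualifier", "ca-1"} };
```

A caller would treat `FILTER_NO_COMPONENTS` as "no certs found" and return without contacting the LDAP server.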