libpkix LDAPCertstore can't handle RFC3280MandatoryAttributeTypes

RESOLVED FIXED in 3.12

Status: RESOLVED FIXED (Product: NSS, Component: Test, Priority: P1, Severity: normal)

People

(Reporter: Richard N. Freedman, Assigned: Richard N. Freedman)


Description (Assignee, 12 years ago)

The LDAPCertStore creates LDAP requests using standard fields of a certificate - CN, O, C. One of the NIST Path Discovery tests, test 4.3.7, uses a certificate which has names meeting the requirements of RFC3280, but not containing any of the standard types. The result is a hang.

The temporary workaround is to use only the PK11CertStore for this particular test. (It queries the database using the complete name fields from the certificate.) Eventually LDAPCertStore needs to be fixed to recognize this hang condition and return an error instead.

Comment 1 (12 years ago)

Richard, how does the test LDAP cert store hang? Shouldn't it fail in the condition you describe? We can't have any circumstance in which the content of a certificate affects the proper operation of our code. That would constitute a vulnerability.

OS: Solaris → All
Priority: -- → P1
Hardware: Sun → All
All P1 bugs must have target milestones. Setting this one to 3.12
Target Milestone: --- → 3.12
Version: unspecified → 3.11
Comment 3 (Assignee, 12 years ago)

Created attachment 215150
Return "no certs found" if unable to properly encode request

If a certificate name contains no "CN=" component (in the subject name, for a Cert request, or an issuer name, for a CRL request), we cannot properly encode a filter for the LDAP query. Previously, we created an improper query which led to a hang. Now, we recognize that our query has no components, and abort the query, returning "no certs found" to the caller.
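The guard described in Comment 3, as an added illustration that is not the NSS patch itself: build the LDAP filter only from the CN, O and C components of a name, and report zero components (the caller's "no certs found") rather than sending a filter with no terms. The string DN form, the attribute mapping and the RFC 4515 value escaping are assumptions of this example, not details taken from the bug.

```c
#include <stdio.h>
#include <string.h>

/* Attribute types this cert store queries on (from the bug report)
 * and the LDAP attribute names they map to (assumed here). */
static const char *const kTypes[] = { "CN", "O", "C" };
static const char *const kAttrs[] = { "cn", "o", "c" };

/* RFC 4515-escape a DN value so that '(' ')' '*' or '\' inside a
 * certificate name cannot change the structure of the filter. */
static void escape_value(const char *v, size_t n, char *dst, size_t dstlen) {
    size_t o = 0;
    for (size_t i = 0; i < n && o + 4 < dstlen; i++) {
        unsigned char c = (unsigned char)v[i];
        if (c == '*' || c == '(' || c == ')' || c == '\\')
            o += (size_t)snprintf(dst + o, dstlen - o, "\\%02x", c);
        else
            dst[o++] = (char)c;
    }
    dst[o] = '\0';
}

/* Build an AND-filter from the CN/O/C RDNs of a DN string such as
 * "CN=Alice,O=Example,C=US". Returns the number of components used; 0
 * means "no certs found" and out is emptied: never send a filter with no
 * terms ("(&)" is LDAP's absolute-true filter and matches every entry). */
int build_cert_filter(const char *dn, char *out, size_t outlen) {
    char buf[512] = "(&", val[128], term[160];
    int count = 0;
    const char *p = dn;
    while (*p) {
        while (*p == ' ') p++;                 /* tolerate "CN=a, O=b" */
        const char *eq = strchr(p, '=');
        if (!eq) break;
        size_t tlen = (size_t)(eq - p), vlen = strcspn(eq + 1, ",");
        for (size_t i = 0; i < 3; i++) {
            if (strlen(kTypes[i]) != tlen || strncmp(p, kTypes[i], tlen)) continue;
            escape_value(eq + 1, vlen, val, sizeof val);
            snprintf(term, sizeof term, "(%s=%s)", kAttrs[i], val);
            strncat(buf, term, sizeof buf - strlen(buf) - 1);
            count++;
        }
        p = eq + 1 + vlen;
        if (*p == ',') p++;
    }
    out[0] = '\0';
    if (count == 0) return 0;                  /* -> "no certs found" */
    snprintf(out, outlen, "%s)", buf);
    return count;
}
```

A name built only from other RFC 3280 attribute types (a constructed "serialNumber=...,DC=...,DC=..." in the test below) yields zero components and no query is issued.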
Comment 4 (Assignee, 12 years ago)

lib/libpkix/pkix_pl_nss/module/pkix_pl_ldapcertstore.c revision 1.1.2.24
Status: NEW → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → FIXED