Last Comment Bug 335021 - incorrect smime_encryptionkeypref_template leads to QuickDER decoding failure
: incorrect smime_encryptionkeypref_template leads to QuickDER decoding failure
: fixed1.8.0.5, fixed1.8.1
Product: NSS
Classification: Components
Component: Libraries (show other bugs)
: 3.11
: All All
P1 normal (vote)
: 3.11.2
Assigned To: Julien Pierre
Depends on:
Blocks: 39468 332571 332867 333455 340724
  Show dependency treegraph
Reported: 2006-04-21 17:08 PDT by Kai Engert (:kaie)
Modified: 2006-06-14 06:31 PDT (History)
6 users (show)
dveditz: blocking1.8.1+
dveditz: blocking1.8.0.5+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---

Hotfix v1 (683 bytes, patch)
2006-04-21 17:17 PDT, Kai Engert (:kaie)
rrelyea: review+
nelson: superreview+
Details | Diff | Splinter Review
smimeenckeyprefs.secitem (120 bytes, application/octet-stream)
2006-04-22 05:33 PDT, Kai Engert (:kaie)
no flags Details
fix template (1.76 KB, patch)
2006-04-27 14:01 PDT, Julien Pierre
nelson: review+
rrelyea: superreview+
dveditz: approval1.8.0.5+
Details | Diff | Splinter Review

Description User image Kai Engert (:kaie) 2006-04-21 17:08:06 PDT
Julien, Bob, Nelson,

in bug 178897 you changed NSS_SMIMEUtil_GetCertFromEncryptionKeyPreference to no longer use SEC_ASN1DecodeItem, but use SEC_QuickDERDecodeItem.

I found that SEC_QuickDERDecodeItem is unable to decode the DER that we produce in NSS_SMIMEUtil_CreateSMIMEEncKeyPrefs using smime_encryptionkeypref_template.

We currently have a regression in Mozilla Mail, S/Mime.
Although receipient encryption certs are available in the local cert database, we don't find them.

This regression is caused by this decoding failure.

In my tests I changed NSS_SMIMEUtil_GetCertFromEncryptionKeyPreference to use SEC_ASN1DecodeItem, and things work again.
To immediately fix the regression, I would like to propose that we make that change in NSS trunk and 3.11 branch to fix the regression.
Comment 1 User image Kai Engert (:kaie) 2006-04-21 17:17:27 PDT
Created attachment 219381 [details] [diff] [review]
Hotfix v1
Comment 2 User image Julien Pierre 2006-04-21 18:07:44 PDT
Interesting how the variable is named DERekp . Are we actually encoding these encryption key preferences as BER ? Or is there another reason why the quick decoder fails ?
Comment 3 User image Robert Relyea 2006-04-21 18:19:37 PDT
Comment on attachment 219381 [details] [diff] [review]
Hotfix v1

r+ for a hot fix.

Kaie, could you post a copy of a sample ekp that failes to decode. That will tell us if the problem is BER coding or not.
Comment 4 User image Nelson Bolyard (seldom reads bugmail) 2006-04-21 18:28:42 PDT
The old decoder decodes both BER and DER.  
The new "quick DER" decoder decodes only DER. 
There are two questions to be asked here:
a) does the spec for the relevant item being decoded here require it to be DER
   encoded? or is BER permitted?
   If BER is permitted, then reverting to the dual BER/DER decoder is the 
   right fix.  If DER is required, then I think it's very likely that the 
   problem is that the object has been BER encoded.
b) Is the item in question actually BER encoded?

We need an attachment here showing the encoded data that the decoder doesn't 
like.  Kai, can you produce that?

If our encoder is encoding the wrong thing, then I'd oppose reintroducing 
the wrong decoder as a mere workaround.
Comment 5 User image Nelson Bolyard (seldom reads bugmail) 2006-04-21 18:42:26 PDT
Here's something to check.  When we're encoding the SMIME encryption prefs,
do we actually re-encode the certificate from its components?  
If so, that's wrong, and that's probably the problem.  
The CRMF/CMMF library has that same problem.  

If you see the smime prefs template pointing to the certificate template,
that's the problem.  When encoding/decoding certs inside of a large template
the cert should always be encoded/decoded as a SEC_ASN1_ANY type.  When 
encoding, the already encoded cert should be provided.  Similarly when 
decoding the encoded cert should be kept intact, and then, if necessary
be separately decoded.  
Comment 6 User image Kai Engert (:kaie) 2006-04-22 05:33:16 PDT
Created attachment 219420 [details]

00000000  a0 76 30 62 31 0b 30 09  06 03 55 04 06 13 02 5a  |.v0b1.0...U....Z|
00000010  41 31 25 30 23 06 03 55  04 0a 13 1c 54 68 61 77  |A1%0#..U....Thaw|
00000020  74 65 20 43 6f 6e 73 75  6c 74 69 6e 67 20 28 50  |te Consulting (P|
00000030  74 79 29 20 4c 74 64 2e  31 2c 30 2a 06 03 55 04  |ty) Ltd.1,0*..U.|
00000040  03 13 23 54 68 61 77 74  65 20 50 65 72 73 6f 6e  |..#Thawte Person|
00000050  61 6c 20 46 72 65 65 6d  61 69 6c 20 49 73 73 75  |al Freemail Issu|
00000060  69 6e 67 20 43 41 02 10  17 73 38 d4 e5 4b 09 e4  |ing CA...s8..K..|
00000070  3a ec f6 a2 f3 51 6b 57                           |:....QkW|
Comment 7 User image Robert Relyea 2006-04-22 11:29:14 PDT
OK, I looks like the problem isn't the data, but maybe the template?
The data is pretty simpe DER, but the template has a choice with a selector.
I think that's why the Quick decoder failed.

data decoded with pp: pp -t none -i /tmp/x
pp: don't know how to print out 'none' files
File contains: [0]: {
    Sequence {
        Set {
            Sequence {
                X520 Country Name
        Set {
            Sequence {
                X520 Organization Name
                "Thawte Consulting (Pty) Ltd."
        Set {
            Sequence {
                X520 Common Name
                "Thawte Personal Freemail Issuing CA"
Comment 8 User image Kai Engert (:kaie) 2006-04-24 09:16:31 PDT
(In reply to comment #5)
> When we're encoding the SMIME encryption prefs,
> do we actually re-encode the certificate from its components?  
> ...
> If you see the smime prefs template pointing to the certificate template,
> that's the problem.

If I understand the template correclty, I don't see a cert template nested.

It seems we do not nest the cert, but only include issuer, serial number, recipient key id, subject key id.

static const SEC_ASN1Template smime_encryptionkeypref_template[] = {
	  offsetof(NSSSMIMEEncryptionKeyPreference,selector), NULL,
	  sizeof(NSSSMIMEEncryptionKeyPreference) },
	  NSSSMIMEEncryptionKeyPref_IssuerSN },
	  NSSSMIMEEncryptionKeyPref_IssuerSN },
	  NSSSMIMEEncryptionKeyPref_SubjectKeyID },
    { 0, }
Comment 9 User image Kai Engert (:kaie) 2006-04-24 09:24:05 PDT
Nelson, you said, the quick decoder is supposed to decode DER.
We now know the data that it fails to decode is DER.
I conclude there is a bug in the quick DER decoder?

Are you ok with taking the hotfix on the NSS 3.11 branch? If yes, could you please give me a second review?

It would be good to have it on the client snapshot we're going to produce shortly.
Comment 10 User image Nelson Bolyard (seldom reads bugmail) 2006-04-24 10:34:45 PDT
Adding QuickDer author to CC list.
Comment 11 User image Nelson Bolyard (seldom reads bugmail) 2006-04-24 11:27:14 PDT
Comment on attachment 219381 [details] [diff] [review]
Hotfix v1

How about if we do this "hot fix" on the 3.11 branch only, and not the trunk?
I'm OK with that.  r=nelson for the branch.
Comment 12 User image Kai Engert (:kaie) 2006-04-24 11:52:51 PDT
(In reply to comment #11)
> (From update of attachment 219381 [details] [diff] [review] [edit])
> How about if we do this "hot fix" on the 3.11 branch only, and not the trunk?
> I'm OK with that.  r=nelson for the branch.

Sounds good to me, thanks!
Hotfix checked in to NSS_3_11_BRANCH.

Checking in smimeutil.c;
/cvsroot/mozilla/security/nss/lib/smime/smimeutil.c,v  <--  smimeutil.c
new revision:; previous revision: 1.16
Comment 13 User image Kai Engert (:kaie) 2006-04-24 13:00:16 PDT
Nelson, you probably want this on the branch only, because a real fix should be produced for the trunk of NSS.

This makes sense, if the real fix can be produced short term.

However, we should make sure the real fix should be produced before a 3.12 release, to ensure we won't regress again.

Landing the hotfix on the trunk (as a temporary fix) would ensure we can't regression again accidentially.

The Mozilla release management defines blocker bugs, that block a release.

If NSS has such a mechanism, and you choose to not checkin the hotfix to the trunk, this bug should be made a blocker bug for the 3.12 release.
Comment 14 User image Wan-Teh Chang 2006-04-25 09:56:05 PDT
I agree that the hot fix should be checked in on the trunk
to eliminate the risk of a regression in NSS 3.12.
Comment 15 User image Nelson Bolyard (seldom reads bugmail) 2006-04-25 10:13:50 PDT
I want to give Julien an easy test bed for debugging.
Also, to keep this bug in view.  (e.g. out of sight, out of mind)
Comment 16 User image Julien Pierre 2006-04-26 18:31:43 PDT
Here are some tips to debug the issue using QuickDER :

1) build NSS in debug mode. QuickDER has some additional checks on templates that are #ifdef DEBUG

2) Try adding the SEC_ASN1_DEBUG_BREAK flag to entries in the templates you are suspecting. QuickDER will assert right at the point where it reaches this component. Start putting this flag at the bottom of the templates, and them move it back up until there is an actual assert hit. Then it should be simple to narrow which component quickder failed to decode. Certainly easier than to step through the decoder.
Comment 17 User image Julien Pierre 2006-04-27 13:50:30 PDT
I created a test program and checked it against the data Kai attached.
I don't see a bug in the QuickDER decoder. The DER data simply doesn't match any of the choices in the template.

The first tag in the data is 0xa0.
The choices defined in the template are 
which translate to 0x80, 0x81, and 0x82 .

SEC_ASN1_POINTER and SEC_ASN1_XTRN are modifiers that have no effect on the expected tag. POINTER is only about memory-management, and XTRN is for invoking a function to retrieve the sub-template from different shared library.

To make the template match the data, one would have to add SEC_ASN1_CONSTRUCTED . I'm wondering why SEC_ASN1DecodeItem allows this to decode without it; and why SEC_ASN1EncodeItem encoded the data as constructed as well.
Comment 18 User image Julien Pierre 2006-04-27 14:01:45 PDT
Created attachment 220058 [details] [diff] [review]
fix template

This template works with both decoders using the data provided by Kai. But I didn't test the encoding step. Kai, please make sure this change doesn't break encoding of the EKP also in the client
Comment 19 User image Robert Relyea 2006-04-27 14:33:29 PDT
Hmmm... The secasn1d.c and derdec.c functions explicitly ignore the SEC_ASN1_CONSTRUCTED tag. I wonder if we should do the same in QuickDERDecode. We have a lot of templates that have CONTEXT_SPECIFIC without the explicit SEC_ASN1_CONSTRUCTED tag.

Comment 20 User image Robert Relyea 2006-04-28 16:58:36 PDT
Comment on attachment 220058 [details] [diff] [review]
fix template

r+ for NSS trunk only.
Well look at the damage there first;).
Comment 21 User image Julien Pierre 2006-04-28 17:24:07 PDT
Thanks for the review, Bob. I checked this in to the tip :

Checking in smimeutil.c;
/cvsroot/mozilla/security/nss/lib/smime/smimeutil.c,v  <--  smimeutil.c
new revision: 1.17; previous revision: 1.16

Re: comment 19,

I think it is a valid case to implicitly tag with SEC_ASN1_CONTEXT_SPECIFIC but without the constructed bit, for example if the subtemplate is for a primitive type rather than a sequence.

Perhaps the legacy decoder figures out the expected value of SEC_ASN1_CONSTRCUTED by looking at the subtemplate ? That would seem odd to me. IMO, the tag value info should be completely in the parent for this retagging case.

So, I wouldn't be eager to change the behavior of the QuickDER decoder until we can understand why the legacy decoder assumes constructed for this case.
Comment 22 User image Julien Pierre 2006-05-23 18:46:24 PDT
Has anyone verified this fix yet ?
Comment 23 User image Nelson Bolyard (seldom reads bugmail) 2006-05-24 12:17:25 PDT
For context specific tags, whether the tag should be constructed or not
should be determined by the subtemplate, not by the template of the 
context-specific tag itself, IINM.  Otherwise, how do you implement a 
context specific ANY ?  

So, I don't think adding the SEC_ASN1_CONSTRUCTED flag to context specific 
tags is the right answer.  
Comment 24 User image Nelson Bolyard (seldom reads bugmail) 2006-05-24 13:09:42 PDT
Please ignore my comment 23.  I needed more coffee when I wrote that.  :-/
I actually DO think that template change is the right one.  

In reply to comment 19, I finally remembered why secasn1d.c ignores the 
CONSTRUCTED bit.  It's a BER and DER decoder.  In BER, ANY of the byte 
T61_STIRNG, IA5_STRING, etc., etc.) may be constructed or primative, 
anywhere they occur (except inside constructed components of the same type).
So, a BER decoder cannot insist on the presence or absence of the CONSTRUCTED
bit in any of those tag types.  Consequently, our BER/DER deocder doesn't 
try to enforce the correctness of the CONSTRUCTED bit until it knows that 
the tag type requires it to be of one fixed value, even for BER.
Comment 25 User image Julien Pierre 2006-05-24 19:07:48 PDT
I checked the fix in to NSS_3_11_BRANCH also.

Checking in smimeutil.c;
/cvsroot/mozilla/security/nss/lib/smime/smimeutil.c,v  <--  smimeutil.c
new revision:; previous revision:

Kai, feel free to reopen if this doesn't solve your problem.
Comment 26 User image Nelson Bolyard (seldom reads bugmail) 2006-05-26 03:22:15 PDT
The NSS_3_11_BRANCH now contains BOTH fixes, the template fix, and the older
"hot fix" (which changed the code to use the older BER/DER decoder).

I think the results of the tests of the "fixed templates" are not valid
or conclusive unless and until we back out the "hot fix", and revert to 
using the QuickDER decoder again.

So, I'm reopening this bug until that "hot fix" is backed out and the 
"template fix" is verified without the "hot fix".
Comment 27 User image Julien Pierre 2006-05-30 19:00:36 PDT
I backed out the hot fix on the NSS_3_11_BRANCH :

Checking in smimeutil.c;
/cvsroot/mozilla/security/nss/lib/smime/smimeutil.c,v  <--  smimeutil.c
new revision:; previous revision:
Comment 28 User image Nelson Bolyard (seldom reads bugmail) 2006-05-30 21:08:42 PDT
Julien, did you test that the email clients will be able to send encrytped
email with that hot fix backed out?  (I suspect they won't!)
Comment 29 User image Nelson Bolyard (seldom reads bugmail) 2006-05-30 22:03:13 PDT
The bad non-DER template caused NSS to encode a great many SMIME encyrption
key prefs in a non-DER encoding.  Correcting the template will cause the 
encoder to start encoding them properly, but won't enable the QuickDER 
decoder to be able to decode the old ones that were improperly encoded.

So, I suspect we must leave this decoder using the older BER/DER decoder until
such time as there are no longer any improperly encoded prefs left to decode.
Comment 30 User image Julien Pierre 2006-05-31 13:35:55 PDT

I believe SEC_ASN1EncodeItem always encodes in DER . You have to use streaming mode to get BER with the encoder, and that requires using different APIs. The question is whether the encoded structure contained the constructed bit or not, not whether it is BER or DER.

Kai ran into the problem where SEC_QuickDERDecodeItem saw a structure that had the constructed bit encoded in it, but was unable to decode it, because its interpretation of the template didn't match - it didn't expect the constructed bit in the encoded component. The template was fixed with the addition of SEC_ASN1_CONSTRUCTED, so SEC_QuickDERDecodeItem will now expect that bit and decode the structure properly.

I don't believe the addition of SEC_ASN1_CONSTRUCTED to the template will change anything to the encoding process - which was already adding the constructed bit. So, I think the code we have now is correct.

I would still like Kai to verify what the behavior is with now this fix in Mozilla mail, both with new profiles and with old ones, rather than speculate as to whether we need to change anything else at this point.
Comment 31 User image Kai Engert (:kaie) 2006-06-07 14:24:19 PDT
Comment on attachment 219381 [details] [diff] [review]
Hotfix v1

I would have prefered to keep this hotfix on the branch. I didn't yet have the time to play with your other patch to verify it is correct.
Comment 32 User image Kai Engert (:kaie) 2006-06-09 09:07:10 PDT
I verified Julien's new patch fixes the bug.
(with the hot fix backed out)
Comment 33 User image Daniel Veditz [:dveditz] 2006-06-13 14:53:51 PDT
Comment on attachment 220058 [details] [diff] [review]
fix template

approved for 1.8.0 branch, a=dveditz for drivers
Comment 34 User image Kai Engert (:kaie) 2006-06-14 06:31:31 PDT
checked in to mozilla 1.8.0 branch
Checking in lib/smime/smimeutil.c;
/cvsroot/mozilla/security/nss/lib/smime/smimeutil.c,v  <--  smimeutil.c
new revision:; previous revision: 1.16

I verified the fix works on that branch.

Note You need to log in before you can comment on or make changes to this bug.