NSS should have an API to decode PEM CRLs

Status: NEW (Unassigned)
Severity: enhancement
Reported: 12 years ago
Updated: 11 years ago
Reporter: walter
Firefox Tracking Flags: (Not tracked)

Description

12 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Build Identifier: Thunderbird 3.0a1 build 20061004

Importing a CRL from http://ca.dutchgrid.nl/medium/cacrl.pem fails because they use a format that includes plain text before the cipher block.


Reproducible: Always

Steps to Reproduce:
1. choose menu tools|options
2. choose tab security
3. click button Revocation lists
4. click import
5. enter http://ca.dutchgrid.nl/medium/cacrl.pem
6. click OK

Actual Results:
error code ffffe009


Expected Results:
The CRL should have been imported and been shown in the dialog box as a correctly imported CRL.


The format in which the CRL is published by this CA is valid. It includes some human-readable text before the ---BEGIN X509 CRL--- block.

Comment 1

12 years ago
If I understand correctly, PEM files do allow additional text outside of those ASCII-encoded blocks surrounded by "---BEGIN ...".

I believe I remember that some time ago, in some other bug, Nelson said, NSS does not claim to directly support PEM for importing certs/crls.

However, in my experience, NSS happens to read many PEM files just fine. For example, this sample CA cert http://kuix.de/ca/ns.php is a PEM file, and PSM successfully uses CERT_DecodeCertPackage to get it decoded. It also works when that file is prefixed with additional ASCII lines, as this test case shows: http://kuix.de/ca/ns-asciiprefix.php (works, too)

So I believe, NSS already has the ability to correctly deal with PSM lines.

If it does not work when downloading a CRL formatted like that, we might need to add a decoding somewhere.

I made a test URL where the server sends content-type application/x-x509-crl, so you can see the bug by directly clicking that link:
http://kuix.de/misc/test355513/cacrl.php
Assignee: dveditz → nobody
Status: UNCONFIRMED → NEW
Component: Security → Libraries
Ever confirmed: true
Product: Core → NSS
QA Contact: toolkit → libraries
Version: Trunk → 3.11.3

Comment 2

12 years ago
What NSS API do you think failed here?
The NSS CRL import APIs only take binary DER, not PEM. So I think the bug is in PSM, unless it also used NSS APIs to parse/base-64 decode the PEM file to binary.

Comment 3

12 years ago
(In reply to comment #2)
> What NSS API do you think failed here ?
> The NSS CRL import APIs only take binary DER, not PEM . So I think the bug is
> in PSM, unless it also used NSS APIs to parse/base-64 decode the PEM file to
> binary.


PSM uses NSS API CERT_DecodeCertPackage to decode PEM to DER.
As NSS already has the PEM decoding capability internally, I propose to provide a new NSS API to decode PEM CRLs to DER CRLs.
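The decoding step comment 3 asks for, as an added illustration in Python rather than NSS's C (this is not NSS or PSM code): it locates the X509 CRL armor block regardless of any human-readable preamble, base64-decodes it, and checks that the result is exactly one DER SEQUENCE before handing it to a DER CRL importer. The sample input and its placeholder payload are constructed; the `allow_leading_text` switch is a hypothetical name used to contrast the strict reader that fails on a preamble with the tolerant one.

```python
import base64

BEGIN = "-----BEGIN X509 CRL-----"
END = "-----END X509 CRL-----"

# Constructed sample in the shape the CA published: human-readable preamble,
# then the armored block. The base64 is a placeholder DER SEQUENCE, not a CRL.
SAMPLE_PEM = """Certificate Revocation List for an example CA
Issued: 2006-10-04
-----BEGIN X509 CRL-----
MAMCAQU=
-----END X509 CRL-----
"""


def check_der_sequence(der: bytes) -> int:
    """Require `der` to be one DER SEQUENCE (a CRL's outer tag); return its content length."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("outer tag is not SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short-form length
        length, hdr = first, 2
    else:                                 # long-form: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("bad length encoding")
        length, hdr = int.from_bytes(der[2:2 + n], "big"), 2 + n
    if hdr + length != len(der):
        raise ValueError("DER length does not match data")
    return length


def pem_crl_to_der(text: str, allow_leading_text: bool = True) -> bytes:
    """Return the DER bytes of the first X509 CRL armor block in `text`.

    allow_leading_text=False models a strict reader that rejects any
    preamble, which is the failure the bug report describes.
    """
    lines = [l.strip() for l in text.splitlines()]
    if BEGIN not in lines:
        raise ValueError("no BEGIN X509 CRL marker")
    start = lines.index(BEGIN)
    if not allow_leading_text and any(lines[:start]):
        raise ValueError("text before BEGIN marker")
    try:
        end = lines.index(END, start + 1)
    except ValueError:
        raise ValueError("no END X509 CRL marker") from None
    # validate=True rejects any non-base64 character inside the armor
    der = base64.b64decode("".join(lines[start + 1:end]), validate=True)
    check_der_sequence(der)
    return der
```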

Updated

11 years ago
Severity: normal → enhancement
OS: Windows XP → All
Hardware: PC → All
Summary: CRL import fails for certain PEM format → NSS should have an API to decode PEM CRLs