User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:126.96.36.199) Gecko/20060909 Firefox/188.8.131.52
Build Identifier: Thunderbird 3.0a1 build 20061004

Importing a CRL from http://ca.dutchgrid.nl/medium/cacrl.pem fails because they use a format that includes plain text before the cipher block.

Reproducible: Always

Steps to Reproduce:
1. choose menu tools|options
2. choose tab security
3. click button Revocation lists
4. click import
5. enter http://ca.dutchgrid.nl/medium/cacrl.pem
6. click OK

Actual Results: error code ffffe009

Expected Results: the CRL should have been imported and been shown in the dialog box as a correctly imported CRL.

The format in which the CRL is published by this CA is valid. It includes some human-readable text before the ---BEGIN X509 CRL--- block.
If I understand correctly, PEM files do allow additional text outside of those ASCII-encoded blocks surrounded by "---BEGIN ...".

I believe I remember that some time ago, in some other bug, Nelson said NSS does not claim to directly support PEM for importing certs/CRLs. However, in my experience, NSS happens to read many PEM files just fine.

For example, this sample CA cert http://kuix.de/ca/ns.php is a PEM file, and PSM successfully uses CERT_DecodeCertPackage to get it decoded. It also works when that file is prefixed with additional ASCII lines, as this test case shows: http://kuix.de/ca/ns-asciiprefix.php (works, too)

So I believe NSS already has the ability to correctly deal with PEM lines. If it does not work when downloading a CRL formatted like that, we might need to add a decoding somewhere.

I made a test URL where the server sends content-type application/x-x509-crl, so you can see the bug by directly clicking that link: http://kuix.de/misc/test355513/cacrl.php
Assignee: dveditz → nobody
Status: UNCONFIRMED → NEW
Component: Security → Libraries
Ever confirmed: true
Product: Core → NSS
QA Contact: toolkit → libraries
Version: Trunk → 3.11.3
What NSS API do you think failed here? The NSS CRL import APIs only take binary DER, not PEM. So I think the bug is in PSM, unless it also used NSS APIs to parse/base64-decode the PEM file to binary.
(In reply to comment #2)
> What NSS API do you think failed here ?
> The NSS CRL import APIs only take binary DER, not PEM . So I think the bug is
> in PSM, unless it also used NSS APIs to parse/base-64 decode the PEM file to
> binary.

PSM uses NSS API CERT_DecodeCertPackage to decode PEM to DER. As NSS already has the PEM decoding capability internally, I propose to provide a new NSS API to decode PEM CRLs to DER CRLs.
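The kind of PEM-to-DER step this comment proposes, as an added example that is not NSS or PSM code: it locates the armored X509 CRL block even when human-readable text precedes it (as in the DutchGrid CRL), base64-decodes the body to DER, and rejects a missing or malformed block instead of handing garbage to a DER parser. The function names and the sample PEM are made up for illustration.

```c
/* Added example, not NSS code: find the armored CRL block in a PEM file that
 * carries human-readable text before it and base64-decode it to DER. */
#include <string.h>

static const char CRL_BEGIN[] = "-----BEGIN X509 CRL-----";
static const char CRL_END[]   = "-----END X509 CRL-----";

/* Constructed sample: prose precedes the armor; the body decodes to the five
 * DER bytes 30 03 02 01 05 (a minimal SEQUENCE, not a real CRL). */
static const char SAMPLE_PEM[] =
    "Certificate Revocation List published by an example CA\n"
    "-----BEGIN X509 CRL-----\n"
    "MAMCAQU=\n"
    "-----END X509 CRL-----\n";

/* One base64 character to its 6-bit value, or -1 for anything else. */
static int b64_val(int c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* Decode the CRL block of `pem` into `der` (capacity `cap`). Returns the DER
 * length, or -1 if no complete block exists, it does not fit, or it contains
 * a non-base64 character. Text outside the markers is ignored, whitespace
 * inside is skipped, and '=' padding ends the data. */
long pem_crl_to_der(const char *pem, unsigned char *der, size_t cap) {
    const char *start = strstr(pem, CRL_BEGIN);
    if (!start) return -1;
    start += sizeof(CRL_BEGIN) - 1;
    const char *end = strstr(start, CRL_END);
    if (!end) return -1;
    size_t n = 0;
    unsigned int acc = 0;   /* only the low `bits` bits are meaningful */
    int bits = 0;
    for (const char *p = start; p < end; p++) {
        if (*p == '\n' || *p == '\r' || *p == ' ' || *p == '\t') continue;
        if (*p == '=') break;                 /* padding: no more data */
        int v = b64_val((unsigned char)*p);
        if (v < 0) return -1;                 /* reject, do not guess */
        acc = (acc << 6) | (unsigned int)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= cap) return -1;
            der[n++] = (unsigned char)((acc >> bits) & 0xFF);
        }
    }
    return (long)n;
}
```

The decoded buffer is what would then be handed to the binary DER CRL import path; a `-1` from this step is the point at which a clear PEM-format error should be reported rather than the opaque code in the report.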
Severity: normal → enhancement
OS: Windows XP → All
Hardware: PC → All
Summary: CRL import fails for certain PEM format → NSS should have an API to decode PEM CRLs