libpkix treats CRL nextUpdate time as an expiration time

RESOLVED DUPLICATE of bug 390502

Status

NSS
Libraries
P1
normal
10 years ago
10 years ago

People

(Reporter: Steve Parkinson, Assigned: Alexei Volkov)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: PKIX)

(Reporter)

Description

10 years ago
pkix_pl_crl.c, lines 727-731:
    PKIX_CRL_DEBUG("\t\tCalling DER_DecodeTimeChoice on nextUpdate\n");
    status = DER_DecodeTimeChoice(&nextUpdate, &(nssCrl->nextUpdate));
    if (status != SECSuccess) {
        PKIX_ERROR(PKIX_DERDECODETIMECHOICEFORNEXTUPDATEFAILED);
    }

This causes the CRL to be rejected. In debug builds, DER_DecodeTimeChoice
assert()s.

nextUpdate is technically OPTIONAL as far as the ASN.1 goes, but
mandatory in RFC 3280:

   This profile requires inclusion of nextUpdate in all CRLs issued by
   conforming CRL issuers.  Note that the ASN.1 syntax of TBSCertList
   describes this field as OPTIONAL, which is consistent with the ASN.1
   structure defined in [X.509].  The behavior of clients processing
   CRLs which omit nextUpdate is not specified by this profile. 

Does that make this NOTABUG?
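
The optional field discussed in the description above, as an added Python example (not NSS code and not part of the bug report): it walks a DER-encoded TBSCertList and returns nextUpdate as None when the field is absent, rather than treating a missing Time as a decode failure. The function names and the two sample CRL bodies are constructed for illustration.

```python
from datetime import datetime, timezone
UTCTIME, GENTIME = 0x17, 0x18  # the two tags allowed by the Time CHOICE

def read_tlv(buf, pos):  # -> (tag, value, next_pos) for one definite-length DER element
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def parse_time(tag, value):
    s = value.decode("ascii")
    if tag == UTCTIME:  # RFC 3280: YY >= 50 means 19YY, otherwise 20YY
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def crl_update_times(tbs_der):  # -> (thisUpdate, nextUpdate or None)
    tag, body, _ = read_tlv(tbs_der, 0)
    if tag != 0x30:
        raise ValueError("TBSCertList must be a SEQUENCE")
    tag, _, after = read_tlv(body, 0)
    pos = after if tag == 0x02 else 0  # skip the optional version INTEGER
    for _field in ("signature", "issuer"):  # both are SEQUENCEs we step over
        _, _, pos = read_tlv(body, pos)
    tag, value, pos = read_tlv(body, pos)
    if tag not in (UTCTIME, GENTIME):
        raise ValueError("thisUpdate missing")
    this_update, next_update = parse_time(tag, value), None
    if pos < len(body):  # nextUpdate is OPTIONAL: decode only if a Time follows
        tag, value, _ = read_tlv(body, pos)
        if tag in (UTCTIME, GENTIME):
            next_update = parse_time(tag, value)
    return this_update, next_update

# Constructed sample data (short-form lengths only); not taken from any real CRL.
def tlv(tag, value):
    return bytes([tag, len(value)]) + value
_HEAD = (tlv(0x02, b"\x01")  # version, signature algorithm, issuer, thisUpdate
         + tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010105")) + tlv(0x05, b""))
         + tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(0x0C, b"Example CA"))))
         + tlv(0x17, b"070801000000Z"))
_REVOKED = tlv(0x30, tlv(0x30, tlv(0x02, b"\x05") + tlv(0x17, b"070715000000Z")))
CRL_WITH = tlv(0x30, _HEAD + tlv(0x17, b"070901000000Z") + _REVOKED)
CRL_WITHOUT = tlv(0x30, _HEAD + _REVOKED)
```

In CRL_WITHOUT the element after thisUpdate is the revokedCertificates SEQUENCE, so the tag check alone distinguishes an omitted nextUpdate from a present one; what the caller does with None is a policy decision the RFC text quoted above leaves unspecified.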
(Assignee)

Comment 1

10 years ago
I've run into this bug while running all.sh. I have a patch that fixes this bug.
(Assignee)

Updated

10 years ago
Whiteboard: PKIX
(Assignee)

Updated

10 years ago
Assignee: nobody → alexei.volkov.bugs
Priority: -- → P1
Target Milestone: --- → 3.12
Summary: libpkix treats CRL nextUpdate time as mandatory → libpkix treats CRL nextUpdate time as an expiration time
(Assignee)

Updated

10 years ago
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 390502