Bug 396256 - certutil and pp do not print all the GeneralNames in a CRLDP extension
Status: RESOLVED FIXED
Product: NSS
Classification: Components
Component: Tools
Version: trunk
Platform: All All
Importance: P1 normal
Target Milestone: 3.12
Assigned To: Nelson Bolyard (seldom reads bugmail)
Reported: 2007-09-14 19:47 PDT by Nelson Bolyard (seldom reads bugmail)
Modified: 2008-06-20 13:00 PDT

Attachments
DER cert with multiple GeneralNames (508 bytes, application/octet-stream)
2007-09-14 19:47 PDT, Nelson Bolyard (seldom reads bugmail)
no flags
patch v1 (1.53 KB, patch)
2007-09-15 00:05 PDT, Nelson Bolyard (seldom reads bugmail)
neil.williams: review+

Description Nelson Bolyard (seldom reads bugmail) 2007-09-14 19:47:21 PDT
Created attachment 280977
DER cert with multiple GeneralNames

Several parts of a certificate are defined as "GeneralNames", which is a 
SEQUENCE OF any number of GeneralName members.   
When certutil or pp print out a certificate, they print only the first
GeneralName, not the whole list.  

This may be seen in the CRLDP extension in the attached certificate. 
It actually contains these GeneralNames:

     [1] 'InstanceOfDNSName'
     [1] 'rfc822Name'
     [2] 'test.com'
     [7] 87 09 69 70 41 64 64 72 65 73 73
     [8] 88 09 31 32 33 34 35 31 32 33 35

But pp and certutil display only this:

        Signed Extensions:
            Name: CRL Distribution Points
            RFC822 Name: "InstanceOfDNSName"
            Reasons:
                80
                (7 least significant bits unused)
Comment 1 Nelson Bolyard (seldom reads bugmail) 2007-09-14 23:47:06 PDT
The problem appears to be in function secu_PrintCRLDistPtsExtension 
which assumes that there is only one GeneralName, rather than a sequence
of GeneralNames. 
Comment 2 Nelson Bolyard (seldom reads bugmail) 2007-09-15 00:05:17 PDT
Created attachment 280983
patch v1

This patch seems to fix the problem.  
But I need to check first and make sure that it is correct for CRLDPs
to have multiple GeneralNames.
Comment 3 Nelson Bolyard (seldom reads bugmail) 2007-09-15 00:12:01 PDT
Comment on attachment 280983
patch v1

Yes, it's valid for CRLDP to have multiple names.  

   If the DistributionPointName contains multiple values, each name
   describes a different mechanism to obtain the same CRL.  For example,
   the same CRL could be available for retrieval through both LDAP and
   HTTP.

requesting review.
Comment 4 Nelson Bolyard (seldom reads bugmail) 2007-09-15 00:15:20 PDT
With this patch, the CRLDP in the attached cert displays as:

        Signed Extensions:
            Name: CRL Distribution Points
            RFC822 Name: "InstanceOfDNSName"
            RFC822 Name: "rfc822Name"
            DNS name: "test.com"
            IP Address:
                87:09:69:70:41:64:64:72:65:73:73
            Registered ID: OID.2.953.49.50.51.52.53.49.50.51.53
            Reasons:
                80
                (7 least significant bits unused)
Comment 5 Neil Williams 2007-09-17 16:42:37 PDT
Comment on attachment 280983
patch v1

much better.
Comment 6 Nelson Bolyard (seldom reads bugmail) 2007-09-19 15:46:32 PDT
Checking in secutil.c; new revision: 1.79; previous revision: 1.78

There may be other calls to secu_PrintGeneralName that should also be 
converted into calls to secu_PrintGeneralNames.  Separate bugs should be
filed for those if/when they are found.
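
The difference between handling one GeneralName and walking the whole GeneralNames sequence, which Comment 1 identifies as the cause, shown as an added example that is not NSS code and not the attached patch. The names `der_header`, `walk_general_names` and `SAMPLE` are hypothetical, and the input is a constructed bare GeneralNames SEQUENCE built from the five values listed in the description.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed sample: a bare GeneralNames SEQUENCE holding the five values
 * listed in the bug description (not the attached certificate itself). */
static const unsigned char SAMPLE[] =
    "\x30\x3f" "\x81\x11" "InstanceOfDNSName" "\x81\x0a" "rfc822Name"
    "\x82\x08" "test.com" "\x87\x09" "ipAddress" "\x88\x09" "123451235";
#define SAMPLE_LEN (sizeof(SAMPLE) - 1) /* drop the literal's trailing NUL */

/* Parse one DER header (single-byte tag; short form or 1-2 length octets).
 * Returns the header size, or 0 if header or content would overrun 'avail'. */
static size_t der_header(const unsigned char *p, size_t avail, size_t *len)
{
    size_t n, i;
    if (avail < 2) return 0;
    if (p[1] < 0x80) { *len = p[1]; return *len <= avail - 2 ? 2 : 0; }
    n = p[1] & 0x7f;
    if (n == 0 || n > 2 || avail < 2 + n) return 0;
    for (*len = 0, i = 0; i < n; i++) *len = (*len << 8) | p[2 + i];
    return *len <= avail - 2 - n ? 2 + n : 0;
}

/* Visit the members of a GeneralNames SEQUENCE, recording each context tag
 * number. first_only=1 stops after one member, the behaviour the bug reports.
 * Returns the number of members visited, or -1 on malformed input. */
int walk_general_names(const unsigned char *der, size_t der_len,
                       int first_only, int *tags, size_t max_tags)
{
    size_t len, hdr = der_header(der, der_len, &len), off = 0;
    int count = 0;
    if (hdr == 0 || der[0] != 0x30) return -1;
    der += hdr;
    while (off < len) {
        size_t mlen, mhdr = der_header(der + off, len - off, &mlen);
        if (mhdr == 0 || (der[off] & 0xc0) != 0x80) return -1; /* not [n] */
        if ((size_t)count < max_tags) tags[count] = der[off] & 0x1f;
        printf("[%d] %zu content bytes\n", der[off] & 0x1f, mlen);
        count++;
        off += mhdr + mlen;
        if (first_only) break;
    }
    return count;
}

int main(void)
{
    int tags[8];
    printf("first only: %d\n", walk_general_names(SAMPLE, SAMPLE_LEN, 1, tags, 8));
    printf("all names:  %d\n", walk_general_names(SAMPLE, SAMPLE_LEN, 0, tags, 8));
    return 0;
}
```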
