certutil and pp do not print all the GeneralNames in a CRLDP extension

RESOLVED FIXED in 3.12

Status

NSS
Tools
P1
normal
RESOLVED FIXED
10 years ago
9 years ago

People

(Reporter: Nelson Bolyard (seldom reads bugmail), Assigned: Nelson Bolyard (seldom reads bugmail))

Tracking

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(2 attachments)

Created attachment 280977 [details]
DER cert with multiple GeneralNames

Several parts of a certificate are defined as "GeneralNames", which is a 
SEQUENCE OF any number of GeneralName members.   
When certutil or pp print out a certificate, they print only the first
GeneralName, not the whole list.  

This may be seen in the CRLDP extension in the attached certificate. 
It actually contains these GeneralName's

     [1] 'InstanceOfDNSName'
     [1] 'rfc822Name'
     [2] 'test.com'
     [7] 87 09 69 70 41 64 64 72 65 73 73
     [8] 88 09 31 32 33 34 35 31 32 33 35

But pp and certutil display only this:

        Signed Extensions:
            Name: CRL Distribution Points
            RFC822 Name: "InstanceOfDNSName"
            Reasons:
                80
                (7 least significant bits unused)
(Assignee)

Comment 1

10 years ago
The problem appears to be in function secu_PrintCRLDistPtsExtension 
which assumes that there is only one GeneralName, rather than a sequence
of GeneralNames. 
Summary: certutil and pp do not print all the names in a GeneralName → certutil and pp do not print all the GeneralNames in a CRLDP extension
(Assignee)

Comment 2

10 years ago
Created attachment 280983 [details] [diff] [review]
patch v1

This patch seems to fix the problem.  
But I need to check first and make sure that it is correct for CRLDPs
to have multiple GeneralNames.
Assignee: nobody → nelson
Status: NEW → ASSIGNED
(Assignee)

Comment 3

10 years ago
Comment on attachment 280983 [details] [diff] [review]
patch v1

Yes, it's valid for CRLDP to have multiple names.  

   If the DistributionPointName contains multiple values, each name
   describes a different mechanism to obtain the same CRL.  For example,
   the same CRL could be available for retrieval through both LDAP and
   HTTP.

requesting review.
Attachment #280983 - Flags: review?(neil.williams)
(Assignee)

Comment 4

10 years ago
With this patch, the CRLDP in the attached cert displays as:

        Signed Extensions:
            Name: CRL Distribution Points
            RFC822 Name: "InstanceOfDNSName"
            RFC822 Name: "rfc822Name"
            DNS name: "test.com"
            IP Address:
                87:09:69:70:41:64:64:72:65:73:73
            Registered ID: OID.2.953.49.50.51.52.53.49.50.51.53
            Reasons:
                80
                (7 least significant bits unused)

Comment 5

10 years ago
Comment on attachment 280983 [details] [diff] [review]
patch v1

much better.
Attachment #280983 - Flags: review?(neil.williams) → review+
(Assignee)

Comment 6

10 years ago
Checking in secutil.c; new revision: 1.79; previous revision: 1.78

There may be other calls to secu_PrintGeneralName that should also be 
converted into calls to secu_PrintGeneralNames.  Separate bugs should be
filed for those if/when they are found.
Status: ASSIGNED → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → FIXED
(Assignee)

Updated

9 years ago
Priority: -- → P1
You need to log in before you can comment on or make changes to this bug.