Created attachment 280977 [details] DER cert with multiple GeneralNames Several parts of a certificate are defined as "GeneralNames", which is a SEQUENCE OF any number of GeneralName members. When certutil or pp print out a certificate, they print only the first GeneralName, not the whole list. This may be seen in the CRLDP extension in the attached certificate. It actually contains these GeneralName's  'InstanceOfDNSName'  'rfc822Name'  'test.com'  87 09 69 70 41 64 64 72 65 73 73  88 09 31 32 33 34 35 31 32 33 35 But pp and certutil display only this: Signed Extensions: Name: CRL Distribution Points RFC822 Name: "InstanceOfDNSName" Reasons: 80 (7 least significant bits unused)
The problem appears to be in function secu_PrintCRLDistPtsExtension which assumes that there is only one GeneralName, rather than a sequence of GeneralNames.
Created attachment 280983 [details] [diff] [review] patch v1 This patch seems to fix the problem. But I need to check first and make sure that it is correct for CRLDPs to have multiple GeneralNames.
Comment on attachment 280983 [details] [diff] [review] patch v1 Yes, it's valid for CRLDP to have multiple names. If the DistributionPointName contains multiple values, each name describes a different mechanism to obtain the same CRL. For example, the same CRL could be available for retrieval through both LDAP and HTTP. requesting review.
With this patch, the CRLDP in the attached cert displays as: Signed Extensions: Name: CRL Distribution Points RFC822 Name: "InstanceOfDNSName" RFC822 Name: "rfc822Name" DNS name: "test.com" IP Address: 87:09:69:70:41:64:64:72:65:73:73 Registered ID: OID.2.9126.96.36.199.188.8.131.52.51.53 Reasons: 80 (7 least significant bits unused)
Comment on attachment 280983 [details] [diff] [review] patch v1 much better.
Checking in secutil.c; new revision: 1.79; previous revision: 1.78 There may be other calls to secu_PrintGeneralName that should also be converted into calls to secu_PrintGeneralNames. Separate bugs should be filed for those if/when they are found.