Bug 396256 - certutil and pp do not print all the GeneralNames in a CRLDP extension
Opened 17 years ago, closed 17 years ago
Categories: NSS :: Tools, defect, P1
Tracking: (Not tracked), RESOLVED FIXED, 3.12
People: Reporter: nelson, Assigned: nelson
Attachments (2 files):
508 bytes, application/octet-stream
1.53 KB, patch (neil.williams: review+)

Description
Several parts of a certificate are defined as "GeneralNames", which is a
SEQUENCE OF any number of GeneralName members.
When certutil or pp print out a certificate, they print only the first
GeneralName, not the whole list.
This may be seen in the CRLDP extension in the attached certificate.
It actually contains these GeneralNames:
[1] 'InstanceOfDNSName'
[1] 'rfc822Name'
[2] 'test.com'
[7] 87 09 69 70 41 64 64 72 65 73 73
[8] 88 09 31 32 33 34 35 31 32 33 35
But pp and certutil display only this:
Signed Extensions:
Name: CRL Distribution Points
RFC822 Name: "InstanceOfDNSName"
Reasons:
80
(7 least significant bits unused)

Comment 1 • 17 years ago (Assignee)
The problem appears to be in function secu_PrintCRLDistPtsExtension
which assumes that there is only one GeneralName, rather than a sequence
of GeneralNames.
Summary: certutil and pp do not print all the names in a GeneralName → certutil and pp do not print all the GeneralNames in a CRLDP extension

Comment 2 • 17 years ago (Assignee)
This patch seems to fix the problem.
But I need to check first and make sure that it is correct for CRLDPs
to have multiple GeneralNames.
Assignee: nobody → nelson
Status: NEW → ASSIGNED

Comment 3 • 17 years ago (Assignee)
Comment on attachment 280983 (patch v1)
Yes, it's valid for CRLDP to have multiple names.
If the DistributionPointName contains multiple values, each name
describes a different mechanism to obtain the same CRL. For example,
the same CRL could be available for retrieval through both LDAP and
HTTP.
requesting review.
Attachment #280983 - Flags: review?(neil.williams)

Comment 4 • 17 years ago (Assignee)
With this patch, the CRLDP in the attached cert displays as:
Signed Extensions:
Name: CRL Distribution Points
RFC822 Name: "InstanceOfDNSName"
RFC822 Name: "rfc822Name"
DNS name: "test.com"
IP Address:
87:09:69:70:41:64:64:72:65:73:73
Registered ID: OID.2.953.49.50.51.52.53.49.50.51.53
Reasons:
80
(7 least significant bits unused)

Comment 5 • 17 years ago
Comment on attachment 280983 (patch v1)
much better.
Attachment #280983 - Flags: review?(neil.williams) → review+

Comment 6 • 17 years ago (Assignee)
Checking in secutil.c; new revision: 1.79; previous revision: 1.78
There may be other calls to secu_PrintGeneralName that should also be
converted into calls to secu_PrintGeneralNames. Separate bugs should be
filed for those if/when they are found.
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED

Updated • 16 years ago (Assignee)
Priority: -- → P1
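
The single-name versus whole-list behaviour discussed in comments 1 and 3, as an added example that is not NSS code and not the attached patch: it walks a constructed DER GeneralNames SEQUENCE holding the five entries from the bug description, with bounds checks on every length. The names der_header, general_name_tags and SAMPLE are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
/* Constructed sample: DER GeneralNames SEQUENCE with the five entries listed in
 * the bug description (not the bytes of the attached certificate). The string
 * literal adds a trailing NUL, so callers pass sizeof SAMPLE - 1. */
static const unsigned char SAMPLE[] =
    "\x30\x3f" "\x81\x11" "InstanceOfDNSName" "\x81\x0a" "rfc822Name"
    "\x82\x08" "test.com" "\x87\x09" "ipAddress" "\x88\x09" "123451235";

/* Parse one DER header: tag, content length (short form or 1-2 length bytes).
 * Returns the header size, or 0 if truncated, oversized or unsupported. */
static size_t der_header(const unsigned char *p, size_t n, unsigned *tag, size_t *clen)
{
    size_t nlen = 0, i;
    if (n < 2) return 0;
    *tag = p[0]; *clen = p[1];
    if (p[1] & 0x80) { /* long form */
        nlen = p[1] & 0x7f;
        if (nlen == 0 || nlen > 2 || n < 2 + nlen) return 0;
        for (*clen = 0, i = 0; i < nlen; i++) *clen = (*clen << 8) | p[2 + i];
    }
    return (*clen <= n - 2 - nlen) ? 2 + nlen : 0;
}

/* Store each GeneralName's context tag number in tags[]; first_only=1 models a
 * printer that stops after one name. Returns names visited, or -1 if malformed. */
int general_name_tags(const unsigned char *der, size_t n, int first_only, int *tags, size_t max)
{
    unsigned tag; size_t clen, hdr, off = 0; int count = 0;
    hdr = der_header(der, n, &tag, &clen);
    if (hdr == 0 || tag != 0x30 || hdr + clen != n) return -1;
    der += hdr; n = clen;
    while (off < n) {
        hdr = der_header(der + off, n - off, &tag, &clen);
        if (hdr == 0 || (tag & 0xc0) != 0x80) return -1; /* context-specific only */
        if ((size_t)count < max) tags[count] = (int)(tag & 0x1f);
        count++;
        if (first_only) break;
        off += hdr + clen;
    }
    return count;
}

int main(void)
{
    int t[8];
    printf("first only: %d name(s)\n", general_name_tags(SAMPLE, sizeof SAMPLE - 1, 1, t, 8));
    printf("whole list: %d name(s)\n", general_name_tags(SAMPLE, sizeof SAMPLE - 1, 0, t, 8));
    return 0;
}
```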