Closed
Bug 416928
Opened 18 years ago
Closed 18 years ago
DER decode error on this policy extension
Categories
(NSS :: Libraries, defect, P1)
NSS
Libraries
Tracking
(Not tracked)
RESOLVED
FIXED
3.12
People
(Reporter: nelson, Assigned: julien.pierre)
References
()
Details
(Keywords: regression, Whiteboard: NSS312B2)
Attachments
(2 files)
|
2.46 KB,
text/plain
|
Details | |
|
755 bytes,
patch
|
julien.pierre
:
review+
|
Details | Diff | Splinter Review |
The https server cert at https://www.startssl.com/ has a Certificate Policy
extension with 1 policy with 3 policy qualifiers, the last of which is a
User Notice policy qualifier. With FF2, NSS parses it and PSM's cert viewer reports:
Not Critical
1.3.6.1.4.1.23223.1.1.4:
Certification Practice Statement pointer:
http://cert.startcom.org/intermediate.pdf
Certification Practice Statement pointer:
http://cert.startcom.org/policy.pdf
User Notice: <implementation limitation>
Evidently <Implementation limitation> is a string provided by PSM.
In FF3, PSM dumps the entire extension in Hex.
I dug into it with NSS's pp utility, and found that the function CERT_DecodeUserNotice is reporting failure. It calls:
rv = SEC_QuickDERDecodeItem(arena, userNotice, CERT_UserNoticeTemplate,
&newNoticeItem);
which returns SECFailure. I dug into that a bit, and found that the error
is being set in DecodeSequence, at this piece of code:
{
/* it isn't 100% clear whether this is a bad DER or a bad template.
The problem is that logically, they don't match - there is extra
data in the DER that the template doesn't know about */
PORT_SetError(SEC_ERROR_BAD_DER);
rv = SECFailure;
}
I looked at the cert with various tools including dumpasn1, and looked at
the ASN1 definition in RFC 3280, and didn't immediately see any problem
with the cert's extension.
(In reply to comment #0)
> I dug into it with NSS's pp utility, and found that the function
> CERT_DecodeUserNotice is reporting failure. It calls:
>
> rv = SEC_QuickDERDecodeItem(arena, userNotice, CERT_UserNoticeTemplate,
> &newNoticeItem);
>
> which returns SECFailure.
It's a bug in that template, if both noticeRef and explicitText are included - see the attached patch, dugged out from my collection.
> In FF3, PSM dumps the entire extension in Hex.
Attachment 293376 [details] (bug 408547) would actually help. But I'm getting tired of submitting patches which only get reviewed months later (if at all).
|
Reporter | |
Comment 2•18 years ago
|
||
Comment on attachment 302755 [details] [diff] [review]
Fix CERT_UserNoticeTemplate
Thanks for the patch Kaspar.
This patch changes code that was last changed for bug 324744,
which was an RFE to enable generating this extension in certs
with certutil. That work was reviewed by Julien, so he is the
right person to review this patch. I think that certutil code
will need to be retested.
Attachment #302755 -
Flags: review?(julien.pierre.boogz)
|
|
Reporter | |
Comment 3•18 years ago
|
||
Marking for 3.12 B2 since this is a regression affecting PSM.
Priority: -- → P1
Whiteboard: NSS312B2
|
Assignee | |
Updated•18 years ago
|
Attachment #302755 -
Flags: review?(julien.pierre.boogz) → review+
|
|
Assignee | |
Updated•18 years ago
|
OS: Windows XP → All
Hardware: PC → All
|
|
Assignee | |
Comment 4•18 years ago
|
||
I checked this in to the NSS trunk.
Checking in polcyxtn.c;
/cvsroot/mozilla/security/nss/lib/certdb/polcyxtn.c,v <-- polcyxtn.c
new revision: 1.11; previous revision: 1.10
done
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•