DER decode error on this policy extension

RESOLVED FIXED in 3.12

Status

NSS
Libraries
P1
normal
RESOLVED FIXED
9 years ago
9 years ago

People

(Reporter: Nelson Bolyard (seldom reads bugmail), Assigned: Julien Pierre)

Tracking

({regression})

trunk
3.12
regression

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: NSS312B2, URL)

Attachments

(2 attachments)

Created attachment 302734 [details]
server cert in PEM format

The https server cert at https://www.startssl.com/ has a Certificate Policy
extension with 1 policy with 3 policy qualifiers, the last of which is a 
User Notice policy qualifier.  With FF2, NSS parses it and PSM's cert viewer reports:

 Not Critical
  1.3.6.1.4.1.23223.1.1.4:
  Certification Practice Statement pointer:
    http://cert.startcom.org/intermediate.pdf
  Certification Practice Statement pointer:
    http://cert.startcom.org/policy.pdf
  User Notice: <implementation limitation>

Evidently <Implementation limitation> is a string provided by PSM.

In FF3, PSM dumps the entire extension in Hex.

I dug into it with NSS's pp utility, and found that the function CERT_DecodeUserNotice is reporting failure.  It calls:

    rv = SEC_QuickDERDecodeItem(arena, userNotice, CERT_UserNoticeTemplate, 
			    &newNoticeItem);

which returns SECFailure.  I dug into that a bit, and found that the error
is being set in DecodeSequence, at this piece of code:

    {
        /* it isn't 100% clear whether this is a bad DER or a bad template.
           The problem is that logically, they don't match - there is extra
           data in the DER that the template doesn't know about */
        PORT_SetError(SEC_ERROR_BAD_DER);
        rv = SECFailure;
    }

I looked at the cert with various tools including dumpasn1, and looked at
the ASN1 definition in RFC 3280, and didn't immediately see any problem 
with the cert's extension.

Comment 1

9 years ago
Created attachment 302755 [details] [diff] [review]
Fix CERT_UserNoticeTemplate

(In reply to comment #0)
> I dug into it with NSS's pp utility, and found that the function
> CERT_DecodeUserNotice is reporting failure.  It calls:
> 
>     rv = SEC_QuickDERDecodeItem(arena, userNotice, CERT_UserNoticeTemplate, 
>                             &newNoticeItem);
> 
> which returns SECFailure.

It's a bug in that template, if both noticeRef and explicitText are included - see the attached patch, dugged out from my collection.

> In FF3, PSM dumps the entire extension in Hex.

Attachment 293376 [details] (bug 408547) would actually help. But I'm getting tired of submitting patches which only get reviewed months later (if at all).
Comment on attachment 302755 [details] [diff] [review]
Fix CERT_UserNoticeTemplate

Thanks for the patch Kaspar.
This patch changes code that was last changed for bug 324744,
which was an RFE to enable generating this extension in certs 
with certutil.  That work was reviewed by Julien, so he is the 
right person to review this patch.  I think that certutil code
will need to be retested.
Attachment #302755 - Flags: review?(julien.pierre.boogz)
Marking for 3.12 B2 since this is a regression affecting PSM.
Priority: -- → P1
Whiteboard: NSS312B2
(Assignee)

Updated

9 years ago
Attachment #302755 - Flags: review?(julien.pierre.boogz) → review+
(Assignee)

Updated

9 years ago
OS: Windows XP → All
Hardware: PC → All
(Assignee)

Comment 4

9 years ago
I checked this in to the NSS trunk.

Checking in polcyxtn.c;
/cvsroot/mozilla/security/nss/lib/certdb/polcyxtn.c,v  <--  polcyxtn.c
new revision: 1.11; previous revision: 1.10
done
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.