Last Comment Bug 416928 - DER decode error on this policy extension
: DER decode error on this policy extension
Status: RESOLVED FIXED
NSS312B2
: regression
Product: NSS
Classification: Components
Component: Libraries (show other bugs)
: trunk
: All All
: P1 normal (vote)
: 3.12
Assigned To: Julien Pierre
:
Mentors:
https://www.startssl.com/
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2008-02-11 18:48 PST by Nelson Bolyard (seldom reads bugmail)
Modified: 2008-02-12 20:03 PST (History)
1 user (show)
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---


Attachments
server cert in PEM format (2.46 KB, text/plain)
2008-02-11 18:48 PST, Nelson Bolyard (seldom reads bugmail)
no flags Details
Fix CERT_UserNoticeTemplate (755 bytes, patch)
2008-02-11 22:04 PST, Kaspar Brand
julien.pierre: review+
Details | Diff | Review

Description Nelson Bolyard (seldom reads bugmail) 2008-02-11 18:48:59 PST
Created attachment 302734 [details]
server cert in PEM format

The https server cert at https://www.startssl.com/ has a Certificate Policy
extension with 1 policy with 3 policy qualifiers, the last of which is a 
User Notice policy qualifier.  With FF2, NSS parses it and PSM's cert viewer reports:

 Not Critical
  1.3.6.1.4.1.23223.1.1.4:
  Certification Practice Statement pointer:
    http://cert.startcom.org/intermediate.pdf
  Certification Practice Statement pointer:
    http://cert.startcom.org/policy.pdf
  User Notice: <implementation limitation>

Evidently <Implementation limitation> is a string provided by PSM.

In FF3, PSM dumps the entire extension in Hex.

I dug into it with NSS's pp utility, and found that the function CERT_DecodeUserNotice is reporting failure.  It calls:

    rv = SEC_QuickDERDecodeItem(arena, userNotice, CERT_UserNoticeTemplate, 
			    &newNoticeItem);

which returns SECFailure.  I dug into that a bit, and found that the error
is being set in DecodeSequence, at this piece of code:

    {
        /* it isn't 100% clear whether this is a bad DER or a bad template.
           The problem is that logically, they don't match - there is extra
           data in the DER that the template doesn't know about */
        PORT_SetError(SEC_ERROR_BAD_DER);
        rv = SECFailure;
    }

I looked at the cert with various tools including dumpasn1, and looked at
the ASN1 definition in RFC 3280, and didn't immediately see any problem 
with the cert's extension.
Comment 1 Kaspar Brand 2008-02-11 22:04:07 PST
Created attachment 302755 [details] [diff] [review]
Fix CERT_UserNoticeTemplate

(In reply to comment #0)
> I dug into it with NSS's pp utility, and found that the function
> CERT_DecodeUserNotice is reporting failure.  It calls:
> 
>     rv = SEC_QuickDERDecodeItem(arena, userNotice, CERT_UserNoticeTemplate, 
>                             &newNoticeItem);
> 
> which returns SECFailure.

It's a bug in that template, if both noticeRef and explicitText are included - see the attached patch, dugged out from my collection.

> In FF3, PSM dumps the entire extension in Hex.

Attachment 293376 [details] (bug 408547) would actually help. But I'm getting tired of submitting patches which only get reviewed months later (if at all).
Comment 2 Nelson Bolyard (seldom reads bugmail) 2008-02-12 00:01:12 PST
Comment on attachment 302755 [details] [diff] [review]
Fix CERT_UserNoticeTemplate

Thanks for the patch Kaspar.
This patch changes code that was last changed for bug 324744,
which was an RFE to enable generating this extension in certs 
with certutil.  That work was reviewed by Julien, so he is the 
right person to review this patch.  I think that certutil code
will need to be retested.
Comment 3 Nelson Bolyard (seldom reads bugmail) 2008-02-12 16:02:32 PST
Marking for 3.12 B2 since this is a regression affecting PSM.
Comment 4 Julien Pierre 2008-02-12 20:03:35 PST
I checked this in to the NSS trunk.

Checking in polcyxtn.c;
/cvsroot/mozilla/security/nss/lib/certdb/polcyxtn.c,v  <--  polcyxtn.c
new revision: 1.11; previous revision: 1.10
done

Note You need to log in before you can comment on or make changes to this bug.