Normally as a rule, we try to only assert on coding errors, not bad external data. I feel however that there are some exceptions for certain particularly egregious errors, in the case of reused issuer and serial number. Often with some products, the errors are not properly reported all the way to the end user. And we can spend a lot of time debugging this kind of problem for no good reason. I have attached a patch that is #ifdef'ed just for me. But if you agree, I would prefer to have that without ifdef.
Created attachment 317835 [details] [diff] [review] assert on SEC_ERROR_REUSED_ISSUER_AND_SERIAL_NUMBER Nelson, Please let me know also if you are in favor of having this non-ifdef'ed.
Comment on attachment 317835 [details] [diff] [review] assert on SEC_ERROR_REUSED_ISSUER_AND_SERIAL_NUMBER Julien, I'm sure it would not be appropriate to put that assertion into Mozilla browsers. Personally, I would not want to encounter it in NSS tools, either. So, I do not favor putting THIS assertion in unconditionally, but I'm not opposed to it in its present ifdef'ed form. Is there some particular product or family of products you have in mind that fails to report this error? Can we detect that NSS is being used by those products?
Nelson, Our own pk12util still fails to report proper errors. Somebody sent me a p12 file with 2 certs with same issuer & serial in it. All I got was a generic error, and I had to trace the code to figure it out. I suspect mozilla PKCS#12 import would do the same. I thought about surrounding this with a getenv, but I think that would be way too expensive given how common PORT_SetError is.
In reply to comment 3, please file a bug against our PKCS#12 code about this. I'd suggest filing it against the utility first, and then that can be changed to be against the library in case it is found to be the fault of the library code.
Nelson, I already did, over 7 years ago. See bug 72290 .
Checking in secport.c; /cvsroot/mozilla/security/nss/lib/util/secport.c,v <-- secport.c new revision: 1.22; previous revision: 1.21 done