Closed Bug 488059 Opened 15 years ago Closed 9 years ago

Keygen tag fails for DSA keys whether or not DSA params are supplied

Categories

(Core :: Security: PSM, defect)

1.9.0 Branch
defect
Not set
major

RESOLVED INVALID

People

(Reporter: nelson, Unassigned)

Details

(Whiteboard: [psm-cert-manager])

Attachments

(2 files, 1 obsolete file)

Attached file html page/form with DSA keygen tag (obsolete)

I ran NSS's makepqg command to generate a base-64 encoded set of PQG 
parameters.  e.g.

    makepqg -a -o /tmp/474958x.txt -g 160

Then I made a tiny html form with a keygen tag that attempts to generate a
DSA key pair using that set of PQG params.  I have attached a copy of that
html form to this bug.

When I visit the form, and click the submit button, 
- it does not prompt me for my "master password"
- it does not generate a DSA key, 
- it immediately submits something (what?) to the form action URL.

It should leave an "orphan" DSA key in my key DB, but it does not.
Note that when I tried it with RSA and EC keys, those worked, but DSA did not.
Oh, and it doesn't report any error to me.  I think that, if there is an 
error in the form or the keygen tag, or PSM is unable to do the keygen for
ANY reason, PSM should tell me the reason (and not "for an unknown reason" :)

The fault is seen at
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/manager/ssl/src/nsCrypto.cpp&rev=1.78&mark=609-612#607

The code intentionally fails when DSA parameters are provided. 
This is utterly brain dead, and utterly useless to any real DSA CA, 
because DSA CAs will nearly always provide DSA parameters.   

DSA parameters speed up the DSA key gen process by orders of magnitude.
They're GOOD things, and PSM ought not to treat them as undesirable!

Severity: normal → major
OS: Windows XP → All
Hardware: x86 → All
Summary: Keygen tag doesn't seem to work for DSA keys → Keygen tag fails for DSA keys when DSA params are supplied

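Added example, not part of the bug thread and not NSS or PSM code: a Python sketch contrasting key generation from supplied PQG parameters (validate them, then one modular exponentiation) with having to search for the parameters first, and raising an error that names the failed check. All function names are assumptions, and the prime search is a simplified illustration rather than the FIPS 186 procedure.

```python
import secrets

def is_probable_prime(n, rounds=40):  # Miller-Rabin with random bases
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)  # base in [2, n-2]
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def validate_pqg(p, q, g):
    """Raise ValueError naming the failed check on supplied (p, q, g)."""
    if not (is_probable_prime(p) and is_probable_prime(q)):
        raise ValueError("p and q must both be prime")
    if (p - 1) % q:
        raise ValueError("q does not divide p - 1")
    if not 1 < g < p or pow(g, q, p) != 1:
        raise ValueError("g does not generate the order-q subgroup")

def keygen_with_params(p, q, g):
    validate_pqg(p, q, g)                 # reject bad parameters with a reason
    x = secrets.randbelow(q - 1) + 1      # private key x in [1, q-1]
    return x, pow(g, x, p)                # cheap path: y = g^x mod p

def generate_params(pbits, qbits):
    """Expensive path: search for prime q, then prime p = 1 (mod 2q)."""
    q = secrets.randbits(qbits) | (1 << (qbits - 1)) | 1
    while not is_probable_prime(q):
        q += 2
    while True:
        c = secrets.randbits(pbits) | (1 << (pbits - 1))
        p = c - c % (2 * q) + 1           # largest p <= c with p = 1 (mod 2q)
        if p.bit_length() == pbits and is_probable_prime(p):
            g = pow(2, (p - 1) // q, p)   # element of order q unless it is 1
            if g != 1:
                return p, q, g
```
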
Turns out that this page fails whether PQG params are supplied or not.
I will attach a couple of improved test pages to show this.

Summary: Keygen tag fails for DSA keys when DSA params are supplied → Keygen tag fails for DSA keys whether or not DSA params are supplied

These two newly added test pages actually display the data in the form post.

Assignee: kaie → nobody
Whiteboard: [psm-cert-manager]

Bug 1215779 has removed the broken DSA code entirely. See Bug 1215779 comment 0 for why the code isn't really worth fixing.

Status: NEW → RESOLVED
Closed: 9 years ago
Depends on: 1215779
Resolution: --- → INVALID