Remove dependencies of O= in cert name from NSS

RESOLVED FIXED in 3.3

Status

P3
major
RESOLVED FIXED
18 years ago
18 years ago

People

(Reporter: stevepnscp, Assigned: rrelyea)

Tracking

x86
Solaris

(Reporter)

Description

18 years ago
In CERT_MakeCANickname(), there is still some code which assumes
that the CA subject name has certain composition.

We have customers who want to create more flexible CA's, and this
is a problem for them.

In this particular case, the customer is using DC='s instead of
O=, so 'CERT_GetOrgName()' returns null, and then so does
CERT_MakeCANickname().
(Reporter)

Comment 1

18 years ago
I should add that this then causes CERT_ImportCAChain() to return failure

Updated

18 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Target Milestone: --- → 3.2
(Reporter)

Comment 2

18 years ago
Created attachment 15457 [details] [diff] [review]
Patch to workaround problem
(Reporter)

Comment 3

18 years ago
I have created a patch to allow the nickname to be created when the O=
is missing. This solves the customer's problem for now. But the cert
still must have either CN or OU in it. What if it's all DC?

There needs to be a better scheme for nicknames. How about, if we can't
make the nickname using our current algorithm, we just use the entire
subject name for the nickname?

(Reporter)

Comment 4

18 years ago
Hmm - that patch is bad since at the end of the code, it tries to
PORT_Free() the memory. But you get the idea.

Updated

18 years ago
QA Contact: wtc → sonmi
(Assignee)

Updated

18 years ago
Target Milestone: 3.2 → 3.3

Comment 5

18 years ago
Reassigning to myself since it's a JSS deliverable.
Assignee: relyea → nicolson

Comment 6

18 years ago
Created attachment 26755 [details] [diff] [review]
proposed patch

Comment 7

18 years ago
The proposed patch will use the full subject name, encoded in RFC1485, if the
components that are usually used are missing. We need to get this change
reviewed, approved, and checked in, and NSS needs to be respun for CMS.
(Assignee)

Comment 8

18 years ago
Hmm. I talked to Steve about this, I didn't realize you had a patch in the bug.
I don't think the full DN is necessary as the loop will pick up a counter to
make sure the nickname is unique. Here's my proposed patch.

bob
Assignee: nicolson → relyea
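The nickname scheme argued over in comments 3, 7 and 8, written out as an added Python model (not NSS code, and not either attachment): the "original" routine treats O= as mandatory and so returns nothing for a DC-only subject, while the "fixed" routine builds the nickname from whatever CN/OU/O components exist, falls back to the whole RFC 1485 subject string when none are present, and relies on the " #N" counter loop for uniqueness. The DN parser assumes no escaped commas, and the sample subjects are constructed.

```python
from typing import List, Optional, Set, Tuple


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 1485 string DN into (type, value) pairs.
    Assumption: attribute values contain no escaped ',' or '=' characters."""
    avas = []
    for part in dn.split(","):
        attr, _, value = part.partition("=")
        avas.append((attr.strip().upper(), value.strip()))
    return avas


def first_value(avas: List[Tuple[str, str]], attr: str) -> Optional[str]:
    """Return the first value of the given attribute type, or None."""
    for a, v in avas:
        if a == attr:
            return v
    return None


def unique(name: str, taken: Set[str]) -> str:
    """Append ' #N' until the nickname is unused (the counter loop from comment 8)."""
    candidate, n = name, 1
    while candidate in taken:
        n += 1
        candidate = f"{name} #{n}"
    return candidate


def ca_nickname_original(subject: str, taken: Set[str]) -> Optional[str]:
    """Models the behaviour in the report: no O= means no nickname at all,
    which CERT_ImportCAChain() then treats as failure (comment 1)."""
    avas = parse_dn(subject)
    firstname = first_value(avas, "CN") or first_value(avas, "OU")
    org = first_value(avas, "O")
    if org is None:
        return None
    return unique(f"{firstname} - {org}" if firstname else org, taken)


def ca_nickname_fixed(subject: str, taken: Set[str]) -> str:
    """Use the components that exist; if neither CN/OU nor O is present,
    fall back to the full subject string (comment 7) and let the counter
    loop keep the result unique."""
    avas = parse_dn(subject)
    firstname = first_value(avas, "CN") or first_value(avas, "OU")
    org = first_value(avas, "O")
    parts = [p for p in (firstname, org) if p]
    base = " - ".join(parts) if parts else subject
    return unique(base, taken)
```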
(Assignee)

Comment 9

18 years ago
Created attachment 27071 [details] [diff] [review]
don't fail if the issuer doesn't have an organization
(Assignee)

Comment 10

18 years ago
Fixed in NSS 3.3 and 2.8.5
Status: NEW → RESOLVED
Last Resolved: 18 years ago
Resolution: --- → FIXED