In CERT_MakeCANickname(), there is still some code which assumes that the CA subject name has a certain composition. We have customers who want to create more flexible CAs, and this is a problem for them. In this particular case, the customer is using DC='s instead of O=, so 'CERT_GetOrgName()' returns null, and then so does CERT_MakeCANickname().
I should add that this then causes CERT_ImportCAChain() to return failure
Status: UNCONFIRMED → NEW
Ever confirmed: true
Target Milestone: --- → 3.2
I have created a patch to allow the nickname to be created when the O= is missing. This solves the customer's problem for now. But the cert still must have either CN or OU in it. What if it's all DC? There needs to be a better scheme for nicknames. How about, if we can't make the nickname using our current algorithm, we just use the entire subject name for the nickname?
Hmm - that patch is bad since at the end of the code, it tries to PORT_Free() the memory. But you get the idea.
Reassigning to myself since it's a JSS deliverable.
Assignee: relyea → nicolson
The proposed patch will use the full subject name, encoded in RFC1485, if the components that are usually used are missing. We need to get this change reviewed, approved, and checked in, and NSS needs to be respun for CMS.
Hmm. I talked to Steve about this; I didn't realize you had a patch in the bug. I don't think the full DN is necessary, as the loop will pick up a counter to make sure the nickname is unique. Here's my proposed patch. bob
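The nickname scheme the two comments above argue about (prefer CN or OU plus O, tolerate a missing O=, fall back to the RFC 1485 subject string when neither CN nor OU exists, then append a counter until the name is unused) as an added example; this is constructed illustration code, not NSS's CERT_MakeCANickname(). The Subject struct, the "first - org" / " #n" format and the sample_exists() lookup are assumptions standing in for CERTName, CERT_Get*Name() and a database query.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a parsed subject name; NULL means the RDN is absent. */
typedef struct {
    const char *cn;
    const char *ou;
    const char *o;
    const char *rfc1485; /* whole subject as an RFC 1485 string */
} Subject;

/* Constructed "already in the cert DB" check: a fixed list of taken nicknames. */
static int sample_exists(const char *nickname) {
    static const char *taken[] = { "Root CA - Example Corp", "Root CA - Example Corp #1" };
    for (size_t i = 0; i < sizeof taken / sizeof taken[0]; i++)
        if (strcmp(taken[i], nickname) == 0) return 1;
    return 0;
}

/* Returns a malloc'd nickname (caller frees), or NULL on allocation failure.
 * Never fails merely because O= is missing; an all-DC subject uses the full DN. */
char *make_ca_nickname(const Subject *s, int (*exists)(const char *)) {
    char base[256];
    const char *first = s->cn ? s->cn : s->ou;
    if (first && s->o)
        snprintf(base, sizeof base, "%s - %s", first, s->o);
    else if (first)
        snprintf(base, sizeof base, "%s", first);      /* no O=: just omit it */
    else
        snprintf(base, sizeof base, "%s", s->rfc1485); /* no CN/OU: whole subject DN */

    size_t cap = strlen(base) + 16;                    /* room for " #" + int + NUL */
    char *nick = malloc(cap);
    if (!nick) return NULL;
    snprintf(nick, cap, "%s", base);
    /* Uniqueness loop: bump a counter until no stored cert carries this nickname. */
    for (int n = 1; exists(nick); n++)
        snprintf(nick, cap, "%s #%d", base, n);
    return nick;
}

int main(void) {
    Subject dc_only = { NULL, NULL, NULL, "DC=example,DC=com" };
    char *nick = make_ca_nickname(&dc_only, sample_exists);
    printf("%s\n", nick ? nick : "(alloc failed)");
    free(nick);
    return 0;
}
```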
Assignee: nicolson → relyea
Created attachment 27071 [details] [diff] [review] don't fail if the issuer doesn't have an organization
Fixed in NSS 3.3 and 2.8.5
Status: NEW → RESOLVED
Last Resolved: 18 years ago
Resolution: --- → FIXED