
NSS cannot use a base64-encoded CRL.

Status: NEW (Unassigned)
Product: NSS
Component: Libraries
Reported: 7 years ago
Modified: 3 years ago
Reporter: Wan-Teh Chang
Firefox Tracking Flags: (Not tracked)

Description

7 years ago
Some CRLs are published in base64-encoded form.  An example is
http://www.rsasecurity.com/products/keon/repository/certificate_status/RSA_Public_Root_CA.crl

-----BEGIN X509 CRL-----
[base64 body omitted]
-----END X509 CRL-----

If I type that URL in the location bar of Firefox and hit Enter,
I get an Alert dialog:

  The application cannot import the Certificate Revocation List (CRL).
  Error Importing CRL to local Database. Error Code:ffffe009
  Please ask your system administrator for assistance.

Error code 0xffffe009 is -8183 (SEC_ERROR_BAD_DER).  Note: PSM
should print that error code as a signed decimal integer for easier
error code lookup.

This is because NSS passes the downloaded CRL to
CERT_DecodeDERCrlWithFlags directly, without checking if the CRL
needs base64 decoding first.
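
The missing step described above, as an added example that is not NSS code: sniff whether a fetched CRL body is already DER (a single outer SEQUENCE whose encoded length spans the whole buffer) or PEM-armored with the BEGIN/END X509 CRL lines shown in this report, and un-armor it before any DER decoder sees it. SAMPLE_DER is a constructed placeholder SEQUENCE, not a real CRL, and the function names are this example's own.

```python
import base64
import re

# Constructed placeholder: a minimal DER SEQUENCE (INTEGER 5), not a real CRL.
# It only exists so the example runs offline; a real CRL is a larger SEQUENCE.
SAMPLE_DER = b"\x30\x03\x02\x01\x05"

# Armor exactly as served by the CRL quoted in the bug report.
PEM_RE = re.compile(
    rb"-----BEGIN X509 CRL-----\s*(?P<body>[A-Za-z0-9+/=\s]+?)\s*-----END X509 CRL-----"
)

def pem_armor(der: bytes) -> bytes:
    """Wrap DER bytes in PEM armor (used here to build a test input)."""
    b64 = base64.encodebytes(der)  # 76-column lines, each newline-terminated
    return b"-----BEGIN X509 CRL-----\n" + b64 + b"-----END X509 CRL-----\n"

def der_outer_length_ok(data: bytes) -> bool:
    """True if data is one DER SEQUENCE whose length covers the whole buffer,
    the shape RFC 5280 / RFC 2585 require for a CRL fetched from a URI."""
    if len(data) < 2 or data[0] != 0x30:   # 0x30 = SEQUENCE tag
        return False
    first = data[1]
    if first < 0x80:                       # short-form length
        hdr, length = 2, first
    else:                                  # long form: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        hdr = 2 + n
        length = int.from_bytes(data[2:hdr], "big")
    return hdr + length == len(data)

def crl_kind(data: bytes) -> str:
    """Classify a fetched body as 'der', 'pem' or 'bad'.  Handing the latter
    two straight to a DER decoder is what yields SEC_ERROR_BAD_DER."""
    if der_outer_length_ok(data):
        return "der"
    return "pem" if PEM_RE.search(data) else "bad"

def normalize_crl(data: bytes) -> bytes:
    """Return DER for a fetched CRL body, stripping PEM armor when present."""
    kind = crl_kind(data)
    if kind == "der":
        return data                        # already DER: pass through untouched
    if kind == "bad":
        raise ValueError("neither DER nor PEM-armored CRL (cf. SEC_ERROR_BAD_DER)")
    body = re.sub(rb"\s+", b"", PEM_RE.search(data).group("body"))
    der = base64.b64decode(body, validate=True)
    if not der_outer_length_ok(der):
        raise ValueError("PEM body did not decode to a single DER SEQUENCE")
    return der
```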

Comment 1

This is an RFC conformance issue.  See RFC 5280 page 46.

   If the DistributionPointName contains a general name of type URI, the
   following semantics MUST be assumed: [...]
   When the HTTP or FTP URI scheme is used, the
   URI MUST point to a single DER encoded CRL as specified in
   [RFC2585].  HTTP server implementations accessed via the URI SHOULD
   specify the media type application/pkix-crl in the content-type
   header field of the response.

We believe that PEM encoding does not conform to that requirement.
Mozilla tests that applicant CAs deliver their CRLs in binary DER form as
a condition of admittance to the trusted root CA list.

So, I believe the proper disposition of this bug is either INVALID or WONTFIX.

Comment 2 (Reporter)

7 years ago
Nelson, thank you for the reply.  That CRL meets only one of the
requirements (media type application/pkix-crl in the content-type
header field of the response):

$ curl -i http://www.rsasecurity.com/products/keon/repository/certificate_status/RSA_Public_Root_CA.crl
HTTP/1.1 200 OK
Content-Length: 750
Content-Type: application/pkix-crl
Last-Modified: Mon, 02 Nov 2009 16:41:24 GMT
Accept-Ranges: bytes
ETag: "0d27f50db5bca1:23c"
Server: Microsoft-IIS/6.0
Date: Mon, 23 Nov 2009 22:34:27 GMT

-----BEGIN X509 CRL-----
[base64 body omitted]
-----END X509 CRL-----

I found some CRLs that are served with the media type
application/x-pkcs7-crl in the content-type response header,
for example, http://crl1.netlock.hu/index.cgi?crl=uzleti.

Comment 3

4 years ago
This bug is now mentioned in http://news.netcraft.com/archives/2013/05/13/how-certificate-revocation-doesnt-work-in-practice.html

Comment 4

3 years ago
Does that mean that RSA should be removed from the trusted certificates because it is non-complying?