Bug 530356 - NSS cannot use a base64-encoded CRL.
Status: NEW
Product: NSS
Classification: Components
Component: Libraries
Assigned To: nobody
http://www.rsasecurity.com/products/k...
Reported: 2009-11-21 19:16 PST by Wan-Teh Chang
Modified: 2014-06-29 17:39 PDT
Description Wan-Teh Chang 2009-11-21 19:16:10 PST
Some CRLs are published in base64-encoded form.  An example is
http://www.rsasecurity.com/products/keon/repository/certificate_status/RSA_Public_Root_CA.crl

-----BEGIN X509 CRL-----
[base64-encoded CRL body omitted]
-----END X509 CRL-----

If I type that URL in the location bar of Firefox and hit Enter,
I get an Alert dialog:

  The application cannot import the Certificate Revocation List (CRL).
  Error Importing CRL to local Database. Error Code:ffffe009
  Please ask your system administrator for assistance.

Error code 0xffffe009 is -8183 (SEC_ERROR_BAD_DER).  Note: PSM
should print that error code as a signed decimal integer for easier
error code lookup.

This is because NSS passes the downloaded CRL to
CERT_DecodeDERCrlWithFlags directly, without checking if the CRL
needs base64 decoding first.
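A decoder-side check for the situation described in this report, added here as an illustration and not code from NSS or PSM: it recognises the `-----BEGIN X509 CRL-----` armor, base64-decodes the body before handing it to a DER parser, rejects input that does not start with a DER SEQUENCE tag (the case CERT_DecodeDERCrlWithFlags reports as SEC_ERROR_BAD_DER), and converts the unsigned hex code PSM prints into the signed NSS error number. The sample DER bytes are constructed for the demonstration and are not a real CRL.

```python
import base64
import re

# PEM armor used by the CRL in this bug report.
PEM_RE = re.compile(
    rb"-----BEGIN X509 CRL-----\s*(.*?)\s*-----END X509 CRL-----", re.DOTALL
)


def nss_error_code(hex_code: str) -> int:
    """Convert the unsigned 32-bit hex value shown by PSM (e.g. 'ffffe009')
    into the signed NSS error number (-8183 is SEC_ERROR_BAD_DER)."""
    value = int(hex_code, 16) & 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value


def normalize_crl(body: bytes) -> bytes:
    """Return DER bytes for a CRL fetched over HTTP, whether the server sent
    raw DER (as RFC 5280 requires) or PEM armor (as in this bug).
    Raises ValueError when neither form is recognisable."""
    m = PEM_RE.search(body)
    if m:
        # Strip the armor and all whitespace, then base64-decode the body.
        try:
            der = base64.b64decode(b"".join(m.group(1).split()), validate=True)
        except ValueError as e:
            raise ValueError("malformed base64 inside CRL armor") from e
    else:
        der = body
    # A DER CertificateList is a SEQUENCE, so the first byte must be 0x30;
    # anything else would fail in CERT_DecodeDERCrlWithFlags with SEC_ERROR_BAD_DER.
    if not der.startswith(b"\x30"):
        raise ValueError("not a DER SEQUENCE (SEC_ERROR_BAD_DER)")
    return der


def pem_armor(der: bytes) -> bytes:
    """Wrap DER bytes in X509 CRL armor; used only to build the sample input."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"-----BEGIN X509 CRL-----\n" + b"\n".join(lines) + b"\n-----END X509 CRL-----\n"


# Constructed sample: a minimal DER SEQUENCE, not a real CRL.
SAMPLE_DER = b"\x30\x03\x02\x01\x05"
SAMPLE_PEM = pem_armor(SAMPLE_DER)

if __name__ == "__main__":
    print(nss_error_code("ffffe009"))               # -8183
    print(normalize_crl(SAMPLE_PEM) == SAMPLE_DER)  # True
```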
Comment 1 Nelson Bolyard (seldom reads bugmail) 2009-11-21 20:15:23 PST
This is an RFC conformance issue.  See RFC 5280 page 46.

   If the DistributionPointName contains a general name of type URI, the
   following semantics MUST be assumed: [...]
                          When the HTTP or FTP URI scheme is used, the
   URI MUST point to a single DER encoded CRL as specified in
   [RFC2585].  HTTP server implementations accessed via the URI SHOULD
   specify the media type application/pkix-crl in the content-type
   header field of the response. 

We believe that PEM encoding does not conform to that requirement.
Mozilla tests that applicant CAs deliver their CRLs in binary DER form as 
a condition of admittance to the trusted root CA list.  

So, I believe the proper disposition of this bug is either INVALID or WONTFIX.
Comment 2 Wan-Teh Chang 2009-11-23 14:30:19 PST
Nelson, thank you for the reply.  That CRL meets only one of the
requirements (media type application/pkix-crl in the content-type
header field of the response):

$ curl -i http://www.rsasecurity.com/products/keon/repository/certificate_status/RSA_Public_Root_CA.crl
HTTP/1.1 200 OK
Content-Length: 750
Content-Type: application/pkix-crl
Last-Modified: Mon, 02 Nov 2009 16:41:24 GMT
Accept-Ranges: bytes
ETag: "0d27f50db5bca1:23c"
Server: Microsoft-IIS/6.0
Date: Mon, 23 Nov 2009 22:34:27 GMT

-----BEGIN X509 CRL-----
[base64-encoded CRL body omitted]
-----END X509 CRL-----

I found some CRLs that are served with the media type
application/x-pkcs7-crl in the content-type response header,
for example, http://crl1.netlock.hu/index.cgi?crl=uzleti.
Comment 4 roland 2014-04-14 17:04:20 PDT
Does that mean that RSA should be removed from the trusted certificates because it is non-complying?