54969 - need QA test that all cert name attributes are properly encoded

Status: NEW

(NSS :: Test, enhancement, P2)

Description

[Sonja Mirtitsch]

Test fix for Bug 53127  Accept UTF8String encoding for attributes in Names

 From: thayes@netscape.com (Terry Hayes)
 To: Sonja Mirtitsch <sonmi@netscape.com>

 Yes we should eventually build a test for this.  The problem is that
 there isn't any code right now that makes it easy to create a
 certificate with the new encoding.  We can probably write a program
 that builds a certificate request piece by piece and then use certutil
 and other tools to test whether NSS recognizes it.  Ian may be able to
 help with that as well.
 
-----------------------
 
 The library should accept the UTF8String encoding of directory string values
 found in X.500 names.  This encoding is mandated for certificates created after
 2003.  It should be added as soon as possible to allow for smooth upgrading of
 the PKI infrastructure.

 NOTE: we do not need to generate UTF8String (yet).

 Change is checked in, but I don't know how to QA this in the test suite.  I've
 built a version of PSM that accepts certificates with this encoding as a
 one-time test.

target release 3.3

Comment 1

[Wan-Teh Chang]

Reassigned bug to Sonja.

Comment 2

[Wan-Teh Chang]

Assigned the bug to Bishakha.

Comment 3

[Wan-Teh Chang]

Changed the QA contact to Bishakha.

Comment 4

[Julien Pierre]

Is the certutil limitation about not being able to create that encoding still current ?

Comment 5

[Nelson Bolyard (seldom reads bugmail)]

RFC 3280 (and other related RFCs) define the correct character set to use 
for each and every type of attribute that can exist in the cert names.
Today, NSS encodes a few of them correctly, a few are known to be incorrectly
encoded, and most of the rest are untested.  

The QA test envisioned here would generate a cert with many MANY name attributes
and then test that each and every one was encoded in the correct character set.

NSS 3.11.x, as it exists today, is guaranteed to fail this test, if the test 
was properly implemented.  But the test does not yet exist.  

I believe that the companies that support NSS care about NSS's ability to 
correctly encode cert names, hence P2.

Comment 6

[Nelson Bolyard (seldom reads bugmail)]

Bug 329067 documents some of the cert name attributes that are incorrectly
encoded.  This bug doesn't block that one, nor vice versa.  But I wanted to
mark these bugs as related.  One bug documents the encoding error, the
other bug documents the absence of a QA test that would detect such an
encoding error.

It's clear to me that to fulfill this test RFE, we need a new test tool,
one that parses a certificate and checks the encoding type of every 
attribute, to ensure that every attribute is encoded using one of the 
character set types defined for that attribute.  Such a tool would be 
useful for many purposes.  

Comment 7

[Nelson Bolyard (seldom reads bugmail)]

Reassign to Slavo.

Comment 8

[Slavomir Katuscak]

Decreasing priority to P3 (based on priorities set on meeting with Nelson in September).

Comment 9

[Nelson Bolyard (seldom reads bugmail)]

Readjusting priority back to P2 to be consistent with the priority definitions
used in NSS.  
A fix for this bug/RFE is desired by one of the companies that sponsor NSS.  
By the present definition of NSS priorities, that makes it at least a P2.  

Comment 10

[BugBot [:suhaib / :marco/ :calixte]]

The bug assignee is inactive on Bugzilla, and this bug has priority 'P2'.
:beurdouche, could you have a look please?

For more information, please visit auto_nag documentation.

Comment 11

[Marco Castelluccio [:marco]]

We have modified the bot to only consider P1 as high priority, so I'm cancelling the needinfo here.