Closed Bug 570438 Opened 14 years ago Closed 14 years ago

certutil's limits on sizes of generated cert extensions are TOO SMALL

Categories

(NSS :: Tools, defect, P3)

Tracking

(Not tracked)

RESOLVED FIXED
3.12.7

People

(Reporter: nelson, Assigned: nelson)

Details

Attachments

(2 files)

Many of the cert extensions that certutil can generate are generated from 
input supplied as command line options and their arguments.  The number of 
DNS names, email addresses, and numerous other items that can be put into
these cert extensions is limited by the size of a single command line 
argument string.  

I recently needed to create an SSL server cert with hundreds of DNS names 
in the SAN extension, and could not.

Since NSS 3.9, certutil has a "batch mode" that reads command lines in from a file, but it limits the length of each command line read in that way to no 
more than 512 bytes.  This would be OK if it allowed lines to be continued 
(joined) with trailing '\' characters, but it does not.  

So, I've written a patch to enable batch mode to join lines with trailing '\'
characters with the line that follows.  This can be repeated as many times as
needed.  Each line on input is still limited to 512 bytes, but when joined, 
there is effectively no limit.  With this patch, I generated a cert with over 
100KB of DNS names.  

This patch is fully backward compatible.   Patch forthcoming.
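
The line joining described in the report above, as an added example; this is not the NSS patch from attachment 449569, which is not shown on this page. The names `read_logical_line`, `first_logical_line` and `MAX_PHYS_LINE` are hypothetical, and the sample input is constructed. Each physical line is read into a fixed 512-byte buffer, the joined result grows on the heap, and a physical line that does not fit is rejected rather than silently split.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PHYS_LINE 512   /* per-line limit stated in the report */

/* Read one logical line: a physical line ending in '\' is joined with the
 * line that follows. Returns a malloc'ed string, or NULL at EOF, on a
 * physical line that fills the buffer, or on allocation failure. */
char *read_logical_line(FILE *fp) {
    char buf[MAX_PHYS_LINE];
    char *out = NULL; size_t len = 0;
    while (fgets(buf, sizeof buf, fp)) {
        size_t n = strlen(buf); int more = 0;
        if (n && buf[n - 1] == '\n') {
            buf[--n] = '\0';                 /* drop the newline */
        } else if (n == sizeof buf - 1) {    /* buffer full, no newline seen */
            free(out); return NULL;
        }
        if (n && buf[n - 1] == '\\') {       /* continuation marker */
            buf[--n] = '\0'; more = 1;
        }
        char *tmp = realloc(out, len + n + 1);
        if (!tmp) { free(out); return NULL; }
        out = tmp;
        memcpy(out + len, buf, n + 1);       /* copies the NUL as well */
        len += n;
        if (!more) break;
    }
    return out;
}

/* Constructed-input helper: write text to a temp file, return line one. */
char *first_logical_line(const char *text) {
    FILE *fp = tmpfile();
    if (!fp) return NULL;
    fputs(text, fp); rewind(fp);
    char *line = read_logical_line(fp);
    fclose(fp);
    return line;
}

int main(void) {
    /* constructed sample: one name list split over three physical lines */
    char *l = first_logical_line("a.example.com,\\\nb.example.com,\\\nc.example.com\n");
    printf("%s\n", l ? l : "(error)");
    free(l);
    return 0;
}
```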

Comment on attachment 449569
patch v1 - enable batch file line continuation

r+

One nit, the diffs seem to have indent differences between some of the added lines and those in the file. It's probably a tab versus space issue.

bob

Attachment #449569 - Flags: review?(rrelyea) → review+

Checking in certutil.c; new revision: 1.149; previous revision: 1.148

Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED