615100 - Certificate Viewer only displays the first CRL Distribution Point location

Status: RESOLVED WONTFIX

(Core :: Security: PSM, defect)

Description

[Ryan Sleevi]

Attachment: Screen shot showing the bug

When viewing a certificate with a CRL Distribution Point extension which contains multiple GeneralNames in the fullName field of the DistributionPointName, only the first GeneralName is displayed.

According to RFC 3280, the fullName field is defined as GeneralNames:

DistributionPointName ::= CHOICE {
     fullName                [0]     GeneralNames,
     nameRelativeToCRLIssuer [1]     RelativeDistinguishedName }

and GeneralNames is defined as a SEQUENCE of GeneralName:

GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName

The root cause is found in nsNSSCertHelper.cpp, as it is calling ProcessGeneralName, which processes a single GeneralName, rather than ProcessGeneralNames

http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/manager/ssl/src/nsNSSCertHelper.cpp&rev=1.38&mark=1479,1454#1454

The problem is resolved by updating the highlighted call to ProcessGeneralNames.

Comment 1

[Wan-Teh Chang]

Thanks for the bug report.  We should take the
opportunity to review other related code in NSS:
http://mxr.mozilla.org/security/ident?i=distPoint
http://mxr.mozilla.org/security/ident?i=fullName
http://mxr.mozilla.org/security/ident?i=derFullName

Also, we should add a new enum constant 'generalNames'
and deprecate the original enum constant 'generalName':

http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/certdb/certt.h&rev=1.54&mark=731#727

typedef enum DistributionPointTypesEnum {
    generalNames = 1,                    /* only support this for now */
    generalName = generalNames,          /* deprecated */
    relativeDistinguishedName = 2
} DistributionPointTypes;

Comment 2

[Dana Keeler (she/her) (use needinfo) [:keeler]]

Support for CRLs was removed. I don't think it's important to fix this in the certificate viewer.