729721 - Miscellaneous code cleanups in libpkix for NSS 3.13.4

Status: RESOLVED FIXED

(NSS :: Libraries, defect, P2)

Description

[Wan-Teh Chang]

Attachment: PKIX_PL_Cert_GetVersion cleanup (checked in)

I will use this bug for miscellaneous cleanups in libpkix for NSS 3.13.4.

The first patch changes PKIX_PL_Cert_GetVersion to use v1 (0) as the
default version of X509 certificate, and checks nssCert->version.len
instead of nssCert->version.data before dereferencing nssCert->version.data
(we may represent an empty SECItem with a non-null 'data' but a zero 'len'.

Comment 1

[Robert Relyea]

Comment on attachment 599780 [details] [diff] [review]
PKIX_PL_Cert_GetVersion cleanup (checked in)

r+ do we have any unexpired version 1 certs in the wild?:).

bob

Comment 2

[Wan-Teh Chang]

Comment on attachment 599780 [details] [diff] [review]
PKIX_PL_Cert_GetVersion cleanup (checked in)

Patch checked in on the NSS trunk (NSS 3.13.4).

Checking in pkix_pl_cert.c;
/cvsroot/mozilla/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c,v  <--  pkix_pl_cert.c
new revision: 1.28; previous revision: 1.27
done

Comment 3

[Ryan Sleevi]

Unfortunately so.

http://wiki.dreamhost.com/NDN_Certificate . Top 10 Web Host. This certificate is used to sign their mail server certificates for IMAPS/SMTPS. Examples of trouble this causes - http://code.google.com/p/android/issues/detail?id=24303

Comment 4

[Wan-Teh Chang]

Attachment: New Dream Network Certificate Authority, a X.509 v1 root certificate

I attached this X.509 v1 root certificate that Ryan mentioned
in comment 3 for future reference.