Closed Bug 840714 Opened 11 years ago Closed 11 years ago

certutil -a does not produce ASCII output

Categories

(NSS :: Tools, defect, P1)

3.14.2
x86_64
Linux

Tracking

(Not tracked)

RESOLVED FIXED
3.14.3

People

(Reporter: elio.maldonado.batiz, Assigned: elio.maldonado.batiz)

References

Details

(Keywords: regression)

Attachments

(1 file, 1 obsolete file)

Reported by Rob Crittenden 2013-02-12 16:59:49 EST

Description of problem:

certutil -a does not produce a base64-encoded CSR wrapped with BEGIN/END blocks; it produces garbage.

Version-Release number of selected component (if applicable):

nss-tools-3.14.2-2.fc18.x86_64

How reproducible:

Every time

Steps to Reproduce:
1. mkdir /tmp/db && cd /tmp/db
2. certutil -N -d . (set no password)
3. /usr/bin/certutil -d . -R -k rsa -g 2048 -s 'CN=IPA RA,O=EXAMPLE.COM' -z /etc/group -a
  
Actual results:

Generating key.  This may take a few moments...

Ȼ�n�Ȼ�n���@��@@�En�����n����n�)�;�}�Pa�W!YTހ�Y��#D��/10AЯ@�@�#n�����0A�@q�n��n��P��@�h��n�h��n����

Expected results:

Generating key.  This may take a few moments...

Certificate request generated by Netscape certutil
Phone: (not specified)

Common Name: IPA RA
Email: (not specified)
Organization: EXAMPLE.COM
State: (not specified)
Country: (not specified)

-----BEGIN NEW CERTIFICATE REQUEST-----
-----END NEW CERTIFICATE REQUEST-----
Summary: c certutil -a does not produce ASCII outpu → certutil -a does not produce ASCII output
Severity: normal → major
Priority: -- → P1
Assignee: nobody → bsmith
Status: NEW → ASSIGNED
I'm guessing this is assigned to me because it is a regression from bug 818410. I will take a look.
Blocks: 818410
Yes, it is a regression and I think I know the cause. A patch next.
SECITEM_AllocItem doesn't zeroize so the if (!result->data) fails and the copies are skipped.
As Brian pointed out, the patch ignored the fact that SECITEM_AllocItem could fail, and just dropping the ! from (!result->data) does the fix.
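The inverted guard described in the comments above, modelled as an added example (this is not the NSS source or the attached patch). `item_t`, `alloc_item`, `copy_parts`, `build_buggy`, `build_fixed` and `run_case` are hypothetical stand-ins, and the 0xAA fill simulates a buffer that the allocator did not zero.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for NSS's SECItem (not the NSS definition). */
typedef struct { unsigned char *data; size_t len; } item_t;
static int fail_next_alloc = 0;  /* hook to simulate an allocation failure */

/* Hypothetical allocator: as described above, it does not zero the buffer.
 * 0xAA stands in for stale heap bytes so the result is deterministic. */
static item_t *alloc_item(item_t *it, size_t len) {
    it->data = fail_next_alloc ? NULL : malloc(len);
    it->len = it->data ? len : 0;
    fail_next_alloc = 0;
    if (it->data) memset(it->data, 0xAA, len);
    return it->data ? it : NULL;
}

static void copy_parts(item_t *out, const char *hdr, const char *body) {
    memcpy(out->data, hdr, strlen(hdr));
    memcpy(out->data + strlen(hdr), body, strlen(body));
}

/* Regression: the guard is inverted, so the copies are skipped whenever
 * allocation succeeds and the caller prints the untouched buffer. */
static int build_buggy(item_t *out, const char *hdr, const char *body) {
    alloc_item(out, strlen(hdr) + strlen(body));
    if (!out->data) copy_parts(out, hdr, body);
    return 0;
}

/* Fix: copy only when the buffer exists, and report allocation failure. */
static int build_fixed(item_t *out, const char *hdr, const char *body) {
    alloc_item(out, strlen(hdr) + strlen(body));
    if (out->data) { copy_parts(out, hdr, body); return 0; }
    return -1;
}

/* Returns -1 on failure, 1 if the output is the expected text, 0 if not. */
int run_case(int fixed, int force_fail) {
    const char *hdr = "-----BEGIN-----\n", *body = "QUJD\n"; /* constructed */
    item_t out;
    fail_next_alloc = force_fail;
    if ((fixed ? build_fixed : build_buggy)(&out, hdr, body) != 0) return -1;
    int ok = out.len == 21 && memcmp(out.data, "-----BEGIN-----\nQUJD\n", 21) == 0;
    free(out.data);
    return ok;
}

int main(void) {
    printf("buggy=%d fixed=%d failed_alloc=%d\n",
           run_case(0, 0), run_case(1, 0), run_case(1, 1));
    return 0;
}
```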
Attachment #713228 - Flags: review?(bsmith)
Attachment #713228 - Attachment is obsolete: true
Attachment #713228 - Flags: review?(bsmith)
Comment on attachment 713228
switch the sense of the test

Elio, did you accidentally mark this patch obsolete instead of the previous one?

This patch looks like the right thing to do to me. However, I didn't test whether certutil actually produces the right output.
Attachment #713228 - Flags: review+
Attachment #713228 - Attachment is obsolete: false
Attachment #713191 - Attachment is obsolete: true
Yes, I tested
./certutil  -d . -R -k rsa -g 2048 -s 'CN=IPA RA,O=EXAMPLE.COM' -z /etc/group -a

Generating key.  This may take a few moments...


Certificate request generated by Netscape certutil
Phone: (not specified)

Common Name: IPA RA
Email: (not specified)
Organization: EXAMPLE.COM
State: (not specified)
Country: (not specified)

-----BEGIN NEW CERTIFICATE REQUEST-----
-----END NEW CERTIFICATE REQUEST-----

Pasted the PEM-encoded part into a file
[emaldona@dhcp-32-223 bin]$  vi test.req.pem
[emaldona@dhcp-32-223 bin]$ pp -t certificate-request -i test.req.pem 
pp: problem converting data (security library: improperly formatted DER-encoded message.)
[emaldona@dhcp-32-223 bin]$ pp -t certificate-request -i test.req.pem -a
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: "CN=IPA RA,O=EXAMPLE.COM"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                Exponent: 65537 (0x10001)
    Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
    Signature:
    Fingerprint (MD5):
        BE:3F:35:05:B7:39:44:86:58:44:CD:99:FB:F2:AD:50
    Fingerprint (SHA1):
        9B:BF:32:E8:70:A3:D3:D2:43:AD:7B:77:8A:B5:27:4A:47:45:63:29

I won't check in the patch just yet. I'd better test some more and compare output with older versions. Call me paranoid.
After comparing against older versions I'm happy with the patch.
Who will check it in?

Given this is a regression with a trivial fix, I propose to include it in the 3.14.3.
Keywords: regression
Target Milestone: --- → 3.14.3
Assignee: bsmith → emaldona
I confirmed this is a regression in NSS 3.14.2, introduced in
certutil.c, rev. 1.165. By our policy the fix is eligible for
inclusion in NSS 3.14.3.

Elio, please check this in after you have tested this.
Checked in to TRUNK for NSS_3.4.3_RTM:

Checking in certutil.c;
/cvsroot/mozilla/security/nss/cmd/certutil/certutil.c,v  <--  certutil.c
new revision: 1.167; previous revision: 1.166
done
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED