Bug 840714 - certutil -a does not produce ASCII output
Status: RESOLVED FIXED
Keywords: regression
Product: NSS
Classification: Components
Component: Tools
Version: 3.14.2
Platform: x86_64 Linux
Importance: P1 major
Target Milestone: 3.14.3
Assigned To: Elio Maldonado
Blocks: 818410

Reported: 2013-02-12 14:06 PST by Elio Maldonado
Modified: 2013-02-13 12:04 PST

Attachments
Unconditionally do memcpy the header ascii data and trailer (1.02 KB, patch)
2013-02-12 16:55 PST, Elio Maldonado
no flags
switch the sense of the test (804 bytes, patch)
2013-02-12 17:53 PST, Elio Maldonado
brian: review+

Description Elio Maldonado 2013-02-12 14:06:11 PST
Reported by Rob Crittenden 2013-02-12 16:59:49 EST

Description of problem:

certutil -a does not produce a base64-encoded CSR wrapped with BEGIN/END blocks; it produces garbage.

Version-Release number of selected component (if applicable):

nss-tools-3.14.2-2.fc18.x86_64

How reproducible:

Every time

Steps to Reproduce:
1. mkdir /tmp/db && cd /tmp/db
2. certutil -N -d . (set no password)
3. /usr/bin/certutil -d . -R -k rsa -g 2048 -s 'CN=IPA RA,O=EXAMPLE.COM' -z /etc/group -a
  
Actual results:

Generating key.  This may take a few moments...

Ȼ�n�Ȼ�n���@��@@�En�����n����n�)�;�}�Pa�W!YTހ�Y��#D��/10AЯ@�@�#n�����0A�@q�n��n��P��@�h��n�h��n����

Expected results:

Generating key.  This may take a few moments...

Certificate request generated by Netscape certutil
Phone: (not specified)

Common Name: IPA RA
Email: (not specified)
Organization: EXAMPLE.COM
State: (not specified)
Country: (not specified)

-----BEGIN NEW CERTIFICATE REQUEST-----
-----END NEW CERTIFICATE REQUEST-----
Comment 1 Brian Smith (:briansmith, :bsmith, use NEEDINFO?) 2013-02-12 16:13:26 PST
I'm guessing this is assigned to me because it is a regression from bug 818410. I will take a look.
Comment 2 Elio Maldonado 2013-02-12 16:52:20 PST
Yes, it is a regression and I think I know the cause. A patch next.
Comment 3 Elio Maldonado 2013-02-12 16:55:43 PST
Created attachment 713191
Unconditionally do memcpy the header ascii data and trailer

SECITEM_AllocItem doesn't zeroize so the if (!result->data) fails and the copies are skipped.
Comment 4 Elio Maldonado 2013-02-12 17:39:19 PST
As Brian pointed out, the patch ignored the fact that SECITEM_AllocItem could fail, and just dropping the ! from (!result->data) does the fix.
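The inverted allocation check described in comments 3 and 4, modeled as an added example (this is not the NSS source or either attached patch). `Item`, `alloc_item`, `armor` and `is_ascii` are hypothetical names, and the 0xA5 fill is a constructed stand-in for uninitialized heap memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HEADER  "-----BEGIN NEW CERTIFICATE REQUEST-----\n"
#define TRAILER "\n-----END NEW CERTIFICATE REQUEST-----\n"

/* Hypothetical stand-in for an NSS SECItem (length-tagged byte buffer). */
typedef struct { unsigned char *data; size_t len; } Item;

/* Hypothetical non-zeroing allocator; the 0xA5 fill stands in for
 * uninitialized heap bytes so the demonstration is deterministic. */
static void alloc_item(Item *it, size_t len) {
    it->data = malloc(len);
    it->len = it->data ? len : 0;
    if (it->data) memset(it->data, 0xA5, len);
}

/* Build header + base64 body + trailer in a newly allocated item.
 * regressed=1: the copies are guarded by (!out->data), true only when
 * allocation FAILED, so on success the untouched buffer is the output.
 * regressed=0: the sense of the test is switched, as in the fix. */
int armor(Item *out, const char *b64, int regressed) {
    size_t hl = strlen(HEADER), bl = strlen(b64), tl = strlen(TRAILER);
    alloc_item(out, hl + bl + tl);
    if (regressed ? !out->data : out->data != NULL) {
        memcpy(out->data, HEADER, hl);
        memcpy(out->data + hl, b64, bl);
        memcpy(out->data + hl + bl, TRAILER, tl);
    }
    return out->data ? 0 : -1;
}

/* 1 if the item is non-empty and every byte is printable ASCII or '\n'. */
int is_ascii(const Item *it) {
    for (size_t i = 0; i < it->len; i++)
        if (it->data[i] != '\n' && (it->data[i] < 0x20 || it->data[i] > 0x7e))
            return 0;
    return it->len > 0;
}

int main(void) {
    Item bad, good;
    armor(&bad, "QUJD", 1);   /* "QUJD": constructed stand-in for the body */
    armor(&good, "QUJD", 0);
    printf("regressed ascii=%d, fixed ascii=%d\n", is_ascii(&bad), is_ascii(&good));
    free(bad.data); free(good.data);
    return 0;
}
```

With a successful allocation the regressed path returns success but leaves every output byte at the allocator's fill value, which is the "garbage" in the report. An `is_ascii`-style check on `-a` output is a cheap regression test for this class of bug.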
Comment 5 Elio Maldonado 2013-02-12 17:53:27 PST
Created attachment 713228
switch the sense of the test
Comment 6 Brian Smith (:briansmith, :bsmith, use NEEDINFO?) 2013-02-12 18:25:01 PST
Comment on attachment 713228
switch the sense of the test

Elio, did you accidentally mark this patch obsolete instead of the previous one?

This patch looks like the right thing to do to me. However, I didn't test whether certutil actually produces the right output.
Comment 7 Elio Maldonado 2013-02-12 18:55:24 PST
Yes, I tested
./certutil  -d . -R -k rsa -g 2048 -s 'CN=IPA RA,O=EXAMPLE.COM' -z /etc/group -a

Generating key.  This may take a few moments...


Certificate request generated by Netscape certutil
Phone: (not specified)

Common Name: IPA RA
Email: (not specified)
Organization: EXAMPLE.COM
State: (not specified)
Country: (not specified)

-----BEGIN NEW CERTIFICATE REQUEST-----
-----END NEW CERTIFICATE REQUEST-----

Pasted the PEM-encoded part into a file
[emaldona@dhcp-32-223 bin]$  vi test.req.pem
[emaldona@dhcp-32-223 bin]$ pp -t certificate-request -i test.req.pem 
pp: problem converting data (security library: improperly formatted DER-encoded message.)
[emaldona@dhcp-32-223 bin]$ pp -t certificate-request -i test.req.pem -a
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: "CN=IPA RA,O=EXAMPLE.COM"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                Exponent: 65537 (0x10001)
    Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
    Signature:
    Fingerprint (MD5):
        BE:3F:35:05:B7:39:44:86:58:44:CD:99:FB:F2:AD:50
    Fingerprint (SHA1):
        9B:BF:32:E8:70:A3:D3:D2:43:AD:7B:77:8A:B5:27:4A:47:45:63:29

I won't check in the patch just yet. I better test some more and compare output with older versions. Call me paranoid.
Comment 8 Elio Maldonado 2013-02-13 08:24:27 PST
After comparing against older versions I'm happy with the patch.
Comment 9 Kai Engert (:kaie) 2013-02-13 11:28:13 PST
Who will check it in?

Given this is a regression with a trivial fix, I propose to include it in the 3.14.3.
Comment 10 Wan-Teh Chang 2013-02-13 11:39:53 PST
I confirmed this is a regression in NSS 3.14.2, introduced in
certutil.c, rev. 1.165. By our policy the fix is eligible for
inclusion in NSS 3.14.3.

Elio, please check this in after you have tested this.
Comment 11 Elio Maldonado 2013-02-13 11:44:20 PST
Checked in to TRUNK for NSS_3.4.3_RTM:

Checking in certutil.c;
/cvsroot/mozilla/security/nss/cmd/certutil/certutil.c,v  <--  certutil.c
new revision: 1.167; previous revision: 1.166
done
