certutil -a does not produce ASCII output

RESOLVED FIXED in 3.14.3

Status

NSS
Tools
P1
major
RESOLVED FIXED
4 years ago
4 years ago

People

(Reporter: Elio Maldonado, Assigned: Elio Maldonado)

Tracking

({regression})

3.14.2
3.14.3
x86_64
Linux
regression

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment, 1 obsolete attachment)

(Assignee)

Description

4 years ago
Reported by Rob Crittenden 2013-02-12 16:59:49 EST

Description of problem:

certutil -a does not produce a base64-encoded CSR wrapped with BEGIN/END blocks, it produces garbage.

Version-Release number of selected component (if applicable):

nss-tools-3.14.2-2.fc18.x86_64

How reproducible:

Every time

Steps to Reproduce:
1. mkdir /tmp/db && cd /tmp/db
2. certutil -N -d . (set no password)
3. /usr/bin/certutil -d . -R -k rsa -g 2048 -s 'CN=IPA RA,O=EXAMPLE.COM' -z /etc/group -a
  
Actual results:

Generating key.  This may take a few moments...

Ȼ�n�Ȼ�n���@��@@�En�����n����n�)�;�}�Pa�W!YTހ�Y��#D��/10AЯ@�@�#n�����0A�@q�n��n��P��@�h��n�h��n����

Expected results:

Generating key.  This may take a few moments...

Certificate request generated by Netscape certutil
Phone: (not specified)

Common Name: IPA RA
Email: (not specified)
Organization: EXAMPLE.COM
State: (not specified)
Country: (not specified)

-----BEGIN NEW CERTIFICATE REQUEST-----
[...]
-----END NEW CERTIFICATE REQUEST-----
(Assignee)

Updated

4 years ago
Summary: c certutil -a does not produce ASCII outpu → certutil -a does not produce ASCII output
(Assignee)

Updated

4 years ago
(Assignee)

Updated

4 years ago
Severity: normal → major
Priority: -- → P1
(Assignee)

Updated

4 years ago
Assignee: nobody → bsmith
(Assignee)

Updated

4 years ago
Status: NEW → ASSIGNED
I'm guessing this is assigned to me because it is a regression from bug 818410. I will take a look.
Blocks: 818410
(Assignee)

Comment 2

4 years ago
Yes, it is a regression and I think I know the cause. A patch next.
(Assignee)

Comment 3

4 years ago
Created attachment 713191 [details] [diff] [review]
Unconditionally do memcpy the header ascii data and trailer

SECITEM_AllocItem doesn't zeroize so the if (!result->data) fails and the copies are skipped.
(Assignee)

Comment 4

4 years ago
As Brian pointed out, the patch ignored the fact that SECITEM_AllocItem could fail, and just dropping the ! from (!result->data) does the fix.
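
The root cause discussed in comments 3 and 4, reduced to a stand-alone C sketch. This is an added example, not code from certutil.c or NSS: `item_t`, `item_alloc`, `wrap_inverted` and `wrap_fixed` are hypothetical names, and the 0xA5 fill is a constructed, deterministic stand-in for whatever stale bytes a non-zeroing allocator hands back.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { unsigned char *data; size_t len; } item_t;

static const char HDR[] = "-----BEGIN NEW CERTIFICATE REQUEST-----\n";
static const char TRL[] = "\n-----END NEW CERTIFICATE REQUEST-----\n";

/* Hypothetical stand-in for a non-zeroing allocator. The 0xA5 fill is a
 * constructed, deterministic model of stale heap bytes. */
static void item_alloc(item_t *it, size_t len) {
    it->data = malloc(len);
    it->len = it->data ? len : 0;
    if (it->data) memset(it->data, 0xA5, len);
}

static size_t wrapped_len(const char *b64) { return strlen(HDR) + strlen(b64) + strlen(TRL); }

static void fill(item_t *out, const char *b64) {
    size_t h = strlen(HDR), b = strlen(b64);
    memcpy(out->data, HDR, h);
    memcpy(out->data + h, b64, b);
    memcpy(out->data + h + b, TRL, strlen(TRL));
}

/* Regression shape: the copies run only when the allocation FAILED. */
static int wrap_inverted(item_t *out, const char *b64) {
    item_alloc(out, wrapped_len(b64));
    if (!out->data)
        fill(out, b64);   /* on failure this would write through NULL */
    return 0;             /* on success the buffer is returned unfilled */
}

/* Sense of the test switched: copy on success, report failure otherwise. */
static int wrap_fixed(item_t *out, const char *b64) {
    item_alloc(out, wrapped_len(b64));
    if (out->data)
        fill(out, b64);
    return out->data ? 0 : -1;
}

int main(void) {
    item_t bad, good;   /* "QUJD" is constructed sample base64 */
    wrap_inverted(&bad, "QUJD");
    wrap_fixed(&good, "QUJD");
    printf("inverted has header: %d\n", !memcmp(bad.data, HDR, strlen(HDR)));
    printf("fixed has header:    %d\n", !memcmp(good.data, HDR, strlen(HDR)));
    free(bad.data); free(good.data);
    return 0;
}
```

The inverted variant still returns success, so the caller writes the full-length buffer of stale bytes to its output, which is the garbage shown in the bug description.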
(Assignee)

Comment 5

4 years ago
Created attachment 713228 [details] [diff] [review]
switch the sense of the test
Attachment #713228 - Flags: review?(bsmith)
(Assignee)

Updated

4 years ago
Attachment #713228 - Attachment is obsolete: true
Attachment #713228 - Flags: review?(bsmith)
Comment on attachment 713228 [details] [diff] [review]
switch the sense of the test

Elio, did you accidentally mark this patch obsolete instead of the previous one?

This patch looks like the right thing to do to me. However, I didn't test whether certutil actually produces the right output.
Attachment #713228 - Flags: review+
(Assignee)

Updated

4 years ago
Attachment #713228 - Attachment is obsolete: false
(Assignee)

Updated

4 years ago
Attachment #713191 - Attachment is obsolete: true
(Assignee)

Comment 7

4 years ago
Yes, I tested
./certutil  -d . -R -k rsa -g 2048 -s 'CN=IPA RA,O=EXAMPLE.COM' -z /etc/group -a

Generating key.  This may take a few moments...


Certificate request generated by Netscape certutil
Phone: (not specified)

Common Name: IPA RA
Email: (not specified)
Organization: EXAMPLE.COM
State: (not specified)
Country: (not specified)

-----BEGIN NEW CERTIFICATE REQUEST-----
[...]
-----END NEW CERTIFICATE REQUEST-----

pasted the PEM-encoded part into a file
[emaldona@dhcp-32-223 bin]$  vi test.req.pem
[emaldona@dhcp-32-223 bin]$ pp -t certificate-request -i test.req.pem 
pp: problem converting data (security library: improperly formatted DER-encoded message.)
[emaldona@dhcp-32-223 bin]$ pp -t certificate-request -i test.req.pem -a
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: "CN=IPA RA,O=EXAMPLE.COM"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    [...]
                Exponent: 65537 (0x10001)
    Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
    Signature:
        [...]
    Fingerprint (MD5):
        BE:3F:35:05:B7:39:44:86:58:44:CD:99:FB:F2:AD:50
    Fingerprint (SHA1):
        9B:BF:32:E8:70:A3:D3:D2:43:AD:7B:77:8A:B5:27:4A:47:45:63:29

I won't check in the patch just yet. I'd better test some more and compare output with older versions. Call me paranoid.
(Assignee)

Comment 8

4 years ago
After comparing against older versions I'm happy with the patch.

Comment 9

4 years ago
Who will check it in?

Given this is a regression with a trivial fix, I propose to include it in the 3.14.3.
Keywords: regression
Target Milestone: --- → 3.14.3
(Assignee)

Updated

4 years ago
Assignee: bsmith → emaldona

Comment 10

4 years ago
I confirmed this is a regression in NSS 3.14.2, introduced in
certutil.c, rev. 1.165. By our policy the fix is eligible for
inclusion in NSS 3.14.3.

Elio, please check this in after you have tested this.
(Assignee)

Comment 11

4 years ago
Checked in to TRUNK for NSS_3.4.3_RTM:

Checking in certutil.c;
/cvsroot/mozilla/security/nss/cmd/certutil/certutil.c,v  <--  certutil.c
new revision: 1.167; previous revision: 1.166
done

Updated

4 years ago
Status: ASSIGNED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED