Closed Bug 926270 Opened 12 years ago Closed 10 years ago

mozilla::pkix issuer/subject name matching and other name comparisons may be too strict

Categories

(Core :: Security: PSM, defect)

Type: defect
Priority: Not set
Severity: normal

RESOLVED DUPLICATE of bug 1008133

People

(Reporter: briansmith, Unassigned)

Details

This bug report is vague due to my vague recollection of all the issues. Basically, we currently use CERT_CompareName to compare issuer/subject name, and CERT_CompareName is more strict than it should be. See bug 426872, for example. Another issue is that the NSS certificate database seems to use direct bytewise comparison of the subject name to search for certificates, without considering normalization, etc. Basically, we need to look at the rules in RFC 5280, look at what CAs are doing in the real world, decide what makes sense, write some tests, and fix whatever we need to fix to make sure we're not rejecting reasonable certificate chains because we are being too strict. I suspect that bytewise comparison for certificates issued by publicly-trusted CAs actually works fine in almost all cases. There are probably more problems with private CA infrastructures. Because bytewise comparison almost always works, we should ensure our name comparisons try bytewise comparison first before falling back to parsing the names, normalizing, folding case, etc.
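As an added illustration of the comparison order the report proposes (this is not code from mozilla::pkix or NSS), a minimal Python model: compare the DER-encoded Names bytewise first and only fall back to parsing plus the RFC 5280 section 7.1 string preparation (case folding, whitespace collapsing) when the bytes differ. The helper names, the two attribute OIDs and the sample names are constructed for the example.

```python
# Added example of the two-stage Name comparison the bug describes: exact DER bytes
# first, then RFC 5280 7.1 string preparation. Not mozilla::pkix/NSS code; inputs constructed.
PRINTABLE, UTF8, OID, SEQ, SET = 0x13, 0x0C, 0x06, 0x30, 0x31
CN, O = b"\x55\x04\x03", b"\x55\x04\x0a"    # id-at-commonName, id-at-organizationName

def _tlv(data, pos):
    """Decode one DER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _children(value):                       # immediate (tag, value) children
    out, pos = [], 0
    while pos < len(value):
        tag, inner, pos = _tlv(value, pos)
        out.append((tag, inner))
    return out

def _prepare(tag, value):
    """RFC 5280 7.1: fold case and collapse whitespace for text string types."""
    if tag in (PRINTABLE, UTF8):
        return " ".join(value.decode("utf-8").split()).casefold()
    return value                            # other value types: exact octets

def normalize_name(der):
    tag, seq, _ = _tlv(der, 0)
    assert tag == SEQ, "Name must be a SEQUENCE OF RelativeDistinguishedName"
    rdns = []
    for _, rdn in _children(seq):           # each RDN is a SET OF AttributeTypeAndValue
        atvs = []
        for _, atv in _children(rdn):
            (_, oid), (vtag, val) = _children(atv)
            atvs.append((oid, _prepare(vtag, val)))
        rdns.append(frozenset(atvs))        # SET: element order must not matter
    return tuple(rdns)                      # SEQUENCE: RDN order does matter

def names_match(a, b):
    """Return (matched, how). Cheap bytewise check first; parse only on mismatch."""
    if a == b:
        return True, "bytewise"
    return normalize_name(a) == normalize_name(b), "normalized"

def _der(tag, body):                        # short-form length only (samples < 128 bytes)
    return bytes([tag, len(body)]) + body
def make_name(*rdns):
    """Build a DER Name from (oid, string_tag, text) tuples, one single-valued RDN each."""
    return _der(SEQ, b"".join(_der(SET, _der(SEQ, _der(OID, o) + _der(t, s.encode())))
                              for o, t, s in rdns))
```

The fallback is where the strictness question lives: a Name re-encoded by a private CA with a different string type or stray whitespace fails the bytewise test but still matches after preparation, while a reordered RDN sequence does not.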
Summary: insanity::pkix issuer/subject name matching and other name comparisons may be too strict → mozilla::pkix issuer/subject name matching and other name comparisons may be too strict
Duplicate of bug 1008133. We now use strict bytewise comparison for name comparison instead of CERT_CompareName.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE