pkix_pl_AIAMgr_GetLDAPCerts or pkix_pl_AiaMgr_FindLDAPClient should check for an empty |domainName|

RESOLVED FIXED in 3.15.5

Status

NSS
Libraries
P2
normal
RESOLVED FIXED
4 years ago
4 years ago

People

(Reporter: Wan-Teh Chang, Assigned: Wan-Teh Chang)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment, 3 obsolete attachments)

(Assignee)

Description

4 years ago
LDAP URLs are specified in RFC 4516 (http://tools.ietf.org/html/rfc4516).
The <host> component of an LDAP URL is optional. If <host> is missing, it
means:

   <host>
      If no <host> is given, the client must have some a priori
      knowledge of an appropriate LDAP server to contact.

The RFC gives an example:

      ...  The first example is an LDAP URL referring to the University
   of Michigan entry, available from an LDAP server of the client's
   choosing:

      ldap:///o=University%20of%20Michigan,c=US

Here is an example from the AIA extension of a real certificate:

ldap:///CN=Northrop%20Grumman%20Corporation%20Issuing%20CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=configuration,DC=northgrum,DC=com?cACertificate?base?objectClass=certificationAuthority

pkix_pl_AIAMgr_GetLDAPCerts, or the pkix_pl_AiaMgr_FindLDAPClient function
it calls, should check for an empty |domainName|. Since libpkix doesn't have
a way to specify a default LDAP server, it should fail with the
SEC_ERROR_BAD_INFO_ACCESS_LOCATION error. (We probably should add a
SEC_ERROR_UNSUPPORTED_INFO_ACCESS_LOCATION error.)
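As an added illustration of the check the report asks for (example code written for this page, not NSS's own; the enum values, ldap_url_host and aia_check_ldap_location are hypothetical names standing in for the libpkix functions and SEC_ERROR_BAD_INFO_ACCESS_LOCATION), a small RFC 4516 host-component parser that rejects a host-less ldap:/// URL up front rather than passing an empty host on to the LDAP client code:

```c
#include <string.h>

enum aia_status {
    AIA_OK = 0,
    AIA_NOT_LDAP = 1,      /* scheme is not ldap:// */
    AIA_BAD_LOCATION = 2   /* stands in for SEC_ERROR_BAD_INFO_ACCESS_LOCATION */
};

/* Copy the <host> part of an RFC 4516 LDAP URL into |host| (size |hostlen|).
 * Layout: ldap://[host[:port]]/dn[?attrs[?scope[?filter]]]
 * A URL with no <host> (ldap:///dn) yields "", which is also what the
 * bug says pkix_pl_InfoAccess_ParseLocation produces in 'domainName'.
 * Bracketed IPv6 literals are not handled here. (Hypothetical helper.) */
static int ldap_url_host(const char *url, char *host, size_t hostlen)
{
    const char *p, *end, *colon;
    size_t n;
    if (strncmp(url, "ldap://", 7) != 0)
        return AIA_NOT_LDAP;
    p = url + 7;
    end = strchr(p, '/');                 /* hostport stops at the first '/' */
    if (end == NULL)
        end = p + strlen(p);              /* no DN: the remainder is hostport */
    colon = memchr(p, ':', (size_t)(end - p));
    if (colon != NULL)
        end = colon;                      /* drop ":port" */
    n = (size_t)(end - p);
    if (n >= hostlen)
        n = hostlen - 1;                  /* truncate; caller sizes the buffer */
    memcpy(host, p, n);
    host[n] = '\0';
    return AIA_OK;
}

/* The check this bug asks for: libpkix cannot pick a default LDAP server,
 * so an AIA location with an empty host is rejected here instead of being
 * handed to the LDAP client code. (Hypothetical name.) */
int aia_check_ldap_location(const char *url)
{
    char host[256];
    int rv = ldap_url_host(url, host, sizeof host);
    if (rv != AIA_OK)
        return rv;
    if (host[0] == '\0')                  /* ldap:///... : no <host> given */
        return AIA_BAD_LOCATION;
    return AIA_OK;
}
```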
(Assignee)

Comment 1

4 years ago
Created attachment 8358481 [details] [diff] [review]
Patch
Attachment #8358481 - Flags: review?(ryan.sleevi)
(Assignee)

Comment 2

4 years ago
Created attachment 8358484 [details] [diff] [review]
Patch v1.1

Added a comment to explain why I chose that PKIX error code.
Attachment #8358481 - Attachment is obsolete: true
Attachment #8358481 - Flags: review?(ryan.sleevi)
Attachment #8358484 - Flags: review?(ryan.sleevi)

Comment 3

4 years ago
Comment on attachment 8358484 [details] [diff] [review]
Patch v1.1

Review of attachment 8358484 [details] [diff] [review]:
-----------------------------------------------------------------

r+, but a question about the Note that, if correct, suggests the "Note" portion should just be deleted.

::: lib/libpkix/pkix_pl_nss/module/pkix_pl_aiamgr.c
@@ +164,5 @@
> +         * LDAP server, so we don't support this kind of LDAP URL.
> +         * Note: pkix_pl_InfoAccess_ParseLocation parses this kind of URL into
> +         * an empty 'domainName' string. With OpenLDAP and Windows, you pass a
> +         * NULL 'host' or 'HostName' argument to ldap_init in this case.
> +         */
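Review bot: the last sentence of the Note (passing a NULL 'host' or 'HostName' to ldap_init on OpenLDAP and Windows) describes what other LDAP clients do with a host-less URL rather than anything this code does, so it reads as a hint that the case could be supported; either drop it or reword it as a possible future extension. The part worth keeping is the first sentence: pkix_pl_InfoAccess_ParseLocation yields an empty 'domainName' string, not a NULL pointer, which is why the rejection path has to test for the empty string rather than for NULL, and that is what the comment should document.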

I don't fully understand the "Note" comment. Are you trying to describe how it *could* be supported?
Attachment #8358484 - Flags: review?(ryan.sleevi) → review+
(Assignee)

Comment 4

4 years ago
Created attachment 8358741 [details] [diff] [review]
Patch v2

I tried to clarify the "Note" comment. Hopefully I didn't make it worse.
Attachment #8358484 - Attachment is obsolete: true
Attachment #8358741 - Flags: review?(ryan.sleevi)
(Assignee)

Comment 5

4 years ago
Created attachment 8359936 [details] [diff] [review]
Patch v3

I decided to just delete the "Note" comment. It's not that important and
the info can be found in this bug report in patch v2 (attachment 8358741 [details] [diff] [review]).

Patch checked in: https://hg.mozilla.org/projects/nss/rev/f5849acd1dfb
Attachment #8358741 - Attachment is obsolete: true
Attachment #8358741 - Flags: review?(ryan.sleevi)
Attachment #8359936 - Flags: checked-in+
(Assignee)

Updated

4 years ago
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Priority: -- → P2
Resolution: --- → FIXED
Target Milestone: --- → 3.15.5

Updated

4 years ago
Target Milestone: 3.15.5 → 3.16
(Assignee)

Updated

4 years ago
Target Milestone: 3.16 → 3.15.5