LDAP URLs are specified in RFC 4516 (http://tools.ietf.org/html/rfc4516). The <host> component of an LDAP URL is optional. If <host> is missing, it means:

    <host>
    If no <host> is given, the client must have some a priori knowledge of an appropriate LDAP server to contact.

The RFC gives an example:

    ... The first example is an LDAP URL referring to the University of Michigan entry, available from an LDAP server of the client's choosing:

    ldap:///o=University%20of%20Michigan,c=US

Here is an example from the AIA extension of a real certificate:

    ldap:///CN=Northrop%20Grumman%20Corporation%20Issuing%20CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=configuration,DC=northgrum,DC=com?cACertificate?base?objectClass=certificationAuthority

pkix_pl_AIAMgr_GetLDAPCerts, or the pkix_pl_AiaMgr_FindLDAPClient function it calls, should check for an empty |domainName|. Since libpkix doesn't have a way to specify a default LDAP server, it should fail with the SEC_ERROR_BAD_INFO_ACCESS_LOCATION error. (We probably should add a SEC_ERROR_UNSUPPORTED_INFO_ACCESS_LOCATION error.)
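The following is an added example, not NSS/libpkix code and not part of the original report: a small RFC 4516 parser in C that splits an LDAP URL into host, port, dn, attributes, scope and filter, followed by the check the report asks for, namely refusing an AIA location whose <host> part is empty because a client without a configured default LDAP server has nowhere to send the query. The struct, the function names and the LDAP_URL_* result codes are placeholders (LDAP_URL_NO_HOST stands in for SEC_ERROR_BAD_INFO_ACCESS_LOCATION); the ldap.example.com URL is constructed, the other two are the ones quoted above. Values are left percent-encoded and bracketed IPv6 host literals are not handled.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* RFC 4516 layout: scheme "://" [host [":" port]]
 *   ["/" dn ["?" attrs ["?" scope ["?" filter ["?" extensions]]]]] */
typedef struct {
    char scheme[8];
    char host[256];   /* empty when the URL carries no <host> */
    int  port;        /* 0 when absent */
    char dn[512];
    char attrs[128];
    char scope[16];
    char filter[256];
} ldap_url_t;

/* Placeholder result codes (assumed names, not NSS error codes). */
enum { LDAP_URL_OK = 0, LDAP_URL_BAD_SCHEME = 1,
       LDAP_URL_BAD_SYNTAX = 2, LDAP_URL_NO_HOST = 3 };

/* Copy [s, e) into dst, truncating rather than overflowing. */
static void copy_span(char *dst, size_t cap, const char *s, const char *e)
{
    size_t n = (size_t)(e - s);
    if (n >= cap)
        n = cap - 1;
    memcpy(dst, s, n);
    dst[n] = '\0';
}

int parse_ldap_url(const char *url, ldap_url_t *out)
{
    const char *p, *slash, *hp_end, *colon;
    char *dst[4];
    size_t caps[4];
    int i;

    memset(out, 0, sizeof *out);
    p = strstr(url, "://");
    if (!p)
        return LDAP_URL_BAD_SYNTAX;
    copy_span(out->scheme, sizeof out->scheme, url, p);
    if (strcmp(out->scheme, "ldap") != 0 && strcmp(out->scheme, "ldaps") != 0)
        return LDAP_URL_BAD_SCHEME;
    p += 3;

    /* hostport ends at the first '/', or at end of string when no dn follows */
    slash = strchr(p, '/');
    hp_end = slash ? slash : p + strlen(p);
    colon = memchr(p, ':', (size_t)(hp_end - p));
    copy_span(out->host, sizeof out->host, p, colon ? colon : hp_end);
    if (colon) {
        char *end;
        long port = strtol(colon + 1, &end, 10);
        if (end == colon + 1 || end != hp_end || port < 1 || port > 65535)
            return LDAP_URL_BAD_SYNTAX;
        out->port = (int)port;
    }
    if (!slash)
        return LDAP_URL_OK;       /* "ldap://host" with no dn is legal */

    /* dn ? attrs ? scope ? filter; a fourth '?' starts the extensions list */
    dst[0] = out->dn;     caps[0] = sizeof out->dn;
    dst[1] = out->attrs;  caps[1] = sizeof out->attrs;
    dst[2] = out->scope;  caps[2] = sizeof out->scope;
    dst[3] = out->filter; caps[3] = sizeof out->filter;
    p = slash + 1;
    for (i = 0; i < 4 && p; i++) {
        const char *q = strchr(p, '?');
        copy_span(dst[i], caps[i], p, q ? q : p + strlen(p));
        p = q ? q + 1 : NULL;
    }
    if (out->scope[0] && strcmp(out->scope, "base") != 0 &&
        strcmp(out->scope, "one") != 0 && strcmp(out->scope, "sub") != 0)
        return LDAP_URL_BAD_SYNTAX;
    return LDAP_URL_OK;
}

/* The check the report asks for: with no default LDAP server configured,
 * a URL that omits <host> cannot be resolved, so refuse it up front. */
int aia_ldap_location_ok(const char *url, ldap_url_t *out)
{
    int rc = parse_ldap_url(url, out);
    if (rc != LDAP_URL_OK)
        return rc;
    if (out->host[0] == '\0')     /* empty string, not NULL */
        return LDAP_URL_NO_HOST;
    return LDAP_URL_OK;
}

int main(void)
{
    static const char *const urls[] = {
        "ldap:///o=University%20of%20Michigan,c=US",
        "ldap:///CN=Northrop%20Grumman%20Corporation%20Issuing%20CA,CN=AIA,"
        "CN=Public%20Key%20Services,CN=Services,CN=configuration,DC=northgrum,"
        "DC=com?cACertificate?base?objectClass=certificationAuthority",
        "ldap://ldap.example.com:389/o=Example,c=US?cACertificate?base", /* constructed */
    };
    size_t i;
    for (i = 0; i < sizeof urls / sizeof urls[0]; i++) {
        ldap_url_t u;
        int rc = aia_ldap_location_ok(urls[i], &u);
        printf("%-7s host='%s' port=%d attrs='%s' scope='%s'\n",
               rc == LDAP_URL_NO_HOST ? "NO_HOST" : rc ? "ERROR" : "OK",
               u.host, u.port, u.attrs, u.scope);
    }
    return 0;
}
```

Both URLs from the report parse cleanly (the second yields attrs cACertificate, scope base and the objectClass filter) but are rejected with LDAP_URL_NO_HOST because the host field is the empty string; note that the test is on an empty string rather than a NULL pointer, which is the distinction the patch discussion turns on.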
Created attachment 8358481 [details] [diff] [review] Patch
Created attachment 8358484 [details] [diff] [review] Patch v1.1 Added a comment to explain why I chose that PKIX error code.
Comment on attachment 8358484 [details] [diff] [review] Patch v1.1 Review of attachment 8358484 [details] [diff] [review]: ----------------------------------------------------------------- r+, but a question about the Note that, if correct, suggests the "Note" portion should just be deleted. ::: lib/libpkix/pkix_pl_nss/module/pkix_pl_aiamgr.c @@ +164,5 @@ > + * LDAP server, so we don't support this kind of LDAP URL. > + * Note: pkix_pl_InfoAccess_ParseLocation parses this kind of URL into > + * an empty 'domainName' string. With OpenLDAP and Windows, you pass a > + * NULL 'host' or 'HostName' argument to ldap_init in this case. > + */ I don't fully understand the "Note" comment. Are you trying to describe how it *could* be supported?
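Review bot: the "Note:" lines in the quoted hunk describe how a host-less URL could be serviced (pass a NULL 'host' or 'HostName' to ldap_init on OpenLDAP and Windows) rather than why it is rejected, so a reader will take them as a to-do instead of a rationale; either drop them or lead with the reason already given on the line above ("so we don't support this kind of LDAP URL") and keep the ldap_init remark only as a pointer for anyone adding default-server support later. Also, since the comment states that pkix_pl_InfoAccess_ParseLocation produces an empty 'domainName' string for this URL form, the guard this comment accompanies must test for the empty string (*domainName == '\0' or equivalent) and not for a NULL pointer; the guard itself is outside the quoted context, so please confirm it matches what the comment says.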
Attachment #8358484 - Flags: review?(ryan.sleevi) → review+
Created attachment 8358741 [details] [diff] [review] Patch v2 I tried to clarify the "Note" comment. Hopefully I didn't make it worse.
Created attachment 8359936 [details] [diff] [review] Patch v3 I decided to just delete the "Note" comment. It's not that important and the info can be found in this bug report in patch v2 (attachment 8358741 [details] [diff] [review]). Patch checked in: https://hg.mozilla.org/projects/nss/rev/f5849acd1dfb
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Priority: -- → P2
Resolution: --- → FIXED
Target Milestone: --- → 3.15.5