Closed Bug 970531 Opened 11 years ago Closed 11 years ago

Increase name limits in alg1485

Categories

(NSS :: Libraries, defect)

3.16
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED
3.16.2

People

(Reporter: KaiE, Assigned: KaiE)

References

Details

The limits set in alg1485 for common name, org name and org unit name are very small. When working with UTF8 characters, it's very easy to exceed the limits. We have seen certificates where our limits weren't sufficient. I believe this happened the last time we had to deal with blacklisting something... I had discussed this with Bob before, and he had agreed to it, but right now I cannot find the discussion, so I'm filing this for tracking purposes.
Depends on: 970539
patch in bug 970539
(In reply to Kai Engert (:kaie) from comment #1)
> patch in bug 970539

From attachment 8373606:
> - { "CN", 64, SEC_OID_AVA_COMMON_NAME, SEC_ASN1_DS},
> + { "CN", 640, SEC_OID_AVA_COMMON_NAME, SEC_ASN1_DS},
> { "ST", 128, SEC_OID_AVA_STATE_OR_PROVINCE,
> SEC_ASN1_DS},
> - { "O", 64, SEC_OID_AVA_ORGANIZATION_NAME,
> + { "O", 128, SEC_OID_AVA_ORGANIZATION_NAME,
> SEC_ASN1_DS},
> - { "OU", 64, SEC_OID_AVA_ORGANIZATIONAL_UNIT_NAME,
> + { "OU", 128, SEC_OID_AVA_ORGANIZATIONAL_UNIT_NAME,
> SEC_ASN1_DS},

64 characters isn't just an arbitrary limit in alg1485.c, it stems from RFC 5280 and predecessors:

> X520CommonName ::= CHOICE {
> teletexString TeletexString (SIZE (1..ub-common-name)),
> printableString PrintableString (SIZE (1..ub-common-name)),
> universalString UniversalString (SIZE (1..ub-common-name)),
> utf8String UTF8String (SIZE (1..ub-common-name)),
> bmpString BMPString (SIZE (1..ub-common-name)) }
>
> X520OrganizationName ::= CHOICE {
> teletexString TeletexString (SIZE (1..ub-organization-name)),
> printableString PrintableString (SIZE (1..ub-organization-name)),
> universalString UniversalString (SIZE (1..ub-organization-name)),
> utf8String UTF8String (SIZE (1..ub-organization-name)),
> bmpString BMPString (SIZE (1..ub-organization-name)) }
>
> X520OrganizationalUnitName ::= CHOICE {
> teletexString TeletexString (SIZE (1..ub-organizational-unit-name)),
> printableString PrintableString (SIZE (1..ub-organizational-unit-name)),
> universalString UniversalString (SIZE (1..ub-organizational-unit-name)),
> utf8String UTF8String (SIZE (1..ub-organizational-unit-name)),
> bmpString BMPString (SIZE (1..ub-organizational-unit-name)) }

and finally:

> -- specifications of Upper Bounds MUST be regarded as mandatory
> -- from Annex B of ITU-T X.411 Reference Definition of MTS Parameter
> -- Upper Bounds
>
> -- Upper Bounds
> ub-name INTEGER ::= 32768
> ub-common-name INTEGER ::= 64
> ub-locality-name INTEGER ::= 128
> ub-state-name INTEGER ::= 128
> ub-organization-name INTEGER ::= 64
> ub-organizational-unit-name INTEGER ::= 64

While it's true that a SIZE of 64 isn't the same e.g. for a PrintableString and a UTF8String when counting octets, the limits should at least be modified consistently - which is 256 for CN, O and OU (in all of the allowed ASN.1 encodings, at most 4 octets are needed to represent a single character).
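Review bot: the three raised limits in the quoted hunk do not follow one rule. CN, O and OU share the same RFC 5280 upper bound (ub-common-name, ub-organization-name and ub-organizational-unit-name are each 64), yet the hunk takes CN from 64 to 640 while O and OU go only to 128, and ST (ub-state-name 128) keeps its 128, so after the change the table entries relate to the RFC bounds by three different factors. Suggest deriving each entry from one formula, the RFC character bound times the 4 octets a UTF8String may need per character, which yields the 256 proposed above for CN, O and OU, and stating in a comment beside the table whether the column counts characters or octets, since the RFC bounds are in characters and the quoted disagreement is about octets.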
fixed as part of bug 970539.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.16.2
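The character-versus-octet point raised in the comment above, as an added example that is not NSS code or part of this bug: a structural UTF-8 counter applies the RFC 5280 upper bound in characters and shows the octet length that a byte-sized table limit like alg1485's 64 would compare against. The sample CN (64 copies of U+540D) and the function names are constructed for illustration.

```c
/* Added example, not NSS code: count an X.520 UTF8String value in characters, as RFC
 * 5280's ub-common-name does, versus the octets a byte-sized cap like alg1485's 64 sees. */
#include <string.h>
#include <stdio.h>

#define UB_COMMON_NAME  64  /* RFC 5280 Appendix A */
#define UTF8_MAX_OCTETS  4  /* longest valid UTF-8 sequence for one character */

/* Code points in s[0..len), or -1 on malformed UTF-8 (bad lead byte,
 * truncated sequence, non-continuation byte). Structural check only. */
long utf8_count_chars(const unsigned char *s, size_t len)
{
    long chars = 0;
    for (size_t i = 0; i < len; chars++) {
        size_t need = s[i] < 0x80 ? 1 : (s[i] & 0xE0) == 0xC0 ? 2
                    : (s[i] & 0xF0) == 0xE0 ? 3 : (s[i] & 0xF8) == 0xF0 ? 4 : 0;
        if (need == 0 || i + need > len) return -1;
        for (size_t k = 1; k < need; k++)
            if ((s[i + k] & 0xC0) != 0x80) return -1;
        i += need;
    }
    return chars;
}

/* 1 if value is well-formed UTF-8 and at most ub_chars characters long. */
int ava_fits_rfc_bound(const char *value, long ub_chars)
{
    long n = utf8_count_chars((const unsigned char *)value, strlen(value));
    return n >= 0 && n <= ub_chars;
}

/* Constructed sample CN: 64 copies of U+540D, which is 3 octets in UTF-8. */
const char *sample_cn(void)
{
    static char cn[64 * 3 + 1];
    cn[0] = '\0';
    for (int i = 0; i < 64; i++) strcat(cn, "\xE5\x90\x8D");
    return cn;
}

int main(void)
{
    const char *cn = sample_cn();
    size_t octets = strlen(cn);  /* 192: within the RFC bound, over a 64-octet cap */
    printf("chars=%ld octets=%zu rfc_ok=%d fits_64=%d fits_256=%d\n",
           utf8_count_chars((const unsigned char *)cn, octets), octets,
           ava_fits_rfc_bound(cn, UB_COMMON_NAME), (int)(octets <= 64),
           (int)(octets <= (size_t)UB_COMMON_NAME * UTF8_MAX_OCTETS));
    return 0;
}
```

The sample name is valid under ub-common-name yet three times longer than a 64-octet buffer, while 256 octets (64 characters times 4) accepts every well-formed UTF8String the bound allows.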