[xmlsec] workaround emailAddress problem with nss (nss bug https://bugzilla.mozilla.org/show_bug.cgi?id=56168
- From: Aleksey Sanin <aleksey src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [xmlsec] workaround emailAddress problem with nss (nss bug https://bugzilla.mozilla.org/show_bug.cgi?id=56168
- Date: Mon, 26 Apr 2010 07:26:55 +0000 (UTC)
commit 59dad1727e6103605dbd90182207ad9493feeea6
Author: Aleksey Sanin <aleksey aleksey com>
Date: Sun Apr 25 21:10:04 2010 -0700
workaround emailAddress problem with nss (nss bug https://bugzilla.mozilla.org/show_bug.cgi?id=561689)
ChangeLog | 2 +
src/nss/README | 28 +++++++--------
src/nss/x509vfy.c | 95 +++++++++++++++++++++++++++++++++++-----------------
3 files changed, 79 insertions(+), 46 deletions(-)
---
diff --git a/ChangeLog b/ChangeLog
index c08430a..a00456a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,8 @@
* Added support for SHA256/384/512 for digest, HMAC and RSA in xmlsec-nss
(requires nss 3.8 + nspr 4.3 or greater)
* Added support for MD5 for digest and RSA in xmlsec-nss
+ * Minor fixes to xmlsec-nss (xmlsec bug #118630), bumping nss min
+ version to 3.9 + nspr 4.4.1 or greater
2010-04-24 Aleksey Sanin <aleksey aleksey com>
* Fix PK_CONFIG problem (reported by Roumen)
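Review bot: the ChangeLog entry does not mention the emailAddress workaround that is the subject of this commit (the new xmlSecNssGetCertName() in x509vfy.c and README item 11); it only records the version bump and "minor fixes". A line such as "* Workaround for missing emailAddress support in NSS (nss bug 561689)" under the 2010-04-25 block would let anyone grepping the ChangeLog find why the name rewriting exists and when it can be removed.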
diff --git a/src/nss/README b/src/nss/README
index 65dd5bd..e8c1ac0 100644
--- a/src/nss/README
+++ b/src/nss/README
@@ -1,6 +1,6 @@
WHAT VERSION OF NSS?
------------------------------------------------------------------------
-NSS 3.8 or greater and NSPR 4.3 or greater are required.
+NSS 3.9 or greater and NSPR 4.4.1 or greater are required.
KEYS MANAGER
------------------------------------------------------------------------
@@ -41,7 +41,7 @@ are:
- NSS Database
-KNOWN ISSUES.
+KNOWN ISSUES
------------------------------------------------------------------------
1) NSS needs to provide a way to convert a DER integer string to an ASCII
decimal string. Once NSS is fixed, the function xmlSecNssASN1IntegerWrite
@@ -61,23 +61,17 @@ that is missing from xmlsec-nss.
NSS bug: http://bugzilla.mozilla.org/show_bug.cgi?id=158747
xmlsec bug: http://bugzilla.gnome.org/show_bug.cgi?id=118629
-4) There are 2 fixes in NSS that will be rolled into the next release (3.9).
-They are:
-
-
-xmlsec bug: http://bugzilla.gnome.org/show_bug.cgi?id=118630
-
-5) CERT_FindCertByNameString does not work in all cases
+4) CERT_FindCertByNameString does not work in all cases
NSS bug: http://bugzilla.mozilla.org/show_bug.cgi?id=210709
xmlsec bug: http://bugzilla.gnome.org/show_bug.cgi?id=118631
-6) CERT_FindCertBySubjectKeyID does not work in all cases
+5) CERT_FindCertBySubjectKeyID does not work in all cases
NSS bug: http://bugzilla.mozilla.org/show_bug.cgi?id=211051
xmlsec bug: http://bugzilla.gnome.org/show_bug.cgi?id=118632
-7) Finding a cert by Issuer & Serial Number needs the ability to
+6) Finding a cert by Issuer & Serial Number needs the ability to
convert an ASCII decimal string to a DER integer string. Filed
an RFE against NSS. Once fixed, xmlSecNumToItem in x509vfy.c
needs to be changed to use the new function(s) provided
@@ -85,18 +79,18 @@ needs to be changed to use the new function(s) provided
NSS bug: http://bugzilla.mozilla.org/show_bug.cgi?id=212864
xmlsec bug: http://bugzilla.gnome.org/show_bug.cgi?id=118633
-8) RIPEMD160 Digest and RIPEMD160 HMAC is not supported by NSS
+7) RIPEMD160 Digest and RIPEMD160 HMAC is not supported by NSS
xmlsec bug: http://bugzilla.gnome.org/show_bug.cgi?id=118634
-9) AES Key wrap algorithm is implemented in NSS but not exposed due to
+8) AES Key wrap algorithm is implemented in NSS but not exposed due to
some bug src/nss/kw_aes.c uses a workaround which should be removed
when the bug is fixed
NSS bug: http://bugzilla.mozilla.org/show_bug.cgi?id=213795
xmlsec bug: http://bugzilla.gnome.org/show_bug.cgi?id=118635
-10) Not all file formats are supported
+9) Not all file formats are supported
- xmlSecNssAppKeyLoad(): This function loads a PKI key from a file.
The following formats are supported:
@@ -117,7 +111,7 @@ when the bug is fixed
The following formats are not supported:
xmlSecKeyDataFormatPem
-11) "Trusted" vs "Untrusted" certificates:
+10) "Trusted" vs "Untrusted" certificates:
The distinction between "trusted" and "untrusted" certificates in
xmlsec-openssl is maintained because the OPENSSL application (and
not the OPENSSL library) has to maintain a cert store and verify
@@ -126,3 +120,7 @@ application.
Aleksey: Not sure that I understand this point but thats what Tej wrote.
+11) NSS doesn't support emailAddress in the cert subject. There is a hack
+that needs to be removed in xmlSecNssX509FindCert function (x509vfy.c):
+
+https://bugzilla.mozilla.org/show_bug.cgi?id=561689
diff --git a/src/nss/x509vfy.c b/src/nss/x509vfy.c
index 2dbede0..8bf4e27 100644
--- a/src/nss/x509vfy.c
+++ b/src/nss/x509vfy.c
@@ -335,21 +335,77 @@ xmlSecNssX509StoreFinalize(xmlSecKeyDataStorePtr store) {
* Low-level x509 functions
*
*****************************************************************************/
+static CERTName *
+xmlSecNssGetCertName(const xmlChar * name) {
+ xmlChar *tmp, *name2;
+ xmlChar *p;
+ CERTName *res;
+
+ xmlSecAssert2(name != NULL, NULL);
+
+ /* nss doesn't support emailAddress (see https://bugzilla.mozilla.org/show_bug.cgi?id=561689)
+ * This code is not bullet proof and may produce incorrect results if someone has
+ * "emailAddress=" string in one of the fields, but it is best I can suggest to fix
+ * this problem.
+ */
+ name2 = xmlStrdup(name);
+ if(name2 == NULL) {
+ xmlSecError(XMLSEC_ERRORS_HERE,
+ NULL,
+ NULL,
+ XMLSEC_ERRORS_R_MALLOC_FAILED,
+ "xmlStrlen(name)=%d",
+ xmlStrlen(name));
+ return(NULL);
+ }
+ while( (p = (xmlChar*)xmlStrstr(name2, BAD_CAST "emailAddress=")) != NULL) {
+ memcpy(p, " mail=", 13);
+ }
+
+ tmp = xmlSecNssX509NameRead(name2, xmlStrlen(name2));
+ if(tmp == NULL) {
+ xmlSecError(XMLSEC_ERRORS_HERE,
+ NULL,
+ "xmlSecNssX509NameRead",
+ XMLSEC_ERRORS_R_XMLSEC_FAILED,
+ "name2=\"%s\"",
+ xmlSecErrorsSafeString(name2));
+ xmlFree(name2);
+ return(NULL);
+ }
+
+ res = CERT_AsciiToName((char*)tmp);
+ if (name == NULL) {
+ xmlSecError(XMLSEC_ERRORS_HERE,
+ NULL,
+ "CERT_AsciiToName",
+ XMLSEC_ERRORS_R_XMLSEC_FAILED,
+ "ascii=\"%s\", error code=%d",
+ xmlSecErrorsSafeString((char*)tmp),
+ PORT_GetError());
+ PORT_Free(tmp);
+ xmlFree(name2);
+ return(NULL);
+ }
+
+ PORT_Free(tmp);
+ return(res);
+}
+
static CERTCertificate*
xmlSecNssX509FindCert(xmlChar *subjectName, xmlChar *issuerName,
xmlChar *issuerSerial, xmlChar *ski) {
CERTCertificate *cert = NULL;
- xmlChar *p = NULL;
CERTName *name = NULL;
SECItem *nameitem = NULL;
PRArenaPool *arena = NULL;
if (subjectName != NULL) {
- p = xmlSecNssX509NameRead(subjectName, xmlStrlen(subjectName));
- if (p == NULL) {
+ name = xmlSecNssGetCertName(subjectName);
+ if (name == NULL) {
xmlSecError(XMLSEC_ERRORS_HERE,
NULL,
- "xmlSecNssX509NameRead",
+ "xmlSecNssGetCertName",
XMLSEC_ERRORS_R_XMLSEC_FAILED,
"subject=%s",
xmlSecErrorsSafeString(subjectName));
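Review bot: the NULL check after CERT_AsciiToName() tests the wrong variable: `if (name == NULL)` refers to the input parameter, which xmlSecAssert2() already guarantees is non-NULL, so a parse failure is never reported and the function falls through to `return(res)` with `res == NULL` and no error logged; it should read `if (res == NULL)`. Two further points in the same function: `name2` is freed on both error paths but not on the success path before `return(res)`, so every successful lookup leaks the xmlStrdup() buffer; and `memcpy(p, " mail=", 13)` hard-codes the length of "emailAddress=" (13 bytes), so the replacement literal must be padded to exactly 13 bytes, otherwise the copy reads past the literal and writes its terminating NUL into the middle of `name2`, truncating the remainder of the DN. Using `sizeof("emailAddress=") - 1` for the length and asserting at compile time that the replacement has the same size would make the coupling explicit. As the comment already notes, xmlStrstr() also matches inside attribute values, so a DN whose value happens to contain "emailAddress=" is rewritten and will no longer match the certificate's encoded name; that is a lookup failure rather than a wrong match, but worth stating in the README item.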
@@ -366,16 +422,6 @@ xmlSecNssX509FindCert(xmlChar *subjectName, xmlChar *issuerName,
goto done;
}
- name = CERT_AsciiToName((char*)p);
- if (name == NULL) {
- xmlSecError(XMLSEC_ERRORS_HERE,
- NULL,
- "CERT_AsciiToName",
- XMLSEC_ERRORS_R_XMLSEC_FAILED,
- XMLSEC_ERRORS_NO_MESSAGE);
- goto done;
- }
-
nameitem = SEC_ASN1EncodeItem(arena, NULL, (void *)name,
SEC_ASN1_GET(CERT_NameTemplate));
if (nameitem == NULL) {
@@ -383,7 +429,7 @@ xmlSecNssX509FindCert(xmlChar *subjectName, xmlChar *issuerName,
NULL,
"SEC_ASN1EncodeItem",
XMLSEC_ERRORS_R_XMLSEC_FAILED,
- "error code=%d", PORT_GetError());
+ "error code=%d", PORT_GetError());
goto done;
}
@@ -394,11 +440,11 @@ xmlSecNssX509FindCert(xmlChar *subjectName, xmlChar *issuerName,
if((issuerName != NULL) && (issuerSerial != NULL)) {
CERTIssuerAndSN issuerAndSN;
- p = xmlSecNssX509NameRead(issuerName, xmlStrlen(issuerName));
- if (p == NULL) {
+ name = xmlSecNssGetCertName(issuerName);
+ if (name == NULL) {
xmlSecError(XMLSEC_ERRORS_HERE,
NULL,
- "xmlSecNssX509NameRead",
+ "xmlSecNssGetCertName",
XMLSEC_ERRORS_R_XMLSEC_FAILED,
"issuer=%s",
xmlSecErrorsSafeString(issuerName));
@@ -415,16 +461,6 @@ xmlSecNssX509FindCert(xmlChar *subjectName, xmlChar *issuerName,
goto done;
}
- name = CERT_AsciiToName((char*)p);
- if (name == NULL) {
- xmlSecError(XMLSEC_ERRORS_HERE,
- NULL,
- "CERT_AsciiToName",
- XMLSEC_ERRORS_R_XMLSEC_FAILED,
- XMLSEC_ERRORS_NO_MESSAGE);
- goto done;
- }
-
nameitem = SEC_ASN1EncodeItem(arena, NULL, (void *)name,
SEC_ASN1_GET(CERT_NameTemplate));
if (nameitem == NULL) {
@@ -473,9 +509,6 @@ xmlSecNssX509FindCert(xmlChar *subjectName, xmlChar *issuerName,
}
done:
- if (p != NULL) {
- PORT_Free(p);
- }
if (arena != NULL) {
PORT_FreeArena(arena, PR_FALSE);
}
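Review bot: with `p` gone, `name` is now a CERTName returned by xmlSecNssGetCertName() and owned by this function, and it is assigned in both the subjectName and the issuerName branches, yet the `done:` block only releases `arena`. Unless the unchanged lines between the hunks already do so, add a `CERT_DestroyName(name)` guarded by `if (name != NULL)` here, and release the first `name` before the issuerName branch reassigns it, so that a call with both a subject and an issuer/serial does not leak the first parsed name.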