Bug 726802

Summary: RFE: be more forgiving of malformed(?) CMS SignedData messages
Product: [Fedora] Fedora Reporter: Nalin Dahyabhai <nalin>
Component: nssAssignee: nss-nspr-maint <nss-nspr-maint>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: dueno, kdudka, rrelyea
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-05-17 11:24:49 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Attachments:
Description Flags
preauth data
none
server CA certificate
none
client CA certificate
none
client credentials
none
test program
none
possible patch, though there's probably a better way
none
bob's improved version of nalin's patch sent upstream, yet to be applied none

Description Nalin Dahyabhai 2011-07-29 20:24:35 UTC 
Description of problem:
When parsing PKINIT preauthentication responses from a KDC running WS2003, my code is failing to verify the signature correctly.  On examination of the signed data inside of the enveloped data, it appears that the digest algorithm given for the signed data is that of a signature algorithm (in my case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION) rather than a digest algorithm (I'd expect SEC_OID_SHA1).

I think the party generating the message is doing it wrong, but I'd like to parse the message successfully anyway.

Version-Release number of selected component (if applicable):
nss-3.12.10-6.fc16.x86_64

How reproducible:
Always

Steps to Reproduce:
I'll attach the data that I have.
  
Actual results:
Error 18 while attempting to verify the data.

Expected results:
No error.
Comment 1 Nalin Dahyabhai 2011-07-29 20:25:08 UTC 
Created attachment 515930 [details]
preauth data
Comment 2 Nalin Dahyabhai 2011-07-29 20:25:40 UTC 
Created attachment 515931 [details]
server CA certificate
Comment 3 Nalin Dahyabhai 2011-07-29 20:26:12 UTC 
Created attachment 515932 [details]
client CA certificate
Comment 4 Nalin Dahyabhai 2011-07-29 20:26:34 UTC 
Created attachment 515933 [details]
client credentials
Comment 5 Nalin Dahyabhai 2011-07-29 20:27:51 UTC 
Created attachment 515934 [details]
test program
Comment 6 Nalin Dahyabhai 2011-07-29 20:28:48 UTC 
Created attachment 515936 [details]
possible patch, though there's probably a better way
Comment 7 Bob Relyea 2011-08-27 00:55:14 UTC 
The possibly better patch has been attached upstream. It passes Nalin's little sample program. Nalin, can you see it works in your test environment?

bob
Comment 8 Elio Maldonado Batiz 2011-09-11 02:20:37 UTC 
Created attachment 522558 [details]
bob's improved version of nalin's patch sent upstream, yet to be applied
Comment 9 Fedora Admin XMLRPC Client 2016-08-15 15:52:30 UTC 
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 10 Daiki Ueno 2019-05-17 11:24:49 UTC 
The patch was merged in upstream long ago and we have newer versions in Fedora.
If the problem persists, please feel free to reopen.