Bug 726811

Summary: Errors parsing nested CMS messages make the encapsulated content irretrievable
Product: [Fedora] Fedora Reporter: Nalin Dahyabhai <nalin>
Component: nssAssignee: Elio Maldonado Batiz <emaldona>
Status: CLOSED UPSTREAM QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 19CC: emaldona, kdudka, kengert, nalin, rrelyea
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-01-03 18:14:17 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Attachments:
Description Flags
preauth data
none
server CA certificate
none
client CA certificate
none
client credentials
none
test program none

Description Nalin Dahyabhai 2011-07-29 20:36:46 UTC 
Description of problem:

When parsing PKINIT preauthentication responses from a KDC running WS2008, I'm encountering problems reading SignedData which is wrapped in an EnvelopedData.

The server is wrapping the SignedData in a ContentInfo and then putting _that_ inside of the EncapsulatedContentInfo of the EnvelopedData structure.  In earlier versions, the EncapsulatedContentInfo's stated type was Data, so while it looked odd, it was easy to just parse it as a new CMS message, but in the current version the stated type is SignedData, so NSS tries to parse the nested ContentInfo as a SignedData, and it just fails.

I think the party generating the message is nesting the CMS structures wrong, but I'd like to parse the message successfully anyway.

Version-Release number of selected component (if applicable):
nss-3.12.10-6.fc16.x86_64

How reproducible:
Always

Steps to Reproduce:
I'll attach the data that I have.
  
Actual results:
Unable to recover the encapsulated content in its original form.

Expected results:
Able to recover encapsulated content in unparsed form.
Comment 1 Nalin Dahyabhai 2011-07-29 20:37:54 UTC 
Created attachment 515937 [details]
preauth data
Comment 2 Nalin Dahyabhai 2011-07-29 20:38:16 UTC 
Created attachment 515938 [details]
server CA certificate
Comment 3 Nalin Dahyabhai 2011-07-29 20:38:38 UTC 
Created attachment 515939 [details]
client CA certificate
Comment 4 Nalin Dahyabhai 2011-07-29 20:39:00 UTC 
Created attachment 515940 [details]
client credentials
Comment 5 Nalin Dahyabhai 2011-07-29 20:39:24 UTC 
Created attachment 515941 [details]
test program
Comment 6 Bob Relyea 2011-08-27 01:03:26 UTC 
> In earlier versions, the EncapsulatedContentInfo's stated type was Data,
> so while it looked odd, it was easy to just parse it as a new CMS message,
> but in the current version the stated type is SignedData, so NSS tries to
> parse the nested ContentInfo as a SignedData, and it just fails.

So actually I was able to get a dump of the nexted ContentInfo and it is in fact SignedData, except it's not properly wrapped in a sequence. I have a patch I'll attach to the upstream bug which detects this case and magically adds the expected sequence. The patch makes nalin's test case in the bug work correctly. Nalin, could you see if the patch works in your test environment.

bob
Comment 7 Fedora End Of Life 2013-04-03 14:48:11 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle.
Changing version to '19'.

(As we did not run this process for some time, it could affect also pre-Fedora 19 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.)

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19
Comment 8 Elio Maldonado Batiz 2014-01-03 18:14:17 UTC 
Ths was fixed a long time ago upstreama nd we picked it up in a rebase.