Bug 796293

Summary: cannot decode Basic Constraints
Product: [Fedora] Fedora Reporter: Rob Crittenden <rcritten>
Component: python-nssAssignee: John Dennis <jdennis>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 16CC: dcantrell, jdennis, pkis
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: python-nss-0.13 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 796295 (view as bug list) Environment:
Last Closed: 2012-10-05 16:48:19 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 796295    
Attachments:
Description Flags
The failing CA PEM file none

Description Rob Crittenden 2012-02-22 16:07:34 UTC 
Description of problem:

I have a CA cert and I'm trying to pick out its constraints and parsing it is failing in python-nss with:

$ python ~rcrit/python_nss/doc/examples/cert_dump.py /etc/ipa/ca.crt
Traceback (most recent call last):
  File "/home/rcrit/cert_dump.py", line 183, in <module>
    print_extension(2, extension)
  File "/home/rcrit/cert_dump.py", line 101, in print_extension
    bc = nss.BasicConstraints(extension.value)
nss.error.NSPRError: [Errno -8183] (SEC_ERROR_BAD_DER) security library: improperly formatted DER-encoded message.: 'cannot decode Basic Constraints'

Version-Release number of selected component (if applicable):

python-nss-0.12-1.fc16.x86_64
Comment 1 Rob Crittenden 2012-02-22 16:08:09 UTC 
Created attachment 565031 [details]
The failing CA PEM file
Comment 2 John Dennis 2012-02-23 18:33:33 UTC 
The format specifier for PyArg_ParseTupleAndKeywords in BasicConstraints_init() was wrong, instead of "O|i" it should have been "O!", looks like it was a cut-n-paste bug.

<     if (!PyArg_ParseTupleAndKeywords(args, kwds, "O|i:BasicConstraints", kwlist,
---
>     if (!PyArg_ParseTupleAndKeywords(args, kwds, "O!:BasicConstraints", kwlist,
Comment 3 John Dennis 2012-02-23 23:37:50 UTC 
As a note to myself, I found a couple of other places with similar issues, they're fixed in upstream tip but if we do a patch we should include these as well:

-    if (!PyArg_ParseTupleAndKeywords(args, kwds, "O|i:GeneralName", kwlist,
+    if (!PyArg_ParseTupleAndKeywords(args, kwds, "O!:GeneralName", kwlist,

--------------

-    if (!PyArg_ParseTuple(args, "O!|i:x509_key_usage",
-                          &SecItemType, &py_sec_item, &repr_kind))
+    if (!PyArg_ParseTupleAndKeywords(args, kwds, "O!|i:x509_key_usage", kwlist,
+                                     &SecItemType, &py_sec_item, &repr_kind))

---------------

-    {"x509_key_usage",                   (PyCFunction)cert_x509_key_usage,                 METH_VARARGS,               cert_x509_key_usage_doc},
+    {"x509_key_usage",                   (PyCFunction)cert_x509_key_usage,                 METH_VARARGS|METH_KEYWORDS, cert_x509_key_usage_doc},