Bug 671266 - CMS can't verify signed data when the SignerInfo indicates the signer by subjectKeyID
Summary: CMS can't verify signed data when the SignerInfo indicates the signer by subj...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: nss
Version: 6.0
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: rc
: ---
Assignee: Elio Maldonado Batiz
QA Contact: Aleš Mareček
URL:
Whiteboard:
Depends On:
Blocks: 668887 750914
TreeView+ depends on / blocked
 
Reported: 2011-01-20 22:18 UTC by Nalin Dahyabhai
Modified: 2012-02-28 17:20 UTC (History)
4 users (show)

Fixed In Version: nss-3.12.10-14.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-12-06 12:08:30 UTC
Target Upstream Version:

Attachments (Terms of Use)
automated test (3.86 KB, application/gzip)
2011-10-19 15:43 UTC, Aleš Mareček 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)


Links
System ID Private Priority Status Summary Last Updated
Mozilla Foundation 211051 0 None None None Never
Mozilla Foundation 602509 0 None None None Never
Red Hat Product Errata RHBA-2011:1584 0 normal SHIPPED_LIVE nspr, nss, nss-softokn and nss-util bug fix and enhancement update 2011-12-06 00:38:51 UTC

Description Nalin Dahyabhai 2011-01-20 22:18:28 UTC 
Description of problem:
NSS's CMS routines can't verify signed data when the SignerInfo in the signed data indicates the signer ID using the subject key identifier.

Version-Release number of selected component (if applicable):
nss-3.12.9-1

How reproducible:
Always

Steps to Reproduce:
1. openssl cms -cmsout -sign -nodetach -keyid -outform der -signer key-and-cert.pem -in /etc/issue > signed3
2. cmsutil -d db/dir -D -i signed3
  
Actual results:
signer 0 status = SigningCertNotFound
cmsutil: problem decoding: Unrecognized Object Identifier.

Expected results:
The contents of /etc/issue reproduced.

Additional info:
This looks to be caused by an error locating the signer's certificate, despite it being contained in the message.
Comment 2 Bob Relyea 2011-01-21 01:30:27 UTC 
This may be related to upstream bug https://bugzilla.mozilla.org/show_bug.cgi?id=602509 ?

bob
Comment 3 Nalin Dahyabhai 2011-01-21 15:34:10 UTC 
Yes, it reads to me as being the same.
Comment 5 RHEL Program Management 2011-04-04 02:13:02 UTC 
Since RHEL 6.1 External Beta has begun, and this bug remains
unresolved, it has been rejected as it is not proposed as
exception or blocker.

Red Hat invites you to ask your support representative to
propose this request, if appropriate and relevant, in the
next release of Red Hat Enterprise Linux.
Comment 7 Elio Maldonado Batiz 2011-08-15 17:23:54 UTC 
Picking up the patch from upstream.
Comment 26 errata-xmlrpc 2011-12-06 12:08:30 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1584.html
Note You need to log in before you can comment on or make changes to this bug.