726811 – Errors parsing nested CMS messages make the encapsulated content irretrievable

Bug 726811 - Errors parsing nested CMS messages make the encapsulated content irretrievable

Summary: Errors parsing nested CMS messages make the encapsulated content irretrievable

Keywords:
Status:	CLOSED UPSTREAM
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	nss
Sub Component:
Version:	19
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Elio Maldonado Batiz
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2011-07-29 20:36 UTC by Nalin Dahyabhai
Modified:	2014-01-03 18:14 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2014-01-03 18:14:17 UTC
Type:	---
Dependent Products:

Attachments	(Terms of Use)
preauth data (2.76 KB, application/octet-stream) 2011-07-29 20:37 UTC, Nalin Dahyabhai	no flags	Details
server CA certificate (1.32 KB, text/plain) 2011-07-29 20:38 UTC, Nalin Dahyabhai	no flags	Details
client CA certificate (1.33 KB, text/plain) 2011-07-29 20:38 UTC, Nalin Dahyabhai	no flags	Details
client credentials (2.72 KB, application/octet-stream) 2011-07-29 20:39 UTC, Nalin Dahyabhai	no flags	Details
test program (8.40 KB, text/plain) 2011-07-29 20:39 UTC, Nalin Dahyabhai	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Mozilla Foundation	679380	0	None	None	None	Never
Red Hat Bugzilla	726802	0	unspecified	CLOSED	RFE: be more forgiving of malformed(?) CMS SignedData messages	2021-02-22 00:41:40 UTC

Internal Links: 726802

Description Nalin Dahyabhai 2011-07-29 20:36:46 UTC

Description of problem:

When parsing PKINIT preauthentication responses from a KDC running WS2008, I'm encountering problems reading SignedData which is wrapped in an EnvelopedData.

The server is wrapping the SignedData in a ContentInfo and then putting _that_ inside of the EncapsulatedContentInfo of the EnvelopedData structure.  In earlier versions, the EncapsulatedContentInfo's stated type was Data, so while it looked odd, it was easy to just parse it as a new CMS message, but in the current version the stated type is SignedData, so NSS tries to parse the nested ContentInfo as a SignedData, and it just fails.

I think the party generating the message is nesting the CMS structures wrong, but I'd like to parse the message successfully anyway.

Version-Release number of selected component (if applicable):
nss-3.12.10-6.fc16.x86_64

How reproducible:
Always

Steps to Reproduce:
I'll attach the data that I have.
  
Actual results:
Unable to recover the encapsulated content in its original form.

Expected results:
Able to recover encapsulated content in unparsed form.

Comment 1 Nalin Dahyabhai 2011-07-29 20:37:54 UTC

Created attachment 515937 [details]
preauth data

Comment 2 Nalin Dahyabhai 2011-07-29 20:38:16 UTC

Created attachment 515938 [details]
server CA certificate

Comment 3 Nalin Dahyabhai 2011-07-29 20:38:38 UTC

Created attachment 515939 [details]
client CA certificate

Comment 4 Nalin Dahyabhai 2011-07-29 20:39:00 UTC

Created attachment 515940 [details]
client credentials

Comment 5 Nalin Dahyabhai 2011-07-29 20:39:24 UTC

Created attachment 515941 [details]
test program

Comment 6 Bob Relyea 2011-08-27 01:03:26 UTC

> In earlier versions, the EncapsulatedContentInfo's stated type was Data,
> so while it looked odd, it was easy to just parse it as a new CMS message,
> but in the current version the stated type is SignedData, so NSS tries to
> parse the nested ContentInfo as a SignedData, and it just fails.

So actually I was able to get a dump of the nexted ContentInfo and it is in fact SignedData, except it's not properly wrapped in a sequence. I have a patch I'll attach to the upstream bug which detects this case and magically adds the expected sequence. The patch makes nalin's test case in the bug work correctly. Nalin, could you see if the patch works in your test environment.

bob

Comment 7 Fedora End Of Life 2013-04-03 14:48:11 UTC

This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle.
Changing version to '19'.

(As we did not run this process for some time, it could affect also pre-Fedora 19 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.)

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19

Comment 8 Elio Maldonado Batiz 2014-01-03 18:14:17 UTC

Ths was fixed a long time ago upstreama nd we picked it up in a rebase.

Note You need to log in before you can comment on or make changes to this bug.