+++ This bug was initially created as a clone of Bug #796293 +++

Description of problem:
I have a CA cert and I'm trying to pick out its constraints and parsing it is failing in python-nss with:

$ python ~rcrit/python_nss/doc/examples/cert_dump.py /etc/ipa/ca.crt
Traceback (most recent call last):
  File "/home/rcrit/cert_dump.py", line 183, in <module>
    print_extension(2, extension)
  File "/home/rcrit/cert_dump.py", line 101, in print_extension
    bc = nss.BasicConstraints(extension.value)
nss.error.NSPRError: [Errno -8183] (SEC_ERROR_BAD_DER) security library: improperly formatted DER-encoded message.: 'cannot decode Basic Constraints'

Version-Release number of selected component (if applicable):
python-nss-0.12-1.fc16.x86_64

--- Additional comment from rcritten on 2012-02-22 11:08:09 EST ---

Created attachment 565031
The failing CA PEM file

Fails differently in RHEL 6.2, may be due to older version in RHEL.

$ python cert_dump.py /etc/ipa/ca.crt
certificate filename=/etc/ipa/ca.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1000 (0x3e8)
        Signature Algorithm:
Traceback (most recent call last):
  File "cert_dump.py", line 171, in <module>
    print nss.indented_format(cert.signature_algorithm.format_lines(3))
AttributeError: 'nss.nss.SignatureAlgorithm' object has no attribute 'format_lines'

The format specifier for PyArg_ParseTupleAndKeywords in BasicConstraints_init() was wrong; instead of "O|i" it should have been "O!". It looks like it was a cut-n-paste bug.

< if (!PyArg_ParseTupleAndKeywords(args, kwds, "O|i:BasicConstraints", kwlist, --- > if (!PyArg_ParseTupleAndKeywords(args, kwds, "O!:BasicConstraints", kwlist,

As for SignatureAlgorithm not having a format_lines method, that's due to version skew between the example code and the library. That was a change between 0.11 and 0.12; RHEL6 is still back at 0.11. That difference will not affect your use of BasicConstraints.
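
Review bot: the replacement line stops at "kwlist,", so the rest of the argument list is not shown, and that is where this change has to be completed. "O!" consumes two C arguments, a Python type object pointer followed by the address of the PyObject * to fill, while the old "O|i" consumed an object address and an int address. Please confirm that the continuation line now passes the expected type object ahead of the object pointer and no longer passes the int pointer left over from the copied code, since a mismatch between the format string and the variable arguments is undefined behaviour in C. A regression test that constructs BasicConstraints from the extension value of the attached CA certificate would also be worth adding.
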
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-0405.html