Bug 872761 - Sporadic failure of 'certutil' to convert ASCII cert request to binary . . .
Summary: Sporadic failure of 'certutil' to convert ASCII cert request to binary . . .
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: nss
Version: 18
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
Assignee: Elio Maldonado Batiz
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 953485
TreeView+ depends on / blocked
 
Reported: 2012-11-02 23:01 UTC by Matthew Harmsen
Modified: 2013-06-01 02:29 UTC (History)
8 users (show)

Fixed In Version: nss-3.14.3-2.fc17
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-04-25 14:16:24 UTC


Attachments (Terms of Use)
cert that demonstrates the problem (1.17 KB, text/plain)
2013-04-19 19:48 UTC, Rob Crittenden
no flags Details
Failling with build 2 as well (1.17 KB, text/plain)
2013-04-19 21:09 UTC, Rob Crittenden
no flags Details


Links
System ID Priority Status Summary Last Updated
Mozilla Foundation 808217 None None None 2019-03-23 04:46:30 UTC

Description Matthew Harmsen 2012-11-02 23:01:07 UTC
Steps to reproduce:

This problem sporadically occurs in 'certutil' when using the "-a" option.

The Dogtag Certificate System utilizes the following 'certutil' commands to generate a certificate:

    * certutil -N -d /tmp/ztest/certs -f /tmp/ztest/password.conf
    * certutil -A -n "caadmin" -t "u,u,u" -f /tmp/ztest/password.conf -d /tmp/ztest/certs -a -i /tmp/ztest/ca_admin.cert


Actual results:

It has been noticed that occasionally, the following command sequence utilized to generate a certificate fails:

    * certutil -N -d /tmp/ztest/certs -f /tmp/ztest/password.conf
    * certutil -A -n "caadmin" -t "u,u,u" -f /tmp/ztest/password.conf -d /tmp/ztest/certs -a -i /tmp/ztest/ca_admin.cert
       error converting ascii to binary (Unrecognized Object Identifier.)
       certutil: unable to read input file: Unrecognized Object Identifier.

Here is a sample of a failed ASCII certificate request:

MIID9DCCAtygAwIBAgIBBjANBgkqhkiG9w0BAQsFADA+MRswGQYDVQQKExJVU0VS
U1lTLlJFREhBVC5DT00xHzAdBgNVBAMTFkNBIFNpZ25pbmcgQ2VydGlmaWNhdGUw
HhcNMTIxMDI1MjMyODU1WhcNMTQxMDE1MjMyODU1WjCBkzEbMBkGA1UEChMSVVNF
UlNZUy5SRURIQVQuQ09NMSkwJwYJKoZIhvcNAQkBFhpjYWFkbWluQHVzZXJzeXMu
cmVkaGF0LmNvbTEXMBUGCgmSJomT8ixkAQETB2NhYWRtaW4xMDAuBgNVBAMTJ0NB
IEFkbWluaXN0cmF0b3Igb2YgSW5zdGFuY2UgcGtpLXRvbWNhdDCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBALz/yuUqY4oDtz/jktdrquoHItGj01w9l3BJ
8mfhmnFR9L1n7Coh4opBaJ/cVo11craeblOhq9pYrSrd6HWKsF26n1dGOGcW80kF
pnbRIl/nvohPEv70T/jG2Mau0OrmIPyofeggKlfqq5ZE+E/WR6DKuACmCVDIbfg4
/i34fMCL/kWKfgwwht2jRVjbHgRGF7HCDLbxR4unqMG9CAEC/oHNgD3y5BZmw8nI
xdUfxLoonD7DFFPTd3lTSweSNPQTlHOSYRkBbM9qpP2F3XNBkW0rq2o7Sp9gfcCI
7m2RL1C8G/GXafPkLt1NZ3A/zKlrmfnL+Kh1iCES5fDO+KXZVtkCAwEAAaOBpjCB
ozAfBgNVHSMEGDAWgBTnj55EvB9WfBzsy/q5r5tvUOUirTBRBggrBgEFBQcBAQRF
MEMwQQYIKwYBBQUHMAGGNWh0dHA6Ly9kb2d0YWcxNy1jbG9uZS51c2Vyc3lzLnJl
ZGhhdC5jb206ODA4MC9jYS9vY3NwMA4GA1UdDwEB/wQEAwIE8DAdBgNVHSUEFjAU
BggrBgEFBQcDAgYIKwYBBQUHAwQwDQYJKoZIhvcNAQELBQADggEBAKgZTBj5P01i
AIV/xe12nT7ti4Hz6//yZbwnIWv1tOSCVULsHYzwDSLp0/HRmdux6nKiE8WBtZ59
NHi5ukT1ceNp9iJP2MP7Xx38K3PPhJfkri4ajuSWtQonjyILxvYY9bmPOgCwEKng
GWec1pqn73n/Pqe/kQn42w8DOfnyA+JS+xsZi6QdZoy9iKKUUnrsJK/SMoprpbKc
fANaeTsKcbA7COYCKUP8W3pMhWDw1DMlFF9o4EnzqYMTw9QfpzJNX8gR+BODaXeI
A5Pbv1/UjvQn/8NUGZ99AuPrkBu1FZOnakz6Ln9rnk+2xrFMzh/FJ5CuUy6y91Zl
yHiL701M/Io=



Expected results:

After using the Dogtag Certificate System AtoB tool to change it from ASCII to Binary, I re-ran certutil (without the '-a' option), and it worked fine:

    AtoB ca_admin.cert ca_bin.cert
    certutil -A -n "caadmin" -t "u,u,u" -f /tmp/ztest/password.conf -d /tmp/ztest/certs -i /tmp/ztest/ca_bin.cert

Comment 1 Jan Cholasta 2013-04-04 08:56:51 UTC
Hi, the bug is in function SECU_ReadDERFromFile. It reads the certificate file into a buffer and then passes the buffer unmodified to ATOB_ConvertAsciiToItem if the certificate file is ASCII without PEM header and trailer. ATOB_ConvertAsciiToItem uses PORT_Strlen to determine the length of the buffer, which is wrong in this case, because the buffer is not null-terminated. The buffer and the incorrect length are then passed to NSSBase64_DecodeBuffer, which in turn tries to decode characters past the end of the buffer, which causes the failure described in this bug.

Comment 2 Martin Kosek 2013-04-18 10:26:42 UTC
We are hitting this issue again on during our Fedora 19 Test Days (https://fedoraproject.org/wiki/Test_Day:2013-04-18).

What are your plans on addressing it? Jan already provided an exact spot in the source code - this should help fixing it.

Comment 3 Kai Engert (:kaie) (inactive account) 2013-04-18 11:20:40 UTC
Thanks to Jan for pointing us to the issue. Somehow I had not seen it yet.

Working on a patch now...

Comment 4 Kai Engert (:kaie) (inactive account) 2013-04-18 12:27:40 UTC
I've attached a patch to the upstream bug.

Elio, once we have review upstream, we should submit updated packages of NSS for Fedora 18 + 19 (at least).

Comment 5 Kai Engert (:kaie) (inactive account) 2013-04-18 12:34:17 UTC
I've submitted a F19 scratch build with the patch applied.
Could you please test it (will probably take 1-2 hours until the build is done)?
http://koji.fedoraproject.org/koji/taskinfo?taskID=5270773
(It should be sufficient to install the nss-tools package only.)

Comment 6 Scott Poore 2013-04-18 13:22:40 UTC
fixed my issue.  I'm no longer seeing the issue from bug 953485

Is there somewhere I can go give this karma to get it pushed through? Or is it just going to go through auto-magically?

Thank!

Comment 7 Kai Engert (:kaie) (inactive account) 2013-04-18 16:29:05 UTC
(In reply to comment #6)
> 
> Is there somewhere I can go give this karma to get it pushed through?

Not yet. Waiting for upstream review, then we can do a regular build for Fedora, then you'll see an automatic comment appearing in this bug (about a package being ready for testing), then your karma will be appreciated.

Thanks

Comment 8 Rob Crittenden 2013-04-19 18:50:06 UTC
As another data point, I'm still seeing the install failure with the test build.

certutil: could not decode certificate: security library: improperly formatted DER-encoded message.

Comment 9 Rob Crittenden 2013-04-19 19:48:50 UTC
Created attachment 737727 [details]
cert that demonstrates the problem

# rpm -q nss
nss-3.14.3-11.fc19.test.808217.1.x86_64
# certutil -N -d /tmp/db
# certutil -d /tmp/db -A -t u,u,u -n ipaCert -a -i /tmp/testcert

Comment 10 Kai Engert (:kaie) (inactive account) 2013-04-19 20:25:47 UTC
Thank you for the test case.
I identified another bug in function SECITEM_ReallocItem...

Comment 11 Kai Engert (:kaie) (inactive account) 2013-04-19 21:00:44 UTC
Another scratch build that fixes the second bug, too:
http://koji.fedoraproject.org/koji/taskinfo?taskID=5278092

Comment 12 Rob Crittenden 2013-04-19 21:09:44 UTC
Created attachment 737769 [details]
Failling with build 2 as well

Attaching the latest cert

# rpm -q nss
nss-3.14.3-11.fc19.test.808217.2.x86_64
# certutil -d /tmp/db -A -t u,u,u -n ipaCert -a -i /tmp/testcert2
certutil: could not decode certificate: security library: improperly formatted DER-encoded message.

Comment 13 Kai Engert (:kaie) (inactive account) 2013-04-19 22:50:07 UTC
The previous scratch build didn't work, because my fix was in a shared library that is contained in the nss-util package - which I had forgotten to build for you.

But in the meantime, Bob has asked for a different approach to fix the bug - which cannot be backported to NSS 3.14.3.

So, for the short term, I will give you a workaround patch, where the fix is contained in the tool code, only.

I've started another scratch build with that newer fix.
http://koji.fedoraproject.org/koji/taskinfo?taskID=5278741

Again, it's only the nss and nss-tools package, but this time it should be sufficient.

(For some reason I cannot reproduce the bug in my Fedora 19 VM, although I am able to reproduce on my primary F18 system. It probably depends on the dynamic contents of memory, it doesn't crash if your runtime memory happens to be fresh and initialized with zeroes...)

Comment 14 Rob Crittenden 2013-04-22 13:12:35 UTC
Using this build I was able to use certutil and the previous test certs standalone and do a full IPA installation as well.

Comment 15 Fedora Update System 2013-04-22 14:58:09 UTC
nss-3.14.3-2.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/nss-3.14.3-2.fc18

Comment 16 Fedora Update System 2013-04-22 14:58:25 UTC
nss-3.14.3-2.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/nss-3.14.3-2.fc17

Comment 17 Fedora Update System 2013-04-22 14:58:38 UTC
nss-3.14.3-12.0.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/nss-3.14.3-12.0.fc19

Comment 18 Kai Engert (:kaie) (inactive account) 2013-04-22 16:42:37 UTC
(In reply to comment #14)
> Using this build I was able to use certutil and the previous test certs
> standalone and do a full IPA installation as well.

Great, thanks for testing Rob!

Please give Karma to get the packages into the regular updates.

Comment 19 Fedora Update System 2013-04-22 17:19:20 UTC
Package nss-3.14.3-12.0.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing nss-3.14.3-12.0.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-6247/nss-3.14.3-12.0.fc19
then log in and leave karma (feedback).

Comment 20 Fedora Update System 2013-04-25 14:16:27 UTC
nss-3.14.3-12.0.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 21 Fedora Update System 2013-04-26 00:59:24 UTC
nss-3.14.3-2.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 22 Kai Engert (:kaie) (inactive account) 2013-05-30 16:56:32 UTC
Once we submit NSS 3.15 packages (very soon), it would be great to get help from QA to re-test.

The reason is, the patch used for 3.14 is different than the patch that has been accepted for the main line of 3.15 development. Thanks in advance.

Comment 23 Fedora Update System 2013-06-01 02:29:49 UTC
nss-3.14.3-2.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.