Bug 4910 - tl-certtool fails to parse certificates.
Status: CLOSED FIXED
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Misc
Version: 4.1.1
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: 4.2.0
Assignee: Henrik Andersson
Keywords: astrand_tester, prosaic
Reported: 2013-11-21 15:58 CET by Henrik Andersson
Modified: 2014-04-16 15:52 CEST

Description Henrik Andersson cendio 2013-11-21 15:58:11 CET
With the following log:

tl-ldap-certalias: DEBUG: Found user xxyyzz
tl-ldap-certalias: ERROR: Failed to load certificate...
stderr from tl-certtool:  ERROR: Could not read Novell subject from certificate (error code -2)


This report arrived from a customer and we have also verified this at another customer's site.
Comment 1 Henrik Andersson cendio 2013-11-21 16:00:42 CET
It appears only on certificates with SubjectAlternateName and we have reproduced the problem in-house.

What is failing is a special-case handling in the certificate parser; the problem is pinned to an upgrade of libtasn, which has changed its interface when parsing internal types like IA5String.

The new approach is to use asn1_decode_simple_der().
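
Added example, not ThinLinc or libtasn1 code and not part of the comment above: a hand-written decoder for a single DER IA5String, the simple type named in comment 1, showing the tag, length and character checks such a decode has to make. The name decode_ia5string and the sample bytes are hypothetical, and rejecting NUL bytes is a hardening assumption of this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DER_TAG_IA5STRING 0x16  /* universal tag number 22 */

/* Hypothetical helper (not libtasn1 or ThinLinc code): decode one DER
 * IA5String TLV. Returns 0 and points *str / *str_len at the value bytes.
 * Returns -1 on wrong tag, non-DER length, truncated or trailing data, or
 * bytes outside 0x01..0x7f (rejecting NUL is this example's choice). */
int decode_ia5string(const unsigned char *der, size_t der_len,
                     const unsigned char **str, size_t *str_len)
{
    size_t pos = 2, len, i;
    if (der == NULL || der_len < 2 || der[0] != DER_TAG_IA5STRING)
        return -1;
    len = der[1];
    if (len & 0x80) {                   /* long form: 0x80 | byte count */
        size_t n = len & 0x7f;
        if (n == 0 || n > sizeof(size_t) || der_len - 2 < n)
            return -1;                  /* indefinite or oversized length */
        if (der[2] == 0)
            return -1;                  /* DER forbids leading zero bytes */
        for (len = 0, i = 0; i < n; i++)
            len = (len << 8) | der[pos++];
        if (len < 0x80)
            return -1;                  /* DER requires the short form here */
    }
    if (der_len - pos != len)
        return -1;                      /* truncated or trailing data */
    for (i = 0; i < len; i++)
        if (der[pos + i] == 0 || der[pos + i] > 0x7f)
            return -1;
    *str = der + pos;
    *str_len = len;
    return 0;
}

int main(void)
{
    /* Constructed sample: IA5String "a@example.com" (13 bytes). */
    const unsigned char der[] = "\x16\x0d" "a@example.com";
    const unsigned char *s;
    size_t n;
    if (decode_ia5string(der, sizeof der - 1, &s, &n) != 0)
        return 1;
    printf("%.*s\n", (int)n, (const char *)s);
    return 0;
}
```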
Comment 2 Henrik Andersson cendio 2013-11-21 16:05:27 CET
Commit 28161 fixes the problem related to the initial error report; however, there might be other places that use the old approach which need to be fixed.

A simple grep of IA5String does not reveal any other usage of IA5String, but there are also other internal asn1 types that need to be identified and fixed.
Comment 3 Henrik Andersson cendio 2013-11-22 08:01:56 CET
Additionally, we should have autotests created to capture these kinds of problems.
Comment 4 Henrik Andersson cendio 2013-12-10 14:03:27 CET
(In reply to comment #2)
> Commit 28161 fixes the problem related to the initial error report; however, there
> might be other places that use the old approach which need to be fixed.
> 
> A simple grep of IA5String does not reveal any other usage of IA5String,
> but there are also other internal asn1 types that need to be identified and
> fixed.

A grep of asn1_create_element() and verification of the types used found no other internal asn1 types in use.
Comment 5 Henrik Andersson cendio 2013-12-10 16:01:42 CET
(In reply to comment #3)
> Additionally, we should have autotests created to capture these kinds of problems.

Initial autotest created for tl-certtool in commit r28190.
Comment 7 Peter Åstrand cendio 2014-04-16 15:52:20 CEST
Inspected commit. Tested tlclient. We have autotests, and the code has also been tested at customer site. That should be enough.
