devel/nspr dumps core when checking cert with security/nss

Volodymyr Kostyrko c.kworr at gmail.com
Tue Feb 21 12:22:36 UTC 2012


Florian Smeets wrote:
>>>> RELENG_9, world and ports built with clang.
>>>>
>>>
>>> Do you know if it's caused by the port being built with clang or if
>>> world compiled with clang is the cause?
>>
>> I tested that on RELENG_8 also with the same result.
>>
>> Random junk or hints:
>>    1. certtool from gnutls verifies certificates successfully.
>>    2. Making both keys with 2048 bit width gives the same result.
>>
>> So maybe it's rather about supporting wide (2048 bit) DSA keys?
>>
>
> This seems to be fixed by nspr-4.9 / nss-3.13.2. With your Makefile the
> tool does not crash anymore.

Strange, still crashes for me on RELENG_8_2 and RELENG_9 built with clang:

# checking with certtool
certtool -e --infile site.cert --infile base.cert
Certificate[0]: C=AU,ST=Some-State,O=Internet Widgits Pty Ltd,OU=Pity sec,CN=base,EMAIL=noone at nowhere.com
         Issued by: C=AU,ST=Some-State,O=Internet Widgits Pty Ltd,OU=Pity sec,CN=base,EMAIL=noone at nowhere.com
         Verification output: Verified.

Chain verification output: Verified.
# checking cert with nss
checkcert -aA site.cert base.cert
Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 0 (0x0)
*** Signal 11

Stop in /home/arcade/tmp.

I'll include the Makefile for later reference.

And I was wrong, this is not about 2048-bit keys, it fails on 1024-bit 
keys too.

I'll try to set up a virtual host with stock RELENG_9_0 and recheck there.

-- 
Sphinx of black quartz judge my vow.
-------------- next part --------------
all:
	# creating simple CA
	openssl dsaparam -out dp2048.pem 1024
	openssl gendsa -out base.pem dp2048.pem
	printf '\n\n\n\nPity sec\nbase\nnoone at nowhere.com\n' | openssl req -new -x509 -out base.cert -key base.pem -days 365
	@echo
	mkdir -p demoCA/newcerts
	touch demoCA/index.txt
	echo 00 > demoCA/serial
	# creating sample cert
	openssl dsaparam -out dp1024.pem 1024
	openssl gendsa -out site.pem dp1024.pem
	printf '\n\n\n\nPity sec\nsite.base\nnoone at nowhere.com\n\n\n' | openssl req -new -out site.req -key site.pem -days 365
	@echo
	# signing cert
	printf 'y\ny\n' | openssl ca -cert base.cert -keyfile base.pem -policy policy_anything -out site.cert -infiles site.req
	# checking with certtool
	certtool -e --infile site.cert --infile base.cert
	# checking cert with nss
	checkcert -aA site.cert base.cert

clean:
	rm -rf dp2048.pem dp1024.pem base.pem site.pem base.cert site.req site.cert demoCA

