Bug 6089 - nss_passwdaliases assumes canonical string for given DN (subject/issuer)
Status: NEW
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Smart card
Version: 1.3.1
Hardware: PC Unknown
: P2 Normal
Target Milestone: LowPrio
Assignee: Pierre Ossman
Reported: 2016-11-10 14:00 CET by Pierre Ossman
Modified: 2016-11-15 10:43 CET

Description Pierre Ossman cendio 2016-11-10 14:00:47 CET
The current implementation of nss_passwdaliases is very simple. It does a simple string compare of what it's given and what's in the config file. Unfortunately this is not the correct method to compare DNs. Some parts of complex DNs can vary in order, whilst still referring to the same thing.

Scenarios where this might happen are if we tweak the implementation in the client, or if another implementation is used. The order might also shift if a new certificate is issued with the same subject.


Ideally we'd do the comparison properly, ignoring order when appropriate. A temporary solution could be to strictly specify the order, e.g. sort by OID.
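
The comparison described in this report, as an added example that is not nss_passwdaliases code or part of the original report. It assumes DNs are written as RFC 4514-style strings without quoted values, treats the attribute/value pairs of a multi-valued RDN (joined by `+`) as an unordered set, and keeps the RDN sequence itself ordered so that two different DNs never map to the same alias. The function names and sample DNs are constructed, and the canonical form sorts by attribute name as a stand-in for sorting by OID.

```python
def _split(text, sep):
    """Split on an unescaped separator, keeping backslash escapes intact."""
    parts, cur, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            cur.append(text[i:i + 2])  # keep the escape pair together
            i += 2
            continue
        if ch == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def parse_dn(dn):
    """Return the DN as a tuple of RDNs, each a frozenset of (type, value)."""
    rdns = []
    for rdn in _split(dn, ","):
        avas = set()
        for ava in _split(rdn, "+"):
            # Tolerate "CN=a, O=b" style spacing after separators.
            attr, eq, value = ava.lstrip().partition("=")
            if not eq or not attr.strip():
                raise ValueError(f"malformed attribute/value pair: {ava!r}")
            # Attribute type names are case-insensitive; values are kept exact.
            avas.add((attr.strip().upper(), value))
        rdns.append(frozenset(avas))
    return tuple(rdns)


def dn_equal(a, b):
    """Compare two DN strings, ignoring order only inside multi-valued RDNs."""
    return parse_dn(a) == parse_dn(b)


def canonical_dn(dn):
    """Strictly ordered string form: pairs inside each RDN sorted by type."""
    return ",".join(
        "+".join(f"{t}={v}" for t, v in sorted(rdn)) for rdn in parse_dn(dn)
    )
```

Storing `canonical_dn()` output in the config file and canonicalising the incoming DN the same way keeps the lookup a plain string compare, which matches the temporary solution suggested in the report.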
