Closed Bug 234129 Opened 21 years ago Closed 18 years ago

OCSP Algorithm ID comparison reportedly faulty

Categories

(NSS :: Libraries, defect)

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 357197

People

(Reporter: nelson, Unassigned)

Alex Deacon of Verisign.com wrote:

> [...] while doing some interop testing with the latest Mozilla OCSP
> release against our new OCSP responder, we noticed an issue in the way you
> compare CertID's in the request and responses.  In particular it looks like
> you are doing a binary comparison of the whole CertID structure in the
> response.  The problem is that your client includes the OPTIONAL parameters
> field in the AlgorithmIdentifier structure in the request, but our
> pre-produced responses do not (did not) include the parameters field.  Thus
> when your client gets the response you reject it as it doesn't match the
> request.  To fix this, we have modified our responder to include the
> optional parameters field as it doesn't seem to break the other OCSP client
> implementations we are testing.  However, I would suggest that you
> may want to modify the way you compare CertID's to not take the algorithm
> identifier into account...or perhaps at a minimum not take the parameters
> field into account.  This would involve parsing out the CertID structure,
> but I don't think this would add much overhead.   

Thanks for this report, Alex.
Although this bug is not yet confirmed, if true, we need to fix it before 
enabling OCSP by default.
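
The comparison suggested in the quoted report, as an added example that is not part of the original bug report and is not NSS code: it parses each DER CertID and compares the hash OID, issuerNameHash, issuerKeyHash and serialNumber while ignoring the OPTIONAL AlgorithmIdentifier parameters. The function names and the sample CertID values (SHA-1 OID, filler hashes, serial) are constructed for illustration.

```python
SHA1_OID = bytes.fromhex("06052b0e03021a")  # DER OID 1.3.14.3.2.26 (SHA-1)

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for one DER TLV starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length

def parse_cert_id(der):
    """Split a CertID into (hash OID, issuerNameHash, issuerKeyHash, serial)."""
    tag, body, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("CertID must be exactly one SEQUENCE")
    tag, alg, pos = read_tlv(body)
    if tag != 0x30:
        raise ValueError("hashAlgorithm must be a SEQUENCE")
    oid_tag, oid, _ = read_tlv(alg)  # anything after the OID (parameters) is ignored
    if oid_tag != 0x06:
        raise ValueError("algorithm must be an OBJECT IDENTIFIER")
    fields = [oid]
    for expected in (0x04, 0x04, 0x02):  # two OCTET STRINGs, then INTEGER
        tag, value, pos = read_tlv(body, pos)
        if tag != expected:
            raise ValueError("unexpected CertID field tag")
        fields.append(value)
    if pos != len(body):
        raise ValueError("trailing data in CertID")
    return tuple(fields)

def cert_ids_match(request_der, response_der):
    """Field-wise match; absent and NULL hash parameters compare equal."""
    return parse_cert_id(request_der) == parse_cert_id(response_der)

def build_cert_id(with_null_params, serial=b"\x01\x02"):
    """Constructed sample CertID, with or without NULL parameters."""
    alg_body = SHA1_OID + (b"\x05\x00" if with_null_params else b"")
    body = (b"\x30" + bytes([len(alg_body)]) + alg_body
            + b"\x04\x14" + b"\xaa" * 20 + b"\x04\x14" + b"\xbb" * 20
            + b"\x02" + bytes([len(serial)]) + serial)
    return b"\x30" + bytes([len(body)]) + body
```
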
Blocks: ocspdefault
QA Contact: bishakhabanerjee → jason.m.reid
Assignee: wtchang → nobody
QA Contact: jason.m.reid → libraries
Depends on: 357197
*** Bug 357197 has been marked as a duplicate of this bug. ***
Status: UNCONFIRMED → NEW
Ever confirmed: true
357197 has a patch for this issue. Closing this bug as a dup (even though it was first).

*** This bug has been marked as a duplicate of 357197 ***
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → DUPLICATE
No longer depends on: 357197