Closed Bug 403853 Opened 17 years ago Closed 17 years ago

PKIX OCSP failure

Categories

(NSS :: Libraries, defect)

Product:
NSS
Component:
Libraries
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED WORKSFORME

People

(Reporter: KaiE, Assigned: alvolkov.bgs)

References

(
URL
)

Details

(Whiteboard: PKIX NSS312B1)

Attachments

(1 file)

stack
3.32 KB, text/plain
Details 
I tested Firefox trunk with NSS trunk which has OCSP enabled.

I tried to connect to https://java.sun.com which uses a cert that lists an OCSP responder.

I tested using NSS_ENABLE_PKIX_VERIFY=1

I get an error page:
  An error occurred during a connection to java.sun.com.
  Invalid OCSP signing certificate in OCSP response.
  (Error code: sec_error_ocsp_invalid_signing_cert)

Are we considering to turn on NSS_ENABLE_PKIX_VERIFY=1 for NSS 3.12 ?

Even if we don't, I believe this bug is a blocker for EV.
EV requires OCSP.
PSM will call CERT_PKIXVerifyCert, which (I think) will always use PKIX based verification, including OCSP.

See also bug 403684.
I don't know if both bugs are dupes.
Blocks: 375019
Blocks: 403684
Whiteboard: PKIX
Attached file stack 
When I run the testcase, I eventually arrive at CERT_VerifyOCSPResponseSignature.
It goes on to call cert_VerifyCertChainPkix.
I traced the failure to happen in pkix_pl_Pk11CertStore_CheckTrust.

It tries to obtain the trust for cert:
(gdb) print state->candidateCert->nssCert->subjectName
$2 = 0x1f44b630 "OU=VeriSign Trust Network,OU=\"(c) 1998 VeriSign, Inc. - For authorized use only\",OU=Class 3 Public Primary Certification Authority - G2,O=\"VeriSign, Inc.\",C=US"
(gdb) print state->candidateCert->nssCert->issuerName
$3 = 0x1f44b6d0 "OU=VeriSign Trust Network,OU=\"(c) 1998 VeriSign, Inc. - For authorized use only\",OU=Class 3 Public Primary Certification Authority - G2,O=\"VeriSign, Inc.\",C=US"
(gdb) p/x  *state->candidateCert->nssCert->serialNumber->data@16
$21 = {0x7d, 0xd9, 0xfe, 0x7, 0xcf, 0xa8, 0x1e, 0xb7, 0x10, 0x79, 0x67, 0xfb, 0xa7, 0x89, 0x34, 0xc6}

In function pkix_pl_Pk11CertStore_CheckTrust the following variables values happen to be set:

certificateUsage 1024
certUsage certUsageStatusResponder
requiredFlags 16
trustType trustTypeNone
trust {sslFlags = 24, emailFlags = 24, objectSigningFlags = 24}
certFlags 0

Function CERT_TrustFlagsForCACertUsage gets called to obtain required flags.

It arrives at
      case certUsageStatusResponder:
        requiredFlags = CERTDB_TRUSTED_CA;
        trustType = trustTypeNone;

But macro SEC_GET_TRUST_FLAGS doesn't know what to do with trustTypeNone.


As a consequence, the issuer cert for the responder cert is treated as "not trusted", and therefore, the responder signing cert can't be verified.

FWIW, full stack attached.
I don't know what the correct fix is.

Just as a *HACK* for testing, I changed CERT_TrustFlagsForCACertUsage to do
      case certUsageStatusResponder:
        requiredFlags = CERTDB_TRUSTED_CA;
        trustType = trustSSL;

With that change, the OCSP signature can be verified, and the page from comment 0 works fine.


(I was curious to see if this hack would also fix bug bug 403684. It does not. So the request for revocation checking in bug 403684 seems to fail elsewhere. So maybe the dependency from this bug to bug 403684 doesn't make sense. But we can delay this decision until we know more.)
Blocks: 405139
Assignee: nobody → alexei.volkov.bugs
Whiteboard: PKIX → PKIX NSS312B1
Alexei asked me to test this again.
I confirm, this is now WORKSFORME. Thanks!

Alexei, if you know which other bug fixed this problem, maybe you want to resolve it as a duplicate.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: