Closed
Bug 205434
Opened 21 years ago
Closed 16 years ago
Fully implement new libPKIX cert verification API from bug 294531
Categories
(NSS :: Libraries, enhancement, P2)
Tracking
(Not tracked)
RESOLVED
FIXED
3.12.2
People
(Reporter: wtc, Assigned: alvolkov.bgs)
References
Details
(Whiteboard: PKIX SUN_MUST_HAVE)
Attachments
(8 files, 17 obsolete files)
51.26 KB,
patch
|
nelson
:
review+
|
Details | Diff | Splinter Review |
6.18 KB,
patch
|
nelson
:
review+
|
Details | Diff | Splinter Review |
15.18 KB,
patch
|
nelson
:
review+
|
Details | Diff | Splinter Review |
113.20 KB,
patch
|
nelson
:
review+
|
Details | Diff | Splinter Review |
3.98 KB,
patch
|
nelson
:
review+
|
Details | Diff | Splinter Review |
119.82 KB,
patch
|
nelson
:
review+
|
Details | Diff | Splinter Review |
314.76 KB,
patch
|
Details | Diff | Splinter Review | |
2.48 KB,
patch
|
nelson
:
review+
|
Details | Diff | Splinter Review |
We can only enable or disable OCSP checking *globally* in NSS right now. We should add an option to disable OCSP checking for a particular cert verification.
Updated•19 years ago
|
QA Contact: bishakhabanerjee → jason.m.reid
Updated•18 years ago
|
QA Contact: jason.m.reid → libraries
Assignee | ||
Updated•17 years ago
|
Priority: -- → P2
Whiteboard: PKIX
Target Milestone: --- → 3.12
Assignee | ||
Updated•17 years ago
|
Target Milestone: 3.12 → 3.12.1
Comment 1•17 years ago
|
||
This should be part of the cert verification API design in bug 294531
Blocks: 294531
Updated•17 years ago
|
Summary: Add an option to disable OCSP checking for a particular cert verification → New libPKIX cert verification API needs option to disable OCSP check
Comment 2•16 years ago
|
||
Wan-Teh, Does the new API defined in bug 294531 satisfy this request? If so, then we need a bug that demands the implementation of the API defined in bug 294531. (We may already have such a bug)
Reporter | ||
Comment 3•16 years ago
|
||
Yes, the new API defined in bug 294531 satisfies this request. (That API is so flexible that it can solve any cert path validation problem.)
Updated•16 years ago
|
Assignee: wtc → nobody
Summary: New libPKIX cert verification API needs option to disable OCSP check → Fully implement new libPKIX cert verification API from bug 294531
Assignee | ||
Comment 4•16 years ago
|
||
Proposing to change default setting to revocation flags to remove impact to the performance. Currently, libpkix does two revocation checks on the same cert: * first, while building the chain upward from the leaf to a trust anchor. Each time the algorithm finds a valid issue of a cert in the chain(EE or intermediate CA), it calls CRL revocation checker to verify, that previous cert in the chain was not revoked by issuing ICA. Since the CRLDP is not yet integrated, the crl revocation check is done only by using CRL cache. * second, while validating an already built chain going down. This time libpkix calls ocsp checker, that returns cert status by obtaining an info from ocsp cache. If the cache does not have fresh information, ocsp checker fetches a response from ocsp responder. Once CRLDP code is integrated into libpkix, we will have two types of revocation checkers that have similar parts: OCSP/CRL cache and OCSP responce/CRL network fetching. As a part of work on implementation of CERT_PKIXVerifyCert revocation API, I plan to modify the way libpkix check cert revocation status: it is to make libpkix use cached revocation data while building the chain to its trust achor, and if fresh information is needed to check revocation, do additional data(ocsp responce/CRL) fetching at the time of complete chain validation after trust anchor have been identified. Now, while reviewing the revocation API flags I've found, that current default setting for the flags responsible for defining an order of checking can drawback the performance. These two flags: CERT_REV_MI_TEST_EACH_METHOD_SEPARATELY defined as 0L - default CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST defined as 1L The flag EACH_METHOD_SEPARATELY tells to use a method completely(first cache and then fetch from a network) before going to a next one. If it is used, cached information from the next method will only be checked after the first method is done with network fetching, thus it will happen late, only at the time when chain is already built. In some cases, it will mean that whole chain will need to be completely rebuilt. The patch sets the flag TEST_ALL_LOCAL_INFORMATION_FIRST to be a default, making libpkix to do early check on the cached data available for defined revocation methods.
Assignee: nobody → alexei.volkov.bugs
Status: NEW → ASSIGNED
Attachment #332548 -
Flags: superreview?(rrelyea)
Attachment #332548 -
Flags: review?(nelson)
Assignee | ||
Updated•16 years ago
|
Attachment #332548 -
Flags: review?(kaie)
Comment 5•16 years ago
|
||
Comment on attachment 332548 [details] [diff] [review] Patch v1 - change API flags to remove libpkix performace impact Sorry, I think I must reject this patch. You are reverting the numeric values of CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST and also the other constant. That constant is already used in Firefox 3. I think your change breaks binary compatibility.
Attachment #332548 -
Flags: review?(kaie) → review-
Comment 6•16 years ago
|
||
We disccussed this on Thursday, and there seemed to be an understanding of what the plan was, going forward, between Alexei, Bob and Kai, but I missed it. Would someone care to state here what the new plan is?
Assignee | ||
Comment 7•16 years ago
|
||
The conclusion was to test local caches of all methods regardless of the set flags. Any result from a method that indicates that a cert was not revoked or the status is unknown should be treated as positive. In this case we continue to check if next revocation method has any information(looking for negative info) in its cache. If it does, we will stop, and declare cert to be revoked. A cert that passed all checks will be added into the chain. Next revocation check will be done, when the whole chain get built. This time we do revocation with possible OCSP response/CRL fetching from the network.
Assignee | ||
Updated•16 years ago
|
Attachment #332548 -
Attachment is obsolete: true
Attachment #332548 -
Flags: superreview?(rrelyea)
Attachment #332548 -
Flags: review?(nelson)
Assignee | ||
Updated•16 years ago
|
Target Milestone: 3.12.1 → 3.12.2
Assignee | ||
Updated•16 years ago
|
Whiteboard: PKIX → PKIX SUN_MUST_HAVE
Assignee | ||
Comment 8•16 years ago
|
||
This patch will be split on multiple smaller patches. The patch includes modifications to multiple libpkix files, some changes in certdb, certhigh and modification on vfychain utility.
Assignee | ||
Updated•16 years ago
|
Attachment #339973 -
Attachment description: the whole patch. Not for review → Implementation of new revocation API. The whole patch. Not for review
Assignee | ||
Comment 9•16 years ago
|
||
Attachment #339976 -
Flags: review?(nelson)
Assignee | ||
Comment 10•16 years ago
|
||
Attachment #340009 -
Flags: review?(nelson)
Assignee | ||
Comment 11•16 years ago
|
||
Attachment #340010 -
Flags: review?(nelson)
Assignee | ||
Comment 12•16 years ago
|
||
Attachment #339976 -
Attachment is obsolete: true
Attachment #340250 -
Flags: review?(nelson)
Attachment #339976 -
Flags: review?(nelson)
Updated•16 years ago
|
Attachment #340250 -
Flags: review?(nelson) → review-
Comment 13•16 years ago
|
||
Comment on attachment 340250 [details] [diff] [review] Patch v2 Main logic code. Includes only changes in libpkix/pkix/checker files. Alexei & I reviewed this by phone. I have given him all the review comments verbally.
Assignee | ||
Comment 14•16 years ago
|
||
Resubmitting the patch. The old one had wrong files.
Attachment #340009 -
Attachment is obsolete: true
Attachment #340652 -
Flags: review?(nelson)
Attachment #340009 -
Flags: review?(nelson)
Assignee | ||
Comment 15•16 years ago
|
||
First part of the big patch. It has changes to the underlying pkix_pl layer needed for revocation API implementation to work.
Attachment #340652 -
Attachment is obsolete: true
Attachment #341011 -
Flags: review?(nelson)
Attachment #340652 -
Flags: review?(nelson)
Assignee | ||
Comment 16•16 years ago
|
||
Usage of newly implemented revocation API within libpkix. Revocation params propagation into libpkix.
Attachment #341012 -
Flags: review?(nelson)
Comment 17•16 years ago
|
||
Comment on attachment 340010 [details] [diff] [review] vfychain changes related to the new revocation api r-. I gave Alexei review feeback by phone. (this comment applies to 3 patches.
Attachment #340010 -
Flags: review?(nelson) → review-
Updated•16 years ago
|
Attachment #341011 -
Flags: review?(nelson) → review-
Updated•16 years ago
|
Attachment #341012 -
Flags: review?(nelson) → review-
Assignee | ||
Comment 18•16 years ago
|
||
Patch with changes requested during review.
Attachment #340250 -
Attachment is obsolete: true
Attachment #342913 -
Flags: review?(nelson)
Assignee | ||
Comment 19•16 years ago
|
||
Changes to the patch according the review.
Attachment #340010 -
Attachment is obsolete: true
Attachment #342915 -
Flags: review?(nelson)
Assignee | ||
Comment 20•16 years ago
|
||
Patch changes according to the review.
Attachment #341011 -
Attachment is obsolete: true
Attachment #342920 -
Flags: review?(nelson)
Assignee | ||
Comment 21•16 years ago
|
||
Patch changes according to the review.
Attachment #341012 -
Attachment is obsolete: true
Attachment #342921 -
Flags: review?(nelson)
Assignee | ||
Comment 22•16 years ago
|
||
Changes to new files.
Attachment #342922 -
Flags: review?(nelson)
Assignee | ||
Updated•16 years ago
|
Attachment #342920 -
Attachment description: Suplimental changes in nss/lib to support revocation patch. v3 part 1 → Supplemental changes in nss/lib to support revocation patch. v3 part 1
Assignee | ||
Updated•16 years ago
|
Attachment #342921 -
Attachment description: Suplimental changes in nss/lib to support revocation patch. v3 part 2 → Supplemental changes in nss/lib to support revocation patch. v3 part 2
Assignee | ||
Updated•16 years ago
|
Attachment #342922 -
Attachment description: Suplimental changes to new files in nss/lib to support revocation patch. v3 part 3 → Supplemental changes to new files in nss/lib to support revocation patch. v3 part 3
Assignee | ||
Comment 23•16 years ago
|
||
Comment on attachment 342913 [details] [diff] [review] Patch v3 for Main logic code. Includes only changes in libpkix/pkix/checker files. Main functionality is implemented in function PKIX_RevocationChecker_Check. It is responsible for tracking revocation method independent flags. Control over rev method dependent flags is shared between PKIX_RevocationChecker_Check function and rev method related functions. That is pkix_CrlChecker_CheckLocal and pkix_CrlChecker_CheckExternal for crl and pkix_OcspChecker_CheckLocal and pkix_OcspChecker_CheckExternal for ocsp. Kai, Bob, please review.
Attachment #342913 -
Flags: superreview?(rrelyea)
Attachment #342913 -
Flags: review?(kaie)
Comment 24•16 years ago
|
||
Comment on attachment 342915 [details] [diff] [review] Patch v2: vfychain changes related to the new revocation api In today's review, we made a few more changes to this patch.
Attachment #342915 -
Flags: review?(nelson) → review-
Comment 25•16 years ago
|
||
Comment on attachment 342920 [details] [diff] [review] Supplemental changes in nss/lib to support revocation patch. v3 part 1 r+, with one requested change. In file lib/libpkix/pkix_pl_nss/pki/pkix_pl_ocspresponse.c in the function to be changed as follows: > if (PKIX_ERROR_RECEIVED){ >+ if (ocspResponse) { > PKIX_DECREF(ocspResponse); >+ } else { >+ if (serverSession) >+ hcv1->freeSessionFcn(serverSession); >+ if (requestSession) >+ hcv1->freeFcn(requestSession); >+ } > } Please rename "requestSession" to just "request" all throughout that function.
Attachment #342920 -
Flags: review?(nelson) → review+
Comment 26•16 years ago
|
||
Comment on attachment 342922 [details] [diff] [review] Supplemental changes to new files in nss/lib to support revocation patch. v3 part 3 r=nelson
Attachment #342922 -
Flags: review?(nelson) → review+
Updated•16 years ago
|
Attachment #342913 -
Attachment description: Patch v2 for Main logic code. Includes only changes in libpkix/pkix/checker files. → Patch v3 for Main logic code. Includes only changes in libpkix/pkix/checker files.
Updated•16 years ago
|
Attachment #340250 -
Attachment description: Main logic code. Includes only changes in libpkix/pkix/checker files. → Patch v2 Main logic code. Includes only changes in libpkix/pkix/checker files.
Updated•16 years ago
|
Attachment #339976 -
Attachment description: Main logic code. Includes only changes in libpkix/pkix/checker files. → Patch v1 Main logic code. Includes only changes in libpkix/pkix/checker files.
Assignee | ||
Comment 27•16 years ago
|
||
New files missing from main code patch.
Attachment #343470 -
Flags: review?(nelson)
Comment 28•16 years ago
|
||
Comment on attachment 343470 [details] [diff] [review] Patch v1 Missing pkix_revocationmethod.c and .h r-, this call merely copies the values from method to itself. >+ PKIX_CHECK( >+ pkix_RevocationMethod_Init(method, >+ method->methodType, >+ method->flags, >+ method->priority, >+ method->localRevChecker, >+ method->externalRevChecker, >+ plContext), >+ PKIX_COULDNOTCREATEREVOCATIONMETHODOBJECT);
Attachment #343470 -
Flags: review?(nelson) → review-
Comment 29•16 years ago
|
||
Comment on attachment 342921 [details] [diff] [review] Supplemental changes in nss/lib to support revocation patch. v3 part 2 This is getting very close. There are a few issues in this file: >Index: lib/certhigh/certvfypkix.c 1. The following block of code should not be ifdef'ed. The comment is incorrect. The old chain validation algorithm DOES do CRL checking at each step in the chain. The new code must, also. >+#ifdef DEBUG_volkov >+ /* Will not perform CRL revocation on the whole chain, since old chain >+ * validation algorithm never did it. */ >+ >+ /* add CRL revocation method for other certs in the chain. */ >+ PKIX_CHECK( >+ PKIX_RevocationChecker_CreateAndAddMethod(revChecker, procParams, >+ PKIX_RevocationMethod_CRL, >+ PKIX_REV_M_TEST_USING_THIS_METHOD | >+ PKIX_REV_M_FORBID_NETWORK_FETCHING | >+ PKIX_REV_M_STOP_TESTING_ON_FRESH_INFO, >+ 0, NULL, PKIX_FALSE, plContext), >+ PKIX_REVOCATIONCHECKERADDMETHODFAILED); >+#endif Also, I think that PKIX_REV_M_STOP_TESTING_ON_FRESH_INFO should NOT be set for the CRL tests. For checking leaf certs, the old code would check CRLs first, and if the CRL said it was revoked, that would stop the test, but if the CRL did not say the cert was revoked, and an OCSP URL was present, it would also do the OCSP check, even if the CRL had already been checked. 2. In the OCSP test, I believe the old code had a settable global flag that was equivalent to the new flag named PKIX_REV_M_FAIL_ON_MISSING_FRESH_INFO. So, the new flag should not unconditionally set that flag, but rather should test that old global flag, and set the new flag according to the old one. >+ PKIX_CHECK( >+ PKIX_RevocationChecker_CreateAndAddMethod(revChecker, procParams, >+ PKIX_RevocationMethod_OCSP, >+ PKIX_REV_M_TEST_USING_THIS_METHOD | >+ PKIX_REV_M_ALLOW_NETWORK_FETCHING | >+ PKIX_REV_M_ALLOW_IMPLICIT_DEFAULT_SOURCE | >+ PKIX_REV_M_SKIP_TEST_ON_MISSING_SOURCE | >+ PKIX_REV_M_FAIL_ON_MISSING_FRESH_INFO | >+ PKIX_REV_M_STOP_TESTING_ON_FRESH_INFO | >+ methodFlags, >+ 1, NULL, PKIX_TRUE, plContext), 3. The following comment mentions CRL revocation, but the code that it describes is OCSP code, not CRL code. >+#ifdef DEBUG_volkov >+ /* Will not perform CRL revocation on the whole chain, since old chain >+ * validation algorithm never did it. */ >+ >+ /* add OCSP revocation method to check the chain certificates */ >+ PKIX_CHECK( >+ PKIX_RevocationChecker_CreateAndAddMethod(revChecker, procParams, >+ PKIX_RevocationMethod_OCSP,
Attachment #342921 -
Flags: review?(nelson) → review-
Assignee | ||
Comment 30•16 years ago
|
||
Attachment #342913 -
Attachment is obsolete: true
Attachment #344942 -
Flags: review?(nelson)
Attachment #342913 -
Flags: superreview?(rrelyea)
Attachment #342913 -
Flags: review?(nelson)
Attachment #342913 -
Flags: review?(kaie)
Assignee | ||
Comment 31•16 years ago
|
||
Attachment #342915 -
Attachment is obsolete: true
Attachment #344945 -
Flags: review?(nelson)
Assignee | ||
Comment 32•16 years ago
|
||
Comment on attachment 343470 [details] [diff] [review] Patch v1 Missing pkix_revocationmethod.c and .h Obsoleted by "patch v4 for Main logic code. Includes only changes in libpkix/pkix/checker files" patch.
Attachment #343470 -
Attachment is obsolete: true
Assignee | ||
Comment 33•16 years ago
|
||
Attachment #342921 -
Attachment is obsolete: true
Attachment #344946 -
Flags: review?(nelson)
Comment 34•16 years ago
|
||
Comment on attachment 344942 [details] [diff] [review] Patch v4 for Main logic code. Includes only changes in libpkix/pkix/checker files. This appears to address the previous review comments. r=nelson
Attachment #344942 -
Flags: review?(nelson) → review+
Comment 35•16 years ago
|
||
Comment on attachment 344945 [details] [diff] [review] Patch v3: vfychain changes related to the new revocation api r=nelson
Attachment #344945 -
Flags: review?(nelson) → review+
Assignee | ||
Comment 36•16 years ago
|
||
Attachment #344995 -
Flags: review?(nelson)
Assignee | ||
Comment 37•16 years ago
|
||
Attachment #344995 -
Attachment is obsolete: true
Attachment #344997 -
Flags: review?(nelson)
Attachment #344995 -
Flags: review?(nelson)
Assignee | ||
Comment 38•16 years ago
|
||
Attachment #344997 -
Attachment is obsolete: true
Attachment #344999 -
Flags: review?(nelson)
Attachment #344997 -
Flags: review?(nelson)
Assignee | ||
Comment 39•16 years ago
|
||
fix declared returned value in the header file.
Attachment #344999 -
Attachment is obsolete: true
Attachment #345004 -
Flags: review?(nelson)
Attachment #344999 -
Flags: review?(nelson)
Comment 40•16 years ago
|
||
Comment on attachment 344946 [details] [diff] [review] Supplemental changes in nss/lib to support revocation patch. v4 part 2 r+. I suggest adding comments to the expressions that 'OR' in symbols whose values are zero. Add comments pointing out that their values are zero.
Attachment #344946 -
Flags: review?(nelson) → review+
Comment 41•16 years ago
|
||
Comment on attachment 345004 [details] [diff] [review] new ocsp.c ocspi.h changes. Patch v4 >+/* FUNCTION: ocsp_FetchingFailureIsVerificationFailure >+ * The function checks the global ocsp settings and >+ * tells how to treat an ocsp response fetching failure. >+ * RETURNS: >+ * if PR_Bool is returned, then treat fetching as a >+ * revoked cert status. I'm pretty sure that comment wants to say: if PR_TRUE is returned, then ... r=nelson with that change. I want to see testing results before any of this is committed.
Attachment #345004 -
Flags: review?(nelson) → review+
Assignee | ||
Comment 42•16 years ago
|
||
Additional changes to PKIX_RevocationCheker_Check function
Attachment #344942 -
Attachment is obsolete: true
Attachment #345573 -
Flags: review?(nelson)
Updated•16 years ago
|
Attachment #345573 -
Flags: review?(nelson) → review+
Comment 43•16 years ago
|
||
Comment on attachment 345573 [details] [diff] [review] Patch v5 for Main logic code. Includes only changes in libpkix/pkix/checker files. r+. Please make a couple of small changes. >+ /* The following check make sence only for chain Should be "makes" >+enum PKIX_RevocationMethodTypeEnum { >+ PKIX_RevocationMethod_CRL = 0, >+ PKIX_RevocationMethod_OCSP, >+ PKIX_RevocationMethod_Count, >+}; Please change _Count to _MAX. Thanks.
Assignee | ||
Comment 44•16 years ago
|
||
Attachment #339973 -
Attachment is obsolete: true
Assignee | ||
Updated•16 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Comment 45•16 years ago
|
||
Patch for this bug causes build failures on HP/UX: gmake-3.80[5]: Entering directory `/share/builds/mccrel3/security/securitytip/builds/20081101.1/wozzeck_Solaris8/mozilla/security/nss/lib/libpkix/pkix/certsel' cc -o HP-UXB.11.11_OPT.OBJ/pkix_certselector.o -c -O -DHPUX10 -Ae +Z -DHPUX -Dhppa -D_HPUX_SOURCE -D_USE_BIG_FDS +DAportable +DS2.0 -DHPUX11 -D_POSIX_C_SOURCE=199506L -DXP_UNIX -UDEBUG -DNDEBUG -DNSS_ENABLE_ECC -DNSS_ECC_MORE_THAN_SUITE_B -DUSE_UTIL_DIRECTLY -I../../../../../../dist/HP-UXB.11.11_OPT.OBJ/include -I../../../../../../dist/public/nss -I../../../../../../dist/private/nss -I../../../../../../dist/public/dbm pkix_certselector.c cc: "../../../../../../dist/private/nss/pkixt.h", line 125: error 1574: Unknown size for "PKIX_RevocationMethodType". cc: "../../../../../../dist/private/nss/pkixt.h", line 126: error 1574: Unknown size for "PKIX_RevocationStatus". cc: "../../../../../../dist/private/nss/pkix_revchecker.h", line 178: error 1574: Unknown size for "methodType". gmake-3.80[5]: *** [HP-UXB.11.11_OPT.OBJ/pkix_certselector.o] Error 1
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Assignee | ||
Comment 46•16 years ago
|
||
Attachment #346099 -
Flags: review?(nelson)
Updated•16 years ago
|
Attachment #346099 -
Flags: review?(nelson) → review+
Comment 47•16 years ago
|
||
Comment on attachment 346099 [details] [diff] [review] Patch v1. Move enums to a public header file r=nelson
Assignee | ||
Comment 48•16 years ago
|
||
(In reply to comment #46) > Created an attachment (id=346099) [details] > Patch v1. Move enums to a public header file Committed.
Status: REOPENED → RESOLVED
Closed: 16 years ago → 16 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•