287760 - OCSP signature verification issue - error 8182 SEC_ERROR_BAD_SIGNATURE

Status: RESOLVED WONTFIX

(NSS :: Libraries, defect, P5)

Description

[hari.nair]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

'm trying to get the Firefox browser to check client certificates via
OCSP to a Tumbleweed OCSP Responder. I can see the browser make a query
to the Responder, and see that the Responder accepts the request and
issue a response (with the proper status). Firefox, however, is not
happy with the response, and spits out a generic "8182" error which
seems to indicate that it could not verify the signature on the
response. I have tried directly adding the responder's signing
certificate into Firefox's certificate stores, as well as just having
the browser trust the issuing CA of the responder cert - without any
change in behavior.

Anybody know what I could be missing? Do I have to get my responder
cert issued off a CA that Firefox trusts as a "built-in" CA - one that
Firefox is compiled with and pre-configured to trust? Or can I just add
my own CA certificate as a "software token" that the browser can be
configured to trust? 

Reproducible: Always

Steps to Reproduce:
1.Configure a Responder with a self signed certificate, or a delegated
certificate issued off a local CA [not trusted within the browser's trust database]
2.Add the responder's self-signed certificate, or the issuing CA's certificate
into the browser's trust database
3.Invoke validation by visiting a secure site over SSL

Actual Results:  
Error code of -8182 returned, and browser refused to display page of secure server

Expected Results:  
Brower should have been able to verify response from the OCSP responder.

Comment 1

[Daniel Veditz [:dveditz]]

This sounds more like a call for help than a bug. Try the newsgroups forums from
http://www.mozilla.org/support/#community -- for this case the
netscape.public.mozilla.crypto newsgroup. All the filed bugs that mention this
error code (except bug 249004) ended up INVALID or WORKSFORME so it sounds like
it's fairly common people set this stuff up wrong when they try to make their
own certs.

https://bugzilla.mozilla.org/buglist.cgi?field0-0-0=product&type0-0-0=substring&value0-0-0=8182&field0-0-1=component&type0-0-1=substring&value0-0-1=8182&field0-0-2=short_desc&type0-0-2=substring&value0-0-2=8182&field0-0-3=status_whiteboard&type0-0-3=substring&value0-0-3=8182

If the n.p.m.crypto guys confirm the bug have them reopen this with better
technical details of the flaw.

Comment 2

[Steve Parkinson]

It would help if the reporter could supply, as attachments to this bug:
 - a CA cert to trust in the browser
 - an OCSP cert
 - a internet-facing website with appropriate SSL cert.

Comment 3

[Steve Parkinson]

More information sent to me by reporter:

http://ocsp.disa.mil/ - welcome page and also port that OCSP queries are
sent to.
http://ocsp.disa.mil/~stats - stats page
http://ocsp.disa.mil/getvaconfig?ocsp -- to fetch the configuration
information, which returns back to Desktop Validator the self-signed
certificate or CA delegated certificate.


And...

This cert below is both the OCSP responder certificate and the CA
certificate for the purpose of validation of the signed OCSP response.
It should be handled in a similar way to directly trusted SSL sites.

-----BEGIN CERTIFICATE-----
MIICnTCCAgagAwIBAgIBADANBgkqhkiG9w0BAQUFADB8MQswCQYDVQQGEwJ1czEL
MAkGA1UECBMCVFgxFDASBgNVBAcTC1NhbiBBbnRvbmlvMRMwEQYDVQQKEwpBRiBQ
S0kgU1BPMQ0wCwYDVQQLEwRVU0FGMSYwJAYDVQQDEx1odHRwOi8vdXNhZm9jc3Au
c2F0eC5kaXNhLm1pbDAeFw0wMzA3MjQxNTE1MzRaFw0wNjA5MTExNTE1MzRaMHwx
CzAJBgNVBAYTAnVzMQswCQYDVQQIEwJUWDEUMBIGA1UEBxMLU2FuIEFudG9uaW8x
EzARBgNVBAoTCkFGIFBLSSBTUE8xDTALBgNVBAsTBFVTQUYxJjAkBgNVBAMTHWh0
dHA6Ly91c2Fmb2NzcC5zYXR4LmRpc2EubWlsMIGfMA0GCSqGSIb3DQEBAQUAA4GN
ADCBiQKBgQDBaP+xid/31h4E3ZznnXjH/i+pYJy8RPxKbAtrRijssMeYkAYNMiov
c9IzXTvRnRxLqgylW+t/nVoDq49r5RTvunpIrGApy4YN601guhltHkjxUzgyH8Rb
O8l8Ub1RDgVDs6dHEfEL+Ile8ieHRVP68nsckv91YI1axLaSUgCgmQIDAQABoy8w
LTAJBgNVHRMEAjAAMCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDCTAN
BgkqhkiG9w0BAQUFAAOBgQCO7T2QLkSnqnKb1vKRPxrHfxWqT7d24ZuoTliFPt5k
8Ic/bruiSseesfgyaIf96fw2htrA4CnsxwXYMkA2IVZxqWepV9d3oz76ZKz0q1wk
aDglpHGGLZrxxvEIYSCjXwyiCFUvyfLXahnbQMdlVDxDJF7b3K2gNQRW9UVoBjg5
Nw==
-----END CERTIFICATE-----


I will look at this to determine if there is merit to reopen
the bug.

Comment 4

[Chandrasekar Kannan]

Steve, 

I have been able to reproduce this problem with our CA and OCSP. 

re-opening this bug. 

Comment 5

[Wan-Teh Chang]

Bob, could you take a look at this bug?  Thanks.

Comment 6

[Sean]

Also working with tumbleweed OCSP with firefox.
Problem is, no option given to continue on a website if OCSP is not available.
ex: https://bugzilla.mozilla.org after requiring use of OCSP is selected

"Error trying to validate certificate from bugzilla.mozilla.org using OCSP - unknown certificate"

I don't see any option setting available for this to be only a warning instead of a stop alert

Comment 7

[Nelson Bolyard (seldom reads bugmail)]

BTW, error -8182 is SEC_ERROR_BAD_SIGNATURE

Comment 8

[Nelson Bolyard (seldom reads bugmail)]

See also bug 341004 which reports that error SEC_ERROR_BAD_SIGNATURE is the
wrong error code to report for some OCSP and CRL revocation situations.

Comment 9

[BugBot [:suhaib / :marco/ :calixte]]

In the process of migrating remaining bugs to the new severity system, the severity for this bug cannot be automatically determined. Please retriage this bug using the new severity system.