Closed Bug 339737 Opened 18 years ago Closed 17 years ago

LIBPKIX OCSP checking calls CERT_VerifyCert

Categories

(NSS :: Libraries, enhancement, P1)

Product:
NSS
Component:
Libraries
Platform:
All
Solaris
Type:
enhancement

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: richard.freedman, Assigned: alvolkov.bgs)

References

Details

(Whiteboard: PKIX) 

The new OCSP handler written for libpkix uses the old ocsp routines to construct, encode, decode, etc., the ocsp messages. But handling of the ocsp response includes a call to CERT_VerifyOCSPResponseSignature, which calls ocsp_CheckSignature, which calls CERT_VerifyCert. This last routine, of course, lacks all the new features painstakingly added to libpkix.

A new routine will be written for verifying the signature of the ocsp response without using CERT_VerifyCert, using instead the libpkix replacement.
Assignee: richard.freedman → alexei.volkov.bugs
Whiteboard: PKIX
This task was supposed to have been completed by Richard.

Need to verify if it was completed. P2 for now
Priority: -- → P2
P1 for NSS 3.12
Priority: P2 → P1
It appears to be fixed in PKIX_PL_OcspResponse_UseBuildChain in pkix_pl_ocspresponse.c .
Agreed.  This was fixed on the old PKIX branch before that was merged 
to the trunk.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Version: 3.10 → trunk
Please reopen this bug. (For some reason, I can't reopen it.) Even though PKIX_PL_OcspResponse_UseBuildChain exists, it is never used. Consequently, when we are using libpkix as a replacement for the old cert chain validation logic, internally libpkix uses the old logic to validate OCSP responses and their cert chains. The call stack is like this:

   pkix_OcspChecker_CheckExternal 
      pkix_pl_OcspResponse_VerifySignature
          ...
          CERT_FindCertIssuer
          ...
          ocsp_GetSignerCertificate
              ...
              CERT_FindCertByName
              ...
          ...
          pkix_pl_OcspResponse_VerifyResponse
              ...
              CERT_VerifyCertChain
              ...

All of the ocsp_* and CERT_* calls in this call stack are wrong, because they use the old certificate "FindBest" selection logic.
Never mind, do not re-open this. See bug 551429 comment 11.
You need to log in before you can comment on or make changes to this bug.