Closed
Bug 499908
Opened 15 years ago
Closed 15 years ago
OCSP test with revoked CA and valid EE failed with -g leaf and requireFreshInfo flag.
Categories
(NSS :: Libraries, defect)
Tracking
(Not tracked)
RESOLVED
INVALID
3.12.4
People
(Reporter: slavomir.katuscak+mozilla, Assigned: alvolkov.bgs)
Details
Attachments (1 file)
Attachment #384598: patch, 415 bytes
From bug 495934 comment 8:

> OCSPEE21 -> OCSPCA2 -> OCSPRoot (OCSPCA2 is revoked)
>
> $ vfychain -d OCSPRootDB -pp -vv -g leaf -h requireFreshInfo -m ocsp
> /Users/sven/nss/securitytip/mozilla/security/nss/tests/libpkix/certs/OCSPEE21.cert
> /Users/sven/nss/securitytip/mozilla/security/nss/tests/libpkix/certs/OCSPCA2.cert
> -t OCSPRoot
> Chain is bad, -8180 = Peer's Certificate has been revoked.
> PROBLEM WITH THE CERT CHAIN:
> CERT 2. OCSPRoot [Certificate Authority]:
> ERROR -8180: Peer's Certificate has been revoked.

This test should pass if the EE cert has an AIA extension and was able to get the information. The same test passes when the requireFreshInfo flag is removed. Both the EE cert and CA2 have an AIA extension and are able to get the information.
Comment 1 • 15 years ago • Reporter
To reproduce, copy the scenario file to the security/nss/tests/chains/scenarios directory and also edit the scenarios file there. You also need to have this variable set: NSS_AIA_OCSP=http://dochinups.red.iplanet.com
Updated • 15 years ago • Assignee
Attachment #384598 - Attachment is patch: true
Attachment #384598 - Attachment mime type: application/octet-stream → text/plain
Comment 2 • 15 years ago • Assignee
Slavo, libpkix fails the case above because it cannot verify the signature on the OCSP response, not because of an attempt to validate the OCSPCA2 cert. Can you explain which cert signs the response and how it fits into the test case?
Comment 3 • 15 years ago • Reporter
OCSPEE21 is signed by OCSPCA2 and contains a link to the OCSP server for OCSPCA2 (messages are signed by OCSPCA2). OCSPCA2 is signed by OCSPRoot and contains a link to the OCSP server for OCSPRoot (messages are signed by OCSPRoot). OCSPRoot is self-signed and in this test it is the trust anchor. OCSPCA2 is revoked by OCSPRoot; however, we are testing for a leaf and not for a chain (-g parameter), so I expect that OCSPCA2 shouldn't be validated as revoked.
Comment 4 • 15 years ago • Assignee
Since CA2 is revoked, the received response will be invalid, which means that no information will be available, which means that when requireFreshInfo is used the test will fail.
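The reasoning in comments 2 and 4 is easy to miss from the vfychain output alone: with `-g leaf` OCSPCA2 is never checked as a chain member, but it is still the key that signs the leaf's OCSP response, so its revocation turns the leaf's response into "no usable information", and requireFreshInfo turns that into a hard failure. The following added example (not NSS or libpkix code, and not part of this bug) models that decision flow with a constructed PKI mirroring the scenario above; the `Cert` class, `ocsp_status` and `validate` functions, and the "unknown" outcome label are assumptions of this model, and it reports reasons as strings rather than NSS error codes such as -8180.

```python
"""Toy model of why `-g leaf` with requireFreshInfo fails when the leaf's
OCSP responder certificate is revoked.  Added example, not NSS/libpkix code.

All names below are constructed to mirror the scenario in this bug:
OCSPEE21 -> OCSPCA2 -> OCSPRoot, with OCSPCA2 revoked by OCSPRoot and each
certificate's AIA pointing at a responder that signs with its issuer's key.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Cert:
    name: str
    issuer: str                        # self-signed when issuer == name
    ocsp_signer: Optional[str] = None  # key that signs OCSP responses for this cert (AIA target)


# Constructed test PKI (assumption: mirrors the certs named in the bug).
CERTS = {
    "OCSPRoot": Cert("OCSPRoot", "OCSPRoot"),
    "OCSPCA2": Cert("OCSPCA2", "OCSPRoot", ocsp_signer="OCSPRoot"),
    "OCSPEE21": Cert("OCSPEE21", "OCSPCA2", ocsp_signer="OCSPCA2"),
}
TRUST_ANCHORS = {"OCSPRoot"}
# What the responders assert is revoked (constructed): OCSPRoot says CA2 is revoked.
RESPONDER_DB = {"OCSPCA2"}


def ocsp_status(subject: str) -> str:
    """Return 'good', 'revoked' or 'unknown' for `subject`.

    Before the status carried inside a response is believed, the responder's
    own certificate must verify.  That check is what drags the revoked
    OCSPCA2 into a leaf-only validation of OCSPEE21: it is examined not as
    a chain member, but as the signer of the leaf's OCSP response.
    """
    if subject in TRUST_ANCHORS:
        return "good"
    signer = CERTS[subject].ocsp_signer
    if signer is None:
        return "unknown"          # no AIA: nothing to ask
    if ocsp_status(signer) != "good":
        # The response signature cannot be trusted, so the response carries
        # no usable information: the outcome is 'unknown', not 'revoked'.
        return "unknown"
    return "revoked" if subject in RESPONDER_DB else "good"


def validate(leaf: str, scope: str, require_fresh_info: bool) -> Tuple[bool, str]:
    """Model of `vfychain -g <scope> [-h requireFreshInfo] -m ocsp`.

    scope='leaf' checks only the leaf; scope='chain' checks every
    certificate below the trust anchor.
    """
    # Build the chain by following issuer links up to the anchor.
    chain = [leaf]
    while chain[-1] not in TRUST_ANCHORS:
        chain.append(CERTS[chain[-1]].issuer)
    to_check = [leaf] if scope == "leaf" else [c for c in chain if c not in TRUST_ANCHORS]

    for cert in to_check:
        status = ocsp_status(cert)
        if status == "revoked":
            return False, f"{cert}: certificate has been revoked"
        if status == "unknown" and require_fresh_info:
            # requireFreshInfo: stale/unavailable revocation data is a hard failure.
            return False, f"{cert}: no fresh revocation information"
    return True, "chain is good"


if __name__ == "__main__":
    for scope, fresh in (("leaf", True), ("leaf", False), ("chain", False)):
        print(f"-g {scope}, requireFreshInfo={fresh}:", validate("OCSPEE21", scope, fresh))
```

Running it reproduces the three observations in the thread: leaf-only with requireFreshInfo fails (no trustworthy response for OCSPEE21), leaf-only without the flag passes (soft failure on missing information), and a chain check fails outright because OCSPCA2 itself is reported revoked.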
Updated • 15 years ago • Assignee
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → INVALID