Closed Bug 499908 Opened 15 years ago Closed 15 years ago

OCSP test with revoked CA and valid EE failed with -g leaf and requireFreshInfo flag.

Categories

(NSS :: Libraries, defect)

3.12.3
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID
3.12.4

People

(Reporter: slavomir.katuscak+mozilla, Assigned: alvolkov.bgs)

Details

Attachments

(1 file)

From bug 495934 comment 8:

> OCSPEE21 -> OCSPCA2 -> OCSPRoot (OCSPCA2 is revoked)
> 
> $ vfychain -d OCSPRootDB -pp -vv  -g leaf -h requireFreshInfo -m ocsp   
> /Users/sven/nss/securitytip/mozilla/security/nss/tests/libpkix/certs/OCSPEE21.cert
> /Users/sven/nss/securitytip/mozilla/security/nss/tests/libpkix/certs/OCSPCA2.cert
>  -t OCSPRoot
> Chain is bad, -8180 = Peer's Certificate has been revoked.
> PROBLEM WITH THE CERT CHAIN:
> CERT 2. OCSPRoot [Certificate Authority]:
>   ERROR -8180: Peer's Certificate has been revoked.

This test should pass if the EE cert has an AIA extension and was able to get the information.

The same test passes when requireFreshInfo flag is removed. Both EE cert and CA2 have AIA extension and are able to get the information.
To reproduce, copy the scenario file to the security/nss/tests/chains/scenarios directory and also edit the scenarios file there.

You also need to have set variable:
NSS_AIA_OCSP=http://dochinups.red.iplanet.com
Attachment #384598 - Attachment is patch: true
Attachment #384598 - Attachment mime type: application/octet-stream → text/plain
Slavo, libpkix fails the case above because it cannot verify the signature on the OCSP response, not because of an attempt to validate the OCSPCA2 cert.
Can you explain which cert signs the response and how it fits into the test case?
OCSPEE21 is signed by OCSPCA2 and contains a link to the OCSP server for OCSPCA2 (responses are signed by OCSPCA2).
OCSPCA2 is signed by OCSPRoot and contains a link to the OCSP server for OCSPRoot (responses are signed by OCSPRoot).
OCSPRoot is self-signed and in this test it is the trust anchor.

OCSPCA2 is revoked by OCSPRoot; however, we are testing for a leaf and not for a chain (-g parameter), so I expect that OCSPCA2 shouldn't be validated as revoked.
Since CA2 is revoked, the received response will be invalid => which means that no information will be available => which means that when requireFreshInfo is used the test will fail.
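The reasoning in the two comments above can be modelled in a few lines. The following is an added example, not NSS or libpkix code: it assumes a simplified world in which each certificate has at most one OCSP response and treats a response signed by a revoked responder as unverifiable, i.e. as carrying no information. It shows why a leaf-only check (-g leaf) still fails under requireFreshInfo when the leaf's responder (OCSPCA2) is revoked, and why the same check passes once the flag is dropped. The certificate names are the ones from the test scenario; the responses are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class OcspResponse:
    """Constructed stand-in for an OCSP response: who it is about, who signed it, what it says."""
    subject: str   # certificate the response is about
    signer: str    # certificate whose key signed the response
    status: str    # "good" or "revoked"


def responder_status(signer: str, responses: Dict[str, OcspResponse]) -> str:
    """Status of the responder's own certificate as reported by *its* responder.

    In the page's scenario OCSPCA2 signs the leaf's response, and OCSPCA2's own
    status comes from a response signed by OCSPRoot. The trust anchor itself has
    no response, which this model reports as "unknown" (not "revoked").
    """
    resp = responses.get(signer)
    return resp.status if resp is not None else "unknown"


def leaf_revocation_info(leaf: str, responses: Dict[str, OcspResponse]) -> Optional[str]:
    """Return the leaf's status, or None when no usable revocation information exists.

    A response whose signer is revoked cannot have its signature trusted, so it is
    discarded rather than interpreted; the caller sees "no information".
    """
    resp = responses.get(leaf)
    if resp is None:
        return None
    if responder_status(resp.signer, responses) == "revoked":
        return None
    return resp.status


def verify_leaf(leaf: str, responses: Dict[str, OcspResponse], require_fresh_info: bool) -> str:
    """Leaf-only revocation decision (the -g leaf case), with or without requireFreshInfo."""
    info = leaf_revocation_info(leaf, responses)
    if info is None:
        # No fresh information: only a hard failure when the caller demanded freshness.
        if require_fresh_info:
            return "fail: no fresh revocation info"
        return "pass: revocation status unknown"
    if info == "revoked":
        return "fail: certificate revoked"
    return "pass: fresh status good"


# Constructed scenario mirroring the bug: OCSPEE21 -> OCSPCA2 -> OCSPRoot, OCSPCA2 revoked.
BUG_SCENARIO: Dict[str, OcspResponse] = {
    "OCSPEE21": OcspResponse("OCSPEE21", signer="OCSPCA2", status="good"),
    "OCSPCA2": OcspResponse("OCSPCA2", signer="OCSPRoot", status="revoked"),
}

# Same chain with a healthy intermediate, for contrast.
HEALTHY_SCENARIO: Dict[str, OcspResponse] = {
    "OCSPEE21": OcspResponse("OCSPEE21", signer="OCSPCA2", status="good"),
    "OCSPCA2": OcspResponse("OCSPCA2", signer="OCSPRoot", status="good"),
}


if __name__ == "__main__":
    for name, scenario in (("revoked CA2", BUG_SCENARIO), ("healthy CA2", HEALTHY_SCENARIO)):
        for flag in (True, False):
            print(f"{name:12} requireFreshInfo={flag!s:5} -> {verify_leaf('OCSPEE21', scenario, flag)}")
```

The point the model makes explicit is that -g leaf limits which certificate's status is being asked about, not which certificates must be trustworthy to answer the question: the response about OCSPEE21 is only as good as OCSPCA2's signature, and once that signature cannot be trusted the check degrades to "unknown", which requireFreshInfo turns into a failure.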
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → INVALID