Bug 66606 - Would like Signtool to use OCSP and/or check CRLs during verification
Opened 24 years ago, closed 22 years ago
Categories: NSS :: Tools, enhancement, P2
Tracking: (Not tracked)
Status: RESOLVED FIXED
Target Milestone: 3.6
People: Reporter: arshad.noor; Assigned: kirk.erickson
Attachments (1 file): attachment 87149, "Proposed patch", 3.31 KB, patch; julien.pierre: review+
Description (Reporter)
We would like to have signtool use the Online Certificate Status Protocol (OCSP) and CRL checking when verifying signatures on a signed object. If the certificate that corresponds to the signing key has a CRL Distribution Point in it, it should attempt to load the CRL defined in the CRLDP's URI and check it for a revoked certificate. If the certificate that corresponds to the signing key has an Authority Info Access extension in it, signtool should attempt to use the OCSP protocol to make a request to the URI in the AIA extension to validate the certificate. These two features will make signtool more robust and reliable, since they will allow customers to verify in "real time" that the certificate that signed the objects has not been revoked. Note: If you'd like, Sun can help by providing an entire testing infrastructure for these enhancements. SunPKI (http://www.sun.com/pki) has established an infrastructure that publishes CRLs and supports an OCSP server that is accessible over the Internet. Thanks.
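The request above asks signtool to branch on two certificate extensions: a CRL Distribution Point and an Authority Info Access entry. As an added illustration (not NSS or signtool code, and not part of the original bug), the C routine below walks a DER-encoded X.509 Extensions SEQUENCE and reports which revocation sources a certificate actually advertises. It goes one step beyond the description by checking that the AIA extension names an OCSP responder (accessMethod id-ad-ocsp) rather than only a caIssuers URL, which is the check a client needs before it can rely on the AIA extension for OCSP. The sample bytes are constructed for this example, and the function and flag names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bit flags returned by revocation_sources() (names are this example's own). */
enum { REV_NONE = 0, REV_CRLDP = 1, REV_OCSP = 2, REV_MALFORMED = -1 };

/* DER contents octets of the OIDs involved. */
static const uint8_t OID_CRLDP[]   = {0x55, 0x1d, 0x1f};                               /* 2.5.29.31 */
static const uint8_t OID_AIA[]     = {0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01, 0x01}; /* 1.3.6.1.5.5.7.1.1 */
static const uint8_t OID_AD_OCSP[] = {0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01}; /* 1.3.6.1.5.5.7.48.1 */

/* Read one DER TLV starting at buf[*off] and advance *off past it. Returns 0 on malformed input. */
static int der_tlv(const uint8_t *buf, size_t len, size_t *off,
                   uint8_t *tag, const uint8_t **val, size_t *vlen)
{
    size_t i = *off, l;
    if (i + 2 > len) return 0;
    *tag = buf[i++];
    l = buf[i++];
    if (l & 0x80) {                                   /* long-form length */
        size_t n = l & 0x7f;
        if (n == 0 || n > sizeof(size_t) || n > len - i) return 0;
        for (l = 0; n; n--) l = (l << 8) | buf[i++];
    }
    if (l > len - i) return 0;                        /* value runs past the buffer */
    *val = buf + i; *vlen = l; *off = i + l;
    return 1;
}

static int oid_is(const uint8_t *oid, size_t n, const uint8_t *want, size_t wn)
{
    return n == wn && memcmp(oid, want, n) == 0;
}

/* AuthorityInfoAccessSyntax ::= SEQUENCE OF AccessDescription { accessMethod OID, accessLocation }.
 * Returns 1 if some accessMethod is id-ad-ocsp, 0 if not, -1 on malformed input. */
static int aia_has_ocsp(const uint8_t *aia, size_t len)
{
    uint8_t tag; const uint8_t *seq, *ad, *oid; size_t seqlen, adlen, oidlen, off = 0, p = 0;
    if (!der_tlv(aia, len, &off, &tag, &seq, &seqlen) || tag != 0x30 || off != len) return -1;
    while (p < seqlen) {
        size_t q = 0;
        if (!der_tlv(seq, seqlen, &p, &tag, &ad, &adlen) || tag != 0x30) return -1;
        if (!der_tlv(ad, adlen, &q, &tag, &oid, &oidlen) || tag != 0x06) return -1;
        if (oid_is(oid, oidlen, OID_AD_OCSP, sizeof OID_AD_OCSP)) return 1;
    }
    return 0;
}

/* Walk an Extensions SEQUENCE and report which revocation sources the certificate advertises. */
int revocation_sources(const uint8_t *exts, size_t len)
{
    uint8_t tag; const uint8_t *seq, *ext, *oid, *val; size_t seqlen, extlen, oidlen, vlen;
    size_t off = 0, p = 0; int mask = REV_NONE;
    if (!der_tlv(exts, len, &off, &tag, &seq, &seqlen) || tag != 0x30 || off != len) return REV_MALFORMED;
    while (p < seqlen) {
        size_t q = 0;
        if (!der_tlv(seq, seqlen, &p, &tag, &ext, &extlen) || tag != 0x30) return REV_MALFORMED;
        if (!der_tlv(ext, extlen, &q, &tag, &oid, &oidlen) || tag != 0x06) return REV_MALFORMED;
        if (!der_tlv(ext, extlen, &q, &tag, &val, &vlen)) return REV_MALFORMED;
        if (tag == 0x01 && !der_tlv(ext, extlen, &q, &tag, &val, &vlen)) return REV_MALFORMED; /* skip optional critical BOOLEAN */
        if (tag != 0x04) return REV_MALFORMED;        /* extnValue must be an OCTET STRING */
        if (oid_is(oid, oidlen, OID_CRLDP, sizeof OID_CRLDP)) {
            mask |= REV_CRLDP;
        } else if (oid_is(oid, oidlen, OID_AIA, sizeof OID_AIA)) {
            int r = aia_has_ocsp(val, vlen);
            if (r < 0) return REV_MALFORMED;
            if (r) mask |= REV_OCSP;
        }
    }
    return mask;
}

/* Constructed sample (not taken from any real certificate): an Extensions SEQUENCE with a
 * cRLDistributionPoints entry and an authorityInfoAccess entry whose accessMethod is id-ad-ocsp. */
#define SAMPLE_LEN 94
#define SAMPLE_AIA_METHOD_LAST 72   /* index of the last octet of the AIA accessMethod OID */
static const uint8_t SAMPLE_EXTS[SAMPLE_LEN] = {
    0x30, 0x5c,
    /* cRLDistributionPoints, fullName URI http://crl.example/a.crl */
    0x30, 0x29, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04, 0x22, 0x30, 0x20, 0x30, 0x1e,
    0xa0, 0x1c, 0xa0, 0x1a, 0x86, 0x18,
    'h','t','t','p',':','/','/','c','r','l','.','e','x','a','m','p','l','e','/','a','.','c','r','l',
    /* authorityInfoAccess, id-ad-ocsp, URI http://ocsp.example */
    0x30, 0x2f, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01, 0x01,
    0x04, 0x23, 0x30, 0x21, 0x30, 0x1f,
    0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01,
    0x86, 0x13, 'h','t','t','p',':','/','/','o','c','s','p','.','e','x','a','m','p','l','e',
};

/* Sources for the sample; with caissuers_only set, the accessMethod is rewritten to
 * id-ad-caIssuers (...48.2) to show that an AIA extension alone does not imply OCSP. */
int sample_sources(int caissuers_only)
{
    uint8_t copy[SAMPLE_LEN];
    memcpy(copy, SAMPLE_EXTS, SAMPLE_LEN);
    if (caissuers_only) copy[SAMPLE_AIA_METHOD_LAST] = 0x02;
    return revocation_sources(copy, SAMPLE_LEN);
}

int main(void)
{
    printf("sample (CRLDP=1, OCSP=2): %d\n", sample_sources(0));
    printf("AIA with caIssuers only:  %d\n", sample_sources(1));
    printf("truncated input:          %d\n", revocation_sources(SAMPLE_EXTS, 40));
    return 0;
}
```

The result is only a decision about which check to attempt; a verifier still has to fetch the CRL or query the responder, and, as comment 14 below notes, an offline verifier must decide deliberately what to do when that fetch is impossible rather than silently treating the certificate as unrevoked.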
Comment 2 • 24 years ago
Marking signtool bugs as future until 3.3 plan is ready.
Assignee: wtc → mcgreer
Target Milestone: --- → Future
Comment 3 • 24 years ago
Set Target Milestone to NSS 3.3. Assigned the RFE to Bob for evaluation.
Assignee: mcgreer → relyea
Priority: -- → P2
Target Milestone: Future → 3.3
Updated • 23 years ago
Target Milestone: 3.3 → 3.4
Comment 4 • 23 years ago
Wan-Teh, this should be relatively easy (assuming CRLs and OCSP are working;), but it's not a critical function for NSS 3.4, so I'm likely to prioritize this low. (This would be a good candidate for someone else to pick up if we want it in 3.4.) NOTE: half of this should already be done. CRLs should be working with signtool. OCSP only requires an option to turn it on. bob
Comment 5 • 23 years ago
Assigned the bug to Kirk. I don't think this needs to be done in 3.4. It would be a good idea to talk to the bug reporter about the time frame.
Assignee: relyea → kirk.erickson
Comment 6 • 22 years ago
Changed the QA contact to Bishakha.
QA Contact: sonja.mirtitsch → bishakhabanerjee
Updated (Assignee) • 22 years ago
Target Milestone: 3.5 → 3.6
Comment 8 (Assignee) • 22 years ago
Reviewed this bug with Julien. We need to make signtool call CERT_EnableOCSPChecking(handle). Using a cert with the OCSP extension we should then hit:

    ocsp_GetEncodedResponse(PRArenaPool *arena, PRFileDesc *sock)

Stumbled across this typo:

    kirke@iws-perf[51] rgrep OSCP
    ./mozilla/security/nss/cmd/certutil/certutil.c:1497: fprintf(stdout, "%-25s 5 - OSCP Responder\n", "");

Should be OCSP (Online Certificate Status Protocol). Emailed Julien, thinking he might still be touching certutil.c.
Status: NEW → ASSIGNED
Comment 9 (Assignee) • 22 years ago
Adds -O argument to signtool command line, which enables OCSP checking by calling CERT_EnableOCSPChecking().
Comment 10 (Assignee) • 22 years ago
Julien, I've added you to the cc-list for this bug because it's your routine that needs calling. Could you review the patch I've attached? Thanks, kirk
Comment 11 • 22 years ago
Comment on attachment 87149 (Proposed patch): looks good
Attachment #87149 -
Flags: review+
Comment 12 (Assignee) • 22 years ago
Checked in patch to add -O (enable OCSP checking), and closed.
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Comment 13 • 22 years ago
Comment on attachment 87149 (Proposed patch)

Kirk, thanks for coming up with the patch. Some comments.

1. In this block of code, the indentation of the body of the inner if statement is wrong:

>+    if (enableOCSP) {
>+        SECStatus rv = CERT_EnableOCSPChecking(CERT_GetDefaultCertDB());
>+        if (rv != SECSuccess) {
>+        PR_fprintf(errorFD, "ERROR: Attempt to enable OCSP Checking failed.\n");
>+        errorCount++;
>+        retval = -1;
>+        }
> }

2. In the original description of this RFE, the reporter asks that OCSP be used if the certificate that corresponds to the signing key has an Authority Info Access extension in it. In your patch, the use of OCSP is controlled by the -O option. This is not exactly what the original RFE asks for.

3. Your patch does not check CRLs, so we might want to edit the bug's summary to reflect what actually got implemented.
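Review bot: In the quoted block, the failure path reports only "Attempt to enable OCSP Checking failed." and discards the NSS error code; include PR_GetError() in the PR_fprintf call so a user can tell why enabling failed (no responder configured, bad cert DB handle, and so on). It is also worth confirming from the surrounding code that setting retval = -1 and bumping errorCount actually stops verification, rather than letting signtool continue and verify without OCSP after the user explicitly asked for it with -O; a silent fall-back to no revocation checking would defeat the purpose of the option.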
Comment 14 • 22 years ago
Wan-Teh, I would say that it is preferable to keep OCSP an option, because some people may be running signtool offline, or in a non-Internet network where they won't be able to reach OCSP responders for checking. So it should not be enabled by default. As far as CRLs, they should already be checked automatically if they are installed in the cert DB, but the CRL distribution point is not handled yet. See bug http://bugzilla.mozilla.org/show_bug.cgi?id=133191
Comment 15 • 22 years ago
Please ignore my comments 2 and 3 in comment #13. Kirk and Julien have both responded to my questions. Thanks. Kirk, you just need to fix the indentation of that if statement.
Comment 16 (Assignee) • 22 years ago
I fixed the indentation shortly after seeing comment #15.