871954 - Enable OCSP fetching using the GET method in Gecko

Status: RESOLVED WONTFIX

(Core :: Security: PSM, defect, P5)

Description

[Rand Dow [:randix]]

Adding tests to verify that OCSP GET works properly.

Comment 1

[Rand Dow [:randix]]

Attachment: v1 TestOCSPGetPost

This is the first cut at a PSM test for OCSP GET/POST.

I am requesting a concept review. This code almost works, but is missing some final detail in the OCSPRequest handling.

TBD: the certs need to be moved from the tree to the obj-dir by the Makefile

Comment 2

[Rand Dow [:randix]]

To help with pursuing this:

There are three "XXX" comments in the test. They need to be fixed. This involves using the IP port number, and getting the Certs into the right place in the <obj-dir>.

Otherwise, dkeeler can probably quickly finish the certificate handling, it "almost works".

Comment 3

[Dana Keeler (she/her) (use needinfo) [:keeler] (on leave)]

Comment on attachment 759755 [details] [diff] [review]
v1 TestOCSPGetPost

Review of attachment 759755 [details] [diff] [review]:
-----------------------------------------------------------------

A couple of ideas:
1. Does gen_ocsp_certs.sh do the same thing as in the stapling patch? If so, we should see if we can just factor it and the resulting certificates out so they can be shared between tests.
2. I think it would be worthwhile to see if we can combine the stapling server with the responder you've got here.
3. If you re-write this as an xpcshell test, the certificates will be put in the right place by the build/test infrastructure. One problem is that CERT_CheckOCSPStatus isn't directly exposed in an idl, but it looks like it could get called through requestUsagesArrayAsync or something similar. You would have to do some back-channel communication with the server to see what requests were being sent to it.
4. Also, since this is based on the original stapling server, I imagine the reviews of that file would be helpful here, too: bug 700693 comment 23, etc.

Comment 4

[Brian Smith (:briansmith, :bsmith, use NEEDINFO?)]

Comment on attachment 759755 [details] [diff] [review]
v1 TestOCSPGetPost

Dropping this review request for now. When somebody picks up the bug, if they want me to review this patch as-is, then please request review again.

Comment 5

[Brian Smith (:briansmith, :bsmith, use NEEDINFO?)]

Marking blocking some of the insanity::pkix work since now OCSP GET has landed in NSS so we will pick it up in the next NSS update, which we will take before insanity::pkix gets turned on. Also, now that the NSS patches have landed, we should be able to use our HTTP cache as the OCSP caching mechanism instead of creating a separate OCSP cache. We need to make sure that our HTTP cache is actually caching the OCSP responses in a useful way though.

Comment 6

[Brian Smith (:briansmith, :bsmith, use NEEDINFO?)]

Depends on fixing bug 933109 because, without OCSP GET, restarting Firefox is one way of working around bug 933109. With OCSP GET, that workaround may or may not work. We need to at know that before proceeding here.

Depends on NSS 3.15.3 (bug 898431) because that is the first NSS release that includes OCSP GET support.

Comment 7

[Dana Keeler (she/her) (use needinfo) [:keeler] (on leave)]

Bug 1456489 removed OCSP GET.