Closed
Bug 1007892
Opened 11 years ago
Closed 11 years ago
Firmaprofesional sec_error_ocsp_invalid_signing_cert due to OCSP response being signed by wrong certificate
Categories: NSS :: CA Certificates Code, task
Tracking: (Not tracked)
Status: RESOLVED FIXED
People
(Reporter: mwobensmith, Assigned: kathleen.a.wilson)
References
Details
Attachments
(2 files)
With this preference set to true, the site https://www.ssreyes.org displays this error.
We should investigate to make sure we are correctly verifying the certificate that signs the response.
Updated•11 years ago
Blocks: mozilla::pkix-beta
Comment 1•11 years ago
What I'm seeing here is that the OCSP responder's issuer is "C=ES/emailAddress=ca1@firmaprofesional.com, L=C/ Muntaner 244 Barcelona, OU=Consulte http://www.firmaprofesional.com, OU=Jerarquia de Certificacion Firmaprofesional, O=Firmaprofesional S.A. NIF A-62634068, CN=AC Firmaprofesional - CA1"
The site's certificate's issuer is "C=ES, O=Firmaprofesional SA, OU=Certificados Digitales para la Administracion Publica/serialNumber=A62634068, CN=AC Firmaprofesional - AAPP Validity", which doesn't match.
My reading of RFC 6960 section 4.2.2.2 is that a delegated OCSP responder must be issued by the same certificate that issued the end-entity certificate, which appears not to be the case here.
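The reading of RFC 6960 section 4.2.2.2 given above can be written out as a small decision function. This is an added example, not code from NSS, mozilla::pkix or this bug; the Cert class, the responder subject names and the site certificate entry are constructed, while the two issuer names are the ones quoted in this comment.

```python
"""Model of the RFC 6960 section 4.2.2.2 check on who may sign an OCSP response.

A response is acceptable only if its signer is (a) the CA that issued the checked
certificate, (b) a locally trusted responder, or (c) a delegated responder whose
certificate was issued by that same CA and carries the id-kp-OCSPSigning EKU.
Names are compared as normalized strings here; NSS compares DER-encoded Names.
"""
from dataclasses import dataclass, field
from typing import Optional, Tuple

OCSP_SIGNING_EKU = "1.3.6.1.5.5.7.3.9"  # id-kp-OCSPSigning
INVALID_SIGNING_CERT = "SEC_ERROR_OCSP_INVALID_SIGNING_CERT"

@dataclass(frozen=True)
class Cert:  # constructed stand-in for a parsed X.509 certificate
    subject: str
    issuer: str
    ekus: frozenset = field(default_factory=frozenset)

def _norm(dn: str) -> str:
    """Collapse case and spacing so 'C=ES, O=X' and 'c=es,o=x' compare equal."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def check_ocsp_signer(ee: Cert, signer: Cert, trusted: Tuple[str, ...] = ()) -> Optional[str]:
    """Return None if `signer` may vouch for `ee`, otherwise the NSS error name."""
    ee_issuer = _norm(ee.issuer)
    if _norm(signer.subject) == ee_issuer:
        return None  # (a) response signed by the issuing CA itself
    if any(_norm(t) == _norm(signer.subject) for t in trusted):
        return None  # (b) explicitly configured trusted responder
    if OCSP_SIGNING_EKU in signer.ekus and _norm(signer.issuer) == ee_issuer:
        return None  # (c) delegated responder issued by the same CA
    return INVALID_SIGNING_CERT

# Constructed inputs built from the two issuer names quoted in comment 1.
AAPP_CA = ("C=ES, O=Firmaprofesional SA, OU=Certificados Digitales para la "
           "Administracion Publica/serialNumber=A62634068, CN=AC Firmaprofesional - AAPP Validity")
CA1 = ("C=ES/emailAddress=ca1@firmaprofesional.com, L=C/ Muntaner 244 Barcelona, "
       "OU=Consulte http://www.firmaprofesional.com, OU=Jerarquia de Certificacion "
       "Firmaprofesional, O=Firmaprofesional S.A. NIF A-62634068, CN=AC Firmaprofesional - CA1")
SITE_CERT = Cert(subject="CN=www.ssreyes.org", issuer=AAPP_CA)
# Responder as reported: delegated certificate issued by the unrelated CA1.
WRONG_RESPONDER = Cert("CN=OCSP Responder (constructed)", CA1, frozenset({OCSP_SIGNING_EKU}))
# Responder as promised in comment 13: issued by the same sub-CA as the site certificate.
FIXED_RESPONDER = Cert("CN=OCSP Responder (constructed)", AAPP_CA, frozenset({OCSP_SIGNING_EKU}))

if __name__ == "__main__":
    print(check_ocsp_signer(SITE_CERT, WRONG_RESPONDER))  # SEC_ERROR_OCSP_INVALID_SIGNING_CERT
    print(check_ocsp_signer(SITE_CERT, FIXED_RESPONDER))  # None
```

A delegated certificate from the right CA but without the OCSP signing EKU is rejected the same way, which is the other common misconfiguration behind this error.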
Comment 2•11 years ago
Comment 3•11 years ago
Comment 4•11 years ago
Assuming David is correct, I think we should resolve this as INVALID.
wtc, rrelyea, rsleevi: Thoughts on this? In particular, it seems like if NSS is accepting these OCSP responses then there's potentially a serious security issue with NSS's OCSP processing: accepting OCSP responses signed by an unrelated sub-CA. Note that this is the issue that I brought up a few months ago.
kwilson: Can you ask the CA about this? It seems like a significant issue that they need to correct ASAP.
Group: crypto-core-security
Comment 5•11 years ago
I just tried this using classic verification with OCSP.require=true, and it also displays the error. So, I think NSS is doing the right thing as well, here.
Comment 6•11 years ago
I agree we should resolve this bug as INVALID.
Brian: in comment 4 you were just asking a hypothetical question, rather than stating for a fact that NSS is accepting these OCSP responses, right?
This MXR query shows nss/lib/certhigh/ocsp.c sets the
SEC_ERROR_OCSP_INVALID_SIGNING_CERT error code:
http://mxr.mozilla.org/mozilla-central/ident?i=SEC_ERROR_OCSP_INVALID_SIGNING_CERT
Comment 7•11 years ago
Rather than resolving this bug as invalid, how about:
Rename the bug to "Firmaprofesional sec_error_ocsp_invalid_signing_cert error"
Move the bug to Product: mozilla.org, Component:CA Certificates (assign to me)
And make the bug not Security-Sensitive
OK?
Comment 8•11 years ago
(In reply to Wan-Teh Chang from comment #6)
> I agree we should resolve this bug as INVALID.
>
> Brian: in comment 4 you were just asking a hypothetical question, rather than stating for a fact that NSS is accepting these OCSP responses, right?
I think I may have misunderstood why Matt filed the bug. Matt, did you file the bug because this website used to work in Firefox 30 (even with security.OCSP.require=true) and stopped working in Firefox 31 with security.OCSP.require=true? Or, did you file it just because the site doesn't work in Firefox 31 with security.OCSP.require=true?
(In reply to Kathleen Wilson from comment #7)
> OK?
OK.
Assignee: nobody → nobody
Component: Security: PSM → CA Certificates
Flags: needinfo?(mwobensmith)
Product: Core → NSS
Summary: With security.OCSP.require=true, a site displays error: sec_error_ocsp_invalid_signing_cert → Firmaprofesional sec_error_ocsp_invalid_signing_cert due to OCSP response being signed by wrong certificate
Version: 31 Branch → trunk
Comment 9•11 years ago
Chema, here's the bug regarding the OCSP issue that I sent you email about.
Comment 10•11 years ago
I noticed it when I tested security.OCSP.require=true in Fx31 vs default of Fx31.
I mentioned it to David and he suggested that we investigate, just to make sure we were doing the right thing.
Flags: needinfo?(mwobensmith)
Comment 11•11 years ago
(In reply to Matt Wobensmith from comment #10)
> I noticed it when I tested security.OCSP.require=true in Fx31 vs default of Fx31.
>
> I mentioned it to David and he suggested that we investigate, just to make sure we were doing the right thing.
Thanks. I am going to open this bug then.
Fx31 security.OCSP.require=true vs Fx30 security.OCSP.require=true would also be a good test, to identify regressions, if we have resources for doing that.
Group: crypto-core-security
Comment 12•11 years ago
I'm running Firefox 30 with OCSP hard fail enabled, and https://www.ssreyes.org/ results in
Invalid OCSP signing certificate in OCSP response. (Error code: sec_error_ocsp_invalid_signing_cert)
Updated•11 years ago
Assignee: nobody → kwilson
Comment 13•11 years ago
(In reply to Kathleen Wilson from comment #9)
> Chema, here's the bug regarding the OCSP issue that I sent you email about.
Thanks, Kathleen. We were not aware of this bug until you CCed me.
We are starting work on it today, and by next Friday we will sign OCSP responses with an OCSP cert issued by the same sub-CA that issues the EE certificate.
Comment 14•11 years ago
We have solved the issue!
Can a third party test it, please?
Thanks to everyone!
Comment 15•11 years ago
(In reply to chemalogo from comment #14)
> We have solved the issue!
>
> Can a third party test it, please?
>
> Thanks to everyone!
Looks good to me. I tested on today's Fx31 with security.OCSP.require=true.
Updated•11 years ago
Status: NEW → ASSIGNED
Comment 16•11 years ago
Looks good to me too. Thanks!
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED