Closed Bug 1007892 Opened 10 years ago Closed 10 years ago

Firmaprofesional sec_error_ocsp_invalid_signing_cert due to OCSP response being signed by wrong certificate

Categories

(NSS :: CA Certificates Code, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: mwobensmith, Assigned: kathleen.a.wilson)

References

Details

Attachments

(2 files)

With this preference set to true, the site https://www.ssreyes.org displays this error. 

We should investigate to make sure we are correctly verifying the certificate that signs the response.
Blocks: 1007895
No longer blocks: 1007895
What I'm seeing here is that the OCSP responder's issuer is "C=ES/emailAddress=ca1@firmaprofesional.com, L=C/ Muntaner 244 Barcelona, OU=Consulte http://www.firmaprofesional.com, OU=Jerarquia de Certificacion Firmaprofesional, O=Firmaprofesional S.A. NIF A-62634068, CN=AC Firmaprofesional - CA1"

The site's certificate's issuer is "C=ES, O=Firmaprofesional SA, OU=Certificados Digitales para la Administracion Publica/serialNumber=A62634068, CN=AC Firmaprofesional - AAPP Validity", which doesn't match.

My reading of RFC 6960 section 4.2.2.2 is that a delegated OCSP responder must be issued by the same certificate that issued the end-entity certificate, which appears to not be the case here.
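The check David describes, as an added example that is not code from this bug, from NSS/PSM or from Firmaprofesional: it implements RFC 6960 section 4.2.2.2 (a response must be signed either by the CA that issued the end-entity certificate, or by a delegated responder whose certificate was issued by that same CA and carries id-kp-OCSPSigning; the "locally trusted responder" case is deliberately not modelled) and replays the reported hierarchy with locally generated keys, using Python's `cryptography` package. The two sub-CA common names are taken from the bug; the root CA, all keys, serial numbers, the host certificate's shape and the responder's name are constructed for the example and are not the real Firmaprofesional certificates.

```python
"""RFC 6960 s.4.2.2.2 OCSP signer check, replaying the Firmaprofesional case.

Added example; not code from the bug, NSS/PSM or the CA. Everything below is
generated locally (constructed root, keys, serials) so it runs offline.
"""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

NOW = datetime.datetime(2014, 5, 15)  # naive UTC; the builders accept this


def name(cn):
    """Build a one-attribute DN; real DNs are longer (see the bug), CN suffices here."""
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_cert(subject_cn, issuer_name, key, issuer_key, ca=False, ocsp_signing=False):
    """Issue a certificate for key, signed by issuer_key (constructed hierarchy)."""
    builder = (x509.CertificateBuilder()
               .subject_name(name(subject_cn))
               .issuer_name(issuer_name)
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(NOW)
               .not_valid_after(NOW + datetime.timedelta(days=365))
               .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    if ocsp_signing:  # the "specially marked" responder certificate of s.4.2.2.2
        builder = builder.add_extension(
            x509.ExtendedKeyUsage([ExtendedKeyUsageOID.OCSP_SIGNING]), critical=False)
    return builder.sign(issuer_key, hashes.SHA256())


def make_ocsp_response(ee, ee_issuer, signer_cert, signer_key):
    """Sign a 'good' response for ee with signer_key, embedding signer_cert."""
    builder = (ocsp.OCSPResponseBuilder()
               .add_response(cert=ee, issuer=ee_issuer, algorithm=hashes.SHA1(),
                             cert_status=ocsp.OCSPCertStatus.GOOD,
                             this_update=NOW, next_update=NOW + datetime.timedelta(days=1),
                             revocation_time=None, revocation_reason=None)
               .responder_id(ocsp.OCSPResponderEncoding.NAME, signer_cert)
               .certificates([signer_cert]))
    return builder.sign(signer_key, hashes.SHA256())


def _sig_ok(pubkey, signature, data, hash_alg):
    """ECDSA-only for brevity; all constructed keys are P-256."""
    try:
        pubkey.verify(signature, data, ec.ECDSA(hash_alg))
        return True
    except InvalidSignature:
        return False


def verify_ocsp_signer(resp, ee_issuer):
    """Return (accepted, reason) for a response about a cert issued by ee_issuer.

    Accepts only (1) a response signed by ee_issuer's own key, or (3) a delegated
    responder whose certificate is issued *by ee_issuer* and has id-kp-OCSPSigning.
    """
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return False, "response status not successful"
    sig_args = (resp.signature, resp.tbs_response_bytes, resp.signature_hash_algorithm)
    # Case 1: the issuing CA signed the response directly.
    if resp.responder_name == ee_issuer.subject:
        if _sig_ok(ee_issuer.public_key(), *sig_args):
            return True, "signed by the issuing CA"
        return False, "signature does not verify under the issuing CA key"
    # Case 3: delegated responder; locate its certificate among the embedded ones.
    for cand in resp.certificates:
        if cand.subject != resp.responder_name:
            continue
        if cand.issuer != ee_issuer.subject:
            # The Firmaprofesional situation: responder issued by an unrelated sub-CA.
            return False, "sec_error_ocsp_invalid_signing_cert: responder not issued by the EE issuer"
        if not _sig_ok(ee_issuer.public_key(), cand.signature, cand.tbs_certificate_bytes,
                       cand.signature_hash_algorithm):
            return False, "responder certificate not actually signed by the EE issuer"
        try:
            eku = cand.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        except x509.ExtensionNotFound:
            return False, "responder certificate lacks extendedKeyUsage"
        if ExtendedKeyUsageOID.OCSP_SIGNING not in eku:
            return False, "responder certificate lacks id-kp-OCSPSigning"
        if not _sig_ok(cand.public_key(), *sig_args):
            return False, "signature does not verify under the responder key"
        return True, "signed by a delegated responder issued by the EE issuer"
    return False, "no certificate for the named responder"


def demo():
    """Replay the bug: EE from 'AAPP Validity', responder from 'CA1', then the fix."""
    root_key, aapp_key, ca1_key, ee_key, resp_key = (
        ec.generate_private_key(ec.SECP256R1()) for _ in range(5))
    root = make_cert("Constructed Root", name("Constructed Root"), root_key, root_key, ca=True)
    aapp = make_cert("AC Firmaprofesional - AAPP Validity", root.subject, aapp_key, root_key, ca=True)
    ca1 = make_cert("AC Firmaprofesional - CA1", root.subject, ca1_key, root_key, ca=True)
    ee = make_cert("www.ssreyes.org", aapp.subject, ee_key, aapp_key)
    # As deployed when the bug was filed: responder issued by CA1, not by the EE's issuer.
    wrong_responder = make_cert("OCSP Responder", ca1.subject, resp_key, ca1_key, ocsp_signing=True)
    # As the CA fixed it: responder issued by the same sub-CA that issued the EE.
    fixed_responder = make_cert("OCSP Responder", aapp.subject, resp_key, aapp_key, ocsp_signing=True)
    return {
        "issuer_signed": verify_ocsp_signer(make_ocsp_response(ee, aapp, aapp, aapp_key), aapp),
        "delegated_wrong_ca": verify_ocsp_signer(make_ocsp_response(ee, aapp, wrong_responder, resp_key), aapp),
        "delegated_fixed": verify_ocsp_signer(make_ocsp_response(ee, aapp, fixed_responder, resp_key), aapp),
    }


if __name__ == "__main__":
    for scenario, (accepted, reason) in demo().items():
        print(f"{scenario:20s} accepted={accepted} ({reason})")
```

The order of checks in the delegated branch matters: the issuer-name comparison and the signature check under the issuer's key together are what reject a responder certificate from another sub-CA, and the EKU check alone would not (a CA1-issued responder carries id-kp-OCSPSigning just as validly). A verifier that only checks "chains to a trusted root plus has the OCSP-signing EKU" is exactly the "accepting OCSP responses signed by an unrelated sub-CA" failure discussed later in this bug.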
Assuming David is correct, I think we should resolve this as INVALID.

wtc, rrelyea, rsleevi: Thoughts on this? In particular, it seems like if NSS is accepting these OCSP responses then there's potentially a serious security issue with NSS's OCSP processing: accepting OCSP responses signed by an unrelated sub-CA. Note that this is the issue that I brought up a few months ago.

kwilson: Can you ask the CA about this? It seems like a significant issue that they need to correct ASAP.
Group: crypto-core-security
I just tried this using classic verification with OCSP.require=true, and it also displays the error. So, I think NSS is doing the right thing as well, here.
I agree we should resolve this bug as INVALID.

Brian: in comment 4 you were just asking a hypothetical question, rather
than stating for a fact that NSS is accepting these OCSP responses, right?

This MXR query shows nss/lib/certhigh/ocsp.c sets the
SEC_ERROR_OCSP_INVALID_SIGNING_CERT error code:
http://mxr.mozilla.org/mozilla-central/ident?i=SEC_ERROR_OCSP_INVALID_SIGNING_CERT
Rather than resolving this bug as invalid, how about:

Rename the bug to "Firmaprofesional sec_error_ocsp_invalid_signing_cert error"
Move the bug to Product: mozilla.org, Component:CA Certificates (assign to me)
And make the bug not Security-Sensitive

OK?
(In reply to Wan-Teh Chang from comment #6)
> I agree we should resolve this bug as INVALID.
> 
> Brian: in comment 4 you were just asking a hypothetical question, rather
> than stating for a fact that NSS is accepting these OCSP responses, right?

I think I may have misunderstood why Matt filed the bug. Matt, did you file the bug because this website used to work in Firefox 30 (even with security.OCSP.require=true) and stopped working in Firefox 31 with security.OCSP.require=true? Or, did you file it just because the site doesn't work in Firefox 31 with security.OCSP.require=true?

(In reply to Kathleen Wilson from comment #7)
> OK?

OK.
Assignee: nobody → nobody
Component: Security: PSM → CA Certificates
Flags: needinfo?(mwobensmith)
Product: Core → NSS
Summary: With security.OCSP.require=true, a site displays error: sec_error_ocsp_invalid_signing_cert → Firmaprofesional sec_error_ocsp_invalid_signing_cert due to OCSP response being signed by wrong certificate
Version: 31 Branch → trunk
Chema, here's the bug regarding the OCSP issue that I sent you email about.
I noticed it when I tested security.OCSP.require=true in Fx31 vs default of Fx31.

I mentioned it to David and he suggested that we investigate, just to make sure we were doing the right thing.
Flags: needinfo?(mwobensmith)
(In reply to Matt Wobensmith from comment #10)
> I noticed it when I tested security.OCSP.require=true in Fx31 vs default of
> Fx31.
> 
> I mentioned it to David and he suggested that we investigate, just to make
> sure we were doing the right thing.

Thanks. I am going to open this bug then.

Fx31 security.OCSP.require=true vs Fx30 security.OCSP.require=true would also be a good test, to identify regressions, if we have resources for doing that.
Group: crypto-core-security
I'm running Firefox 30 with OCSP hard fail enabled, and https://www.ssreyes.org/ results in 
Invalid OCSP signing certificate in OCSP response. (Error code: sec_error_ocsp_invalid_signing_cert)
Assignee: nobody → kwilson
(In reply to Kathleen Wilson from comment #9)
> Chema, here's the bug regarding the OCSP issue that I sent you email about.

Thanks, Kathleen. We were not aware of this bug until you CC'd me.

We started working on it today, and by next Friday we will sign OCSP responses with an OCSP certificate issued by the same sub-CA that issues the EE certificate.
We have solved the issue!

Can a third party test it, please?

Thanks to everyone!
(In reply to chemalogo from comment #14)
> We have solved the issue!
> 
> Can a third party test it, please?
> 
> Thanks to everyone!

Looks good to me. I tested on today's Fx31 with security.OCSP.require=true.
Status: NEW → ASSIGNED
Looks good to me too.  Thanks!
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED