Open Bug 1050451 Opened 6 years ago Updated 3 years ago

mozilla::pkix::VerifyEncodedOCSPResponse doesn't return validity period of the signer cert

Core :: Security: PSM, defect, P3

Reporter: briansmith, Unassigned

Keywords: helpwanted, Whiteboard: [psm-backlog]

mozilla::pkix::VerifyEncodedOCSPResponse returns the thisUpdate and nextUpdate times from the OCSP response, which are used by the OCSP response caching logic to determine whether and/or for how long to cache the response. However, the validity period of the signer certificate (whether it is the issuer, or a delegated responder) is also a factor in how a response should be used and cached.

I propose that we change VerifyEncodedOCSPResponse, replacing the thisUpdate and nextUpdate output parameters with notBefore and notAfter output parameters, where notBefore = max(signer.notBefore, response.thisUpdate) and notAfter = min(signer.notAfter, response.nextUpdate), with the edge cases of the OCSP response fields (e.g. missing nextUpdate) handled the same way we currently do.
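The intersection proposed above, worked through as an added example (this is not mozilla::pkix code; it uses plain epoch seconds instead of mozilla::pkix::Time, and the fallback for a missing nextUpdate is an assumed placeholder lifetime, since the current pkix handling is not described here). It also shows the one case the formula creates that the raw thisUpdate/nextUpdate pair cannot: an empty window, where the signer's validity and the response's validity do not overlap, which a cache should treat as "do not cache".

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <optional>

// Epoch seconds stand in for mozilla::pkix::Time (assumption of this example).
using Seconds = std::int64_t;

struct SignerCert {
  Seconds notBefore;   // signer certificate notBefore (issuer or delegated responder)
  Seconds notAfter;    // signer certificate notAfter
};

struct OCSPResponseTimes {
  Seconds thisUpdate;                  // always present in a SingleResponse
  std::optional<Seconds> nextUpdate;   // OPTIONAL in RFC 6960
};

struct ValidityWindow {
  Seconds notBefore;
  Seconds notAfter;
  // True when the signer's validity and the response's validity do not overlap.
  bool empty() const { return notBefore > notAfter; }
};

// Placeholder: how long a response without nextUpdate is treated as fresh.
// The real pkix default is not stated on this page; this value is assumed.
constexpr Seconds kAssumedMaxLifetime = 10 * 24 * 60 * 60;

// notBefore = max(signer.notBefore, response.thisUpdate)
// notAfter  = min(signer.notAfter,  response.nextUpdate-or-fallback)
ValidityWindow ComputeCacheWindow(const SignerCert& signer,
                                  const OCSPResponseTimes& resp) {
  Seconds responseEnd = resp.nextUpdate
                            ? *resp.nextUpdate
                            : resp.thisUpdate + kAssumedMaxLifetime;
  return ValidityWindow{std::max(signer.notBefore, resp.thisUpdate),
                        std::min(signer.notAfter, responseEnd)};
}

// A cache entry is only worth storing if the window is non-empty and still
// open at the time of caching; the caller would expire it at window.notAfter.
bool ShouldCache(const ValidityWindow& window, Seconds now) {
  return !window.empty() && now >= window.notBefore && now <= window.notAfter;
}

int main() {
  // Constructed sample: a short-lived delegated responder cert (3000..3500)
  // signing a response that claims freshness for 2000..4000.
  SignerCert responder{3000, 3500};
  OCSPResponseTimes resp{2000, 4000};
  ValidityWindow w = ComputeCacheWindow(responder, resp);
  std::printf("window [%lld, %lld] cache=%d\n",
              static_cast<long long>(w.notBefore),
              static_cast<long long>(w.notAfter),
              ShouldCache(w, 3200));
  return 0;
}
```

The clamp to the signer's notAfter is the security-relevant half: without it a response signed by an expiring delegated responder would stay cached up to the response's own nextUpdate, past the point where the signature chain is no longer valid.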
Keywords: helpwanted
Whiteboard: [good next bug]
Whiteboard: [good next bug] → [psm-backlog]