mozilla::pkix should provide a parser for the Authority Information Access (AIA) certificate construct

Status: NEW (Unassigned)
Product: Core
Component: Security: PSM
Priority: P5
Severity: normal
Version: Trunk
Reporter: briansmith
Blocks: 1 bug
Keywords: helpwanted
Whiteboard: [psm-backlog]
Reported 3 years ago, last updated 8 months ago

Right now PSM parses the AIA field in order to do OCSP fetching using code that was copied and modified from NSS:
https://hg.mozilla.org/mozilla-central/annotate/0c2f7434c325/security/certverifier/NSSCertDBTrustDomain.cpp#l295

It would be better for mozilla::pkix to provide the parser, so Firefox doesn't need to do it, and so other products can make use of it. In particular, I'm working on making mozilla::pkix into a good foundation for implementing OCSP stapling in servers, and they need a good parser for the AIA information so they can fetch the response to staple.

I'm picturing this having an interface like this:

enum class AIAAccessMethod
{
  id_ad_caIssuers,
  id_ad_ocsp,
};

class AIAChecker
{
public:
   virtual ~AIAChecker() { }

   // url will be the URL given in the AIA entry. Check should
   // return Success with keepGoing == false to stop iterating
   // early, Success with keepGoing == true to keep iterating,
   // or an error code to stop with an error.
   //
   // Note that no checking of the syntactic or semantic validity
   // of the URL is done before Check is called. Check must
   // completely validate the URL itself.
   virtual Result Check(Input url, /*out*/ bool& keepGoing) = 0;
};

// aia must be a DER-encoded Authority Information Access
// (AIA) field. Checker will be called for every URL, if any,
// contained in the AIA field that has the given access method.
//
// Note that no checking of the syntactic or semantic validity of
// the URL is done before checker.Check is called. Check must
// completely validate the URL itself.
Result EnumerateAIAURLs(Input aia, AIAAccessMethod accessMethod,
                        AIAChecker& checker);

Then Firefox's NSSCertDBTrustDomain code can be modified to use EnumerateAIAURLs.

Note that in the case of a server-side implementation of OCSP stapling, it is important to have access to all the URLs, not just one like Firefox needs.

Also note that the license of the current code in NSSCertDBTrustDomain.cpp is MPL, but the code in mozilla::pkix is Apache + MPL, so we can't copy/paste any of the code from NSSCertDBTrustDomain.cpp into the new mozilla::pkix code.

In a follow-up bug to this bug, we should consider adding some validation code to make sure the URL is at least syntactically valid. But, for the purpose of this bug, it is OK for that checking to be the responsibility of the callback.
The spec for this is at http://tools.ietf.org/html/rfc5280#section-4.2.2.1.

Please use the Input/Reader classes in security/pkix/include/pkix/Input.h for the parsing. If new tests are needed, then please put the tests in security/pkix/test/gtest/.
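The following is an added example, not code from the bug or from mozilla::pkix, showing what an implementation of the sketched EnumerateAIAURLs/AIAChecker interface looks like over the DER structure in RFC 5280 section 4.2.2.1. The Input and Reader types here are small stand-ins written for this example rather than the classes in security/pkix/include/pkix/Input.h, the Result enum is reduced to two values, and the AIA value it parses is constructed inline with placeholder host names. It also covers the two behaviours the bug calls out: a checker that stops after the first URL (Firefox's case) and one that collects every URL (the server-side stapling case), while rejecting non-minimal or truncated DER anywhere in the extension.

```cpp
// Added example (not mozilla::pkix or PSM code). Input/Reader are stand-ins
// for mozilla::pkix's own classes; OID constants and hosts below are assumed.
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <initializer_list>
#include <string>
#include <vector>

enum class Result { Success, ErrorBadDER };
enum class AIAAccessMethod { id_ad_caIssuers, id_ad_ocsp };

// Non-owning view of a byte range (stand-in for mozilla::pkix's Input).
struct Input { const uint8_t* data; size_t len; };

// Forward-only cursor over an Input (stand-in for mozilla::pkix's Reader).
class Reader {
public:
  explicit Reader(Input in) : p_(in.data), end_(in.data + in.len) {}
  bool AtEnd() const { return p_ == end_; }
  // Reads one TLV. DER lengths must be minimal: short form below 128, the
  // 0x81 long form only for 128..255. The 0x82 form is omitted here; a
  // production parser must accept it. Anything else is rejected as bad DER.
  bool ReadTLV(uint8_t& tag, Input& value) {
    uint8_t first;
    if (!ReadByte(tag) || !ReadByte(first)) return false;
    size_t len;
    if (first < 0x80) { len = first; }
    else if (first == 0x81) { uint8_t l; if (!ReadByte(l) || l < 0x80) return false; len = l; }
    else return false;
    if (static_cast<size_t>(end_ - p_) < len) return false;  // truncated value
    value = Input{p_, len};
    p_ += len;
    return true;
  }
private:
  bool ReadByte(uint8_t& b) { if (p_ == end_) return false; b = *p_++; return true; }
  const uint8_t* p_;
  const uint8_t* end_;
};

class AIAChecker {
public:
  virtual ~AIAChecker() {}
  // Receives the raw, unvalidated URL bytes of each matching entry.
  virtual Result Check(Input url, /*out*/ bool& keepGoing) = 0;
};

// DER-encoded OIDs: id-ad-ocsp 1.3.6.1.5.5.7.48.1 and id-ad-caIssuers 1.3.6.1.5.5.7.48.2.
static const uint8_t kOidOcsp[8]      = {0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01};
static const uint8_t kOidCaIssuers[8] = {0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x02};

static bool InputEquals(Input a, const uint8_t* b, size_t blen) {
  if (a.len != blen) return false;
  for (size_t i = 0; i < blen; ++i) if (a.data[i] != b[i]) return false;
  return true;
}

// AuthorityInfoAccessSyntax ::= SEQUENCE SIZE (1..MAX) OF AccessDescription
// AccessDescription ::= SEQUENCE { accessMethod OID, accessLocation GeneralName }
// Only uniformResourceIdentifier ([6] IMPLICIT IA5String, tag 0x86) is a URL;
// other GeneralName choices are skipped. Every entry is still parsed, so
// malformed DER anywhere in the extension is an error whatever the method.
Result EnumerateAIAURLs(Input aia, AIAAccessMethod accessMethod, AIAChecker& checker) {
  const uint8_t* wantOid = accessMethod == AIAAccessMethod::id_ad_ocsp ? kOidOcsp : kOidCaIssuers;
  Reader outer(aia);
  uint8_t tag, locTag;
  Input seq, desc, oid, location;
  if (!outer.ReadTLV(tag, seq) || tag != 0x30 || !outer.AtEnd()) return Result::ErrorBadDER;
  Reader descs(seq);
  if (descs.AtEnd()) return Result::ErrorBadDER;  // SIZE (1..MAX): empty is not allowed
  while (!descs.AtEnd()) {
    if (!descs.ReadTLV(tag, desc) || tag != 0x30) return Result::ErrorBadDER;
    Reader d(desc);
    if (!d.ReadTLV(tag, oid) || tag != 0x06) return Result::ErrorBadDER;
    if (!d.ReadTLV(locTag, location) || !d.AtEnd()) return Result::ErrorBadDER;
    if (locTag != 0x86 || !InputEquals(oid, wantOid, 8)) continue;
    bool keepGoing = false;
    Result r = checker.Check(location, keepGoing);
    if (r != Result::Success) return r;
    if (!keepGoing) return Result::Success;  // callback asked to stop early
  }
  return Result::Success;
}

// Collects every URL seen, stopping after `limit` of them (0 = no limit).
// A server-side stapler uses limit 0; Firefox's single-responder fetch, 1.
struct URLCollector : AIAChecker {
  std::vector<std::string> urls;
  size_t limit;
  explicit URLCollector(size_t l) : limit(l) {}
  Result Check(Input url, bool& keepGoing) override {
    urls.emplace_back(reinterpret_cast<const char*>(url.data), url.len);
    keepGoing = limit == 0 || urls.size() < limit;
    return Result::Success;
  }
};

struct Collected { Result result; std::vector<std::string> urls; };

Collected CollectAIAURLs(const std::vector<uint8_t>& der, AIAAccessMethod method, size_t limit = 0) {
  URLCollector c(limit);
  Result r = EnumerateAIAURLs(Input{der.data(), der.size()}, method, c);
  return Collected{r, c.urls};
}

// --- constructed sample data (placeholder hosts, not from any real certificate) ---
static std::vector<uint8_t> TLV(uint8_t tag, const std::vector<uint8_t>& body) {
  std::vector<uint8_t> out{tag};  // bodies built here are always < 256 bytes
  if (body.size() < 0x80) out.push_back(static_cast<uint8_t>(body.size()));
  else { out.push_back(0x81); out.push_back(static_cast<uint8_t>(body.size())); }
  out.insert(out.end(), body.begin(), body.end());
  return out;
}
static std::vector<uint8_t> AccessDescription(const uint8_t* oid, uint8_t nameTag, const std::string& name) {
  std::vector<uint8_t> body = TLV(0x06, std::vector<uint8_t>(oid, oid + 8));
  std::vector<uint8_t> loc = TLV(nameTag, std::vector<uint8_t>(name.begin(), name.end()));
  body.insert(body.end(), loc.begin(), loc.end());
  return TLV(0x30, body);
}
std::vector<uint8_t> BuildSampleAIA() {
  std::vector<uint8_t> body;
  for (const auto& ad : { AccessDescription(kOidOcsp, 0x86, "http://ocsp1.example.test"),
                          AccessDescription(kOidOcsp, 0x86, "http://ocsp2.example.test"),
                          AccessDescription(kOidCaIssuers, 0x86, "http://ca.example.test/ca.cer"),
                          AccessDescription(kOidCaIssuers, 0x82, "ca.example.test") })  // dNSName, not a URL
    body.insert(body.end(), ad.begin(), ad.end());
  return TLV(0x30, body);  // 150-byte body, so this exercises the 0x81 long-form length
}

int main() {
  Collected all = CollectAIAURLs(BuildSampleAIA(), AIAAccessMethod::id_ad_ocsp);
  assert(all.result == Result::Success && all.urls.size() == 2);
  std::vector<uint8_t> truncated = BuildSampleAIA();
  truncated.pop_back();
  assert(CollectAIAURLs(truncated, AIAAccessMethod::id_ad_ocsp).result == Result::ErrorBadDER);
  for (const auto& u : all.urls) std::printf("ocsp responder: %s\n", u.c_str());
  return 0;
}
```

The checker deliberately receives the raw IA5String bytes and nothing more, matching the bug's note that URL validation is the callback's job; the parser's own job is limited to structural DER checks (tags, minimal lengths, no trailing bytes, non-empty SEQUENCE), which is where a lenient implementation would otherwise accept a malformed extension.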
Whiteboard: [psm-backlog]
Priority: -- → P5