Closed Bug 277968 Opened 20 years ago Closed 10 months ago

Implement OCSP request signing

Categories

(NSS :: Libraries, enhancement)

Tracking

(Not tracked)

RESOLVED INACTIVE

People

(Reporter: wtc, Unassigned)

Attachments

(2 files)

The CERT_CreateOCSPRequest function takes a
signerCert argument, but callers must pass
a null signerCert now because request signing
is not yet implemented.  The code has a comment
explaining how signing of requests should be
implemented:

    we will need to allocate a signature
    structure for the request, fill in the
    "derCerts" field in it, save the signerCert
    there, as well as fill in the "requestorName"
    field of the tbsRequest.
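
The fields named in that code comment, seen from the receiving side, as an added example that is not part of the bug report or of NSS: a minimal DER walker that reports whether an OCSPRequest carries requestorName, optionalSignature and certs (the RFC 6960 field names; mapping NSS's "derCerts" to certs is an assumption). Function and flag names are hypothetical, and the sample bytes are constructed placeholders.

```c
#include <stddef.h>
#include <stdint.h>
typedef struct { uint8_t tag; const uint8_t *val; size_t len; } tlv_t;
enum { HAS_NAME = 1, HAS_SIG = 2, HAS_CERTS = 4 };   /* hypothetical flag names */

/* Read one DER TLV from [p, end); return the byte after it, or NULL if malformed. */
static const uint8_t *der_next(const uint8_t *p, const uint8_t *end, tlv_t *t) {
    if (end - p < 2) return NULL;
    t->tag = *p++;
    size_t len = *p++;
    if (len & 0x80) {                        /* long form: 1 or 2 length bytes only */
        size_t n = len & 0x7f;
        if (n < 1 || n > 2 || (size_t)(end - p) < n) return NULL;
        for (len = 0; n--; ) len = (len << 8) | *p++;
    }
    if ((size_t)(end - p) < len) return NULL;
    t->val = p; t->len = len;
    return p + len;
}

/* 1 if [p, end) holds a child with this tag, 0 if not, -1 if malformed. */
static int has_child(const uint8_t *p, const uint8_t *end, uint8_t tag) {
    tlv_t t; int found = 0;
    while (p < end) {
        if (!(p = der_next(p, end, &t))) return -1;
        found |= (t.tag == tag);
    }
    return found;
}

/* Flags for the signing-related fields of an OCSPRequest, or -1 if malformed. */
int ocsp_signing_fields(const uint8_t *der, size_t n) {
    tlv_t req, tbs, opt, sig;
    if (der_next(der, der + n, &req) != der + n || req.tag != 0x30) return -1;
    const uint8_t *end = req.val + req.len, *p = der_next(req.val, end, &tbs);
    if (!p || tbs.tag != 0x30) return -1;
    int name = has_child(tbs.val, tbs.val + tbs.len, 0xA1);    /* requestorName [1] */
    if (name < 0) return -1;
    if (p == end) return name ? HAS_NAME : 0;                   /* unsigned request */
    if (der_next(p, end, &opt) != end || opt.tag != 0xA0) return -1;  /* optionalSignature [0] */
    if (der_next(opt.val, opt.val + opt.len, &sig) != opt.val + opt.len || sig.tag != 0x30) return -1;
    int certs = has_child(sig.val, sig.val + sig.len, 0xA0);   /* certs [0] */
    if (certs < 0) return -1;
    return HAS_SIG | (name ? HAS_NAME : 0) | (certs ? HAS_CERTS : 0);
}

/* Constructed samples: placeholder values, empty requestList, dummy signature bits. */
static const uint8_t UNSIGNED_REQ[] = { 0x30,0x04, 0x30,0x02, 0x30,0x00 };
static const uint8_t SIGNED_REQ[] = { 0x30,0x1a, 0x30,0x07, 0xa1,0x03,0x82,0x01,0x61, 0x30,0x00,
    0xa0,0x0f, 0x30,0x0d, 0x30,0x03,0x06,0x01,0x2a, 0x03,0x02,0x00,0xff, 0xa0,0x02,0x30,0x00 };
```

RFC 6960 requires a signed request to carry requestorName, so a responder can reject a result with HAS_SIG set and HAS_NAME clear before attempting signature verification.
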

QA Contact: bishakhabanerjee → jason.m.reid

QA Contact: jason.m.reid → libraries

We have implemented the OCSP request signing in NSS 3.12.8. Does anyone still need this? I can submit a patch (~30-40 lines of code were added) which will need a review.

Attachment #508099 - Flags: review?(wtc)
Attachment #508100 - Flags: review?(wtc)

Comment on attachment 508099
OCSP request signing

Thank you for the patch.  The new function needs to
be added to lib/nss/nss.def so that it is exported
from the DLL/shared library.  There are some extraneous
whitespace changes in this patch (near line 2070 and
line 2891), some "if" statement formatting inconsistencies
(the placement of the opening curly braces '{'), and
PR_NOT_IMPLEMENTED_ERROR should be removed instead of
being commented out.

Please provide sample code (such as cmd/ocspclnt) to
show how to use the new function.

Note: I know web browsers don't need OCSP request
signing, but as a general-purpose PKI library, NSS
should probably support OCSP request signing.  Bob,
Nelson, what do you think?

The bug assignee didn't log in to Bugzilla in the last 7 months, so the assignee is being reset.

Assignee: wtc → nobody
Severity: normal → S3
Status: NEW → RESOLVED
Closed: 10 months ago
Resolution: --- → INACTIVE