Last Comment Bug 339737 - LIBPKIX OCSP checking calls CERT_VerifyCert
: LIBPKIX OCSP checking calls CERT_VerifyCert
Product: NSS
Classification: Components
Component: Libraries (show other bugs)
: trunk
: All Solaris
P1 enhancement (vote)
: 3.12
Assigned To: Alexei Volkov
Depends on:
Blocks: 635384
  Show dependency treegraph
Reported: 2006-05-30 15:02 PDT by Richard N. Freedman
Modified: 2011-05-23 01:42 PDT (History)
3 users (show)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---


Description User image Richard N. Freedman 2006-05-30 15:02:08 PDT
The new OCSP handler written for libpkix uses the old ocsp routines to construct, encode, decode, etc., the ocsp messages. But handling of the ocsp response includes a call to CERT_VerifyOCSPResponseSignature, which calls ocsp_CheckSignature, which calls CERT_VerifyCert. This last routine, of course, lacks all the new features painstakingly added to libpkix.

A new routine will be written for verifying the signature of the ocsp response without using CERT_VerifyCert, using instead the libpkix replacement.
Comment 1 User image Julien Pierre 2007-02-27 23:10:44 PST
This task was supposed to have been completed by Richard.
Comment 2 User image Alexei Volkov 2007-03-08 14:47:03 PST
Need to verify if it was completed. P2 for now
Comment 3 User image Nelson Bolyard (seldom reads bugmail) 2007-08-16 13:34:41 PDT
P1 for NSS 3.12
Comment 4 User image Julien Pierre 2007-08-16 16:14:37 PDT
It appears to be fixed in PKIX_PL_OcspResponse_UseBuildChain in pkix_pl_ocspresponse.c .
Comment 5 User image Nelson Bolyard (seldom reads bugmail) 2007-08-16 17:52:57 PDT
Agreed.  This was fixed on the old PKIX branch before that was merged 
to the trunk.
Comment 6 User image Brian Smith (:briansmith, :bsmith, use NEEDINFO?) 2011-05-22 22:29:29 PDT
Please reopen this bug. (For some reason, I can't reopen it.) Even though PKIX_PL_OcspResponse_UseBuildChain exists, it is never used. Consequently, when we are using libpkix as a replacement for the old cert chain validation logic, internally libpkix uses the old logic to validate OCSP responses and their cert chains. The call stack is like this:


All of the ocsp_* and CERT_* calls in this call stack are wrong, because they use the old certificate "FindBest" selection logic.
Comment 7 User image Brian Smith (:briansmith, :bsmith, use NEEDINFO?) 2011-05-23 01:42:30 PDT
Never mind, do not re-open this. See bug 551429 comment 11.

Note You need to log in before you can comment on or make changes to this bug.