LIBPKIX OCSP checking calls CERT_VerifyCert

RESOLVED FIXED in 3.12

Status

Product: NSS
Component: Libraries
Priority: P1
Severity: enhancement
Status: RESOLVED FIXED
Opened: 11 years ago
Updated: 6 years ago

People

(Reporter: Richard N. Freedman, Assigned: Alexei Volkov)

Tracking

Version: trunk
Target Milestone: 3.12
Platform: All, Solaris

Details

(Whiteboard: PKIX)

(Reporter)

Description

11 years ago
The new OCSP handler written for libpkix uses the old OCSP routines to construct, encode, decode, etc., the OCSP messages. But handling of the OCSP response includes a call to CERT_VerifyOCSPResponseSignature, which calls ocsp_CheckSignature, which calls CERT_VerifyCert. This last routine, of course, lacks all the new features painstakingly added to libpkix.

A new routine will be written for verifying the signature of the OCSP response without using CERT_VerifyCert, using instead the libpkix replacement.
Assignee: richard.freedman → alexei.volkov.bugs
(Assignee)

Updated

11 years ago
Whiteboard: PKIX

Comment 1

11 years ago
This task was supposed to have been completed by Richard.
(Assignee)

Comment 2

10 years ago
Need to verify if it was completed. P2 for now.
Priority: -- → P2

P1 for NSS 3.12
Priority: P2 → P1

Comment 4

10 years ago
It appears to be fixed in PKIX_PL_OcspResponse_UseBuildChain in pkix_pl_ocspresponse.c.

Agreed. This was fixed on the old PKIX branch before that was merged to the trunk.
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → FIXED
Version: 3.10 → trunk
Please reopen this bug. (For some reason, I can't reopen it.) Even though PKIX_PL_OcspResponse_UseBuildChain exists, it is never used. Consequently, when we are using libpkix as a replacement for the old cert chain validation logic, internally libpkix uses the old logic to validate OCSP responses and their cert chains. The call stack is like this:

   pkix_OcspChecker_CheckExternal 
      pkix_pl_OcspResponse_VerifySignature
          ...
          CERT_FindCertIssuer
          ...
          ocsp_GetSignerCertificate
              ...
              CERT_FindCertByName
              ...
          ...
          pkix_pl_OcspResponse_VerifyResponse
              ...
              CERT_VerifyCertChain
              ...

All of the ocsp_* and CERT_* calls in this call stack are wrong, because they use the old certificate "FindBest" selection logic.
Blocks: 635384
Never mind, do not re-open this. See bug 551429 comment 11.
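
The check described in the call-stack comment above, as an added example that is not part of the bug report or of NSS: it walks an indented call trace and reports every legacy CERT_*/ocsp_* frame that is reached from a libpkix frame. The function name `legacy_frames` and the prefix lists are assumptions made for illustration; the trace is the one quoted in that comment.

```python
# Added example: flag legacy NSS frames reached from libpkix in an indented call trace.
LEGACY_PREFIXES = ("CERT_", "ocsp_")   # old validation API named in the comment
PKIX_PREFIXES = ("pkix_", "PKIX_")     # libpkix frames

# Call stack copied from the comment above ("..." marks elided frames).
TRACE = """\
   pkix_OcspChecker_CheckExternal
      pkix_pl_OcspResponse_VerifySignature
          ...
          CERT_FindCertIssuer
          ...
          ocsp_GetSignerCertificate
              ...
              CERT_FindCertByName
              ...
          ...
          pkix_pl_OcspResponse_VerifyResponse
              ...
              CERT_VerifyCertChain
              ...
"""

def legacy_frames(trace):
    """Return (legacy frame, nearest libpkix caller, full call path) for every
    legacy frame that has at least one libpkix frame above it."""
    stack = []      # (indent, name) pairs forming the current call path
    findings = []
    for line in trace.splitlines():
        name = line.strip()
        if not name or name == "...":
            continue                      # blank line or elided frames
        indent = len(line) - len(line.lstrip(" "))
        while stack and stack[-1][0] >= indent:
            stack.pop()                   # leave siblings and deeper frames
        callers = [n for _, n in stack]
        pkix_callers = [n for n in callers if n.startswith(PKIX_PREFIXES)]
        if name.startswith(LEGACY_PREFIXES) and pkix_callers:
            findings.append((name, pkix_callers[-1], callers + [name]))
        stack.append((indent, name))
    return findings

if __name__ == "__main__":
    for frame, caller, path in legacy_frames(TRACE):
        print(f"{frame}: nearest libpkix caller is {caller}")
        print("    " + " -> ".join(path))
```

Run over a trace captured from a debugger or profiler in the same indented form, an empty result means no legacy validation call was reached from libpkix on that path.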