Last Comment Bug 339737 - LIBPKIX OCSP checking calls CERT_VerifyCert
: LIBPKIX OCSP checking calls CERT_VerifyCert
Status: RESOLVED FIXED
PKIX
:
Product: NSS
Classification: Components
Component: Libraries (show other bugs)
: trunk
: All Solaris
: P1 enhancement (vote)
: 3.12
Assigned To: Alexei Volkov
:
:
Mentors:
Depends on:
Blocks: 635384
  Show dependency treegraph
 
Reported: 2006-05-30 15:02 PDT by Richard N. Freedman
Modified: 2011-05-23 01:42 PDT (History)
3 users (show)
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---


Attachments

Description Richard N. Freedman 2006-05-30 15:02:08 PDT
The new OCSP handler written for libpkix uses the old ocsp routines to construct, encode, decode, etc., the ocsp messages. But handling of the ocsp response includes a call to CERT_VerifyOCSPResponseSignature, which calls ocsp_CheckSignature, which calls CERT_VerifyCert. This last routine, of course, lacks all the new features painstakingly added to libpkix.

A new routine will be written for verifying the signature of the ocsp response without using CERT_VerifyCert, using instead the libpkix replacement.
Comment 1 Julien Pierre 2007-02-27 23:10:44 PST
This task was supposed to have been completed by Richard.
Comment 2 Alexei Volkov 2007-03-08 14:47:03 PST
Need to verify if it was completed. P2 for now
Comment 3 Nelson Bolyard (seldom reads bugmail) 2007-08-16 13:34:41 PDT
P1 for NSS 3.12
Comment 4 Julien Pierre 2007-08-16 16:14:37 PDT
It appears to be fixed in PKIX_PL_OcspResponse_UseBuildChain in pkix_pl_ocspresponse.c .
Comment 5 Nelson Bolyard (seldom reads bugmail) 2007-08-16 17:52:57 PDT
Agreed.  This was fixed on the old PKIX branch before that was merged 
to the trunk.
Comment 6 Brian Smith (:briansmith, :bsmith, use NEEDINFO?) 2011-05-22 22:29:29 PDT
Please reopen this bug. (For some reason, I can't reopen it.) Even though PKIX_PL_OcspResponse_UseBuildChain exists, it is never used. Consequently, when we are using libpkix as a replacement for the old cert chain validation logic, internally libpkix uses the old logic to validate OCSP responses and their cert chains. The call stack is like this:

   pkix_OcspChecker_CheckExternal 
      pkix_pl_OcspResponse_VerifySignature
          ...
          CERT_FindCertIssuer
          ...
          ocsp_GetSignerCertificate
              ...
              CERT_FindCertByName
              ...
          ...
          pkix_pl_OcspResponse_VerifyResponse
              ...
              CERT_VerifyCertChain
              ...

All of the ocsp_* and CERT_* calls in this call stack are wrong, because they use the old certificate "FindBest" selection logic.
Comment 7 Brian Smith (:briansmith, :bsmith, use NEEDINFO?) 2011-05-23 01:42:30 PDT
Never mind, do not re-open this. See bug 551429 comment 11.

Note You need to log in before you can comment on or make changes to this bug.