Closed
Bug 378673
Opened 19 years ago
Closed 19 years ago
OCSP signature verification does not allow intermediates
Categories
(NSS :: Libraries, defect)
Tracking
(Not tracked)
RESOLVED
INVALID
People
(Reporter: KaiE, Unassigned)
Details
Attachments
(1 file)
|
935 bytes,
application/octet-stream
|
Details |
Given the following certs (common names):
(A) root: Certum CA
(B) intermediate: Certum Level IV
(C) server: *.certum.pl
(D) OCSP signer: Certum Validation Service
with the following hierachy:
A
|-B
| |-C
|
|-D
When connecting to a server using (C)
and talking to the OCSP responder listed in (C),
the response we get is signed by (D),
and NSS fails with error code:
SEC_ERROR_OCSP_UNAUTHORIZED_RESPONSE.
I looked at function ocsp_AuthorizedResponderForCertID.
NSS is very strict.
It requires that (C) and (D) have been issued by the same cert,
which is not true in this case.
In other words, when NSS tries to verify a leaf cert using OCSP, it requires both the leaf cert and the responder's signer cert have been *directly* issued by the same root, it does not allow intermediates.
Is this a bug or intended behaviour?
Is this a bug in NSS?
Comment 1•19 years ago
|
||
Kai, section 4.2.2.2(Authorized Responders) of rfc 2560 sais:
(clients) MUST reject the
response if the certificate required to validate the signature on the
response fails to meet at least one of the following criteria:
1. Matches a local configuration of OCSP signing authority for the
certificate in question; or
2. Is the certificate of the CA that issued the certificate in
question; or
3. Includes a value of id-ad-ocspSigning in an ExtendedKeyUsage
extension and is issued by the CA that issued the certificate in
question."
In your case the response would be valid if it would be signed by authorized responder cert issued by CA B. But not CA A.
I think bug is invalid.
Comment 2•19 years ago
|
||
(In reply to comment #1)
> Kai, section 4.2.2.2(Authorized Responders) of rfc 2560 sais:
> (clients) MUST reject the
> response if the certificate required to validate the signature on the
> response fails to meet at least one of the following criteria:
> [...]
>
> In your case the response would be valid if it would be signed by authorized
> responder cert issued by CA B. But not CA A.
>
> I think bug is invalid.
>
RFC 2560 section 2.2, one can read:
2.2 Response
All definitive response messages SHALL be digitally signed. The key
used to sign the response MUST belong to one of the following:
-- the CA who issued the certificate in question
-- a Trusted Responder whose public key is trusted by the requester
-- a CA Designated Responder (Authorized Responder) who holds a
specially marked certificate issued directly by the CA, indicating
that the responder may issue OCSP responses for that CA
Please, bear in mind that Trusted Responder variant is adequate to Certum VS key. I mean, Certum VS similar to Certum Level IV inherits trust directly from Certum CA - a NSS valid and built-in object. So, in my opnion that is why it SHALL always be trusted by the requester and responses not rejected.
Comment 3•19 years ago
|
||
A trusted responder is a responder that the requester has directly trusted.
It doesn't inherit trust from other CAs.
The requester (browser user) says "This is my trusted responder".
NSS supports that.
Some mozilla client products provide UI to configure a trusted responder.
So, if the browser user wants to directly trust a certain responder,
he can do that, and then it doesn't matter who signed that responder's
cert, because the user trusts it directly, much like the way that a user
may trust a root CA cert.
I agree with Julien. I think this bug is invalid.
Comment 4•19 years ago
|
||
(In reply to comment #3)
> A trusted responder is a responder that the requester has directly trusted.
> It doesn't inherit trust from other CAs.
According to RFC 2560 a trusted responder is only a responder: "whose public key is trusted by the requester"... nothing else. We do not know if that key is signed by other CA or just selfsigned, there is not the word "directly" either. Trusted root CA - with its own Certification Policy, Certification Practice Statement, repository, etc. is a different story than simple OCSP trusted responder, I am sure.
> The requester (browser user) says "This is my trusted responder".
> NSS supports that.
It is a good way to support trusted responder mode, but IMHO certificates with URI (ext. AuthorityInformationAccess) should be verified automatically in that way too.
/WS
Comment 5•19 years ago
|
||
Nelson,
Actually, it was Alexei who made the statement about it being invalid. I haven't looked at this issue closely yet.
Flags: blocking1.8.0.13?
Comment 6•19 years ago
|
||
In reply to comment 4,
> According to RFC 2560 a trusted responder is only a responder:
> "whose public key is trusted by the requester".
Right. And "trusted by the requester" is NOT the same thing as
"is in a certificate verifiable with the cert from some other CA that
is trusted by the user."
Think about it. If the intent of RFC 2560 had been to allow OCSP
responses from any OCSP responder whose cert comes from ANY trusted CA,
then the RFC would not have contained this specific provision:
2. Is the certificate of the CA that issued the certificate in
question; or
That provision is there specifically to limit the set of CAs whose
signatures may server to qualify the OCSP responder to the one CA
that issued the cert being tested.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → INVALID
Updated•19 years ago
|
Flags: blocking1.8.0.13?
Comment 7•16 years ago
|
||
Here is a copy of the DER cert with which Certum's OCSP responder signs its
responses. It is a self-signed binary X.509 v3 EE cert (not a CA cert).
I'm attaching it here to facilitate people playing with this as an
explicitly trusted OCSP responder cert.
Updated•16 years ago
|
Attachment #420496 -
Attachment mime type: application/x-x509-ca-cert → application/octet-stream
Comment 8•16 years ago
|
||
Comment on attachment 420496 [details]
Certum's OCSP responder cert
My previous statement about this cert was mistaken. It is not self-signed.
Here is some info from the cert.
Version: 3 (0x2)
Serial Number: 293462 (0x47a56)
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Issuer: "CN=Certum CA,O=Unizeto Sp. z o.o.,C=PL"
Validity:
Not Before: Tue Mar 03 13:02:56 2009
Not After : Sun Mar 03 13:02:56 2024
Subject: "CN=Certum Validation Authority,OU=Certum Certification Auth
ority,O=Unizeto Technologies S.A.,C=PL"
Attachment #420496 -
Attachment description: Certum's self-signed OCSP responder cert → Certum's OCSP responder cert
Comment 9•16 years ago
|
||
FYI last weekend we changed our OCSP service, it's no longer in trusted responder mode and is working fine with FF.
You need to log in
before you can comment on or make changes to this bug.
Description
•