Bug 394077 - libpkix need to return revocation status of a cert
Status: RESOLVED FIXED
Whiteboard: PKIX SUN_MUST_HAVE
Product: NSS
Classification: Components
Component: Libraries
Version: trunk
Platform: All All
Importance: P2 major
Target Milestone: 3.12.3
Assigned To: Alexei Volkov
Reported: 2007-08-28 15:54 PDT by Alexei Volkov
Modified: 2009-01-13 15:07 PST
CC: 3 users
Attachments
Patch v1 - return revocation status (1.71 KB, patch)
2008-12-01 17:03 PST, Alexei Volkov
nelson: review+

Description Alexei Volkov 2007-08-28 15:54:51 PDT
The last parameter of the cert_VerifyCertChain function is the address of a boolean variable that, if passed, will tell the caller whether a chain was not built due to revoked certs.

libpkix currently returns PKIX_VerifyNode, a validation error tree from which the revocation status can be obtained.
Comment 1 Alexei Volkov 2007-08-28 16:08:59 PDT
Failure to verify the signature of one of the certs in the chain should also be reported back to the caller.
Comment 2 Julien Pierre 2007-09-04 16:03:47 PDT
Could you be more specific about exactly which libpkix function you intend to modify here? Thanks.
Comment 3 Nelson Bolyard (seldom reads bugmail) 2008-11-12 17:09:01 PST
This is a binary compatibility requirement. 
If we're going to allow libPKIX to take the place of the old code, and be
used through the old APIs, then it must still produce the right answers, 
or it is a regression.  

This cannot be SUN_MUST_HAVE and be P2.
Comment 4 Alexei Volkov 2008-12-01 12:12:56 PST
The old code is checking the revocation status of the cert and, if it is positive (cert is revoked), returns it to the caller. The libpkix algorithm is a bit different: we check the revocation status of the cert and, if the cert is revoked, we try another path to find out if there is a valid candidate cert that can be used to complete the chain.

In this case, would you agree with the following: if there is another candidate cert which leads us to completion of the chain to a trust anchor, then we report success. If the use of the second cert didn't lead us to a trust anchor and there are no other alternatives, we report chain building failure due to the revoked status of the cert.
Comment 5 Nelson Bolyard (seldom reads bugmail) 2008-12-01 12:34:11 PST
Clearly, if we report success, we should not also report a revoked cert.

I guess the question is: what happens if there are multiple paths, all
of which fail for different reasons?  If one path fails because a CA 
cert was revoked, and another path fails because (say) a CA cert is 
expired or has an unknown issuer, then what do we report about revocation
status?  

In the end, we return a single error code.  That error code comes from one
of the certification paths. (I don't know which one. first? last? nastiest?)  
I think that the revocation boolean value should be for the same path whose
error code is returned.  Does that make sense?
Comment 6 Alexei Volkov 2008-12-01 14:16:19 PST
> In the end, we return a single error code.  That error code comes from one
> of the certification paths. (I don't know which one. first? last? nastiest?)  
> I think that the revocation boolean value should be for the same path whose
> error code is returned.  Does that make sense?

Today the final failure reported to a caller is the last failure that was received.
I think your statement makes sense since a caller may request a log to be returned. Later the log can be parsed, if needed, to understand a particular reason for a CA cert rejection.
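The semantics agreed in comments 4 through 6 can be modelled in a few lines of C. This is an added illustration, not NSS or libpkix code: the error names, the candidate_path and verify_log types, the cert_verify_chain_model function and the sample paths are all assumptions constructed for the example. It mirrors the old API's out-parameter (the address of a boolean, as in cert_VerifyCertChain), tries candidate paths in order, reports success with the revoked flag cleared as soon as one path reaches a trust anchor, and otherwise returns the code of the last failing path with the revoked flag describing that same path only; every rejected path is also recorded in an optional log so a caller can still find out why a particular CA cert was rejected.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed error codes standing in for the NSS errors the thread refers
 * to; the names and values are assumptions for this example, not NSS
 * identifiers. */
typedef enum {
    PATH_OK = 0,
    PATH_ERR_REVOKED,
    PATH_ERR_EXPIRED,
    PATH_ERR_UNKNOWN_ISSUER,
    PATH_ERR_BAD_SIGNATURE
} path_error;

/* One candidate certification path the builder explored, reduced to the
 * single outcome of validating it: an anchor was reached, or one reason
 * the path was rejected. */
typedef struct {
    const char *name;
    path_error  result;
} candidate_path;

/* Optional log of every rejected path (comment 6): lets a caller see why a
 * CA cert was rejected even when the final code came from another path. */
#define LOG_MAX 16
typedef struct {
    size_t         count;
    candidate_path entries[LOG_MAX];
} verify_log;

/* Model of the behaviour agreed in comments 4-6 (hypothetical function):
 *  - the first path that reaches a trust anchor means success, and the
 *    revoked flag is cleared even if an earlier path was rejected as revoked;
 *  - otherwise the code of the LAST failing path is returned, and the
 *    revoked flag is tied to that same path only;
 *  - with no candidate paths at all, PATH_ERR_UNKNOWN_ISSUER is reported
 *    (an assumption made for this model). */
path_error cert_verify_chain_model(const candidate_path *paths, size_t n,
                                   bool *revoked_out, verify_log *log)
{
    path_error last = PATH_ERR_UNKNOWN_ISSUER;
    bool revoked = false;

    if (log) log->count = 0;

    for (size_t i = 0; i < n; i++) {
        if (paths[i].result == PATH_OK) {
            /* Success on any path: never also report a revoked cert. */
            if (revoked_out) *revoked_out = false;
            return PATH_OK;
        }
        last    = paths[i].result;                 /* last failure wins */
        revoked = (last == PATH_ERR_REVOKED);      /* flag follows that path */
        if (log && log->count < LOG_MAX)
            log->entries[log->count++] = paths[i];
    }

    if (revoked_out) *revoked_out = revoked;
    return last;
}

int main(void)
{
    /* Constructed scenario from comment 5: one path fails because a CA cert
     * is revoked, the alternative fails because a CA cert is expired. */
    const candidate_path paths[] = {
        { "leaf -> CA1 (revoked) -> root", PATH_ERR_REVOKED },
        { "leaf -> CA2 (expired) -> root", PATH_ERR_EXPIRED },
    };
    bool revoked = true;
    verify_log log;
    path_error err = cert_verify_chain_model(paths, 2, &revoked, &log);

    /* The reported code is EXPIRED (last path), so revoked is false for the
     * caller; the revoked path is still visible in the log. */
    printf("error=%d revoked=%d\n", (int)err, (int)revoked);
    for (size_t i = 0; i < log.count; i++)
        printf("rejected: %s (code %d)\n", log.entries[i].name,
               (int)log.entries[i].result);
    return 0;
}
```

The out-parameter and the log are deliberately separate: the boolean answers the old API's question about the path whose error is returned, while the log preserves the per-path detail that the single error code discards.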
Comment 7 Alexei Volkov 2008-12-01 17:03:18 PST
Created attachment 350877
Patch v1 - return revocation status

Once the libpkix to NSS error conversion is done, check the NSS error code to see if chain building failed due to a revoked certificate.
Comment 8 Nelson Bolyard (seldom reads bugmail) 2008-12-09 15:41:42 PST
Comment on attachment 350877
Patch v1 - return revocation status

r=nelson
Comment 9 Alexei Volkov 2009-01-13 15:07:19 PST
Patch is integrated.
