Closed Bug 408903 Opened 17 years ago Closed 15 years ago

CERT_PKIXVerifyCert should do revocation checking of the leaf cert

Categories

(NSS :: Libraries, defect, P1)

Tracking

(Not tracked)

RESOLVED FIXED
3.12.2

People

(Reporter: KaiE, Assigned: alvolkov.bgs)

Details

(Whiteboard: PKIX P0)

Attachments

(1 file, 1 obsolete file)

From bug 375019 comment 10:

"Looking at function CERT_VerifyCert, we see that revocation checking on 
the leaf cert is done in that function, after the call to CERT_VerifyCertChain
has returned successfully.  From that fact, we can infer that 
CERT_PKIXVerifyCert should likewise do the revocation checking on the leaf 
cert after libPKIX has been called to do the equivalent of
CERT_VerifyCertChain."

(you might want to read comment 8 and 9 in that bug, too)
Whiteboard: PKIX
I propose this bug should target 3.12.

I'm tentatively adding NSS312B2 to the whiteboard to make it show up on the radar.
Target Milestone: --- → 3.12
Whiteboard: PKIX → PKIX NSS312B2
Assignee: nobody → alexei.volkov.bugs
Priority: -- → P1
I've verified that the leaf cert gets checked for revocation by the CRL and OCSP checkers. Kai, could you please repeat the experiment? Make sure that ocspTurnedOnForChain is set to true. For that you need to allow the OCSP test on the chain. It will enable OCSP checking for the whole chain and a leaf certificate. This is currently the only way to check the leaf cert with OCSP (until the revocation controller is implemented to properly parse and interpret all revocation flags).
Status: NEW → ASSIGNED
I think I can confirm what Alexei said.

PSM asks NSS to attempt OCSP on leaf and cert.

I tested using 
  https://www.digicert.com/images/footer-1-left-digicert-ssl.gif
which will load a single image and enabled OCSP tracing.

I used the debugger and set a breakpoint on CERT_PKIXVerifyCert.

The image gets loaded, and I see NSS creates an OCSP request for the server cert (only).

Then the breakpoint at PKIXVerifyCert.

I stepped over the function, which results in two more attempts to do OCSP:
- for the intermediate cert 
- again for the server cert (which has the OCSP response already cached).


I think this is acceptable for PSM's current needs, because of the fact that PSM asks NSS to attempt OCSP on the chain.



However, I think NSS' behavior is quite surprising.
As an experiment, I changed PSM to not ask for OCSP on the chain.
As Alexei said, in that combination libpkix will not call into the OCSP code to check status for the leaf.

So, as Alexei said, if you want checking on the leaf, you must ask for checking the chain.
I did another experiment, which is not strictly related to this bug.
I was curious to see
Please see comment 3 if you were recently added to this bug.
To summarize, I'd declare this bug as WORKSFORME as far as PSM is concerned (but we must work to make the behavior match the parameters).

Please ignore comment 4.

Not strictly related to this bug, I did another experiment.

I was interested in what happens if the first OCSP request for the leaf cert succeeds (the one initiated by classic NSS as part of SSL),
while the second OCSP request for the leaf cert (the one initiated by CERT_PKIXVerifyCert) fails.
I made a simple experiment and changed the OCSP cache to return "failure" for each request where a cache entry is found.
Luckily, I get the expected result. CERT_PKIXVerifyCert returns the desired failure in this experiment (and PSM does not show EV).
Setting the bug status as WorkForMe.
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → WORKSFORME
PSM may not need CERT_PKIXVerifyCert to be able to send OCSP requests to 
validate leaf certs, because it is using the old CERT_VerifyCert* functions
first, which DO send the OCSP request.  

But this is still a deficiency of the CERT_PKIXVerifyCert function, and 
getting this bug fixed is still a prerequisite to being able to switch 
over entirely from the old to the new cert verification code.  

So, I'm reopening this bug and changing the target
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
Target Milestone: 3.12 → 3.12.1
Also must do validity period checking
Whiteboard: PKIX NSS312B2 → PKIX P0
Target Milestone: 3.12.1 → 3.12.2
Attachment #371729 - Flags: review?(nelson)
Comment on attachment 371729 [details] [diff] [review]
Patch v1 - make libpkix validate leaf cert

Patch needs to have some function name changes and comments added to the code.
Attachment #371729 - Flags: review?(nelson) → review-
Address review comments.
Attachment #371729 - Attachment is obsolete: true
Attachment #371800 - Flags: review?(nelson)
Comment on attachment 371800 [details] [diff] [review]
Patch v2 - make libpkix validate leaf cert(committed)

r=nelson
Attachment #371800 - Flags: review?(nelson) → review+
Attachment #371800 - Attachment description: Patch v2 - make libpkix validate leaf cert → Patch v2 - make libpkix validate leaf cert(committed)
Status: REOPENED → RESOLVED
Closed: 16 years ago → 15 years ago
Resolution: --- → FIXED