Bug 425847 - Cert verification using libPKIX reports INVALID ARGUMENTS when OCSP fails
Status: RESOLVED DUPLICATE of bug 430859 (opened 17 years ago, closed 17 years ago)
Product / Component: NSS :: Libraries (defect, P1)
Target Milestone: 3.12.1
Tracking: not tracked
Reporter: nelson; Assignee: alvolkov.bgs
Whiteboard: PKIX
In bug 425538 comment 22, Kai wrote:
When I execute vfychain with the patch from bug 425801 applied (and asking
for OCSP), vfychain fails (as expected) with the same failure mentioned
in this bug.
FWIW, here is what the error log seems to dump. Besides a dump of OCSP request
and response, there is no indication that the failure is about OCSP.
$ vfychain -d . -s -ppvv -u 1 -o OID.1.3.6.1.4.1.14370.1.6 -u 1 cert.001 cert.002 cert.003 -t 424169a.der
1206740030459995:
E120: 50 4F 53 54 20 2F 20 48 54 54 50 2F 31 2E 30 0D POST / HTTP/1.0.
E130: 0A 48 6F 73 74 3A 20 45 56 53 65 63 75 72 65 2D .Host: EVSecure-
E140: 6F 63 73 70 2E 67 65 6F 74 72 75 73 74 2E 63 6F ocsp.geotrust.co
E150: 6D 3A 38 30 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79 m:80..Content-Ty
E160: 70 65 3A 20 61 70 70 6C 69 63 61 74 69 6F 6E 2F pe: application/
E170: 6F 63 73 70 2D 72 65 71 75 65 73 74 0D 0A 43 6F ocsp-request..Co
E180: 6E 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 31 31 ntent-Length: 11
E190: 35 0D 0A 0D 0A 30 71 30 6F 30 4D 30 4B 30 49 30 5....0q0o0M0K0I0
E1A0: 09 06 05 2B 0E 03 02 1A 05 00 04 14 7A 10 78 49 ...+........z.xI
E1B0: E1 75 1A 40 0E 0D DB AC 30 C8 AA 4B 12 75 D1 AC .u.@....0..K.u..
E1C0: 04 14 2C D5 50 41 97 15 8B F0 8F 36 61 5B 4A FB ..,.PA.....6a[J.
E1D0: 6B D9 99 C9 33 92 02 10 69 48 A2 6B 20 1A A4 21 k...3...iH.k ..!
E1E0: E8 98 B1 C4 92 C7 C5 8E A2 1E 30 1C 30 1A 06 09 ..........0.0...
E1F0: 2B 06 01 05 05 07 30 01 04 04 0D 30 0B 06 09 2B +.....0....0...+
E200: 06 01 05 05 07 30 01 01 .....0..
1206740030635793:
E210: 48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D HTTP/1.1 200 OK.
E220: 0A 63 6F 6E 74 65 6E 74 2D 74 72 61 6E 73 66 65 .content-transfe
E230: 72 2D 65 6E 63 6F 64 69 6E 67 3A 20 62 69 6E 61 r-encoding: bina
E240: 72 79 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 ry..Content-Type
E250: 3A 20 61 70 70 6C 69 63 61 74 69 6F 6E 2F 6F 63 : application/oc
E260: 73 70 2D 72 65 73 70 6F 6E 73 65 0D 0A 43 6F 6E sp-response..Con
E270: 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 35 0D 0A tent-Length: 5..
E280: 44 61 74 65 3A 20 46 72 69 2C 20 32 38 20 4D 61 Date: Fri, 28 Ma
E290: 72 20 32 30 30 38 20 32 31 3A 33 35 3A 30 31 20 r 2008 21:35:01
E2A0: 47 4D 54 0D 0A 53 65 72 76 65 72 3A 20 41 70 61 GMT..Server: Apa
E2B0: 63 68 65 2D 43 6F 79 6F 74 65 2F 31 2E 31 0D 0A che-Coyote/1.1..
E2C0: 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 63 6C 6F 73 Connection: clos
E2D0: 65 0D 0A 0D 0A 30 03 0A 01 06 e....0....
Chain is bad, -8187 = security library: invalid arguments.
- - end of quote
libPKIX needs to ensure that it reports an OCSP error, not invalid arguments,
whenever OCSP is the cause of a cert validation error.
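The trace in the description already carries enough to name the OCSP failure: the request body identifies the certificate being checked, and the 5-byte response body is an OCSPResponse whose responseStatus is 6 (unauthorized, per RFC 2560 section 4.2.1). The following is an added example, not NSS or vfychain code: a small standard-library DER walker (the helper names are the example's own) that decodes the request and response bytes transcribed from the hex dump above and produces the kind of message the bug asks libPKIX to report instead of -8187.

```python
"""Decode the OCSP request and response captured in the vfychain trace.

Added example, not NSS or vfychain code. A minimal DER walker (standard
library only) that is just enough for the two messages in the log.
"""

# Bytes transcribed from the hex dump on this page: the OCSP request body that
# follows "Content-Length: 115" and the 5-byte body of the HTTP 200 response.
OCSP_REQUEST_DER = bytes.fromhex("""
    30 71 30 6F 30 4D 30 4B 30 49 30
    09 06 05 2B 0E 03 02 1A 05 00 04 14 7A 10 78 49
    E1 75 1A 40 0E 0D DB AC 30 C8 AA 4B 12 75 D1 AC
    04 14 2C D5 50 41 97 15 8B F0 8F 36 61 5B 4A FB
    6B D9 99 C9 33 92 02 10 69 48 A2 6B 20 1A A4 21
    E8 98 B1 C4 92 C7 C5 8E A2 1E 30 1C 30 1A 06 09
    2B 06 01 05 05 07 30 01 04 04 0D 30 0B 06 09 2B
    06 01 05 05 07 30 01 01
""")
OCSP_RESPONSE_DER = bytes.fromhex("30 03 0A 01 06")

# OCSPResponse.responseStatus (RFC 2560, section 4.2.1); value 4 is unassigned.
OCSP_RESPONSE_STATUS = {
    0: "successful", 1: "malformedRequest", 2: "internalError",
    3: "tryLater", 5: "sigRequired", 6: "unauthorized",
}
OID_ACCEPTABLE_RESPONSES = "1.3.6.1.5.5.7.48.1.4"   # id-pkix-ocsp-response
TAG_SEQUENCE, TAG_ENUMERATED, TAG_CTX0, TAG_CTX2 = 0x30, 0x0A, 0xA0, 0xA2


def der_read(buf, pos=0):
    """Return (tag, contents, next_pos) for the TLV at pos; single-byte tags only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(contents):
    """Yield (tag, contents) for each TLV inside a constructed value."""
    pos = 0
    while pos < len(contents):
        tag, inner, pos = der_read(contents, pos)
        yield tag, inner


def decode_oid(contents):
    """Dotted-decimal form of an OBJECT IDENTIFIER's contents octets."""
    arcs, acc = [contents[0] // 40, contents[0] % 40], 0
    for b in contents[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def parse_ocsp_request(der):
    """Return the CertID of the first Request plus any request extensions."""
    _, ocsp_request, _ = der_read(der)
    _, tbs_request, _ = der_read(ocsp_request)
    tbs = list(der_children(tbs_request))
    # TBSRequest: [0] version, [1] requestorName, requestList, [2] requestExtensions
    request_list = next(v for t, v in tbs if t == TAG_SEQUENCE)
    _, first_request = next(der_children(request_list))
    _, cert_id = next(der_children(first_request))
    alg_id, name_hash, key_hash, serial = (v for _, v in der_children(cert_id))
    info = {
        "hash_alg": decode_oid(next(der_children(alg_id))[1]),
        "issuer_name_hash": name_hash.hex(),
        "issuer_key_hash": key_hash.hex(),
        "serial": serial.hex(),
        "extensions": {},
    }
    ext_wrapper = next((v for t, v in tbs if t == TAG_CTX2), None)
    if ext_wrapper is not None:
        _, extensions, _ = der_read(ext_wrapper)    # [2] EXPLICIT -> SEQUENCE OF Extension
        for _, ext in der_children(extensions):
            fields = list(der_children(ext))        # extnID, [critical], extnValue
            oid, value = decode_oid(fields[0][1]), fields[-1][1]
            if oid == OID_ACCEPTABLE_RESPONSES:     # OCTET STRING wraps SEQUENCE OF OID
                _, oid_seq, _ = der_read(value)
                value = [decode_oid(v) for _, v in der_children(oid_seq)]
            info["extensions"][oid] = value
    return info


def parse_ocsp_response(der):
    """Return (responseStatus code, its name, whether responseBytes is present)."""
    tag, body, _ = der_read(der)
    if tag != TAG_SEQUENCE:
        raise ValueError("OCSPResponse must be a SEQUENCE")
    parts = list(der_children(body))
    if not parts or parts[0][0] != TAG_ENUMERATED:
        raise ValueError("responseStatus must be ENUMERATED")
    code = int.from_bytes(parts[0][1], "big")
    has_response_bytes = any(t == TAG_CTX0 for t, _ in parts[1:])
    return code, OCSP_RESPONSE_STATUS.get(code, "unassigned"), has_response_bytes


def describe_ocsp_outcome(request_der, response_der):
    """One line a verifier could report instead of a generic 'invalid arguments'."""
    req = parse_ocsp_request(request_der)
    code, name, has_body = parse_ocsp_response(response_der)
    if code == 0 and has_body:
        return "OCSP responder answered for serial %s; inspect BasicOCSPResponse" % req["serial"]
    return "OCSP check for serial %s failed: responseStatus=%s (%d), responseBytes %s" % (
        req["serial"], name, code, "present" if has_body else "absent")


if __name__ == "__main__":
    print(parse_ocsp_request(OCSP_REQUEST_DER))
    print(describe_ocsp_outcome(OCSP_REQUEST_DER, OCSP_RESPONSE_DER))
```

Run as-is, the script reports that the request asked (SHA-1 CertID, with an AcceptableResponses extension naming id-pkix-ocsp-basic) about serial 6948a26b201aa421e898b1c492c7c58e and that the responder answered responseStatus unauthorized (6) with no responseBytes. NSS's own error table has SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST for exactly this status; the point of the bug is that the libPKIX path collapses it into SEC_ERROR_INVALID_ARGS (-8187).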
Updated by reporter, 17 years ago:
Priority: -- → P1
Whiteboard: PKIX
Comment 1 (reporter), 17 years ago:
Does this problem also occur when tested with vfychain -p (one p) ?
IOW, does this problem occur with the old API when the switch is going to the
new libPKIX implementation?
Comment 2 (reporter), 17 years ago:
If this problem happens ONLY with CERT_PKIXVerifyCert and not also with the
old API, then the target should be 3.12.2
Comment 3 (assignee), 17 years ago:
The reason for the problem is the same as in bug 430859. See explanation of the problem at
https://bugzilla.mozilla.org/show_bug.cgi?id=430859#c4
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → DUPLICATE