Closed Bug 482702 Opened 16 years ago Closed 16 years ago

OCSP test with revoked CA cert validated as good.

Categories: NSS :: Tools, defect

Hardware/OS: Sun Solaris
Type: defect
Priority: Not set
Severity: normal

Tracking: (Not tracked)

Status: RESOLVED FIXED
Target Milestone: 3.12.3

People

(Reporter: slavomir.katuscak+mozilla, Assigned: slavomir.katuscak+mozilla)

Details

(Whiteboard: PKIX SUN_MUST_HAVE)

Attachments

(1 file)

Build: securitytip/20090309.1/mandela.1/output.log

Test log:

chains.sh: Verifying certificate(s) OCSPEE21.cert OCSPCA2.cert with flags -g chain -m ocsp -d OCSPRootDB -t OCSPRoot
vfychain -d OCSPRootDB -pp -vv -g chain -m ocsp /share/builds/mccrel3/security/securitytip/builds/20090309.1/biarritz_Solaris10_amd64/mozilla/security/nss/tests/libpkix/certs/OCSPEE21.cert /share/builds/mccrel3/security/securitytip/builds/20090309.1/biarritz_Solaris10_amd64/mozilla/security/nss/tests/libpkix/certs/OCSPCA2.cert -t OCSPRoot
Chain is good!
Root Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 219193145 (0xd109f39)
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "CN=OCSPRoot ROOT CA,O=OCSPRoot,C=US"
        Validity:
            Not Before: Thu Feb 19 18:31:46 2009
            Not After : Wed Feb 19 18:31:46 2059
        Subject: "CN=OCSPRoot ROOT CA,O=OCSPRoot,C=US"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    ef:28:1c:84:50:5a:2e:bb:7a:ad:5e:2e:fb:61:03:ba:
                    44:c9:a9:8d:35:fa:78:6c:ac:7b:57:e2:7f:9e:f9:63:
                    70:15:a9:1c:8a:8d:bb:23:d1:11:7c:37:6c:ca:b0:ea:
                    60:89:57:06:b1:d3:4c:8c:85:e4:21:57:ea:f6:a3:cd:
                    61:cc:51:ba:b5:3c:1f:0e:e4:55:6e:0f:04:a0:7a:69:
                    06:9a:b2:d6:3a:5e:d0:fa:07:12:c4:d3:99:3e:a1:bc:
                    06:de:3a:d1:24:c5:24:c8:03:f2:66:24:76:93:12:ed:
                    4e:cc:f9:e9:f5:3b:e5:4a:d3:63:af:01:13:83:ce:f3
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Type
            Data: <SSL CA,S/MIME CA,ObjectSigning CA>

            Name: Certificate Basic Constraints
            Data: Is a CA with no maximum path length.

            Name: Certificate Key Usage
            Usages: Certificate Signing
                    CRL Signing

    Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
    Signature:
        b4:2f:33:72:87:24:78:9a:4c:24:ac:6e:92:a7:0e:7f:
        32:92:67:79:7b:76:82:88:a5:3c:fd:27:cc:2b:50:f6:
        c4:d2:60:e5:42:20:10:25:07:27:aa:de:ae:f7:20:23:
        6d:ae:6b:75:25:b6:eb:b3:2c:cb:3e:3b:46:8a:61:de:
        6d:8e:0b:de:d4:46:6a:d6:01:44:89:8b:67:b4:47:bc:
        43:be:da:4f:e9:6c:58:a9:c7:90:16:c6:ed:c1:3f:48:
        7a:47:55:27:ed:b8:6c:17:6f:56:c5:6e:2a:8b:f3:67:
        a2:65:6c:b9:f6:71:cd:65:14:4a:40:ea:f1:8f:84:6f
    Fingerprint (MD5):
        35:8F:91:0E:79:08:B0:8B:CF:1D:03:B5:E0:53:B8:B0
    Fingerprint (SHA1):
        85:7B:73:CA:B7:90:27:C4:C3:D1:61:C0:C3:4F:05:20:C6:73:19:AE

    Certificate Trust Flags:
        SSL Flags:
            Valid CA
            Trusted CA
            Trusted Client CA
        Email Flags:
            Valid CA
            Trusted CA
        Object Signing Flags:
            Valid CA
            Trusted CA

Certificate 1 Subject: "CN=OCSPEE21 EE,O=OCSPEE21,C=US"
Certificate 2 Subject: "CN=OCSPCA2 Intermediate,O=OCSPCA2,C=US"
Returned value is 0, expected result is fail
chains.sh: #5373: OCSP: Verifying certificate(s) OCSPEE21.cert OCSPCA2.cert with flags -g chain -m ocsp -d OCSPRootDB -t OCSPRoot - FAILED

Details:
Chain: OCSPRoot -> OCSPCA2 -> OCSPEE21
OCSPCA2 is revoked by OCSPRoot, OCSPEE21 contains an AIA link to the OCSP responder for OCSPCA2, and OCSPCA2 contains an AIA link to the OCSP responder for OCSPRoot.
OCSPCA2 should be validated as revoked by OCSPCA2, but in this case it wasn't.
For more details about this test see bug 473790 comment 15.
The test is from scenario nss/tests/chains/scenarios/ocsp.cfg; certs and CRLs are located in nss/tests/libpkix/certs; the OCSPDs are on machine dochinups.
This test failed only once; usually it passes.
Whiteboard: PKIX SUN_MUST_HAVE
I suspect that this is one of those cases when the server has the status of the certificate but fails to communicate it back to the client. In any case, since a response was not received, the status of the cert is considered unknown and the chain becomes valid. To improve the situation, you can use the requireFreshInfo flag. With it, a "no info" status for a cert will be treated as a failure.
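The decision described in the comment above (a certificate whose OCSP status never arrives counts as "unknown", which passes under the default policy but fails once fresh information is required) is easy to see in a small model. The following is an added illustration, not NSS or libpkix code: it simulates the bug's chain (OCSPRoot -> OCSPCA2 -> OCSPEE21, with OCSPCA2 revoked by OCSPRoot), a responder that can be made to stay silent, and the two policies. The class names, the `RESPONDER_RECORDS` table and the `reachable` callback are constructed for this example and do not correspond to NSS APIs.

```python
"""Policy model for a missing OCSP response during chain validation.

Added illustration, not NSS/libpkix code. Models the two behaviours named
in the bug: by default a certificate whose revocation status could not be
fetched is 'unknown' and does not fail the chain; with a require-fresh-info
policy (what the requireFreshInfo flag added to ocsp.cfg asks for) missing
status is itself a failure. The chain and responder contents are constructed
to mirror the bug's scenario.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"   # responder did not answer, or had no record


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str


# Constructed chain, leaf first, as vfychain receives it in the bug's log.
CHAIN: List[Cert] = [
    Cert("OCSPEE21", "OCSPCA2"),
    Cert("OCSPCA2", "OCSPRoot"),
]

# Constructed responder records: each issuer's OCSP responder knows the
# status of the certs it issued. OCSPRoot has OCSPCA2 on record as revoked.
RESPONDER_RECORDS: Dict[str, Dict[str, Status]] = {
    "OCSPRoot": {"OCSPCA2": Status.REVOKED},
    "OCSPCA2": {"OCSPEE21": Status.GOOD},
}

Availability = Callable[[str], bool]   # issuer name -> responder reachable?


def query_ocsp(cert: Cert, reachable: Availability) -> Status:
    """Fetch cert's status from its issuer's responder (the AIA link).

    An unreachable responder yields UNKNOWN even though its records hold a
    revocation: the client never learns what the server knows.
    """
    if not reachable(cert.issuer):
        return Status.UNKNOWN
    return RESPONDER_RECORDS.get(cert.issuer, {}).get(cert.subject, Status.UNKNOWN)


def chain_statuses(chain: List[Cert], reachable: Availability) -> Dict[str, Status]:
    """Per-certificate status as the client actually observed it."""
    return {c.subject: query_ocsp(c, reachable) for c in chain}


def verify_chain(chain: List[Cert], reachable: Availability,
                 require_fresh_info: bool) -> bool:
    """True means 'Chain is good!', False means validation fails.

    REVOKED always fails. UNKNOWN fails only under require_fresh_info; the
    default policy lets it through, which is the result the bug reports.
    """
    for cert in chain:
        status = query_ocsp(cert, reachable)
        if status is Status.REVOKED:
            return False
        if status is Status.UNKNOWN and require_fresh_info:
            return False
    return True


def all_reachable(issuer: str) -> bool:
    return True


def root_responder_silent(issuer: str) -> bool:
    # The intermittent failure in the bug: OCSPRoot's responder does not reply.
    return issuer != "OCSPRoot"


if __name__ == "__main__":
    for name, reach in (("responders up", all_reachable),
                        ("OCSPRoot responder silent", root_responder_silent)):
        for fresh in (False, True):
            ok = verify_chain(CHAIN, reach, require_fresh_info=fresh)
            print(f"{name:26s} requireFreshInfo={fresh!s:5s} -> "
                  f"{'Chain is good!' if ok else 'chain fails'}")
```

Running the script prints the four combinations; the one that reproduces the bug is "OCSPRoot responder silent" with requireFreshInfo=False, where the revoked intermediate is observed as unknown and the chain is reported good. Requiring fresh information turns the same missing response into a failure, which is the fix the patch applies to the test scenario.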
Assignee: alexei.volkov.bugs → slavomir.katuscak
Attachment #368042 - Flags: review?(alexei.volkov.bugs)
Attachment #368042 - Flags: review?(alexei.volkov.bugs) → review+
Comment on attachment 368042
Patch adding requireFreshInfo flag. (checked in)

Checking in ocsp.cfg;
/cvsroot/mozilla/security/nss/tests/chains/scenarios/ocsp.cfg,v  <--  ocsp.cfg
new revision: 1.4; previous revision: 1.3
done
Attachment #368042 - Attachment description: Patch adding requireFreshInfo flag. → Patch adding requireFreshInfo flag. (checked in)
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED