Closed Bug 482702 Opened 15 years ago Closed 15 years ago

OCSP test with revoked CA cert validated as good.

Categories

(NSS :: Tools, defect)

Sun
Solaris
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED
3.12.3

People

(Reporter: slavomir.katuscak+mozilla, Assigned: slavomir.katuscak+mozilla)

Details

(Whiteboard: PKIX SUN_MUST_HAVE)

Attachments

(1 file)

Build:
securitytip/20090309.1/mandela.1/output.log

Test log:
chains.sh: Verifying certificate(s)  OCSPEE21.cert OCSPCA2.cert with flags  -g chain -m ocsp -d OCSPRootDB    -t OCSPRoot
vfychain -d OCSPRootDB -pp -vv  -g chain -m ocsp    /share/builds/mccrel3/security/securitytip/builds/20090309.1/biarritz_Solaris10_amd64/mozilla/security/nss/tests/libpkix/certs/OCSPEE21.cert /share/builds/mccrel3/security/securitytip/builds/20090309.1/biarritz_Solaris10_amd64/mozilla/security/nss/tests/libpkix/certs/OCSPCA2.cert  -t OCSPRoot
Chain is good!
Root Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 219193145 (0xd109f39)
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "CN=OCSPRoot ROOT CA,O=OCSPRoot,C=US"
        Validity:
            Not Before: Thu Feb 19 18:31:46 2009
            Not After : Wed Feb 19 18:31:46 2059
        Subject: "CN=OCSPRoot ROOT CA,O=OCSPRoot,C=US"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    ef:28:1c:84:50:5a:2e:bb:7a:ad:5e:2e:fb:61:03:ba:
                    44:c9:a9:8d:35:fa:78:6c:ac:7b:57:e2:7f:9e:f9:63:
                    70:15:a9:1c:8a:8d:bb:23:d1:11:7c:37:6c:ca:b0:ea:
                    60:89:57:06:b1:d3:4c:8c:85:e4:21:57:ea:f6:a3:cd:
                    61:cc:51:ba:b5:3c:1f:0e:e4:55:6e:0f:04:a0:7a:69:
                    06:9a:b2:d6:3a:5e:d0:fa:07:12:c4:d3:99:3e:a1:bc:
                    06:de:3a:d1:24:c5:24:c8:03:f2:66:24:76:93:12:ed:
                    4e:cc:f9:e9:f5:3b:e5:4a:d3:63:af:01:13:83:ce:f3
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Type
            Data: <SSL CA,S/MIME CA,ObjectSigning CA>

            Name: Certificate Basic Constraints
            Data: Is a CA with no maximum path length.

            Name: Certificate Key Usage
            Usages: Certificate Signing
                    CRL Signing

    Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
    Signature:
        b4:2f:33:72:87:24:78:9a:4c:24:ac:6e:92:a7:0e:7f:
        32:92:67:79:7b:76:82:88:a5:3c:fd:27:cc:2b:50:f6:
        c4:d2:60:e5:42:20:10:25:07:27:aa:de:ae:f7:20:23:
        6d:ae:6b:75:25:b6:eb:b3:2c:cb:3e:3b:46:8a:61:de:
        6d:8e:0b:de:d4:46:6a:d6:01:44:89:8b:67:b4:47:bc:
        43:be:da:4f:e9:6c:58:a9:c7:90:16:c6:ed:c1:3f:48:
        7a:47:55:27:ed:b8:6c:17:6f:56:c5:6e:2a:8b:f3:67:
        a2:65:6c:b9:f6:71:cd:65:14:4a:40:ea:f1:8f:84:6f
    Fingerprint (MD5):
        35:8F:91:0E:79:08:B0:8B:CF:1D:03:B5:E0:53:B8:B0
    Fingerprint (SHA1):
        85:7B:73:CA:B7:90:27:C4:C3:D1:61:C0:C3:4F:05:20:C6:73:19:AE

    Certificate Trust Flags:
        SSL Flags:
            Valid CA
            Trusted CA
            Trusted Client CA
        Email Flags:
            Valid CA
            Trusted CA
        Object Signing Flags:
            Valid CA
            Trusted CA

Certificate 1 Subject: "CN=OCSPEE21 EE,O=OCSPEE21,C=US"
Certificate 2 Subject: "CN=OCSPCA2 Intermediate,O=OCSPCA2,C=US"
Returned value is 0, expected result is fail
chains.sh: #5373: OCSP: Verifying certificate(s)  OCSPEE21.cert OCSPCA2.cert with flags  -g chain -m ocsp -d OCSPRootDB    -t OCSPRoot - FAILED

Details:

Chain:
OCSPRoot -> OCSPCA2 -> OCSPEE21

OCSPCA2 is revoked by OCSPRoot, OCSPEE21 contains an AIA link to the OCSP responder for OCSPCA2, and OCSPCA2 contains an AIA link to the OCSP responder for OCSPRoot. OCSPCA2 should be validated as revoked by OCSPCA2, but in this case it wasn't.

For more details about this test see bug 473790 comment 15. The test is from the scenario nss/tests/chains/scenarios/ocsp.cfg, the certs and CRLs are located in nss/tests/libpkix/certs, and the OCSPDs are on the machine dochinups.

This test failed only once; usually it passes.
Whiteboard: PKIX SUN_MUST_HAVE
I suspect that this is one of those cases where the server has the status of the certificate but fails to communicate it back to the client. In any case, since a response was not received, the status of the cert is considered unknown and the chain becomes valid.
To improve the situation, you can use the requireFreshInfo flag. With it, the "no info" status of a cert will be treated as a failure.
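The failure mode described in the comment above (a revoked intermediate whose OCSP responder never answers, so its status is "unknown" and the chain verifies as good) is easy to reproduce in a small policy model. The following is an added example, not NSS code and not part of this bug's patch; it is a constructed simulation of chain revocation checking in which `Policy.require_fresh_info` stands in for the behaviour the comment attributes to the requireFreshInfo flag, and the certificate names, timestamps and OCSP responses are made up to mirror the OCSPRoot -> OCSPCA2 -> OCSPEE21 chain from the report. It also goes one step beyond the comment by treating a response outside its thisUpdate/nextUpdate window as "not fresh", which is the other way a client can end up without usable revocation information.

```python
"""Constructed model of chain revocation checking: soft-fail vs. require-fresh-info.

Not NSS code. Illustrates why a chain containing a revoked intermediate
validates as good when the OCSP responder never answers, and how a
"require fresh info" policy (assumed here to model vfychain's
requireFreshInfo flag) turns that silence into a verification failure.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class OcspResponse:
    status: str            # "good", "revoked" or "unknown"
    this_update: datetime  # start of the validity window of this response
    next_update: datetime  # end of the validity window of this response


@dataclass
class Cert:
    name: str
    issuer: Optional[str]  # None marks the trust anchor (OCSPRoot)


@dataclass
class Policy:
    # Assumption: models the "no info" -> failure behaviour of requireFreshInfo.
    require_fresh_info: bool


def is_fresh(resp: OcspResponse, now: datetime) -> bool:
    """A response is usable only inside its thisUpdate/nextUpdate window."""
    return resp.this_update <= now < resp.next_update


def check_cert(cert: Cert, resp: Optional[OcspResponse], now: datetime,
               policy: Policy) -> Tuple[bool, str]:
    """Return (ok, reason) for the revocation status of a single certificate."""
    if cert.issuer is None:
        return True, "trust anchor; no revocation check"
    if resp is None:
        # Responder did not answer: no information about this cert at all.
        if policy.require_fresh_info:
            return False, "no OCSP response"
        return True, "no OCSP response; soft-fail treats status as unknown"
    if not is_fresh(resp, now):
        # Stale information is as good as none.
        if policy.require_fresh_info:
            return False, "stale OCSP response"
        return True, "stale OCSP response ignored; soft-fail"
    if resp.status == "revoked":
        return False, "revoked"
    if resp.status == "unknown":
        if policy.require_fresh_info:
            return False, "responder reported unknown"
        return True, "unknown status; soft-fail"
    return True, "good"


def verify_chain(chain: List[Cert], responses: Dict[str, OcspResponse],
                 now: datetime, policy: Policy) -> Tuple[bool, str]:
    """Walk the chain root-first; the first failing certificate stops the walk."""
    for cert in chain:
        ok, reason = check_cert(cert, responses.get(cert.name), now, policy)
        if not ok:
            return False, f"{cert.name}: {reason}"
    return True, "chain is good"


# Constructed sample data mirroring the chain in the bug report.
NOW = datetime(2009, 3, 9, 12, 0, 0)
CHAIN = [Cert("OCSPRoot", None), Cert("OCSPCA2", "OCSPRoot"), Cert("OCSPEE21", "OCSPCA2")]
FRESH = (NOW - timedelta(hours=1), NOW + timedelta(days=1))
STALE = (NOW - timedelta(days=10), NOW - timedelta(days=3))

# Scenario 1: the responder for OCSPCA2's status never answered (no entry at all).
RESPONDER_SILENT = {"OCSPEE21": OcspResponse("good", *FRESH)}
# Scenario 2: the responder answered and reports OCSPCA2 as revoked.
RESPONDER_OK = {"OCSPCA2": OcspResponse("revoked", *FRESH),
                "OCSPEE21": OcspResponse("good", *FRESH)}
# Scenario 3: only an out-of-date response for OCSPCA2 is available.
RESPONDER_STALE = {"OCSPCA2": OcspResponse("revoked", *STALE),
                   "OCSPEE21": OcspResponse("good", *FRESH)}

SOFT_FAIL = Policy(require_fresh_info=False)
REQUIRE_FRESH = Policy(require_fresh_info=True)


def run_scenarios() -> Dict[str, Tuple[bool, str]]:
    """Evaluate every scenario under both policies; keys are 'scenario/policy'."""
    scenarios = {"silent": RESPONDER_SILENT, "ok": RESPONDER_OK, "stale": RESPONDER_STALE}
    policies = {"soft": SOFT_FAIL, "fresh": REQUIRE_FRESH}
    return {f"{s}/{p}": verify_chain(CHAIN, resp, NOW, pol)
            for s, resp in scenarios.items() for p, pol in policies.items()}


if __name__ == "__main__":
    for key, (ok, reason) in run_scenarios().items():
        print(f"{key:12s} {'GOOD' if ok else 'FAIL'}  {reason}")
```

Under the soft-fail policy the "silent" scenario reproduces the report: the chain with the revoked OCSPCA2 prints GOOD because nothing contradicted it, which is exactly the intermittent pass the test saw. With `require_fresh_info` the same scenario fails on OCSPCA2 with "no OCSP response", and a response that has aged past nextUpdate fails the same way, so the test outcome no longer depends on whether the responder happened to answer.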
Assignee: alexei.volkov.bugs → slavomir.katuscak
Attachment #368042 - Flags: review?(alexei.volkov.bugs)
Attachment #368042 - Flags: review?(alexei.volkov.bugs) → review+
Comment on attachment 368042 [details] [diff] [review]
Patch adding requireFreshInfo flag. (checked in)

Checking in ocsp.cfg;
/cvsroot/mozilla/security/nss/tests/chains/scenarios/ocsp.cfg,v  <--  ocsp.cfg
new revision: 1.4; previous revision: 1.3
done
Attachment #368042 - Attachment description: Patch adding requireFreshInfo flag. → Patch adding requireFreshInfo flag. (checked in)
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED