Bug 482702 - OCSP test with revoked CA cert validated as good.
Status: RESOLVED FIXED
Whiteboard: PKIX SUN_MUST_HAVE
Product: NSS
Classification: Components
Component: Tools
Version: trunk
Hardware: Sun Solaris
Importance: -- normal
Target Milestone: 3.12.3
Assigned To: Slavomir Katuscak
Reported: 2009-03-11 07:34 PDT by Slavomir Katuscak
Modified: 2009-03-19 02:56 PDT

Attachments
Patch adding requireFreshInfo flag. (checked in) (646 bytes, patch)
2009-03-18 09:44 PDT, Slavomir Katuscak
alvolkov.bgs: review+

Description Slavomir Katuscak 2009-03-11 07:34:12 PDT
Build:
securitytip/20090309.1/mandela.1/output.log

Test log:
chains.sh: Verifying certificate(s)  OCSPEE21.cert OCSPCA2.cert with flags  -g chain -m ocsp -d OCSPRootDB    -t OCSPRoot
vfychain -d OCSPRootDB -pp -vv  -g chain -m ocsp    /share/builds/mccrel3/security/securitytip/builds/20090309.1/biarritz_Solaris10_amd64/mozilla/security/nss/tests/libpkix/certs/OCSPEE21.cert /share/builds/mccrel3/security/securitytip/builds/20090309.1/biarritz_Solaris10_amd64/mozilla/security/nss/tests/libpkix/certs/OCSPCA2.cert  -t OCSPRoot
Chain is good!
Root Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 219193145 (0xd109f39)
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "CN=OCSPRoot ROOT CA,O=OCSPRoot,C=US"
        Validity:
            Not Before: Thu Feb 19 18:31:46 2009
            Not After : Wed Feb 19 18:31:46 2059
        Subject: "CN=OCSPRoot ROOT CA,O=OCSPRoot,C=US"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Type
            Data: <SSL CA,S/MIME CA,ObjectSigning CA>

            Name: Certificate Basic Constraints
            Data: Is a CA with no maximum path length.

            Name: Certificate Key Usage
            Usages: Certificate Signing
                    CRL Signing

    Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
    Signature:
    Fingerprint (MD5):
        35:8F:91:0E:79:08:B0:8B:CF:1D:03:B5:E0:53:B8:B0
    Fingerprint (SHA1):
        85:7B:73:CA:B7:90:27:C4:C3:D1:61:C0:C3:4F:05:20:C6:73:19:AE

    Certificate Trust Flags:
        SSL Flags:
            Valid CA
            Trusted CA
            Trusted Client CA
        Email Flags:
            Valid CA
            Trusted CA
        Object Signing Flags:
            Valid CA
            Trusted CA

Certificate 1 Subject: "CN=OCSPEE21 EE,O=OCSPEE21,C=US"
Certificate 2 Subject: "CN=OCSPCA2 Intermediate,O=OCSPCA2,C=US"
Returned value is 0, expected result is fail
chains.sh: #5373: OCSP: Verifying certificate(s)  OCSPEE21.cert OCSPCA2.cert with flags  -g chain -m ocsp -d OCSPRootDB    -t OCSPRoot - FAILED
 

Details:

Chain:
OCSPRoot -> OCSPCA2 -> OCSPEE21

OCSPCA2 is revoked by OCSPRoot, OCSPEE21 contains an AIA link to OCSP for OCSPCA2, and OCSPCA2 contains an AIA link to OCSP for OCSPRoot. OCSPCA2 should be validated as revoked by OCSPCA2, but in this case it wasn't.

For more details about this test see bug 473790 comment 15. The test is from scenario nss/tests/chains/scenarios/ocsp.cfg; certs + CRLs are located in nss/tests/libpkix/certs, and the OCSPDs are on machine dochinups.

This test failed only once; usually it passes.
Comment 1 Alexei Volkov 2009-03-13 13:41:29 PDT
I suspect that this is one of those cases where the server has the status of the certificate but fails to communicate it back to the client. In any case, since a response was not received, the status of the cert is considered to be unknown and the chain becomes valid.
To improve the situation, you can use the requireFreshInfo flag. With it, the "no info" status of a cert will be treated as a failure.
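Comment 1 describes a fail-open revocation check: when no OCSP response arrives the status is "unknown" and the chain still validates, and requireFreshInfo turns that case into a failure. The Python model below is added here and is not part of this bug, the patch, or NSS/libpkix; it replays that decision over the bug's chain (OCSPRoot -> OCSPCA2 -> OCSPEE21) with a responder that drops one response. All class and function names, and the responder itself, are constructed assumptions, not libpkix interfaces.

```python
# Model of fail-open vs fail-closed OCSP revocation checking, constructed to
# illustrate this bug. Not NSS/libpkix code: every name here is an assumption.
from enum import Enum

class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"  # no usable response was received

class OcspResponder:
    """Constructed responder: per-issuer revocation sets, plus certs whose
    response is dropped to simulate the transport failure suspected here."""
    def __init__(self, revoked_by_issuer, drop_for=()):
        self.revoked_by_issuer = revoked_by_issuer
        self.drop_for = set(drop_for)

    def query(self, cert, issuer):
        if cert in self.drop_for:
            return None  # client never receives a response
        if cert in self.revoked_by_issuer.get(issuer, set()):
            return Status.REVOKED
        return Status.GOOD

def check_chain(chain, responder, require_fresh_info):
    """chain is ordered root -> ... -> leaf; each cert below the root is
    checked at its issuer's responder. Returns (valid, reason)."""
    for issuer, cert in zip(chain, chain[1:]):
        status = responder.query(cert, issuer) or Status.UNKNOWN
        if status is Status.REVOKED:
            return False, f"{cert} revoked by {issuer}"
        if status is Status.UNKNOWN and require_fresh_info:
            return False, f"no fresh OCSP info for {cert}"
        # UNKNOWN without require_fresh_info falls through: fail-open
    return True, "chain is good"

CHAIN = ["OCSPRoot", "OCSPCA2", "OCSPEE21"]  # chain from the bug report
REVOKED = {"OCSPRoot": {"OCSPCA2"}}          # OCSPCA2 is revoked by OCSPRoot

def reproduce():
    """Outcomes with a responder that drops OCSPCA2's status (lenient and
    strict) and with a healthy responder."""
    flaky = OcspResponder(REVOKED, drop_for=["OCSPCA2"])
    healthy = OcspResponder(REVOKED)
    return {
        "flaky_lenient": check_chain(CHAIN, flaky, require_fresh_info=False),
        "flaky_strict": check_chain(CHAIN, flaky, require_fresh_info=True),
        "healthy": check_chain(CHAIN, healthy, require_fresh_info=False),
    }
```

The "flaky_lenient" outcome is the "Chain is good!" result in the test log; "flaky_strict" is what the requireFreshInfo patch makes the scenario expect.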
Comment 2 Slavomir Katuscak 2009-03-18 09:44:18 PDT
Created attachment 368042 [details] [diff] [review]
Patch adding requireFreshInfo flag. (checked in)
Comment 3 Slavomir Katuscak 2009-03-19 02:56:15 PDT
Comment on attachment 368042 [details] [diff] [review]
Patch adding requireFreshInfo flag. (checked in)

Checking in ocsp.cfg;
/cvsroot/mozilla/security/nss/tests/chains/scenarios/ocsp.cfg,v  <--  ocsp.cfg
new revision: 1.4; previous revision: 1.3
done
