
OCSP test with revoked CA cert validated as good.

RESOLVED FIXED in 3.12.3

Status: RESOLVED FIXED
Product: NSS
Component: Tools
Reported: 9 years ago
Modified: 9 years ago

People: Reporter: Slavomir Katuscak; Assigned: Slavomir Katuscak

Tracking: Version: trunk; Target Milestone: 3.12.3; Hardware: Sun; OS: Solaris

Firefox Tracking Flags: (Not tracked)

Whiteboard: PKIX SUN_MUST_HAVE

Attachments: 1 attachment

(Assignee)

Description

9 years ago
Build:
securitytip/20090309.1/mandela.1/output.log

Test log:
chains.sh: Verifying certificate(s)  OCSPEE21.cert OCSPCA2.cert with flags  -g chain -m ocsp -d OCSPRootDB    -t OCSPRoot
vfychain -d OCSPRootDB -pp -vv  -g chain -m ocsp    /share/builds/mccrel3/security/securitytip/builds/20090309.1/biarritz_Solaris10_amd64/mozilla/security/nss/tests/libpkix/certs/OCSPEE21.cert /share/builds/mccrel3/security/securitytip/builds/20090309.1/biarritz_Solaris10_amd64/mozilla/security/nss/tests/libpkix/certs/OCSPCA2.cert  -t OCSPRoot
Chain is good!
Root Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 219193145 (0xd109f39)
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "CN=OCSPRoot ROOT CA,O=OCSPRoot,C=US"
        Validity:
            Not Before: Thu Feb 19 18:31:46 2009
            Not After : Wed Feb 19 18:31:46 2059
        Subject: "CN=OCSPRoot ROOT CA,O=OCSPRoot,C=US"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    ef:28:1c:84:50:5a:2e:bb:7a:ad:5e:2e:fb:61:03:ba:
                    44:c9:a9:8d:35:fa:78:6c:ac:7b:57:e2:7f:9e:f9:63:
                    70:15:a9:1c:8a:8d:bb:23:d1:11:7c:37:6c:ca:b0:ea:
                    60:89:57:06:b1:d3:4c:8c:85:e4:21:57:ea:f6:a3:cd:
                    61:cc:51:ba:b5:3c:1f:0e:e4:55:6e:0f:04:a0:7a:69:
                    06:9a:b2:d6:3a:5e:d0:fa:07:12:c4:d3:99:3e:a1:bc:
                    06:de:3a:d1:24:c5:24:c8:03:f2:66:24:76:93:12:ed:
                    4e:cc:f9:e9:f5:3b:e5:4a:d3:63:af:01:13:83:ce:f3
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Type
            Data: <SSL CA,S/MIME CA,ObjectSigning CA>

            Name: Certificate Basic Constraints
            Data: Is a CA with no maximum path length.

            Name: Certificate Key Usage
            Usages: Certificate Signing
                    CRL Signing

    Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
    Signature:
        b4:2f:33:72:87:24:78:9a:4c:24:ac:6e:92:a7:0e:7f:
        32:92:67:79:7b:76:82:88:a5:3c:fd:27:cc:2b:50:f6:
        c4:d2:60:e5:42:20:10:25:07:27:aa:de:ae:f7:20:23:
        6d:ae:6b:75:25:b6:eb:b3:2c:cb:3e:3b:46:8a:61:de:
        6d:8e:0b:de:d4:46:6a:d6:01:44:89:8b:67:b4:47:bc:
        43:be:da:4f:e9:6c:58:a9:c7:90:16:c6:ed:c1:3f:48:
        7a:47:55:27:ed:b8:6c:17:6f:56:c5:6e:2a:8b:f3:67:
        a2:65:6c:b9:f6:71:cd:65:14:4a:40:ea:f1:8f:84:6f
    Fingerprint (MD5):
        35:8F:91:0E:79:08:B0:8B:CF:1D:03:B5:E0:53:B8:B0
    Fingerprint (SHA1):
        85:7B:73:CA:B7:90:27:C4:C3:D1:61:C0:C3:4F:05:20:C6:73:19:AE

    Certificate Trust Flags:
        SSL Flags:
            Valid CA
            Trusted CA
            Trusted Client CA
        Email Flags:
            Valid CA
            Trusted CA
        Object Signing Flags:
            Valid CA
            Trusted CA

Certificate 1 Subject: "CN=OCSPEE21 EE,O=OCSPEE21,C=US"
Certificate 2 Subject: "CN=OCSPCA2 Intermediate,O=OCSPCA2,C=US"
Returned value is 0, expected result is fail
chains.sh: #5373: OCSP: Verifying certificate(s)  OCSPEE21.cert OCSPCA2.cert with flags  -g chain -m ocsp -d OCSPRootDB    -t OCSPRoot - FAILED

Details:

Chain:
OCSPRoot -> OCSPCA2 -> OCSPEE21

OCSPCA2 is revoked by OCSPRoot; OCSPEE21 contains an AIA link to the OCSP responder for OCSPCA2, and OCSPCA2 contains an AIA link to the OCSP responder for OCSPRoot. OCSPCA2 should be validated as revoked by OCSPCA2, but in this case it wasn't.

For more details about this test see bug 473790 comment 15. The test is from the scenario nss/tests/chains/scenarios/ocsp.cfg; certs and CRLs are located in nss/tests/libpkix/certs, and the OCSP daemons are on machine dochinups.

This test failed only once; usually it passes.
(Assignee)

Updated

9 years ago
Whiteboard: PKIX SUN_MUST_HAVE

Comment 1

9 years ago
I suspect that this is one of those cases when the server has the status of the certificate but fails to communicate it back to the client. In any case, since a response was not received, the status of the cert is considered to be unknown and the chain becomes valid.
To improve the situation, you can use the requireFreshInfo flag. With it, the "no info" status of a cert will be treated as a failure.
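The behaviour described in the description (OCSPRoot -> OCSPCA2 -> OCSPEE21, with OCSPCA2 revoked) and in comment 1 (a missing responder answer soft-fails to "unknown" and the chain passes, unless fresh info is required) can be modelled as a small policy check. The following is an added illustration, not NSS or libpkix code and not the patch attached to this bug; the responder records, the second healthy chain (CA_GOOD / EE_GOOD) and the names OcspStatus, RESPONDER_DB, query_ocsp and verify_chain are constructed for the example.

```python
"""Soft-fail vs. hard-fail handling of missing OCSP responses.

Added, constructed example (not NSS/libpkix code): it models only the
decision logic described in the bug comment. All names are hypothetical.
"""
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class OcspStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"  # responder answered but has no record of this cert


# Constructed issuer map for the chain in the bug (leaf first, as vfychain
# lists it): OCSPRoot -> OCSPCA2 -> OCSPEE21. A second, fully good chain
# (CA_GOOD / EE_GOOD, constructed) shows the strict policy still accepts
# healthy chains.
ISSUER: Dict[str, str] = {
    "OCSPEE21": "OCSPCA2",
    "OCSPCA2": "OCSPRoot",
    "EE_GOOD": "CA_GOOD",
    "CA_GOOD": "OCSPRoot",
}
BUG_CHAIN: List[str] = ["OCSPEE21", "OCSPCA2"]
GOOD_CHAIN: List[str] = ["EE_GOOD", "CA_GOOD"]

# Constructed responder records, keyed by (issuer, subject). OCSPCA2 has
# been revoked by OCSPRoot, which is why the test expects "fail".
RESPONDER_DB: Dict[Tuple[str, str], OcspStatus] = {
    ("OCSPRoot", "OCSPCA2"): OcspStatus.REVOKED,
    ("OCSPCA2", "OCSPEE21"): OcspStatus.GOOD,
    ("OCSPRoot", "CA_GOOD"): OcspStatus.GOOD,
    ("CA_GOOD", "EE_GOOD"): OcspStatus.GOOD,
}


def query_ocsp(issuer: str, subject: str,
               unreachable: Set[str]) -> Optional[OcspStatus]:
    """Simulate asking the issuer's responder about `subject`.

    Returns None when no response arrives (responder down, dropped
    connection); that is the intermittent case the bug comment describes.
    """
    if subject in unreachable:
        return None
    return RESPONDER_DB.get((issuer, subject), OcspStatus.UNKNOWN)


def verify_chain(chain: List[str], require_fresh_info: bool,
                 unreachable: Optional[Set[str]] = None) -> Tuple[bool, str]:
    """Check every cert in `chain` against its issuer's OCSP responder.

    Without require_fresh_info, a missing or "unknown" answer is soft-failed:
    the cert is treated as not-known-to-be-revoked and the chain can pass.
    With it, any cert lacking a definite fresh answer fails the chain.
    """
    unreachable = unreachable or set()
    for subject in chain:
        issuer = ISSUER[subject]
        status = query_ocsp(issuer, subject, unreachable)
        if status is OcspStatus.REVOKED:
            return False, f"{subject} is revoked by {issuer}"
        if status is None or status is OcspStatus.UNKNOWN:
            if require_fresh_info:
                detail = "no response" if status is None else "status unknown"
                return False, f"{detail} for {subject}; fresh info required"
            # soft-fail: fall through and keep checking the rest of the chain
    return True, "Chain is good!"


if __name__ == "__main__":
    cases = [
        ("responder reachable, soft-fail", BUG_CHAIN, False, set()),
        ("OCSPCA2 responder silent, soft-fail", BUG_CHAIN, False, {"OCSPCA2"}),
        ("OCSPCA2 responder silent, requireFreshInfo", BUG_CHAIN, True, {"OCSPCA2"}),
        ("healthy chain, requireFreshInfo", GOOD_CHAIN, True, set()),
    ]
    for label, chain, fresh, down in cases:
        ok, why = verify_chain(chain, fresh, down)
        print(f"{label:45s} -> {'good' if ok else 'FAIL'}: {why}")
```

The second case reproduces the report: the responder for OCSPCA2 does not answer, the soft-fail policy treats the missing status as "unknown", and the chain is reported good even though the intermediate is revoked. The third case is the same run with fresh info required, where the silent responder alone is enough to fail the chain; the fourth shows that a chain with definite "good" answers is unaffected by the stricter policy.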
(Assignee)

Comment 2

9 years ago
Created attachment 368042 [details] [diff] [review]
Patch adding requireFreshInfo flag. (checked in)
Assignee: alexei.volkov.bugs → slavomir.katuscak
Attachment #368042 - Flags: review?(alexei.volkov.bugs)

Updated

9 years ago
Attachment #368042 - Flags: review?(alexei.volkov.bugs) → review+
(Assignee)

Comment 3

9 years ago
Comment on attachment 368042 [details] [diff] [review]
Patch adding requireFreshInfo flag. (checked in)

Checking in ocsp.cfg;
/cvsroot/mozilla/security/nss/tests/chains/scenarios/ocsp.cfg,v  <--  ocsp.cfg
new revision: 1.4; previous revision: 1.3
done
Attachment #368042 - Attachment description: Patch adding requireFreshInfo flag. → Patch adding requireFreshInfo flag. (checked in)
(Assignee)

Updated

9 years ago
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED