Closed Bug 497172 Opened 16 years ago Closed 16 years ago

Add default OCSP responder for globalsign

Categories

(Core :: Security: PSM, enhancement)

Product:
Core
Component:
Security: PSM
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
status1.9.1 --- .2-fixed

People

(Reporter: johnath, Assigned: KaiE)

Details

(Keywords: verified1.9.1)

Attachments

(4 files, 1 obsolete file)

Added GlobalSign to the data structure
37.55 KB, text/plain
Details
Created patch to add GlobalSign OCSP
860 bytes, patch
KaiE
: review+
Details | Diff | Splinter Review
Updated OCSP URL for GlobalSign.
985 bytes, patch
Details | Diff | Splinter Review
Final debugged Patch
864 bytes, patch
nelson
: review+
beltzner
: approval1.9.1.2+
Details | Diff | Splinter Review
Globalsign has a live OCSP responder now, and would like to make use of the default OCSP responder mechanism implemented by bug 485052. The data structure that controls this is here: http://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/src/nsNSSCallbacks.cpp#1058 So we just need that information (issuer name, issuer key ID) for each cert (including intermediates) that Globalsign wants to have OCSP checking for using this mechanism.
The Intermediate certificates are not OCSP enabled. The end untity certifiactes are issued by "GlobalSign Extended Validation CA" The (SKI) is "34 b1 f9 c9 8c 6b 35 44 cc 08 69 0a ee e3 a3 b9 5c bf 16 e0" The format is therefore /* GlobalSign */ { "CN=GlobalSign Extended Validation CA,O=GlobalSign,OU=Extended Validation CA", nsnull, "to be added by engineering team in Japan", nsnull, "http://evssl-ocsp.globalsign.com/responder " }, Engineering need to convert the SKI to the relevant form.
Here is a KeyID of issuer in base64 "NLH5yYxrNUTMCGkK7uOjuVy/FuA=" Masakazu Asano Tech Div. GlobalSign K.K.
Here's the final logic for the code which amends the URL. /* GlobalSign */ { "CN=GlobalSign Extended Validation CA,O=GlobalSign,OU=Extended Validation CA", nsnull, "NLH5yYxrNUTMCGkK7uOjuVy/FuA=", nsnull, "http://ocsp.globalsign.com" } Many thanks for a swift implementation.
A final review with the team suggests that in readiness for a separate OCSP responder for EV Code signing we should change the URL slightly /* GlobalSign */ { "CN=GlobalSign Extended Validation CA,O=GlobalSign,OU=Extended Validation CA", nsnull, "NLH5yYxrNUTMCGkK7uOjuVy/FuA=", nsnull, "http://ocsp.globalsign.com/ExtendedSSL" } Many thanks for a swift implementation.
Who wants to produce the code patch? Then I can review it.
Attached patch OCSP amendment (obsolete) — Splinter Review
The Patch has been submitted. Previous datastructure had a missing ,
Comment on attachment 382695 [details] [diff] [review] OCSP amendment r=kaie
Attachment #382695 - Flags: review+
Keywords: checkin-needed
Attachment #382695 - Flags: approval1.9.1?
kaie - did your review include testing? Do we know that this change will resolve the issue? Note to drivers - I know that RC1 is already spinning. If there is an opportunity for this to land as part of a hypothetical second RC, it is a code change but extremely low-risk, since it just adds another entry to a list of known sources for certificate validation. Even if it were found to be incorrect, it would fail back to the behaviour we currently have in the product. The reward is that certificates from another EV-approved CA are properly checked for revocation and show EV UI again. This is the CA that issues the certificate for addons.mozilla.org, among others.
(In reply to comment #10) > kaie - did your review include testing? Do we know that this change will > resolve the issue? No
Now I've been able to test it. Unfortunately, this patch is still not sufficient to make GlobalSign sites (e.g. addons.mozilla.org) appear with green EV status. Suspected reason: because OCSP checking for the intermediate certs doesn't work. abbreviations: - globalsign fake ocsp patch from this bug: gs-ocsp-patch - a patch I used for testing that drops the requirement to have revocation info on intermediate certs: ignore-chain-patch Test results for addons.mozilla.org for current ff 3.5 (mozilla-1.9.1) with or without patches: no patches: no green ignore-chain-patch : no green gs-ocsp-patch: no green gs-ocsp-patch + ignore-chain-patch : green This tells me, the patch in this patch improves the situation slightly, because we do get an OCSP result for the server cert, but it's not sufficient, because by our policy we require info for the chain, too.
Comment on attachment 385730 [details] [diff] [review] Created patch to add GlobalSign OCSP r=kaie I don't mind adding this patch, but would have prefered to test first.
Attachment #385730 - Flags: review+
Attachment #382695 - Attachment is obsolete: true
Attachment #382695 - Flags: approval1.9.1?
Flags: blocking1.9.1.1?
I applied this patch to my 3.5 source tree and I still see no EV for addons.mozilla.org (I was using globalsign.com, but that cert now has an AIA field). Did this work in your own tests? Has something changed?
The AIA extension of the addons.mozilla.org server certificate doesn't contain an OCSP URI.
Eddy, surely you remember bug 485052 and bug 477244. This is all about making OCSP usable from certs from certain CAs that have OCSP responders but did not put their OCSP URLs in their certs.
(In reply to comment #16) > I applied this patch to my 3.5 source tree and I still see no EV for > addons.mozilla.org (I was using globalsign.com, but that cert now has an AIA > field). Did this work in your own tests? Has something changed? We have tested and it works for addons.mozilla.org. I'm wondering what is the difference between our build and yours.... Followings are information of 3.5 source that we are using; Downloaded from : ftp://ftp.mozilla.org/pub/firefox/releases/3.5/source/ Downloaded file name : firefox-3.5-source.tar.bz2 Last update : 2009/06/29 16:26:00 Extracted Folder name : mozilla-1.9.1 Can you please let me know how did you build yours?
Can this land on trunk so we can consider it for 1.9.1.1? kaie, johnath? Not blocking anyway, but we'll definitely approve a patch.
Flags: blocking1.9.1.1? → wanted1.9.1.x+
This final patch has the " " added :-)
Severity: normal → enhancement
Keywords: checkin-needed
OS: Mac OS X → All
Hardware: x86 → All
Attachment #388763 - Attachment is patch: true
Comment on attachment 388763 [details] [diff] [review] Final debugged Patch Steve, I want to double-check something with you. The diffs between the patch in attachment 385730 [details] [diff] [review] ("Created patch to add GlobalSign OCSP") and attachment 386710 [details] [diff] [review] ("Updated OCSP URL for GlobalSign.") include these changes to the URLs: -+ "http://ocsp.globalsign.com/ExtendedSSLCACross" ++ "http://ocsp.globalsign.com/ExtendedSSL" -+ "http://ocsp.globalsign.com/ExtendedSSLCA" ++ "http://ocsp.globalsign.com/ExtendedSSL" However, the differences between attachment 385730 [details] [diff] [review] ("Created patch to add GlobalSign OCSP") and attachment 388763 [details] [diff] [review] (your "Final debugged Patch") do not include those changes, and instead include only this change (shortened here to avoid line wrap): -+ "O=GlobalSign,OU=Extended ValidationCA", ++ "O=GlobalSign,OU=Extended Validation CA", My question is: are the changes in attachment 386710 [details] [diff] [review] no longer wanted?
Attachment #388763 - Flags: review?
Hi Nelson, Thanks for checking. Yes the initial patch was correct apart from the space in the CA name. The 2nd attachment was a red herring. The third and final attachment is correct and so is 99% the same as the first. Sorry for any confusion.
Attachment #388763 - Flags: review? → review+
> + "CN=GlobalSign Root CA,O=GlobalSign nv-sa,OU=Root CA,C=BE", Steve, the O and OU in this string are the "wrong way round" compared to their order in the GlobalSign Root CA certificate. This isn't a problem for the current implementation of MyAlternateOCSPAIAInfoCallback(), since CERT_CompareName() doesn't care about the order of the attributes. However, for the sake of clarity (and just in case this behaviour ever changes), might I suggest that you put them the "right way round" instead? e.g. + "CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE",
> CERT_CompareName() doesn't care about the order of the attributes. It requires RDNs to be in the same order in both names. It will not find two names in different orders to match, e.g. CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE CN=GlobalSign Root CA,O=GlobalSign nv-sa,OU=Root CA,C=BE will not match. It is possible (though quite rare in practice) for a single RDN to contain multiple ATAV pairs. Since RDNs are SETs, the order of the multiple ATAVs in a "multi-valued RDN" are not supposed to matter, so when comparing two multi-valued RDNs, the order of the ATAVs in the RDN do not matter. When shown as a string, the ATAVs in a multi-valued RDN are separated by '+' rather than by ',' (which separates RDNs). In the example names given above, there are no multi-valued RDNs, so this factoid about multi-valued RDNs is not relevant to them.
Landed on mozilla-central for baking, though baking is really more of a technicality for this kind of change which is purely metadata. http://hg.mozilla.org/mozilla-central/rev/ea87b5fe8a94 Asking for approval to land this on the 1.9.1 branch as soon as it opens up. Steve - based on Rob's comment 24, and my own inspection, I updated the issuer name for that cert (after verifying that correct behaviour was preserved). If there was a reason why you wanted it different (not sure why that would be, but I'm open to the possibility!) let me know, but I have assumed it was an oversight.
Status: NEW → RESOLVED
Closed: 16 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Attachment #388763 - Flags: approval1.9.1.2?
Comment on attachment 388763 [details] [diff] [review] Final debugged Patch Per comments above, requesting approval to land this on 1.9.1.2. There is negligible risk here, and the upside is that we fix validation of certificates for this CA.
Thanks Johnathan for your help. And thanks to Rob for his initial feedback. Yes this would have been an oversight.
Comment on attachment 388763 [details] [diff] [review] Final debugged Patch a1912=beltzner
Attachment #388763 - Flags: approval1.9.1.2? → approval1.9.1.2+
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/ebdd03c0c753 This has landed on the 1.9.1 stream, should be testable in tomorrow's nightly 1.9.1 builds, and should appear in Firefox 3.5.2 when it is released.
status1.9.1: --- → .2-fixed
Verified using information in comment #12 with: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729) As well as 3.5.2 on Linux and Mac. 3.5 shows the identity button blue, whereas 3.5.2 shows it green for https://addons.mozilla.org/ with the extended validation information.
Keywords: verified1.9.1
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: