OCSP test with revoked CA and valid EE failed with -g leaf and requireFreshInfo flag.

Status: RESOLVED INVALID
Product: NSS
Component: Libraries
Reporter: Slavomir Katuscak
Assigned: Alexei Volkov
Tracking: 3.12.3, 3.12.4
Firefox Tracking Flags: (Not tracked)
Attachments: 1 attachment

Description (Reporter, 9 years ago)
From bug 495934 comment 8:

> OCSPEE21 -> OCSPCA2 -> OCSPRoot (OCSPCA2 is revoked)
> 
> $ vfychain -d OCSPRootDB -pp -vv  -g leaf -h requireFreshInfo -m ocsp   
> /Users/sven/nss/securitytip/mozilla/security/nss/tests/libpkix/certs/OCSPEE21.cert
> /Users/sven/nss/securitytip/mozilla/security/nss/tests/libpkix/certs/OCSPCA2.cert
>  -t OCSPRoot
> Chain is bad, -8180 = Peer's Certificate has been revoked.
> PROBLEM WITH THE CERT CHAIN:
> CERT 2. OCSPRoot [Certificate Authority]:
>   ERROR -8180: Peer's Certificate has been revoked.
This test should pass if the EE cert has an AIA extension and was able to get the information.

The same test passes when the requireFreshInfo flag is removed. Both the EE cert and CA2 have an AIA extension and are able to get the information.

Comment 1 (Reporter, 9 years ago)
Created attachment 384598
Scenario to reproduce problem.

To reproduce, copy the scenario file to the security/nss/tests/chains/scenarios directory and also edit the scenarios file there.

You also need to have set the variable:
NSS_AIA_OCSP=http://dochinups.red.iplanet.com
Updated (Assignee, 9 years ago)
Attachment #384598 - Attachment is patch: true
Attachment #384598 - Attachment mime type: application/octet-stream → text/plain
Comment 2 (Assignee, 9 years ago)

Slavo, libpkix fails the case above for the reason that it cannot verify the signature on the OCSP response, and not because of an attempt to validate the OCSPCA2 cert.
Can you explain which cert signs the response and how it fits into the test case?
Comment 3 (Reporter, 9 years ago)

OCSPEE21 is signed by OCSPCA2 and contains a link to an OCSP server with OCSPCA2 (messages are signed by OCSPCA2).
OCSPCA2 is signed by OCSPRoot and contains a link to an OCSP server with OCSPRoot (messages are signed by OCSPRoot).
OCSPRoot is self-signed and in this test it is the trust anchor.

OCSPCA2 is revoked by OCSPRoot; however, we are testing for a leaf and not for a chain (-g parameter), so I expect that OCSPCA2 shouldn't be validated as revoked.
Comment 4 (Assignee, 9 years ago)

Since CA2 is revoked, the received response will be invalid, which means that no information will be available, which means that when requireFreshInfo is used the test will fail.
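An added model of the reasoning in comments 2 to 4 (example code written for this page, not NSS or libpkix code): an OCSP response is only usable if the responder's own cert verifies, so a revoked OCSPCA2 leaves OCSPEE21 with no fresh information, which requireFreshInfo turns into a failure while a chain-scope check fails on the revocation itself. Cert names and the -8180 error come from the bug; the chain, revocation data, message strings and the Status/Cert types are constructed for the model.

```python
from dataclasses import dataclass
from enum import Enum

class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"   # no trustworthy fresh information could be obtained

@dataclass(frozen=True)
class Cert:
    name: str
    issuer: str   # signs this cert and, per the bug's setup, its OCSP responses

# Constructed model of the bug's chain: OCSPEE21 -> OCSPCA2 -> OCSPRoot (trust anchor).
CHAIN = [Cert("OCSPEE21", "OCSPCA2"), Cert("OCSPCA2", "OCSPRoot"), Cert("OCSPRoot", "OCSPRoot")]
TRUST_ANCHOR = "OCSPRoot"
# What each responder would report as revoked (constructed: only OCSPCA2, by OCSPRoot).
REVOKED_BY = {"OCSPRoot": {"OCSPCA2"}, "OCSPCA2": set()}

def responder_trusted(name, by_name):
    """A response is only usable if the responder's own cert verifies: the trust
    anchor is trusted outright; any other responder must itself check as GOOD."""
    if name == TRUST_ANCHOR:
        return True
    return ocsp_status(by_name[name], by_name) is Status.GOOD

def ocsp_status(cert, by_name):
    """Revocation status libpkix can derive for `cert` from its issuer's responder."""
    if not responder_trusted(cert.issuer, by_name):
        return Status.UNKNOWN   # response signature cannot be verified (comment 2)
    return Status.REVOKED if cert.name in REVOKED_BY[cert.issuer] else Status.GOOD

def vfychain(chain, leaf_only, require_fresh_info):
    """Approximates vfychain -m ocsp with -g leaf/chain and -h requireFreshInfo.
    Returns (ok, message); -8180 is the revoked-certificate error seen in the bug."""
    by_name = {c.name: c for c in chain}
    to_check = chain[:1] if leaf_only else [c for c in chain if c.name != TRUST_ANCHOR]
    for cert in to_check:
        status = ocsp_status(cert, by_name)
        if status is Status.REVOKED:
            return False, f"{cert.name}: -8180 Peer's Certificate has been revoked"
        if status is Status.UNKNOWN and require_fresh_info:
            return False, f"{cert.name}: no fresh revocation information"
    return True, "Chain is good"

if __name__ == "__main__":
    for leaf_only, fresh in [(True, True), (True, False), (False, False)]:
        print(f"-g {'leaf' if leaf_only else 'chain'} requireFreshInfo={fresh}:",
              vfychain(CHAIN, leaf_only, fresh))
```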
Updated (Assignee, 9 years ago)
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → INVALID