From bug 495934 comment 8:

> OCSPEE21 -> OCSPCA2 -> OCSPRoot (OCSPCA2 is revoked)
>
> $ vfychain -d OCSPRootDB -pp -vv -g leaf -h requireFreshInfo -m ocsp
> /Users/sven/nss/securitytip/mozilla/security/nss/tests/libpkix/certs/OCSPEE21.cert
> /Users/sven/nss/securitytip/mozilla/security/nss/tests/libpkix/certs/OCSPCA2.cert
> -t OCSPRoot
> Chain is bad, -8180 = Peer's Certificate has been revoked.
> PROBLEM WITH THE CERT CHAIN:
> CERT 2. OCSPRoot [Certificate Authority]:
> ERROR -8180: Peer's Certificate has been revoked.

This test should pass if the EE cert has an AIA extension and was able to get the information. The same test passes when the requireFreshInfo flag is removed. Both the EE cert and CA2 have an AIA extension and are able to get the information.
Created attachment 384598: Scenario to reproduce problem.

To reproduce, copy the scenario file to the security/nss/tests/chains/scenarios directory and also edit the scenarios file there. You also need to have set the variable: NSS_AIA_OCSP=http://dochinups.red.iplanet.com
Slavo, libpkix fails the case above for the reason that it cannot verify the signature on the OCSP response, and not because of an attempt to validate the OCSPCA2 cert. Can you explain which cert signs the response and how it fits into the test case?
OCSPEE21 is signed by OCSPCA2 and contains a link to an OCSP server for OCSPCA2 (messages are signed by OCSPCA2). OCSPCA2 is signed by OCSPRoot and contains a link to an OCSP server for OCSPRoot (messages are signed by OCSPRoot). OCSPRoot is self-signed and in this test it is the trust anchor. OCSPCA2 is revoked by OCSPRoot; however, we are testing a leaf and not a chain (-g parameter), so I expect that OCSPCA2 shouldn't be validated as revoked.
Since CA2 is revoked, the received response will be invalid => which means that no information will be available => which means that when requireFreshInfo is used the test will fail.
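The reasoning in the two comments above, as an added model that is not NSS or libpkix code: a leaf-only check (-g leaf) still has to trust the OCSP response for the leaf, and trusting that response means validating the responder's certificate, including its own revocation status. The certificate and responder names follow the scenario in the bug; the keys, the "ocsp-root"/"ocsp-ca2" responder handles and the HMAC standing in for a real signature are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass
class Cert:
    name: str
    issuer: str                 # name of the certificate that signed this one
    key: bytes                  # stand-in for the private key (constructed)
    aia_ocsp: Optional[str]     # responder named in the AIA extension, if any


@dataclass
class OCSPResponse:
    subject: str
    status: str                 # "good" or "revoked"
    signer: str                 # name of the cert whose key signed the response
    mac: bytes                  # HMAC standing in for the response signature


def _payload(subject: str, status: str, signer: str) -> bytes:
    return f"{subject}:{status}:{signer}".encode()


class Responder:
    """Stand-in OCSP responder: asserts a status and signs it with the signer's key."""

    def __init__(self, signer: Cert, revoked: Set[str]):
        self.signer = signer
        self.revoked = revoked

    def respond(self, subject: str) -> OCSPResponse:
        status = "revoked" if subject in self.revoked else "good"
        mac = hmac.new(self.signer.key, _payload(subject, status, self.signer.name),
                       hashlib.sha256).digest()
        return OCSPResponse(subject, status, self.signer.name, mac)


class NoFreshInfo(Exception):
    """No usable (signed by a valid responder) revocation information was obtained."""


class Revoked(Exception):
    """A certificate under test is revoked."""


def signature_ok(resp: OCSPResponse, certs: Dict[str, Cert]) -> bool:
    signer = certs[resp.signer]
    expected = hmac.new(signer.key, _payload(resp.subject, resp.status, signer.name),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, resp.mac)


def fresh_status(cert, certs, responders, anchor, require_fresh) -> str:
    """Return the OCSP status of `cert`, or raise NoFreshInfo if the response is unusable."""
    if cert.aia_ocsp is None:
        raise NoFreshInfo(f"{cert.name} has no AIA OCSP URL")
    resp = responders[cert.aia_ocsp].respond(cert.name)
    if not signature_ok(resp, certs):
        raise NoFreshInfo(f"bad signature on response for {cert.name}")
    signer = certs[resp.signer]
    # The responder's certificate is validated as a chain of its own, including its
    # revocation status. -g leaf limits what is checked on the target path, not what
    # is needed to trust the response.
    if signer.name != anchor:
        try:
            validate(signer, certs, responders, anchor, leaf_only=False,
                     require_fresh=require_fresh)
        except (Revoked, NoFreshInfo) as exc:
            raise NoFreshInfo(f"responder {signer.name} for {cert.name} is not valid: {exc}")
    return resp.status


def validate(cert, certs, responders, anchor, leaf_only, require_fresh) -> str:
    chain = [cert]
    while chain[-1].name != anchor:
        chain.append(certs[chain[-1].issuer])
    targets = [cert] if leaf_only else chain[:-1]   # the anchor itself is not checked
    for c in targets:
        try:
            status = fresh_status(c, certs, responders, anchor, require_fresh)
        except NoFreshInfo:
            if require_fresh:
                raise
            continue            # without requireFreshInfo, missing info is tolerated
        if status == "revoked":
            raise Revoked(c.name)
    return "good"


# Constructed data mirroring the bug's scenario: EE21 -> CA2 -> Root, CA2 revoked by Root.
ROOT = Cert("OCSPRoot", "OCSPRoot", b"root-key", None)
CA2 = Cert("OCSPCA2", "OCSPRoot", b"ca2-key", "ocsp-root")
EE = Cert("OCSPEE21", "OCSPCA2", b"ee-key", "ocsp-ca2")
CERTS = {c.name: c for c in (ROOT, CA2, EE)}
RESPONDERS = {
    "ocsp-root": Responder(ROOT, revoked={"OCSPCA2"}),
    "ocsp-ca2": Responder(CA2, revoked=set()),
}


def vfychain(leaf_only: bool = True, require_fresh: bool = True) -> Tuple[bool, str]:
    """Model of `vfychain -g leaf -h requireFreshInfo -m ocsp` run against OCSPEE21."""
    try:
        return True, validate(EE, CERTS, RESPONDERS, "OCSPRoot", leaf_only, require_fresh)
    except NoFreshInfo as exc:
        return False, f"no fresh info: {exc}"
    except Revoked as exc:
        return False, f"{exc} revoked"


if __name__ == "__main__":
    for flags in ((True, True), (True, False), (False, False)):
        print(flags, vfychain(*flags))
```

With leaf-only checking and requireFreshInfo, the leaf's own response is never usable because its signer (OCSPCA2) fails validation, so the result is "no fresh info" rather than "OCSPCA2 revoked"; dropping requireFreshInfo makes the same run succeed, which is the behaviour the reporter observed.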
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → INVALID