Closed
Bug 508467
Opened 14 years ago
Closed 14 years ago
libpkix ocsp checker should use "date" argument to obtain the time for cert validity verification
Categories
(NSS :: Libraries, defect, P2)
Tracking
(Not tracked)
RESOLVED
FIXED
3.12.4
People
(Reporter: alvolkov.bgs, Assigned: alvolkov.bgs)
Details
Attachments
(1 file)
3.63 KB, patch, nelson: review+
pkix_pl_OcspResponse_GetStatusForCert verifies time at time provided by PR_Now(). pkix_OcspChecker_CheckLocal does not use supplied PKIX_PL_Date argument when it checks cached cert status. With this bug, any revoked cert will be reported as invalid at any time in the past.
Attachment #392646 -
Flags: review?(nelson)
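A constructed C model of the defect described above, added here and not code from NSS or from the patch: the status decision for one OCSP single response is made as of an instant `t`, and the buggy checker passes the clock (`PR_Now()`) where the fixed one passes the caller's PKIX_PL_Date. The types, the `USEC_PER_SEC` unit and the sample response are assumptions of this example.

```c
#include <stdint.h>

/* Constructed model of the OCSP status decision; not libpkix's own code.
 * Times are microseconds since the epoch, the unit PRTime uses. */
typedef int64_t PRTimeLike;
#define USEC_PER_SEC 1000000LL

typedef enum { OCSP_GOOD, OCSP_REVOKED } OcspCertStatus;

typedef struct {                  /* one OCSP SingleResponse, simplified */
    OcspCertStatus status;
    PRTimeLike revocationTime;    /* meaningful only when status == OCSP_REVOKED */
    PRTimeLike thisUpdate;
    PRTimeLike nextUpdate;        /* 0 when the responder set no nextUpdate */
} SingleResponse;

typedef enum { CERT_GOOD, CERT_REVOKED, CERT_UNKNOWN } CheckResult;

/* Status of the cert as of instant t, according to the response. */
static CheckResult status_as_of(const SingleResponse *r, PRTimeLike t)
{
    if (r->nextUpdate != 0 && t > r->nextUpdate)
        return CERT_UNKNOWN;      /* response no longer speaks for t */
    if (r->status == OCSP_REVOKED && t >= r->revocationTime)
        return CERT_REVOKED;
    return CERT_GOOD;             /* good, or revoked only after t */
}

/* Before the fix: the PKIX_PL_Date argument is ignored and PR_Now() wins. */
CheckResult check_status_buggy(const SingleResponse *r, PRTimeLike verifyTime, PRTimeLike now)
{
    (void)verifyTime;
    return status_as_of(r, now);
}

/* After the fix: the caller's date decides which instant is checked. */
CheckResult check_status_fixed(const SingleResponse *r, PRTimeLike verifyTime, PRTimeLike now)
{
    (void)now;
    return status_as_of(r, verifyTime);
}

/* Constructed sample: cert revoked at t=2000s; the response covers up to t=9000s. */
const SingleResponse SAMPLE_REVOKED = { OCSP_REVOKED, 2000 * USEC_PER_SEC,
                                        2500 * USEC_PER_SEC, 9000 * USEC_PER_SEC };
```

Verifying the sample as of t=1500s with the clock at t=3000s, the buggy checker reports the cert revoked while the fixed one reports it good, which is the symptom the report describes.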
Comment 1•14 years ago
It's interesting that the revocationTime in the OCSP response is required, but it's not required in CRL entries (it's an optional entry extension). Of course there is no "query time" in the OCSP request, implicitly OCSP is only supposed to verify certs as of the current time. When verifying certs in the past, if the current time is later than the cert's notAfter date, we don't know if a "good" response from the responder really means much.
Updated•14 years ago
Severity: normal → major
Priority: -- → P2
Target Milestone: 3.12.1 → 3.12.4
Version: 3.12.4 → 3.12.1
Updated•14 years ago
Attachment #392646 -
Flags: review?(nelson) → review+
Comment 2•14 years ago
Comment on attachment 392646 [details] [diff] [review] Patch v1: use supplied time argument for validity check r+=nelson with one necessary change. >@@ -970,10 +970,12 @@ PKIX_Error * > pkix_pl_OcspResponse_GetStatusForCert( > void *plContext) > { >+ int64 time = 0; That must be a PRTime, not an int64.
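Review bot: the new local at the top of pkix_pl_OcspResponse_GetStatusForCert is declared as `int64 time = 0;`, but it holds the instant taken from the supplied PKIX_PL_Date argument and is compared against PRTime values, so it should be `PRTime time = 0;`, the change the r+ is conditional on.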
Comment 3 (Assignee)•14 years ago
Patch v1 committed with the requested change.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED