libpkix ocsp checker should use "date" argument to obtain the time for cert validity verification

RESOLVED FIXED in 3.12.4

Status

P2
major
RESOLVED FIXED
9 years ago
9 years ago

People

(Reporter: alvolkov.bgs, Assigned: alvolkov.bgs)

Tracking

3.12.1
3.12.4

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Assignee)

Description

9 years ago
Created attachment 392646 [details] [diff] [review]
Patch v1: use supplied time argument for validity check

pkix_pl_OcspResponse_GetStatusForCert verifies time at time provided by PR_Now(). pkix_OcspChecker_CheckLocal does not use supplied PKIX_PL_Date argument when it checks cached cert status.

With this bug, any revoked cert will be reported as invalid at any time in the past.
Attachment #392646 - Flags: review?(nelson)
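As an added illustration of the behaviour the report describes (example code written for this page, not NSS's pkix_pl_OcspResponse code; the struct, its field names, the epoch-second timestamps and the sample certificate are constructed assumptions), the block below evaluates a revoked OCSP entry once at the supplied validity time and once at the wall clock, which is the difference between the fixed and the reported behaviour:

```c
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Constructed model of the fields an OCSP checker reads from a SingleResponse.
 * Times are seconds since the epoch here; NSS uses PRTime (microseconds), but
 * the comparison logic is identical. */
typedef enum { CERT_GOOD, CERT_REVOKED, CERT_UNKNOWN } cert_status_t;

typedef struct {
    cert_status_t status;     /* certStatus from the SingleResponse */
    int64_t revocation_time;  /* revocationTime; meaningful only when revoked */
} ocsp_single_t;

typedef enum { VERDICT_GOOD, VERDICT_REVOKED, VERDICT_UNKNOWN } verdict_t;

/* Status of the certificate as of time `at`: a revoked entry counts as revoked
 * only for times at or after its revocationTime, so a validity check dated
 * before the revocation still sees the certificate as good. */
verdict_t status_at(const ocsp_single_t *r, int64_t at) {
    if (r->status == CERT_UNKNOWN)
        return VERDICT_UNKNOWN;
    if (r->status == CERT_REVOKED && at >= r->revocation_time)
        return VERDICT_REVOKED;
    return VERDICT_GOOD;
}

/* Behaviour described in the report: the supplied date is ignored and the
 * check is made against the current time, so any revoked certificate looks
 * revoked at every point in the past. */
verdict_t status_ignoring_date(const ocsp_single_t *r, int64_t supplied_date) {
    (void)supplied_date;
    return status_at(r, (int64_t)time(NULL));
}

/* Behaviour after the fix: evaluate at the caller's supplied date. */
verdict_t status_using_date(const ocsp_single_t *r, int64_t supplied_date) {
    return status_at(r, supplied_date);
}

/* Constructed sample: a certificate revoked at 1600000000 (2020-09-13 UTC). */
static const ocsp_single_t sample = { CERT_REVOKED, 1600000000 };

verdict_t sample_status_at(int64_t at) {
    return status_using_date(&sample, at);
}

/* Returns 1 when the two implementations disagree for a date before the
 * revocation, i.e. when the reported bug is observable. */
int sample_disagrees_for_past_date(void) {
    const int64_t past = 1500000000;  /* before revocationTime */
    return status_using_date(&sample, past) == VERDICT_GOOD &&
           status_ignoring_date(&sample, past) == VERDICT_REVOKED;
}

int main(void) {
    const int64_t past = 1500000000, later = 1700000000;
    printf("at %lld: %s\n", (long long)past,
           sample_status_at(past) == VERDICT_GOOD ? "good" : "revoked");
    printf("at %lld: %s\n", (long long)later,
           sample_status_at(later) == VERDICT_GOOD ? "good" : "revoked");
    printf("bug observable: %d\n", sample_disagrees_for_past_date());
    return 0;
}
```

The fixed path is the only one that can answer "was this certificate valid on date X"; the wall-clock path answers a different question and therefore rejects every revoked certificate regardless of the date it is asked about.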

Comment 1

9 years ago
It's interesting that the revocationTime in the OCSP response is required, but it's not required in CRL entries (it's an optional entry extension).
Of course there is no "query time" in the OCSP request; implicitly OCSP is only supposed to verify certs as of the current time.

When verifying certs in the past, if the current time is later than the cert's notAfter date, we don't know if a "good" response from the responder really means much.
Severity: normal → major
Priority: -- → P2
Target Milestone: 3.12.1 → 3.12.4
Version: 3.12.4 → 3.12.1
Attachment #392646 - Flags: review?(nelson) → review+
Comment on attachment 392646 [details] [diff] [review]
Patch v1: use supplied time argument for validity check

r+=nelson with one necessary change.

>@@ -970,10 +970,12 @@ PKIX_Error *
> pkix_pl_OcspResponse_GetStatusForCert(

>         void *plContext)
> {
>+        int64 time = 0;
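Review bot: the local introduced at the top of pkix_pl_OcspResponse_GetStatusForCert in the @@ -970 hunk is declared `int64 time = 0;`, but it is meant to hold the validity time that replaces the PR_Now() call, and PR_Now() and the supplied PKIX_PL_Date both yield a PRTime; declare it as `PRTime time = 0;` so the type matches the value stored in it and no implicit conversion is relied on.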

That must be a PRTime, not an int64.
(Assignee)

Comment 3

9 years ago
Patch v1 committed with the requested change.
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED