Closed
Bug 540049
Opened 15 years ago
Closed 5 months ago
Investigate two places where libpkix may report a certificate as revoked incorrectly
Categories
(NSS :: Libraries, defect, P5)
NSS
Libraries
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: wtc, Unassigned)
Details
Alexei: This is the remaining work of bug 515279 comment 10.

I searched for "PKIX_RevStatus_Revoked" in the NSS source tree and inspected all occurrences.

1. This one I'm not sure about. Please review it:
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/libpkix/pkix/checker/pkix_revocationchecker.c&rev=1.10&mark=449#420

2. In pkix_pl_Pk11CertStore_CheckRevByCrl, if the cert_CheckCertRevocationStatus call fails, we set pkixRevStatus to PKIX_RevStatus_Revoked:
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_pk11certstore.c&rev=1.17&mark=543,548#539

This is overly strict because cert_CheckCertRevocationStatus may fail with these error codes:
SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE
SEC_ERROR_REVOKED_CERTIFICATE

SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE should not cause us to set pkixRevStatus to PKIX_RevStatus_Revoked.

cert_CheckCertRevocationStatus could use some cleanup. It may report that the cert is revoked in two ways:
- return SECSuccess and set *revStatus to certRevocationStatusRevoked
- return SECFailure and set error code to SEC_ERROR_REVOKED_CERTIFICATE

This is confusing and probably wrong. Perhaps it should only use the first method. Please review cert_CheckCertRevocationStatus carefully.
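To make the two reporting paths concrete, here is an added C example; it is not NSS code, and the NSS types and error codes it names are mirrored as local stand-ins with made-up values. It places the strict mapping the report describes for the CRL check beside a corrected one, and adds a hypothetical normalize_check wrapper that collapses the two ways of saying "revoked" into the single return-value-plus-status form the report suggests.

```c
#include <stddef.h>

/* Local stand-ins for the NSS types and error codes named in the bug report.
 * Hypothetical mirrors with made-up values, not the real NSS headers. */
typedef enum { SECFailure = -1, SECSuccess = 0 } SECStatus;
typedef enum { certRevocationStatusRevoked, certRevocationStatusValid,
               certRevocationStatusUnknown } CERTRevocationStatus;
typedef enum { PKIX_RevStatus_NoInfo, PKIX_RevStatus_Revoked,
               PKIX_RevStatus_Success } PKIX_RevocationStatus;
enum { SEC_ERROR_REVOKED_CERTIFICATE = 1, SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE = 2 };

/* Each mapper takes what a caller of cert_CheckCertRevocationStatus sees:
 * the return value, the error code (meaningful only on SECFailure) and
 * *revStatus (meaningful only on SECSuccess). */

/* The mapping the report describes for pkix_pl_Pk11CertStore_CheckRevByCrl:
 * any failure of the check is treated as "revoked". */
PKIX_RevocationStatus map_strict(SECStatus rv, int err, CERTRevocationStatus st) {
    (void)err; /* the error code is never consulted, which is the defect */
    if (rv != SECSuccess) return PKIX_RevStatus_Revoked;
    if (st == certRevocationStatusRevoked) return PKIX_RevStatus_Revoked;
    if (st == certRevocationStatusValid) return PKIX_RevStatus_Success;
    return PKIX_RevStatus_NoInfo;
}

/* Corrected mapping: a failure means "revoked" only when the error code says so.
 * Any other failure (for example an expired issuer certificate) means the CRL
 * check produced no usable answer, so report no information, not a revocation. */
PKIX_RevocationStatus map_fixed(SECStatus rv, int err, CERTRevocationStatus st) {
    if (rv == SECSuccess) {
        if (st == certRevocationStatusRevoked) return PKIX_RevStatus_Revoked;
        if (st == certRevocationStatusValid) return PKIX_RevStatus_Success;
        return PKIX_RevStatus_NoInfo;
    }
    return err == SEC_ERROR_REVOKED_CERTIFICATE ? PKIX_RevStatus_Revoked
                                                : PKIX_RevStatus_NoInfo;
}

/* The cleanup the report suggests, applied at the call site: fold the
 * "SECFailure + SEC_ERROR_REVOKED_CERTIFICATE" path into "SECSuccess +
 * certRevocationStatusRevoked", so a caller only sees one way of reporting
 * revocation and SECFailure always means the check itself did not complete. */
SECStatus normalize_check(SECStatus rv, int err, CERTRevocationStatus *st) {
    if (rv == SECFailure && err == SEC_ERROR_REVOKED_CERTIFICATE) {
        *st = certRevocationStatusRevoked;
        return SECSuccess;
    }
    if (rv == SECFailure) *st = certRevocationStatusUnknown;
    return rv;
}
```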
Comment 1•2 years ago
The bug assignee is inactive on Bugzilla, so the assignee is being reset.
Assignee: alvolkov.bgs → nobody
Updated•2 years ago
Severity: normal → S3
Updated•5 months ago
Severity: S3 → S4
Status: NEW → RESOLVED
Closed: 5 months ago
Priority: -- → P5
Resolution: --- → WONTFIX