Closed Bug 540049 Opened 15 years ago Closed 5 months ago

Investigate two places where libpkix may report a certificate as revoked incorrectly

Categories

(NSS :: Libraries, defect, P5)

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: wtc, Unassigned)

Details

Alexei:

This is the remaining work of bug 515279 comment 10.

I searched for "PKIX_RevStatus_Revoked" in the NSS source tree and
inspected all occurrences.

1. This one I'm not sure about.  Please review it:
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/libpkix/pkix/checker/pkix_revocationchecker.c&rev=1.10&mark=449#420 

2. In pkix_pl_Pk11CertStore_CheckRevByCrl, if the
cert_CheckCertRevocationStatus call fails, we set
pkixRevStatus to PKIX_RevStatus_Revoked:
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_pk11certstore.c&rev=1.17&mark=543,548#539

This is overly strict because cert_CheckCertRevocationStatus
may fail with these error codes:
SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE
SEC_ERROR_REVOKED_CERTIFICATE

SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE should not cause us
to set pkixRevStatus to PKIX_RevStatus_Revoked.

cert_CheckCertRevocationStatus could use some cleanup. It
may report that the cert is revoked in two ways:
- return SECSuccess and set *revStatus to
  certRevocationStatusRevoked
- return SECFailure and set error code to
  SEC_ERROR_REVOKED_CERTIFICATE
This is confusing and probably wrong.  Perhaps it should
only use the first method.  Please review
cert_CheckCertRevocationStatus carefully.
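
The over-strict mapping described in item 2, next to one that inspects the error code, as an added example that is not NSS code. The enums, struct and function names are local stand-ins for the NSS names in the report, and mapping the expired-issuer failure to "no information" is an assumption (the report only says it should not become "revoked").

```c
#include <stdio.h>

/* Local stand-ins for the NSS names in the report; values are constructed. */
typedef enum { ST_SUCCESS, ST_FAILURE } Status;          /* SECSuccess / SECFailure */
typedef enum { ERR_NONE, ERR_REVOKED_CERT, ERR_EXPIRED_ISSUER } ErrCode;
typedef enum { CRL_VALID, CRL_REVOKED, CRL_UNKNOWN } CrlStatus;   /* *revStatus */
typedef enum { REV_SUCCESS, REV_REVOKED, REV_NOINFO } RevStatus;  /* pkixRevStatus */

/* Models what the CRL check hands back: return value, error code, *revStatus. */
typedef struct { Status rv; ErrCode err; CrlStatus crl; } CrlResult;

static RevStatus from_crl(CrlStatus s) {
    switch (s) {
    case CRL_VALID:   return REV_SUCCESS;
    case CRL_REVOKED: return REV_REVOKED;
    default:          return REV_NOINFO;
    }
}

/* Behaviour the report describes: every failure is reported as revoked. */
RevStatus map_strict(CrlResult r) {
    return r.rv == ST_FAILURE ? REV_REVOKED : from_crl(r.crl);
}

/* Only an explicit revocation signal, by either reporting path, yields
 * REV_REVOKED. Other failures become REV_NOINFO (assumption), leaving the
 * decision to the caller's policy for missing revocation data. */
RevStatus map_by_error(CrlResult r) {
    if (r.rv == ST_FAILURE)
        return r.err == ERR_REVOKED_CERT ? REV_REVOKED : REV_NOINFO;
    return from_crl(r.crl);
}

int main(void) {
    static const char *name[] = { "success", "revoked", "no-info" };
    /* Constructed cases: the two failure codes and both "revoked" paths. */
    CrlResult cases[] = {
        { ST_FAILURE, ERR_EXPIRED_ISSUER, CRL_UNKNOWN },
        { ST_FAILURE, ERR_REVOKED_CERT,   CRL_UNKNOWN },
        { ST_SUCCESS, ERR_NONE,           CRL_REVOKED },
        { ST_SUCCESS, ERR_NONE,           CRL_VALID   },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("case %zu: strict=%s by_error=%s\n", i,
               name[map_strict(cases[i])], name[map_by_error(cases[i])]);
    return 0;
}
```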

The bug assignee is inactive on Bugzilla, so the assignee is being reset.

Assignee: alvolkov.bgs → nobody
Severity: normal → S3
Severity: S3 → S4
Status: NEW → RESOLVED
Closed: 5 months ago
Priority: -- → P5
Resolution: --- → WONTFIX