Strict libpkix OCSP checking needs more detailed error reporting (e.g. SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST for intermediate)

Status: NEW, Unassigned
Product/Component: NSS / Libraries
Reported: 7 years ago, Updated: 6 years ago

(Reporter: kaie, Unassigned)


Description (Reporter, 7 years ago)

Today, when using libpkix verification, combined with strict OCSP,
visit https://www.dhl.de
and you get a "revoked cert" error page.

After the usual nightmare of tracing through the libpkix code,
I identified the cause:

The OCSP server returns SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST
for the intermediate CA with subject name
"CN=DPWN Root CA R2 PS,OU=IT Services,O=Deutsche Post World Net,DC=com".


Currently the detailed error code for our revocation checking failure is lost.

For example, pkix_OcspChecker_CheckExternal will set the revocation status to "revoked", and the detailed error code is lost.


In my opinion, we might have a difficult time lobbying for strict OCSP checking as long as diagnosing OCSP failures is difficult.

We should enhance NSS to return this information.

For example, after pkix_CheckChain called PKIX_RevocationChecker_Check, detects the "revoked" status, and creates an error object, the original error code should be added.


(I realize that NSS already creates an error log entry that points to the affected intermediate cert, so the application COULD already report exactly which cert triggered the failure... I will file a separate bug to propose to do that.)

Comment 1 (7 years ago)

I think in the strict mode, we should report the original error
(such as SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST) instead of
SEC_ERROR_REVOKED_CERTIFICATE.  It is inaccurate to report a
certificate is revoked when we cannot check the revocation
status.  Reporting the original error will also fix this bug.
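As an added illustration (not NSS or libpkix code; every type, name and error-code value below is a hypothetical stand-in), a self-contained C model of the two behaviours discussed in the description and in comment 1: the current path that collapses any non-good OCSP answer for a chain cert into SEC_ERROR_REVOKED_CERTIFICATE, and a proposed path that keeps the original code and the offending cert's subject next to the status, optionally reporting the original code as the status itself.

```c
/* Added example, not NSS/libpkix code: a self-contained C model of the
 * error-reporting problem in this bug. All names and values are hypothetical. */
#include <string.h>
enum { SEC_OK = 0, SEC_ERROR_REVOKED_CERTIFICATE = 1,
       SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST = 2 };

typedef struct { const char *subject; int ocsp_result; } cert_t;

typedef struct {           /* what the verifier hands back to the application */
    int status;            /* top-level result the application sees */
    int detail;            /* original code from the revocation checker */
    const char *cert;      /* subject of the cert that triggered the failure */
} verify_result_t;

/* Behaviour the report describes: in strict mode any non-good OCSP answer
 * collapses to "revoked" and the original code is dropped. */
int check_chain_lossy(const cert_t *chain, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (chain[i].ocsp_result != SEC_OK) return SEC_ERROR_REVOKED_CERTIFICATE;
    return SEC_OK;
}

/* Proposed behaviour: keep the original code and the affected cert next to the
 * status. With report_original set (comment 1's suggestion) a checking failure
 * such as an unauthorized response is reported as itself, since it is not
 * evidence that the cert is revoked. */
verify_result_t check_chain_detailed(const cert_t *chain, size_t n,
                                     int report_original) {
    verify_result_t r = { SEC_OK, SEC_OK, NULL };
    for (size_t i = 0; i < n; i++) {
        if (chain[i].ocsp_result == SEC_OK) continue;
        r.detail = chain[i].ocsp_result;
        r.cert = chain[i].subject;
        r.status = (report_original && r.detail != SEC_ERROR_REVOKED_CERTIFICATE)
                       ? r.detail : SEC_ERROR_REVOKED_CERTIFICATE;
        break;
    }
    return r;
}

/* Constructed chain modelled on the DHL case: leaf good, intermediate gets an
 * unauthorized-request response from the OCSP responder. */
verify_result_t dhl_case(int report_original) {
    const cert_t chain[] = {
        { "CN=www.dhl.de", SEC_OK },
        { "CN=DPWN Root CA R2 PS,OU=IT Services,O=Deutsche Post World Net,DC=com",
          SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST },
    };
    return check_chain_detailed(chain, 2, report_original);
}
```

With report_original cleared the application still sees "revoked" but can now read the original code and the intermediate's subject from the result; with it set, the status itself becomes the OCSP error, which is what comment 1 asks for.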
Updated (Reporter, 6 years ago): Blocks: 725984

Updated (Reporter, 6 years ago): Blocks: 725985

Updated (Reporter, 6 years ago): Blocks: 725986