Closed Bug 871954 Opened 10 years ago Closed 5 years ago

Enable OCSP fetching using the GET method in Gecko

(Core :: Security: PSM, defect, P5)
(Reporter: rdow, Assigned: cviecco)
(Blocks 1 open bug)
(Whiteboard: [psm-blocked])
(1 file)

Adding tests to verify that OCSP GET works properly.
This is the first cut at a PSM test for OCSP GET/POST.

I am requesting a concept review. This code almost works, but is missing some final detail in the OCSPRequest handling.

TBD: the certs need to be moved from the tree to the obj-dir by the Makefile
Attachment #759755 - Flags: review?(bsmith)
Attachment #759755 - Flags: feedback?(dkeeler)
To help with pursuing this:

There are three "XXX" comments in the test. They need to be fixed. This involves using the IP port number, and getting the Certs into the right place in the <obj-dir>.

Otherwise, dkeeler can probably quickly finish the certificate handling, it "almost works".
Assignee: rdow → nobody
Comment on attachment 759755 [details] [diff] [review]
v1 TestOCSPGetPost

Review of attachment 759755 [details] [diff] [review]:

A couple of ideas:
1. Does do the same thing as in the stapling patch? If so, we should see if we can just factor it and the resulting certificates out so they can be shared between tests.
2. I think it would be worthwhile to see if we can combine the stapling server with the responder you've got here.
3. If you re-write this as an xpcshell test, the certificates will be put in the right place by the build/test infrastructure. One problem is that CERT_CheckOCSPStatus isn't directly exposed in an idl, but it looks like it could get called through requestUsagesArrayAsync or something similar. You would have to do some back-channel communication with the server to see what requests were being sent to it.
4. Also, since this is based on the original stapling server, I imagine the reviews of that file would be helpful here, too: bug 700693 comment 23, etc.
Attachment #759755 - Flags: feedback?(dkeeler) → feedback-
Comment on attachment 759755 [details] [diff] [review]
v1 TestOCSPGetPost

Dropping this review request for now. When somebody picks up the bug, if they want me to review this patch as-is, then please request review again.
Attachment #759755 - Flags: review?(brian)
Marking blocking some of the insanity::pkix work since now OCSP GET has landed in NSS so we will pick it up in the next NSS update, which we will take before insanity::pkix gets turned on. Also, now that the NSS patches have landed, we should be able to use our HTTP cache as the OCSP caching mechanism instead of creating a separate OCSP cache. We need to make sure that our HTTP cache is actually caching the OCSP responses in a useful way though.
Assignee: nobody → cviecco
Depends on: 912155
Summary: PSM testing support for OCSP GET → Enable OCSP fetching using the GET method in Gecko
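The comment above raises two things a client doing OCSP over GET has to get right: the URL form of the request, and whether the HTTP cache will actually reuse the responder's answer. The following is an added illustration, not code from Gecko, NSS or this bug's patch. It assumes the RFC 6960 Appendix A.1 URL format, the 255-byte GET/POST threshold from RFC 5019, a constructed responder host (ocsp.example.test), placeholder byte strings in place of real DER OCSPRequest structures, and a simplified reading of Cache-Control/Expires that stands in for the browser's real HTTP cache policy.

```python
"""OCSP over HTTP GET: request URL encoding and response cacheability checks."""
import base64
import urllib.parse
from email.utils import parsedate_to_datetime

# RFC 5019 section 5: use GET when the total encoded URL (scheme, host and
# base64 request) is 255 bytes or less, POST otherwise. Assumed here; NSS's
# own threshold is not taken from this page.
GET_URL_LIMIT = 255

# Constructed placeholders standing in for DER-encoded OCSPRequest structures.
# Real requests are built from the certificate and issuer; these only exercise
# the encoding and method-selection logic offline.
SHORT_REQUEST = bytes(20)
LONG_REQUEST = bytes(400)

# Constructed response headers modelled on RFC 5019 section 6.2 (Date,
# Last-Modified, Expires and Cache-Control on a definitive response).
SAMPLE_HEADERS = {
    "Date": "Tue, 04 Jun 2013 10:00:00 GMT",
    "Last-Modified": "Tue, 04 Jun 2013 09:00:00 GMT",
    "Expires": "Tue, 11 Jun 2013 09:00:00 GMT",
    "Cache-Control": "max-age=604800, public, no-transform, must-revalidate",
    "Content-Type": "application/ocsp-response",
}


def ocsp_get_url(responder_url, der_request):
    """Build the GET URL from RFC 6960 Appendix A.1:
    {url}/{url-encoding of base64 encoding of the DER OCSPRequest}.
    '+', '/' and '=' from base64 are percent-encoded so they cannot be
    mistaken for path separators or query syntax."""
    b64 = base64.b64encode(der_request).decode("ascii")
    return responder_url.rstrip("/") + "/" + urllib.parse.quote(b64, safe="")


def decode_ocsp_get_url(url):
    """Inverse of ocsp_get_url: recover the DER request from the last path
    segment. Raises ValueError on malformed base64."""
    segment = url.rsplit("/", 1)[-1]
    return base64.b64decode(urllib.parse.unquote(segment), validate=True)


def choose_method(responder_url, der_request):
    """GET for small requests (reusable by intermediaries and the local HTTP
    cache), POST when the URL would exceed the RFC 5019 limit."""
    url = ocsp_get_url(responder_url, der_request)
    return "GET" if len(url) <= GET_URL_LIMIT else "POST"


def _parse_cache_control(value):
    """Split a Cache-Control header into {directive: argument} (lower-cased)."""
    directives = {}
    for part in value.split(","):
        part = part.strip().lower()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name] = arg
    return directives


def cache_lifetime(headers):
    """Seconds an HTTP cache may serve the response for; 0 means it will not be
    reused. max-age wins over Expires, following RFC 7234 freshness rules."""
    lower = {k.lower(): v for k, v in headers.items()}
    cc = _parse_cache_control(lower.get("cache-control", ""))
    if "no-store" in cc or "no-cache" in cc:
        return 0
    if "max-age" in cc:
        try:
            return max(0, int(cc["max-age"]))
        except ValueError:
            return 0
    if "expires" in lower and "date" in lower:
        try:
            expires = parsedate_to_datetime(lower["expires"])
            date = parsedate_to_datetime(lower["date"])
        except (TypeError, ValueError):
            return 0
        return max(0, int((expires - date).total_seconds()))
    return 0


if __name__ == "__main__":
    for req in (SHORT_REQUEST, LONG_REQUEST):
        print(len(ocsp_get_url("http://ocsp.example.test/", req)),
              choose_method("http://ocsp.example.test/", req))
    print(cache_lifetime(SAMPLE_HEADERS))
```

The cacheability check is the part worth wiring into a test when relying on the browser's HTTP cache instead of a dedicated OCSP cache: a responder that omits max-age and Expires, or sends no-store, yields a lifetime of 0, which means every handshake would hit the responder again even though GET was used.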
Depends on fixing bug 933109 because, without OCSP GET, restarting Firefox is one way of working around bug 933109. With OCSP GET, that workaround may or may not work. We need to know that before proceeding here.

Depends on NSS 3.15.3 (bug 898431) because that is the first NSS release that includes OCSP GET support.
Depends on: 933109
Depends on: 982248
Depends on: 1005142
Depends on: 1016681
Priority: -- → P5
Whiteboard: [psm-blocked]
Bug 1456489 removed OCSP GET.
Closed: 5 years ago
Resolution: --- → WONTFIX