Enable OCSP fetching using the GET method in Gecko

Status: NEW
Product: Core
Component: Security: PSM
Priority: P5
Severity: normal
Reported: 5 years ago
Updated: 2 years ago

People: Reporter: randix, Assigned: cviecco

Tracking: Depends on: 1 bug, Blocks: 1 bug

Firefox Tracking Flags: Not tracked

Whiteboard: [psm-blocked]

Attachments: 1 attachment

Description (Reporter, 5 years ago)
Adding tests to verify that OCSP GET works properly.
Comment 1 (Reporter, 5 years ago)
Created attachment 759755 [details] [diff] [review]
v1 TestOCSPGetPost

This is the first cut at a PSM test for OCSP GET/POST.

I am requesting a concept review. This code almost works, but is missing some final detail in the OCSPRequest handling.

TBD: the certs need to be moved from the tree to the obj-dir by the Makefile
Attachment #759755 - Flags: review?(bsmith)
Attachment #759755 - Flags: feedback?(dkeeler)
Comment 2 (Reporter, 5 years ago)
To help with pursuing this:

There are three "XXX" comments in the test. They need to be fixed. This involves using the IP port number, and getting the Certs into the right place in the <obj-dir>.

Otherwise, dkeeler can probably quickly finish the certificate handling, it "almost works".
Assignee: rdow → nobody
Comment on attachment 759755 [details] [diff] [review]
v1 TestOCSPGetPost

Review of attachment 759755 [details] [diff] [review]:
-----------------------------------------------------------------

A couple of ideas:
1. Does gen_ocsp_certs.sh do the same thing as in the stapling patch? If so, we should see if we can just factor it and the resulting certificates out so they can be shared between tests.
2. I think it would be worthwhile to see if we can combine the stapling server with the responder you've got here.
3. If you re-write this as an xpcshell test, the certificates will be put in the right place by the build/test infrastructure. One problem is that CERT_CheckOCSPStatus isn't directly exposed in an idl, but it looks like it could get called through requestUsagesArrayAsync or something similar. You would have to do some back-channel communication with the server to see what requests were being sent to it.
4. Also, since this is based on the original stapling server, I imagine the reviews of that file would be helpful here, too: bug 700693 comment 23, etc.
Attachment #759755 - Flags: feedback?(dkeeler) → feedback-
Comment on attachment 759755 [details] [diff] [review]
v1 TestOCSPGetPost

Dropping this review request for now. When somebody picks up the bug, if they want me to review this patch as-is, then please request review again.
Attachment #759755 - Flags: review?(brian)
Marking blocking some of the insanity::pkix work since now OCSP GET has landed in NSS so we will pick it up in the next NSS update, which we will take before insanity::pkix gets turned on. Also, now that the NSS patches have landed, we should be able to use our HTTP cache as the OCSP caching mechanism instead of creating a separate OCSP cache. We need to make sure that our HTTP cache is actually caching the OCSP responses in a useful way though.
Assignee: nobody → cviecco
Blocks: 921885, 915930
Depends on: 912155
Blocks: 915932
Summary: PSM testing support for OCSP GET → Enable OCSP fetching using the GET method in Gecko
See Also: → bug 928142
Depends on fixing bug 933109 because, without OCSP GET, restarting Firefox is one way of working around bug 933109. With OCSP GET, that workaround may or may not work. We need to at least know that before proceeding here.

Depends on NSS 3.15.3 (bug 898431) because that is the first NSS release that includes OCSP GET support.
Depends on: 933109
Depends on: 898431
Blocks: 803582
No longer depends on: 898431
No longer blocks: 915930, 915932
No longer blocks: 921885
Updated (Assignee, 4 years ago): Depends on: 982248
Updated (Assignee, 4 years ago): Depends on: 1005142
Updated (Assignee, 4 years ago): Depends on: 1016681
Priority: -- → P5
Whiteboard: [psm-blocked]