Bug 94413 (Closed) - OCSP needs more fine-tuned error messages.
Opened 23 years ago; closed 21 years ago
Categories: NSS :: Libraries, enhancement, P2
Tracking: Not tracked
Status: RESOLVED FIXED
Target Milestone: 3.9
People: Reporter: javi; Assigned: julien.pierre
Attachments (1 file): 1.40 KB, patch; wtc: review+; nelson: superreview+

Description
When NSS performs OCSP as part of verification, it doesn't set an error if in the process the cert that signed the request doesn't verify. For example, recently our OCSP service provider's certificate expired. When I call CERT_VerifyCertNow on a certificate, the error I get when calling PR_GetError is that for an expired certificate. As a caller I assume that means the cert I passed in has expired, but that error actually means the certificate belonging to the signer of the OCSP response has expired. This makes giving adequate UI in PSM in error cases with OCSP tricky because we don't know if it's the cert in question's error or the signer cert that fails.
Updated • 23 years ago
Priority: -- → P1
Target Milestone: --- → 3.4
Comment 2 • 23 years ago (Assignee)
I haven't been successful at doing any OCSP test yet - I always get errors, so I'm unsure how to reproduce this problem right now. As far as the fix, do you think I should add new error codes for this case (and possibly other odd OCSP failures) ?
Comment 3 • 23 years ago (Assignee)
Lowering priority to P2 with Wan-teh's agreement.
Updated • 23 years ago (Assignee)
Priority: P1 → P2
Comment 4 • 22 years ago
Changed the QA contact to Bishakha.
QA Contact: sonja.mirtitsch → bishakhabanerjee
Updated • 22 years ago
Target Milestone: 3.6 → 3.7
Comment 7 • 22 years ago
Moved to target milestone 3.8 because the original NSS 3.7 release has been renamed 3.8.
Target Milestone: 3.7 → 3.8
Comment 8 • 22 years ago (Assignee)
Javi, don't CERT_VerifyCert / CERT_VerifyCertNow (and the newer functions, CERT_VerifyCertificate / CERT_VerifyCertificateNow) provide you a log? Is this log inadequate? It seems this might be the answer to this complex issue, rather than a simple PRError code.
Comment 9 • 22 years ago (Reporter)
Even if that were possible (I'm not sure), if I do OCSP and PR_GetError returns SEC_ERROR_UNTRUSTED_CERT when in fact OCSP validation on the issuer failed, that's flat out wrong. The error code that gets set should be SEC_ERROR_UNTRUSTED_ISSUER.
Comment 10 • 21 years ago
Remove target milestone of 3.8, since these bugs didn't get into that release.
Target Milestone: 3.8 → ---
Comment 11 • 21 years ago (Assignee)
Actually this is an OCSP enhancement and belongs in 3.9.
Severity: normal → enhancement
Target Milestone: --- → 3.9
Comment 12 • 21 years ago (Assignee)
Javier, regarding comment #9: the error code that you want here, SEC_ERROR_UNTRUSTED_ISSUER, is normally used to signify that a certificate's issuer is invalid. It is not used to signify that an OCSP response's signer certificate is invalid. Therefore it would be improper to use it for this case. I think the best we can do for these cases where the responder's certificate fails to verify is to set a new generic error code, such as "SEC_ERROR_INVALID_OCSP_SIGNING_CERT". I don't think it's possible to surface any more level of detail to the caller without using a different mechanism than a single error code, i.e. error stacks.
Comment 13 • 21 years ago (Assignee)

Updated • 21 years ago (Assignee)
Attachment #132379 - Flags: superreview?(MisterSSL)
Attachment #132379 - Flags: review?(wchang0222)
Comment 14 • 21 years ago
Comment on attachment 132379 [details] [diff] [review]: set new SEC_ERROR_OCSP_INVALID_SIGNING_CERT error if needed

r=wtc. There is more work to do before we mark this bug fixed.
1. You need to add the new error code to some files in mozilla/security/nss/cmd/lib so that our command-line tools know about it.
2. You need to add the new error code to the SSL Reference (http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html).

Attachment #132379 - Flags: review?(wchang0222) → review+
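Added illustration, not NSS code: a small C model of the layering described in the report and in comment 12, with constructed error codes and certificate records standing in for NSS's, showing how the responder cert's own error leaks to the caller before the fix and how a dedicated code (the shape of SEC_ERROR_OCSP_INVALID_SIGNING_CERT) makes the two failures distinguishable.

```c
/* Constructed stand-ins for NSS error codes (the real ones are in
 * util/secerr.h) and for the per-thread error slot read with PR_GetError(). */
enum { SEC_OK = 0, ERR_UNTRUSTED_CERT = 1, ERR_EXPIRED_CERTIFICATE = 2,
       ERR_OCSP_INVALID_SIGNING_CERT = 3 };
static int g_last_error = SEC_OK;
static void set_error(int e) { g_last_error = e; }
int get_error(void) { return g_last_error; }

/* Minimal certificate model: only the fields the checks below look at. */
typedef struct { long not_after; int trusted; } cert_t;

/* Generic per-certificate checks; sets the error slot and returns -1 on failure. */
static int verify_cert(const cert_t *c, long now) {
    if (!c->trusted)        { set_error(ERR_UNTRUSTED_CERT);      return -1; }
    if (now > c->not_after) { set_error(ERR_EXPIRED_CERTIFICATE); return -1; }
    return 0;
}

/* Pre-fix shape from the report: the responder's signing cert goes through the
 * same routine and its error leaks upward, so an expired responder cert is
 * indistinguishable from an expired target cert. */
static int ocsp_check_leaky(const cert_t *responder, long now) {
    return verify_cert(responder, now);
}

/* Post-fix shape: a responder-cert failure is re-reported under a dedicated
 * code, so the caller can tell the two cases apart. */
static int ocsp_check_fixed(const cert_t *responder, long now) {
    if (verify_cert(responder, now) != 0) {
        set_error(ERR_OCSP_INVALID_SIGNING_CERT);
        return -1;
    }
    return 0;
}

/* Target check followed by the OCSP check; `fixed` selects the OCSP variant. */
int verify_with_ocsp(const cert_t *target, const cert_t *responder, long now, int fixed) {
    set_error(SEC_OK);
    if (verify_cert(target, now) != 0) return -1;
    return fixed ? ocsp_check_fixed(responder, now)
                 : ocsp_check_leaky(responder, now);
}

/* Replays the report with constructed data (valid target, responder cert that
 * expired at time 500, "now" = 1000) and returns the error the caller sees. */
int scenario_responder_expired(int fixed) {
    cert_t target = { 2000, 1 }, responder = { 500, 1 };
    verify_with_ocsp(&target, &responder, 1000, fixed);
    return get_error();
}
```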
Comment 15 • 21 years ago

Comment on attachment 132379 [details] [diff] [review]: set new SEC_ERROR_OCSP_INVALID_SIGNING_CERT error if needed

sr=MisterSSL, subject to comment 14 above.

Attachment #132379 - Flags: superreview?(MisterSSL) → superreview+
Comment 16 • 21 years ago (Assignee)

Checking in certhigh/ocsp.c;
/cvsroot/mozilla/security/nss/lib/certhigh/ocsp.c,v <-- ocsp.c
new revision: 1.16; previous revision: 1.15
done
Checking in util/secerr.h;
/cvsroot/mozilla/security/nss/lib/util/secerr.h,v <-- secerr.h
new revision: 1.12; previous revision: 1.11
done
Checking in SECerrs.h;
/cvsroot/mozilla/security/nss/cmd/lib/SECerrs.h,v <-- SECerrs.h
new revision: 1.7; previous revision: 1.6
done

Wan-Teh, how do I add the code to the SSL reference? I don't have a mozilla.org account to publish files.
Comment 17 • 21 years ago

Updated the SSL Reference.

Checking in sslerr.html;
/cvsroot/mozilla-org/html/projects/security/pki/nss/ref/ssl/sslerr.html,v <-- sslerr.html
new revision: 1.10; previous revision: 1.9
done
Comment 18 • 21 years ago (Assignee)

Thanks, Wan-Teh! Marking fixed.
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED