Closed
Bug 972753
Opened 10 years ago
Closed 10 years ago
Test decoding of OCSP response that contains multiple certificates
Categories: Core :: Security: PSM, defect, P4
Tracking: RESOLVED FIXED, mozilla31
People: Reporter: briansmith, Assigned: keeler
Attachments (1 file, 1 obsolete file): patch, 61.61 KB, cviecco: review+
No description provided.
Comment 1 • 10 years ago (Reporter)
In particular, we should make sure we're unwrapping the sequences appropriately when there are multiple certificates. Look for this code:
// Unwrap the SEQUENCE that contains the certificate, which is itself a
// SEQUENCE.
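The double unwrapping that Comment 1 asks the test to exercise, as an added C++ example that is not part of this bug or of mozilla::pkix: per RFC 6960 the certificates sit in `certs [0] EXPLICIT SEQUENCE OF Certificate`, so a reader strips two wrappers and then keeps each inner SEQUENCE whole. `ReadTLV`, `SplitOCSPCerts` and `SampleCertsField` are hypothetical names, and the sample bytes are constructed stand-ins, not real certificates.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

typedef std::vector<uint8_t> Bytes;

// Read one DER TLV at in[pos] (pos <= in.size()). On success report where its value
// lies and move pos past it. Indefinite, non-minimal and over-2-byte lengths fail.
static bool ReadTLV(const Bytes& in, size_t& pos, uint8_t tag,
                    size_t& valueStart, size_t& valueLen) {
  if (in.size() - pos < 2 || in[pos] != tag) return false;
  size_t len = in[pos + 1], p = pos + 2;
  if (len & 0x80) {
    size_t n = len & 0x7F;
    if (n == 0 || n > 2 || in.size() - p < n) return false;
    len = 0;
    for (size_t i = 0; i < n; ++i) len = (len << 8) | in[p++];
    if (len < 0x80 || (n == 2 && len < 0x100)) return false;
  }
  if (in.size() - p < len) return false;
  valueStart = p; valueLen = len; pos = p + len;
  return true;
}

// Hypothetical helper: split the certs field into whole Certificate TLVs.
bool SplitOCSPCerts(const Bytes& field, std::vector<Bytes>& certs) {
  certs.clear();
  size_t pos = 0, start = 0, len = 0;
  // First unwrap: the [0] EXPLICIT tag (0xA0), which must span the whole field.
  if (!ReadTLV(field, pos, 0xA0, start, len) || pos != field.size()) return false;
  Bytes wrapper(field.begin() + start, field.begin() + start + len);
  // Second unwrap: the SEQUENCE OF (0x30) that holds the certificates.
  pos = 0;
  if (!ReadTLV(wrapper, pos, 0x30, start, len) || pos != wrapper.size()) return false;
  Bytes list(wrapper.begin() + start, wrapper.begin() + start + len);
  // Each element is itself a SEQUENCE: keep header and value, do not unwrap again.
  for (pos = 0; pos < list.size();) {
    size_t certStart = pos;
    if (!ReadTLV(list, pos, 0x30, start, len)) { certs.clear(); return false; }
    certs.push_back(Bytes(list.begin() + certStart, list.begin() + pos));
  }
  return true;
}

// Constructed sample: two stand-in "certificates" (SEQUENCE { INTEGER }), not real X.509.
Bytes SampleCertsField() {
  return Bytes{0xA0, 0x0C, 0x30, 0x0A, 0x30, 0x03, 0x02, 0x01, 0x01,
               0x30, 0x03, 0x02, 0x01, 0x02};
}
```

A field that carries a bare certificate directly under the [0] tag, with the SEQUENCE OF layer missing, is rejected instead of being read as a list of one.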
Updated • 10 years ago (Reporter)
No longer blocks: mozilla::pkix
Updated • 10 years ago (Reporter)
Blocks: mozilla::pkix-beta
Updated • 10 years ago (Reporter)
Priority: -- → P4
Comment 3 • 10 years ago (Assignee)
This actually tests delegated responses as well as having multiple certificates in the OCSP response.
Assignee: nobody → dkeeler
Status: NEW → ASSIGNED
Attachment #8398666 - Flags: review?(cviecco)
Attachment #8398666 - Flags: feedback?(brian)
Comment 4 • 10 years ago
Comment on attachment 8398666 [details] [diff] [review] patch
Review of attachment 8398666 [details] [diff] [review]:
-----------------------------------------------------------------
just minor nits for readability
::: security/manager/ssl/tests/unit/tlsserver/generate_certs.sh
@@ +146,5 @@ > > make_EE inadequatekeyusage 'CN=Inadequate Key Usage Test End-entity' testCA "inadequatekeyusage.example.com" "--keyUsage crlSigning" > make_EE selfsigned-inadequateEKU 'CN=Self-signed Inadequate EKU Test End-entity' unused "selfsigned-inadequateEKU.example.com" "--keyUsage keyEncipherment,dataEncipherment --extKeyUsage serverAuth" "-x" > > +make_EE delegatedSigner 'CN=Test Delegated Responder' testCA "invalid.invalid.invalid" "--extKeyUsage ocspResponder"
no-subjectaltname.invalid (? readability)
::: security/pkix/test/lib/pkixtestutil.h
@@ +35,5 @@ > pkix::ScopedCERTCertificate issuerCert; // The issuer of the subject > pkix::ScopedCERTCertificate signerCert; // This cert signs the response > uint8_t responseStatus; // See the OCSPResponseStatus enum in rfc 6960 > bool skipResponseBytes; // If true, don't include responseBytes > + pkix::ScopedCERTCertificate includedCertificates[4];
make the 4 a const int or #define
Attachment #8398666 - Flags: review?(cviecco) → review+
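Review bot: the added make_EE delegatedSigner line in generate_certs.sh has no comment saying what the certificate is for, and its host name argument "invalid.invalid.invalid" departs from the "<nickname>.example.com" pattern used by the two context lines above it. A one-line comment stating that this end-entity carries "--extKeyUsage ocspResponder" and is there to sign OCSP responses would explain why a placeholder name is passed.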
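Review bot: in pkixtestutil.h the new member includedCertificates[4] is the only field among the visible lines without a trailing comment. It should document that these are the certificates to embed in the generated response and how an unused slot is represented, since no count field is visible alongside the fixed-size array.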
Comment 5 • 10 years ago (Assignee)
Attachment #8398666 - Attachment is obsolete: true
Attachment #8398666 - Flags: feedback?(brian)
Attachment #8407082 - Flags: review?(cviecco)
Updated • 10 years ago
Attachment #8407082 - Flags: review?(cviecco) → review+
Comment 6 • 10 years ago (Assignee)
Thanks, Camilo. https://tbpl.mozilla.org/?tree=Try&rev=6337d1fde760
Comment 7 • 10 years ago (Assignee)
https://hg.mozilla.org/integration/mozilla-inbound/rev/b394e883b806
Comment 8 • 10 years ago
https://hg.mozilla.org/mozilla-central/rev/b394e883b806
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla31