Closed Bug 972753 Opened 6 years ago Closed 6 years ago

Test decoding of OCSP response that contains multiple certificates

Categories

(Core :: Security: PSM, defect, P4)

RESOLVED FIXED
mozilla31

People

(Reporter: briansmith, Assigned: keeler)

Attachments

(1 file, 1 obsolete file)

No description provided.
In particular, we should make sure we're unwrapping the sequences appropriately when there are multiple certificates. Look for this code:

      // Unwrap the SEQUENCE that contains the certificate, which is itself a
      // SEQUENCE.
Priority: -- → P4
Duplicate of this bug: 980538
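
The unwrapping that the first comment refers to, as an added example (not code from the patch or from mozilla::pkix): RFC 6960 defines the BasicOCSPResponse field as `certs [0] EXPLICIT SEQUENCE OF Certificate`, so a decoder peels the `[0]` tag, then the SEQUENCE OF, then reads one SEQUENCE per certificate until the SEQUENCE OF is exhausted. `Reader`, `splitCerts` and `sampleCertsField` are hypothetical names, and the sample bytes are constructed stand-ins for real certificates.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Minimal DER reader over a byte range; pos is the current read offset.
struct Reader {
  const uint8_t* p; size_t len; size_t pos;
  bool atEnd() const { return pos == len; }
  // Reads one TLV with the expected tag; value receives its contents.
  bool read(uint8_t tag, Reader& value) {
    if (len - pos < 2 || p[pos] != tag) return false;
    size_t i = pos + 1, n = p[i++];
    if (n & 0x80) {  // long-form length; 1 or 2 length bytes accepted here
      size_t bytes = n & 0x7f;
      if (bytes == 0 || bytes > 2 || len - i < bytes) return false;
      n = 0;
      for (size_t k = 0; k < bytes; ++k) n = (n << 8) | p[i++];
      if (n < (bytes == 1 ? 0x80u : 0x100u)) return false;  // not minimal DER
    }
    if (len - i < n) return false;  // value would run past the buffer
    value = Reader{p + i, n, 0};
    pos = i + n;
    return true;
  }
};

// Splits the certs field into the content length of each Certificate.
bool splitCerts(const std::vector<uint8_t>& field, std::vector<size_t>& out) {
  Reader outer{field.data(), field.size(), 0}, tagged{}, seqOf{}, cert{};
  out.clear();
  if (!outer.read(0xA0, tagged) || !outer.atEnd()) return false;   // [0] EXPLICIT
  if (!tagged.read(0x30, seqOf) || !tagged.atEnd()) return false;  // SEQUENCE OF
  while (!seqOf.atEnd()) {
    if (!seqOf.read(0x30, cert)) return false;  // each Certificate is a SEQUENCE
    out.push_back(cert.len);
  }
  return true;
}

// Constructed sample: [0] { SEQUENCE OF { SEQ{INT 1}, SEQ{INT 2, INT 3} } }.
std::vector<uint8_t> sampleCertsField() {
  return {0xA0, 0x0F, 0x30, 0x0D, 0x30, 0x03, 0x02, 0x01, 0x01,
          0x30, 0x06, 0x02, 0x01, 0x02, 0x02, 0x01, 0x03};
}

int main() {
  std::vector<size_t> lens;
  return splitCerts(sampleCertsField(), lens) && lens.size() == 2 ? 0 : 1;
}
```

A field that places a certificate directly under `[0]`, with the SEQUENCE OF layer missing, is rejected because the first element inside the inner SEQUENCE is then not itself a SEQUENCE.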
Attached patch patch (obsolete) — Splinter Review
This actually tests delegated responses as well as having multiple certificates in the OCSP response.
Assignee: nobody → dkeeler
Status: NEW → ASSIGNED
Attachment #8398666 - Flags: review?(cviecco)
Attachment #8398666 - Flags: feedback?(brian)
Comment on attachment 8398666
patch

Review of attachment 8398666:
-----------------------------------------------------------------

just minor nits for readability

::: security/manager/ssl/tests/unit/tlsserver/generate_certs.sh
@@ +146,5 @@
>  
>  make_EE inadequatekeyusage 'CN=Inadequate Key Usage Test End-entity' testCA "inadequatekeyusage.example.com" "--keyUsage crlSigning"
>  make_EE selfsigned-inadequateEKU 'CN=Self-signed Inadequate EKU Test End-entity' unused "selfsigned-inadequateEKU.example.com" "--keyUsage keyEncipherment,dataEncipherment --extKeyUsage serverAuth" "-x"
>  
> +make_EE delegatedSigner 'CN=Test Delegated Responder' testCA "invalid.invalid.invalid" "--extKeyUsage ocspResponder"
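
Review bot: on the added make_EE delegatedSigner line, the only delegated signer generated is one that carries --extKeyUsage ocspResponder, so this hunk gives the tests nothing to exercise the reject path with. If the rest of the patch does not already provide one, add a sibling end-entity issued by testCA without that EKU so a test can assert that a response it signs is not accepted.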

no-subjectaltname.invalid (? readability)

::: security/pkix/test/lib/pkixtestutil.h
@@ +35,5 @@
>    pkix::ScopedCERTCertificate issuerCert; // The issuer of the subject
>    pkix::ScopedCERTCertificate signerCert; // This cert signs the response
>    uint8_t responseStatus; // See the OCSPResponseStatus enum in rfc 6960
>    bool skipResponseBytes; // If true, don't include responseBytes
> +  pkix::ScopedCERTCertificate includedCertificates[4];
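
Review bot: the added includedCertificates[4] member is the only field in this excerpt without a trailing comment, and nothing here says how a caller marks unused slots or in what order the entries are written into the response. Add a short comment stating both, for example that null entries are skipped, if that is what the encoder does.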

make the 4 a const int or #define
Attachment #8398666 - Flags: review?(cviecco) → review+
Attached patch patch v2 — Splinter Review
Attachment #8398666 - Attachment is obsolete: true
Attachment #8398666 - Flags: feedback?(brian)
Attachment #8407082 - Flags: review?(cviecco)
Attachment #8407082 - Flags: review?(cviecco) → review+
https://hg.mozilla.org/mozilla-central/rev/b394e883b806
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla31