Bug 972753 (Closed): Test decoding of OCSP response that contains multiple certificates
Opened 12 years ago, closed 11 years ago
Categories: Core :: Security: PSM, defect, P4
Tracking: RESOLVED FIXED, mozilla31
People: Reporter: briansmith, Assigned: keeler
Attachments: 1 file, 1 obsolete file
patch, 61.61 KB, cviecco: review+
No description provided.
Comment 1 (Reporter) • 12 years ago
In particular, we should make sure we're unwrapping the sequences appropriately when there are multiple certificates. Look for this code:
// Unwrap the SEQUENCE that contains the certificate, which is itself a
// SEQUENCE.
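The unwrapping that comment 1 asks to be tested, as an added example that is not code from the patch or from mozilla::pkix: in RFC 6960 the response's certs field is `[0] EXPLICIT SEQUENCE OF Certificate`, so a decoder strips two wrappers and then steps over one SEQUENCE per certificate. ReadTLV, ExtractCerts and kSample are hypothetical names, and the sample bytes are constructed stand-ins, not real certificates.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

using Bytes = std::vector<uint8_t>;

// Read one DER TLV at pos (bounded by limit) and require expectedTag. On
// success set [begin, end) to the value's bounds and move pos past the TLV.
static bool ReadTLV(const Bytes& der, size_t& pos, size_t limit,
                    uint8_t expectedTag, size_t& begin, size_t& end) {
  if (limit - pos < 2 || der[pos] != expectedTag) return false;
  size_t len = der[pos + 1], hdr = 2;
  if (len & 0x80) {  // long form; this sketch accepts 1 or 2 length bytes
    size_t n = len & 0x7f;
    if (n == 0 || n > 2 || limit - pos < 2 + n) return false;
    len = 0;
    for (size_t i = 0; i < n; ++i) len = (len << 8) | der[pos + 2 + i];
    if (len < 0x80 || (n == 2 && len < 0x100)) return false;  // not minimal
    hdr += n;
  }
  if (len > limit - pos - hdr) return false;  // value runs past its container
  begin = pos + hdr;
  end = pos = begin + len;
  return true;
}

// certs [0] EXPLICIT SEQUENCE OF Certificate (RFC 6960, BasicOCSPResponse).
// Appends each certificate's full DER encoding; on false, discard certs.
bool ExtractCerts(const Bytes& field, std::vector<Bytes>& certs) {
  size_t pos = 0, b = 0, wrapperEnd = 0, listEnd = 0, ignored = 0;
  if (!ReadTLV(field, pos, field.size(), 0xA0, b, wrapperEnd) ||  // [0] EXPLICIT
      pos != field.size()) return false;
  pos = b;
  if (!ReadTLV(field, pos, wrapperEnd, 0x30, b, listEnd) ||  // SEQUENCE OF
      pos != wrapperEnd) return false;
  for (pos = b; pos < listEnd;) {
    size_t start = pos;
    // Each Certificate is itself a SEQUENCE; keep its tag and length bytes.
    if (!ReadTLV(field, pos, listEnd, 0x30, b, ignored)) return false;
    certs.emplace_back(field.begin() + start, field.begin() + pos);
  }
  return true;
}

// Constructed input: a certs field holding two 5-byte stand-in "certificates".
const Bytes kSample = {0xA0, 0x0C, 0x30, 0x0A, 0x30, 0x03, 0x02, 0x01, 0x01,
                       0x30, 0x03, 0x02, 0x01, 0x02};

int main() { std::vector<Bytes> c; return ExtractCerts(kSample, c) && c.size() == 2 ? 0 : 1; }
```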
Updated (Reporter) • 11 years ago
No longer blocks: mozilla::pkix
Updated (Reporter) • 11 years ago
Blocks: mozilla::pkix-beta
Updated (Reporter) • 11 years ago
Priority: -- → P4
Comment 3 (Assignee) • 11 years ago
This actually tests delegated responses as well as having multiple certificates in the OCSP response.
Assignee: nobody → dkeeler
Status: NEW → ASSIGNED
Attachment #8398666 - Flags: review?(cviecco)
Attachment #8398666 - Flags: feedback?(brian)
Comment 4 • 11 years ago
Comment on attachment 8398666: patch
Review of attachment 8398666:
-----------------------------------------------------------------
just minor nits for readability
::: security/manager/ssl/tests/unit/tlsserver/generate_certs.sh
@@ +146,5 @@
>
> make_EE inadequatekeyusage 'CN=Inadequate Key Usage Test End-entity' testCA "inadequatekeyusage.example.com" "--keyUsage crlSigning"
> make_EE selfsigned-inadequateEKU 'CN=Self-signed Inadequate EKU Test End-entity' unused "selfsigned-inadequateEKU.example.com" "--keyUsage keyEncipherment,dataEncipherment --extKeyUsage serverAuth" "-x"
>
> +make_EE delegatedSigner 'CN=Test Delegated Responder' testCA "invalid.invalid.invalid" "--extKeyUsage ocspResponder"
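Review bot: On the added make_EE delegatedSigner line, the host name argument "invalid.invalid.invalid" is the only one shown that does not follow the name.example.com pattern of the neighbouring calls, and nothing says why. If the delegated responder certificate is deliberately given a name that no test connects to, state that in a one-line comment above the call or use a self-describing name, so a later reader does not take it for a mistake.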
no-subjectaltname.invalid (? readability)
::: security/pkix/test/lib/pkixtestutil.h
@@ +35,5 @@
> pkix::ScopedCERTCertificate issuerCert; // The issuer of the subject
> pkix::ScopedCERTCertificate signerCert; // This cert signs the response
> uint8_t responseStatus; // See the OCSPResponseStatus enum in rfc 6960
> bool skipResponseBytes; // If true, don't include responseBytes
> + pkix::ScopedCERTCertificate includedCertificates[4];
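Review bot: The added includedCertificates[4] member is the only field among those shown without a trailing comment, and the bound 4 is unexplained. Add a comment saying what the array holds and how unused slots are represented (for example, whether filling stops at the first null entry), and give the size a named constant so the code that fills and walks the array cannot drift from the declaration.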
make the 4 a const int or #define
Attachment #8398666 - Flags: review?(cviecco) → review+
Comment 5 (Assignee) • 11 years ago
Attachment #8398666 - Attachment is obsolete: true
Attachment #8398666 - Flags: feedback?(brian)
Attachment #8407082 - Flags: review?(cviecco)
Updated • 11 years ago
Attachment #8407082 - Flags: review?(cviecco) → review+
Comment 6 (Assignee) • 11 years ago
Thanks, Camilo.
https://tbpl.mozilla.org/?tree=Try&rev=6337d1fde760
Comment 7 (Assignee) • 11 years ago
Comment 8 • 11 years ago
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla31