Closed Bug 977870 Opened 7 years ago Closed 7 years ago

insanity::pkix: consume the rest of input when a CertID doesn't match in an OCSP response

Categories: Core :: Security: PSM, defect
Importance: Not set, normal
Status: RESOLVED FIXED
Target Milestone: mozilla31
People: Reporter: keeler, Assigned: keeler
Attachments: 1 file, 1 obsolete file

When not using NSS's OCSP cache, the test cases "ocsp-stapling-good-other.example.com" and "ocsp-stapling-empty.example.com" in test_ocsp_stapling.js cause VerifyEncodedOCSPResponse to return SEC_ERROR_BAD_DER, which it shouldn't. It should (probably) instead return SEC_ERROR_OCSP_UNKNOWN_CERT or SEC_ERROR_OCSP_MALFORMED_RESPONSE, respectively.
Attached patch patch (obsolete) — Splinter Review
It turns out, when using Nested or NestedOf, if the whole input isn't consumed, SEC_ERROR_BAD_DER is returned. In CertID, if the response doesn't match the certificate we're interested in, der::Success is returned, but input hasn't been consumed. So, SEC_ERROR_BAD_DER ultimately gets returned. This patch makes it so the input gets consumed in these cases.
Assignee: nobody → dkeeler
Status: NEW → ASSIGNED
Attachment #8391473 - Flags: review?(brian)
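The failure mode described in the comment above, as an added, self-contained model (not the insanity::pkix code and not the patch attached to this bug): a `Nested` combinator that hands a decoder a sub-reader over exactly the contents of one TLV and reports BadDER if the decoder leaves bytes unread, plus a CertID-style matcher that either returns early on mismatch without consuming (the bug) or skips to the end of its input first (the fix). The names `Reader`, `Nested`, `MatchCertID`, `ParseCertID`, the `Result` enum and the sample bytes are all constructed for this example; the real library's reader, tags and error codes differ.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Constructed result codes standing in for der::Success / SEC_ERROR_BAD_DER.
enum class Result { Success, BadDER };

// Minimal cursor over a byte buffer, playing the role of the DER input object.
class Reader {
public:
  Reader(const uint8_t* data, size_t len) : data_(data), len_(len), pos_(0) {}
  bool AtEnd() const { return pos_ == len_; }
  Result ReadByte(uint8_t& out) {
    if (AtEnd()) return Result::BadDER;
    out = data_[pos_++];
    return Result::Success;
  }
  // The fix: explicitly consume whatever is left of this input.
  void SkipToEnd() { pos_ = len_; }
  // Carve a sub-reader over the next `len` bytes and advance past them.
  Result Slice(size_t len, Reader& out) {
    if (len > len_ - pos_) return Result::BadDER;
    out = Reader(data_ + pos_, len);
    pos_ += len;
    return Result::Success;
  }
private:
  const uint8_t* data_;
  size_t len_;
  size_t pos_;
};

// Nested: expect `tag`, a short-form length, then run `decoder` over exactly
// the contents. A decoder that returns Success but leaves bytes unread is
// treated as malformed input, which is the behaviour the bug comment describes.
template <typename Decoder>
Result Nested(Reader& input, uint8_t tag, Decoder decoder) {
  uint8_t t, len;
  Result rv = input.ReadByte(t);
  if (rv != Result::Success) return rv;
  if (t != tag) return Result::BadDER;
  rv = input.ReadByte(len);
  if (rv != Result::Success) return rv;
  if (len >= 0x80) return Result::BadDER;  // long-form lengths not modelled here
  Reader contents(nullptr, 0);
  rv = input.Slice(len, contents);
  if (rv != Result::Success) return rv;
  rv = decoder(contents);
  if (rv != Result::Success) return rv;
  return contents.AtEnd() ? Result::Success : Result::BadDER;
}

// CertID stand-in: the contents are just the serial number bytes. On the first
// differing byte we know this SingleResponse is not for our certificate.
// consumeOnMismatch=false reproduces the bug; true applies the fix.
Result MatchCertID(Reader& input, const std::vector<uint8_t>& wantSerial,
                   bool consumeOnMismatch, bool& matched) {
  matched = true;
  for (size_t i = 0; i < wantSerial.size(); ++i) {
    uint8_t b;
    Result rv = input.ReadByte(b);
    if (rv != Result::Success) return rv;
    if (b != wantSerial[i]) {
      matched = false;
      if (consumeOnMismatch) input.SkipToEnd();
      return Result::Success;  // bug: Success returned with bytes still unread
    }
  }
  if (!input.AtEnd()) {  // serial in the response is longer than ours
    matched = false;
    if (consumeOnMismatch) input.SkipToEnd();
  }
  return Result::Success;
}

// Parse one SEQUENCE-tagged CertID and report whether it names `wantSerial`.
Result ParseCertID(const std::vector<uint8_t>& der,
                   const std::vector<uint8_t>& wantSerial,
                   bool consumeOnMismatch, bool& matched) {
  Reader input(der.data(), der.size());
  matched = false;
  Result rv = Nested(input, 0x30, [&](Reader& r) {
    return MatchCertID(r, wantSerial, consumeOnMismatch, matched);
  });
  if (rv != Result::Success) return rv;
  return input.AtEnd() ? Result::Success : Result::BadDER;
}

// Constructed sample: SEQUENCE { 01 02 03 }, i.e. a CertID with serial 01 02 03.
static const std::vector<uint8_t> kSampleCertID = {0x30, 0x03, 0x01, 0x02, 0x03};

// Helpers that run the sample against a matching or non-matching serial.
Result SampleResult(bool consumeOnMismatch, bool useMatchingSerial) {
  std::vector<uint8_t> want = useMatchingSerial ? std::vector<uint8_t>{1, 2, 3}
                                               : std::vector<uint8_t>{1, 9, 3};
  bool matched;
  return ParseCertID(kSampleCertID, want, consumeOnMismatch, matched);
}
bool SampleMatched(bool consumeOnMismatch, bool useMatchingSerial) {
  std::vector<uint8_t> want = useMatchingSerial ? std::vector<uint8_t>{1, 2, 3}
                                               : std::vector<uint8_t>{1, 9, 3};
  bool matched;
  ParseCertID(kSampleCertID, want, consumeOnMismatch, matched);
  return matched;
}
```

With the non-matching serial, the unfixed path returns BadDER even though the response is perfectly well-formed; after `SkipToEnd` the same input yields Success with `matched == false`, which is what lets a caller go on to inspect the next SingleResponse or report that the certificate is unknown instead of claiming malformed DER.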
Comment on attachment 8391473 [details] [diff] [review]
patch

Review of attachment 8391473 [details] [diff] [review]:
-----------------------------------------------------------------

It seems like we need a test for the case where there are two SingleResponses in the OCSP response and the first one doesn't match. I will add this as part of bug 916629.
Attachment #8391473 - Flags: review?(brian) → review+
I'm going to handle the other case where we return SEC_ERROR_BAD_DER in bug 984567.
No longer blocks: 984567
Summary: VerifyEncodedOCSPResponse should not return SEC_ERROR_BAD_DER → insanity::pkix: consume the rest of input when a CertID doesn't match in an OCSP response
Attached patch patch v1.1 - Splinter Review
This is just a subset of the previous patch - carrying over r+.
Attachment #8391473 - Attachment is obsolete: true
Attachment #8392481 - Flags: review+
https://hg.mozilla.org/mozilla-central/rev/c2bc849c4169
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla31