Bug 977870 (Closed)
Opened 11 years ago; Closed 11 years ago
insanity::pkix: consume the rest of input when a CertID doesn't match in an OCSP response
Categories: Core :: Security: PSM, defect
Status: RESOLVED FIXED; Target Milestone: mozilla31
People: Reporter: keeler; Assigned: keeler
Attachments (1 file, 1 obsolete file): patch, 5.00 KB, keeler: review+
When not using NSS's OCSP cache, the test cases "ocsp-stapling-good-other.example.com" and "ocsp-stapling-empty.example.com" in test_ocsp_stapling.js cause VerifyEncodedOCSPResponse to return SEC_ERROR_BAD_DER, which it shouldn't. It should (probably) instead return SEC_ERROR_OCSP_UNKNOWN_CERT or SEC_ERROR_OCSP_MALFORMED_RESPONSE, respectively.
Comment 1•11 years ago
It turns out, when using Nested or NestedOf, if the whole input isn't consumed, SEC_ERROR_BAD_DER is returned. In CertID, if the response doesn't match the certificate we're interested in, der::Success is returned, but input hasn't been consumed. So, SEC_ERROR_BAD_DER ultimately gets returned. This patch makes it so the input gets consumed in these cases.
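The failure mode described in this comment, as an added illustration that is not the bug's patch or mozilla::pkix's own code: a toy DER reader in which Nested (modelled on the behaviour described above, not on the real API) hands a decoder a sub-input and reports BadDER if the decoder returns Success without reaching the end of it. The toy CertID decoder compares only a one-byte serial; on mismatch it either returns Success immediately (the original behaviour) or skips to the end of the CertID first (the fix). The structure layout, the sample encoding in BuildSingleResponse and the Result names are all constructed for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <functional>
#include <vector>

// Constructed stand-ins for the real SECStatus/error codes named on the page.
enum class Result { Success, BadDER };

// Cursor over a byte buffer; a simplified stand-in for pkix's Input reader.
class Input {
public:
  Input(const uint8_t* data, size_t len) : data_(data), len_(len), pos_(0) {}
  bool AtEnd() const { return pos_ == len_; }
  Result Read(uint8_t& out) {
    if (AtEnd()) return Result::BadDER;
    out = data_[pos_++];
    return Result::Success;
  }
  // Hand out the next n bytes as a sub-Input and advance past them.
  Result Slice(size_t n, Input& out) {
    if (n > len_ - pos_) return Result::BadDER;
    out = Input(data_ + pos_, n);
    pos_ += n;
    return Result::Success;
  }
  void SkipToEnd() { pos_ = len_; }
private:
  const uint8_t* data_;
  size_t len_;
  size_t pos_;
};

// Nested: read tag + short-form length, run the decoder on the contents, and
// insist that the decoder consumed every byte of the nested value; leftover
// bytes are reported as BadDER, which is the behaviour the comment describes.
Result Nested(Input& in, uint8_t expectedTag, const std::function<Result(Input&)>& decoder) {
  uint8_t tag, len;
  if (in.Read(tag) != Result::Success || tag != expectedTag) return Result::BadDER;
  if (in.Read(len) != Result::Success || len >= 0x80) return Result::BadDER;
  Input nested(nullptr, 0);
  if (in.Slice(len, nested) != Result::Success) return Result::BadDER;
  Result rv = decoder(nested);
  if (rv != Result::Success) return rv;
  return nested.AtEnd() ? Result::Success : Result::BadDER;
}

// Reads a one-byte INTEGER (tag 0x02, length 1).
Result ReadSmallInteger(Input& in, uint8_t& value) {
  return Nested(in, 0x02, [&](Input& body) { return body.Read(value); });
}

// Toy CertID: SEQUENCE { INTEGER serial, OCTET STRING hash (1 byte) }.
// When the serial is not the one we want, the remaining fields are of no
// interest. Returning Success without reading them leaves bytes unconsumed,
// so the enclosing Nested fails with BadDER; skipping to the end fixes that.
Result DecodeCertID(Input& in, uint8_t wantedSerial, bool consumeOnMismatch, bool& matched) {
  matched = false;
  return Nested(in, 0x30, [&](Input& body) {
    uint8_t serial;
    Result rv = ReadSmallInteger(body, serial);
    if (rv != Result::Success) return rv;
    if (serial != wantedSerial) {
      if (consumeOnMismatch) body.SkipToEnd();  // the fix
      return Result::Success;                   // not an error, just "not ours"
    }
    uint8_t hash;
    rv = Nested(body, 0x04, [&](Input& h) { return h.Read(hash); });
    if (rv != Result::Success) return rv;
    matched = true;
    return Result::Success;
  });
}

// Toy SingleResponse: SEQUENCE { CertID, ENUMERATED certStatus }.
Result DecodeSingleResponse(const std::vector<uint8_t>& der, uint8_t wantedSerial,
                            bool consumeOnMismatch, bool& matched) {
  Input in(der.data(), der.size());
  Result rv = Nested(in, 0x30, [&](Input& body) {
    Result r = DecodeCertID(body, wantedSerial, consumeOnMismatch, matched);
    if (r != Result::Success) return r;
    uint8_t status;
    return Nested(body, 0x0a, [&](Input& s) { return s.Read(status); });
  });
  if (rv != Result::Success) return rv;
  return in.AtEnd() ? Result::Success : Result::BadDER;
}

// Constructed sample encoding of the toy SingleResponse above.
std::vector<uint8_t> BuildSingleResponse(uint8_t serial, uint8_t hash, uint8_t status) {
  return { 0x30, 0x0b,
             0x30, 0x06, 0x02, 0x01, serial, 0x04, 0x01, hash,
             0x0a, 0x01, status };
}

// 0 = BadDER, 1 = Success but CertID did not match, 2 = Success and matched.
int Classify(uint8_t serialInResponse, uint8_t wantedSerial, bool consumeOnMismatch) {
  bool matched = false;
  Result rv = DecodeSingleResponse(BuildSingleResponse(serialInResponse, 0xaa, 0x00),
                                   wantedSerial, consumeOnMismatch, matched);
  if (rv != Result::Success) return 0;
  return matched ? 2 : 1;
}

int main() {
  std::printf("mismatch, original: %d\n", Classify(0x05, 0x07, false));  // 0 (BadDER)
  std::printf("mismatch, fixed:    %d\n", Classify(0x05, 0x07, true));   // 1
  std::printf("match:              %d\n", Classify(0x05, 0x05, true));   // 2
  return 0;
}
```

The point to take from the run: with the original behaviour a response that merely does not cover the certificate we asked about is indistinguishable from a malformed one, because both surface as BadDER; only once the non-matching CertID is fully consumed can the caller go on to the next SingleResponse or report "unknown cert" rather than a DER error.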
Comment 2•11 years ago
Comment on attachment 8391473 [details] [diff] [review]
patch
Review of attachment 8391473 [details] [diff] [review]:
-----------------------------------------------------------------
It seems like we need a test for the case where there are two SingleResponses in the OCSP response and the first one doesn't match. I will add this as part of bug 916629.
Attachment #8391473 - Flags: review?(brian) → review+
Comment 3•11 years ago
I'm going to handle the other case where we return SEC_ERROR_BAD_DER in bug 984567.
No longer blocks: 984567
Summary: VerifyEncodedOCSPResponse should not return SEC_ERROR_BAD_DER → insanity::pkix: consume the rest of input when a CertID doesn't match in an OCSP response
Comment 4•11 years ago
This is just a subset of the previous patch - carrying over r+.
Attachment #8391473 - Attachment is obsolete: true
Attachment #8392481 - Flags: review+
Comment 5•11 years ago
Comment 6•11 years ago
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla31