Closed
Bug 339737
Opened 18 years ago
Closed 17 years ago
LIBPKIX OCSP checking calls CERT_VerifyCert
Categories
(NSS :: Libraries, enhancement, P1)
Tracking
(Not tracked)
RESOLVED
FIXED
3.12
People
(Reporter: richard.freedman, Assigned: alvolkov.bgs)
References
Details
(Whiteboard: PKIX)
The new OCSP handler written for libpkix uses the old ocsp routines to construct, encode, decode, etc., the ocsp messages. But handling of the ocsp response includes a call to CERT_VerifyOCSPResponseSignature, which calls ocsp_CheckSignature, which calls CERT_VerifyCert. This last routine, of course, lacks all the new features painstakingly added to libpkix.
A new routine will be written for verifying the signature of the ocsp response without using CERT_VerifyCert, using instead the libpkix replacement.
Updated•18 years ago
Assignee: richard.freedman → alexei.volkov.bugs
Updated•18 years ago
Whiteboard: PKIX
Comment 1•18 years ago
This task was supposed to have been completed by Richard.
Comment 4•17 years ago
It appears to be fixed in PKIX_PL_OcspResponse_UseBuildChain in pkix_pl_ocspresponse.c .
Comment 5•17 years ago
Agreed. This was fixed on the old PKIX branch before that was merged to the trunk.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Version: 3.10 → trunk
Comment 6•13 years ago
Please reopen this bug. (For some reason, I can't reopen it.) Even though PKIX_PL_OcspResponse_UseBuildChain exists, it is never used. Consequently, when we are using libpkix as a replacement for the old cert chain validation logic, internally libpkix uses the old logic to validate OCSP responses and their cert chains. The call stack is like this:
pkix_OcspChecker_CheckExternal
pkix_pl_OcspResponse_VerifySignature
...
CERT_FindCertIssuer
...
ocsp_GetSignerCertificate
...
CERT_FindCertByName
...
...
pkix_pl_OcspResponse_VerifyResponse
...
CERT_VerifyCertChain
...
All of the ocsp_* and CERT_* calls in this call stack are wrong, because they use the old certificate "FindBest" selection logic.
Comment 7•13 years ago
Never mind, do not re-open this. See bug 551429 comment 11.