bug 1045739 - (1/2) mozilla::pkix: stop checking revocation for expired certificates r=keeler

2024-09-13 09:24:08 -07:00 · 2014-08-14 12:02:55 -07:00 · 2014-08-14 12:02:55 -07:00 · 28142cee21
commit 28142cee21
parent 0491bc1d40
1 changed files with 18 additions and 9 deletions
--- a/security/pkix/lib/pkixbuild.cpp
+++ b/security/pkix/lib/pkixbuild.cpp
@ -50,7 +50,7 @@ public:
                   Time time, KeyPurposeId requiredEKUIfPresent,
                   const CertPolicyId& requiredPolicy,
                   /*optional*/ const Input* stapledOCSPResponse,
-                   unsigned int subCACount)
+                   unsigned int subCACount, Result deferredSubjectError)
    : trustDomain(trustDomain)
    , subject(subject)
    , time(time)
@ -58,6 +58,7 @@ public:
    , requiredPolicy(requiredPolicy)
    , stapledOCSPResponse(stapledOCSPResponse)
    , subCACount(subCACount)
+    , deferredSubjectError(deferredSubjectError)
    , result(Result::FATAL_ERROR_LIBRARY_FAILURE)
    , resultWasSet(false)
  {
@ -77,6 +78,7 @@ private:
  const CertPolicyId& requiredPolicy;
  /*optional*/ Input const* const stapledOCSPResponse;
  const unsigned int subCACount;
+  const Result deferredSubjectError;

  Result RecordResult(Result currentResult, /*out*/ bool& keepGoing);
  Result result;
@ -185,13 +187,19 @@ PathBuildingStep::Check(Input potentialIssuerDER,
    return RecordResult(rv, keepGoing);
  }

-  CertID certID(subject.GetIssuer(), potentialIssuer.GetSubjectPublicKeyInfo(),
-                subject.GetSerialNumber());
-  rv = trustDomain.CheckRevocation(subject.endEntityOrCA, certID, time,
-                                   stapledOCSPResponse,
-                                   subject.GetAuthorityInfoAccess());
-  if (rv != Success) {
-    return RecordResult(rv, keepGoing);
+  // We avoid doing revocation checking for expired certificates because OCSP
+  // responders are allowed to forget about expired certificates, and many OCSP
+  // responders return an error when asked for the status of an expired
+  // certificate.
+  if (deferredSubjectError != Result::ERROR_EXPIRED_CERTIFICATE) {
+    CertID certID(subject.GetIssuer(), potentialIssuer.GetSubjectPublicKeyInfo(),
+                  subject.GetSerialNumber());
+    rv = trustDomain.CheckRevocation(subject.endEntityOrCA, certID, time,
+                                     stapledOCSPResponse,
+                                     subject.GetAuthorityInfoAccess());
+    if (rv != Success) {
+      return RecordResult(rv, keepGoing);
+    }
  }

  return RecordResult(Success, keepGoing);
@ -268,7 +276,8 @@ BuildForward(TrustDomain& trustDomain,

  PathBuildingStep pathBuilder(trustDomain, subject, time,
                               requiredEKUIfPresent, requiredPolicy,
-                               stapledOCSPResponse, subCACount);
+                               stapledOCSPResponse, subCACount,
+                               deferredEndEntityError);

  // TODO(bug 965136): Add SKI/AKI matching optimizations
  rv = trustDomain.FindIssuer(subject.GetIssuer(), pathBuilder, time);