bug 1019198 - fail handshake if given an expired OCSP response and fetching a new one fails r=briansmith

security/certverifier/NSSCertDBTrustDomain.cpp

@@ -391,6 +391,13 @@ NSSCertDBTrustDomain::CheckRevocation(
       PR_SetError(cachedResponseErrorCode, 0);
       return SECFailure;
     }
+    if (stapledOCSPResponse) {
+      PR_LOG(gCertVerifierLog, PR_LOG_DEBUG,
+             ("NSSCertDBTrustDomain: returning SECFailure from expired "
+              "stapled response after OCSP request failure"));
+      PR_SetError(SEC_ERROR_OCSP_OLD_RESPONSE, 0);
+      return SECFailure;
+    }
 
     PR_LOG(gCertVerifierLog, PR_LOG_DEBUG,
            ("NSSCertDBTrustDomain: returning SECSuccess after "
@@ -414,10 +421,18 @@ NSSCertDBTrustDomain::CheckRevocation(
     return rv;
   }
 
+  if (stapledOCSPResponse) {
+    PR_LOG(gCertVerifierLog, PR_LOG_DEBUG,
+           ("NSSCertDBTrustDomain: returning SECFailure from expired stapled "
+            "response after OCSP request verification failure"));
+    PR_SetError(SEC_ERROR_OCSP_OLD_RESPONSE, 0);
+    return SECFailure;
+  }
+
   PR_LOG(gCertVerifierLog, PR_LOG_DEBUG,
          ("NSSCertDBTrustDomain: end of CheckRevocation"));
 
-  return SECSuccess;
+  return SECSuccess; // Soft fail -> success :(
 }
 
 SECStatus

security/manager/ssl/tests/unit/test_ocsp_stapling_expired.js

@@ -48,9 +48,14 @@ let ocspResponseUnknown = ocspResponses[4];
 function run_test() {
   let ocspResponder = new HttpServer();
   ocspResponder.registerPrefixHandler("/", function(request, response) {
-    response.setStatusLine(request.httpVersion, 200, "OK");
-    response.setHeader("Content-Type", "application/ocsp-response");
-    response.write(gCurrentOCSPResponse);
+    if (gCurrentOCSPResponse) {
+      response.setStatusLine(request.httpVersion, 200, "OK");
+      response.setHeader("Content-Type", "application/ocsp-response");
+      response.write(gCurrentOCSPResponse);
+    } else {
+      response.setStatusLine(request.httpVersion, 500, "Internal Server Error");
+      response.write("Internal Server Error");
+    }
     gOCSPRequestCount++;
   });
   ocspResponder.start(8080);
@@ -83,14 +88,40 @@ function add_tests_in_mode(useMozillaPKIX)
                 ocspResponseGood);
   add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com", Cr.NS_OK,
                 ocspResponseGood);
-  add_ocsp_test("ocsp-stapling-expired.example.com", Cr.NS_OK,
+  // With mozilla::pkix, if we can't fetch a more recent response when
+  // given an expired stapled response, we terminate the connection.
+  add_ocsp_test("ocsp-stapling-expired.example.com",
+                useMozillaPKIX
+                  ? getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE)
+                  : Cr.NS_OK,
                 expiredOCSPResponseGood);
-  add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com", Cr.NS_OK,
+  add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com",
+                useMozillaPKIX
+                  ? getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE)
+                  : Cr.NS_OK,
                 expiredOCSPResponseGood);
-  add_ocsp_test("ocsp-stapling-expired.example.com", Cr.NS_OK,
+  add_ocsp_test("ocsp-stapling-expired.example.com",
+                useMozillaPKIX
+                  ? getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE)
+                  : Cr.NS_OK,
                 oldValidityPeriodOCSPResponseGood);
-  add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com", Cr.NS_OK,
+  add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com",
+                useMozillaPKIX
+                  ? getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE)
+                  : Cr.NS_OK,
                 oldValidityPeriodOCSPResponseGood);
+  add_ocsp_test("ocsp-stapling-expired.example.com",
+                useMozillaPKIX
+                  ? getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE)
+                  : Cr.NS_OK,
+                null);
+  add_ocsp_test("ocsp-stapling-expired.example.com",
+                useMozillaPKIX
+                  ? getXPCOMStatusFromNSS(SEC_ERROR_OCSP_OLD_RESPONSE)
+                  : Cr.NS_OK,
+                null);
+  // Of course, if the newer response indicates Revoked or Unknown,
+  // that status must be returned.
   add_ocsp_test("ocsp-stapling-expired.example.com",
                 getXPCOMStatusFromNSS(SEC_ERROR_REVOKED_CERTIFICATE),
                 ocspResponseRevoked);
@@ -100,6 +131,9 @@ function add_tests_in_mode(useMozillaPKIX)
   add_ocsp_test("ocsp-stapling-expired.example.com",
                 getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT),
                 ocspResponseUnknown);
+  add_ocsp_test("ocsp-stapling-expired-fresh-ca.example.com",
+                getXPCOMStatusFromNSS(SEC_ERROR_OCSP_UNKNOWN_CERT),
+                ocspResponseUnknown);
 
   if (useMozillaPKIX) {
     // These tests are verifying that an valid but very old response
@@ -124,11 +158,8 @@ function check_ocsp_stapling_telemetry() {
   do_check_eq(histogram.counts[0], 2 * 0); // histogram bucket 0 is unused
   do_check_eq(histogram.counts[1], 2 * 0); // 0 connections with a good response
   do_check_eq(histogram.counts[2], 2 * 0); // 0 connections with no stapled resp.
-  do_check_eq(histogram.counts[3], 2 * 9 + 3); // 9 connections with an expired response
-                                               // 3 connection with a response
-                                               // considered expired due to being
-                                               // old but having an overly-long
-                                               // validity period
+  do_check_eq(histogram.counts[3], 2 * 12 + 3); // 12 connections with an expired response
+                                                // +3 more mozilla::pkix-only expired responses
   do_check_eq(histogram.counts[4], 2 * 0); // 0 connections with bad responses
   run_next_test();
 }