Bug 1966989 - add Result::ERROR_OCSP_RESPONSE_FOR_CERT_MISSING to the list of deferred OCSP stapling errors r=jschanck

When checking stapled OCSP, if the server stapled an unsuitable response
(according to a small list of error codes), Firefox defers acting on that
information and may try to fetch OCSP in the hopes of getting a suitable
response. This patch adds Result::ERROR_OCSP_RESPONSE_FOR_CERT_MISSING (the
response didn't include a status for the certificate in question) to the list
of these errors.

Differential Revision: https://phabricator.services.mozilla.com/D249848
This commit is contained in:
Dana Keeler
2025-05-19 18:22:02 +00:00
committed by dkeeler@mozilla.com
parent a1fcf2855e
commit bd76eb8d80
2 changed files with 10 additions and 8 deletions


@@ -910,7 +910,9 @@ Result NSSCertDBTrustDomain::CheckRevocationByOCSP(
} else if (stapledOCSPResponseResult ==
Result::ERROR_OCSP_TRY_SERVER_LATER ||
stapledOCSPResponseResult ==
Result::ERROR_OCSP_INVALID_SIGNING_CERT) {
Result::ERROR_OCSP_INVALID_SIGNING_CERT ||
stapledOCSPResponseResult ==
Result::ERROR_OCSP_RESPONSE_FOR_CERT_MISSING) {
// Stapled OCSP response present but invalid for a small number of reasons
// CAs/servers commonly get wrong. This will be treated similarly to an
// expired stapled response.
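Review bot: the explanatory comment below the widened condition still says only "invalid for a small number of reasons CAs/servers commonly get wrong" and does not name the case this hunk adds, so a reader of the code cannot tell why a response that lacks a status for the end-entity certificate is treated like an expired stapled response rather than as a hard failure; consider extending the comment with the three cases now listed (try-server-later, invalid signing cert, response for cert missing) and the intent stated in the commit message, that the deferred error is still returned if the fallback fetch does not yield a suitable response. With four equality comparisons chained on `stapledOCSPResponseResult`, a small helper such as `IsDeferrableStapledOCSPError(Result)` would also keep this list in one place for the next addition.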


@@ -224,23 +224,23 @@ function add_tests() {
SEC_ERROR_OCSP_UNKNOWN_CERT,
true
);
// If the server staples an OCSP response that doesn't contain a status for
// the server certificate, we defer returning the error and attempt to fetch
// a more suitable response. If that fails, the deferred error is returned.
add_ocsp_test(
"ocsp-stapling-good-other.example.com",
MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING,
true,
true
);
// If the server doesn't staple an OCSP response, we continue as normal
// (this means that even though stapling is enabled, we expect an OCSP
// request).
add_connection_test(
add_ocsp_test(
"ocsp-stapling-none.example.com",
PRErrorCodeSuccess,
function () {
gExpectOCSPRequest = true;
clearOCSPCache();
clearSessionCache();
Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling", true);
}
true,
true
);
add_ocsp_test(
"ocsp-stapling-empty.example.com",
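Review bot: converting the `ocsp-stapling-none.example.com` case from `add_connection_test` to `add_ocsp_test` drops the explicit `clearOCSPCache()`, `clearSessionCache()` and `Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling", true)` calls that the old setup function performed; please confirm `add_ocsp_test` does equivalent cache and pref setup, otherwise a response cached by an earlier test could satisfy the check without the OCSP request that the comment says is expected, and the test would pass for the wrong reason. The new `ocsp-stapling-good-other.example.com` case only exercises the path the comment describes as "If that fails, the deferred error is returned" (expecting `MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING`); a companion case in which the fallback fetch succeeds would show that deferral actually recovers the connection and not merely that the original error survives.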