Bug
Resolution: Unresolved
Minor
rhel-10.0
rhel-security-crypto-clubs
What were you trying to do that didn't work?
NSS ocspclnt fails to verify response signed by a delegated OCSP responder with critical id-pkix-ocsp-nocheck extension.
The actual scenario is as follows:
1. Create a PKI structure with separate OCSP server and leaf certificates
2. Start ocsp responder with the certificate (a custom java OCSP responder, same code for RHEL-9 and RHEL-10 except that java-17 is used on RHEL-9 and java-21 on RHEL-10)
3. Try to verify any certificate using NSS ocspclnt
On RHEL-9 verification succeeds - Verification of certificate "server" succeeded. On RHEL-10 it fails - Verification of certificate "server" failed. Reason: Peer's Certificate has been revoked.
With NSS_DISABLE_PKIX_VERIFY=1 verification succeeds on RHEL-10 too. Hence this looks like a bug in libpkix.
Please provide the package NVR for which the bug is seen:
nss-3.101, nss-3.112
How reproducible is this bug?:
- See above
- This is also tested by /Sanity/test-OCSP-client
Expected results
Verification succeeded.
Actual results
Verification of certificate "server" failed. Reason: Peer's Certificate has been revoked.