mirrors/wolfssl
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

ocsp response date checking

Browse Source
This commit is contained in:
John Safranek 2012-06-01 11:57:03 -07:00
parent ca7bf0d01e
commit 6120f03173
3 changed files with 43 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
ctaocrypt/src/asn.c
View File

@ -4232,6 +4232,8 @@ static int DecodeSingleResponse(byte* source,
if (GetBasicDate(source, &index, cs->thisDate,
&cs->thisDateFormat, size) < 0)
return ASN_PARSE_E;
if (!ValidateDate(cs->thisDate, cs->thisDateFormat, BEFORE))
return ASN_BEFORE_DATE_E;
/* The following items are optional. Only check for them if there is more
* unprocessed data in the singleResponse wrapper. */
@ -4361,11 +4363,11 @@ static int DecodeResponseData(byte* source,
return ASN_PARSE_E;
/* save pointer to the producedAt time */
if (source[idx++] != ASN_GENERALIZED_TIME)
if (GetBasicDate(source, &idx, resp->producedDate,
&resp->producedDateFormat, size) < 0)
return ASN_PARSE_E;
if (GetLength(source, &idx, &length, size) < 0)
return ASN_PARSE_E;
resp->producedAt = source + idx;
if (!ValidateDate(resp->producedDate, resp->producedDateFormat, BEFORE))
return ASN_BEFORE_DATE_E;
idx += length;
if (DecodeSingleResponse(source, &idx, resp, size) < 0)
@ -4481,8 +4483,7 @@ void InitOcspResponse(OcspResponse* resp, CertStatus* status,
resp->responseStatus = -1;
resp->response = NULL;
resp->responseSz = 0;
resp->producedAt = NULL;
resp->producedAtFormat = 0;
resp->producedDateFormat = 0;
resp->issuerHash = NULL;
resp->issuerKeyHash = NULL;
resp->sig = NULL;

5
cyassl/ctaocrypt/asn.h
View File

@ -378,8 +378,9 @@ struct OcspResponse {
byte* response; /* Pointer to beginning of OCSP Response */
word32 responseSz; /* length of the OCSP Response */
byte* producedAt; /* Time at which this response was signed */
byte producedAtFormat;/* format of the producedAt date */
byte producedDate[MAX_DATE_SIZE];
/* Date at which this response was signed */
byte producedDateFormat; /* format of the producedDate */
byte* issuerHash;
byte* issuerKeyHash;

44
src/ocsp.c
View File

@ -361,6 +361,7 @@ static CertStatus* find_cert_status(OCSP_Entry* ocspe, DecodedCert* cert)
XMEMCPY(stat->serial, cert->serial, cert->serialSz);
stat->serialSz = cert->serialSz;
stat->status = -1;
stat->nextDate[0] = 0;
ocspe->totalStatus++;
stat->next = ocspe->status;
@ -427,6 +428,22 @@ static int http_ocsp_transaction(CYASSL_OCSP* ocsp, DecodedCert* cert,
}
static int xstat2err(int stat)
{
switch (stat) {
case CERT_GOOD:
return 0;
break;
case CERT_REVOKED:
return OCSP_CERT_REVOKED;
break;
default:
return OCSP_CERT_UNKNOWN;
break;
}
}
int CyaSSL_OCSP_Lookup_Cert(CYASSL_OCSP* ocsp, DecodedCert* cert)
{
byte ocspReqBuf[SCRATCH_BUFFER_SIZE];
@ -460,6 +477,21 @@ int CyaSSL_OCSP_Lookup_Cert(CYASSL_OCSP* ocsp, DecodedCert* cert)
if (certStatus->status != -1)
{
if (!ValidateDate(certStatus->thisDate,
certStatus->thisDateFormat, BEFORE) ||
(certStatus->nextDate[0] == 0) ||
!ValidateDate(certStatus->nextDate,
certStatus->nextDateFormat, AFTER))
{
CYASSL_MSG("\tinvalid status date, looking up cert");
certStatus->status = -1;
}
else
{
CYASSL_MSG("\tusing cached status");
result = xstat2err(certStatus->status);
return result;
}
}
InitOcspRequest(&ocspRequest, cert, ocspReqBuf, ocspReqSz);
@ -478,17 +510,7 @@ int CyaSSL_OCSP_Lookup_Cert(CYASSL_OCSP* ocsp, DecodedCert* cert)
} else {
if (CompareOcspReqResp(&ocspRequest, &ocspResponse) == 0)
{
switch (ocspResponse.status[0].status) {
case CERT_GOOD:
result = 0;
break;
case CERT_REVOKED:
result = OCSP_CERT_REVOKED;
break;
default:
result = OCSP_CERT_UNKNOWN;
break;
}
result = xstat2err(ocspResponse.status->status);
}
else
{