mirrors/wolfssl
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

improves OCSP response signature verification;

Browse Source 
reference: RFC 2560 -  Section 4.2.2.2  Authorized Responders:

   The key that signs a certificate’s status information need not be the
   same key that signed the certificate. It is necessary however to
   ensure that the entity signing this information is authorized to do
   so.  Therefore, a certificate’s issuer MUST either sign the OCSP
   responses itself or it MUST explicitly designate this authority to
   another entity.
This commit is contained in:
Moisés Guimarães 2015-10-26 19:33:35 -03:00
parent a47f98ee19
commit f37ea955ec
4 changed files with 23 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/internal.c
View File

@ -4846,7 +4846,7 @@ static int DoCertificateStatus(WOLFSSL* ssl, byte* input, word32* inOutIdx,
InitOcspResponse(response, status, input +*inOutIdx, status_length);
if ((ret = OcspResponseDecode(response)) == 0) {
if ((ret = OcspResponseDecode(response, ssl->ctx->cm)) == 0) {
if (response->responseStatus != OCSP_SUCCESSFUL)
ret = BAD_CERTIFICATE_STATUS_ERROR;
else if (CompareOcspReqResp(request, response) != 0)

2
src/ocsp.c
View File

@ -294,7 +294,7 @@ int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest)
XMEMSET(newStatus, 0, sizeof(CertStatus));
InitOcspResponse(ocspResponse, newStatus, response, ret);
OcspResponseDecode(ocspResponse);
OcspResponseDecode(ocspResponse, ocsp->cm);
if (ocspResponse->responseStatus != OCSP_SUCCESSFUL)
ret = OCSP_LOOKUP_FAIL;

26
wolfcrypt/src/asn.c
View File

@ -8645,12 +8645,13 @@ static int DecodeCerts(byte* source,
return 0;
}
static int DecodeBasicOcspResponse(byte* source,
word32* ioIndex, OcspResponse* resp, word32 size)
static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
OcspResponse* resp, word32 size, void* cm)
{
int length;
word32 idx = *ioIndex;
word32 end_index;
int ret;
WOLFSSL_ENTER("DecodeBasicOcspResponse");
@ -8686,13 +8687,12 @@ static int DecodeBasicOcspResponse(byte* source,
if (idx < end_index)
{
DecodedCert cert;
int ret;
if (DecodeCerts(source, &idx, resp, size) < 0)
return ASN_PARSE_E;
InitDecodedCert(&cert, resp->cert, resp->certSz, 0);
ret = ParseCertRelative(&cert, CA_TYPE, NO_VERIFY, 0);
ret = ParseCertRelative(&cert, CERT_TYPE, VERIFY, cm);
if (ret < 0)
return ret;
@ -8707,6 +8707,20 @@ static int DecodeBasicOcspResponse(byte* source,
return ASN_OCSP_CONFIRM_E;
}
}
else {
Signer* ca = GetCA(cm, resp->issuerHash);
if (ca)
ret = ConfirmSignature(resp->response, resp->responseSz,
ca->publicKey, ca->pubKeySize, ca->keyOID,
resp->sig, resp->sigSz, resp->sigOID, NULL);
if (!ca || ret == 0)
{
WOLFSSL_MSG("\tOCSP Confirm signature failed");
return ASN_OCSP_CONFIRM_E;
}
}
*ioIndex = idx;
return 0;
@ -8735,7 +8749,7 @@ void InitOcspResponse(OcspResponse* resp, CertStatus* status,
}
int OcspResponseDecode(OcspResponse* resp)
int OcspResponseDecode(OcspResponse* resp, void* cm)
{
int length = 0;
word32 idx = 0;
@ -8779,7 +8793,7 @@ int OcspResponseDecode(OcspResponse* resp)
if (GetLength(source, &idx, &length, size) < 0)
return ASN_PARSE_E;
if (DecodeBasicOcspResponse(source, &idx, resp, size) < 0)
if (DecodeBasicOcspResponse(source, &idx, resp, size, cm) < 0)
return ASN_PARSE_E;
return 0;

2
wolfssl/wolfcrypt/asn.h
View File

@ -720,7 +720,7 @@ struct OcspRequest {
WOLFSSL_LOCAL void InitOcspResponse(OcspResponse*, CertStatus*, byte*, word32);
WOLFSSL_LOCAL int OcspResponseDecode(OcspResponse*);
WOLFSSL_LOCAL int OcspResponseDecode(OcspResponse*, void*);
WOLFSSL_LOCAL int InitOcspRequest(OcspRequest*, DecodedCert*, byte);
WOLFSSL_LOCAL void FreeOcspRequest(OcspRequest*);