feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

ocsp: improve OCSP response signature validation

Browse Source 
- search for the signer in the CertificateManager if the embedded cert
  verification fails in original asn template.
This commit is contained in:
Marco Oliverio
2025-02-05 16:35:20 +00:00
parent 3e50c79c3b
commit 2c2eb2a285
1 changed files with 15 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
wolfcrypt/src/asn.c
View File

@@ -37361,6 +37361,7 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
#endif #endif
int ret; int ret;
int sigLength; int sigLength;
int sigValid = 0;
WOLFSSL_ENTER("DecodeBasicOcspResponse"); WOLFSSL_ENTER("DecodeBasicOcspResponse");
(void)heap; (void)heap;
@@ -37417,16 +37418,19 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
return ASN_PARSE_E; return ASN_PARSE_E;
ret = OcspCheckCert(resp, noVerify, noVerifySignature, cm, heap); ret = OcspCheckCert(resp, noVerify, noVerifySignature, cm, heap);
if (ret != 0) { if (ret == 0) {
WOLFSSL_MSG("\tOCSP Confirm signature failed"); sigValid = 1;
return ASN_OCSP_CONFIRM_E; }
else {
WOLFSSL_MSG("OCSP Internal certificate can't verify the response\n");
/* try to verify the OCSP response with CA certs */
ret = 0;
} }
} }
else else
#endif /* WOLFSSL_NO_OCSP_OPTIONAL_CERTS */ #endif /* WOLFSSL_NO_OCSP_OPTIONAL_CERTS */
if (!noVerifySignature) { if (!noVerifySignature && !sigValid) {
Signer* ca; Signer* ca;
int sigValid = -1;
SignatureCtx sigCtx; SignatureCtx sigCtx;
ca = OcspFindSigner(resp, cm); ca = OcspFindSigner(resp, cm);
if (ca == NULL) if (ca == NULL)
@@ -37457,6 +37461,7 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
int ret = 0; int ret = 0;
word32 idx = *ioIndex; word32 idx = *ioIndex;
Signer* ca = NULL; Signer* ca = NULL;
int sigValid = 0;
WOLFSSL_ENTER("DecodeBasicOcspResponse"); WOLFSSL_ENTER("DecodeBasicOcspResponse");
(void)heap; (void)heap;
@@ -37509,29 +37514,28 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
ret = OcspCheckCert(resp, noVerify, noVerifySignature, ret = OcspCheckCert(resp, noVerify, noVerifySignature,
(WOLFSSL_CERT_MANAGER*)cm, heap); (WOLFSSL_CERT_MANAGER*)cm, heap);
if (ret == 0) { if (ret == 0) {
noVerifySignature = 1; sigValid = 1;
} }
ret = 0; /* try to verify the OCSP response with CA certs */ ret = 0; /* try to verify the OCSP response with CA certs */
} }
#endif /* WOLFSSL_NO_OCSP_OPTIONAL_CERTS */ #endif /* WOLFSSL_NO_OCSP_OPTIONAL_CERTS */
/* try to verify using cm certs */ /* try to verify using cm certs */
if (ret == 0 && !noVerifySignature) if (ret == 0 && !noVerifySignature && !sigValid)
{ {
ca = OcspFindSigner(resp, (WOLFSSL_CERT_MANAGER*)cm); ca = OcspFindSigner(resp, (WOLFSSL_CERT_MANAGER*)cm);
if (ca == NULL) if (ca == NULL)
ret = ASN_NO_SIGNER_E; ret = ASN_NO_SIGNER_E;
} }
#ifndef WOLFSSL_NO_OCSP_ISSUER_CHECK #ifndef WOLFSSL_NO_OCSP_ISSUER_CHECK
if (ret == 0 && !noVerifySignature) { if (ret == 0 && !noVerifySignature && !sigValid) {
if (OcspRespCheck(resp, ca) != 0) { if (OcspRespCheck(resp, ca) != 0) {
ret = BAD_OCSP_RESPONDER; ret = BAD_OCSP_RESPONDER;
} }
} }
#endif #endif
if (ret == 0 && !noVerifySignature) { if (ret == 0 && !noVerifySignature && !sigValid) {
int sigValid = -1;
SignatureCtx sigCtx; SignatureCtx sigCtx;
/* Initialize he signature context. */ /* Initialize the signature context. */
InitSignatureCtx(&sigCtx, heap, INVALID_DEVID); InitSignatureCtx(&sigCtx, heap, INVALID_DEVID);
/* TODO: ConfirmSignature is blocking here */ /* TODO: ConfirmSignature is blocking here */