diff --git a/certs/ocsp/index0.txt b/certs/ocsp/index-ca-and-intermediate-cas.txt similarity index 100% rename from certs/ocsp/index0.txt rename to certs/ocsp/index-ca-and-intermediate-cas.txt diff --git a/certs/ocsp/index1.txt b/certs/ocsp/index-intermediate1-ca-issued-certs.txt similarity index 100% rename from certs/ocsp/index1.txt rename to certs/ocsp/index-intermediate1-ca-issued-certs.txt diff --git a/certs/ocsp/index2.txt b/certs/ocsp/index-intermediate2-ca-issued-certs.txt similarity index 100% rename from certs/ocsp/index2.txt rename to certs/ocsp/index-intermediate2-ca-issued-certs.txt diff --git a/certs/ocsp/index3.txt b/certs/ocsp/index-intermediate3-ca-issued-certs.txt similarity index 100% rename from certs/ocsp/index3.txt rename to certs/ocsp/index-intermediate3-ca-issued-certs.txt diff --git a/certs/ocsp/ocspd-intermediate1-ca-issued-certs-with-ca-as-responder.sh b/certs/ocsp/ocspd-intermediate1-ca-issued-certs-with-ca-as-responder.sh new file mode 100755 index 000000000..eecd81b58 --- /dev/null +++ b/certs/ocsp/ocspd-intermediate1-ca-issued-certs-with-ca-as-responder.sh @@ -0,0 +1,8 @@ +#!/bin/sh + +openssl ocsp -port 22221 -nmin 1 \ + -index certs/ocsp/index-intermediate1-ca-issued-certs.txt \ + -rsigner certs/ocsp/intermediate1-ca-cert.pem \ + -rkey certs/ocsp/intermediate1-ca-key.pem \ + -CA certs/ocsp/intermediate1-ca-cert.pem \ + $@ diff --git a/certs/ocsp/ocspd-intermediate1-ca-issued-certs.sh b/certs/ocsp/ocspd-intermediate1-ca-issued-certs.sh new file mode 100755 index 000000000..debfd63bb --- /dev/null +++ b/certs/ocsp/ocspd-intermediate1-ca-issued-certs.sh @@ -0,0 +1,8 @@ +#!/bin/sh + +openssl ocsp -port 22221 -nmin 1 \ + -index certs/ocsp/index-intermediate1-ca-issued-certs.txt \ + -rsigner certs/ocsp/ocsp-responder-cert.pem \ + -rkey certs/ocsp/ocsp-responder-key.pem \ + -CA certs/ocsp/intermediate1-ca-cert.pem \ + $@ diff --git a/certs/ocsp/ocspd-intermediate2-ca-issued-certs.sh b/certs/ocsp/ocspd-intermediate2-ca-issued-certs.sh new file mode 100755 index 000000000..0d06c5be1 --- /dev/null +++ b/certs/ocsp/ocspd-intermediate2-ca-issued-certs.sh @@ -0,0 +1,8 @@ +#!/bin/sh + +openssl ocsp -port 22222 -nmin 1 \ + -index certs/ocsp/index-intermediate2-ca-issued-certs.txt \ + -rsigner certs/ocsp/ocsp-responder-cert.pem \ + -rkey certs/ocsp/ocsp-responder-key.pem \ + -CA certs/ocsp/intermediate2-ca-cert.pem \ + $@ diff --git a/certs/ocsp/ocspd-intermediate3-ca-issued-certs.sh b/certs/ocsp/ocspd-intermediate3-ca-issued-certs.sh new file mode 100755 index 000000000..5e6a5173c --- /dev/null +++ b/certs/ocsp/ocspd-intermediate3-ca-issued-certs.sh @@ -0,0 +1,8 @@ +#!/bin/sh + +openssl ocsp -port 22223 -nmin 1 \ + -index certs/ocsp/index-intermediate3-ca-issued-certs.txt \ + -rsigner certs/ocsp/ocsp-responder-cert.pem \ + -rkey certs/ocsp/ocsp-responder-key.pem \ + -CA certs/ocsp/intermediate3-ca-cert.pem \ + $@ diff --git a/certs/ocsp/ocspd-root-ca-and-intermediate-cas.sh b/certs/ocsp/ocspd-root-ca-and-intermediate-cas.sh new file mode 100755 index 000000000..d3c3bc1ad --- /dev/null +++ b/certs/ocsp/ocspd-root-ca-and-intermediate-cas.sh @@ -0,0 +1,8 @@ +#!/bin/sh + +openssl ocsp -port 22220 -nmin 1 \ + -index certs/ocsp/index-ca-and-intermediate-cas.txt \ + -rsigner certs/ocsp/ocsp-responder-cert.pem \ + -rkey certs/ocsp/ocsp-responder-key.pem \ + -CA certs/ocsp/root-ca-cert.pem \ + $@ diff --git a/certs/ocsp/ocspd0.sh b/certs/ocsp/ocspd0.sh deleted file mode 100755 index d0aa0b953..000000000 --- a/certs/ocsp/ocspd0.sh +++ /dev/null @@ -1,8 +0,0 @@ -#!/bin/sh - -openssl ocsp -port 22220 -nmin 1 \ - -index certs/ocsp/index0.txt \ - -rsigner certs/ocsp/ocsp-responder-cert.pem \ - -rkey certs/ocsp/ocsp-responder-key.pem \ - -CA certs/ocsp/root-ca-cert.pem \ - $@ diff --git a/certs/ocsp/ocspd1.sh b/certs/ocsp/ocspd1.sh deleted file mode 100755 index 91448c004..000000000 --- a/certs/ocsp/ocspd1.sh +++ /dev/null @@ -1,8 +0,0 @@ -#!/bin/sh - -openssl ocsp -port 22221 -nmin 1 \ - -index certs/ocsp/index1.txt \ - -rsigner certs/ocsp/ocsp-responder-cert.pem \ - -rkey certs/ocsp/ocsp-responder-key.pem \ - -CA certs/ocsp/intermediate1-ca-cert.pem \ - $@ diff --git a/certs/ocsp/ocspd2.sh b/certs/ocsp/ocspd2.sh deleted file mode 100755 index a7748b337..000000000 --- a/certs/ocsp/ocspd2.sh +++ /dev/null @@ -1,8 +0,0 @@ -#!/bin/sh - -openssl ocsp -port 22222 -nmin 1 \ - -index certs/ocsp/index2.txt \ - -rsigner certs/ocsp/ocsp-responder-cert.pem \ - -rkey certs/ocsp/ocsp-responder-key.pem \ - -CA certs/ocsp/intermediate2-ca-cert.pem \ - $@ diff --git a/certs/ocsp/ocspd3.sh b/certs/ocsp/ocspd3.sh deleted file mode 100755 index 3e53ceb71..000000000 --- a/certs/ocsp/ocspd3.sh +++ /dev/null @@ -1,8 +0,0 @@ -#!/bin/sh - -openssl ocsp -port 22223 -nmin 1 \ - -index certs/ocsp/index3.txt \ - -rsigner certs/ocsp/ocsp-responder-cert.pem \ - -rkey certs/ocsp/ocsp-responder-key.pem \ - -CA certs/ocsp/intermediate3-ca-cert.pem \ - $@ diff --git a/scripts/include.am b/scripts/include.am index 442d758f7..c1180cbd1 100644 --- a/scripts/include.am +++ b/scripts/include.am @@ -26,13 +26,15 @@ endif if BUILD_OCSP_STAPLING dist_noinst_SCRIPTS+= scripts/ocsp-stapling.test scripts/ocsp-stapling.log: scripts/ocsp.log +dist_noinst_SCRIPTS+= scripts/ocsp-stapling-with-ca-as-responder.test +scripts/ocsp-stapling-with-ca-as-responder.log: scripts/ocsp-stapling.log endif if BUILD_OCSP_STAPLING_V2 dist_noinst_SCRIPTS+= scripts/ocsp-stapling2.test if BUILD_OCSP_STAPLING -scripts/ocsp-stapling2.log: scripts/ocsp-stapling.log +scripts/ocsp-stapling2.log: scripts/ocsp-stapling-with-ca-as-responder.log else scripts/ocsp-stapling2.log: scripts/ocsp.log endif diff --git a/scripts/ocsp-stapling-with-ca-as-responder.test b/scripts/ocsp-stapling-with-ca-as-responder.test new file mode 100755 index 000000000..49a8fe536 --- /dev/null +++ b/scripts/ocsp-stapling-with-ca-as-responder.test @@ -0,0 +1,39 @@ +#!/bin/sh + +# ocsp-stapling.test + +trap 'for i in `jobs -p`; do pkill -TERM -P $i; kill $i; done' EXIT + +server=login.live.com +ca=certs/external/ca-verisign-g5.pem + +[ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1 + +# is our desired server there? - login.live.com doesn't answers PING +#./scripts/ping.test $server 2 + +# client test against the server +./examples/client/client -X -C -h $server -p 443 -A $ca -g -W 1 +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1 + +# setup ocsp responder +./certs/ocsp/ocspd-intermediate1-ca-issued-certs-with-ca-as-responder.sh & +sleep 1 +[ $(jobs -r | wc -l) -ne 1 ] && echo -e "\n\nSetup ocsp responder failed, skipping" && exit 0 + +# client test against our own server - GOOD CERT +./examples/server/server -c certs/ocsp/server1-cert.pem -k certs/ocsp/server1-key.pem & +sleep 1 +./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1 + +# client test against our own server - REVOKED CERT +./examples/server/server -c certs/ocsp/server2-cert.pem -k certs/ocsp/server2-key.pem & +sleep 1 +./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1 +RESULT=$? +[ $RESULT -ne 1 ] && echo -e "\n\nClient connection suceeded $RESULT" && exit 1 + +exit 0 diff --git a/scripts/ocsp-stapling.test b/scripts/ocsp-stapling.test index e8984b0aa..3511d4a36 100755 --- a/scripts/ocsp-stapling.test +++ b/scripts/ocsp-stapling.test @@ -18,7 +18,7 @@ RESULT=$? [ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1 # setup ocsp responder -./certs/ocsp/ocspd1.sh & +./certs/ocsp/ocspd-intermediate1-ca-issued-certs.sh & sleep 1 [ $(jobs -r | wc -l) -ne 1 ] && echo -e "\n\nSetup ocsp responder failed, skipping" && exit 0 diff --git a/scripts/ocsp-stapling2.test b/scripts/ocsp-stapling2.test index 16bd81823..db48161d8 100755 --- a/scripts/ocsp-stapling2.test +++ b/scripts/ocsp-stapling2.test @@ -7,9 +7,9 @@ trap 'for i in `jobs -p`; do pkill -TERM -P $i; kill $i; done' EXIT [ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1 # setup ocsp responders -./certs/ocsp/ocspd0.sh & -./certs/ocsp/ocspd2.sh & -./certs/ocsp/ocspd3.sh & +./certs/ocsp/ocspd-root-ca-and-intermediate-cas.sh & +./certs/ocsp/ocspd-intermediate2-ca-issued-certs.sh & +./certs/ocsp/ocspd-intermediate3-ca-issued-certs.sh & sleep 1 [ $(jobs -r | wc -l) -ne 3 ] && echo -e "\n\nSetup ocsp responder failed, skipping" && exit 0 diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 03153a0f4..83a2c602c 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -36,10 +36,12 @@ ASN Options: * WOLFSSL_CERT_GEN: Cert generation. Saves extra certificate info in GetName. * WOLFSSL_NO_OCSP_OPTIONAL_CERTS: Skip optional OCSP certs (responder issuer must still be trusted) - * WOLFSSL_NO_TRUSTED_CERTS_VERIFY: Workaround for sitatuon where entire cert + * WOLFSSL_NO_TRUSTED_CERTS_VERIFY: Workaround for situation where entire cert chain is not loaded. This only matches on subject and public key and does not perform a PKI validation, so it is not a secure solution. Only enabled for OCSP. + * WOLFSSL_NO_OCSP_ISSUER_CHECK: Can be defined for backwards compatibility to + disable checking of OCSP subject hash with issuer hash. */ #ifndef NO_ASN @@ -10757,6 +10759,7 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, return ASN_PARSE_E; InitDecodedCert(&cert, resp->cert, resp->certSz, heap); + /* Don't verify if we don't have access to Cert Manager. */ ret = ParseCertRelative(&cert, CERT_TYPE, noVerify ? NO_VERIFY : VERIFY_OCSP, cm); @@ -10766,6 +10769,21 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, return ret; } +#ifndef WOLFSSL_NO_OCSP_ISSUER_CHECK + if ((cert.extExtKeyUsage & EXTKEYUSE_OCSP_SIGN) == 0) { + if (XMEMCMP(cert.subjectHash, + resp->issuerHash, KEYID_SIZE) == 0) { + WOLFSSL_MSG("\tOCSP Response signed by issuer"); + } + else { + WOLFSSL_MSG("\tOCSP Responder key usage check failed"); + + FreeDecodedCert(&cert); + return BAD_OCSP_RESPONDER; + } + } +#endif + /* ConfirmSignature is blocking here */ ret = ConfirmSignature(&cert.sigCtx, resp->response, resp->responseSz, diff --git a/wolfcrypt/src/error.c b/wolfcrypt/src/error.c index b5b578d5a..edd06afc6 100644 --- a/wolfcrypt/src/error.c +++ b/wolfcrypt/src/error.c @@ -425,6 +425,9 @@ const char* wc_GetErrorString(int error) case ASYNC_OP_E: return "Async operation error"; + case BAD_OCSP_RESPONDER: + return "Invalid OCSP Responder, missing specific key usage extensions"; + default: return "unknown error number"; diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index 3afddfdd5..460b3f4e1 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -930,7 +930,7 @@ int error_test() /* Values that are not or no longer error codes. */ int missing[] = { -122, -123, -124, -127, -128, -129, -161, -162, -163, -164, -165, -166, -167, -168, -169, - -178, -179, -233, + -179, -233, 0 }; /* Check that all errors have a string and it's the same through the two diff --git a/wolfssl/wolfcrypt/error-crypt.h b/wolfssl/wolfcrypt/error-crypt.h index df29accc4..99c27d18e 100644 --- a/wolfssl/wolfcrypt/error-crypt.h +++ b/wolfssl/wolfcrypt/error-crypt.h @@ -106,6 +106,7 @@ enum { UNICODE_SIZE_E = -175, /* Unicode password too big */ NO_PASSWORD = -176, /* no password provided by user */ ALT_NAME_E = -177, /* alt name size problem, too big */ + BAD_OCSP_RESPONDER = -178, /* missing key usage extensions */ AES_GCM_AUTH_E = -180, /* AES-GCM Authentication check failure */ AES_CCM_AUTH_E = -181, /* AES-CCM Authentication check failure */