Merge pull request #731 from moisesguimaraes/fixes-ocsp-responder

adds OCSP Responder extKeyUsage validation
toddouska
2017-06-22 11:43:51 -07:00
committed by GitHub
21 changed files with 110 additions and 39 deletions


@ -0,0 +1,8 @@
#!/bin/sh
openssl ocsp -port 22221 -nmin 1 \
-index certs/ocsp/index-intermediate1-ca-issued-certs.txt \
-rsigner certs/ocsp/intermediate1-ca-cert.pem \
-rkey certs/ocsp/intermediate1-ca-key.pem \
-CA certs/ocsp/intermediate1-ca-cert.pem \
$@
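Review bot: `$@` on the last line is unquoted, so an extra argument containing whitespace or glob characters is re-split before it reaches `openssl ocsp`; write it as `"$@"`. The same line ends the four other new responder scripts on this page (ports 22221, 22222, 22223 and 22220). A one-line header comment would also help here, saying that this variant signs responses with the intermediate1 CA's own certificate and key (`-rsigner`/`-rkey`) rather than the delegated responder pair, since that is the only difference from the script that follows.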


@ -0,0 +1,8 @@
#!/bin/sh
openssl ocsp -port 22221 -nmin 1 \
-index certs/ocsp/index-intermediate1-ca-issued-certs.txt \
-rsigner certs/ocsp/ocsp-responder-cert.pem \
-rkey certs/ocsp/ocsp-responder-key.pem \
-CA certs/ocsp/intermediate1-ca-cert.pem \
$@


@ -0,0 +1,8 @@
#!/bin/sh
openssl ocsp -port 22222 -nmin 1 \
-index certs/ocsp/index-intermediate2-ca-issued-certs.txt \
-rsigner certs/ocsp/ocsp-responder-cert.pem \
-rkey certs/ocsp/ocsp-responder-key.pem \
-CA certs/ocsp/intermediate2-ca-cert.pem \
$@


@ -0,0 +1,8 @@
#!/bin/sh
openssl ocsp -port 22223 -nmin 1 \
-index certs/ocsp/index-intermediate3-ca-issued-certs.txt \
-rsigner certs/ocsp/ocsp-responder-cert.pem \
-rkey certs/ocsp/ocsp-responder-key.pem \
-CA certs/ocsp/intermediate3-ca-cert.pem \
$@


@ -0,0 +1,8 @@
#!/bin/sh
openssl ocsp -port 22220 -nmin 1 \
-index certs/ocsp/index-ca-and-intermediate-cas.txt \
-rsigner certs/ocsp/ocsp-responder-cert.pem \
-rkey certs/ocsp/ocsp-responder-key.pem \
-CA certs/ocsp/root-ca-cert.pem \
$@


@ -1,8 +0,0 @@
#!/bin/sh
openssl ocsp -port 22220 -nmin 1 \
-index certs/ocsp/index0.txt \
-rsigner certs/ocsp/ocsp-responder-cert.pem \
-rkey certs/ocsp/ocsp-responder-key.pem \
-CA certs/ocsp/root-ca-cert.pem \
$@


@ -1,8 +0,0 @@
#!/bin/sh
openssl ocsp -port 22221 -nmin 1 \
-index certs/ocsp/index1.txt \
-rsigner certs/ocsp/ocsp-responder-cert.pem \
-rkey certs/ocsp/ocsp-responder-key.pem \
-CA certs/ocsp/intermediate1-ca-cert.pem \
$@


@ -1,8 +0,0 @@
#!/bin/sh
openssl ocsp -port 22222 -nmin 1 \
-index certs/ocsp/index2.txt \
-rsigner certs/ocsp/ocsp-responder-cert.pem \
-rkey certs/ocsp/ocsp-responder-key.pem \
-CA certs/ocsp/intermediate2-ca-cert.pem \
$@


@ -1,8 +0,0 @@
#!/bin/sh
openssl ocsp -port 22223 -nmin 1 \
-index certs/ocsp/index3.txt \
-rsigner certs/ocsp/ocsp-responder-cert.pem \
-rkey certs/ocsp/ocsp-responder-key.pem \
-CA certs/ocsp/intermediate3-ca-cert.pem \
$@


@ -26,13 +26,15 @@ endif
if BUILD_OCSP_STAPLING if BUILD_OCSP_STAPLING
dist_noinst_SCRIPTS+= scripts/ocsp-stapling.test dist_noinst_SCRIPTS+= scripts/ocsp-stapling.test
scripts/ocsp-stapling.log: scripts/ocsp.log scripts/ocsp-stapling.log: scripts/ocsp.log
dist_noinst_SCRIPTS+= scripts/ocsp-stapling-with-ca-as-responder.test
scripts/ocsp-stapling-with-ca-as-responder.log: scripts/ocsp-stapling.log
endif endif
if BUILD_OCSP_STAPLING_V2 if BUILD_OCSP_STAPLING_V2
dist_noinst_SCRIPTS+= scripts/ocsp-stapling2.test dist_noinst_SCRIPTS+= scripts/ocsp-stapling2.test
if BUILD_OCSP_STAPLING if BUILD_OCSP_STAPLING
scripts/ocsp-stapling2.log: scripts/ocsp-stapling.log scripts/ocsp-stapling2.log: scripts/ocsp-stapling-with-ca-as-responder.log
else else
scripts/ocsp-stapling2.log: scripts/ocsp.log scripts/ocsp-stapling2.log: scripts/ocsp.log
endif endif


@ -0,0 +1,39 @@
#!/bin/sh
# ocsp-stapling.test
trap 'for i in `jobs -p`; do pkill -TERM -P $i; kill $i; done' EXIT
server=login.live.com
ca=certs/external/ca-verisign-g5.pem
[ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1
# is our desired server there? - login.live.com doesn't answers PING
#./scripts/ping.test $server 2
# client test against the server
./examples/client/client -X -C -h $server -p 443 -A $ca -g -W 1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1
# setup ocsp responder
./certs/ocsp/ocspd-intermediate1-ca-issued-certs-with-ca-as-responder.sh &
sleep 1
[ $(jobs -r | wc -l) -ne 1 ] && echo -e "\n\nSetup ocsp responder failed, skipping" && exit 0
# client test against our own server - GOOD CERT
./examples/server/server -c certs/ocsp/server1-cert.pem -k certs/ocsp/server1-key.pem &
sleep 1
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1
# client test against our own server - REVOKED CERT
./examples/server/server -c certs/ocsp/server2-cert.pem -k certs/ocsp/server2-key.pem &
sleep 1
./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1
RESULT=$?
[ $RESULT -ne 1 ] && echo -e "\n\nClient connection suceeded $RESULT" && exit 1
exit 0
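Review bot: Both cases in this script run against a responder that should be accepted (the CA signing its own responses), and none of the scripts shown on this page starts a responder whose signer lacks the OCSP-signing extended key usage and is not the issuer, so the new `BAD_OCSP_RESPONDER` rejection is never asserted. A third case that starts such a responder, e.g. `./certs/ocsp/<responder-without-ocsp-signing-eku>.sh &` (placeholder; no such script is on this page), and expects the client connection to fail would cover it. The `Setup ocsp responder failed, skipping` line exits 0, so a responder that does not start makes the whole test pass without checking anything. The leading comment still reads `# ocsp-stapling.test`, which looks copied from the sibling test and should name this variant.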


@ -18,7 +18,7 @@ RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1 [ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1
# setup ocsp responder # setup ocsp responder
./certs/ocsp/ocspd1.sh & ./certs/ocsp/ocspd-intermediate1-ca-issued-certs.sh &
sleep 1 sleep 1
[ $(jobs -r | wc -l) -ne 1 ] && echo -e "\n\nSetup ocsp responder failed, skipping" && exit 0 [ $(jobs -r | wc -l) -ne 1 ] && echo -e "\n\nSetup ocsp responder failed, skipping" && exit 0


@ -7,9 +7,9 @@ trap 'for i in `jobs -p`; do pkill -TERM -P $i; kill $i; done' EXIT
[ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1 [ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1
# setup ocsp responders # setup ocsp responders
./certs/ocsp/ocspd0.sh & ./certs/ocsp/ocspd-root-ca-and-intermediate-cas.sh &
./certs/ocsp/ocspd2.sh & ./certs/ocsp/ocspd-intermediate2-ca-issued-certs.sh &
./certs/ocsp/ocspd3.sh & ./certs/ocsp/ocspd-intermediate3-ca-issued-certs.sh &
sleep 1 sleep 1
[ $(jobs -r | wc -l) -ne 3 ] && echo -e "\n\nSetup ocsp responder failed, skipping" && exit 0 [ $(jobs -r | wc -l) -ne 3 ] && echo -e "\n\nSetup ocsp responder failed, skipping" && exit 0


@ -36,10 +36,12 @@ ASN Options:
* WOLFSSL_CERT_GEN: Cert generation. Saves extra certificate info in GetName. * WOLFSSL_CERT_GEN: Cert generation. Saves extra certificate info in GetName.
* WOLFSSL_NO_OCSP_OPTIONAL_CERTS: Skip optional OCSP certs (responder issuer * WOLFSSL_NO_OCSP_OPTIONAL_CERTS: Skip optional OCSP certs (responder issuer
must still be trusted) must still be trusted)
* WOLFSSL_NO_TRUSTED_CERTS_VERIFY: Workaround for sitatuon where entire cert * WOLFSSL_NO_TRUSTED_CERTS_VERIFY: Workaround for situation where entire cert
chain is not loaded. This only matches on subject and public key and chain is not loaded. This only matches on subject and public key and
does not perform a PKI validation, so it is not a secure solution. does not perform a PKI validation, so it is not a secure solution.
Only enabled for OCSP. Only enabled for OCSP.
* WOLFSSL_NO_OCSP_ISSUER_CHECK: Can be defined for backwards compatibility to
disable checking of OCSP subject hash with issuer hash.
*/ */
#ifndef NO_ASN #ifndef NO_ASN
@ -10757,6 +10759,7 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
return ASN_PARSE_E; return ASN_PARSE_E;
InitDecodedCert(&cert, resp->cert, resp->certSz, heap); InitDecodedCert(&cert, resp->cert, resp->certSz, heap);
/* Don't verify if we don't have access to Cert Manager. */ /* Don't verify if we don't have access to Cert Manager. */
ret = ParseCertRelative(&cert, CERT_TYPE, ret = ParseCertRelative(&cert, CERT_TYPE,
noVerify ? NO_VERIFY : VERIFY_OCSP, cm); noVerify ? NO_VERIFY : VERIFY_OCSP, cm);
@ -10766,6 +10769,21 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
return ret; return ret;
} }
#ifndef WOLFSSL_NO_OCSP_ISSUER_CHECK
if ((cert.extExtKeyUsage & EXTKEYUSE_OCSP_SIGN) == 0) {
if (XMEMCMP(cert.subjectHash,
resp->issuerHash, KEYID_SIZE) == 0) {
WOLFSSL_MSG("\tOCSP Response signed by issuer");
}
else {
WOLFSSL_MSG("\tOCSP Responder key usage check failed");
FreeDecodedCert(&cert);
return BAD_OCSP_RESPONDER;
}
}
#endif
/* ConfirmSignature is blocking here */ /* ConfirmSignature is blocking here */
ret = ConfirmSignature(&cert.sigCtx, ret = ConfirmSignature(&cert.sigCtx,
resp->response, resp->responseSz, resp->response, resp->responseSz,


@ -425,6 +425,9 @@ const char* wc_GetErrorString(int error)
case ASYNC_OP_E: case ASYNC_OP_E:
return "Async operation error"; return "Async operation error";
case BAD_OCSP_RESPONDER:
return "Invalid OCSP Responder, missing specific key usage extensions";
default: default:
return "unknown error number"; return "unknown error number";


@ -930,7 +930,7 @@ int error_test()
/* Values that are not or no longer error codes. */ /* Values that are not or no longer error codes. */
int missing[] = { -122, -123, -124, -127, -128, -129, int missing[] = { -122, -123, -124, -127, -128, -129,
-161, -162, -163, -164, -165, -166, -167, -168, -169, -161, -162, -163, -164, -165, -166, -167, -168, -169,
-178, -179, -233, -179, -233,
0 }; 0 };
/* Check that all errors have a string and it's the same through the two /* Check that all errors have a string and it's the same through the two


@ -106,6 +106,7 @@ enum {
UNICODE_SIZE_E = -175, /* Unicode password too big */ UNICODE_SIZE_E = -175, /* Unicode password too big */
NO_PASSWORD = -176, /* no password provided by user */ NO_PASSWORD = -176, /* no password provided by user */
ALT_NAME_E = -177, /* alt name size problem, too big */ ALT_NAME_E = -177, /* alt name size problem, too big */
BAD_OCSP_RESPONDER = -178, /* missing key usage extensions */
AES_GCM_AUTH_E = -180, /* AES-GCM Authentication check failure */ AES_GCM_AUTH_E = -180, /* AES-GCM Authentication check failure */
AES_CCM_AUTH_E = -181, /* AES-CCM Authentication check failure */ AES_CCM_AUTH_E = -181, /* AES-CCM Authentication check failure */