Merge pull request #731 from moisesguimaraes/fixes-ocsp-responder
adds OCSP Responder extKeyUsage validation
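--- /dev/null
+++ b/certs/ocsp/ocspd-intermediate1-ca-issued-certs-with-ca-as-responder.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+openssl ocsp -port 22221 -nmin 1 \
+-index certs/ocsp/index-intermediate1-ca-issued-certs.txt \
+-rsigner certs/ocsp/intermediate1-ca-cert.pem \
+-rkey certs/ocsp/intermediate1-ca-key.pem \
+-CA certs/ocsp/intermediate1-ca-cert.pem \
+$@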
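Review bot: The last line forwards the script's arguments as an unquoted `$@`, so any argument containing whitespace is re-split before it reaches openssl; it should be `"$@"`. The same unquoted line closes the other four new ocspd-*.sh scripts in this commit. A one-line header comment would also help a reader tell this responder apart from its siblings, e.g. `# OCSP responder for intermediate1-issued certs; the CA itself signs (no delegated responder cert)`, since the only visible difference is the -rsigner/-rkey pair.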
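--- /dev/null
+++ b/certs/ocsp/ocspd-intermediate1-ca-issued-certs.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+openssl ocsp -port 22221 -nmin 1 \
+-index certs/ocsp/index-intermediate1-ca-issued-certs.txt \
+-rsigner certs/ocsp/ocsp-responder-cert.pem \
+-rkey certs/ocsp/ocsp-responder-key.pem \
+-CA certs/ocsp/intermediate1-ca-cert.pem \
+$@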
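--- /dev/null
+++ b/certs/ocsp/ocspd-intermediate2-ca-issued-certs.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+openssl ocsp -port 22222 -nmin 1 \
+-index certs/ocsp/index-intermediate2-ca-issued-certs.txt \
+-rsigner certs/ocsp/ocsp-responder-cert.pem \
+-rkey certs/ocsp/ocsp-responder-key.pem \
+-CA certs/ocsp/intermediate2-ca-cert.pem \
+$@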
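--- /dev/null
+++ b/certs/ocsp/ocspd-intermediate3-ca-issued-certs.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+openssl ocsp -port 22223 -nmin 1 \
+-index certs/ocsp/index-intermediate3-ca-issued-certs.txt \
+-rsigner certs/ocsp/ocsp-responder-cert.pem \
+-rkey certs/ocsp/ocsp-responder-key.pem \
+-CA certs/ocsp/intermediate3-ca-cert.pem \
+$@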
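--- /dev/null
+++ b/certs/ocsp/ocspd-root-ca-and-intermediate-cas.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+openssl ocsp -port 22220 -nmin 1 \
+-index certs/ocsp/index-ca-and-intermediate-cas.txt \
+-rsigner certs/ocsp/ocsp-responder-cert.pem \
+-rkey certs/ocsp/ocsp-responder-key.pem \
+-CA certs/ocsp/root-ca-cert.pem \
+$@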
@ -1,8 +0,0 @@
#!/bin/sh
openssl ocsp -port 22220 -nmin 1 \
-index certs/ocsp/index0.txt \
-rsigner certs/ocsp/ocsp-responder-cert.pem \
-rkey certs/ocsp/ocsp-responder-key.pem \
-CA certs/ocsp/root-ca-cert.pem \
$@
@ -1,8 +0,0 @@
#!/bin/sh
openssl ocsp -port 22221 -nmin 1 \
-index certs/ocsp/index1.txt \
-rsigner certs/ocsp/ocsp-responder-cert.pem \
-rkey certs/ocsp/ocsp-responder-key.pem \
-CA certs/ocsp/intermediate1-ca-cert.pem \
$@
@ -1,8 +0,0 @@
#!/bin/sh
openssl ocsp -port 22222 -nmin 1 \
-index certs/ocsp/index2.txt \
-rsigner certs/ocsp/ocsp-responder-cert.pem \
-rkey certs/ocsp/ocsp-responder-key.pem \
-CA certs/ocsp/intermediate2-ca-cert.pem \
$@
@ -1,8 +0,0 @@
#!/bin/sh
openssl ocsp -port 22223 -nmin 1 \
-index certs/ocsp/index3.txt \
-rsigner certs/ocsp/ocsp-responder-cert.pem \
-rkey certs/ocsp/ocsp-responder-key.pem \
-CA certs/ocsp/intermediate3-ca-cert.pem \
$@
@ -26,13 +26,15 @@ endif
if BUILD_OCSP_STAPLING
if BUILD_OCSP_STAPLING
dist_noinst_SCRIPTS+= scripts/ocsp-stapling.test
dist_noinst_SCRIPTS+= scripts/ocsp-stapling.test
scripts/ocsp-stapling.log: scripts/ocsp.log
scripts/ocsp-stapling.log: scripts/ocsp.log
dist_noinst_SCRIPTS+= scripts/ocsp-stapling-with-ca-as-responder.test
scripts/ocsp-stapling-with-ca-as-responder.log: scripts/ocsp-stapling.log
endif
endif
if BUILD_OCSP_STAPLING_V2
if BUILD_OCSP_STAPLING_V2
dist_noinst_SCRIPTS+= scripts/ocsp-stapling2.test
dist_noinst_SCRIPTS+= scripts/ocsp-stapling2.test
if BUILD_OCSP_STAPLING
if BUILD_OCSP_STAPLING
scripts/ocsp-stapling2.log: scripts/ocsp-stapling.log
scripts/ocsp-stapling2.log: scripts/ocsp-stapling-with-ca-as-responder.log
else
else
scripts/ocsp-stapling2.log: scripts/ocsp.log
scripts/ocsp-stapling2.log: scripts/ocsp.log
endif
endif
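--- /dev/null
+++ b/scripts/ocsp-stapling-with-ca-as-responder.test
@@ -0,0 +1,39 @@
+#!/bin/sh
+
+# ocsp-stapling.test
+
+trap 'for i in `jobs -p`; do pkill -TERM -P $i; kill $i; done' EXIT
+
+server=login.live.com
+ca=certs/external/ca-verisign-g5.pem
+
+[ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1
+
+# is our desired server there? - login.live.com doesn't answers PING
+#./scripts/ping.test $server 2
+
+# client test against the server
+./examples/client/client -X -C -h $server -p 443 -A $ca -g -W 1
+RESULT=$?
+[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1
+
+# setup ocsp responder
+./certs/ocsp/ocspd-intermediate1-ca-issued-certs-with-ca-as-responder.sh &
+sleep 1
+[ $(jobs -r | wc -l) -ne 1 ] && echo -e "\n\nSetup ocsp responder failed, skipping" && exit 0
+
+# client test against our own server - GOOD CERT
+./examples/server/server -c certs/ocsp/server1-cert.pem -k certs/ocsp/server1-key.pem &
+sleep 1
+./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1
+RESULT=$?
+[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1
+
+# client test against our own server - REVOKED CERT
+./examples/server/server -c certs/ocsp/server2-cert.pem -k certs/ocsp/server2-key.pem &
+sleep 1
+./examples/client/client -C -A certs/ocsp/root-ca-cert.pem -W 1
+RESULT=$?
+[ $RESULT -ne 1 ] && echo -e "\n\nClient connection suceeded $RESULT" && exit 1
+
+exit 0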
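Review bot: The header comment on line 3 of the new file reads `# ocsp-stapling.test`, copied from the sibling script, and should name this file, e.g. `# ocsp-stapling-with-ca-as-responder.test - stapling with the issuing CA signing OCSP responses directly`. The script runs under `#!/bin/sh` but uses `echo -e` for every failure message; dash and other POSIX shells do not accept `-e` and print it literally, so `printf '\n\n%s\n' "Client connection failed"` would be the portable form. The responder and both example servers are assumed ready after a fixed `sleep 1`, which may be flaky on a loaded host; this matches the existing ocsp-stapling tests rather than being new here.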
@ -18,7 +18,7 @@ RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1
[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1
# setup ocsp responder
# setup ocsp responder
./certs/ocsp/ocspd1.sh &
./certs/ocsp/ocspd-intermediate1-ca-issued-certs.sh &
sleep 1
sleep 1
[ $(jobs -r | wc -l) -ne 1 ] && echo -e "\n\nSetup ocsp responder failed, skipping" && exit 0
[ $(jobs -r | wc -l) -ne 1 ] && echo -e "\n\nSetup ocsp responder failed, skipping" && exit 0
@ -7,9 +7,9 @@ trap 'for i in `jobs -p`; do pkill -TERM -P $i; kill $i; done' EXIT
[ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1
[ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1
# setup ocsp responders
# setup ocsp responders
./certs/ocsp/ocspd0.sh &
./certs/ocsp/ocspd-root-ca-and-intermediate-cas.sh &
./certs/ocsp/ocspd2.sh &
./certs/ocsp/ocspd-intermediate2-ca-issued-certs.sh &
./certs/ocsp/ocspd3.sh &
./certs/ocsp/ocspd-intermediate3-ca-issued-certs.sh &
sleep 1
sleep 1
[ $(jobs -r | wc -l) -ne 3 ] && echo -e "\n\nSetup ocsp responder failed, skipping" && exit 0
[ $(jobs -r | wc -l) -ne 3 ] && echo -e "\n\nSetup ocsp responder failed, skipping" && exit 0
@ -36,10 +36,12 @@ ASN Options:
* WOLFSSL_CERT_GEN: Cert generation. Saves extra certificate info in GetName.
* WOLFSSL_CERT_GEN: Cert generation. Saves extra certificate info in GetName.
* WOLFSSL_NO_OCSP_OPTIONAL_CERTS: Skip optional OCSP certs (responder issuer
* WOLFSSL_NO_OCSP_OPTIONAL_CERTS: Skip optional OCSP certs (responder issuer
must still be trusted)
must still be trusted)
* WOLFSSL_NO_TRUSTED_CERTS_VERIFY: Workaround for sitatuon where entire cert
* WOLFSSL_NO_TRUSTED_CERTS_VERIFY: Workaround for situation where entire cert
chain is not loaded. This only matches on subject and public key and
chain is not loaded. This only matches on subject and public key and
does not perform a PKI validation, so it is not a secure solution.
does not perform a PKI validation, so it is not a secure solution.
Only enabled for OCSP.
Only enabled for OCSP.
* WOLFSSL_NO_OCSP_ISSUER_CHECK: Can be defined for backwards compatibility to
disable checking of OCSP subject hash with issuer hash.
*/
*/
#ifndef NO_ASN
#ifndef NO_ASN
@ -10757,6 +10759,7 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
return ASN_PARSE_E;
return ASN_PARSE_E;
InitDecodedCert(&cert, resp->cert, resp->certSz, heap);
InitDecodedCert(&cert, resp->cert, resp->certSz, heap);
/* Don't verify if we don't have access to Cert Manager. */
/* Don't verify if we don't have access to Cert Manager. */
ret = ParseCertRelative(&cert, CERT_TYPE,
ret = ParseCertRelative(&cert, CERT_TYPE,
noVerify ? NO_VERIFY : VERIFY_OCSP, cm);
noVerify ? NO_VERIFY : VERIFY_OCSP, cm);
@ -10766,6 +10769,21 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
return ret;
return ret;
}
}
#ifndef WOLFSSL_NO_OCSP_ISSUER_CHECK
if ((cert.extExtKeyUsage & EXTKEYUSE_OCSP_SIGN) == 0) {
if (XMEMCMP(cert.subjectHash,
resp->issuerHash, KEYID_SIZE) == 0) {
WOLFSSL_MSG("\tOCSP Response signed by issuer");
}
else {
WOLFSSL_MSG("\tOCSP Responder key usage check failed");
FreeDecodedCert(&cert);
return BAD_OCSP_RESPONDER;
}
}
#endif
/* ConfirmSignature is blocking here */
/* ConfirmSignature is blocking here */
ret = ConfirmSignature(&cert.sigCtx,
ret = ConfirmSignature(&cert.sigCtx,
resp->response, resp->responseSz,
resp->response, resp->responseSz,
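Review bot: The id-kp-OCSPSigning branch of the new check does not tie the responder certificate to the CA named in the request: once `EXTKEYUSE_OCSP_SIGN` is set no issuer comparison is made, so any trusted certificate carrying that EKU can sign a response about a certificate issued by a different CA, whereas RFC 6960 §4.2.2.2 requires a delegated responder to be issued directly by the CA identified in the request. After the closing brace of the `if ((cert.extExtKeyUsage & EXTKEYUSE_OCSP_SIGN) == 0)` block, also reject a delegated signer whose issuer differs from the request's issuer, e.g. `else if (XMEMCMP(cert.issuerHash, resp->issuerHash, KEYID_SIZE) != 0) { FreeDecodedCert(&cert); return BAD_OCSP_RESPONDER; }` (this relies on DecodedCert's issuerHash being filled in by the preceding ParseCertRelative call, which the hunk does not show — confirm). The comment added in the first asn.c hunk says `WOLFSSL_NO_OCSP_ISSUER_CHECK` only disables the subject/issuer hash comparison, but the macro guards the whole block including the EKU test; suggest `* WOLFSSL_NO_OCSP_ISSUER_CHECK: Can be defined for backwards compatibility to disable the OCSP responder authorization check (id-kp-OCSPSigning EKU or signer name matching the issuer).` DecodeBasicOcspResponse starts and ends outside the hunk.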
@ -425,6 +425,9 @@ const char* wc_GetErrorString(int error)
case ASYNC_OP_E:
case ASYNC_OP_E:
return "Async operation error";
return "Async operation error";
case BAD_OCSP_RESPONDER:
return "Invalid OCSP Responder, missing specific key usage extensions";
default:
default:
return "unknown error number";
return "unknown error number";
@ -930,7 +930,7 @@ int error_test()
/* Values that are not or no longer error codes. */
/* Values that are not or no longer error codes. */
int missing[] = { -122, -123, -124, -127, -128, -129,
int missing[] = { -122, -123, -124, -127, -128, -129,
-161, -162, -163, -164, -165, -166, -167, -168, -169,
-161, -162, -163, -164, -165, -166, -167, -168, -169,
-178, -179, -233,
-179, -233,
0 };
0 };
/* Check that all errors have a string and it's the same through the two
/* Check that all errors have a string and it's the same through the two
@ -106,6 +106,7 @@ enum {
UNICODE_SIZE_E = -175, /* Unicode password too big */
UNICODE_SIZE_E = -175, /* Unicode password too big */
NO_PASSWORD = -176, /* no password provided by user */
NO_PASSWORD = -176, /* no password provided by user */
ALT_NAME_E = -177, /* alt name size problem, too big */
ALT_NAME_E = -177, /* alt name size problem, too big */
BAD_OCSP_RESPONDER = -178, /* missing key usage extensions */
AES_GCM_AUTH_E = -180, /* AES-GCM Authentication check failure */
AES_GCM_AUTH_E = -180, /* AES-GCM Authentication check failure */
AES_CCM_AUTH_E = -181, /* AES-CCM Authentication check failure */
AES_CCM_AUTH_E = -181, /* AES-CCM Authentication check failure */