Merge pull request #3361 from tmael/ocsp-nocheck

Add support for id-pkix-ocsp-nocheck
2020-10-13 15:46:02 -07:00
parent 048a3a8d5b a4bfa0dec7
commit b68828d3c9
3 changed files with 36 additions and 10 deletions
--- a/examples/client/client.c
+++ b/examples/client/client.c
@ -1099,6 +1099,9 @@ static const char* client_usage_msg[][66] = {
 #endif
 #ifdef HAVE_CURVE448
        "-8          Use X448 for key exchange\n",                      /* 65 */
+#endif
+#ifdef HAVE_CRL
+        "-C          Disable CRL\n",
 #endif
        NULL,
    },
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@ -1618,6 +1618,7 @@ static const byte wrapPwriKekOid[] = {42, 134, 72, 134, 247, 13, 1, 9, 16, 3,9};
 #ifdef HAVE_OCSP
    static const byte ocspBasicOid[]    = {43, 6, 1, 5, 5, 7, 48, 1, 1};
    static const byte ocspNonceOid[]    = {43, 6, 1, 5, 5, 7, 48, 1, 2};
+    static const byte ocspNoCheckOid[]  = {43, 6, 1, 5, 5, 7, 48, 1, 5};
 #endif /* HAVE_OCSP */

 /* certExtType */
@ -1655,7 +1656,6 @@ static const byte extExtKeyUsageCodeSigningOid[]  = {43, 6, 1, 5, 5, 7, 3, 3};
 static const byte extExtKeyUsageEmailProtectOid[] = {43, 6, 1, 5, 5, 7, 3, 4};
 static const byte extExtKeyUsageTimestampOid[]    = {43, 6, 1, 5, 5, 7, 3, 8};
 static const byte extExtKeyUsageOcspSignOid[]     = {43, 6, 1, 5, 5, 7, 3, 9};
-
 /* kdfType */
 static const byte pbkdf2Oid[] = {42, 134, 72, 134, 247, 13, 1, 5, 12};

@ -2037,6 +2037,12 @@ const byte* OidFromId(word32 id, word32 type, word32* oidSz)
                    *oidSz = sizeof(extNameConsOid);
                    break;
            #endif
+            #ifdef HAVE_OCSP
+                case OCSP_NOCHECK_OID:
+                    oid = ocspNoCheckOid;
+                    *oidSz = sizeof(ocspNoCheckOid);
+                    break;
+            #endif
            }
            break;

@ -8875,7 +8881,14 @@ static int DecodeCertExtensions(DecodedCert* cert)
                }
                break;
        #endif
-
+        #ifdef HAVE_OCSP
+            case OCSP_NOCHECK_OID:
+                VERIFY_AND_SET_OID(cert->ocspNoCheckSet);
+                ret = GetASNNull(input, &idx, sz);
+                if (ret != 0)
+                    return ASN_PARSE_E;
+                break;
+        #endif
            default:
            #ifndef WOLFSSL_NO_ASN_STRICT
                /* While it is a failure to not support critical extensions,
@ -9347,6 +9360,11 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm)
                    return ret;
            }

+        #ifdef HAVE_OCSP
+            /* trust for the lifetime of the responder's cert*/
+            if (cert->ocspNoCheckSet && verify == VERIFY_OCSP)
+                verify = NO_VERIFY;
+        #endif
            /* advance past extensions */
            cert->srcIdx = cert->sigIndex;
        }
--- a/wolfssl/wolfcrypt/asn.h
+++ b/wolfssl/wolfcrypt/asn.h
@ -538,7 +538,9 @@ enum Extensions_Sum {
    POLICY_CONST_OID          = 150,
    ISSUE_ALT_NAMES_OID       = 132,
    TLS_FEATURE_OID           = 92,  /* id-pe 24 */
-    NETSCAPE_CT_OID           = 753  /* 2.16.840.1.113730.1.1 */
+    NETSCAPE_CT_OID           = 753, /* 2.16.840.1.113730.1.1 */
+    OCSP_NOCHECK_OID          = 121  /* 1.3.6.1.5.5.7.48.1.5
+                                         id-pkix-ocsp-nocheck */
 };

 enum CertificatePolicy_Sum {
@ -909,6 +911,9 @@ struct DecodedCert {
    byte weOwnAltNames : 1;        /* altNames haven't been given to copy */
    byte extKeyUsageSet : 1;
    byte extExtKeyUsageSet : 1;    /* Extended Key Usage set */
+#ifdef HAVE_OCSP
+    byte ocspNoCheckSet : 1;       /* id-pkix-ocsp-nocheck set */
+#endif
    byte extCRLdistSet : 1;
    byte extAuthInfoSet : 1;
    byte extBasicConstSet : 1;