Merge pull request #938 from dgarske/fix_asn_noocspoptcert

Fixes for OCSP workaround for incomplete cert chain
This commit is contained in:
toddouska
2017-05-26 17:02:31 -07:00
committed by GitHub


@ -39,6 +39,7 @@ ASN Options:
* WOLFSSL_NO_TRUSTED_CERTS_VERIFY: Workaround for sitatuon where entire cert
chain is not loaded. This only matches on subject and public key and
does not perform a PKI validation, so it is not a secure solution.
Only enabled for OCSP.
*/
#ifndef NO_ASN
@ -4109,10 +4110,10 @@ static int GetValidity(DecodedCert* cert, int verify)
if (GetSequence(cert->source, &cert->srcIdx, &length, cert->maxIdx) < 0)
return ASN_PARSE_E;
if (GetDate(cert, BEFORE) < 0 && verify)
if (GetDate(cert, BEFORE) < 0 && verify != NO_VERIFY)
badDate = ASN_BEFORE_DATE_E; /* continue parsing */
if (GetDate(cert, AFTER) < 0 && verify)
if (GetDate(cert, AFTER) < 0 && verify != NO_VERIFY)
return ASN_AFTER_DATE_E;
if (badDate != 0)
@ -6066,7 +6067,7 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm)
/* alternate lookup method using subject and match on public key */
#ifdef WOLFSSL_NO_TRUSTED_CERTS_VERIFY
if (cert->ca == NULL) {
if (cert->ca == NULL && verify == VERIFY_OCSP) {
if (cert->extSubjKeyIdSet) {
cert->ca = GetCA(cm, cert->extSubjKeyId);
}
@ -6077,7 +6078,8 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm)
if ((cert->ca->pubKeySize == cert->pubKeySize) &&
(XMEMCMP(cert->ca->publicKey, cert->publicKey,
cert->ca->pubKeySize) == 0)) {
return 0;
ret = 0; /* success */
goto exit_pcr;
}
}
}
@ -6121,7 +6123,7 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm)
if (verify != NO_VERIFY && type != CA_TYPE && type != TRUSTED_PEER_TYPE) {
if (cert->ca) {
if (verify == VERIFY) {
if (verify == VERIFY || verify == VERIFY_OCSP) {
/* try to confirm/verify signature */
if ((ret = ConfirmSignature(&cert->sigCtx,
cert->source + cert->certBegin,
@ -6151,6 +6153,10 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm)
}
}
#ifdef WOLFSSL_NO_TRUSTED_CERTS_VERIFY
exit_pcr:
#endif
if (badDate != 0)
return badDate;
@ -10219,8 +10225,8 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
InitDecodedCert(&cert, resp->cert, resp->certSz, heap);
/* Don't verify if we don't have access to Cert Manager. */
ret = ParseCertRelative(&cert, CERT_TYPE, noVerify ? NO_VERIFY : VERIFY,
cm);
ret = ParseCertRelative(&cert, CERT_TYPE,
noVerify ? NO_VERIFY : VERIFY_OCSP, cm);
if (ret < 0) {
WOLFSSL_MSG("\tOCSP Responder certificate parsing failed");
FreeDecodedCert(&cert);
@ -10264,6 +10270,8 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
WOLFSSL_MSG("\tOCSP Confirm signature failed");
return ASN_OCSP_CONFIRM_E;
}
(void)noVerify;
}
*ioIndex = idx;
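Review bot: The `ret = 0; goto exit_pcr;` in the third hunk jumps past the ConfirmSignature block, so a responder certificate accepted through the WOLFSSL_NO_TRUSTED_CERTS_VERIFY subject/public-key fallback is never signature-checked, and nothing at the jump site says so; a why-comment there would stop a later reader from "fixing" it, e.g. `/* matched on subject/pubkey only: no PKI validation, skips ConfirmSignature below (see WOLFSSL_NO_TRUSTED_CERTS_VERIFY note) */`. Routing through `exit_pcr` instead of the old `return 0` does mean a bad validity date is still reported via `badDate`, which is worth stating in the same comment since it is the substantive hardening of this change. The `exit_pcr` label is only defined under the same ifdef as its single use, which is correct as written. The `(void)noVerify;` added in the last hunk follows a visible use of noVerify in the ParseCertRelative call, so it presumably silences an unused-variable warning in a build where that call is compiled out; confirm that and say so in a short comment, or drop it. ParseCertRelative and DecodeBasicOcspResponse both begin and end outside these hunks.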