mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2026-07-05 11:10:51 +02:00
Merge pull request #10303 from julek-wolfssl/zd/21675
ocsp: bind responder authorization to CertID issuerKeyHash
This commit is contained in:
Binary file not shown.
@@ -0,0 +1,92 @@
|
||||
Certificate:
|
||||
Data:
|
||||
Version: 3 (0x2)
|
||||
Serial Number: 199 (0xc7)
|
||||
Signature Algorithm: sha256WithRSAEncryption
|
||||
Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Engineering, CN = wolfSSL root CA, emailAddress = info@wolfssl.com
|
||||
Validity
|
||||
Not Before: Apr 27 16:12:19 2026 GMT
|
||||
Not After : Jan 21 16:12:19 2029 GMT
|
||||
Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Engineering, CN = wolfSSL root CA, emailAddress = info@wolfssl.com
|
||||
Subject Public Key Info:
|
||||
Public Key Algorithm: rsaEncryption
|
||||
Public-Key: (2048 bit)
|
||||
Modulus:
|
||||
00:f3:c7:6e:93:4e:94:7d:9a:76:cb:3e:82:21:30:
|
||||
a0:a5:4a:a2:6c:80:bf:e6:a0:7d:6c:cc:aa:e6:94:
|
||||
f3:42:41:7f:1a:ba:5f:89:d2:84:67:81:4d:37:0b:
|
||||
26:ed:f8:f1:be:84:f5:33:9f:be:98:d1:88:86:c1:
|
||||
93:d3:8e:40:56:36:28:4f:14:c2:f7:a7:3b:ca:1d:
|
||||
ae:59:6b:5f:79:54:b6:2e:6e:4d:7f:4c:71:0d:fb:
|
||||
3a:6e:95:8f:96:44:3c:f2:91:01:cb:68:17:07:33:
|
||||
97:cb:32:55:47:03:64:0c:4b:16:2e:20:f8:65:c7:
|
||||
6a:52:e4:fd:a9:2d:de:39:0c:5f:1a:14:10:9d:c3:
|
||||
2d:15:c4:88:2e:19:58:e1:fd:69:12:81:d2:af:f6:
|
||||
62:44:b0:89:82:b5:f5:17:23:2b:73:8e:e3:55:14:
|
||||
43:a5:4a:7e:cb:96:62:8f:96:bf:5f:c3:82:dc:86:
|
||||
86:85:89:f8:8e:68:b2:ef:e5:2e:8c:b9:8d:56:13:
|
||||
19:65:e9:79:c5:29:dc:89:0b:dd:23:35:fe:d5:48:
|
||||
b6:2d:ad:ee:ee:6c:b8:3e:eb:79:1c:41:d1:b8:e5:
|
||||
0e:2f:2d:cf:d7:65:fa:71:6f:60:9b:90:30:43:da:
|
||||
c3:e2:1b:8f:da:ab:37:c5:38:88:6b:85:15:5b:24:
|
||||
72:bf
|
||||
Exponent: 65537 (0x10001)
|
||||
X509v3 extensions:
|
||||
X509v3 Basic Constraints:
|
||||
CA:TRUE
|
||||
X509v3 Subject Key Identifier:
|
||||
73:64:66:3E:9A:DE:12:EC:44:C2:5B:05:64:62:1D:63:23:43:55:E5
|
||||
X509v3 Authority Key Identifier:
|
||||
keyid:73:64:66:3E:9A:DE:12:EC:44:C2:5B:05:64:62:1D:63:23:43:55:E5
|
||||
DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com
|
||||
serial:C7
|
||||
X509v3 Key Usage:
|
||||
Certificate Sign, CRL Sign
|
||||
Authority Information Access:
|
||||
OCSP - URI:http://127.0.0.1:22220
|
||||
Signature Algorithm: sha256WithRSAEncryption
|
||||
Signature Value:
|
||||
35:b1:f0:64:89:fe:7e:b3:5f:80:15:57:a0:8f:cd:fc:a0:2d:
|
||||
36:29:39:a3:ee:d6:c0:f3:c2:e6:31:2e:ce:9b:d4:a1:3e:dc:
|
||||
c7:0d:2a:ae:72:c6:fa:ee:77:d7:4b:98:c0:32:7e:d2:54:3f:
|
||||
41:34:09:22:f3:34:db:ff:4e:35:79:15:50:fa:e2:bd:37:1c:
|
||||
0e:dc:4e:b1:5a:5d:fd:be:bf:d1:75:02:9a:a8:61:da:d4:f1:
|
||||
35:b3:7e:9d:10:29:a8:cd:50:7c:3c:89:5e:a1:b2:51:e6:d8:
|
||||
4d:dd:cc:3d:b9:8e:5b:20:51:33:e0:03:57:e0:f7:5b:be:85:
|
||||
64:a7:8c:6d:40:56:cd:78:4f:6d:dc:04:f2:4a:f3:a1:29:3b:
|
||||
64:e5:db:a0:98:80:c8:6b:12:25:4c:18:40:2a:ce:b6:94:fe:
|
||||
58:bb:35:91:22:36:d7:29:70:53:2e:8b:be:e3:b7:08:d3:a8:
|
||||
66:19:ff:69:f0:c8:8f:b6:ea:21:bc:41:08:92:42:89:fd:d9:
|
||||
3a:9c:42:4b:c4:2e:81:4f:63:54:95:88:d9:56:66:08:dc:73:
|
||||
56:6a:97:5e:09:e5:fa:d2:52:3b:7f:bd:3b:1b:bb:f1:74:51:
|
||||
71:30:f3:ce:1c:21:75:89:97:7f:e4:38:f7:3e:66:c3:20:f3:
|
||||
c0:f3:38:c9
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIE6DCCA9CgAwIBAgICAMcwDQYJKoZIhvcNAQELBQAwgZcxCzAJBgNVBAYTAlVT
|
||||
MRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYDVQQK
|
||||
DAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEYMBYGA1UEAwwPd29sZlNT
|
||||
TCByb290IENBMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTI2
|
||||
MDQyNzE2MTIxOVoXDTI5MDEyMTE2MTIxOVowgZcxCzAJBgNVBAYTAlVTMRMwEQYD
|
||||
VQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYDVQQKDAd3b2xm
|
||||
U1NMMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEYMBYGA1UEAwwPd29sZlNTTCByb290
|
||||
IENBMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMIIBIjANBgkqhkiG
|
||||
9w0BAQEFAAOCAQ8AMIIBCgKCAQEA88duk06UfZp2yz6CITCgpUqibIC/5qB9bMyq
|
||||
5pTzQkF/GrpfidKEZ4FNNwsm7fjxvoT1M5++mNGIhsGT045AVjYoTxTC96c7yh2u
|
||||
WWtfeVS2Lm5Nf0xxDfs6bpWPlkQ88pEBy2gXBzOXyzJVRwNkDEsWLiD4ZcdqUuT9
|
||||
qS3eOQxfGhQQncMtFcSILhlY4f1pEoHSr/ZiRLCJgrX1FyMrc47jVRRDpUp+y5Zi
|
||||
j5a/X8OC3IaGhYn4jmiy7+UujLmNVhMZZel5xSnciQvdIzX+1Ui2La3u7my4Put5
|
||||
HEHRuOUOLy3P12X6cW9gm5AwQ9rD4huP2qs3xTiIa4UVWyRyvwIDAQABo4IBOjCC
|
||||
ATYwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUc2RmPpreEuxEwlsFZGIdYyNDVeUw
|
||||
gcUGA1UdIwSBvTCBuoAUc2RmPpreEuxEwlsFZGIdYyNDVeWhgZ2kgZowgZcxCzAJ
|
||||
BgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxl
|
||||
MRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEYMBYGA1UE
|
||||
AwwPd29sZlNTTCByb290IENBMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu
|
||||
Y29tggIAxzALBgNVHQ8EBAMCAQYwMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzAB
|
||||
hhZodHRwOi8vMTI3LjAuMC4xOjIyMjIwMA0GCSqGSIb3DQEBCwUAA4IBAQA1sfBk
|
||||
if5+s1+AFVegj838oC02KTmj7tbA88LmMS7Om9ShPtzHDSqucsb67nfXS5jAMn7S
|
||||
VD9BNAki8zTb/041eRVQ+uK9NxwO3E6xWl39vr/RdQKaqGHa1PE1s36dECmozVB8
|
||||
PIleobJR5thN3cw9uY5bIFEz4ANX4PdbvoVkp4xtQFbNeE9t3ATySvOhKTtk5dug
|
||||
mIDIaxIlTBhAKs62lP5YuzWRIjbXKXBTLou+47cI06hmGf9p8MiPtuohvEEIkkKJ
|
||||
/dk6nEJLxC6BT2NUlYjZVmYI3HNWapdeCeX60lI7f707G7vxdFFxMPPOHCF1iZd/
|
||||
5Dj3PmbDIPPA8zjJ
|
||||
-----END CERTIFICATE-----
|
||||
Binary file not shown.
@@ -0,0 +1,28 @@
|
||||
-----BEGIN PRIVATE KEY-----
|
||||
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDzx26TTpR9mnbL
|
||||
PoIhMKClSqJsgL/moH1szKrmlPNCQX8aul+J0oRngU03Cybt+PG+hPUzn76Y0YiG
|
||||
wZPTjkBWNihPFML3pzvKHa5Za195VLYubk1/THEN+zpulY+WRDzykQHLaBcHM5fL
|
||||
MlVHA2QMSxYuIPhlx2pS5P2pLd45DF8aFBCdwy0VxIguGVjh/WkSgdKv9mJEsImC
|
||||
tfUXIytzjuNVFEOlSn7LlmKPlr9fw4LchoaFifiOaLLv5S6MuY1WExll6XnFKdyJ
|
||||
C90jNf7VSLYtre7ubLg+63kcQdG45Q4vLc/XZfpxb2CbkDBD2sPiG4/aqzfFOIhr
|
||||
hRVbJHK/AgMBAAECggEAI3Y/7hrQvALDxCYYLPbTb6gPP6RtBgITrMeLFtbVGi7H
|
||||
7B3vdu+SRjJHhrnPFHARzoqt1rAmvDlC2IOBWxWG42OmcnaNNBR2PJ0btzNI5K//
|
||||
fnqaOGnoykVhByQnio7rpMeWUL4YF3qYWr08LYPfQnCLzfMK31dmbp+UDM+402hi
|
||||
HSGW/EZBbVrLLjVNUta1F7FKQYx2Eq3P+Xaga58thJAoILsJItyE0iI+qK9zVWmQ
|
||||
xFkV99xKqpIq/IFWd86Z8QvrhZV2OdvF5uduUytfxz9Bql8dgK1dhDJvz2i3SPxV
|
||||
oDDwo10gG7Hi0/lk2vIwsZUDci6eNn0BDLwVudClwQKBgQD+5nde7SM5J18MLNMp
|
||||
EGFDLDCbcjFQoVuVRCVu1+mmO/7zC1ozwYtU+SzNmLvpvZYtUgDBlsAlP+rtsUOX
|
||||
ltwhTI56mCGK3TbK3HvqCLz6O4K8ty2es6uDBezQagVygOoVG4AirHLlL4FeZ/S0
|
||||
uvH48jWCqsdBL1NygNt4Kov9fwKBgQD01K6yGKwm6Hgvs/qtHA7kMaD0yQWelX4M
|
||||
SJdf/Rjq3/Nh5Cpj8Peu8KIjomnkQisFHqHnAqAiy1IGo8NbjvM/H0JOSTWy2ths
|
||||
l6zncle/uGXbjxqqfKecsqAOigXzJQhXtHvh+pSu5mOb+incKyAJ0ZpvAZFhcWIA
|
||||
1LT12LyqwQKBgG1E4psg0N6pUAdqF8McsHUZNmUMmLNV2GquYdWYXSLTyUDq9uoE
|
||||
5/OvNVOVS8ixavVWl9hlBU1yjwUB3lXXZ9omdVV8bbSXi+t+hOgYgtpKNIstgzLr
|
||||
FnT+TzwwltE1DiOqPE2g20gAC1cq/S2UjjIHsoSnLO92mDEXp/1lT8mFAoGAYEY+
|
||||
CASRtZ8Wm9OPUIFHDc7CN1/RGOI6NcRZ2kIhiULVZvoc/T3ld+JiL9cPAtZOKm44
|
||||
RioPJH+FWt0M1jUpS/oTzcsWFaXfExy1vjGFdfuh+iuU1dO86W6IaA84dbtrQ2nS
|
||||
iTNLQleQdeZyjYRbzeChdONN8t5uJlt+aWp4DkECgYAG5w5yilDcQedV231V1fcG
|
||||
IgPLkrwUVNusevAe9Jzqs6L+GwCjuR1fQ7nxfRHZOwGQNz6sMQkhVc15PI5Oer+A
|
||||
vbWDr93IlBjtrc6hYqMO3MwpNz2JKVF2T5+33lbS26dxhvzaXNVZdBdDtwIgCQ78
|
||||
CBGsRUzILXd0N1/ou7ASOg==
|
||||
-----END PRIVATE KEY-----
|
||||
@@ -55,6 +55,10 @@ EXTRA_DIST += \
|
||||
certs/ocsp/root-ca-cert.pem \
|
||||
certs/ocsp/root-ca-cert.der \
|
||||
certs/ocsp/root-ca-crl.pem \
|
||||
certs/ocsp/imposter-root-ca-key.pem \
|
||||
certs/ocsp/imposter-root-ca-key.der \
|
||||
certs/ocsp/imposter-root-ca-cert.pem \
|
||||
certs/ocsp/imposter-root-ca-cert.der \
|
||||
certs/ocsp/test-response.der \
|
||||
certs/ocsp/test-response-rsapss.der \
|
||||
certs/ocsp/test-response-nointern.der \
|
||||
|
||||
@@ -60,6 +60,30 @@ rm root-ca-cert.csr
|
||||
openssl x509 -in root-ca-cert.pem -text > tmp.pem
|
||||
mv tmp.pem root-ca-cert.pem
|
||||
|
||||
# imposter-root-ca: self-signed cert sharing the legitimate root-ca DN but
|
||||
# with a different key. Used to test that OCSP responder authorization is
|
||||
# bound to the CertID issuerKeyHash, not just the issuer name.
|
||||
openssl req \
|
||||
-new \
|
||||
-config "$WOLF_REQ_CONF" \
|
||||
-key imposter-root-ca-key.pem \
|
||||
-out imposter-root-ca-cert.csr \
|
||||
-subj "/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com"
|
||||
|
||||
openssl x509 \
|
||||
-req -in imposter-root-ca-cert.csr \
|
||||
-extfile $1 \
|
||||
-extensions v3_ca \
|
||||
-days 1000 \
|
||||
-signkey imposter-root-ca-key.pem \
|
||||
-set_serial 199 \
|
||||
-out imposter-root-ca-cert.pem \
|
||||
-sha256
|
||||
|
||||
rm imposter-root-ca-cert.csr
|
||||
openssl x509 -in imposter-root-ca-cert.pem -text > imposter-root-ca-cert_tmp.pem
|
||||
mv imposter-root-ca-cert_tmp.pem imposter-root-ca-cert.pem
|
||||
|
||||
update_cert intermediate1-ca "wolfSSL intermediate CA 1" root-ca v3_ca 01 $1
|
||||
update_cert intermediate2-ca "wolfSSL intermediate CA 2" root-ca v3_ca 02 $1
|
||||
update_cert intermediate3-ca "wolfSSL REVOKED intermediate CA" root-ca v3_ca 03 $1 # REVOKED
|
||||
|
||||
@@ -54,6 +54,43 @@ check_result $? ""
|
||||
openssl rsa -in root-ca-key.pem -outform DER -out root-ca-key.der
|
||||
check_result $? ""
|
||||
|
||||
# imposter-root-ca: self-signed cert sharing the legitimate root-ca DN but with
|
||||
# a different key. Used to test that OCSP responder authorization is bound to
|
||||
# the CertID issuerKeyHash, not just the issuer name.
|
||||
echo "OCSP renew certs imposter root step 1"
|
||||
openssl req \
|
||||
-new \
|
||||
-key imposter-root-ca-key.pem \
|
||||
-out imposter-root-ca-cert.csr \
|
||||
-config ../renewcerts/wolfssl.cnf \
|
||||
-subj "/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com"
|
||||
check_result $? ""
|
||||
|
||||
echo "OCSP renew certs imposter root step 2"
|
||||
openssl x509 \
|
||||
-req -in imposter-root-ca-cert.csr \
|
||||
-extfile openssl.cnf \
|
||||
-extensions v3_ca \
|
||||
-days 1000 \
|
||||
-signkey imposter-root-ca-key.pem \
|
||||
-set_serial 199 \
|
||||
-out imposter-root-ca-cert.pem
|
||||
check_result $? ""
|
||||
|
||||
rm imposter-root-ca-cert.csr
|
||||
echo "OCSP renew certs imposter root step 3"
|
||||
openssl x509 -in imposter-root-ca-cert.pem -text > tmp.pem
|
||||
check_result $? ""
|
||||
mv tmp.pem imposter-root-ca-cert.pem
|
||||
|
||||
echo "OCSP renew certs imposter root step 4"
|
||||
openssl x509 -in imposter-root-ca-cert.pem -outform DER \
|
||||
-out imposter-root-ca-cert.der
|
||||
check_result $? ""
|
||||
openssl rsa -in imposter-root-ca-key.pem -outform DER \
|
||||
-out imposter-root-ca-key.der
|
||||
check_result $? ""
|
||||
|
||||
# $1 cert, $2 name, $3 ca, $4 extensions, $5 serial
|
||||
update_cert() {
|
||||
echo "Updating certificate \"$1-cert.pem\""
|
||||
|
||||
+57
-43
@@ -584,8 +584,8 @@ int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest,
|
||||
}
|
||||
|
||||
#ifndef WOLFSSL_NO_OCSP_ISSUER_CHAIN_CHECK
|
||||
static int CheckOcspResponderChain(OcspEntry* single, byte* issuerHash,
|
||||
void* vp, Signer* pendingCAs) {
|
||||
static int CheckOcspResponderChain(OcspEntry* single, byte* issuerNameHash,
|
||||
byte* issuerKeyHash, void* vp, Signer* pendingCAs) {
|
||||
/* Attempt to build a chain up to cert's issuer */
|
||||
WOLFSSL_CERT_MANAGER* cm = (WOLFSSL_CERT_MANAGER*)vp;
|
||||
Signer* ca = NULL;
|
||||
@@ -602,54 +602,61 @@ static int CheckOcspResponderChain(OcspEntry* single, byte* issuerHash,
|
||||
* in OCSP request
|
||||
*/
|
||||
|
||||
/* Walk up the issuer chain from the responder's direct issuer toward a
|
||||
* self-signed root, capturing prev before reassigning ca so the
|
||||
* (ca == prev) self-signed termination check is meaningful. */
|
||||
ca = GetCAByName(cm, single->issuerHash);
|
||||
if (issuerKeyHash == NULL)
|
||||
return 0;
|
||||
|
||||
/* Select CertID issuer by key hash so a same-DN / different-key trust
|
||||
* anchor cannot hijack the starting point. */
|
||||
ca = GetCAByKeyHash(cm, single->issuerKeyHash);
|
||||
if (ca != NULL && XMEMCMP(ca->subjectNameHash, single->issuerHash,
|
||||
OCSP_DIGEST_SIZE) != 0) {
|
||||
ca = NULL;
|
||||
}
|
||||
#if defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
|
||||
if (ca == NULL && pendingCAs != NULL) {
|
||||
ca = findSignerByName(pendingCAs, single->issuerHash);
|
||||
ca = findSignerByKeyHash(pendingCAs, single->issuerKeyHash);
|
||||
if (ca != NULL && XMEMCMP(ca->subjectNameHash, single->issuerHash,
|
||||
OCSP_DIGEST_SIZE) != 0) {
|
||||
ca = NULL;
|
||||
}
|
||||
}
|
||||
#else
|
||||
(void)pendingCAs;
|
||||
#endif
|
||||
while (ca != NULL) {
|
||||
if (XMEMCMP(issuerHash, ca->issuerNameHash, OCSP_DIGEST_SIZE) == 0) {
|
||||
for (; ca != NULL && ca != prev;
|
||||
prev = ca) {
|
||||
Signer* parent = GetCAByName(cm, ca->issuerNameHash);
|
||||
#if defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
|
||||
if (parent == NULL && pendingCAs != NULL) {
|
||||
parent = findSignerByName(pendingCAs, ca->issuerNameHash);
|
||||
}
|
||||
#endif
|
||||
if (parent == NULL || parent == ca)
|
||||
break;
|
||||
|
||||
if (XMEMCMP(parent->subjectNameHash, issuerNameHash,
|
||||
OCSP_DIGEST_SIZE) == 0 &&
|
||||
XMEMCMP(parent->subjectKeyHash, issuerKeyHash,
|
||||
KEYID_SIZE) == 0) {
|
||||
WOLFSSL_MSG("\tOCSP Response signed by authorized "
|
||||
"responder delegated by issuer "
|
||||
"(found in chain)");
|
||||
passed = 1;
|
||||
break;
|
||||
}
|
||||
prev = ca;
|
||||
ca = GetCAByName(cm, prev->issuerNameHash);
|
||||
#if defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
|
||||
/* Look up by the in-flight name (prev's issuer), not by
|
||||
* single->issuerHash; the latter would re-anchor the pendingCAs
|
||||
* walk to the bottom of the chain on every iteration. */
|
||||
if (ca == NULL && pendingCAs != NULL) {
|
||||
ca = findSignerByName(pendingCAs, prev->issuerNameHash);
|
||||
}
|
||||
#endif
|
||||
if (ca == prev) {
|
||||
break;
|
||||
}
|
||||
ca = parent;
|
||||
}
|
||||
return passed;
|
||||
}
|
||||
#endif
|
||||
|
||||
/**
|
||||
* Enforce https://www.rfc-editor.org/rfc/rfc6960#section-4.2.2.2
|
||||
* @param bs The basic OCSP response to verify
|
||||
* @param subjectHash The subject key hash of the OCSP responder certificate
|
||||
* @param extExtKeyUsage The extended key usage bits of the responder certificate
|
||||
* @param issuerHash The issuer name hash of the OCSP responder certificate
|
||||
* @param vp Unused (reserved for future use)
|
||||
* @return 1 if the responder is authorized to sign the response, 0 otherwise
|
||||
*/
|
||||
int CheckOcspResponder(OcspResponse *bs, byte* subjectHash,
|
||||
byte extExtKeyUsage, byte* issuerHash, void* vp)
|
||||
/* Enforce https://www.rfc-editor.org/rfc/rfc6960#section-4.2.2.2. Both halves
|
||||
* of CertID (issuerNameHash and issuerKeyHash) must match; name-only matching
|
||||
* would authorize a same-DN / different-key CA. issuerKeyHash may be NULL when
|
||||
* unavailable, which disables the delegated branch. */
|
||||
int CheckOcspResponder(OcspResponse *bs, byte* subjectNameHash,
|
||||
byte* subjectKeyHash, byte extExtKeyUsage, byte* issuerNameHash,
|
||||
byte* issuerKeyHash, void* vp)
|
||||
{
|
||||
int ret = 0;
|
||||
OcspEntry* single;
|
||||
@@ -664,29 +671,34 @@ int CheckOcspResponder(OcspResponse *bs, byte* subjectHash,
|
||||
/* In the future if this API is used more then it could be beneficial to
|
||||
* implement calling InitDecodedCert and ParseCertRelative here
|
||||
* automatically when cert == NULL. */
|
||||
if (bs == NULL || subjectHash == NULL || issuerHash == NULL)
|
||||
if (bs == NULL || subjectNameHash == NULL || issuerNameHash == NULL)
|
||||
return BAD_FUNC_ARG;
|
||||
|
||||
/* Traverse the list and check that the cert has the authority to provide
|
||||
* an OCSP response for each entry. */
|
||||
for (single = bs->single; single != NULL; single = single->next) {
|
||||
int passed = 0;
|
||||
|
||||
if (XMEMCMP(subjectHash, single->issuerHash, OCSP_DIGEST_SIZE) == 0) {
|
||||
if (subjectKeyHash != NULL &&
|
||||
XMEMCMP(subjectNameHash, single->issuerHash,
|
||||
OCSP_DIGEST_SIZE) == 0 &&
|
||||
XMEMCMP(subjectKeyHash, single->issuerKeyHash,
|
||||
KEYID_SIZE) == 0) {
|
||||
WOLFSSL_MSG("\tOCSP Response signed by issuer");
|
||||
passed = 1;
|
||||
}
|
||||
else if ((extExtKeyUsage & EXTKEYUSE_OCSP_SIGN) != 0) {
|
||||
if (XMEMCMP(issuerHash, single->issuerHash, OCSP_DIGEST_SIZE)
|
||||
== 0) {
|
||||
if (issuerKeyHash != NULL &&
|
||||
XMEMCMP(issuerNameHash, single->issuerHash,
|
||||
OCSP_DIGEST_SIZE) == 0 &&
|
||||
XMEMCMP(issuerKeyHash, single->issuerKeyHash,
|
||||
KEYID_SIZE) == 0) {
|
||||
WOLFSSL_MSG("\tOCSP Response signed by authorized responder "
|
||||
"delegated by issuer");
|
||||
passed = 1;
|
||||
}
|
||||
#ifndef WOLFSSL_NO_OCSP_ISSUER_CHAIN_CHECK
|
||||
else if (vp != NULL) {
|
||||
passed = CheckOcspResponderChain(single, issuerHash, vp,
|
||||
bs->pendingCAs);
|
||||
passed = CheckOcspResponderChain(single, issuerNameHash,
|
||||
issuerKeyHash, vp, bs->pendingCAs);
|
||||
}
|
||||
#endif
|
||||
}
|
||||
@@ -1090,8 +1102,10 @@ static int OcspVerifySigner(WOLFSSL_OCSP_BASICRESP *resp, DecodedCert *cert,
|
||||
}
|
||||
#ifndef WOLFSSL_NO_OCSP_ISSUER_CHECK
|
||||
if ((flags & WOLFSSL_OCSP_NOCHECKS) == 0) {
|
||||
ret = CheckOcspResponder(resp, c->subjectHash, c->extExtKeyUsage,
|
||||
c->issuerHash, st->cm);
|
||||
ret = CheckOcspResponder(resp, c->subjectHash, c->subjectKeyHash,
|
||||
c->extExtKeyUsage, c->issuerHash,
|
||||
(c->ca != NULL) ? c->ca->subjectKeyHash : NULL,
|
||||
st->cm);
|
||||
}
|
||||
else {
|
||||
ret = 0;
|
||||
|
||||
@@ -40751,6 +40751,7 @@ TEST_CASE testCases[] = {
|
||||
TEST_DECL(test_wolfSSL_inject),
|
||||
TEST_DECL(test_ocsp_status_callback),
|
||||
TEST_DECL(test_ocsp_basic_verify),
|
||||
TEST_DECL(test_ocsp_responder_keyhash_binding),
|
||||
TEST_DECL(test_ocsp_response_parsing),
|
||||
TEST_DECL(test_ocsp_certid_enc_dec),
|
||||
TEST_DECL(test_ocsp_certid_dup),
|
||||
|
||||
@@ -266,6 +266,23 @@ def create_response(rd: dict) -> rfc6960.OCSPResponse:
|
||||
for entry in rd.get('responses', []):
|
||||
if entry.get('certificate'):
|
||||
sr = single_response_from_cert(entry['certificate'], entry['status'])
|
||||
elif entry.get('name_cert') and entry.get('key_cert'):
|
||||
# Forge a CertID where issuerNameHash and issuerKeyHash are taken
|
||||
# from different certificates. Used to test that responder
|
||||
# authorization is bound to BOTH halves of the CertID.
|
||||
name_der = cert_pem_to_der(entry['name_cert'])
|
||||
name_cert, _ = decode(bytes(name_der), asn1Spec=rfc6960.Certificate())
|
||||
key_der = cert_pem_to_der(entry['key_cert'])
|
||||
key_cert, _ = decode(bytes(key_der), asn1Spec=rfc6960.Certificate())
|
||||
issuer_name_hash = sha1(encode(get_name(name_cert))).digest()
|
||||
issuer_key_hash = sha1(get_key(key_cert).asOctets()).digest()
|
||||
cid = cert_id_from_hash(issuer_name_hash, issuer_key_hash,
|
||||
entry['serial'])
|
||||
sr = rfc6960.SingleResponse().clone()
|
||||
sr.setComponentByName('certID', cid)
|
||||
sr['certStatus'] = cert_status(entry['status'])
|
||||
sr['thisUpdate'] = useful.GeneralizedTime().fromDateTime(
|
||||
datetime.now() - timedelta(days=1))
|
||||
else:
|
||||
sr = single_response(entry['issuer_cert'], entry['serial'], entry['status'])
|
||||
responses.append(sr)
|
||||
@@ -480,6 +497,28 @@ if __name__ == '__main__':
|
||||
'responder_key': WOLFSSL_OCSP_CERT_PATH + '../ca-key.pem',
|
||||
'name': 'resp_server_cert_unknown'
|
||||
},
|
||||
{
|
||||
# Forged response: CertID's issuerNameHash points at the legitimate
|
||||
# root CA, but issuerKeyHash points at the imposter root CA (same
|
||||
# DN, different key). Signed by the legitimate ocsp-responder so
|
||||
# the response signature alone verifies. Used to confirm that
|
||||
# responder authorization rejects mismatched CertID halves.
|
||||
'response_status': 0,
|
||||
'signature_algorithm': signature_algorithm(),
|
||||
'certs_path': [WOLFSSL_OCSP_CERT_PATH + 'ocsp-responder-cert.pem'],
|
||||
'responder_by_name': True,
|
||||
'responses': [
|
||||
{
|
||||
'name_cert': WOLFSSL_OCSP_CERT_PATH + 'root-ca-cert.pem',
|
||||
'key_cert': WOLFSSL_OCSP_CERT_PATH +
|
||||
'imposter-root-ca-cert.pem',
|
||||
'serial': 0x01,
|
||||
'status': CERT_GOOD
|
||||
}
|
||||
],
|
||||
'responder_key': WOLFSSL_OCSP_CERT_PATH + 'ocsp-responder-key.pem',
|
||||
'name': 'resp_certid_keyhash_mismatch'
|
||||
},
|
||||
]
|
||||
|
||||
with open('./tests/api/test_ocsp_test_blobs.h', 'w') as f:
|
||||
@@ -517,6 +556,7 @@ if __name__ == '__main__':
|
||||
add_certificate(WOLFSSL_OCSP_CERT_PATH + '../ca-cert.pem', f)
|
||||
add_certificate(WOLFSSL_OCSP_CERT_PATH + '../server-cert.pem', f)
|
||||
add_certificate(WOLFSSL_OCSP_CERT_PATH + 'intermediate1-ca-cert.pem', f)
|
||||
add_certificate(WOLFSSL_OCSP_CERT_PATH + 'imposter-root-ca-cert.pem', f)
|
||||
br = create_bad_response({
|
||||
'response_status': 0,
|
||||
'responder_by_key': True,
|
||||
|
||||
@@ -382,6 +382,48 @@ int test_ocsp_basic_verify(void)
|
||||
}
|
||||
#endif /* HAVE_OCSP && (OPENSSL_ALL || OPENSSL_EXTRA) */
|
||||
|
||||
#if defined(HAVE_OCSP) && (defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA)) && \
|
||||
!defined(NO_RSA) && !defined(WOLFSSL_NO_OCSP_ISSUER_CHECK)
|
||||
/* Verify that OCSP responder authorization is bound to BOTH halves of the
|
||||
* CertID (issuerNameHash AND issuerKeyHash). The forged response in
|
||||
* resp_certid_keyhash_mismatch was signed by the legitimate ocsp-responder
|
||||
* (so the response signature itself verifies) but its CertID pairs the
|
||||
* legitimate root CA's name hash with the imposter root CA's key hash. With
|
||||
* a name-only authorization check the response would be incorrectly
|
||||
* accepted; the CertID-bound check must reject it. */
|
||||
int test_ocsp_responder_keyhash_binding(void)
|
||||
{
|
||||
EXPECT_DECLS;
|
||||
WOLF_STACK_OF(WOLFSSL_X509)* certs = NULL;
|
||||
WOLFSSL_X509_STORE* store = NULL;
|
||||
const unsigned char* ptr = NULL;
|
||||
OcspResponse* response = NULL;
|
||||
|
||||
ExpectIntEQ(test_ocsp_create_x509store(&store, root_ca_cert_pem,
|
||||
sizeof(root_ca_cert_pem)),
|
||||
TEST_SUCCESS);
|
||||
ExpectIntEQ(test_create_stack_of_x509(&certs, ocsp_responder_cert_pem,
|
||||
sizeof(ocsp_responder_cert_pem)),
|
||||
TEST_SUCCESS);
|
||||
|
||||
ptr = (const unsigned char*)resp_certid_keyhash_mismatch;
|
||||
ExpectNotNull(response = wolfSSL_d2i_OCSP_RESPONSE(NULL, &ptr,
|
||||
sizeof(resp_certid_keyhash_mismatch)));
|
||||
ExpectIntNE(wolfSSL_OCSP_basic_verify(response, certs, store, 0),
|
||||
WOLFSSL_SUCCESS);
|
||||
|
||||
wolfSSL_OCSP_RESPONSE_free(response);
|
||||
wolfSSL_sk_X509_pop_free(certs, wolfSSL_X509_free);
|
||||
wolfSSL_X509_STORE_free(store);
|
||||
return EXPECT_RESULT();
|
||||
}
|
||||
#else
|
||||
int test_ocsp_responder_keyhash_binding(void)
|
||||
{
|
||||
return TEST_SKIPPED;
|
||||
}
|
||||
#endif
|
||||
|
||||
#if defined(HAVE_OCSP) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && \
|
||||
defined(HAVE_CERTIFICATE_STATUS_REQUEST) && !defined(WOLFSSL_NO_TLS12) && \
|
||||
defined(OPENSSL_ALL) && !defined(WOLFSSL_SMALL_CERT_VERIFY)
|
||||
|
||||
@@ -26,6 +26,7 @@ int test_ocsp_certid_enc_dec(void);
|
||||
int test_ocsp_certid_dup(void);
|
||||
int test_ocsp_status_callback(void);
|
||||
int test_ocsp_basic_verify(void);
|
||||
int test_ocsp_responder_keyhash_binding(void);
|
||||
int test_ocsp_response_parsing(void);
|
||||
int test_ocsp_tls_cert_cb(void);
|
||||
int test_ocsp_cert_unknown_crl_fallback(void);
|
||||
|
||||
@@ -1414,6 +1414,159 @@ unsigned char resp_server_cert_unknown[] = {
|
||||
0x4f, 0x6b, 0xb9, 0xec, 0xc8, 0x29,
|
||||
};
|
||||
|
||||
unsigned char resp_certid_keyhash_mismatch[] = {
|
||||
0x30, 0x82, 0x07, 0x04, 0x0a, 0x01, 0x00, 0xa0, 0x82, 0x06, 0xfd, 0x30,
|
||||
0x82, 0x06, 0xf9, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30,
|
||||
0x01, 0x01, 0x04, 0x82, 0x06, 0xea, 0x30, 0x82, 0x06, 0xe6, 0x30, 0x82,
|
||||
0x01, 0x06, 0xa1, 0x81, 0xa1, 0x30, 0x81, 0x9e, 0x31, 0x0b, 0x30, 0x09,
|
||||
0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30,
|
||||
0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x57, 0x61, 0x73, 0x68,
|
||||
0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03,
|
||||
0x55, 0x04, 0x07, 0x0c, 0x07, 0x53, 0x65, 0x61, 0x74, 0x74, 0x6c, 0x65,
|
||||
0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x07, 0x77,
|
||||
0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03,
|
||||
0x55, 0x04, 0x0b, 0x0c, 0x0b, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65,
|
||||
0x72, 0x69, 0x6e, 0x67, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x04,
|
||||
0x03, 0x0c, 0x16, 0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x20, 0x4f,
|
||||
0x43, 0x53, 0x50, 0x20, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x64, 0x65,
|
||||
0x72, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
|
||||
0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, 0x66, 0x6f, 0x40, 0x77,
|
||||
0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x18, 0x0f,
|
||||
0x32, 0x30, 0x32, 0x36, 0x30, 0x34, 0x32, 0x36, 0x31, 0x38, 0x32, 0x36,
|
||||
0x33, 0x32, 0x5a, 0x30, 0x4f, 0x30, 0x4d, 0x30, 0x38, 0x30, 0x07, 0x06,
|
||||
0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x04, 0x14, 0x44, 0xa8, 0xdb, 0xd1,
|
||||
0xbc, 0x97, 0x0a, 0x83, 0x3b, 0x5b, 0x31, 0x9a, 0x4c, 0xb8, 0xd2, 0x52,
|
||||
0x37, 0x15, 0x8a, 0x88, 0x04, 0x14, 0x73, 0x64, 0x66, 0x3e, 0x9a, 0xde,
|
||||
0x12, 0xec, 0x44, 0xc2, 0x5b, 0x05, 0x64, 0x62, 0x1d, 0x63, 0x23, 0x43,
|
||||
0x55, 0xe5, 0x02, 0x01, 0x01, 0x80, 0x00, 0x18, 0x0f, 0x32, 0x30, 0x32,
|
||||
0x36, 0x30, 0x34, 0x32, 0x36, 0x31, 0x38, 0x32, 0x36, 0x33, 0x32, 0x5a,
|
||||
0x30, 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
|
||||
0x0b, 0x03, 0x82, 0x01, 0x01, 0x00, 0x45, 0x7f, 0xe9, 0x4a, 0x3b, 0x66,
|
||||
0x29, 0x88, 0xfb, 0x2a, 0xce, 0x7a, 0xd4, 0xcf, 0xe0, 0x98, 0xec, 0xd4,
|
||||
0x52, 0xb4, 0x98, 0x95, 0xd1, 0x0a, 0x60, 0x37, 0xae, 0x48, 0x9d, 0xc9,
|
||||
0x93, 0x49, 0xb1, 0x39, 0x2e, 0x03, 0x66, 0xb4, 0x97, 0x21, 0xc9, 0x60,
|
||||
0x1b, 0xda, 0x7d, 0xbd, 0x64, 0xb3, 0xf1, 0xc6, 0x73, 0xff, 0x48, 0xb1,
|
||||
0x5c, 0xe0, 0xa1, 0x2d, 0xd7, 0xab, 0x4e, 0x15, 0x51, 0x78, 0xab, 0x8c,
|
||||
0x1c, 0x47, 0x0f, 0x03, 0xfe, 0x49, 0xe2, 0x80, 0x94, 0xfe, 0x03, 0x62,
|
||||
0x16, 0x09, 0xf8, 0xda, 0x12, 0x12, 0x08, 0xf6, 0x8e, 0xea, 0x8e, 0x7c,
|
||||
0xdf, 0xbf, 0x17, 0xe2, 0xe8, 0x34, 0xb7, 0xef, 0x54, 0x51, 0xb1, 0x0e,
|
||||
0xd4, 0xec, 0x47, 0xcb, 0x3b, 0xc4, 0x1b, 0x7e, 0xd0, 0x2e, 0x61, 0x83,
|
||||
0x35, 0x1b, 0xec, 0x0d, 0xc0, 0xea, 0x62, 0xa2, 0x92, 0x8b, 0xff, 0x2e,
|
||||
0x6b, 0x96, 0x94, 0x29, 0x28, 0xe0, 0x7d, 0x33, 0x77, 0x09, 0xa4, 0xc4,
|
||||
0xd3, 0x89, 0x9d, 0x34, 0xce, 0xbc, 0xff, 0x46, 0xbf, 0x14, 0x7c, 0x87,
|
||||
0xdf, 0x96, 0xb8, 0xe9, 0x2d, 0x79, 0x49, 0xba, 0x9b, 0xcf, 0xf6, 0x86,
|
||||
0x13, 0x04, 0xab, 0x9f, 0x93, 0xf5, 0x3c, 0x01, 0x06, 0x05, 0x39, 0xa4,
|
||||
0xeb, 0xbc, 0xb2, 0x6b, 0xf9, 0x38, 0x60, 0xeb, 0xfd, 0x96, 0xf3, 0x85,
|
||||
0xb4, 0xca, 0x89, 0xf9, 0x16, 0x8a, 0xdd, 0x9c, 0xbc, 0x13, 0x75, 0xe8,
|
||||
0x5e, 0x86, 0x50, 0x5b, 0x29, 0x12, 0x7f, 0xbc, 0xfc, 0xe1, 0xf3, 0x10,
|
||||
0xb3, 0xf6, 0x20, 0x42, 0xe0, 0x58, 0xbc, 0x78, 0x87, 0x14, 0x56, 0xf4,
|
||||
0x68, 0xe4, 0x34, 0x11, 0xe9, 0x9e, 0x16, 0x17, 0x9f, 0x43, 0xe3, 0x69,
|
||||
0xcf, 0x91, 0x33, 0xfb, 0x2e, 0xef, 0x0a, 0xd0, 0xd5, 0x10, 0x32, 0x69,
|
||||
0x82, 0xe6, 0x50, 0x73, 0xfb, 0x58, 0x2d, 0x25, 0x56, 0x97, 0xa0, 0x82,
|
||||
0x04, 0xc6, 0x30, 0x82, 0x04, 0xc2, 0x30, 0x82, 0x04, 0xbe, 0x30, 0x82,
|
||||
0x03, 0xa6, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x01, 0x04, 0x30, 0x0d,
|
||||
0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
|
||||
0x00, 0x30, 0x81, 0x97, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04,
|
||||
0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55,
|
||||
0x04, 0x08, 0x0c, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74,
|
||||
0x6f, 0x6e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c,
|
||||
0x07, 0x53, 0x65, 0x61, 0x74, 0x74, 0x6c, 0x65, 0x31, 0x10, 0x30, 0x0e,
|
||||
0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x07, 0x77, 0x6f, 0x6c, 0x66, 0x53,
|
||||
0x53, 0x4c, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c,
|
||||
0x0b, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67,
|
||||
0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x77,
|
||||
0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x20, 0x72, 0x6f, 0x6f, 0x74, 0x20,
|
||||
0x43, 0x41, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
|
||||
0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, 0x66, 0x6f, 0x40,
|
||||
0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x30,
|
||||
0x1e, 0x17, 0x0d, 0x32, 0x35, 0x31, 0x31, 0x31, 0x33, 0x32, 0x30, 0x34,
|
||||
0x31, 0x33, 0x35, 0x5a, 0x17, 0x0d, 0x32, 0x38, 0x30, 0x38, 0x30, 0x39,
|
||||
0x32, 0x30, 0x34, 0x31, 0x33, 0x35, 0x5a, 0x30, 0x81, 0x9e, 0x31, 0x0b,
|
||||
0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31,
|
||||
0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x57, 0x61,
|
||||
0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30, 0x0e,
|
||||
0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x07, 0x53, 0x65, 0x61, 0x74, 0x74,
|
||||
0x6c, 0x65, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c,
|
||||
0x07, 0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x31, 0x14, 0x30, 0x12,
|
||||
0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x0b, 0x45, 0x6e, 0x67, 0x69, 0x6e,
|
||||
0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x03,
|
||||
0x55, 0x04, 0x03, 0x0c, 0x16, 0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c,
|
||||
0x20, 0x4f, 0x43, 0x53, 0x50, 0x20, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e,
|
||||
0x64, 0x65, 0x72, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48,
|
||||
0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, 0x66, 0x6f,
|
||||
0x40, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d,
|
||||
0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
|
||||
0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00,
|
||||
0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xb8, 0xba, 0x23,
|
||||
0xb4, 0xf6, 0xc3, 0x7b, 0x14, 0xc3, 0xa4, 0xf5, 0x1d, 0x61, 0xa1, 0xf5,
|
||||
0x1e, 0x63, 0xb9, 0x85, 0x23, 0x34, 0x50, 0x6d, 0xf8, 0x7c, 0xa2, 0x8a,
|
||||
0x04, 0x8b, 0xd5, 0x75, 0x5c, 0x2d, 0xf7, 0x63, 0x88, 0xd1, 0x07, 0x7a,
|
||||
0xea, 0x0b, 0x45, 0x35, 0x2b, 0xeb, 0x1f, 0xb1, 0x22, 0xb4, 0x94, 0x41,
|
||||
0x38, 0xe2, 0x9d, 0x74, 0xd6, 0x8b, 0x30, 0x22, 0x10, 0x51, 0xc5, 0xdb,
|
||||
0xca, 0x3f, 0x46, 0x2b, 0xfe, 0xe5, 0x5a, 0x3f, 0x41, 0x74, 0x67, 0x75,
|
||||
0x95, 0xa9, 0x94, 0xd5, 0xc3, 0xee, 0x42, 0xf8, 0x8d, 0xeb, 0x92, 0x95,
|
||||
0xe1, 0xd9, 0x65, 0xb7, 0x43, 0xc4, 0x18, 0xde, 0x16, 0x80, 0x90, 0xce,
|
||||
0x24, 0x35, 0x21, 0xc4, 0x55, 0xac, 0x5a, 0x51, 0xe0, 0x2e, 0x2d, 0xb3,
|
||||
0x0a, 0x5a, 0x4f, 0x4a, 0x73, 0x31, 0x50, 0xee, 0x4a, 0x16, 0xbd, 0x39,
|
||||
0x8b, 0xad, 0x05, 0x48, 0x87, 0xb1, 0x99, 0xe2, 0x10, 0xa7, 0x06, 0x72,
|
||||
0x67, 0xca, 0x5c, 0xd1, 0x97, 0xbd, 0xc8, 0xf1, 0x76, 0xf8, 0xe0, 0x4a,
|
||||
0xec, 0xbc, 0x93, 0xf4, 0x66, 0x4c, 0x28, 0x71, 0xd1, 0xd8, 0x66, 0x03,
|
||||
0xb4, 0x90, 0x30, 0xbb, 0x17, 0xb0, 0xfe, 0x97, 0xf5, 0x1e, 0xe8, 0xc7,
|
||||
0x5d, 0x9b, 0x8b, 0x11, 0x19, 0x12, 0x3c, 0xab, 0x82, 0x71, 0x78, 0xff,
|
||||
0xae, 0x3f, 0x32, 0xb2, 0x08, 0x71, 0xb2, 0x1b, 0x8c, 0x27, 0xac, 0x11,
|
||||
0xb8, 0xd8, 0x43, 0x49, 0xcf, 0xb0, 0x70, 0xb1, 0xf0, 0x8c, 0xae, 0xda,
|
||||
0x24, 0x87, 0x17, 0x3b, 0xd8, 0x04, 0x65, 0x6c, 0x00, 0x76, 0x50, 0xef,
|
||||
0x15, 0x08, 0xd7, 0xb4, 0x73, 0x68, 0x26, 0x14, 0x87, 0x95, 0xc3, 0x5f,
|
||||
0x6e, 0x61, 0xb8, 0x87, 0x84, 0xfa, 0x80, 0x1a, 0x0a, 0x8b, 0x98, 0xf3,
|
||||
0xe3, 0xff, 0x4e, 0x44, 0x1c, 0x65, 0x74, 0x7c, 0x71, 0x54, 0x65, 0xe5,
|
||||
0x39, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x0a, 0x30, 0x82,
|
||||
0x01, 0x06, 0x30, 0x09, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x02, 0x30,
|
||||
0x00, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14,
|
||||
0x32, 0x67, 0xe1, 0xb1, 0x79, 0xd2, 0x81, 0xfc, 0x9f, 0x23, 0x0c, 0x70,
|
||||
0x40, 0x50, 0xb5, 0x46, 0x56, 0xb8, 0x30, 0x36, 0x30, 0x81, 0xc4, 0x06,
|
||||
0x03, 0x55, 0x1d, 0x23, 0x04, 0x81, 0xbc, 0x30, 0x81, 0xb9, 0x80, 0x14,
|
||||
0x73, 0xb0, 0x1c, 0xa4, 0x2f, 0x82, 0xcb, 0xcf, 0x47, 0xa5, 0x38, 0xd7,
|
||||
0xb0, 0x04, 0x82, 0x3a, 0x7e, 0x72, 0x15, 0x21, 0xa1, 0x81, 0x9d, 0xa4,
|
||||
0x81, 0x9a, 0x30, 0x81, 0x97, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55,
|
||||
0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03,
|
||||
0x55, 0x04, 0x08, 0x0c, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67,
|
||||
0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07,
|
||||
0x0c, 0x07, 0x53, 0x65, 0x61, 0x74, 0x74, 0x6c, 0x65, 0x31, 0x10, 0x30,
|
||||
0x0e, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x07, 0x77, 0x6f, 0x6c, 0x66,
|
||||
0x53, 0x53, 0x4c, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0b,
|
||||
0x0c, 0x0b, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e,
|
||||
0x67, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f,
|
||||
0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x20, 0x72, 0x6f, 0x6f, 0x74,
|
||||
0x20, 0x43, 0x41, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48,
|
||||
0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, 0x66, 0x6f,
|
||||
0x40, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d,
|
||||
0x82, 0x01, 0x63, 0x30, 0x13, 0x06, 0x03, 0x55, 0x1d, 0x25, 0x04, 0x0c,
|
||||
0x30, 0x0a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x09,
|
||||
0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
|
||||
0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x22, 0xcf, 0xe2, 0xc4,
|
||||
0x3c, 0x0e, 0xcf, 0x43, 0xc2, 0x2b, 0x77, 0xd9, 0x53, 0xbb, 0xbf, 0x46,
|
||||
0x5a, 0x67, 0x26, 0x1f, 0xd6, 0x8c, 0xe2, 0xae, 0xd3, 0x6b, 0xda, 0x7c,
|
||||
0xa5, 0xb4, 0x79, 0x29, 0x0f, 0xb8, 0xf0, 0x14, 0x71, 0x90, 0x21, 0x7c,
|
||||
0x3c, 0x23, 0x2e, 0x5b, 0xb6, 0xb6, 0x66, 0xb5, 0xd2, 0xfd, 0x96, 0x21,
|
||||
0x4c, 0x7c, 0x9d, 0x9f, 0x85, 0x69, 0x8c, 0xd8, 0xc2, 0xbf, 0x3b, 0x1f,
|
||||
0x7b, 0xaf, 0x27, 0xb9, 0x30, 0x5b, 0x51, 0x4a, 0x16, 0x07, 0xa0, 0x14,
|
||||
0x80, 0x47, 0x31, 0x45, 0xf0, 0x31, 0x35, 0xb9, 0x93, 0x39, 0x77, 0x32,
|
||||
0x51, 0xa0, 0x8b, 0x93, 0x91, 0x96, 0x77, 0x41, 0x1a, 0x30, 0x15, 0xb8,
|
||||
0xe6, 0xeb, 0x49, 0x8e, 0x3c, 0xa5, 0x11, 0x46, 0x68, 0x13, 0xf5, 0x61,
|
||||
0x07, 0xac, 0x42, 0x3e, 0x69, 0xf3, 0x9f, 0x6b, 0x64, 0xd5, 0xe4, 0x42,
|
||||
0x1d, 0xed, 0x6c, 0xb7, 0x3b, 0xb1, 0x78, 0xc6, 0x9a, 0xb0, 0x38, 0xe2,
|
||||
0xe6, 0xfe, 0x5b, 0xc3, 0x87, 0x11, 0x49, 0x1e, 0x48, 0x73, 0x5a, 0x88,
|
||||
0x77, 0x89, 0xfb, 0xc7, 0x87, 0xef, 0x87, 0xe1, 0x17, 0x8b, 0x66, 0x16,
|
||||
0x44, 0x7c, 0x6e, 0x5f, 0x2d, 0x5a, 0x2f, 0xd0, 0xbe, 0x76, 0x69, 0x84,
|
||||
0xda, 0x3c, 0xa3, 0x4f, 0xbf, 0x00, 0xff, 0xcc, 0x67, 0x06, 0x16, 0x40,
|
||||
0x0f, 0x75, 0xdc, 0xe3, 0x20, 0xd6, 0x7b, 0x99, 0xc7, 0xbf, 0x38, 0x21,
|
||||
0x51, 0x30, 0x4a, 0x4b, 0x77, 0xd7, 0x39, 0xd3, 0xe2, 0x4d, 0x67, 0x68,
|
||||
0x0e, 0x7c, 0x95, 0xc4, 0x51, 0x22, 0xc4, 0x0f, 0x74, 0xa5, 0xdd, 0xf5,
|
||||
0xac, 0xa8, 0xf5, 0x8c, 0xfb, 0x90, 0xba, 0xff, 0x5e, 0x3e, 0x1f, 0xaa,
|
||||
0x7d, 0x61, 0xbb, 0xa4, 0x22, 0x35, 0x16, 0x64, 0xfc, 0x42, 0x27, 0x0b,
|
||||
0xc9, 0xe3, 0xba, 0x21, 0xad, 0x7b, 0x24, 0x2a, 0xa5, 0x25, 0xb7, 0xc4,
|
||||
};
|
||||
|
||||
unsigned char ocsp_responder_cert_pem[] = {
|
||||
0x30, 0x82, 0x04, 0xbe, 0x30, 0x82, 0x03, 0xa6, 0xa0, 0x03, 0x02, 0x01,
|
||||
0x02, 0x02, 0x01, 0x04, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
|
||||
@@ -1954,6 +2107,114 @@ unsigned char intermediate1_ca_cert_pem[] = {
|
||||
0xfb, 0xb8, 0x77, 0x01, 0x34, 0xaf, 0xcc, 0x0e,
|
||||
};
|
||||
|
||||
unsigned char imposter_root_ca_cert_pem[] = {
|
||||
0x30, 0x82, 0x04, 0xe8, 0x30, 0x82, 0x03, 0xd0, 0xa0, 0x03, 0x02, 0x01,
|
||||
0x02, 0x02, 0x02, 0x00, 0xc7, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48,
|
||||
0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x81, 0x97, 0x31,
|
||||
0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53,
|
||||
0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x57,
|
||||
0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30,
|
||||
0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x07, 0x53, 0x65, 0x61, 0x74,
|
||||
0x74, 0x6c, 0x65, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x0a,
|
||||
0x0c, 0x07, 0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x31, 0x14, 0x30,
|
||||
0x12, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x0b, 0x45, 0x6e, 0x67, 0x69,
|
||||
0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x31, 0x18, 0x30, 0x16, 0x06,
|
||||
0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53,
|
||||
0x4c, 0x20, 0x72, 0x6f, 0x6f, 0x74, 0x20, 0x43, 0x41, 0x31, 0x1f, 0x30,
|
||||
0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01,
|
||||
0x16, 0x10, 0x69, 0x6e, 0x66, 0x6f, 0x40, 0x77, 0x6f, 0x6c, 0x66, 0x73,
|
||||
0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x32, 0x36,
|
||||
0x30, 0x34, 0x32, 0x37, 0x31, 0x36, 0x31, 0x32, 0x31, 0x39, 0x5a, 0x17,
|
||||
0x0d, 0x32, 0x39, 0x30, 0x31, 0x32, 0x31, 0x31, 0x36, 0x31, 0x32, 0x31,
|
||||
0x39, 0x5a, 0x30, 0x81, 0x97, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55,
|
||||
0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03,
|
||||
0x55, 0x04, 0x08, 0x0c, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67,
|
||||
0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07,
|
||||
0x0c, 0x07, 0x53, 0x65, 0x61, 0x74, 0x74, 0x6c, 0x65, 0x31, 0x10, 0x30,
|
||||
0x0e, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x07, 0x77, 0x6f, 0x6c, 0x66,
|
||||
0x53, 0x53, 0x4c, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0b,
|
||||
0x0c, 0x0b, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e,
|
||||
0x67, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f,
|
||||
0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x20, 0x72, 0x6f, 0x6f, 0x74,
|
||||
0x20, 0x43, 0x41, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48,
|
||||
0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, 0x66, 0x6f,
|
||||
0x40, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d,
|
||||
0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
|
||||
0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00,
|
||||
0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xf3, 0xc7, 0x6e,
|
||||
0x93, 0x4e, 0x94, 0x7d, 0x9a, 0x76, 0xcb, 0x3e, 0x82, 0x21, 0x30, 0xa0,
|
||||
0xa5, 0x4a, 0xa2, 0x6c, 0x80, 0xbf, 0xe6, 0xa0, 0x7d, 0x6c, 0xcc, 0xaa,
|
||||
0xe6, 0x94, 0xf3, 0x42, 0x41, 0x7f, 0x1a, 0xba, 0x5f, 0x89, 0xd2, 0x84,
|
||||
0x67, 0x81, 0x4d, 0x37, 0x0b, 0x26, 0xed, 0xf8, 0xf1, 0xbe, 0x84, 0xf5,
|
||||
0x33, 0x9f, 0xbe, 0x98, 0xd1, 0x88, 0x86, 0xc1, 0x93, 0xd3, 0x8e, 0x40,
|
||||
0x56, 0x36, 0x28, 0x4f, 0x14, 0xc2, 0xf7, 0xa7, 0x3b, 0xca, 0x1d, 0xae,
|
||||
0x59, 0x6b, 0x5f, 0x79, 0x54, 0xb6, 0x2e, 0x6e, 0x4d, 0x7f, 0x4c, 0x71,
|
||||
0x0d, 0xfb, 0x3a, 0x6e, 0x95, 0x8f, 0x96, 0x44, 0x3c, 0xf2, 0x91, 0x01,
|
||||
0xcb, 0x68, 0x17, 0x07, 0x33, 0x97, 0xcb, 0x32, 0x55, 0x47, 0x03, 0x64,
|
||||
0x0c, 0x4b, 0x16, 0x2e, 0x20, 0xf8, 0x65, 0xc7, 0x6a, 0x52, 0xe4, 0xfd,
|
||||
0xa9, 0x2d, 0xde, 0x39, 0x0c, 0x5f, 0x1a, 0x14, 0x10, 0x9d, 0xc3, 0x2d,
|
||||
0x15, 0xc4, 0x88, 0x2e, 0x19, 0x58, 0xe1, 0xfd, 0x69, 0x12, 0x81, 0xd2,
|
||||
0xaf, 0xf6, 0x62, 0x44, 0xb0, 0x89, 0x82, 0xb5, 0xf5, 0x17, 0x23, 0x2b,
|
||||
0x73, 0x8e, 0xe3, 0x55, 0x14, 0x43, 0xa5, 0x4a, 0x7e, 0xcb, 0x96, 0x62,
|
||||
0x8f, 0x96, 0xbf, 0x5f, 0xc3, 0x82, 0xdc, 0x86, 0x86, 0x85, 0x89, 0xf8,
|
||||
0x8e, 0x68, 0xb2, 0xef, 0xe5, 0x2e, 0x8c, 0xb9, 0x8d, 0x56, 0x13, 0x19,
|
||||
0x65, 0xe9, 0x79, 0xc5, 0x29, 0xdc, 0x89, 0x0b, 0xdd, 0x23, 0x35, 0xfe,
|
||||
0xd5, 0x48, 0xb6, 0x2d, 0xad, 0xee, 0xee, 0x6c, 0xb8, 0x3e, 0xeb, 0x79,
|
||||
0x1c, 0x41, 0xd1, 0xb8, 0xe5, 0x0e, 0x2f, 0x2d, 0xcf, 0xd7, 0x65, 0xfa,
|
||||
0x71, 0x6f, 0x60, 0x9b, 0x90, 0x30, 0x43, 0xda, 0xc3, 0xe2, 0x1b, 0x8f,
|
||||
0xda, 0xab, 0x37, 0xc5, 0x38, 0x88, 0x6b, 0x85, 0x15, 0x5b, 0x24, 0x72,
|
||||
0xbf, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x3a, 0x30, 0x82,
|
||||
0x01, 0x36, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x05, 0x30,
|
||||
0x03, 0x01, 0x01, 0xff, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04,
|
||||
0x16, 0x04, 0x14, 0x73, 0x64, 0x66, 0x3e, 0x9a, 0xde, 0x12, 0xec, 0x44,
|
||||
0xc2, 0x5b, 0x05, 0x64, 0x62, 0x1d, 0x63, 0x23, 0x43, 0x55, 0xe5, 0x30,
|
||||
0x81, 0xc5, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x81, 0xbd, 0x30, 0x81,
|
||||
0xba, 0x80, 0x14, 0x73, 0x64, 0x66, 0x3e, 0x9a, 0xde, 0x12, 0xec, 0x44,
|
||||
0xc2, 0x5b, 0x05, 0x64, 0x62, 0x1d, 0x63, 0x23, 0x43, 0x55, 0xe5, 0xa1,
|
||||
0x81, 0x9d, 0xa4, 0x81, 0x9a, 0x30, 0x81, 0x97, 0x31, 0x0b, 0x30, 0x09,
|
||||
0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30,
|
||||
0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x57, 0x61, 0x73, 0x68,
|
||||
0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03,
|
||||
0x55, 0x04, 0x07, 0x0c, 0x07, 0x53, 0x65, 0x61, 0x74, 0x74, 0x6c, 0x65,
|
||||
0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x07, 0x77,
|
||||
0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03,
|
||||
0x55, 0x04, 0x0b, 0x0c, 0x0b, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65,
|
||||
0x72, 0x69, 0x6e, 0x67, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04,
|
||||
0x03, 0x0c, 0x0f, 0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x20, 0x72,
|
||||
0x6f, 0x6f, 0x74, 0x20, 0x43, 0x41, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09,
|
||||
0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69,
|
||||
0x6e, 0x66, 0x6f, 0x40, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e,
|
||||
0x63, 0x6f, 0x6d, 0x82, 0x02, 0x00, 0xc7, 0x30, 0x0b, 0x06, 0x03, 0x55,
|
||||
0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x01, 0x06, 0x30, 0x32, 0x06, 0x08,
|
||||
0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01, 0x01, 0x04, 0x26, 0x30, 0x24,
|
||||
0x30, 0x22, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01,
|
||||
0x86, 0x16, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x31, 0x32, 0x37,
|
||||
0x2e, 0x30, 0x2e, 0x30, 0x2e, 0x31, 0x3a, 0x32, 0x32, 0x32, 0x32, 0x30,
|
||||
0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
|
||||
0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x35, 0xb1, 0xf0, 0x64,
|
||||
0x89, 0xfe, 0x7e, 0xb3, 0x5f, 0x80, 0x15, 0x57, 0xa0, 0x8f, 0xcd, 0xfc,
|
||||
0xa0, 0x2d, 0x36, 0x29, 0x39, 0xa3, 0xee, 0xd6, 0xc0, 0xf3, 0xc2, 0xe6,
|
||||
0x31, 0x2e, 0xce, 0x9b, 0xd4, 0xa1, 0x3e, 0xdc, 0xc7, 0x0d, 0x2a, 0xae,
|
||||
0x72, 0xc6, 0xfa, 0xee, 0x77, 0xd7, 0x4b, 0x98, 0xc0, 0x32, 0x7e, 0xd2,
|
||||
0x54, 0x3f, 0x41, 0x34, 0x09, 0x22, 0xf3, 0x34, 0xdb, 0xff, 0x4e, 0x35,
|
||||
0x79, 0x15, 0x50, 0xfa, 0xe2, 0xbd, 0x37, 0x1c, 0x0e, 0xdc, 0x4e, 0xb1,
|
||||
0x5a, 0x5d, 0xfd, 0xbe, 0xbf, 0xd1, 0x75, 0x02, 0x9a, 0xa8, 0x61, 0xda,
|
||||
0xd4, 0xf1, 0x35, 0xb3, 0x7e, 0x9d, 0x10, 0x29, 0xa8, 0xcd, 0x50, 0x7c,
|
||||
0x3c, 0x89, 0x5e, 0xa1, 0xb2, 0x51, 0xe6, 0xd8, 0x4d, 0xdd, 0xcc, 0x3d,
|
||||
0xb9, 0x8e, 0x5b, 0x20, 0x51, 0x33, 0xe0, 0x03, 0x57, 0xe0, 0xf7, 0x5b,
|
||||
0xbe, 0x85, 0x64, 0xa7, 0x8c, 0x6d, 0x40, 0x56, 0xcd, 0x78, 0x4f, 0x6d,
|
||||
0xdc, 0x04, 0xf2, 0x4a, 0xf3, 0xa1, 0x29, 0x3b, 0x64, 0xe5, 0xdb, 0xa0,
|
||||
0x98, 0x80, 0xc8, 0x6b, 0x12, 0x25, 0x4c, 0x18, 0x40, 0x2a, 0xce, 0xb6,
|
||||
0x94, 0xfe, 0x58, 0xbb, 0x35, 0x91, 0x22, 0x36, 0xd7, 0x29, 0x70, 0x53,
|
||||
0x2e, 0x8b, 0xbe, 0xe3, 0xb7, 0x08, 0xd3, 0xa8, 0x66, 0x19, 0xff, 0x69,
|
||||
0xf0, 0xc8, 0x8f, 0xb6, 0xea, 0x21, 0xbc, 0x41, 0x08, 0x92, 0x42, 0x89,
|
||||
0xfd, 0xd9, 0x3a, 0x9c, 0x42, 0x4b, 0xc4, 0x2e, 0x81, 0x4f, 0x63, 0x54,
|
||||
0x95, 0x88, 0xd9, 0x56, 0x66, 0x08, 0xdc, 0x73, 0x56, 0x6a, 0x97, 0x5e,
|
||||
0x09, 0xe5, 0xfa, 0xd2, 0x52, 0x3b, 0x7f, 0xbd, 0x3b, 0x1b, 0xbb, 0xf1,
|
||||
0x74, 0x51, 0x71, 0x30, 0xf3, 0xce, 0x1c, 0x21, 0x75, 0x89, 0x97, 0x7f,
|
||||
0xe4, 0x38, 0xf7, 0x3e, 0x66, 0xc3, 0x20, 0xf3, 0xc0, 0xf3, 0x38, 0xc9,
|
||||
};
|
||||
|
||||
unsigned char resp_bad[] = {
|
||||
0x30, 0x82, 0x01, 0xa9, 0xa0, 0x82, 0x01, 0xa5, 0x30, 0x82, 0x01, 0xa1,
|
||||
0x06, 0x09, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x01, 0x04,
|
||||
|
||||
+16
-14
@@ -23260,17 +23260,15 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm,
|
||||
}
|
||||
|
||||
#ifdef HAVE_OCSP
|
||||
if (type != CA_TYPE &&
|
||||
type != TRUSTED_PEER_TYPE) {
|
||||
/* Need the CA's public key hash for OCSP */
|
||||
if (cert->ca) {
|
||||
XMEMCPY(cert->issuerKeyHash, cert->ca->subjectKeyHash,
|
||||
KEYID_SIZE);
|
||||
}
|
||||
else if (cert->selfSigned) {
|
||||
XMEMCPY(cert->issuerKeyHash, cert->subjectKeyHash,
|
||||
KEYID_SIZE);
|
||||
}
|
||||
/* Needed for OCSP requests, and for binding responder authorization
|
||||
* to CertID's issuerKeyHash when this cert becomes a Signer. */
|
||||
if (cert->ca) {
|
||||
XMEMCPY(cert->issuerKeyHash, cert->ca->subjectKeyHash,
|
||||
KEYID_SIZE);
|
||||
}
|
||||
else if (cert->selfSigned) {
|
||||
XMEMCPY(cert->issuerKeyHash, cert->subjectKeyHash,
|
||||
KEYID_SIZE);
|
||||
}
|
||||
#endif /* HAVE_OCSP */
|
||||
}
|
||||
@@ -23576,6 +23574,8 @@ int FillSigner(Signer* signer, DecodedCert* cert, int type, DerBuffer *der)
|
||||
#ifdef HAVE_OCSP
|
||||
XMEMCPY(signer->subjectKeyHash, cert->subjectKeyHash,
|
||||
KEYID_SIZE);
|
||||
XMEMCPY(signer->issuerKeyHash, cert->issuerKeyHash,
|
||||
KEYID_SIZE);
|
||||
#endif
|
||||
signer->keyUsage = cert->extKeyUsageSet ? cert->extKeyUsage
|
||||
: 0xFFFF;
|
||||
@@ -33666,7 +33666,8 @@ static int OcspRespCheck(OcspResponse *resp, Signer *responder, void* vp)
|
||||
return -1;
|
||||
|
||||
ret = CheckOcspResponder(resp, responder->subjectNameHash,
|
||||
responder->extKeyUsage, responder->issuerNameHash, vp);
|
||||
responder->subjectKeyHash, responder->extKeyUsage,
|
||||
responder->issuerNameHash, responder->issuerKeyHash, vp);
|
||||
if (ret != 0)
|
||||
return -1;
|
||||
|
||||
@@ -33754,8 +33755,9 @@ static int OcspCheckCert(OcspResponse *resp, int noVerify,
|
||||
|
||||
#ifndef WOLFSSL_NO_OCSP_ISSUER_CHECK
|
||||
if (ret == 0 && !noVerify) {
|
||||
ret = CheckOcspResponder(resp, cert->subjectHash, cert->extExtKeyUsage,
|
||||
cert->issuerHash, cm);
|
||||
ret = CheckOcspResponder(resp, cert->subjectHash, cert->subjectKeyHash,
|
||||
cert->extExtKeyUsage, cert->issuerHash,
|
||||
(cert->ca != NULL) ? cert->ca->subjectKeyHash : NULL, cm);
|
||||
if (ret != 0) {
|
||||
WOLFSSL_MSG("\tOCSP Responder certificate issuer check failed");
|
||||
goto err;
|
||||
|
||||
+3
-2
@@ -74,8 +74,9 @@ WOLFSSL_LOCAL int CheckOcspResponse(WOLFSSL_OCSP *ocsp, byte *response, int resp
|
||||
OcspEntry *entry, OcspRequest *ocspRequest,
|
||||
void* heap);
|
||||
|
||||
WOLFSSL_LOCAL int CheckOcspResponder(OcspResponse *bs, byte* subjectHash,
|
||||
byte extExtKeyUsage, byte* issuerHash, void* vp);
|
||||
WOLFSSL_LOCAL int CheckOcspResponder(OcspResponse *bs, byte* subjectNameHash,
|
||||
byte* subjectKeyHash, byte extExtKeyUsage, byte* issuerNameHash,
|
||||
byte* issuerKeyHash, void* vp);
|
||||
|
||||
/* Allocates and initializes a WOLFSSL_OCSP object */
|
||||
WOLFSSL_API WOLFSSL_OCSP* wc_NewOCSP(WOLFSSL_CERT_MANAGER* cm);
|
||||
|
||||
@@ -2228,6 +2228,11 @@ struct Signer {
|
||||
#endif
|
||||
#ifdef HAVE_OCSP
|
||||
byte subjectKeyHash[KEYID_SIZE];
|
||||
byte issuerKeyHash[KEYID_SIZE]; /* subject key hash of the immediate
|
||||
* issuer CA (i.e. the parent that signed
|
||||
* this cert), used to bind OCSP CertID
|
||||
* issuerKeyHash matching during responder
|
||||
* authorization checks */
|
||||
#endif
|
||||
#if defined(WOLFSSL_AKID_NAME) || defined(HAVE_CRL)
|
||||
byte serialHash[SIGNER_DIGEST_SIZE]; /* serial number hash */
|
||||
|
||||
Reference in New Issue
Block a user