Merge pull request #10303 from julek-wolfssl/zd/21675

ocsp: bind responder authorization to CertID issuerKeyHash
This commit is contained in:
David Garske
2026-05-13 10:33:17 -07:00
committed by GitHub
16 changed files with 611 additions and 59 deletions
Binary file not shown.
+92
View File
@@ -0,0 +1,92 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 199 (0xc7)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Engineering, CN = wolfSSL root CA, emailAddress = info@wolfssl.com
Validity
Not Before: Apr 27 16:12:19 2026 GMT
Not After : Jan 21 16:12:19 2029 GMT
Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Engineering, CN = wolfSSL root CA, emailAddress = info@wolfssl.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:f3:c7:6e:93:4e:94:7d:9a:76:cb:3e:82:21:30:
a0:a5:4a:a2:6c:80:bf:e6:a0:7d:6c:cc:aa:e6:94:
f3:42:41:7f:1a:ba:5f:89:d2:84:67:81:4d:37:0b:
26:ed:f8:f1:be:84:f5:33:9f:be:98:d1:88:86:c1:
93:d3:8e:40:56:36:28:4f:14:c2:f7:a7:3b:ca:1d:
ae:59:6b:5f:79:54:b6:2e:6e:4d:7f:4c:71:0d:fb:
3a:6e:95:8f:96:44:3c:f2:91:01:cb:68:17:07:33:
97:cb:32:55:47:03:64:0c:4b:16:2e:20:f8:65:c7:
6a:52:e4:fd:a9:2d:de:39:0c:5f:1a:14:10:9d:c3:
2d:15:c4:88:2e:19:58:e1:fd:69:12:81:d2:af:f6:
62:44:b0:89:82:b5:f5:17:23:2b:73:8e:e3:55:14:
43:a5:4a:7e:cb:96:62:8f:96:bf:5f:c3:82:dc:86:
86:85:89:f8:8e:68:b2:ef:e5:2e:8c:b9:8d:56:13:
19:65:e9:79:c5:29:dc:89:0b:dd:23:35:fe:d5:48:
b6:2d:ad:ee:ee:6c:b8:3e:eb:79:1c:41:d1:b8:e5:
0e:2f:2d:cf:d7:65:fa:71:6f:60:9b:90:30:43:da:
c3:e2:1b:8f:da:ab:37:c5:38:88:6b:85:15:5b:24:
72:bf
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:TRUE
X509v3 Subject Key Identifier:
73:64:66:3E:9A:DE:12:EC:44:C2:5B:05:64:62:1D:63:23:43:55:E5
X509v3 Authority Key Identifier:
keyid:73:64:66:3E:9A:DE:12:EC:44:C2:5B:05:64:62:1D:63:23:43:55:E5
DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com
serial:C7
X509v3 Key Usage:
Certificate Sign, CRL Sign
Authority Information Access:
OCSP - URI:http://127.0.0.1:22220
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
35:b1:f0:64:89:fe:7e:b3:5f:80:15:57:a0:8f:cd:fc:a0:2d:
36:29:39:a3:ee:d6:c0:f3:c2:e6:31:2e:ce:9b:d4:a1:3e:dc:
c7:0d:2a:ae:72:c6:fa:ee:77:d7:4b:98:c0:32:7e:d2:54:3f:
41:34:09:22:f3:34:db:ff:4e:35:79:15:50:fa:e2:bd:37:1c:
0e:dc:4e:b1:5a:5d:fd:be:bf:d1:75:02:9a:a8:61:da:d4:f1:
35:b3:7e:9d:10:29:a8:cd:50:7c:3c:89:5e:a1:b2:51:e6:d8:
4d:dd:cc:3d:b9:8e:5b:20:51:33:e0:03:57:e0:f7:5b:be:85:
64:a7:8c:6d:40:56:cd:78:4f:6d:dc:04:f2:4a:f3:a1:29:3b:
64:e5:db:a0:98:80:c8:6b:12:25:4c:18:40:2a:ce:b6:94:fe:
58:bb:35:91:22:36:d7:29:70:53:2e:8b:be:e3:b7:08:d3:a8:
66:19:ff:69:f0:c8:8f:b6:ea:21:bc:41:08:92:42:89:fd:d9:
3a:9c:42:4b:c4:2e:81:4f:63:54:95:88:d9:56:66:08:dc:73:
56:6a:97:5e:09:e5:fa:d2:52:3b:7f:bd:3b:1b:bb:f1:74:51:
71:30:f3:ce:1c:21:75:89:97:7f:e4:38:f7:3e:66:c3:20:f3:
c0:f3:38:c9
-----BEGIN CERTIFICATE-----
MIIE6DCCA9CgAwIBAgICAMcwDQYJKoZIhvcNAQELBQAwgZcxCzAJBgNVBAYTAlVT
MRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYDVQQK
DAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEYMBYGA1UEAwwPd29sZlNT
TCByb290IENBMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMB4XDTI2
MDQyNzE2MTIxOVoXDTI5MDEyMTE2MTIxOVowgZcxCzAJBgNVBAYTAlVTMRMwEQYD
VQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYDVQQKDAd3b2xm
U1NMMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEYMBYGA1UEAwwPd29sZlNTTCByb290
IENBMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEA88duk06UfZp2yz6CITCgpUqibIC/5qB9bMyq
5pTzQkF/GrpfidKEZ4FNNwsm7fjxvoT1M5++mNGIhsGT045AVjYoTxTC96c7yh2u
WWtfeVS2Lm5Nf0xxDfs6bpWPlkQ88pEBy2gXBzOXyzJVRwNkDEsWLiD4ZcdqUuT9
qS3eOQxfGhQQncMtFcSILhlY4f1pEoHSr/ZiRLCJgrX1FyMrc47jVRRDpUp+y5Zi
j5a/X8OC3IaGhYn4jmiy7+UujLmNVhMZZel5xSnciQvdIzX+1Ui2La3u7my4Put5
HEHRuOUOLy3P12X6cW9gm5AwQ9rD4huP2qs3xTiIa4UVWyRyvwIDAQABo4IBOjCC
ATYwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUc2RmPpreEuxEwlsFZGIdYyNDVeUw
gcUGA1UdIwSBvTCBuoAUc2RmPpreEuxEwlsFZGIdYyNDVeWhgZ2kgZowgZcxCzAJ
BgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxl
MRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEYMBYGA1UE
AwwPd29sZlNTTCByb290IENBMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu
Y29tggIAxzALBgNVHQ8EBAMCAQYwMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzAB
hhZodHRwOi8vMTI3LjAuMC4xOjIyMjIwMA0GCSqGSIb3DQEBCwUAA4IBAQA1sfBk
if5+s1+AFVegj838oC02KTmj7tbA88LmMS7Om9ShPtzHDSqucsb67nfXS5jAMn7S
VD9BNAki8zTb/041eRVQ+uK9NxwO3E6xWl39vr/RdQKaqGHa1PE1s36dECmozVB8
PIleobJR5thN3cw9uY5bIFEz4ANX4PdbvoVkp4xtQFbNeE9t3ATySvOhKTtk5dug
mIDIaxIlTBhAKs62lP5YuzWRIjbXKXBTLou+47cI06hmGf9p8MiPtuohvEEIkkKJ
/dk6nEJLxC6BT2NUlYjZVmYI3HNWapdeCeX60lI7f707G7vxdFFxMPPOHCF1iZd/
5Dj3PmbDIPPA8zjJ
-----END CERTIFICATE-----
Binary file not shown.
+28
View File
@@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDzx26TTpR9mnbL
PoIhMKClSqJsgL/moH1szKrmlPNCQX8aul+J0oRngU03Cybt+PG+hPUzn76Y0YiG
wZPTjkBWNihPFML3pzvKHa5Za195VLYubk1/THEN+zpulY+WRDzykQHLaBcHM5fL
MlVHA2QMSxYuIPhlx2pS5P2pLd45DF8aFBCdwy0VxIguGVjh/WkSgdKv9mJEsImC
tfUXIytzjuNVFEOlSn7LlmKPlr9fw4LchoaFifiOaLLv5S6MuY1WExll6XnFKdyJ
C90jNf7VSLYtre7ubLg+63kcQdG45Q4vLc/XZfpxb2CbkDBD2sPiG4/aqzfFOIhr
hRVbJHK/AgMBAAECggEAI3Y/7hrQvALDxCYYLPbTb6gPP6RtBgITrMeLFtbVGi7H
7B3vdu+SRjJHhrnPFHARzoqt1rAmvDlC2IOBWxWG42OmcnaNNBR2PJ0btzNI5K//
fnqaOGnoykVhByQnio7rpMeWUL4YF3qYWr08LYPfQnCLzfMK31dmbp+UDM+402hi
HSGW/EZBbVrLLjVNUta1F7FKQYx2Eq3P+Xaga58thJAoILsJItyE0iI+qK9zVWmQ
xFkV99xKqpIq/IFWd86Z8QvrhZV2OdvF5uduUytfxz9Bql8dgK1dhDJvz2i3SPxV
oDDwo10gG7Hi0/lk2vIwsZUDci6eNn0BDLwVudClwQKBgQD+5nde7SM5J18MLNMp
EGFDLDCbcjFQoVuVRCVu1+mmO/7zC1ozwYtU+SzNmLvpvZYtUgDBlsAlP+rtsUOX
ltwhTI56mCGK3TbK3HvqCLz6O4K8ty2es6uDBezQagVygOoVG4AirHLlL4FeZ/S0
uvH48jWCqsdBL1NygNt4Kov9fwKBgQD01K6yGKwm6Hgvs/qtHA7kMaD0yQWelX4M
SJdf/Rjq3/Nh5Cpj8Peu8KIjomnkQisFHqHnAqAiy1IGo8NbjvM/H0JOSTWy2ths
l6zncle/uGXbjxqqfKecsqAOigXzJQhXtHvh+pSu5mOb+incKyAJ0ZpvAZFhcWIA
1LT12LyqwQKBgG1E4psg0N6pUAdqF8McsHUZNmUMmLNV2GquYdWYXSLTyUDq9uoE
5/OvNVOVS8ixavVWl9hlBU1yjwUB3lXXZ9omdVV8bbSXi+t+hOgYgtpKNIstgzLr
FnT+TzwwltE1DiOqPE2g20gAC1cq/S2UjjIHsoSnLO92mDEXp/1lT8mFAoGAYEY+
CASRtZ8Wm9OPUIFHDc7CN1/RGOI6NcRZ2kIhiULVZvoc/T3ld+JiL9cPAtZOKm44
RioPJH+FWt0M1jUpS/oTzcsWFaXfExy1vjGFdfuh+iuU1dO86W6IaA84dbtrQ2nS
iTNLQleQdeZyjYRbzeChdONN8t5uJlt+aWp4DkECgYAG5w5yilDcQedV231V1fcG
IgPLkrwUVNusevAe9Jzqs6L+GwCjuR1fQ7nxfRHZOwGQNz6sMQkhVc15PI5Oer+A
vbWDr93IlBjtrc6hYqMO3MwpNz2JKVF2T5+33lbS26dxhvzaXNVZdBdDtwIgCQ78
CBGsRUzILXd0N1/ou7ASOg==
-----END PRIVATE KEY-----
+4
View File
@@ -55,6 +55,10 @@ EXTRA_DIST += \
certs/ocsp/root-ca-cert.pem \
certs/ocsp/root-ca-cert.der \
certs/ocsp/root-ca-crl.pem \
certs/ocsp/imposter-root-ca-key.pem \
certs/ocsp/imposter-root-ca-key.der \
certs/ocsp/imposter-root-ca-cert.pem \
certs/ocsp/imposter-root-ca-cert.der \
certs/ocsp/test-response.der \
certs/ocsp/test-response-rsapss.der \
certs/ocsp/test-response-nointern.der \
+24
View File
@@ -60,6 +60,30 @@ rm root-ca-cert.csr
openssl x509 -in root-ca-cert.pem -text > tmp.pem
mv tmp.pem root-ca-cert.pem
# imposter-root-ca: self-signed cert sharing the legitimate root-ca DN but
# with a different key. Used to test that OCSP responder authorization is
# bound to the CertID issuerKeyHash, not just the issuer name.
openssl req \
-new \
-config "$WOLF_REQ_CONF" \
-key imposter-root-ca-key.pem \
-out imposter-root-ca-cert.csr \
-subj "/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com"
openssl x509 \
-req -in imposter-root-ca-cert.csr \
-extfile $1 \
-extensions v3_ca \
-days 1000 \
-signkey imposter-root-ca-key.pem \
-set_serial 199 \
-out imposter-root-ca-cert.pem \
-sha256
rm imposter-root-ca-cert.csr
openssl x509 -in imposter-root-ca-cert.pem -text > imposter-root-ca-cert_tmp.pem
mv imposter-root-ca-cert_tmp.pem imposter-root-ca-cert.pem
update_cert intermediate1-ca "wolfSSL intermediate CA 1" root-ca v3_ca 01 $1
update_cert intermediate2-ca "wolfSSL intermediate CA 2" root-ca v3_ca 02 $1
update_cert intermediate3-ca "wolfSSL REVOKED intermediate CA" root-ca v3_ca 03 $1 # REVOKED
+37
View File
@@ -54,6 +54,43 @@ check_result $? ""
openssl rsa -in root-ca-key.pem -outform DER -out root-ca-key.der
check_result $? ""
# imposter-root-ca: self-signed cert sharing the legitimate root-ca DN but with
# a different key. Used to test that OCSP responder authorization is bound to
# the CertID issuerKeyHash, not just the issuer name.
echo "OCSP renew certs imposter root step 1"
openssl req \
-new \
-key imposter-root-ca-key.pem \
-out imposter-root-ca-cert.csr \
-config ../renewcerts/wolfssl.cnf \
-subj "/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com"
check_result $? ""
echo "OCSP renew certs imposter root step 2"
openssl x509 \
-req -in imposter-root-ca-cert.csr \
-extfile openssl.cnf \
-extensions v3_ca \
-days 1000 \
-signkey imposter-root-ca-key.pem \
-set_serial 199 \
-out imposter-root-ca-cert.pem
check_result $? ""
rm imposter-root-ca-cert.csr
echo "OCSP renew certs imposter root step 3"
openssl x509 -in imposter-root-ca-cert.pem -text > tmp.pem
check_result $? ""
mv tmp.pem imposter-root-ca-cert.pem
echo "OCSP renew certs imposter root step 4"
openssl x509 -in imposter-root-ca-cert.pem -outform DER \
-out imposter-root-ca-cert.der
check_result $? ""
openssl rsa -in imposter-root-ca-key.pem -outform DER \
-out imposter-root-ca-key.der
check_result $? ""
# $1 cert, $2 name, $3 ca, $4 extensions, $5 serial
update_cert() {
echo "Updating certificate \"$1-cert.pem\""
+57 -43
View File
@@ -584,8 +584,8 @@ int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest,
}
#ifndef WOLFSSL_NO_OCSP_ISSUER_CHAIN_CHECK
static int CheckOcspResponderChain(OcspEntry* single, byte* issuerHash,
void* vp, Signer* pendingCAs) {
static int CheckOcspResponderChain(OcspEntry* single, byte* issuerNameHash,
byte* issuerKeyHash, void* vp, Signer* pendingCAs) {
/* Attempt to build a chain up to cert's issuer */
WOLFSSL_CERT_MANAGER* cm = (WOLFSSL_CERT_MANAGER*)vp;
Signer* ca = NULL;
@@ -602,54 +602,61 @@ static int CheckOcspResponderChain(OcspEntry* single, byte* issuerHash,
* in OCSP request
*/
/* Walk up the issuer chain from the responder's direct issuer toward a
* self-signed root, capturing prev before reassigning ca so the
* (ca == prev) self-signed termination check is meaningful. */
ca = GetCAByName(cm, single->issuerHash);
if (issuerKeyHash == NULL)
return 0;
/* Select CertID issuer by key hash so a same-DN / different-key trust
* anchor cannot hijack the starting point. */
ca = GetCAByKeyHash(cm, single->issuerKeyHash);
if (ca != NULL && XMEMCMP(ca->subjectNameHash, single->issuerHash,
OCSP_DIGEST_SIZE) != 0) {
ca = NULL;
}
#if defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
if (ca == NULL && pendingCAs != NULL) {
ca = findSignerByName(pendingCAs, single->issuerHash);
ca = findSignerByKeyHash(pendingCAs, single->issuerKeyHash);
if (ca != NULL && XMEMCMP(ca->subjectNameHash, single->issuerHash,
OCSP_DIGEST_SIZE) != 0) {
ca = NULL;
}
}
#else
(void)pendingCAs;
#endif
while (ca != NULL) {
if (XMEMCMP(issuerHash, ca->issuerNameHash, OCSP_DIGEST_SIZE) == 0) {
for (; ca != NULL && ca != prev;
prev = ca) {
Signer* parent = GetCAByName(cm, ca->issuerNameHash);
#if defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
if (parent == NULL && pendingCAs != NULL) {
parent = findSignerByName(pendingCAs, ca->issuerNameHash);
}
#endif
if (parent == NULL || parent == ca)
break;
if (XMEMCMP(parent->subjectNameHash, issuerNameHash,
OCSP_DIGEST_SIZE) == 0 &&
XMEMCMP(parent->subjectKeyHash, issuerKeyHash,
KEYID_SIZE) == 0) {
WOLFSSL_MSG("\tOCSP Response signed by authorized "
"responder delegated by issuer "
"(found in chain)");
passed = 1;
break;
}
prev = ca;
ca = GetCAByName(cm, prev->issuerNameHash);
#if defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
/* Look up by the in-flight name (prev's issuer), not by
* single->issuerHash; the latter would re-anchor the pendingCAs
* walk to the bottom of the chain on every iteration. */
if (ca == NULL && pendingCAs != NULL) {
ca = findSignerByName(pendingCAs, prev->issuerNameHash);
}
#endif
if (ca == prev) {
break;
}
ca = parent;
}
return passed;
}
#endif
/**
* Enforce https://www.rfc-editor.org/rfc/rfc6960#section-4.2.2.2
* @param bs The basic OCSP response to verify
* @param subjectHash The subject key hash of the OCSP responder certificate
* @param extExtKeyUsage The extended key usage bits of the responder certificate
* @param issuerHash The issuer name hash of the OCSP responder certificate
* @param vp Unused (reserved for future use)
* @return 1 if the responder is authorized to sign the response, 0 otherwise
*/
int CheckOcspResponder(OcspResponse *bs, byte* subjectHash,
byte extExtKeyUsage, byte* issuerHash, void* vp)
/* Enforce https://www.rfc-editor.org/rfc/rfc6960#section-4.2.2.2. Both halves
* of CertID (issuerNameHash and issuerKeyHash) must match; name-only matching
* would authorize a same-DN / different-key CA. issuerKeyHash may be NULL when
* unavailable, which disables the delegated branch. */
int CheckOcspResponder(OcspResponse *bs, byte* subjectNameHash,
byte* subjectKeyHash, byte extExtKeyUsage, byte* issuerNameHash,
byte* issuerKeyHash, void* vp)
{
int ret = 0;
OcspEntry* single;
@@ -664,29 +671,34 @@ int CheckOcspResponder(OcspResponse *bs, byte* subjectHash,
/* In the future if this API is used more then it could be beneficial to
* implement calling InitDecodedCert and ParseCertRelative here
* automatically when cert == NULL. */
if (bs == NULL || subjectHash == NULL || issuerHash == NULL)
if (bs == NULL || subjectNameHash == NULL || issuerNameHash == NULL)
return BAD_FUNC_ARG;
/* Traverse the list and check that the cert has the authority to provide
* an OCSP response for each entry. */
for (single = bs->single; single != NULL; single = single->next) {
int passed = 0;
if (XMEMCMP(subjectHash, single->issuerHash, OCSP_DIGEST_SIZE) == 0) {
if (subjectKeyHash != NULL &&
XMEMCMP(subjectNameHash, single->issuerHash,
OCSP_DIGEST_SIZE) == 0 &&
XMEMCMP(subjectKeyHash, single->issuerKeyHash,
KEYID_SIZE) == 0) {
WOLFSSL_MSG("\tOCSP Response signed by issuer");
passed = 1;
}
else if ((extExtKeyUsage & EXTKEYUSE_OCSP_SIGN) != 0) {
if (XMEMCMP(issuerHash, single->issuerHash, OCSP_DIGEST_SIZE)
== 0) {
if (issuerKeyHash != NULL &&
XMEMCMP(issuerNameHash, single->issuerHash,
OCSP_DIGEST_SIZE) == 0 &&
XMEMCMP(issuerKeyHash, single->issuerKeyHash,
KEYID_SIZE) == 0) {
WOLFSSL_MSG("\tOCSP Response signed by authorized responder "
"delegated by issuer");
passed = 1;
}
#ifndef WOLFSSL_NO_OCSP_ISSUER_CHAIN_CHECK
else if (vp != NULL) {
passed = CheckOcspResponderChain(single, issuerHash, vp,
bs->pendingCAs);
passed = CheckOcspResponderChain(single, issuerNameHash,
issuerKeyHash, vp, bs->pendingCAs);
}
#endif
}
@@ -1090,8 +1102,10 @@ static int OcspVerifySigner(WOLFSSL_OCSP_BASICRESP *resp, DecodedCert *cert,
}
#ifndef WOLFSSL_NO_OCSP_ISSUER_CHECK
if ((flags & WOLFSSL_OCSP_NOCHECKS) == 0) {
ret = CheckOcspResponder(resp, c->subjectHash, c->extExtKeyUsage,
c->issuerHash, st->cm);
ret = CheckOcspResponder(resp, c->subjectHash, c->subjectKeyHash,
c->extExtKeyUsage, c->issuerHash,
(c->ca != NULL) ? c->ca->subjectKeyHash : NULL,
st->cm);
}
else {
ret = 0;
+1
View File
@@ -40751,6 +40751,7 @@ TEST_CASE testCases[] = {
TEST_DECL(test_wolfSSL_inject),
TEST_DECL(test_ocsp_status_callback),
TEST_DECL(test_ocsp_basic_verify),
TEST_DECL(test_ocsp_responder_keyhash_binding),
TEST_DECL(test_ocsp_response_parsing),
TEST_DECL(test_ocsp_certid_enc_dec),
TEST_DECL(test_ocsp_certid_dup),
+40
View File
@@ -266,6 +266,23 @@ def create_response(rd: dict) -> rfc6960.OCSPResponse:
for entry in rd.get('responses', []):
if entry.get('certificate'):
sr = single_response_from_cert(entry['certificate'], entry['status'])
elif entry.get('name_cert') and entry.get('key_cert'):
# Forge a CertID where issuerNameHash and issuerKeyHash are taken
# from different certificates. Used to test that responder
# authorization is bound to BOTH halves of the CertID.
name_der = cert_pem_to_der(entry['name_cert'])
name_cert, _ = decode(bytes(name_der), asn1Spec=rfc6960.Certificate())
key_der = cert_pem_to_der(entry['key_cert'])
key_cert, _ = decode(bytes(key_der), asn1Spec=rfc6960.Certificate())
issuer_name_hash = sha1(encode(get_name(name_cert))).digest()
issuer_key_hash = sha1(get_key(key_cert).asOctets()).digest()
cid = cert_id_from_hash(issuer_name_hash, issuer_key_hash,
entry['serial'])
sr = rfc6960.SingleResponse().clone()
sr.setComponentByName('certID', cid)
sr['certStatus'] = cert_status(entry['status'])
sr['thisUpdate'] = useful.GeneralizedTime().fromDateTime(
datetime.now() - timedelta(days=1))
else:
sr = single_response(entry['issuer_cert'], entry['serial'], entry['status'])
responses.append(sr)
@@ -480,6 +497,28 @@ if __name__ == '__main__':
'responder_key': WOLFSSL_OCSP_CERT_PATH + '../ca-key.pem',
'name': 'resp_server_cert_unknown'
},
{
# Forged response: CertID's issuerNameHash points at the legitimate
# root CA, but issuerKeyHash points at the imposter root CA (same
# DN, different key). Signed by the legitimate ocsp-responder so
# the response signature alone verifies. Used to confirm that
# responder authorization rejects mismatched CertID halves.
'response_status': 0,
'signature_algorithm': signature_algorithm(),
'certs_path': [WOLFSSL_OCSP_CERT_PATH + 'ocsp-responder-cert.pem'],
'responder_by_name': True,
'responses': [
{
'name_cert': WOLFSSL_OCSP_CERT_PATH + 'root-ca-cert.pem',
'key_cert': WOLFSSL_OCSP_CERT_PATH +
'imposter-root-ca-cert.pem',
'serial': 0x01,
'status': CERT_GOOD
}
],
'responder_key': WOLFSSL_OCSP_CERT_PATH + 'ocsp-responder-key.pem',
'name': 'resp_certid_keyhash_mismatch'
},
]
with open('./tests/api/test_ocsp_test_blobs.h', 'w') as f:
@@ -517,6 +556,7 @@ if __name__ == '__main__':
add_certificate(WOLFSSL_OCSP_CERT_PATH + '../ca-cert.pem', f)
add_certificate(WOLFSSL_OCSP_CERT_PATH + '../server-cert.pem', f)
add_certificate(WOLFSSL_OCSP_CERT_PATH + 'intermediate1-ca-cert.pem', f)
add_certificate(WOLFSSL_OCSP_CERT_PATH + 'imposter-root-ca-cert.pem', f)
br = create_bad_response({
'response_status': 0,
'responder_by_key': True,
+42
View File
@@ -382,6 +382,48 @@ int test_ocsp_basic_verify(void)
}
#endif /* HAVE_OCSP && (OPENSSL_ALL || OPENSSL_EXTRA) */
#if defined(HAVE_OCSP) && (defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA)) && \
!defined(NO_RSA) && !defined(WOLFSSL_NO_OCSP_ISSUER_CHECK)
/* Verify that OCSP responder authorization is bound to BOTH halves of the
* CertID (issuerNameHash AND issuerKeyHash). The forged response in
* resp_certid_keyhash_mismatch was signed by the legitimate ocsp-responder
* (so the response signature itself verifies) but its CertID pairs the
* legitimate root CA's name hash with the imposter root CA's key hash. With
* a name-only authorization check the response would be incorrectly
* accepted; the CertID-bound check must reject it. */
int test_ocsp_responder_keyhash_binding(void)
{
EXPECT_DECLS;
WOLF_STACK_OF(WOLFSSL_X509)* certs = NULL;
WOLFSSL_X509_STORE* store = NULL;
const unsigned char* ptr = NULL;
OcspResponse* response = NULL;
ExpectIntEQ(test_ocsp_create_x509store(&store, root_ca_cert_pem,
sizeof(root_ca_cert_pem)),
TEST_SUCCESS);
ExpectIntEQ(test_create_stack_of_x509(&certs, ocsp_responder_cert_pem,
sizeof(ocsp_responder_cert_pem)),
TEST_SUCCESS);
ptr = (const unsigned char*)resp_certid_keyhash_mismatch;
ExpectNotNull(response = wolfSSL_d2i_OCSP_RESPONSE(NULL, &ptr,
sizeof(resp_certid_keyhash_mismatch)));
ExpectIntNE(wolfSSL_OCSP_basic_verify(response, certs, store, 0),
WOLFSSL_SUCCESS);
wolfSSL_OCSP_RESPONSE_free(response);
wolfSSL_sk_X509_pop_free(certs, wolfSSL_X509_free);
wolfSSL_X509_STORE_free(store);
return EXPECT_RESULT();
}
#else
int test_ocsp_responder_keyhash_binding(void)
{
return TEST_SKIPPED;
}
#endif
#if defined(HAVE_OCSP) && defined(HAVE_SSL_MEMIO_TESTS_DEPENDENCIES) && \
defined(HAVE_CERTIFICATE_STATUS_REQUEST) && !defined(WOLFSSL_NO_TLS12) && \
defined(OPENSSL_ALL) && !defined(WOLFSSL_SMALL_CERT_VERIFY)
+1
View File
@@ -26,6 +26,7 @@ int test_ocsp_certid_enc_dec(void);
int test_ocsp_certid_dup(void);
int test_ocsp_status_callback(void);
int test_ocsp_basic_verify(void);
int test_ocsp_responder_keyhash_binding(void);
int test_ocsp_response_parsing(void);
int test_ocsp_tls_cert_cb(void);
int test_ocsp_cert_unknown_crl_fallback(void);
+261
View File
@@ -1414,6 +1414,159 @@ unsigned char resp_server_cert_unknown[] = {
0x4f, 0x6b, 0xb9, 0xec, 0xc8, 0x29,
};
unsigned char resp_certid_keyhash_mismatch[] = {
0x30, 0x82, 0x07, 0x04, 0x0a, 0x01, 0x00, 0xa0, 0x82, 0x06, 0xfd, 0x30,
0x82, 0x06, 0xf9, 0x06, 0x09, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30,
0x01, 0x01, 0x04, 0x82, 0x06, 0xea, 0x30, 0x82, 0x06, 0xe6, 0x30, 0x82,
0x01, 0x06, 0xa1, 0x81, 0xa1, 0x30, 0x81, 0x9e, 0x31, 0x0b, 0x30, 0x09,
0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30,
0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x57, 0x61, 0x73, 0x68,
0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03,
0x55, 0x04, 0x07, 0x0c, 0x07, 0x53, 0x65, 0x61, 0x74, 0x74, 0x6c, 0x65,
0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x07, 0x77,
0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03,
0x55, 0x04, 0x0b, 0x0c, 0x0b, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65,
0x72, 0x69, 0x6e, 0x67, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x04,
0x03, 0x0c, 0x16, 0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x20, 0x4f,
0x43, 0x53, 0x50, 0x20, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x64, 0x65,
0x72, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, 0x66, 0x6f, 0x40, 0x77,
0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x18, 0x0f,
0x32, 0x30, 0x32, 0x36, 0x30, 0x34, 0x32, 0x36, 0x31, 0x38, 0x32, 0x36,
0x33, 0x32, 0x5a, 0x30, 0x4f, 0x30, 0x4d, 0x30, 0x38, 0x30, 0x07, 0x06,
0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x04, 0x14, 0x44, 0xa8, 0xdb, 0xd1,
0xbc, 0x97, 0x0a, 0x83, 0x3b, 0x5b, 0x31, 0x9a, 0x4c, 0xb8, 0xd2, 0x52,
0x37, 0x15, 0x8a, 0x88, 0x04, 0x14, 0x73, 0x64, 0x66, 0x3e, 0x9a, 0xde,
0x12, 0xec, 0x44, 0xc2, 0x5b, 0x05, 0x64, 0x62, 0x1d, 0x63, 0x23, 0x43,
0x55, 0xe5, 0x02, 0x01, 0x01, 0x80, 0x00, 0x18, 0x0f, 0x32, 0x30, 0x32,
0x36, 0x30, 0x34, 0x32, 0x36, 0x31, 0x38, 0x32, 0x36, 0x33, 0x32, 0x5a,
0x30, 0x0b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
0x0b, 0x03, 0x82, 0x01, 0x01, 0x00, 0x45, 0x7f, 0xe9, 0x4a, 0x3b, 0x66,
0x29, 0x88, 0xfb, 0x2a, 0xce, 0x7a, 0xd4, 0xcf, 0xe0, 0x98, 0xec, 0xd4,
0x52, 0xb4, 0x98, 0x95, 0xd1, 0x0a, 0x60, 0x37, 0xae, 0x48, 0x9d, 0xc9,
0x93, 0x49, 0xb1, 0x39, 0x2e, 0x03, 0x66, 0xb4, 0x97, 0x21, 0xc9, 0x60,
0x1b, 0xda, 0x7d, 0xbd, 0x64, 0xb3, 0xf1, 0xc6, 0x73, 0xff, 0x48, 0xb1,
0x5c, 0xe0, 0xa1, 0x2d, 0xd7, 0xab, 0x4e, 0x15, 0x51, 0x78, 0xab, 0x8c,
0x1c, 0x47, 0x0f, 0x03, 0xfe, 0x49, 0xe2, 0x80, 0x94, 0xfe, 0x03, 0x62,
0x16, 0x09, 0xf8, 0xda, 0x12, 0x12, 0x08, 0xf6, 0x8e, 0xea, 0x8e, 0x7c,
0xdf, 0xbf, 0x17, 0xe2, 0xe8, 0x34, 0xb7, 0xef, 0x54, 0x51, 0xb1, 0x0e,
0xd4, 0xec, 0x47, 0xcb, 0x3b, 0xc4, 0x1b, 0x7e, 0xd0, 0x2e, 0x61, 0x83,
0x35, 0x1b, 0xec, 0x0d, 0xc0, 0xea, 0x62, 0xa2, 0x92, 0x8b, 0xff, 0x2e,
0x6b, 0x96, 0x94, 0x29, 0x28, 0xe0, 0x7d, 0x33, 0x77, 0x09, 0xa4, 0xc4,
0xd3, 0x89, 0x9d, 0x34, 0xce, 0xbc, 0xff, 0x46, 0xbf, 0x14, 0x7c, 0x87,
0xdf, 0x96, 0xb8, 0xe9, 0x2d, 0x79, 0x49, 0xba, 0x9b, 0xcf, 0xf6, 0x86,
0x13, 0x04, 0xab, 0x9f, 0x93, 0xf5, 0x3c, 0x01, 0x06, 0x05, 0x39, 0xa4,
0xeb, 0xbc, 0xb2, 0x6b, 0xf9, 0x38, 0x60, 0xeb, 0xfd, 0x96, 0xf3, 0x85,
0xb4, 0xca, 0x89, 0xf9, 0x16, 0x8a, 0xdd, 0x9c, 0xbc, 0x13, 0x75, 0xe8,
0x5e, 0x86, 0x50, 0x5b, 0x29, 0x12, 0x7f, 0xbc, 0xfc, 0xe1, 0xf3, 0x10,
0xb3, 0xf6, 0x20, 0x42, 0xe0, 0x58, 0xbc, 0x78, 0x87, 0x14, 0x56, 0xf4,
0x68, 0xe4, 0x34, 0x11, 0xe9, 0x9e, 0x16, 0x17, 0x9f, 0x43, 0xe3, 0x69,
0xcf, 0x91, 0x33, 0xfb, 0x2e, 0xef, 0x0a, 0xd0, 0xd5, 0x10, 0x32, 0x69,
0x82, 0xe6, 0x50, 0x73, 0xfb, 0x58, 0x2d, 0x25, 0x56, 0x97, 0xa0, 0x82,
0x04, 0xc6, 0x30, 0x82, 0x04, 0xc2, 0x30, 0x82, 0x04, 0xbe, 0x30, 0x82,
0x03, 0xa6, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x01, 0x04, 0x30, 0x0d,
0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05,
0x00, 0x30, 0x81, 0x97, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04,
0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55,
0x04, 0x08, 0x0c, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74,
0x6f, 0x6e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c,
0x07, 0x53, 0x65, 0x61, 0x74, 0x74, 0x6c, 0x65, 0x31, 0x10, 0x30, 0x0e,
0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x07, 0x77, 0x6f, 0x6c, 0x66, 0x53,
0x53, 0x4c, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c,
0x0b, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67,
0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x77,
0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x20, 0x72, 0x6f, 0x6f, 0x74, 0x20,
0x43, 0x41, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, 0x66, 0x6f, 0x40,
0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x30,
0x1e, 0x17, 0x0d, 0x32, 0x35, 0x31, 0x31, 0x31, 0x33, 0x32, 0x30, 0x34,
0x31, 0x33, 0x35, 0x5a, 0x17, 0x0d, 0x32, 0x38, 0x30, 0x38, 0x30, 0x39,
0x32, 0x30, 0x34, 0x31, 0x33, 0x35, 0x5a, 0x30, 0x81, 0x9e, 0x31, 0x0b,
0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31,
0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x57, 0x61,
0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30, 0x0e,
0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x07, 0x53, 0x65, 0x61, 0x74, 0x74,
0x6c, 0x65, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c,
0x07, 0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x31, 0x14, 0x30, 0x12,
0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x0b, 0x45, 0x6e, 0x67, 0x69, 0x6e,
0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x03,
0x55, 0x04, 0x03, 0x0c, 0x16, 0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c,
0x20, 0x4f, 0x43, 0x53, 0x50, 0x20, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e,
0x64, 0x65, 0x72, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48,
0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, 0x66, 0x6f,
0x40, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d,
0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00,
0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xb8, 0xba, 0x23,
0xb4, 0xf6, 0xc3, 0x7b, 0x14, 0xc3, 0xa4, 0xf5, 0x1d, 0x61, 0xa1, 0xf5,
0x1e, 0x63, 0xb9, 0x85, 0x23, 0x34, 0x50, 0x6d, 0xf8, 0x7c, 0xa2, 0x8a,
0x04, 0x8b, 0xd5, 0x75, 0x5c, 0x2d, 0xf7, 0x63, 0x88, 0xd1, 0x07, 0x7a,
0xea, 0x0b, 0x45, 0x35, 0x2b, 0xeb, 0x1f, 0xb1, 0x22, 0xb4, 0x94, 0x41,
0x38, 0xe2, 0x9d, 0x74, 0xd6, 0x8b, 0x30, 0x22, 0x10, 0x51, 0xc5, 0xdb,
0xca, 0x3f, 0x46, 0x2b, 0xfe, 0xe5, 0x5a, 0x3f, 0x41, 0x74, 0x67, 0x75,
0x95, 0xa9, 0x94, 0xd5, 0xc3, 0xee, 0x42, 0xf8, 0x8d, 0xeb, 0x92, 0x95,
0xe1, 0xd9, 0x65, 0xb7, 0x43, 0xc4, 0x18, 0xde, 0x16, 0x80, 0x90, 0xce,
0x24, 0x35, 0x21, 0xc4, 0x55, 0xac, 0x5a, 0x51, 0xe0, 0x2e, 0x2d, 0xb3,
0x0a, 0x5a, 0x4f, 0x4a, 0x73, 0x31, 0x50, 0xee, 0x4a, 0x16, 0xbd, 0x39,
0x8b, 0xad, 0x05, 0x48, 0x87, 0xb1, 0x99, 0xe2, 0x10, 0xa7, 0x06, 0x72,
0x67, 0xca, 0x5c, 0xd1, 0x97, 0xbd, 0xc8, 0xf1, 0x76, 0xf8, 0xe0, 0x4a,
0xec, 0xbc, 0x93, 0xf4, 0x66, 0x4c, 0x28, 0x71, 0xd1, 0xd8, 0x66, 0x03,
0xb4, 0x90, 0x30, 0xbb, 0x17, 0xb0, 0xfe, 0x97, 0xf5, 0x1e, 0xe8, 0xc7,
0x5d, 0x9b, 0x8b, 0x11, 0x19, 0x12, 0x3c, 0xab, 0x82, 0x71, 0x78, 0xff,
0xae, 0x3f, 0x32, 0xb2, 0x08, 0x71, 0xb2, 0x1b, 0x8c, 0x27, 0xac, 0x11,
0xb8, 0xd8, 0x43, 0x49, 0xcf, 0xb0, 0x70, 0xb1, 0xf0, 0x8c, 0xae, 0xda,
0x24, 0x87, 0x17, 0x3b, 0xd8, 0x04, 0x65, 0x6c, 0x00, 0x76, 0x50, 0xef,
0x15, 0x08, 0xd7, 0xb4, 0x73, 0x68, 0x26, 0x14, 0x87, 0x95, 0xc3, 0x5f,
0x6e, 0x61, 0xb8, 0x87, 0x84, 0xfa, 0x80, 0x1a, 0x0a, 0x8b, 0x98, 0xf3,
0xe3, 0xff, 0x4e, 0x44, 0x1c, 0x65, 0x74, 0x7c, 0x71, 0x54, 0x65, 0xe5,
0x39, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x0a, 0x30, 0x82,
0x01, 0x06, 0x30, 0x09, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x02, 0x30,
0x00, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14,
0x32, 0x67, 0xe1, 0xb1, 0x79, 0xd2, 0x81, 0xfc, 0x9f, 0x23, 0x0c, 0x70,
0x40, 0x50, 0xb5, 0x46, 0x56, 0xb8, 0x30, 0x36, 0x30, 0x81, 0xc4, 0x06,
0x03, 0x55, 0x1d, 0x23, 0x04, 0x81, 0xbc, 0x30, 0x81, 0xb9, 0x80, 0x14,
0x73, 0xb0, 0x1c, 0xa4, 0x2f, 0x82, 0xcb, 0xcf, 0x47, 0xa5, 0x38, 0xd7,
0xb0, 0x04, 0x82, 0x3a, 0x7e, 0x72, 0x15, 0x21, 0xa1, 0x81, 0x9d, 0xa4,
0x81, 0x9a, 0x30, 0x81, 0x97, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55,
0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03,
0x55, 0x04, 0x08, 0x0c, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67,
0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07,
0x0c, 0x07, 0x53, 0x65, 0x61, 0x74, 0x74, 0x6c, 0x65, 0x31, 0x10, 0x30,
0x0e, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x07, 0x77, 0x6f, 0x6c, 0x66,
0x53, 0x53, 0x4c, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0b,
0x0c, 0x0b, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e,
0x67, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f,
0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x20, 0x72, 0x6f, 0x6f, 0x74,
0x20, 0x43, 0x41, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48,
0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, 0x66, 0x6f,
0x40, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d,
0x82, 0x01, 0x63, 0x30, 0x13, 0x06, 0x03, 0x55, 0x1d, 0x25, 0x04, 0x0c,
0x30, 0x0a, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x09,
0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x22, 0xcf, 0xe2, 0xc4,
0x3c, 0x0e, 0xcf, 0x43, 0xc2, 0x2b, 0x77, 0xd9, 0x53, 0xbb, 0xbf, 0x46,
0x5a, 0x67, 0x26, 0x1f, 0xd6, 0x8c, 0xe2, 0xae, 0xd3, 0x6b, 0xda, 0x7c,
0xa5, 0xb4, 0x79, 0x29, 0x0f, 0xb8, 0xf0, 0x14, 0x71, 0x90, 0x21, 0x7c,
0x3c, 0x23, 0x2e, 0x5b, 0xb6, 0xb6, 0x66, 0xb5, 0xd2, 0xfd, 0x96, 0x21,
0x4c, 0x7c, 0x9d, 0x9f, 0x85, 0x69, 0x8c, 0xd8, 0xc2, 0xbf, 0x3b, 0x1f,
0x7b, 0xaf, 0x27, 0xb9, 0x30, 0x5b, 0x51, 0x4a, 0x16, 0x07, 0xa0, 0x14,
0x80, 0x47, 0x31, 0x45, 0xf0, 0x31, 0x35, 0xb9, 0x93, 0x39, 0x77, 0x32,
0x51, 0xa0, 0x8b, 0x93, 0x91, 0x96, 0x77, 0x41, 0x1a, 0x30, 0x15, 0xb8,
0xe6, 0xeb, 0x49, 0x8e, 0x3c, 0xa5, 0x11, 0x46, 0x68, 0x13, 0xf5, 0x61,
0x07, 0xac, 0x42, 0x3e, 0x69, 0xf3, 0x9f, 0x6b, 0x64, 0xd5, 0xe4, 0x42,
0x1d, 0xed, 0x6c, 0xb7, 0x3b, 0xb1, 0x78, 0xc6, 0x9a, 0xb0, 0x38, 0xe2,
0xe6, 0xfe, 0x5b, 0xc3, 0x87, 0x11, 0x49, 0x1e, 0x48, 0x73, 0x5a, 0x88,
0x77, 0x89, 0xfb, 0xc7, 0x87, 0xef, 0x87, 0xe1, 0x17, 0x8b, 0x66, 0x16,
0x44, 0x7c, 0x6e, 0x5f, 0x2d, 0x5a, 0x2f, 0xd0, 0xbe, 0x76, 0x69, 0x84,
0xda, 0x3c, 0xa3, 0x4f, 0xbf, 0x00, 0xff, 0xcc, 0x67, 0x06, 0x16, 0x40,
0x0f, 0x75, 0xdc, 0xe3, 0x20, 0xd6, 0x7b, 0x99, 0xc7, 0xbf, 0x38, 0x21,
0x51, 0x30, 0x4a, 0x4b, 0x77, 0xd7, 0x39, 0xd3, 0xe2, 0x4d, 0x67, 0x68,
0x0e, 0x7c, 0x95, 0xc4, 0x51, 0x22, 0xc4, 0x0f, 0x74, 0xa5, 0xdd, 0xf5,
0xac, 0xa8, 0xf5, 0x8c, 0xfb, 0x90, 0xba, 0xff, 0x5e, 0x3e, 0x1f, 0xaa,
0x7d, 0x61, 0xbb, 0xa4, 0x22, 0x35, 0x16, 0x64, 0xfc, 0x42, 0x27, 0x0b,
0xc9, 0xe3, 0xba, 0x21, 0xad, 0x7b, 0x24, 0x2a, 0xa5, 0x25, 0xb7, 0xc4,
};
unsigned char ocsp_responder_cert_pem[] = {
0x30, 0x82, 0x04, 0xbe, 0x30, 0x82, 0x03, 0xa6, 0xa0, 0x03, 0x02, 0x01,
0x02, 0x02, 0x01, 0x04, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
@@ -1954,6 +2107,114 @@ unsigned char intermediate1_ca_cert_pem[] = {
0xfb, 0xb8, 0x77, 0x01, 0x34, 0xaf, 0xcc, 0x0e,
};
unsigned char imposter_root_ca_cert_pem[] = {
0x30, 0x82, 0x04, 0xe8, 0x30, 0x82, 0x03, 0xd0, 0xa0, 0x03, 0x02, 0x01,
0x02, 0x02, 0x02, 0x00, 0xc7, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48,
0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x81, 0x97, 0x31,
0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53,
0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x57,
0x61, 0x73, 0x68, 0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30,
0x0e, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x07, 0x53, 0x65, 0x61, 0x74,
0x74, 0x6c, 0x65, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x0a,
0x0c, 0x07, 0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x31, 0x14, 0x30,
0x12, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x0b, 0x45, 0x6e, 0x67, 0x69,
0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x31, 0x18, 0x30, 0x16, 0x06,
0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53,
0x4c, 0x20, 0x72, 0x6f, 0x6f, 0x74, 0x20, 0x43, 0x41, 0x31, 0x1f, 0x30,
0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01,
0x16, 0x10, 0x69, 0x6e, 0x66, 0x6f, 0x40, 0x77, 0x6f, 0x6c, 0x66, 0x73,
0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x1e, 0x17, 0x0d, 0x32, 0x36,
0x30, 0x34, 0x32, 0x37, 0x31, 0x36, 0x31, 0x32, 0x31, 0x39, 0x5a, 0x17,
0x0d, 0x32, 0x39, 0x30, 0x31, 0x32, 0x31, 0x31, 0x36, 0x31, 0x32, 0x31,
0x39, 0x5a, 0x30, 0x81, 0x97, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55,
0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03,
0x55, 0x04, 0x08, 0x0c, 0x0a, 0x57, 0x61, 0x73, 0x68, 0x69, 0x6e, 0x67,
0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x07,
0x0c, 0x07, 0x53, 0x65, 0x61, 0x74, 0x74, 0x6c, 0x65, 0x31, 0x10, 0x30,
0x0e, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x07, 0x77, 0x6f, 0x6c, 0x66,
0x53, 0x53, 0x4c, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0b,
0x0c, 0x0b, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e,
0x67, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f,
0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x20, 0x72, 0x6f, 0x6f, 0x74,
0x20, 0x43, 0x41, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09, 0x2a, 0x86, 0x48,
0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6e, 0x66, 0x6f,
0x40, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e, 0x63, 0x6f, 0x6d,
0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00,
0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xf3, 0xc7, 0x6e,
0x93, 0x4e, 0x94, 0x7d, 0x9a, 0x76, 0xcb, 0x3e, 0x82, 0x21, 0x30, 0xa0,
0xa5, 0x4a, 0xa2, 0x6c, 0x80, 0xbf, 0xe6, 0xa0, 0x7d, 0x6c, 0xcc, 0xaa,
0xe6, 0x94, 0xf3, 0x42, 0x41, 0x7f, 0x1a, 0xba, 0x5f, 0x89, 0xd2, 0x84,
0x67, 0x81, 0x4d, 0x37, 0x0b, 0x26, 0xed, 0xf8, 0xf1, 0xbe, 0x84, 0xf5,
0x33, 0x9f, 0xbe, 0x98, 0xd1, 0x88, 0x86, 0xc1, 0x93, 0xd3, 0x8e, 0x40,
0x56, 0x36, 0x28, 0x4f, 0x14, 0xc2, 0xf7, 0xa7, 0x3b, 0xca, 0x1d, 0xae,
0x59, 0x6b, 0x5f, 0x79, 0x54, 0xb6, 0x2e, 0x6e, 0x4d, 0x7f, 0x4c, 0x71,
0x0d, 0xfb, 0x3a, 0x6e, 0x95, 0x8f, 0x96, 0x44, 0x3c, 0xf2, 0x91, 0x01,
0xcb, 0x68, 0x17, 0x07, 0x33, 0x97, 0xcb, 0x32, 0x55, 0x47, 0x03, 0x64,
0x0c, 0x4b, 0x16, 0x2e, 0x20, 0xf8, 0x65, 0xc7, 0x6a, 0x52, 0xe4, 0xfd,
0xa9, 0x2d, 0xde, 0x39, 0x0c, 0x5f, 0x1a, 0x14, 0x10, 0x9d, 0xc3, 0x2d,
0x15, 0xc4, 0x88, 0x2e, 0x19, 0x58, 0xe1, 0xfd, 0x69, 0x12, 0x81, 0xd2,
0xaf, 0xf6, 0x62, 0x44, 0xb0, 0x89, 0x82, 0xb5, 0xf5, 0x17, 0x23, 0x2b,
0x73, 0x8e, 0xe3, 0x55, 0x14, 0x43, 0xa5, 0x4a, 0x7e, 0xcb, 0x96, 0x62,
0x8f, 0x96, 0xbf, 0x5f, 0xc3, 0x82, 0xdc, 0x86, 0x86, 0x85, 0x89, 0xf8,
0x8e, 0x68, 0xb2, 0xef, 0xe5, 0x2e, 0x8c, 0xb9, 0x8d, 0x56, 0x13, 0x19,
0x65, 0xe9, 0x79, 0xc5, 0x29, 0xdc, 0x89, 0x0b, 0xdd, 0x23, 0x35, 0xfe,
0xd5, 0x48, 0xb6, 0x2d, 0xad, 0xee, 0xee, 0x6c, 0xb8, 0x3e, 0xeb, 0x79,
0x1c, 0x41, 0xd1, 0xb8, 0xe5, 0x0e, 0x2f, 0x2d, 0xcf, 0xd7, 0x65, 0xfa,
0x71, 0x6f, 0x60, 0x9b, 0x90, 0x30, 0x43, 0xda, 0xc3, 0xe2, 0x1b, 0x8f,
0xda, 0xab, 0x37, 0xc5, 0x38, 0x88, 0x6b, 0x85, 0x15, 0x5b, 0x24, 0x72,
0xbf, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x01, 0x3a, 0x30, 0x82,
0x01, 0x36, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x05, 0x30,
0x03, 0x01, 0x01, 0xff, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04,
0x16, 0x04, 0x14, 0x73, 0x64, 0x66, 0x3e, 0x9a, 0xde, 0x12, 0xec, 0x44,
0xc2, 0x5b, 0x05, 0x64, 0x62, 0x1d, 0x63, 0x23, 0x43, 0x55, 0xe5, 0x30,
0x81, 0xc5, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x81, 0xbd, 0x30, 0x81,
0xba, 0x80, 0x14, 0x73, 0x64, 0x66, 0x3e, 0x9a, 0xde, 0x12, 0xec, 0x44,
0xc2, 0x5b, 0x05, 0x64, 0x62, 0x1d, 0x63, 0x23, 0x43, 0x55, 0xe5, 0xa1,
0x81, 0x9d, 0xa4, 0x81, 0x9a, 0x30, 0x81, 0x97, 0x31, 0x0b, 0x30, 0x09,
0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30,
0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0c, 0x0a, 0x57, 0x61, 0x73, 0x68,
0x69, 0x6e, 0x67, 0x74, 0x6f, 0x6e, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03,
0x55, 0x04, 0x07, 0x0c, 0x07, 0x53, 0x65, 0x61, 0x74, 0x74, 0x6c, 0x65,
0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x07, 0x77,
0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03,
0x55, 0x04, 0x0b, 0x0c, 0x0b, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65,
0x72, 0x69, 0x6e, 0x67, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04,
0x03, 0x0c, 0x0f, 0x77, 0x6f, 0x6c, 0x66, 0x53, 0x53, 0x4c, 0x20, 0x72,
0x6f, 0x6f, 0x74, 0x20, 0x43, 0x41, 0x31, 0x1f, 0x30, 0x1d, 0x06, 0x09,
0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69,
0x6e, 0x66, 0x6f, 0x40, 0x77, 0x6f, 0x6c, 0x66, 0x73, 0x73, 0x6c, 0x2e,
0x63, 0x6f, 0x6d, 0x82, 0x02, 0x00, 0xc7, 0x30, 0x0b, 0x06, 0x03, 0x55,
0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x01, 0x06, 0x30, 0x32, 0x06, 0x08,
0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01, 0x01, 0x04, 0x26, 0x30, 0x24,
0x30, 0x22, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01,
0x86, 0x16, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x31, 0x32, 0x37,
0x2e, 0x30, 0x2e, 0x30, 0x2e, 0x31, 0x3a, 0x32, 0x32, 0x32, 0x32, 0x30,
0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x35, 0xb1, 0xf0, 0x64,
0x89, 0xfe, 0x7e, 0xb3, 0x5f, 0x80, 0x15, 0x57, 0xa0, 0x8f, 0xcd, 0xfc,
0xa0, 0x2d, 0x36, 0x29, 0x39, 0xa3, 0xee, 0xd6, 0xc0, 0xf3, 0xc2, 0xe6,
0x31, 0x2e, 0xce, 0x9b, 0xd4, 0xa1, 0x3e, 0xdc, 0xc7, 0x0d, 0x2a, 0xae,
0x72, 0xc6, 0xfa, 0xee, 0x77, 0xd7, 0x4b, 0x98, 0xc0, 0x32, 0x7e, 0xd2,
0x54, 0x3f, 0x41, 0x34, 0x09, 0x22, 0xf3, 0x34, 0xdb, 0xff, 0x4e, 0x35,
0x79, 0x15, 0x50, 0xfa, 0xe2, 0xbd, 0x37, 0x1c, 0x0e, 0xdc, 0x4e, 0xb1,
0x5a, 0x5d, 0xfd, 0xbe, 0xbf, 0xd1, 0x75, 0x02, 0x9a, 0xa8, 0x61, 0xda,
0xd4, 0xf1, 0x35, 0xb3, 0x7e, 0x9d, 0x10, 0x29, 0xa8, 0xcd, 0x50, 0x7c,
0x3c, 0x89, 0x5e, 0xa1, 0xb2, 0x51, 0xe6, 0xd8, 0x4d, 0xdd, 0xcc, 0x3d,
0xb9, 0x8e, 0x5b, 0x20, 0x51, 0x33, 0xe0, 0x03, 0x57, 0xe0, 0xf7, 0x5b,
0xbe, 0x85, 0x64, 0xa7, 0x8c, 0x6d, 0x40, 0x56, 0xcd, 0x78, 0x4f, 0x6d,
0xdc, 0x04, 0xf2, 0x4a, 0xf3, 0xa1, 0x29, 0x3b, 0x64, 0xe5, 0xdb, 0xa0,
0x98, 0x80, 0xc8, 0x6b, 0x12, 0x25, 0x4c, 0x18, 0x40, 0x2a, 0xce, 0xb6,
0x94, 0xfe, 0x58, 0xbb, 0x35, 0x91, 0x22, 0x36, 0xd7, 0x29, 0x70, 0x53,
0x2e, 0x8b, 0xbe, 0xe3, 0xb7, 0x08, 0xd3, 0xa8, 0x66, 0x19, 0xff, 0x69,
0xf0, 0xc8, 0x8f, 0xb6, 0xea, 0x21, 0xbc, 0x41, 0x08, 0x92, 0x42, 0x89,
0xfd, 0xd9, 0x3a, 0x9c, 0x42, 0x4b, 0xc4, 0x2e, 0x81, 0x4f, 0x63, 0x54,
0x95, 0x88, 0xd9, 0x56, 0x66, 0x08, 0xdc, 0x73, 0x56, 0x6a, 0x97, 0x5e,
0x09, 0xe5, 0xfa, 0xd2, 0x52, 0x3b, 0x7f, 0xbd, 0x3b, 0x1b, 0xbb, 0xf1,
0x74, 0x51, 0x71, 0x30, 0xf3, 0xce, 0x1c, 0x21, 0x75, 0x89, 0x97, 0x7f,
0xe4, 0x38, 0xf7, 0x3e, 0x66, 0xc3, 0x20, 0xf3, 0xc0, 0xf3, 0x38, 0xc9,
};
unsigned char resp_bad[] = {
0x30, 0x82, 0x01, 0xa9, 0xa0, 0x82, 0x01, 0xa5, 0x30, 0x82, 0x01, 0xa1,
0x06, 0x09, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x01, 0x04,
+16 -14
View File
@@ -23260,17 +23260,15 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm,
}
#ifdef HAVE_OCSP
if (type != CA_TYPE &&
type != TRUSTED_PEER_TYPE) {
/* Need the CA's public key hash for OCSP */
if (cert->ca) {
XMEMCPY(cert->issuerKeyHash, cert->ca->subjectKeyHash,
KEYID_SIZE);
}
else if (cert->selfSigned) {
XMEMCPY(cert->issuerKeyHash, cert->subjectKeyHash,
KEYID_SIZE);
}
/* Needed for OCSP requests, and for binding responder authorization
* to CertID's issuerKeyHash when this cert becomes a Signer. */
if (cert->ca) {
XMEMCPY(cert->issuerKeyHash, cert->ca->subjectKeyHash,
KEYID_SIZE);
}
else if (cert->selfSigned) {
XMEMCPY(cert->issuerKeyHash, cert->subjectKeyHash,
KEYID_SIZE);
}
#endif /* HAVE_OCSP */
}
@@ -23576,6 +23574,8 @@ int FillSigner(Signer* signer, DecodedCert* cert, int type, DerBuffer *der)
#ifdef HAVE_OCSP
XMEMCPY(signer->subjectKeyHash, cert->subjectKeyHash,
KEYID_SIZE);
XMEMCPY(signer->issuerKeyHash, cert->issuerKeyHash,
KEYID_SIZE);
#endif
signer->keyUsage = cert->extKeyUsageSet ? cert->extKeyUsage
: 0xFFFF;
@@ -33666,7 +33666,8 @@ static int OcspRespCheck(OcspResponse *resp, Signer *responder, void* vp)
return -1;
ret = CheckOcspResponder(resp, responder->subjectNameHash,
responder->extKeyUsage, responder->issuerNameHash, vp);
responder->subjectKeyHash, responder->extKeyUsage,
responder->issuerNameHash, responder->issuerKeyHash, vp);
if (ret != 0)
return -1;
@@ -33754,8 +33755,9 @@ static int OcspCheckCert(OcspResponse *resp, int noVerify,
#ifndef WOLFSSL_NO_OCSP_ISSUER_CHECK
if (ret == 0 && !noVerify) {
ret = CheckOcspResponder(resp, cert->subjectHash, cert->extExtKeyUsage,
cert->issuerHash, cm);
ret = CheckOcspResponder(resp, cert->subjectHash, cert->subjectKeyHash,
cert->extExtKeyUsage, cert->issuerHash,
(cert->ca != NULL) ? cert->ca->subjectKeyHash : NULL, cm);
if (ret != 0) {
WOLFSSL_MSG("\tOCSP Responder certificate issuer check failed");
goto err;
+3 -2
View File
@@ -74,8 +74,9 @@ WOLFSSL_LOCAL int CheckOcspResponse(WOLFSSL_OCSP *ocsp, byte *response, int resp
OcspEntry *entry, OcspRequest *ocspRequest,
void* heap);
WOLFSSL_LOCAL int CheckOcspResponder(OcspResponse *bs, byte* subjectHash,
byte extExtKeyUsage, byte* issuerHash, void* vp);
WOLFSSL_LOCAL int CheckOcspResponder(OcspResponse *bs, byte* subjectNameHash,
byte* subjectKeyHash, byte extExtKeyUsage, byte* issuerNameHash,
byte* issuerKeyHash, void* vp);
/* Allocates and initializes a WOLFSSL_OCSP object */
WOLFSSL_API WOLFSSL_OCSP* wc_NewOCSP(WOLFSSL_CERT_MANAGER* cm);
+5
View File
@@ -2228,6 +2228,11 @@ struct Signer {
#endif
#ifdef HAVE_OCSP
byte subjectKeyHash[KEYID_SIZE];
byte issuerKeyHash[KEYID_SIZE]; /* subject key hash of the immediate
* issuer CA (i.e. the parent that signed
* this cert), used to bind OCSP CertID
* issuerKeyHash matching during responder
* authorization checks */
#endif
#if defined(WOLFSSL_AKID_NAME) || defined(HAVE_CRL)
byte serialHash[SIGNER_DIGEST_SIZE]; /* serial number hash */