ocsp response date checking
@ -4232,6 +4232,8 @@ static int DecodeSingleResponse(byte* source,
|
|||||||
if (GetBasicDate(source, &index, cs->thisDate,
|
if (GetBasicDate(source, &index, cs->thisDate,
|
||||||
&cs->thisDateFormat, size) < 0)
|
&cs->thisDateFormat, size) < 0)
|
||||||
return ASN_PARSE_E;
|
return ASN_PARSE_E;
|
||||||
|
if (!ValidateDate(cs->thisDate, cs->thisDateFormat, BEFORE))
|
||||||
|
return ASN_BEFORE_DATE_E;
|
||||||
|
|
||||||
/* The following items are optional. Only check for them if there is more
|
/* The following items are optional. Only check for them if there is more
|
||||||
* unprocessed data in the singleResponse wrapper. */
|
* unprocessed data in the singleResponse wrapper. */
|
||||||
@ -4361,11 +4363,11 @@ static int DecodeResponseData(byte* source,
|
|||||||
return ASN_PARSE_E;
|
return ASN_PARSE_E;
|
||||||
|
|
||||||
/* save pointer to the producedAt time */
|
/* save pointer to the producedAt time */
|
||||||
if (source[idx++] != ASN_GENERALIZED_TIME)
|
if (GetBasicDate(source, &idx, resp->producedDate,
|
||||||
|
&resp->producedDateFormat, size) < 0)
|
||||||
return ASN_PARSE_E;
|
return ASN_PARSE_E;
|
||||||
if (GetLength(source, &idx, &length, size) < 0)
|
if (!ValidateDate(resp->producedDate, resp->producedDateFormat, BEFORE))
|
||||||
return ASN_PARSE_E;
|
return ASN_BEFORE_DATE_E;
|
||||||
resp->producedAt = source + idx;
|
|
||||||
idx += length;
|
idx += length;
|
||||||
|
|
||||||
if (DecodeSingleResponse(source, &idx, resp, size) < 0)
|
if (DecodeSingleResponse(source, &idx, resp, size) < 0)
|
||||||
@ -4481,8 +4483,7 @@ void InitOcspResponse(OcspResponse* resp, CertStatus* status,
|
|||||||
resp->responseStatus = -1;
|
resp->responseStatus = -1;
|
||||||
resp->response = NULL;
|
resp->response = NULL;
|
||||||
resp->responseSz = 0;
|
resp->responseSz = 0;
|
||||||
resp->producedAt = NULL;
|
resp->producedDateFormat = 0;
|
||||||
resp->producedAtFormat = 0;
|
|
||||||
resp->issuerHash = NULL;
|
resp->issuerHash = NULL;
|
||||||
resp->issuerKeyHash = NULL;
|
resp->issuerKeyHash = NULL;
|
||||||
resp->sig = NULL;
|
resp->sig = NULL;
|
||||||
|
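Review bot: In the DecodeResponseData hunk (@ -4361) the line `idx += length;` is kept on the new side although the `GetLength(source, &idx, &length, size)` call that set `length` for the producedAt time was replaced by `GetBasicDate`; if `GetBasicDate` already advances `idx` past the time element, as its parallel use in DecodeSingleResponse suggests, this adds whatever `length` held from an earlier call in the function and `DecodeSingleResponse` then starts at the wrong offset. The body of DecodeResponseData begins outside the hunk, so what `length` holds at that point cannot be confirmed here; if `GetBasicDate` consumes the whole element the `idx += length;` line should simply be removed, so that a malformed response fails with `ASN_PARSE_E` instead of being decoded from a shifted position. In the InitOcspResponse hunk (@ -4481) `producedDateFormat` is zeroed but the new `producedDate` buffer is not; `resp->producedDate[0] = 0;` next to it would keep the pair consistent in the same way find_cert_status clears `nextDate[0]` in src/ocsp.c.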
@ -378,8 +378,9 @@ struct OcspResponse {
|
|||||||
byte* response; /* Pointer to beginning of OCSP Response */
|
byte* response; /* Pointer to beginning of OCSP Response */
|
||||||
word32 responseSz; /* length of the OCSP Response */
|
word32 responseSz; /* length of the OCSP Response */
|
||||||
|
|
||||||
byte* producedAt; /* Time at which this response was signed */
|
byte producedDate[MAX_DATE_SIZE];
|
||||||
byte producedAtFormat;/* format of the producedAt date */
|
/* Date at which this response was signed */
|
||||||
|
byte producedDateFormat; /* format of the producedDate */
|
||||||
byte* issuerHash;
|
byte* issuerHash;
|
||||||
byte* issuerKeyHash;
|
byte* issuerKeyHash;
|
||||||
|
|
||||||
|
44
src/ocsp.c
44
src/ocsp.c
@ -361,6 +361,7 @@ static CertStatus* find_cert_status(OCSP_Entry* ocspe, DecodedCert* cert)
|
|||||||
XMEMCPY(stat->serial, cert->serial, cert->serialSz);
|
XMEMCPY(stat->serial, cert->serial, cert->serialSz);
|
||||||
stat->serialSz = cert->serialSz;
|
stat->serialSz = cert->serialSz;
|
||||||
stat->status = -1;
|
stat->status = -1;
|
||||||
|
stat->nextDate[0] = 0;
|
||||||
ocspe->totalStatus++;
|
ocspe->totalStatus++;
|
||||||
|
|
||||||
stat->next = ocspe->status;
|
stat->next = ocspe->status;
|
||||||
@ -427,6 +428,22 @@ static int http_ocsp_transaction(CYASSL_OCSP* ocsp, DecodedCert* cert,
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
static int xstat2err(int stat)
|
||||||
|
{
|
||||||
|
switch (stat) {
|
||||||
|
case CERT_GOOD:
|
||||||
|
return 0;
|
||||||
|
break;
|
||||||
|
case CERT_REVOKED:
|
||||||
|
return OCSP_CERT_REVOKED;
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
return OCSP_CERT_UNKNOWN;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
int CyaSSL_OCSP_Lookup_Cert(CYASSL_OCSP* ocsp, DecodedCert* cert)
|
int CyaSSL_OCSP_Lookup_Cert(CYASSL_OCSP* ocsp, DecodedCert* cert)
|
||||||
{
|
{
|
||||||
byte ocspReqBuf[SCRATCH_BUFFER_SIZE];
|
byte ocspReqBuf[SCRATCH_BUFFER_SIZE];
|
||||||
@ -460,6 +477,21 @@ int CyaSSL_OCSP_Lookup_Cert(CYASSL_OCSP* ocsp, DecodedCert* cert)
|
|||||||
|
|
||||||
if (certStatus->status != -1)
|
if (certStatus->status != -1)
|
||||||
{
|
{
|
||||||
|
if (!ValidateDate(certStatus->thisDate,
|
||||||
|
certStatus->thisDateFormat, BEFORE) ||
|
||||||
|
(certStatus->nextDate[0] == 0) ||
|
||||||
|
!ValidateDate(certStatus->nextDate,
|
||||||
|
certStatus->nextDateFormat, AFTER))
|
||||||
|
{
|
||||||
|
CYASSL_MSG("\tinvalid status date, looking up cert");
|
||||||
|
certStatus->status = -1;
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
CYASSL_MSG("\tusing cached status");
|
||||||
|
result = xstat2err(certStatus->status);
|
||||||
|
return result;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
InitOcspRequest(&ocspRequest, cert, ocspReqBuf, ocspReqSz);
|
InitOcspRequest(&ocspRequest, cert, ocspReqBuf, ocspReqSz);
|
||||||
@ -478,17 +510,7 @@ int CyaSSL_OCSP_Lookup_Cert(CYASSL_OCSP* ocsp, DecodedCert* cert)
|
|||||||
} else {
|
} else {
|
||||||
if (CompareOcspReqResp(&ocspRequest, &ocspResponse) == 0)
|
if (CompareOcspReqResp(&ocspRequest, &ocspResponse) == 0)
|
||||||
{
|
{
|
||||||
switch (ocspResponse.status[0].status) {
|
result = xstat2err(ocspResponse.status->status);
|
||||||
case CERT_GOOD:
|
|
||||||
result = 0;
|
|
||||||
break;
|
|
||||||
case CERT_REVOKED:
|
|
||||||
result = OCSP_CERT_REVOKED;
|
|
||||||
break;
|
|
||||||
default:
|
|
||||||
result = OCSP_CERT_UNKNOWN;
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
|
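Review bot: The cached-status check in CyaSSL_OCSP_Lookup_Cert (@ -460) treats `certStatus->nextDate[0] == 0` as an invalid cache entry, which forces a fresh lookup whenever the responder omitted nextUpdate; that is the conservative reading of an absent nextUpdate, but the intent is not obvious from the condition, so a comment such as `/* no nextUpdate cached: treat the entry as stale and re-query the responder */` above the `if` would help the next reader. In the same function the date comparison is only performed when `status != -1`, so the stale `thisDate`/`nextDate` left behind after `certStatus->status = -1;` cannot be used, which is worth a one-line note as well. In xstat2err (@ -427) every `break;` follows a `return` and is unreachable; the cases read more plainly as `case CERT_GOOD: return 0;`, `case CERT_REVOKED: return OCSP_CERT_REVOKED;` and `default: return OCSP_CERT_UNKNOWN;`.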