Changeset 9c4ae9c2 in mod_gnutls


Ignore:
Timestamp:
Jul 13, 2021, 5:10:33 PM (5 months ago)
Author:
Fiona Klute <fiona.klute@…>
Branches:
master
Children:
70cf137
Parents:
b8e9e11
Message:

Use the issuer certificate directly to verify OCSP responses

The detour over a trust list is unnecessary by using
gnutls_ocsp_resp_verify_direct(), which simplifies the code a lot, and
also avoids a current bug in gnutls_ocsp_resp_verify() [1].

[1] https://gitlab.com/gnutls/gnutls/-/issues/1254

Location:
src
Files:
2 edited

Legend:

Unmodified
Added
Removed
  • src/gnutls_ocsp.c

    rb8e9e11 r9c4ae9c2  
    184184    }
    185185
    186     /* issuer is set to a reference, so musn't be cleaned up */
    187     gnutls_x509_crt_t issuer;
    188     ret = gnutls_x509_trust_list_get_issuer(*req_data->trust, req_data->cert,
    189                                             &issuer, 0);
    190     if (ret != GNUTLS_E_SUCCESS)
    191     {
    192         ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s,
    193                      "Could not get issuer from trust list: %s (%d)",
    194                      gnutls_strerror(ret), ret);
    195         gnutls_ocsp_req_deinit(r);
    196         return ret;
    197     }
    198 
    199186    /* Use SHA1 for issuer name hash and issuer key hash, for
    200187     * compliance with "lightweight" OCSP profile specified in RFC
    201188     * 5019. */
    202189    ret = gnutls_ocsp_req_add_cert(r, GNUTLS_DIG_SHA1,
    203                                    issuer, req_data->cert);
     190                                   req_data->issuer, req_data->cert);
    204191
    205192    if (ret != GNUTLS_E_SUCCESS)
     
    288275        ap_get_module_config(s->module_config, &gnutls_module);
    289276
    290     if (req_data->trust == NULL)
    291     {
    292         ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, s,
    293                      "No OCSP trust list available for server \"%s\"!",
    294                      s->server_hostname);
    295         return GNUTLS_E_NO_CERTIFICATE_FOUND;
    296     }
    297 
    298277    gnutls_ocsp_resp_t resp;
    299278    int ret = gnutls_ocsp_resp_init(&resp);
     
    324303
    325304    unsigned int verify;
    326     ret = gnutls_ocsp_resp_verify(resp, *(req_data->trust), &verify, 0);
     305    ret = gnutls_ocsp_resp_verify_direct(resp, req_data->issuer, &verify, 0);
    327306    if (ret != GNUTLS_E_SUCCESS)
    328307    {
     
    939918
    940919
    941 int mgs_create_ocsp_trust_list(gnutls_x509_trust_list_t *tl,
    942                                const gnutls_x509_crt_t *chain,
    943                                const int num)
    944 {
    945     int added = 0;
    946     int ret = gnutls_x509_trust_list_init(tl, num);
    947 
    948     if (ret == GNUTLS_E_SUCCESS)
    949         added = gnutls_x509_trust_list_add_cas(*tl, chain, num, 0);
    950 
    951     if (added != num)
    952         ret = GNUTLS_E_CERTIFICATE_ERROR;
    953 
    954     /* Clean up trust list in case of error */
    955     if (ret != GNUTLS_E_SUCCESS)
    956         gnutls_x509_trust_list_deinit(*tl, 0);
    957 
    958     return ret;
    959 }
    960 
    961 
    962 
    963 apr_status_t mgs_cleanup_trust_list(void *data)
    964 {
    965     gnutls_x509_trust_list_t *tl = (gnutls_x509_trust_list_t *) data;
    966     gnutls_x509_trust_list_deinit(*tl, 0);
    967     return APR_SUCCESS;
    968 }
    969 
    970 
    971 
    972920apr_uri_t * mgs_cert_get_ocsp_uri(apr_pool_t *p, gnutls_x509_crt_t cert)
    973921{
     
    11741122        return "Could not read fingerprint from certificate!";
    11751123
    1176     ocsp->trust = apr_palloc(pconf,
    1177                              sizeof(gnutls_x509_trust_list_t));
    1178     /* Only the direct issuer may sign the OCSP response or an
    1179      * OCSP signer. */
    1180     int ret = mgs_create_ocsp_trust_list(
    1181         ocsp->trust, &(sc->certs_x509_crt_chain[idx + 1]), 1);
    1182     if (ret != GNUTLS_E_SUCCESS)
    1183     {
    1184         ap_log_error(APLOG_MARK, APLOG_ERR, APR_EGENERAL, server,
    1185                      "Could not create OCSP trust list: %s (%d)",
    1186                      gnutls_strerror(ret), ret);
    1187         return "Could not build trust list for OCSP stapling!";
    1188     }
    1189     /* deinit trust list when the config pool is destroyed */
    1190     apr_pool_cleanup_register(pconf, ocsp->trust,
    1191                               mgs_cleanup_trust_list,
    1192                               apr_pool_cleanup_null);
     1124    ocsp->issuer = sc->certs_x509_crt_chain[idx + 1];
    11931125    return NULL;
    11941126}
  • src/gnutls_ocsp.h

    rb8e9e11 r9c4ae9c2  
    4444    /** The certificate the following elements refer to. */
    4545    gnutls_x509_crt_t cert;
     46    /** Issuer certificate, used for verifying OCSP responses. */
     47    gnutls_x509_crt_t issuer;
    4648    /** OCSP URI extracted from the certificate. NULL if unset. */
    4749    apr_uri_t *uri;
     
    4951     * precedence over uri. */
    5052    char *response_file;
    51     /** Trust list to verify OCSP responses for stapling. Should
    52      * usually only contain the CA that signed the certificate. */
    53     gnutls_x509_trust_list_t *trust;
    5453    /** Certificate fingerprint, used as cache key for the OCSP
    5554     * response. */
Note: See TracChangeset for help on using the changeset viewer.