From 974d80bbc1961921199fd6b63fef08eba4564695 Mon Sep 17 00:00:00 2001
From: Marcel Poul
Date: Wed, 26 Sep 2012 11:50:22 +0000
Subject: [PATCH] OCSP response signature verification implemented
---
 emi.canl.canl-c/src/canl_ocsp.c | 16 ++++++++++++----
 emi.canl.canl-c/src/canl_ocsp.h | 2 ++
 emi.canl.canl-c/src/proxy/sslutils.c | 3 +--
 3 files changed, 15 insertions(+), 6 deletions(-)
diff --git a/emi.canl.canl-c/src/canl_ocsp.c b/emi.canl.canl-c/src/canl_ocsp.c
index ba98ece..249d130 100644
--- a/emi.canl.canl-c/src/canl_ocsp.c
+++ b/emi.canl.canl-c/src/canl_ocsp.c
@@ -225,6 +225,17 @@ int set_ocsp_timeout(canl_ocsprequest_t *ocspreq, int timeout)
 return 0;
 }
 
+int set_ocsp_chain(canl_ocsprequest_t *ocspreq, STACK_OF(X509) *chain)
+{
+ if (!ocspreq)
+ ocspreq = calloc(1, sizeof(*ocspreq));
+ if (!ocspreq)
+ return 1;
+ if (chain)
+ ocspreq->cert_chain = chain;
+ return 0;
+}
+
 static canl_x509store_t *
 store_dup(canl_x509store_t *store_from)
 {
@@ -388,7 +399,6 @@ int do_ocsp_verify (canl_ocsprequest_t *data)
 ASN1_GENERALIZEDTIME *producedAt, *thisUpdate, *nextUpdate;
 int timeout = -1; // -1 means no timeout - use blocking I/O
 unsigned long verify_flags = 0;
- STACK_OF(X509) *verify_other = NULL;
 
 if (!data || !data->cert) { // TODO || !data->issuer ?
 result = EINVAL; //TODO error code
@@ -481,7 +491,7 @@ int do_ocsp_verify (canl_ocsprequest_t *data)
 goto end;
 
 /* The last param. may be used when OCSP API is fully defined*/
- rc = OCSP_basic_verify(basic, verify_other, store, verify_flags);
+ rc = OCSP_basic_verify(basic, data->cert_chain, store, verify_flags);
 if (rc < 0)
 rc = OCSP_basic_verify(basic, NULL, store, 0);
 if (rc <= 0) {
@@ -524,8 +534,6 @@ end:
 OCSP_BASICRESP_free(basic);
 if (chosenurl)
 free(chosenurl);
- if (verify_other)
- sk_X509_pop_free(verify_other, X509_free);
 if (store)
 X509_STORE_free(store);
 
diff --git a/emi.canl.canl-c/src/canl_ocsp.h b/emi.canl.canl-c/src/canl_ocsp.h
index 2ef7009..7e693f3 100644
--- a/emi.canl.canl-c/src/canl_ocsp.h
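Review bot: In `set_ocsp_chain`, the `if (!ocspreq) ocspreq = calloc(1, sizeof(*ocspreq));` branch allocates into a by-value parameter, so when the caller passes NULL the new struct (and the chain stored into it) is unreachable the moment the function returns and is leaked; the caller's pointer is never updated. Replace the two leading checks with a single `if (!ocspreq) return 1;`, which keeps the error return for a missing request. The stored chain is only a borrowed pointer — no reference is taken here and the cleanup hunk further down removes the only sk_X509_pop_free — so a comment such as `/* chain is borrowed: caller keeps ownership and must keep it alive until do_ocsp_verify() returns */` belongs above the assignment, and ocsprequest_free() (not in this patch) should be checked so the member is not released there as well. The sibling setters above (set_ocsp_timeout ends just before this hunk) may share the same calloc-into-parameter pattern; if so, fix them together.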
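Review bot: The comment `/* The last param. may be used when OCSP API is fully defined*/` above the changed call is now misleading, since the second argument is the one this commit starts using; replace it with `/* data->cert_chain (NULL when no chain was set) is the untrusted cert list in which the responder's signing cert may be found; with verify_flags == 0 the signer is still verified against store */`. The retry `if (rc < 0) rc = OCSP_basic_verify(basic, NULL, store, 0);` on the next line repeats verification with different inputs after an error and discards the first error; with verify_flags left at 0 the two calls differ only in the cert list, so consider dropping the retry or at least logging the first failure before it. The enclosing do_ocsp_verify() starts and ends outside this hunk.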
+++ b/emi.canl.canl-c/src/canl_ocsp.h
@@ -12,6 +12,7 @@ typedef struct {
 char *url;
 X509 *cert;
 X509 *issuer;
+ STACK_OF(X509) *cert_chain;
 canl_x509store_t *store;
 X509 *sign_cert;
 EVP_PKEY *sign_key;
@@ -50,6 +51,7 @@ int set_ocsp_maxage(canl_ocsprequest_t *ocspreq, int maxage);
 int set_ocsp_url(canl_ocsprequest_t *ocspreq, char *url);
 int set_ocsp_issuer(canl_ocsprequest_t *ocspreq, X509 *issuer);
 int set_ocsp_store(canl_ocsprequest_t *ocspreq, canl_x509store_t *store);
+int set_ocsp_chain(canl_ocsprequest_t *ocspreq, STACK_OF(X509) *chain);
 int ocsprequest_init(canl_ocsprequest_t **ocspreq);
 void ocsprequest_free(canl_ocsprequest_t *or);
 
diff --git a/emi.canl.canl-c/src/proxy/sslutils.c b/emi.canl.canl-c/src/proxy/sslutils.c
index 6d37d8b..15befe4 100644
--- a/emi.canl.canl-c/src/proxy/sslutils.c
+++ b/emi.canl.canl-c/src/proxy/sslutils.c
@@ -2204,7 +2204,6 @@ proxy_verify_callback(
 if (cert_dir){
 canl_x509store_t *c_store = NULL;
 if (!canl_x509store_init(&c_store)) {
- /* TODO This is obviously wrong, cert_dir is not ca_cert_dir*/
 c_store->ca_dir = strdup(cert_dir);
 set_ocsp_store(ocsp_data, c_store);
 canl_x509store_free(c_store);
@@ -2213,6 +2212,7 @@ proxy_verify_callback(
 }
 set_ocsp_skew(ocsp_data, MAX_VALIDITY_PERIOD);
 set_ocsp_maxage(ocsp_data, -1);
+ set_ocsp_chain(ocsp_data, ctx->chain);
 /*Timeout should be set here
 set_ocsp_timeout(pvd->timeout, -1); */
 do_ocsp_verify (ocsp_data);
@@ -2240,7 +2240,6 @@ fail_verify:
 }
 return(0);
- }
 /**********************************************************************
-- 
1.8.2.3
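Review bot: The new `cert_chain` member in the struct hunk carries no ownership note, while on the .c side set_ocsp_chain() stores the caller's pointer as-is and do_ocsp_verify() no longer frees any chain, so a reader of the header cannot tell whether ocsprequest_free() is expected to release it. Add `STACK_OF(X509) *cert_chain; /* borrowed from the caller; must stay valid until do_ocsp_verify() returns */` on the field and mirror the same contract on the set_ocsp_chain() prototype in the second hunk. ocsprequest_free() is not part of the patch, so confirm its behaviour matches before wording the comment.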
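Review bot: `set_ocsp_chain(ocsp_data, ctx->chain);` stores a pointer owned by the X509_STORE_CTX being verified, so ocsp_data holds a dangling chain once the callback returns or the ctx is cleaned up; nothing in the hunk records that, and the call's return value is dropped like the neighbouring setters. If ocsp_data can outlive this callback, take an owned copy with `set_ocsp_chain(ocsp_data, X509_STORE_CTX_get1_chain(ctx));` and release it in the request's free routine; otherwise add `/* ctx->chain is owned by ctx; ocsp_data must be done with it before this callback returns */` above the call. Passing the chain built for the peer as the untrusted cert list is the intended use of OCSP_basic_verify, provided do_ocsp_verify() keeps verifying the responder's signer against the trusted store, which the .c hunk appears to do with verify_flags left at 0. proxy_verify_callback() begins and ends outside this hunk.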