Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Leap:15.3:Update
Botan.17748
Botan-CVE-2022-43705.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File Botan-CVE-2022-43705.patch of Package Botan.17748
diff --git a/src/lib/x509/certstor.h b/src/lib/x509/certstor.h index 36d2e4a..82cd385 100644 --- a/src/lib/x509/certstor.h +++ b/src/lib/x509/certstor.h @@ -93,6 +93,12 @@ class BOTAN_PUBLIC_API(2,0) Certificate_Store_In_Memory final : public Certifica */ explicit Certificate_Store_In_Memory(const X509_Certificate& cert); + /** + * Adds given certificate list to the store. + */ + explicit Certificate_Store_In_Memory(std::vector<std::shared_ptr<const X509_Certificate>> certs) + : m_certs(std::move(certs)) {} + /** * Create an empty store. */ diff --git a/src/lib/x509/ocsp.cpp b/src/lib/x509/ocsp.cpp index de229d4..7437ea6 100644 --- a/src/lib/x509/ocsp.cpp +++ b/src/lib/x509/ocsp.cpp @@ -241,7 +241,6 @@ Certificate_Status_Code Response::check_signature(const std::vector<Certificate_ { for(size_t i = 0; i < m_certs.size(); ++i) { - // Check all CA certificates in the (assumed validated) EE cert path if(!m_signer_name.empty() && m_certs[i].subject_dn() == m_signer_name) { signing_cert = std::make_shared<const X509_Certificate>(m_certs[i]); @@ -254,6 +253,73 @@ Certificate_Status_Code Response::check_signature(const std::vector<Certificate_ break; } } + + // RFC 6960 4.2.2.2 + // OCSP signing delegation SHALL be designated by the inclusion of + // id-kp-OCSPSigning in an extended key usage certificate extension + // included in the OCSP response signer's certificate. This certificate + // MUST be issued directly by the CA that is identified in the request. + // + // The CA SHOULD use the same issuing key to issue a delegation + // certificate as that used to sign the certificate being checked for + // revocation. Systems relying on OCSP responses MUST recognize a + // delegation certificate as being issued by the CA that issued the + // certificate in question only if the delegation certificate and the + // certificate being checked for revocation were signed by the same key. + // + // I.e. it is safe to assume that the certificate's issuer also signed the + // responder's certificate. + // + // Note: The 'SHOULD' in the second paragraph above allows for backward + // compatibility to RFC 2560 that is "strongly discouraged". This + // implementation explicitly _does not_ implement this backward + // compatibility. + if(signing_cert) + { + const auto issuer = + Certificate_Store_In_Memory(ee_cert_path) + .find_cert(signing_cert->issuer_dn(), signing_cert->authority_key_id()); + + // User did not provide the certificate path to verify the delegation + if(!issuer) + { + return Certificate_Status_Code::OCSP_ISSUER_NOT_FOUND; + } + + if(!issuer->is_CA_cert()) + { + return Certificate_Status_Code::OCSP_ISSUER_NOT_FOUND; + } + + // Sub-optimal fix for CVE-2022-43705 found in Botan 2.19.2 and older. + // + // This certificate validation is incomplete. Missing checks: + // * validity check against the reference time + // * revocation status check of the responder certificate + // * certificate extension validations + // * ... potentially more + // + // A more comprehensive validation will be introduced with Botan 3.0 + try + { + const auto issuer_pubkey = issuer->load_subject_public_key(); + const auto sig = signing_cert->verify_signature(*issuer_pubkey); + + if(sig != Certificate_Status_Code::VERIFIED) + { + return Certificate_Status_Code::OCSP_SIGNATURE_ERROR; + } + + if(!signing_cert->has_ex_constraint(OIDS::lookup("PKIX.OCSPSigning"))) + { + return Certificate_Status_Code::OCSP_RESPONSE_MISSING_KEYUSAGE; + } + } + catch(const Exception& ex) + { + return Certificate_Status_Code::OCSP_SIGNATURE_ERROR; + } + } } if(!signing_cert) diff --git a/src/lib/x509/x509path.cpp b/src/lib/x509/x509path.cpp index 9d886ca..53d60c4 100644 --- a/src/lib/x509/x509path.cpp +++ b/src/lib/x509/x509path.cpp @@ -222,7 +222,11 @@ PKIX::check_ocsp(const std::vector<std::shared_ptr<const X509_Certificate>>& cer { try { - Certificate_Status_Code ocsp_signature_status = ocsp_responses.at(i)->check_signature(trusted_certstores, cert_path); + // When verifying intermediate certificates we need to truncate the + // cert_path so that the intermediate under investigation becomes the + // last certificate in the chain. + std::vector<std::shared_ptr<const X509_Certificate>> ocsp_cert_path(cert_path.begin() + i, cert_path.end()); + Certificate_Status_Code ocsp_signature_status = ocsp_responses.at(i)->check_signature(trusted_certstores, ocsp_cert_path); if(ocsp_signature_status == Certificate_Status_Code::OCSP_SIGNATURE_OK) { diff --git a/src/tests/data/x509/ocsp/bdr-int.pem b/src/tests/data/x509/ocsp/bdr-int.pem new file mode 100644 index 0000000..299fb22 --- /dev/null +++ b/src/tests/data/x509/ocsp/bdr-int.pem @@ -0,0 +1,35 @@ +-----BEGIN CERTIFICATE----- +MIIGHzCCBQegAwIBAgIDD+SOMA0GCSqGSIb3DQEBCwUAMFAxCzAJBgNVBAYTAkRF +MRUwEwYDVQQKDAxELVRydXN0IEdtYkgxKjAoBgNVBAMMIUQtVFJVU1QgUm9vdCBD +bGFzcyAzIENBIDIgRVYgMjAwOTAeFw0xNjExMTYwOTQ2MTlaFw0yOTExMDUwODUw +NDZaMF4xCzAJBgNVBAYTAkRFMRUwEwYDVQQKEwxELVRydXN0IEdtYkgxHzAdBgNV +BAMTFkQtVFJVU1QgQ0EgMi0yIEVWIDIwMTYxFzAVBgNVBGETDk5UUkRFLUhSQjc0 +MzQ2MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4PbGGVT4nCH+CzaZ +kZDWqXWiXbBu3UEpSPBmAKDepwkoc7b13vVlRrvehBm11yUNzaN7thsqB+VXEyF4 +OuxkCJkZRCJUfrS1zdnZXptf361oahCX+ch2E4Hdedeet45mypwKsD7FqSdz01KY +o6wFQMnnZsRQtamilglAgT03iTUf+Yn8a5msV7fscpfkLUGCtjeM2eWgfZ2I0pqi +m3DYrQU5/8in6DtZLrIAgZpnQsgJiB3glx0YcBXs5YZR9bfhOP71nLvM+9vkxNR4 +V90SOnwEzCbj5VforuNgP0sptC2TSPiqNG9sgdySBobz9aO5ryqG21GXMcfFp0vC +z2kxrwIDAQABo4IC8jCCAu4wHwYDVR0jBBgwFoAU05SKTGITKhkuzK9yin0215oc +3GcwggElBggrBgEFBQcBAQSCARcwggETMDcGCCsGAQUFBzABhitodHRwOi8vcm9v +dC1jMy1jYTItZXYtMjAwOS5vY3NwLmQtdHJ1c3QubmV0MFAGCCsGAQUFBzAChkRo +dHRwOi8vd3d3LmQtdHJ1c3QubmV0L2NnaS1iaW4vRC1UUlVTVF9Sb290X0NsYXNz +XzNfQ0FfMl9FVl8yMDA5LmNydDCBhQYIKwYBBQUHMAKGeWxkYXA6Ly9kaXJlY3Rv +cnkuZC10cnVzdC5uZXQvQ049RC1UUlVTVCUyMFJvb3QlMjBDbGFzcyUyMDMlMjBD +QSUyMDIlMjBFViUyMDIwMDksTz1ELVRydXN0JTIwR21iSCxDPURFP2NBQ2VydGlm +aWNhdGU/YmFzZT8wfwYDVR0gBHgwdjAJBgcEAIvsQAEEMA0GCysGAQQBpTQCgRYE +MFoGCysGAQQBpTQCgUoBMEswSQYIKwYBBQUHAgEWPWh0dHA6Ly93d3cuZC10cnVz +dC5uZXQvaW50ZXJuZXQvZmlsZXMvRC1UUlVTVF9DU01fUEtJX0NQUy5wZGYwgd0G +A1UdHwSB1TCB0jCBh6CBhKCBgYZ/bGRhcDovL2RpcmVjdG9yeS5kLXRydXN0Lm5l +dC9DTj1ELVRSVVNUJTIwUm9vdCUyMENsYXNzJTIwMyUyMENBJTIwMiUyMEVWJTIw +MjAwOSxPPUQtVHJ1c3QlMjBHbWJILEM9REU/Y2VydGlmaWNhdGVyZXZvY2F0aW9u +bGlzdDBGoESgQoZAaHR0cDovL2NybC5kLXRydXN0Lm5ldC9jcmwvZC10cnVzdF9y +b290X2NsYXNzXzNfY2FfMl9ldl8yMDA5LmNybDAdBgNVHQ4EFgQUIa9qJphx6SYK +1duhjPfbpp2lJVwwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAw +DQYJKoZIhvcNAQELBQADggEBAEITrEZFU4bOy+274S2THOe9lewgYy+5OYh/Wr7Q +WzRi/bMU6GRtag9fCnIsXon3+2wKGL22JgjI+WnZa5TRiazUOdtOjCEuwxXXMYH/ +PaBBb/BXmfGlEHGHL/ljNQauOrsfIQXXDYTfZk9jwLQgPmF54Ulm6oLsUrvYp1nq +4jSAyWOY+mcxFlGgZPt5jdL1DSkzdLtdWfGs+1USqmx/IBZLfCwavdk0Dm5fwQSG +iI+av54kU0E4ziDEOJ25rfiOBGqjh+4NFegAaQlTeVp1zOCjtKCf9YWDS8BgJT+O +Ri2UKV/O8WaWZ3qRLuVavpng14sx4oa8FLM9sKBWvI+H5XU= +-----END CERTIFICATE----- diff --git a/src/tests/data/x509/ocsp/bdr-root.pem b/src/tests/data/x509/ocsp/bdr-root.pem new file mode 100644 index 0000000..0a1a2b2 --- /dev/null +++ b/src/tests/data/x509/ocsp/bdr-root.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEQzCCAyugAwIBAgIDCYP0MA0GCSqGSIb3DQEBCwUAMFAxCzAJBgNVBAYTAkRF +MRUwEwYDVQQKDAxELVRydXN0IEdtYkgxKjAoBgNVBAMMIUQtVFJVU1QgUm9vdCBD +bGFzcyAzIENBIDIgRVYgMjAwOTAeFw0wOTExMDUwODUwNDZaFw0yOTExMDUwODUw +NDZaMFAxCzAJBgNVBAYTAkRFMRUwEwYDVQQKDAxELVRydXN0IEdtYkgxKjAoBgNV +BAMMIUQtVFJVU1QgUm9vdCBDbGFzcyAzIENBIDIgRVYgMjAwOTCCASIwDQYJKoZI +hvcNAQEBBQADggEPADCCAQoCggEBAJnxhDRwui+3MKCOvXwEz75ivJn9gpfSegpn +ljgJ9hBOlSJzmY3aFS3nBfwZcyK3jpgAvDw9rKFs+9Z5JUut8Mxk2og+KbgPCdM0 +3TP1YtHhzRnp7hhPTFiu4h7WDFsVWtg6uMQYZB7jM7K1iXdODL/ZlGsTl28So/6Z +qQTMFexgaDbtCHu39b+T7WYxg4zGcTSHThfqr4uRjRxWQa4iN1438h3Z0S0NL2lR +p75mpoo6Kr3HGrHhFPC+Oh25z1uxav60sUYgovseO3Dvk5h9jHOW8sXvhXCtKSb8 +HgQ+HKDYD8tSg2J87otTlZCpV6LqYQXY+U3EJ/pure3511H3a6UCAwEAAaOCASQw +ggEgMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFNOUikxiEyoZLsyvcop9Ntea +HNxnMA4GA1UdDwEB/wQEAwIBBjCB3QYDVR0fBIHVMIHSMIGHoIGEoIGBhn9sZGFw +Oi8vZGlyZWN0b3J5LmQtdHJ1c3QubmV0L0NOPUQtVFJVU1QlMjBSb290JTIwQ2xh +c3MlMjAzJTIwQ0ElMjAyJTIwRVYlMjAyMDA5LE89RC1UcnVzdCUyMEdtYkgsQz1E +RT9jZXJ0aWZpY2F0ZXJldm9jYXRpb25saXN0MEagRKBChkBodHRwOi8vd3d3LmQt +dHJ1c3QubmV0L2NybC9kLXRydXN0X3Jvb3RfY2xhc3NfM19jYV8yX2V2XzIwMDku +Y3JsMA0GCSqGSIb3DQEBCwUAA4IBAQA07XtaPKSUiO8aEXUHL7P+PPoeUSbrh/Yp +3uDx1MYkCenBz1UbtDDZzhr+BlGmFaQt77JLvyAoJUnRpjZ3NOhk31KxEcdzes05 +nsKtjHEh8lprr988TlWvsoRlFIm5d8sqMb7Po23Pb0iUMkZv53GMoKaEGTcH8gNF +CSuGdXzfX2lXANtu2KZyIktQ1HWYVt+3GP9DQ1CuekR78HlR10M9p9OB0/DJT7na +xpeG0ILD5EJt/rDiZE4OJudANCa1CInXCGNjOCd1HjPqbqjdn5lPdE2BiYBL3ZqX +KVwvvoFBuYz/6n1gBp7N1z3TLqMVvKjmJuVvw9y4AyHqnxbxLFS1 +-----END CERTIFICATE----- diff --git a/src/tests/data/x509/ocsp/bdr.pem b/src/tests/data/x509/ocsp/bdr.pem new file mode 100644 index 0000000..604defc --- /dev/null +++ b/src/tests/data/x509/ocsp/bdr.pem @@ -0,0 +1,80 @@ +-----BEGIN CERTIFICATE----- +MIIOhDCCDWygAwIBAgIQR2P0PtEycYOZmkQw8teHNzANBgkqhkiG9w0BAQsFADBe +MQswCQYDVQQGEwJERTEVMBMGA1UEChMMRC1UcnVzdCBHbWJIMR8wHQYDVQQDExZE +LVRSVVNUIENBIDItMiBFViAyMDE2MRcwFQYDVQRhEw5OVFJERS1IUkI3NDM0NjAe +Fw0yMjAzMjUwODE1NDVaFw0yMzAzMjgwNzE1NDVaMIIBIjELMAkGA1UEBhMCREUx +HTAbBgNVBAoTFEJ1bmRlc2RydWNrZXJlaSBHbWJIMQswCQYDVQQLEwJJVDEbMBkG +A1UEAxMSYnVuZGVzZHJ1Y2tlcmVpLmRlMQ8wDQYDVQQHEwZCZXJsaW4xEzARBgsr +BgEEAYI3PAIBAxMCREUxDjAMBgNVBBEMBTEwOTY5MR0wGwYDVQQPDBRQcml2YXRl +IE9yZ2FuaXphdGlvbjEcMBoGA1UECRMTS29tbWFuZGFudGVuc3RyLiAxODEUMBIG +A1UEBRMLSFJCIDcwNzY0IEIxFzAVBgsrBgEEAYI3PAIBAQwGQmVybGluMRcwFQYL +KwYBBAGCNzwCAQIMBkJlcmxpbjEPMA0GA1UECBMGQmVybGluMIICIjANBgkqhkiG +9w0BAQEFAAOCAg8AMIICCgKCAgEA3B1Rp2V3DQSrr57KSDLsZ6mUJ0Y9LWhcLvTo +b84DN1Y/U9ZCyGGJ2hYiDnwPpcIHFfp1v+jUaiE8Km4VA6tkG8o6Y5w2BMM9Ej20 +z2kwOtVdSh1wdC9zinmuGwjshmw2eSvr1C77y3jN6P1qDyjACdAQ6SM8hKV5JxFz +g0+UAN0lO51C9v61EXjteByo6ikDEGnjFc+fC5kQGGJGRy4+I1vfgIsYri1LhGOS +86xH9o4RejCiM5Az4wfMgzobmeizsugAljxXcwMpVM8jA/rzUyRUqAwjsIcC4qFt +K1tj7vQy9bpUN3xWc6VDvZjFOat/z551I6JM6kPshN5DoW6O0s3H7BoxSx0N69UA ++zb/Fefk/oy6BR4jwwvJboHjaOpliZUC/2uXOd2pp4/MCyhILz2ikRr6EMD7qCDd +9QFabRFjKe1GzKs0Uh6ewlrX1IHs4REmmf6f5+gCeBWGrwGAWhm69Pdbv2NgfS4t +OYob8Z2APvr+QsVsuwch7bcX99wp67gaw1Cgtsz4iAKLw73Aza6dJxoH6cC5x6PD +Fkpoo6sXYNVovVBPVDuq5Wnd+qvSBsjzlzILUQCfuVn+CcttYzFKMMX2LHvSSRhB +A64iOouMS/sWGvdamvqrlzUpKoeIpJhPit0D23xNq48LpEaHs3CZFsvung29Z9Vg +8flG6h0CAwEAAaOCCXYwgglyMIIBKwYDVR0RBIIBIjCCAR6CBmJkci5kZYIed3d3 +LnN1cHBvcnQuYnVuZGVzZHJ1Y2tlcmVpLmRlgg53d3cuc2lnbi1tZS5kZYIWd3d3 +LmJ1bmRlc2RydWNrZXJlaS5kZYIXd3d3LmJ1bmRlc2RydWNrZXJlaS5jb22CCnd3 +dy5iZHIuZGWCGnN1cHBvcnQuYnVuZGVzZHJ1Y2tlcmVpLmRlggpzaWduLW1lLmRl +ghpzZXJ2aWNlLmJ1bmRlc2RydWNrZXJlaS5kZYIdaW50ZXJha3Rpdi5idW5kZXNk +cnVja2VyZWkuZGWCG2hlbHBkZXNrLmJ1bmRlc2RydWNrZXJlaS5kZYISYnVuZGVz +ZHJ1Y2tlcmVpLmRlghNidW5kZXNkcnVja2VyZWkuY29tMB0GA1UdDgQWBBShj278 +UTgPVPGLerrSzyQ18D831TAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw +DgYDVR0PAQH/BAQDAgWgMIIBCQYIKwYBBQUHAQEEgfwwgfkwOgYIKwYBBQUHMAGG +Lmh0dHA6Ly9kLXRydXN0LWNhLTItMi1ldi0yMDE2Lm9jc3AuZC10cnVzdC5uZXQw +RQYIKwYBBQUHMAKGOWh0dHA6Ly93d3cuZC10cnVzdC5uZXQvY2dpLWJpbi9ELVRS +VVNUX0NBXzItMl9FVl8yMDE2LmNydDB0BggrBgEFBQcwAoZobGRhcDovL2RpcmVj +dG9yeS5kLXRydXN0Lm5ldC9DTj1ELVRSVVNUJTIwQ0ElMjAyLTIlMjBFViUyMDIw +MTYsTz1ELVRydXN0JTIwR21iSCxDPURFP2NBQ2VydGlmaWNhdGU/YmFzZT8wgfsG +A1UdHwSB8zCB8DCB7aCB6qCB54ZubGRhcDovL2RpcmVjdG9yeS5kLXRydXN0Lm5l +dC9DTj1ELVRSVVNUJTIwQ0ElMjAyLTIlMjBFViUyMDIwMTYsTz1ELVRydXN0JTIw +R21iSCxDPURFP2NlcnRpZmljYXRlcmV2b2NhdGlvbmxpc3SGNWh0dHA6Ly9jcmwu +ZC10cnVzdC5uZXQvY3JsL2QtdHJ1c3RfY2FfMi0yX2V2XzIwMTYuY3Jshj5odHRw +Oi8vY2RuLmQtdHJ1c3QtY2xvdWRjcmwubmV0L2NybC9kLXRydXN0X2NhXzItMl9l +dl8yMDE2LmNybDCB5wYIKwYBBQUHAQMEgdowgdcwCAYGBACORgEBMIG1BgYEAI5G +AQUwgaowUxZNaHR0cDovL3d3dy5kLXRydXN0Lm5ldC9pbnRlcm5ldC9maWxlcy9E +LVRSVVNUX1BLSV9EaXNjbG9zdXJlX1N0YXRlbWVudF9kZS5wZGYTAmRlMFMWTWh0 +dHA6Ly93d3cuZC10cnVzdC5uZXQvaW50ZXJuZXQvZmlsZXMvRC1UUlVTVF9QS0lf +RGlzY2xvc3VyZV9TdGF0ZW1lbnRfZW4ucGRmEwJlbjATBgYEAI5GAQYwCQYHBACO +RgEGAzCBiQYDVR0gBIGBMH8wCQYHBACL7EABBDAHBgVngQwBATANBgsrBgEEAaU0 +AoEWBDBaBgsrBgEEAaU0AoFKATBLMEkGCCsGAQUFBwIBFj1odHRwOi8vd3d3LmQt +dHJ1c3QubmV0L2ludGVybmV0L2ZpbGVzL0QtVFJVU1RfQ1NNX1BLSV9DUFMucGRm +MB8GA1UdIwQYMBaAFCGvaiaYcekmCtXboYz326adpSVcMIIETwYKKwYBBAHWeQIE +AgSCBD8EggQ7BDkAdwCt9776fP8QyIudPZwePhhqtGcpXc+xDCTKhYY069yCigAA +AX/AJVyRAAAEAwBIMEYCIQDHYr2J0KhX9Qw2DZcpukdrMtTPrSkQTG3WQ+9TJbfv +fAIhAIsgHLLnR3DBqqikp7qjOg2ge3rhLKae4EcfJ5OYH3bzAHcAs3N3B+GEUPhj +htYFqdwRCUp5LbFnDAuH3PADDnk2pZoAAAF/wCVdigAABAMASDBGAiEAv5hGLqwU +NARYcml1ScV/JumKME8Gh/+KFLd76xi69cICIQC5aK3LduJomzCkxLZecyDhIghV +zNwsNbB1XQY9TBepLAB2AOg+0No+9QY1MudXKLyJa8kD08vREWvs62nhd31tBr1u +AAABf8AlXP8AAAQDAEcwRQIgPkK0U2XQA0b4SS89AFPNRFo3TdcdNm90Z8015UBb +MpcCIQDMUkJimfKU5IvKyO7D8ibgsJSHE+NASD15Pixf8L25+wB2AFWB1MIWkDYB +SuoLm1c8U/DA5Dh4cCUIFy+jqh0HE9MMAAABf8AlXY8AAAQDAEcwRQIhAKX9i888 +VPeAjIztEESfZ8Izy051gTTSl9D1GBH7Z810AiBrBtrXTu+V39yPAfIK7YBpgsvS +C0vB8MCe1Q1nR5KK+gB3AHoyjFTYty22IOo44FIe6YQWcDIThU070ivBOlejUutS +AAABf8AlXTsAAAQDAEgwRgIhAPeWQ8o/CaW5HpEA3UkszILAlsKnixEHRDGFMl8q +GN+rAiEAmBQ7TBG8Xgru2e5c3GdUXecmDVjwI/G1ZthSFmMvNlgAdwBvU3asMfAx +GdiZAKRRFf93FRwR2QLBACkGjbIImjfZEwAAAX/AJV4ZAAAEAwBIMEYCIQC1HlH1 +MYjMp1pvFYmNXafGXvJ6oIiGiUtd1kHRtCt76QIhALj7dbiBFP4b9elj5kYMDPT0 +PAoflviX/f8klXtTFG27AHUA6H6nZgvCbPYALvVyXT/g4zG5OTu5L79Y6zuQSdr1 +Q1oAAAF/wCVhLwAABAMARjBEAiBszHijSAeBf3cec2LQgegrIJ3I4P9EQX28ZQ4S +yTvmDgIgMvxYYvRNu7+RY4AnFAZAhN9eX4WwXLrEdPOPhhxs0TwAdAA1zxkbv7Fs +V78PrUxtQsu7ticgJlHqP+Eq76gDwzvWTAAAAX/AJWAHAAAEAwBFMEMCIBhApuJO +EqEb0oq/6VWxM6jz2dbD7+ZjBDuvOioO/Cf9Ah9/QAHSUTU043F7VdV/REB12XGY +a63YqZJJeeIgTuZDAHYAtz77JN+cTbp18jnFulj0bF38Qs96nzXEnh0JgSXttJkA +AAF/wCVfSQAABAMARzBFAiEA4036r9QS+ngcG4FMBUc1Z36BywbwF00pHprDpNMQ +KhUCIGzTcK+3DnLBJOxwScoow/EJq39GmZV1sZz93r/d5qNdMA0GCSqGSIb3DQEB +CwUAA4IBAQBZvYmRmtu1gQLCA+QqN5C7ftPr0ioULQPBsmX8gHmQ1iHPrBrC99Ef +UD0//QB8V/aWqbt1NNdFXXEslN0V591m13uF7cp27SUjxNFwkPG2oypoqNM42I0U +136fs26VzFbLe/MLNLTiiTkIp4HfSnLoactqvWapU9X6pzRk3CoKbaGHkPpIn467 +6uq08dss4+W9DROLZynwuswtxhLdk4pi82mnIs0t8A+ZOHwKPrQ9zi8Mtc7T9xPY +PuGpbWQMTGKzCOjki81OvuD0ZU//hfHIM8Nh3Fb1LQ3ZRMudYdW+noIaW4FQRY2W +Pr1qU9fkcHml0htVexwhF6m1x5HZ332p +-----END CERTIFICATE----- diff --git a/src/tests/data/x509/ocsp/mychain_ee.pem b/src/tests/data/x509/ocsp/mychain_ee.pem new file mode 100644 index 0000000..23b0363 --- /dev/null +++ b/src/tests/data/x509/ocsp/mychain_ee.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDXDCCAkSgAwIBAgIUQCu8J4C8/lLpesu+yxmEcgboaKwwDQYJKoZIhvcNAQEL +BQAwOTEZMBcGA1UEAwwQTXkgT0NTUCBMb2NhbCBDQTELMAkGA1UEBhMCREUxDzAN +BgNVBAcMBkJlcmxpbjAeFw0yMjA5MjIxMDAwMDBaFw0yMzA5MjIxMDAwMDBaMDsx +GzAZBgNVBAMMEk15IE9DU1AgRW5kIEVudGl0eTELMAkGA1UEBhMCREUxDzANBgNV +BAcMBkJlcmxpbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJjSgFM7 +veKLCerCj8LbDH2eyE/wsgt75EugNON2xcuxdnZKXl9kQP/lq2tjQF9VUKvUr7C0 +4BDTyXjg+0RnH8EUp2fooDsrJu9k1i+lDWFtAYAYYrYYxGMFzCC/h+GBD0FCFBwL +3gpZwPitoDga6jtPbtv/RwFMuPy7b0KUpNMkVAeaT/KVmqc/l+SgLqDEZciiMcaC +GG1rkMnElR7c/0lg5xNITXS1t1Z9bHbpO7lH5xDoFcSTEhOcDdFkN923sbfTT3m9 +4oKHYFDUSoAc+Y2jbwbDK+g6MyCwIiwdyUF+Kgv1fdacWxZMmr2aOA5CX/1+ZeX1 +97ameyxkyA2DZfsCAwEAAaNaMFgwHwYDVR0jBBgwFoAUm5xBswA2BO40FM22Q/5K +RR6PtNMwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwHQYDVR0OBBYEFKnd1WBRL4H/ +IhofGjvLhtGSNh9lMA0GCSqGSIb3DQEBCwUAA4IBAQCoYIhu/w1Hp2aByrbV7Plm +aUhBJovJHqa3KixgSrV6Td6URaCSGHAiAFj1j0/dqzKL7QHMZYs43JRODuABAjsn +SktrpuoA+FILuSZXMm3UFEqNNJzFTwZLC3lSpxT1zvQ4PDgx4xFTMi9pyvGnDHjt +jkPLuLfjgI5PShcIB0Hd6yS07pBFdg/Dr3fCSU7OBAC4o44ubUa5kASvX35zjWoj +NulehNs+aa6Fm7qqSt4mz24qvnOG3SyYpkNKeu/FQjaKXV35A0tGN2ibEHSn0JBp +rZqzfegU5UuZrpGs3xUVeIH+rQdW8uBlllXP38djJ7mLb/3b1vLWakljPqAOOlsm +-----END CERTIFICATE----- diff --git a/src/tests/data/x509/ocsp/mychain_int.pem b/src/tests/data/x509/ocsp/mychain_int.pem new file mode 100644 index 0000000..f9bd11a --- /dev/null +++ b/src/tests/data/x509/ocsp/mychain_int.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDcTCCAlmgAwIBAgIUP4pG/mdA98wntpdjLKKDv50V4twwDQYJKoZIhvcNAQEL +BQAwODEYMBYGA1UEAwwPTXkgT0NTUCBSb290IENBMQswCQYDVQQGEwJERTEPMA0G +A1UEBwwGQmVybGluMB4XDTIyMDkyMjEwMDAwMFoXDTIzMDkyMjEwMDAwMFowOTEZ +MBcGA1UEAwwQTXkgT0NTUCBMb2NhbCBDQTELMAkGA1UEBhMCREUxDzANBgNVBAcM +BkJlcmxpbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAODHbsMfDefJ +fryKz8fY8AfCE8uAr5CzJ2gXQcIQd0rBJTPQxaxZ950+QbSfPAPAeFa1OWRc/Xby +3DXvtQ3yt879mvxAvsdvlUYOsOOi8b9tap3vLVSc668BJwByNwBZmAF6ByKsC4Yj +wwH7rfekE2KU89LzH0wWDJOybo/N62kXuzt23dO4uUXJat6ZlEghmzhAzHyfFdeD +H8V/7x7c6iQBFz0NSCeo/gzFzVNO0jKbyvScQmfLOvbwTm91nXPs6MWICzsNOliJ +vtfkJsqheq7dVX9HdLfh/1tdFx1WaPhtVf3VTolPGTs9w7hh6uaWsHZpFTbiK0Mc +DeNQkoX1ikcCAwEAAaNyMHAwHwYDVR0jBBgwFoAUk/nNvUAjr/JUj93s2WMZm25Y +zHUwDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAYYwEwYDVR0lBAwwCgYIKwYBBQUH +AwkwHQYDVR0OBBYEFJucQbMANgTuNBTNtkP+SkUej7TTMA0GCSqGSIb3DQEBCwUA +A4IBAQCN1CeGhYZr/ghM45N0auoTJ+U5lAah3g6c7lGS6x6+XyaueI+Pxy0wC/1C +UCjEbErD44utxk+816uUnhmUOqSrDejV0xxPnQYokziOw8flLKm8/Y5ngQ14VshX +oJZMdaQywe3Je34b6t/BZZaZx/dtXHtkDTBdBgOXiv/O7JMDqEQzFb8uC3MPpM1b +TtC58Rtvh8nhy5ieig/uaXBIwcyc4ujlllzjmwV1yNg6iY1QVj3GMRsxvI1ZFkaZ +eZnbFNqwx5ZLL61c/cBV8pG47DKSqBhV9osWCK/vc6WHYcwyYBJ5YIuykl/zs41o +knoudoJ3BFGS9PaFZZQCA78WnYsd +-----END CERTIFICATE----- diff --git a/src/tests/data/x509/ocsp/mychain_int_ocsp_delegate_responder.pem b/src/tests/data/x509/ocsp/mychain_int_ocsp_delegate_responder.pem new file mode 100644 index 0000000..6e65f1c --- /dev/null +++ b/src/tests/data/x509/ocsp/mychain_int_ocsp_delegate_responder.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDgjCCAmqgAwIBAgIUFkhEhhLqatMopup9/noUhdFx5EkwDQYJKoZIhvcNAQEL +BQAwOTEZMBcGA1UEAwwQTXkgT0NTUCBMb2NhbCBDQTELMAkGA1UEBhMCREUxDzAN +BgNVBAcMBkJlcmxpbjAeFw0yMjA5MjIxMDAwMDBaFw0yMjEwMDcxMDAwMDBaMDox +GjAYBgNVBAMMEU15IE9DU1AgUmVzcG9uZGVyMQswCQYDVQQGEwJERTEPMA0GA1UE +BwwGQmVybGluMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3N3l6YZy +pFShnQWmMyplXu3JaDjUxlrNwEs6Dn5flUC0eAZVN+uaXws+tG//wV487n+OXnyh +Zgz1Mt97J1wYhw7R9bQakPrmkYztrTmTKemS70sWjrsH0Od/S851sv3qAGylWiKb +1n0SawRPo6T5bvYADwwGESRKmWwOwPIv2KdsZ3kUhN9aPj06CMVJIRYVennZRt4X +4tcpgpB/eBp4/iEmfe3BzrFgf9YJG4qcbM84lULGLOnVNuUbbEIlBe75U71OR8dV +El65LSMAVDQovjTV3mdQcLQNOiNnBlNDDaJEi590ki59qnFbJO0Zsf7a/rpHz/4J +LqK8b2by8KoFpwIDAQABo4GAMH4wHwYDVR0jBBgwFoAUm5xBswA2BO40FM22Q/5K +RR6PtNMwCQYDVR0TBAIwADALBgNVHQ8EBAMCAYIwEwYDVR0lBAwwCgYIKwYBBQUH +AwkwDwYJKwYBBQUHMAEFBAIFADAdBgNVHQ4EFgQU7cI/PXYEpWH9l6Bnu36V6Nzv +/MowDQYJKoZIhvcNAQELBQADggEBALv6KUJ0I/Kd/4ofDQHcgrHOe3u26zs1LC5J +X9ZMoLRwN2LbzwWogIg3DEYqLAr0whpiDDcueVQVxK0rYrI1kWAZYi/wkmdOI5D7 +GNtHxdMty62XgOLb4LwGmEMQ7SLH2GgEAgKjJAIVJ5TMlxH8NV2/hrQhmXDpkZc/ ++6I881LDW2273p8vKXxYnI1EFTdCVa9XnNJr3U+yhC9plf+gSr51iXyQf9MPdZ91 +fg187LQkn6oIRtKL7yZMAajemcTkU8avoF1+EX01Z5nu/v2Hgtp2VFDKvCrud+e/ +iKFLYBlsnqfNyZt4n3PAxDP5ziZ5adH2ELCvPDkJ3nneAhvP5So= +-----END CERTIFICATE----- diff --git a/src/tests/data/x509/ocsp/mychain_int_ocsp_delegate_responder_no_ocsp_key_usage.pem b/src/tests/data/x509/ocsp/mychain_int_ocsp_delegate_responder_no_ocsp_key_usage.pem new file mode 100644 index 0000000..0cac96b --- /dev/null +++ b/src/tests/data/x509/ocsp/mychain_int_ocsp_delegate_responder_no_ocsp_key_usage.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDbDCCAlSgAwIBAgIUXMtIzKLTZ3oKE92bXWKGdS16GCYwDQYJKoZIhvcNAQEL +BQAwOTEZMBcGA1UEAwwQTXkgT0NTUCBMb2NhbCBDQTELMAkGA1UEBhMCREUxDzAN +BgNVBAcMBkJlcmxpbjAeFw0yMjA5MjIxMDAwMDBaFw0yMjEwMDcxMDAwMDBaMDox +GjAYBgNVBAMMEU15IE9DU1AgUmVzcG9uZGVyMQswCQYDVQQGEwJERTEPMA0GA1UE +BwwGQmVybGluMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3N3l6YZy +pFShnQWmMyplXu3JaDjUxlrNwEs6Dn5flUC0eAZVN+uaXws+tG//wV487n+OXnyh +Zgz1Mt97J1wYhw7R9bQakPrmkYztrTmTKemS70sWjrsH0Od/S851sv3qAGylWiKb +1n0SawRPo6T5bvYADwwGESRKmWwOwPIv2KdsZ3kUhN9aPj06CMVJIRYVennZRt4X +4tcpgpB/eBp4/iEmfe3BzrFgf9YJG4qcbM84lULGLOnVNuUbbEIlBe75U71OR8dV +El65LSMAVDQovjTV3mdQcLQNOiNnBlNDDaJEi590ki59qnFbJO0Zsf7a/rpHz/4J +LqK8b2by8KoFpwIDAQABo2swaTAfBgNVHSMEGDAWgBSbnEGzADYE7jQUzbZD/kpF +Ho+00zAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAPBgkrBgEFBQcwAQUEAgUAMB0G +A1UdDgQWBBTtwj89dgSlYf2XoGe7fpXo3O/8yjANBgkqhkiG9w0BAQsFAAOCAQEA +V17YOra6yl0wTjt6QbQDXxm5m02CpW3EZs8x1M8yZadWXK9dJ6mo7vetqF3nnOzd +TxesfAWigkrSZjR7HHHXXO5S9OjFLEyft+Xbx9+t8216Lbqk7WierREz1C21yCpn +B76DiQRXqY2lEm1cpgkZeSc+SSfoN4oOyXCb/r+sgEebXGHrQhqgdFAWq3BmF6U+ +VyIXG7PiJGoTmlJ9gfkr0+Y0MxNpTIr6OPc9H6+N4mYPhcj/9emTcj6R+0PvfAZC +GRc8U3fCW3UdPOTE28f86ZvMduavCZCSU4m74nZnzY6eKR83KNCjB0gJzYhwqcRm +f9I5C+O6SocALwTGGYkMbg== +-----END CERTIFICATE----- diff --git a/src/tests/data/x509/ocsp/mychain_root.pem b/src/tests/data/x509/ocsp/mychain_root.pem new file mode 100644 index 0000000..192d71b --- /dev/null +++ b/src/tests/data/x509/ocsp/mychain_root.pem @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDsDCCApigAwIBAgIUWMiulqiEbnZwrB5iI7tL724j7qswDQYJKoZIhvcNAQEL +BQAwODEYMBYGA1UEAwwPTXkgT0NTUCBSb290IENBMQswCQYDVQQGEwJERTEPMA0G +A1UEBwwGQmVybGluMB4XDTIyMDkyMjEwMDAwMFoXDTIzMDkyMjEwMDAwMFowODEY +MBYGA1UEAwwPTXkgT0NTUCBSb290IENBMQswCQYDVQQGEwJERTEPMA0GA1UEBwwG +QmVybGluMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAukN6nemvQcIX +zq+/DKFsJWjQif6sTP2zXfZtpw445LagOt8T9fGFgv6BSNTFp/TMRatQMAfZteH8 +ExzInhOIatwZgOKfG5tE+OH+tOuo9JrgWQRMGrhCV4fClDOv3sPAvduYm00muazD +HeusESr/ykoA3HmJpS62EeOvMsY991TGSoTUSPLXJOyVTT5EcHdLrmosIBNx4nN9 +8xN5ENbhz/lZa3z1+NEtruMhDY5s13POVgpXRCZmgyhl6uCl0HZOYPfoWZwbZfuh +S6U9s0C+JMRjcz1fLyBW2dgsWG6TRSsF6R83DkFQx/9kazfjv/mOqLMw1irT3K0E +wtsxe0aKfQIDAQABo4GxMIGuMF0GA1UdIwRWMFShPKQ6MDgxGDAWBgNVBAMMD015 +IE9DU1AgUm9vdCBDQTELMAkGA1UEBhMCREUxDzANBgNVBAcMBkJlcmxpboIUWMiu +lqiEbnZwrB5iI7tL724j7qswDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAYYwEwYD +VR0lBAwwCgYIKwYBBQUHAwkwHQYDVR0OBBYEFJP5zb1AI6/yVI/d7NljGZtuWMx1 +MA0GCSqGSIb3DQEBCwUAA4IBAQCdGyFlbaBkoLgLwM2q91VcLUHAp54Gp6vvLavq +p+65K7sdzzFj/6P9p6Dsa0BJ3bXba0pfJ10f9nFHOIFISb0Aptmm34XjBwvUckbb +LYDU7InmyS5aeAIxK9+G7TllLfSslPQJspSxWWZkp3cY4Ys7bGidb1ad620F2cMe +I2c09zhQuySbLDgaCc2Hg9Z3trb6S91Mmk6P+fQMzqq0XkfUOqzmEm2D7lFb3G76 +DI6CouYjoIYndVEN6oVVIcD+01Emxssy60aO6wS5MaM8TbcCdx3ZxYCdKj6YcdRf +XhEN1KonHRKP71iZrlw/W+GfVvt1dJx5V5fqh3mGZVvk7Sc7 +-----END CERTIFICATE----- diff --git a/src/tests/data/x509/ocsp/randombit_ocsp_forged_responder.pem b/src/tests/data/x509/ocsp/randombit_ocsp_forged_responder.pem new file mode 100644 index 0000000..9381a3e --- /dev/null +++ b/src/tests/data/x509/ocsp/randombit_ocsp_forged_responder.pem @@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIID1TCCAr2gAwIBAgIUQi+O3XGTkbU8ihDwXOrV18vdTvMwDQYJKoZIhvcNAQEL +BQAwNzEXMBUGA1UEAwwORm9yZ2VkIE9DU1AgQ0ExCzAJBgNVBAYTAkRFMQ8wDQYD +VQQHDAZCZXJsaW4wHhcNMTYxMTE4MTEwMDAwWhcNMTcxMTE4MTEwMDAwWjB+MQsw +CQYDVQQGEwJERTEPMA0GA1UECAwGQmVybGluMQ8wDQYDVQQHDAZCZXJsaW4xFDAS +BgNVBAoMC0hhY2tlcnNwYWNlMRowGAYDVQQLDBFPQ1NQIEJyZWFraW5nIExhYjEb +MBkGA1UEAwwSRm9yZ2VkIE9DU1AgU2lnbmVyMIIBIjANBgkqhkiG9w0BAQEFAAOC +AQ8AMIIBCgKCAQEAq72Y4p9gCPcoNELOB5i104jhbzbEWfcXhAdXkmufOFFVVveq +HbiGx5GLi46cJATjSQoOL86Jwgp/v0nZukfQFIsWJGjG3eDQnMBGaAH9+SZh+udP +dhcuOvFqvFBkKk6rMIcW0Tqx2ixZUG7275JrqjEyNUjAGA9fRSkGoWyca/P6QCjE +sgAMr82n0XahLi7VVL0v/DcRK7h9slJJbG9UBmHuwPYU5C5Z9iQKCh3JZ3oOgO4d +OuAGXrRm69znN5jlkBxgowJbgPn4Xp2QyAZl2A0/mou3U9WuVGDOUDLRL1UbCv/T +VyX/WyUsAV54apAkxM9Hd5yZermoIZ7gPCv40wIDAQABo4GRMIGOMB8GA1UdIwQY +MBaAFE4W+nR1DcTuZYBY/YXQinJ1Y5PjMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeA +MBMGA1UdJQQMMAoGCCsGAQUFBwMJMB8GA1UdEQQYMBaCFG9jc3AuaGFja2Vyc3Bh +Y2Uub3JnMB0GA1UdDgQWBBQAUq7vwa5MkBmRG9GuRC7N2F97BjANBgkqhkiG9w0B +AQsFAAOCAQEAzS/5VHLcyTkvnodS18mlkp6r4fKkxhrLR2cyGhQPqwEqkq+l4U8k +UMnem31+XoVHt8nN7N0+aOCna7xhvxzWDQioahG4oSxW3R0FNbO4+HXEBkUqbJQo +JaVxSc4vXYjXgLvvhcSAbwfg7o3jInHszCLWoEpNEWGI0Un/ngJX0E8H374LiPnd +Z7W8bNvqRgbpbZJmrgVfm2T3NIWlMYCB8GqyZMA/uLUtxkv25LTCsCTGKhn/ZQoI +XxCZ4OvZDbxLmGj+5GsgJUHVKVhDomo0fJQh+KrMw+0IyjFVjjyroN6d1A3JPmbL +dKUfISvTkfDCj67y8iASBRCOEs7EB4JzSg== +-----END CERTIFICATE----- diff --git a/src/tests/test_x509_path.cpp b/src/tests/test_x509_path.cpp index 0e9f8eb..3b090fb 100644 --- a/src/tests/test_x509_path.cpp +++ b/src/tests/test_x509_path.cpp @@ -656,6 +656,142 @@ std::vector<Test::Result> BSI_Path_Validation_Tests::run() BOTAN_REGISTER_TEST("x509_path_bsi", BSI_Path_Validation_Tests); +class Path_Validation_With_OCSP_Tests final : public Test + { + public: + Botan::X509_Certificate load_test_X509_cert(const std::string& path) + { + return Botan::X509_Certificate(Test::data_file(path)); + } + + std::shared_ptr<const Botan::OCSP::Response> load_test_OCSP_resp(const std::string& path) + { + return std::make_shared<const Botan::OCSP::Response>(Test::read_binary_data_file(path)); + } + + Test::Result validate_with_ocsp_with_authorized_responder() + { + Test::Result result("path check with ocsp response from authorized responder certificate"); + Botan::Certificate_Store_In_Memory trusted; + + auto restrictions = Botan::Path_Validation_Restrictions(true, // require revocation info + 110, // minimum key strength + true); // OCSP for all intermediates + + auto ee = load_test_X509_cert("x509/ocsp/bdr.pem"); + auto ca = load_test_X509_cert("x509/ocsp/bdr-int.pem"); + auto trust_root = load_test_X509_cert("x509/ocsp/bdr-root.pem"); + + // These OCSP responses are signed by an authorized OCSP responder + // certificate issued by `ca` and `trust_root` respectively. Note that + // the responder certificates contain the "OCSP No Check" extension, + // meaning that they themselves do not need a revocation check via OCSP. + auto ocsp_ee = load_test_OCSP_resp("x509/ocsp/bdr-ocsp-resp.der"); + auto ocsp_ca = load_test_OCSP_resp("x509/ocsp/bdr-int-ocsp-resp.der"); + + trusted.add_certificate(trust_root); + const std::vector<Botan::X509_Certificate> cert_path = { ee, ca, trust_root }; + + auto check_path = [&](const std::chrono::system_clock::time_point valid_time, + const Botan::Certificate_Status_Code expected) + { + const auto path_result = Botan::x509_path_validate(cert_path, restrictions, trusted, "", Botan::Usage_Type::UNSPECIFIED, + valid_time, std::chrono::milliseconds(0), {ocsp_ee, ocsp_ca}); + + return result.confirm(std::string("Status: '") + Botan::to_string(expected) + + "' should match '" + Botan::to_string(path_result.result()) + "'", + path_result.result()==expected); + }; + + check_path(Botan::calendar_point(2022, 9, 18, 16, 30, 0).to_std_timepoint(), + Botan::Certificate_Status_Code::OCSP_NOT_YET_VALID); + check_path(Botan::calendar_point(2022, 9, 19, 16, 30, 0).to_std_timepoint(), + Botan::Certificate_Status_Code::OK); + check_path(Botan::calendar_point(2022, 9, 20, 16, 30, 0).to_std_timepoint(), + Botan::Certificate_Status_Code::OCSP_HAS_EXPIRED); + + return result; + } + + Test::Result validate_with_forged_ocsp_using_self_signed_cert() + { + Test::Result result("path check with forged ocsp using self-signed certificate (CVE-2022-43705)"); + Botan::Certificate_Store_In_Memory trusted; + + auto restrictions = Botan::Path_Validation_Restrictions(true, // require revocation info + 110, // minimum key strength + false); // OCSP for all intermediates + + auto ee = load_test_X509_cert("x509/ocsp/randombit.pem"); + auto ca = load_test_X509_cert("x509/ocsp/letsencrypt.pem"); + auto trust_root = load_test_X509_cert("x509/ocsp/identrust.pem"); + trusted.add_certificate(trust_root); + + const std::vector<Botan::X509_Certificate> cert_path = { ee, ca, trust_root }; + + auto check_path = [&](const std::string &forged_ocsp, + const Botan::Certificate_Status_Code expected) + { + auto ocsp = load_test_OCSP_resp(forged_ocsp); + const auto path_result = Botan::x509_path_validate(cert_path, restrictions, trusted, "", Botan::Usage_Type::UNSPECIFIED, + Botan::calendar_point(2016, 11, 18, 12, 30, 0).to_std_timepoint(), std::chrono::milliseconds(0), {ocsp}); + + result.confirm(std::string("Path validation with forged OCSP response should fail with '") + Botan::to_string(expected) + "'", + path_result.result() == expected); + result.test_note(std::string("Failed with: ") + Botan::to_string(path_result.result())); + }; + + // In both cases the path validation should detect the forged OCSP + // response and generate an appropriate error. By no means it should + // follow the unauthentic OCSP response. + check_path("x509/ocsp/randombit_ocsp_forged_valid.der", Botan::Certificate_Status_Code::OCSP_ISSUER_NOT_FOUND); + check_path("x509/ocsp/randombit_ocsp_forged_revoked.der", Botan::Certificate_Status_Code::OCSP_ISSUER_NOT_FOUND); + + return result; + } + + Test::Result validate_with_ocsp_self_signed_by_intermediate_cert() + { + Test::Result result("path check with ocsp response for intermediate that is (maliciously) self-signed by the intermediate"); + Botan::Certificate_Store_In_Memory trusted; + + auto restrictions = Botan::Path_Validation_Restrictions(true, // require revocation info + 110, // minimum key strength + true); // OCSP for all intermediates + + auto ee = load_test_X509_cert("x509/ocsp/mychain_ee.pem"); + auto ca = load_test_X509_cert("x509/ocsp/mychain_int.pem"); + auto trust_root = load_test_X509_cert("x509/ocsp/mychain_root.pem"); + + // this OCSP response for EE is valid (signed by intermediate cert) + auto ocsp_ee = load_test_OCSP_resp("x509/ocsp/mychain_ocsp_for_ee.der"); + + // this OCSP response for Intermediate is malicious (signed by intermediate itself) + auto ocsp_ca = load_test_OCSP_resp("x509/ocsp/mychain_ocsp_for_int_self_signed.der"); + + trusted.add_certificate(trust_root); + const std::vector<Botan::X509_Certificate> cert_path = { ee, ca, trust_root }; + + const auto path_result = Botan::x509_path_validate(cert_path, restrictions, trusted, "", Botan::Usage_Type::UNSPECIFIED, + Botan::calendar_point(2022, 9, 22, 22, 30, 0).to_std_timepoint(), std::chrono::milliseconds(0), {ocsp_ee, ocsp_ca}); + result.confirm("should reject intermediate OCSP response", path_result.result() == Botan::Certificate_Status_Code::OCSP_ISSUER_NOT_FOUND); + result.test_note(std::string("Failed with: ") + Botan::to_string(path_result.result())); + + return result; + } + + std::vector<Test::Result> run() override + { + return {validate_with_ocsp_with_authorized_responder(), + validate_with_forged_ocsp_using_self_signed_cert(), + validate_with_ocsp_self_signed_by_intermediate_cert()}; + } + +}; + + +BOTAN_REGISTER_TEST("x509_path_with_ocsp", Path_Validation_With_OCSP_Tests); + #endif }
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor