static VALUE ossl_ocspbres_get_status(VALUE self) { OCSP_BASICRESP *bs; OCSP_SINGLERESP *single; OCSP_CERTID *cid; ASN1_TIME *revtime, *thisupd, *nextupd; int status, reason; X509_EXTENSION *x509ext; VALUE ret, ary, ext; int count, ext_count, i, j; GetOCSPBasicRes(self, bs); ret = rb_ary_new(); count = OCSP_resp_count(bs); for(i = 0; i < count; i++) { single = OCSP_resp_get0(bs, i); if(!single) continue; revtime = thisupd = nextupd = NULL; status = OCSP_single_get0_status(single, &reason, &revtime, &thisupd, &nextupd); if(status < 0) continue; if(!(cid = OCSP_CERTID_dup(single->certId))) ossl_raise(eOCSPError, NULL); ary = rb_ary_new(); rb_ary_push(ary, ossl_ocspcertid_new(cid)); rb_ary_push(ary, INT2NUM(status)); rb_ary_push(ary, INT2NUM(reason)); rb_ary_push(ary, revtime ? asn1time_to_time(revtime) : Qnil); rb_ary_push(ary, thisupd ? asn1time_to_time(thisupd) : Qnil); rb_ary_push(ary, nextupd ? asn1time_to_time(nextupd) : Qnil); ext = rb_ary_new(); ext_count = OCSP_SINGLERESP_get_ext_count(single); for(j = 0; j < ext_count; j++) { x509ext = OCSP_SINGLERESP_get_ext(single, j); rb_ary_push(ext, ossl_x509ext_new(x509ext)); } rb_ary_push(ary, ext); rb_ary_push(ret, ary); } return ret; }
GTlsCertificateFlags g_tls_database_openssl_verify_ocsp_response (GTlsDatabaseOpenssl *self, GTlsCertificate *chain, OCSP_RESPONSE *resp) { GTlsCertificateFlags errors = 0; #if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \ !defined(OPENSSL_NO_OCSP) GTlsDatabaseOpensslPrivate *priv; STACK_OF(X509) *chain_openssl = NULL; OCSP_BASICRESP *basic_resp = NULL; int ocsp_status = 0; int i; ocsp_status = OCSP_response_status (resp); if (ocsp_status != OCSP_RESPONSE_STATUS_SUCCESSFUL) { errors = G_TLS_CERTIFICATE_GENERIC_ERROR; goto end; } basic_resp = OCSP_response_get1_basic (resp); if (basic_resp == NULL) { errors = G_TLS_CERTIFICATE_GENERIC_ERROR; goto end; } chain_openssl = convert_certificate_chain_to_openssl (G_TLS_CERTIFICATE_OPENSSL (chain)); priv = g_tls_database_openssl_get_instance_private (self); if ((chain_openssl == NULL) || (priv->store == NULL)) { errors = G_TLS_CERTIFICATE_GENERIC_ERROR; goto end; } if (OCSP_basic_verify (basic_resp, chain_openssl, priv->store, 0) <= 0) { errors = G_TLS_CERTIFICATE_GENERIC_ERROR; goto end; } for (i = 0; i < OCSP_resp_count (basic_resp); i++) { OCSP_SINGLERESP *single_resp = OCSP_resp_get0 (basic_resp, i); ASN1_GENERALIZEDTIME *revocation_time = NULL; ASN1_GENERALIZEDTIME *this_update_time = NULL; ASN1_GENERALIZEDTIME *next_update_time = NULL; int crl_reason = 0; int cert_status = 0; if (single_resp == NULL) continue; cert_status = OCSP_single_get0_status (single_resp, &crl_reason, &revocation_time, &this_update_time, &next_update_time); if (!OCSP_check_validity (this_update_time, next_update_time, 300L, -1L)) { errors = G_TLS_CERTIFICATE_GENERIC_ERROR; goto end; } switch (cert_status) { case V_OCSP_CERTSTATUS_GOOD: break; case V_OCSP_CERTSTATUS_REVOKED: errors = G_TLS_CERTIFICATE_REVOKED; goto end; case V_OCSP_CERTSTATUS_UNKNOWN: errors = G_TLS_CERTIFICATE_GENERIC_ERROR; goto end; } } end: if (basic_resp != NULL) OCSP_BASICRESP_free (basic_resp); if (resp != NULL) OCSP_RESPONSE_free (resp); #endif return errors; }
s2n_cert_validation_code s2n_x509_validator_validate_cert_stapled_ocsp_response(struct s2n_x509_validator *validator, struct s2n_connection *conn, const uint8_t *ocsp_response_raw, uint32_t ocsp_response_length) { if (validator->skip_cert_validation || !validator->check_stapled_ocsp) { return S2N_CERT_OK; } #if !S2N_OCSP_STAPLING_SUPPORTED /* Default to safety */ return S2N_CERT_ERR_UNTRUSTED; #else OCSP_RESPONSE *ocsp_response = NULL; OCSP_BASICRESP *basic_response = NULL; s2n_cert_validation_code ret_val = S2N_CERT_ERR_INVALID; if (!ocsp_response_raw) { return ret_val; } ocsp_response = d2i_OCSP_RESPONSE(NULL, &ocsp_response_raw, ocsp_response_length); if (!ocsp_response) { goto clean_up; } int ocsp_status = OCSP_response_status(ocsp_response); if (ocsp_status != OCSP_RESPONSE_STATUS_SUCCESSFUL) { goto clean_up; } basic_response = OCSP_response_get1_basic(ocsp_response); if (!basic_response) { goto clean_up; } int i; int certs_in_chain = sk_X509_num(validator->cert_chain); int certs_in_ocsp = sk_X509_num(OCSP_GET_CERTS(basic_response)); if (certs_in_chain >= 2 && certs_in_ocsp >= 1) { X509 *responder = sk_X509_value(OCSP_GET_CERTS(basic_response), certs_in_ocsp - 1); /*check to see if one of the certs in the chain is an issuer of the cert in the ocsp response.*/ /*if so it needs to be added to the OCSP verification chain.*/ for (i = 0; i < certs_in_chain; i++) { X509 *issuer = sk_X509_value(validator->cert_chain, i); int issuer_value = X509_check_issued(issuer, responder); if (issuer_value == X509_V_OK) { if (!OCSP_basic_add1_cert(basic_response, issuer)) { goto clean_up; } } } } int ocsp_verify_err = OCSP_basic_verify(basic_response, validator->cert_chain, validator->trust_store->trust_store, 0); /* do the crypto checks on the response.*/ if (!ocsp_verify_err) { ret_val = S2N_CERT_ERR_EXPIRED; goto clean_up; } /* for each response check the timestamps and the status. */ for (i = 0; i < OCSP_resp_count(basic_response); i++) { int status_reason; ASN1_GENERALIZEDTIME *revtime, *thisupd, *nextupd; OCSP_SINGLERESP *single_response = OCSP_resp_get0(basic_response, i); if (!single_response) { goto clean_up; } ocsp_status = OCSP_single_get0_status(single_response, &status_reason, &revtime, &thisupd, &nextupd); uint64_t this_update = 0; int thisupd_err = s2n_asn1_time_to_nano_since_epoch_ticks((const char *) thisupd->data, (uint32_t) thisupd->length, &this_update); uint64_t next_update = 0; int nextupd_err = s2n_asn1_time_to_nano_since_epoch_ticks((const char *) nextupd->data, (uint32_t) nextupd->length, &next_update); uint64_t current_time = 0; int current_time_err = conn->config->wall_clock(conn->config->sys_clock_ctx, ¤t_time); if (thisupd_err || nextupd_err || current_time_err) { ret_val = S2N_CERT_ERR_UNTRUSTED; goto clean_up; } if (current_time < this_update || current_time > next_update) { ret_val = S2N_CERT_ERR_EXPIRED; goto clean_up; } switch (ocsp_status) { case V_OCSP_CERTSTATUS_GOOD: break; case V_OCSP_CERTSTATUS_REVOKED: ret_val = S2N_CERT_ERR_REVOKED; goto clean_up; case V_OCSP_CERTSTATUS_UNKNOWN: goto clean_up; default: goto clean_up; } } ret_val = S2N_CERT_OK; clean_up: if (basic_response) { OCSP_BASICRESP_free(basic_response); } if (ocsp_response) { OCSP_RESPONSE_free(ocsp_response); } return ret_val; #endif /* S2N_OCSP_STAPLING_SUPPORTED */ }