Hello community,

here is the log from the commit of package Botan for openSUSE:Factory checked 
in at 2022-11-18 15:43:37
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/Botan (Old)
 and      /work/SRC/openSUSE:Factory/.Botan.new.1597 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "Botan"

Fri Nov 18 15:43:37 2022 rev:63 rq:1036531 version:2.19.3

Changes:
--------
--- /work/SRC/openSUSE:Factory/Botan/Botan.changes      2022-06-13 
13:03:32.369200595 +0200
+++ /work/SRC/openSUSE:Factory/.Botan.new.1597/Botan.changes    2022-11-18 
15:44:10.262730243 +0100
@@ -1,0 +2,9 @@
+Thu Nov 17 21:26:01 UTC 2022 - Jason Sikes <jsi...@suse.com>
+
+- Update to 2.19.3:
+  * validate that an embedded certificate was issued by the end-entity
+    issuing certificate authority when checking OCSP responses.
+  * CVE-2022-43705
+  * bsc#1205509
+
+-------------------------------------------------------------------

Old:
----
  Botan-2.19.2.tar.xz
  Botan-2.19.2.tar.xz.asc

New:
----
  Botan-2.19.3.tar.xz
  Botan-2.19.3.tar.xz.asc

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ Botan.spec ++++++
--- /var/tmp/diff_new_pack.E7ATnN/_old  2022-11-18 15:44:10.866732897 +0100
+++ /var/tmp/diff_new_pack.E7ATnN/_new  2022-11-18 15:44:10.870732914 +0100
@@ -20,7 +20,7 @@
 %define version_suffix 2-19
 %define short_version 2
 Name:           Botan
-Version:        2.19.2
+Version:        2.19.3
 Release:        0
 Summary:        A C++ Crypto Library
 License:        BSD-2-Clause

++++++ Botan-2.19.2.tar.xz -> Botan-2.19.3.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/Botan-2.19.2/doc/security.rst 
new/Botan-2.19.3/doc/security.rst
--- old/Botan-2.19.2/doc/security.rst   2022-06-03 19:29:40.000000000 +0200
+++ new/Botan-2.19.3/doc/security.rst   2022-11-16 12:19:19.000000000 +0100
@@ -15,6 +15,30 @@
 This key can be found in the file ``doc/pgpkey.txt`` or online at
 https://keybase.io/jacklloyd and on most PGP keyservers.
 
+2022
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* 2022-11-16: Failure to correctly check OCSP responder embedded certificate
+
+  OCSP responses for some end entity are either signed by the issuing CA 
certificate of
+  the PKI, or an OCSP responder certificate that the PKI authorized to sign 
responses in
+  their name. In the latter case, the responder certificate (and its 
validation path
+  certificate) may be embedded into the OCSP response and clients must verify 
that such
+  certificates are indeed authorized by the CA when validating OCSP responses.
+
+  The OCSP implementation failed to verify that an authorized responder 
certificate
+  embedded in an OCSP response is authorized by the issuing CA. As a result, 
any valid
+  signature by an embedded certificate passed the check and was allowed to 
make claims
+  about the revocation status of certificates of any CA.
+
+  Attackers that are in a position to spoof OCSP responses for a client could 
therefore
+  render legitimate certificates of a 3rd party CA as revoked or even use a 
compromised
+  (and actually revoked) certificate by spoofing an OCSP-"OK" response. E.g. 
an attacker
+  could exploit this to impersonate a legitimate TLS server using a compromised
+  certificate of that host and get around the revocation check using OCSP 
stapling.
+
+  Introduced in 1.11.34, fixed in 2.19.3
+
 2020
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
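Review bot: The new 2022 entry in doc/security.rst never names the CVE, although the news.rst entry and the package changelog for the same fix both cite CVE-2022-43705. Add the identifier to the entry (title line or first paragraph) so the advisory can be found by CVE number. The closing line "Introduced in 1.11.34, fixed in 2.19.3" is useful for triage and should stay.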
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/Botan-2.19.2/news.rst new/Botan-2.19.3/news.rst
--- old/Botan-2.19.2/news.rst   2022-06-03 19:29:40.000000000 +0200
+++ new/Botan-2.19.3/news.rst   2022-11-16 12:19:19.000000000 +0100
@@ -1,7 +1,14 @@
 Release Notes
 ========================================
 
-Version 2.19.2, Not Yet Released
+Version 2.19.3, 2022-11-16
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+* CVE-2022-43705: A malicious OCSP responder could forge OCSP
+  responses due to a failure to validate that an embedded certificate
+  was issued by the end-entity issuing certificate authority.
+
+Version 2.19.2, 2022-06-03
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 * Add support for parallel computation in Argon2 (GH #2937 #2926)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/Botan-2.19.2/readme.rst new/Botan-2.19.3/readme.rst
--- old/Botan-2.19.2/readme.rst 2022-06-03 19:29:40.000000000 +0200
+++ new/Botan-2.19.3/readme.rst 2022-11-16 12:19:19.000000000 +0100
@@ -27,9 +27,9 @@
 <https://botan.randombit.net/security.html>`_ for contact information.
 
 The latest release is
-`2.19.2 <https://botan.randombit.net/releases/Botan-2.19.2.tar.xz>`_
-`(sig) <https://botan.randombit.net/releases/Botan-2.19.2.tar.xz.asc>`_,
-released on 2022-06-03.
+`2.19.3 <https://botan.randombit.net/releases/Botan-2.19.3.tar.xz>`_
+`(sig) <https://botan.randombit.net/releases/Botan-2.19.3.tar.xz.asc>`_,
+released on 2022-11-16.
 All releases are signed with a `PGP key 
<https://botan.randombit.net/pgpkey.txt>`_.
 See the `release notes <https://botan.randombit.net/news.html>`_ for
 what is new. Botan is also available through most
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/Botan-2.19.2/src/build-data/version.txt 
new/Botan-2.19.3/src/build-data/version.txt
--- old/Botan-2.19.2/src/build-data/version.txt 2022-06-03 19:29:40.000000000 
+0200
+++ new/Botan-2.19.3/src/build-data/version.txt 2022-11-16 12:19:19.000000000 
+0100
@@ -1,11 +1,11 @@
 
 release_major = 2
 release_minor = 19
-release_patch = 2
+release_patch = 3
 release_suffix = ''
 release_so_abi_rev = 19
 
 # These are set by the distribution script
-release_vc_rev = 'git:a85eaffe863a401ba312be5e1403bca80e70221e'
-release_datestamp = 20220603
+release_vc_rev = 'git:15dc32f12d05e99a267f0fc47d88b678b71b8b05'
+release_datestamp = 20221116
 release_type = 'release'
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/Botan-2.19.2/src/lib/x509/certstor.h 
new/Botan-2.19.3/src/lib/x509/certstor.h
--- old/Botan-2.19.2/src/lib/x509/certstor.h    2022-06-03 19:29:40.000000000 
+0200
+++ new/Botan-2.19.3/src/lib/x509/certstor.h    2022-11-16 12:19:19.000000000 
+0100
@@ -96,6 +96,12 @@
       explicit Certificate_Store_In_Memory(const X509_Certificate& cert);
 
       /**
+      * Adds given certificate list to the store.
+      */
+      explicit Certificate_Store_In_Memory(std::vector<std::shared_ptr<const 
X509_Certificate>> certs)
+         : m_certs(std::move(certs)) {}
+
+      /**
       * Create an empty store.
       */
       Certificate_Store_In_Memory() = default;
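Review bot: The doc comment on the new constructor, "Adds given certificate list to the store.", describes a mutation, but this is a constructor that builds the store from the list. Reword it along the lines of the neighbouring "Create an empty store." The vector is also moved into m_certs without inspection, so a null shared_ptr entry would end up in the store. Either reject nulls here or state the non-null precondition in the comment, since this constructor is now used on the OCSP verification path.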
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/Botan-2.19.2/src/lib/x509/ocsp.cpp 
new/Botan-2.19.3/src/lib/x509/ocsp.cpp
--- old/Botan-2.19.2/src/lib/x509/ocsp.cpp      2022-06-03 19:29:40.000000000 
+0200
+++ new/Botan-2.19.3/src/lib/x509/ocsp.cpp      2022-11-16 12:19:19.000000000 
+0100
@@ -241,7 +241,6 @@
       {
       for(size_t i = 0; i < m_certs.size(); ++i)
          {
-         // Check all CA certificates in the (assumed validated) EE cert path
          if(!m_signer_name.empty() && m_certs[i].subject_dn() == m_signer_name)
             {
             signing_cert = std::make_shared<const 
X509_Certificate>(m_certs[i]);
@@ -254,6 +253,73 @@
             break;
             }
          }
+
+      // RFC 6960 4.2.2.2
+      //    OCSP signing delegation SHALL be designated by the inclusion of
+      //    id-kp-OCSPSigning in an extended key usage certificate extension
+      //    included in the OCSP response signer's certificate. This 
certificate
+      //    MUST be issued directly by the CA that is identified in the 
request.
+      //
+      //    The CA SHOULD use the same issuing key to issue a delegation
+      //    certificate as that used to sign the certificate being checked for
+      //    revocation.  Systems relying on OCSP responses MUST recognize a
+      //    delegation certificate as being issued by the CA that issued the
+      //    certificate in question only if the delegation certificate and the
+      //    certificate being checked for revocation were signed by the same 
key.
+      //
+      // I.e. it is safe to assume that the certificate's issuer also signed 
the
+      // responder's certificate.
+      //
+      // Note: The 'SHOULD' in the second paragraph above allows for backward
+      //       compatibility to RFC 2560 that is "strongly discouraged". This
+      //       implementation explicitly _does not_ implement this backward
+      //       compatibility.
+      if(signing_cert)
+         {
+         const auto issuer =
+            Certificate_Store_In_Memory(ee_cert_path)
+               .find_cert(signing_cert->issuer_dn(), 
signing_cert->authority_key_id());
+
+         // User did not provide the certificate path to verify the delegation
+         if(!issuer)
+            {
+            return Certificate_Status_Code::OCSP_ISSUER_NOT_FOUND;
+            }
+
+         if(!issuer->is_CA_cert())
+            {
+            return Certificate_Status_Code::OCSP_ISSUER_NOT_FOUND;
+            }
+
+         // Sub-optimal fix for CVE-2022-43705 found in Botan 2.19.2 and older.
+         //
+         // This certificate validation is incomplete. Missing checks:
+         //  * validity check against the reference time
+         //  * revocation status check of the responder certificate
+         //  * certificate extension validations
+         //  * ... potentially more
+         //
+         // A more comprehensive validation will be introduced with Botan 3.0
+         try
+            {
+            const auto issuer_pubkey = issuer->load_subject_public_key();
+            const auto sig = signing_cert->verify_signature(*issuer_pubkey);
+
+            if(sig != Certificate_Status_Code::VERIFIED)
+               {
+               return Certificate_Status_Code::OCSP_SIGNATURE_ERROR;
+               }
+
+            
if(!signing_cert->has_ex_constraint(OID::from_string("PKIX.OCSPSigning")))
+               {
+               return Certificate_Status_Code::OCSP_RESPONSE_MISSING_KEYUSAGE;
+               }
+            }
+         catch(const Exception& ex)
+            {
+            return Certificate_Status_Code::OCSP_SIGNATURE_ERROR;
+            }
+         }
       }
 
    if(!signing_cert)
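Review bot: The issuer lookup in the new if(signing_cert) block searches all of ee_cert_path with find_cert(signing_cert->issuer_dn(), signing_cert->authority_key_id()), so any CA certificate in the supplied path that issued the responder is accepted. The RFC 6960 text quoted just above requires that the delegation certificate and the certificate being checked were signed by the same key. Consider comparing the found issuer against the direct issuer of the certificate under check, or explain in the comment why matching any path element is sufficient. Two smaller points: catch(const Exception& ex) never uses ex and can be written catch(const Exception&) to avoid an unused-variable warning, and the !issuer and !issuer->is_CA_cert() branches both return OCSP_ISSUER_NOT_FOUND, so they can be merged or given distinct codes to help diagnosis. The "Sub-optimal fix" comment lists the missing validity and revocation checks on the responder certificate. That limitation deserves a line in the release notes as well, because callers cannot see it from the status code.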
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/Botan-2.19.2/src/lib/x509/x509path.cpp 
new/Botan-2.19.3/src/lib/x509/x509path.cpp
--- old/Botan-2.19.2/src/lib/x509/x509path.cpp  2022-06-03 19:29:40.000000000 
+0200
+++ new/Botan-2.19.3/src/lib/x509/x509path.cpp  2022-11-16 12:19:19.000000000 
+0100
@@ -234,7 +234,11 @@
          {
          try
             {
-            Certificate_Status_Code ocsp_signature_status = 
ocsp_responses.at(i)->check_signature(trusted_certstores, cert_path);
+            // When verifying intermediate certificates we need to truncate the
+            // cert_path so that the intermediate under investigation becomes 
the
+            // last certificate in the chain.
+            std::vector<std::shared_ptr<const X509_Certificate>> 
ocsp_cert_path(cert_path.begin() + i, cert_path.end());
+            Certificate_Status_Code ocsp_signature_status = 
ocsp_responses.at(i)->check_signature(trusted_certstores, ocsp_cert_path);
 
             if(ocsp_signature_status == 
Certificate_Status_Code::OCSP_SIGNATURE_OK)
                {
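Review bot: The new comment says the certificate under investigation "becomes the last certificate in the chain", but ocsp_cert_path is built from cert_path.begin() + i, which makes it the first element of the vector. State the ordering explicitly (subject first, trust anchor last) so the expectation that check_signature has of its ee_cert_path argument is unambiguous. The comment also speaks only of intermediates, while the same truncation applies at i == 0 for the end-entity certificate. The copy is made inside the loop for every response; that is acceptable for short chains, but passing iterators or a span would avoid the per-iteration allocation.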
Binary files old/Botan-2.19.2/src/tests/data/x509/ocsp/bdr-int-ocsp-resp.der 
and new/Botan-2.19.3/src/tests/data/x509/ocsp/bdr-int-ocsp-resp.der differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/Botan-2.19.2/src/tests/data/x509/ocsp/bdr-int.pem 
new/Botan-2.19.3/src/tests/data/x509/ocsp/bdr-int.pem
--- old/Botan-2.19.2/src/tests/data/x509/ocsp/bdr-int.pem       1970-01-01 
01:00:00.000000000 +0100
+++ new/Botan-2.19.3/src/tests/data/x509/ocsp/bdr-int.pem       2022-11-16 
12:19:19.000000000 +0100
@@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
Binary files old/Botan-2.19.2/src/tests/data/x509/ocsp/bdr-ocsp-resp.der and 
new/Botan-2.19.3/src/tests/data/x509/ocsp/bdr-ocsp-resp.der differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/Botan-2.19.2/src/tests/data/x509/ocsp/bdr-root.pem 
new/Botan-2.19.3/src/tests/data/x509/ocsp/bdr-root.pem
--- old/Botan-2.19.2/src/tests/data/x509/ocsp/bdr-root.pem      1970-01-01 
01:00:00.000000000 +0100
+++ new/Botan-2.19.3/src/tests/data/x509/ocsp/bdr-root.pem      2022-11-16 
12:19:19.000000000 +0100
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/Botan-2.19.2/src/tests/data/x509/ocsp/bdr.pem 
new/Botan-2.19.3/src/tests/data/x509/ocsp/bdr.pem
--- old/Botan-2.19.2/src/tests/data/x509/ocsp/bdr.pem   1970-01-01 
01:00:00.000000000 +0100
+++ new/Botan-2.19.3/src/tests/data/x509/ocsp/bdr.pem   2022-11-16 
12:19:19.000000000 +0100
@@ -0,0 +1,80 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/Botan-2.19.2/src/tests/data/x509/ocsp/mychain_ee.pem 
new/Botan-2.19.3/src/tests/data/x509/ocsp/mychain_ee.pem
--- old/Botan-2.19.2/src/tests/data/x509/ocsp/mychain_ee.pem    1970-01-01 
01:00:00.000000000 +0100
+++ new/Botan-2.19.3/src/tests/data/x509/ocsp/mychain_ee.pem    2022-11-16 
12:19:19.000000000 +0100
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/Botan-2.19.2/src/tests/data/x509/ocsp/mychain_int.pem 
new/Botan-2.19.3/src/tests/data/x509/ocsp/mychain_int.pem
--- old/Botan-2.19.2/src/tests/data/x509/ocsp/mychain_int.pem   1970-01-01 
01:00:00.000000000 +0100
+++ new/Botan-2.19.3/src/tests/data/x509/ocsp/mychain_int.pem   2022-11-16 
12:19:19.000000000 +0100
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/Botan-2.19.2/src/tests/data/x509/ocsp/mychain_int_ocsp_delegate_responder.pem
 
new/Botan-2.19.3/src/tests/data/x509/ocsp/mychain_int_ocsp_delegate_responder.pem
--- 
old/Botan-2.19.2/src/tests/data/x509/ocsp/mychain_int_ocsp_delegate_responder.pem
   1970-01-01 01:00:00.000000000 +0100
+++ 
new/Botan-2.19.3/src/tests/data/x509/ocsp/mychain_int_ocsp_delegate_responder.pem
   2022-11-16 12:19:19.000000000 +0100
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/Botan-2.19.2/src/tests/data/x509/ocsp/mychain_int_ocsp_delegate_responder_no_ocsp_key_usage.pem
 
new/Botan-2.19.3/src/tests/data/x509/ocsp/mychain_int_ocsp_delegate_responder_no_ocsp_key_usage.pem
--- 
old/Botan-2.19.2/src/tests/data/x509/ocsp/mychain_int_ocsp_delegate_responder_no_ocsp_key_usage.pem
 1970-01-01 01:00:00.000000000 +0100
+++ 
new/Botan-2.19.3/src/tests/data/x509/ocsp/mychain_int_ocsp_delegate_responder_no_ocsp_key_usage.pem
 2022-11-16 12:19:19.000000000 +0100
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
Binary files old/Botan-2.19.2/src/tests/data/x509/ocsp/mychain_ocsp_for_ee.der 
and new/Botan-2.19.3/src/tests/data/x509/ocsp/mychain_ocsp_for_ee.der differ
Binary files 
old/Botan-2.19.2/src/tests/data/x509/ocsp/mychain_ocsp_for_ee_delegate_signed.der
 and 
new/Botan-2.19.3/src/tests/data/x509/ocsp/mychain_ocsp_for_ee_delegate_signed.der
 differ
Binary files 
old/Botan-2.19.2/src/tests/data/x509/ocsp/mychain_ocsp_for_ee_delegate_signed_malformed.der
 and 
new/Botan-2.19.3/src/tests/data/x509/ocsp/mychain_ocsp_for_ee_delegate_signed_malformed.der
 differ
Binary files 
old/Botan-2.19.2/src/tests/data/x509/ocsp/mychain_ocsp_for_ee_root_signed.der 
and 
new/Botan-2.19.3/src/tests/data/x509/ocsp/mychain_ocsp_for_ee_root_signed.der 
differ
Binary files 
old/Botan-2.19.2/src/tests/data/x509/ocsp/mychain_ocsp_for_int_self_signed.der 
and 
new/Botan-2.19.3/src/tests/data/x509/ocsp/mychain_ocsp_for_int_self_signed.der 
differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/Botan-2.19.2/src/tests/data/x509/ocsp/mychain_root.pem 
new/Botan-2.19.3/src/tests/data/x509/ocsp/mychain_root.pem
--- old/Botan-2.19.2/src/tests/data/x509/ocsp/mychain_root.pem  1970-01-01 
01:00:00.000000000 +0100
+++ new/Botan-2.19.3/src/tests/data/x509/ocsp/mychain_root.pem  2022-11-16 
12:19:19.000000000 +0100
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/Botan-2.19.2/src/tests/data/x509/ocsp/randombit_ocsp_forged_responder.pem 
new/Botan-2.19.3/src/tests/data/x509/ocsp/randombit_ocsp_forged_responder.pem
--- 
old/Botan-2.19.2/src/tests/data/x509/ocsp/randombit_ocsp_forged_responder.pem   
    1970-01-01 01:00:00.000000000 +0100
+++ 
new/Botan-2.19.3/src/tests/data/x509/ocsp/randombit_ocsp_forged_responder.pem   
    2022-11-16 12:19:19.000000000 +0100
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
Binary files 
old/Botan-2.19.2/src/tests/data/x509/ocsp/randombit_ocsp_forged_revoked.der and 
new/Botan-2.19.3/src/tests/data/x509/ocsp/randombit_ocsp_forged_revoked.der 
differ
Binary files 
old/Botan-2.19.2/src/tests/data/x509/ocsp/randombit_ocsp_forged_valid.der and 
new/Botan-2.19.3/src/tests/data/x509/ocsp/randombit_ocsp_forged_valid.der differ
Binary files 
old/Botan-2.19.2/src/tests/data/x509/ocsp/randombit_ocsp_forged_valid_nocerts.der
 and 
new/Botan-2.19.3/src/tests/data/x509/ocsp/randombit_ocsp_forged_valid_nocerts.der
 differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/Botan-2.19.2/src/tests/test_x509_path.cpp 
new/Botan-2.19.3/src/tests/test_x509_path.cpp
--- old/Botan-2.19.2/src/tests/test_x509_path.cpp       2022-06-03 
19:29:40.000000000 +0200
+++ new/Botan-2.19.3/src/tests/test_x509_path.cpp       2022-11-16 
12:19:19.000000000 +0100
@@ -1076,12 +1076,126 @@
          return result;
          }
 
+      Test::Result validate_with_ocsp_with_authorized_responder()
+         {
+         Test::Result result("path check with ocsp response from authorized 
responder certificate");
+         Botan::Certificate_Store_In_Memory trusted;
+
+         auto restrictions = Botan::Path_Validation_Restrictions(true,  // 
require revocation info
+                                                                 110,   // 
minimum key strength
+                                                                 true); // 
OCSP for all intermediates
+
+         auto ee = load_test_X509_cert("x509/ocsp/bdr.pem");
+         auto ca = load_test_X509_cert("x509/ocsp/bdr-int.pem");
+         auto trust_root = load_test_X509_cert("x509/ocsp/bdr-root.pem");
+
+         // These OCSP responses are signed by an authorized OCSP responder
+         // certificate issued by `ca` and `trust_root` respectively. Note that
+         // the responder certificates contain the "OCSP No Check" extension,
+         // meaning that they themselves do not need a revocation check via 
OCSP.
+         auto ocsp_ee = load_test_OCSP_resp("x509/ocsp/bdr-ocsp-resp.der");
+         auto ocsp_ca = load_test_OCSP_resp("x509/ocsp/bdr-int-ocsp-resp.der");
+
+         trusted.add_certificate(trust_root);
+         const std::vector<Botan::X509_Certificate> cert_path = { ee, ca, 
trust_root };
+
+         auto check_path = [&](const std::chrono::system_clock::time_point 
valid_time,
+                               const Botan::Certificate_Status_Code expected)
+            {
+            const auto path_result = Botan::x509_path_validate(cert_path, 
restrictions, trusted, "", Botan::Usage_Type::UNSPECIFIED,
+                                     valid_time, std::chrono::milliseconds(0), 
{ocsp_ee, ocsp_ca});
+
+            return result.confirm(std::string("Status: '") + 
Botan::to_string(expected)
+                                  + "' should match '" + 
Botan::to_string(path_result.result()) + "'",
+                                  path_result.result()==expected);
+            };
+
+         check_path(Botan::calendar_point(2022, 9, 18, 16, 30, 
0).to_std_timepoint(),
+                    Botan::Certificate_Status_Code::OCSP_NOT_YET_VALID);
+         check_path(Botan::calendar_point(2022, 9, 19, 16, 30, 
0).to_std_timepoint(),
+                    Botan::Certificate_Status_Code::OK);
+         check_path(Botan::calendar_point(2022, 9, 20, 16, 30, 
0).to_std_timepoint(),
+                    Botan::Certificate_Status_Code::OCSP_HAS_EXPIRED);
+
+         return result;
+         }
+
+      Test::Result validate_with_forged_ocsp_using_self_signed_cert()
+         {
+         Test::Result result("path check with forged ocsp using self-signed 
certificate (CVE-2022-43705)");
+         Botan::Certificate_Store_In_Memory trusted;
+
+         auto restrictions = Botan::Path_Validation_Restrictions(true,   // 
require revocation info
+                                                                 110,    // 
minimum key strength
+                                                                 false); // 
OCSP for all intermediates
+
+         auto ee = load_test_X509_cert("x509/ocsp/randombit.pem");
+         auto ca = load_test_X509_cert("x509/ocsp/letsencrypt.pem");
+         auto trust_root = load_test_X509_cert("x509/ocsp/identrust.pem");
+         trusted.add_certificate(trust_root);
+
+         const std::vector<Botan::X509_Certificate> cert_path = { ee, ca, 
trust_root };
+
+         auto check_path = [&](const std::string &forged_ocsp,
+                               const Botan::Certificate_Status_Code expected)
+            {
+               auto ocsp = load_test_OCSP_resp(forged_ocsp);
+               const auto path_result = Botan::x509_path_validate(cert_path, 
restrictions, trusted, "", Botan::Usage_Type::UNSPECIFIED,
+                                        Botan::calendar_point(2016, 11, 18, 
12, 30, 0).to_std_timepoint(), std::chrono::milliseconds(0), {ocsp});
+
+               result.confirm(std::string("Path validation with forged OCSP 
response should fail with '") + Botan::to_string(expected) + "'",
+                              path_result.result() == expected);
+               result.test_note(std::string("Failed with: ") + 
Botan::to_string(path_result.result()));
+            };
+
+         // In both cases the path validation should detect the forged OCSP
+         // response and generate an appropriate error. By no means it should
+         // follow the unauthentic OCSP response.
+         check_path("x509/ocsp/randombit_ocsp_forged_valid.der", 
Botan::Certificate_Status_Code::OCSP_ISSUER_NOT_FOUND);
+         check_path("x509/ocsp/randombit_ocsp_forged_revoked.der", 
Botan::Certificate_Status_Code::OCSP_ISSUER_NOT_FOUND);
+
+         return result;
+         }
+
+      Test::Result validate_with_ocsp_self_signed_by_intermediate_cert()
+         {
+         Test::Result result("path check with ocsp response for intermediate 
that is (maliciously) self-signed by the intermediate");
+         Botan::Certificate_Store_In_Memory trusted;
+
+         auto restrictions = Botan::Path_Validation_Restrictions(true,  // 
require revocation info
+                                                                 110,   // 
minimum key strength
+                                                                 true); // 
OCSP for all intermediates
+
+         auto ee = load_test_X509_cert("x509/ocsp/mychain_ee.pem");
+         auto ca = load_test_X509_cert("x509/ocsp/mychain_int.pem");
+         auto trust_root = load_test_X509_cert("x509/ocsp/mychain_root.pem");
+
+         // this OCSP response for EE is valid (signed by intermediate cert)
+         auto ocsp_ee = 
load_test_OCSP_resp("x509/ocsp/mychain_ocsp_for_ee.der");
+
+         // this OCSP response for Intermediate is malicious (signed by 
intermediate itself)
+         auto ocsp_ca = 
load_test_OCSP_resp("x509/ocsp/mychain_ocsp_for_int_self_signed.der");
+
+         trusted.add_certificate(trust_root);
+         const std::vector<Botan::X509_Certificate> cert_path = { ee, ca, 
trust_root };
+
+         const auto path_result = Botan::x509_path_validate(cert_path, 
restrictions, trusted, "", Botan::Usage_Type::UNSPECIFIED,
+                                  Botan::calendar_point(2022, 9, 22, 22, 30, 
0).to_std_timepoint(), std::chrono::milliseconds(0), {ocsp_ee, ocsp_ca});
+         result.confirm("should reject intermediate OCSP response", 
path_result.result() == Botan::Certificate_Status_Code::OCSP_ISSUER_NOT_FOUND);
+         result.test_note(std::string("Failed with: ") + 
Botan::to_string(path_result.result()));
+
+         return result;
+         }
+
       std::vector<Test::Result> run() override
          {
          return  {validate_with_ocsp_with_next_update_without_max_age(),
                   validate_with_ocsp_with_next_update_with_max_age(),
                   validate_with_ocsp_without_next_update_without_max_age(),
-                  validate_with_ocsp_without_next_update_with_max_age()};
+                  validate_with_ocsp_without_next_update_with_max_age(),
+                  validate_with_ocsp_with_authorized_responder(),
+                  validate_with_forged_ocsp_using_self_signed_cert(),
+                  validate_with_ocsp_self_signed_by_intermediate_cert()};
          }
 
    };
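Review bot: The three added tests only assert OK, the OCSP time-window codes and OCSP_ISSUER_NOT_FOUND; nothing in this hunk exercises the OCSP_RESPONSE_MISSING_KEYUSAGE or OCSP_SIGNATURE_ERROR returns introduced in ocsp.cpp. The diff adds fixtures that look intended for those paths (mychain_int_ocsp_delegate_responder_no_ocsp_key_usage.pem, mychain_ocsp_for_ee_delegate_signed.der, mychain_ocsp_for_ee_delegate_signed_malformed.der, mychain_ocsp_for_ee_root_signed.der, randombit_ocsp_forged_valid_nocerts.der), but none of them is loaded here. Add cases that use them, or point to the test file that does. In validate_with_ocsp_with_authorized_responder the check_path lambda returns result.confirm(...) and every caller discards the value, so it can return void like the lambda in the forged-response test. The comment "By no means it should follow the unauthentic OCSP response" would read better as "Under no circumstances should it accept the forged OCSP response."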