Script 'mail_helper' called by obssrc

Hello community,

here is the log from the commit of package Botan for openSUSE:Factory checked in at 2022-11-18 15:43:37

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/Botan (Old)
 and      /work/SRC/openSUSE:Factory/.Botan.new.1597 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "Botan" Fri Nov 18 15:43:37 2022 rev:63 rq:1036531 version:2.19.3 Changes: -------- --- /work/SRC/openSUSE:Factory/Botan/Botan.changes 2022-06-13 13:03:32.369200595 +0200 +++ /work/SRC/openSUSE:Factory/.Botan.new.1597/Botan.changes 2022-11-18 15:44:10.262730243 +0100 @@ -1,0 +2,9 @@ +Thu Nov 17 21:26:01 UTC 2022 - Jason Sikes <jsi...@suse.com> + +- Update to 2.19.3: + * validate that an embedded certificate was issued by the end-entity + issuing certificate authority when checking OCSP responses. + * CVE-2022-43705 + * bsc#1205509 + +------------------------------------------------------------------- Old: ---- Botan-2.19.2.tar.xz Botan-2.19.2.tar.xz.asc New: ---- Botan-2.19.3.tar.xz Botan-2.19.3.tar.xz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ Botan.spec ++++++ --- /var/tmp/diff_new_pack.E7ATnN/_old 2022-11-18 15:44:10.866732897 +0100 +++ /var/tmp/diff_new_pack.E7ATnN/_new 2022-11-18 15:44:10.870732914 +0100 @@ -20,7 +20,7 @@ %define version_suffix 2-19 %define short_version 2 Name: Botan -Version: 2.19.2 +Version: 2.19.3 Release: 0 Summary: A C++ Crypto Library License: BSD-2-Clause ++++++ Botan-2.19.2.tar.xz -> Botan-2.19.3.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Botan-2.19.2/doc/security.rst new/Botan-2.19.3/doc/security.rst --- old/Botan-2.19.2/doc/security.rst 2022-06-03 19:29:40.000000000 +0200 +++ new/Botan-2.19.3/doc/security.rst 2022-11-16 12:19:19.000000000 +0100 
@@ -15,6 +15,30 @@ This key can be found in the file ``doc/pgpkey.txt`` or online at https://keybase.io/jacklloyd and on most PGP keyservers. +2022 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* 2022-11-16: Failure to correctly check OCSP responder embedded certificate + + OCSP responses for some end entity are either signed by the issuing CA certificate of + the PKI, or an OCSP responder certificate that the PKI authorized to sign responses in + their name. In the latter case, the responder certificate (and its validation path + certificate) may be embedded into the OCSP response and clients must verify that such + certificates are indeed authorized by the CA when validating OCSP responses. + + The OCSP implementation failed to verify that an authorized responder certificate + embedded in an OCSP response is authorized by the issuing CA. As a result, any valid + signature by an embedded certificate passed the check and was allowed to make claims + about the revocation status of certificates of any CA. + + Attackers that are in a position to spoof OCSP responses for a client could therefore + render legitimate certificates of a 3rd party CA as revoked or even use a compromised + (and actually revoked) certificate by spoofing an OCSP-"OK" response. E.g. an attacker + could exploit this to impersonate a legitimate TLS server using a compromised + certificate of that host and get around the revocation check using OCSP stapling. + + Introduced in 1.11.34, fixed in 2.19.3 + 2020 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Botan-2.19.2/news.rst new/Botan-2.19.3/news.rst --- old/Botan-2.19.2/news.rst 2022-06-03 19:29:40.000000000 +0200 +++ new/Botan-2.19.3/news.rst 2022-11-16 12:19:19.000000000 +0100 
@@ -1,7 +1,14 @@ Release Notes ======================================== -Version 2.19.2, Not Yet Released +Version 2.19.3, 2022-11-16 +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +* CVE-2022-43705: A malicious OCSP responder could forge OCSP + responses due to a failure to validate that an embedded certificate + was issued by the end-entity issuing certificate authority. + +Version 2.19.2, 2022-06-03 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ * Add support for parallel computation in Argon2 (GH #2937 #2926) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Botan-2.19.2/readme.rst new/Botan-2.19.3/readme.rst --- old/Botan-2.19.2/readme.rst 2022-06-03 19:29:40.000000000 +0200 +++ new/Botan-2.19.3/readme.rst 2022-11-16 12:19:19.000000000 +0100 @@ -27,9 +27,9 @@ <https://botan.randombit.net/security.html>`_ for contact information. The latest release is -`2.19.2 <https://botan.randombit.net/releases/Botan-2.19.2.tar.xz>`_ -`(sig) <https://botan.randombit.net/releases/Botan-2.19.2.tar.xz.asc>`_, -released on 2022-06-03. +`2.19.3 <https://botan.randombit.net/releases/Botan-2.19.3.tar.xz>`_ +`(sig) <https://botan.randombit.net/releases/Botan-2.19.3.tar.xz.asc>`_, +released on 2022-11-16. All releases are signed with a `PGP key <https://botan.randombit.net/pgpkey.txt>`_. See the `release notes <https://botan.randombit.net/news.html>`_ for what is new. Botan is also available through most diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Botan-2.19.2/src/build-data/version.txt new/Botan-2.19.3/src/build-data/version.txt --- old/Botan-2.19.2/src/build-data/version.txt 2022-06-03 19:29:40.000000000 +0200 +++ new/Botan-2.19.3/src/build-data/version.txt 2022-11-16 12:19:19.000000000 +0100 
@@ -1,11 +1,11 @@ release_major = 2 release_minor = 19 -release_patch = 2 +release_patch = 3 release_suffix = '' release_so_abi_rev = 19 # These are set by the distribution script -release_vc_rev = 'git:a85eaffe863a401ba312be5e1403bca80e70221e' -release_datestamp = 20220603 +release_vc_rev = 'git:15dc32f12d05e99a267f0fc47d88b678b71b8b05' +release_datestamp = 20221116 release_type = 'release' diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Botan-2.19.2/src/lib/x509/certstor.h new/Botan-2.19.3/src/lib/x509/certstor.h --- old/Botan-2.19.2/src/lib/x509/certstor.h 2022-06-03 19:29:40.000000000 +0200 +++ new/Botan-2.19.3/src/lib/x509/certstor.h 2022-11-16 12:19:19.000000000 +0100 @@ -96,6 +96,12 @@ explicit Certificate_Store_In_Memory(const X509_Certificate& cert); /** + * Adds given certificate list to the store. + */ + explicit Certificate_Store_In_Memory(std::vector<std::shared_ptr<const X509_Certificate>> certs) + : m_certs(std::move(certs)) {} + + /** * Create an empty store. */ Certificate_Store_In_Memory() = default; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Botan-2.19.2/src/lib/x509/ocsp.cpp new/Botan-2.19.3/src/lib/x509/ocsp.cpp --- old/Botan-2.19.2/src/lib/x509/ocsp.cpp 2022-06-03 19:29:40.000000000 +0200 +++ new/Botan-2.19.3/src/lib/x509/ocsp.cpp 2022-11-16 12:19:19.000000000 +0100 @@ -241,7 +241,6 @@ { for(size_t i = 0; i < m_certs.size(); ++i) { - // Check all CA certificates in the (assumed validated) EE cert path if(!m_signer_name.empty() && m_certs[i].subject_dn() == m_signer_name) { signing_cert = std::make_shared<const X509_Certificate>(m_certs[i]); 
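Review bot: the comment dropped in the ocsp.cpp hunk at @@ -241,7 +241,6 @@ was misleading rather than redundant: the loop it sat in iterates `m_certs`, the certificates embedded in the OCSP response, not the "(assumed validated) EE cert path", and nothing at that point had validated them. Rather than leaving the loop uncommented, replace it with a line that states what is actually being searched, e.g. `// Look for the responder certificate among the certificates embedded in the response`.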
@@ -254,6 +253,73 @@ break; } } + + // RFC 6960 4.2.2.2 + // OCSP signing delegation SHALL be designated by the inclusion of + // id-kp-OCSPSigning in an extended key usage certificate extension + // included in the OCSP response signer's certificate. This certificate + // MUST be issued directly by the CA that is identified in the request. + // + // The CA SHOULD use the same issuing key to issue a delegation + // certificate as that used to sign the certificate being checked for + // revocation. Systems relying on OCSP responses MUST recognize a + // delegation certificate as being issued by the CA that issued the + // certificate in question only if the delegation certificate and the + // certificate being checked for revocation were signed by the same key. + // + // I.e. it is safe to assume that the certificate's issuer also signed the + // responder's certificate. + // + // Note: The 'SHOULD' in the second paragraph above allows for backward + // compatibility to RFC 2560 that is "strongly discouraged". This + // implementation explicitly _does not_ implement this backward + // compatibility. + if(signing_cert) + { + const auto issuer = + Certificate_Store_In_Memory(ee_cert_path) + .find_cert(signing_cert->issuer_dn(), signing_cert->authority_key_id()); + + // User did not provide the certificate path to verify the delegation + if(!issuer) + { + return Certificate_Status_Code::OCSP_ISSUER_NOT_FOUND; + } + + if(!issuer->is_CA_cert()) + { + return Certificate_Status_Code::OCSP_ISSUER_NOT_FOUND; + } + + // Sub-optimal fix for CVE-2022-43705 found in Botan 2.19.2 and older. + // + // This certificate validation is incomplete. Missing checks: + // * validity check against the reference time + // * revocation status check of the responder certificate + // * certificate extension validations + // * ... 
potentially more + // + // A more comprehensive validation will be introduced with Botan 3.0 + try + { + const auto issuer_pubkey = issuer->load_subject_public_key(); + const auto sig = signing_cert->verify_signature(*issuer_pubkey); + + if(sig != Certificate_Status_Code::VERIFIED) + { + return Certificate_Status_Code::OCSP_SIGNATURE_ERROR; + } + + if(!signing_cert->has_ex_constraint(OID::from_string("PKIX.OCSPSigning"))) + { + return Certificate_Status_Code::OCSP_RESPONSE_MISSING_KEYUSAGE; + } + } + catch(const Exception& ex) + { + return Certificate_Status_Code::OCSP_SIGNATURE_ERROR; + } + } } if(!signing_cert) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Botan-2.19.2/src/lib/x509/x509path.cpp new/Botan-2.19.3/src/lib/x509/x509path.cpp --- old/Botan-2.19.2/src/lib/x509/x509path.cpp 2022-06-03 19:29:40.000000000 +0200 +++ new/Botan-2.19.3/src/lib/x509/x509path.cpp 2022-11-16 12:19:19.000000000 +0100 
@@ -234,7 +234,11 @@ { try { - Certificate_Status_Code ocsp_signature_status = ocsp_responses.at(i)->check_signature(trusted_certstores, cert_path); + // When verifying intermediate certificates we need to truncate the + // cert_path so that the intermediate under investigation becomes the + // last certificate in the chain. + std::vector<std::shared_ptr<const X509_Certificate>> ocsp_cert_path(cert_path.begin() + i, cert_path.end()); + Certificate_Status_Code ocsp_signature_status = ocsp_responses.at(i)->check_signature(trusted_certstores, ocsp_cert_path); if(ocsp_signature_status == Certificate_Status_Code::OCSP_SIGNATURE_OK) { Binary files old/Botan-2.19.2/src/tests/data/x509/ocsp/bdr-int-ocsp-resp.der and new/Botan-2.19.3/src/tests/data/x509/ocsp/bdr-int-ocsp-resp.der differ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Botan-2.19.2/src/tests/data/x509/ocsp/bdr-int.pem new/Botan-2.19.3/src/tests/data/x509/ocsp/bdr-int.pem --- old/Botan-2.19.2/src/tests/data/x509/ocsp/bdr-int.pem 1970-01-01 01:00:00.000000000 +0100 +++ new/Botan-2.19.3/src/tests/data/x509/ocsp/bdr-int.pem 2022-11-16 12:19:19.000000000 +0100 
@@ -0,0 +1,35 @@ +-----BEGIN CERTIFICATE----- +MIIGHzCCBQegAwIBAgIDD+SOMA0GCSqGSIb3DQEBCwUAMFAxCzAJBgNVBAYTAkRF +MRUwEwYDVQQKDAxELVRydXN0IEdtYkgxKjAoBgNVBAMMIUQtVFJVU1QgUm9vdCBD +bGFzcyAzIENBIDIgRVYgMjAwOTAeFw0xNjExMTYwOTQ2MTlaFw0yOTExMDUwODUw +NDZaMF4xCzAJBgNVBAYTAkRFMRUwEwYDVQQKEwxELVRydXN0IEdtYkgxHzAdBgNV +BAMTFkQtVFJVU1QgQ0EgMi0yIEVWIDIwMTYxFzAVBgNVBGETDk5UUkRFLUhSQjc0 +MzQ2MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4PbGGVT4nCH+CzaZ +kZDWqXWiXbBu3UEpSPBmAKDepwkoc7b13vVlRrvehBm11yUNzaN7thsqB+VXEyF4 +OuxkCJkZRCJUfrS1zdnZXptf361oahCX+ch2E4Hdedeet45mypwKsD7FqSdz01KY +o6wFQMnnZsRQtamilglAgT03iTUf+Yn8a5msV7fscpfkLUGCtjeM2eWgfZ2I0pqi +m3DYrQU5/8in6DtZLrIAgZpnQsgJiB3glx0YcBXs5YZR9bfhOP71nLvM+9vkxNR4 +V90SOnwEzCbj5VforuNgP0sptC2TSPiqNG9sgdySBobz9aO5ryqG21GXMcfFp0vC +z2kxrwIDAQABo4IC8jCCAu4wHwYDVR0jBBgwFoAU05SKTGITKhkuzK9yin0215oc +3GcwggElBggrBgEFBQcBAQSCARcwggETMDcGCCsGAQUFBzABhitodHRwOi8vcm9v +dC1jMy1jYTItZXYtMjAwOS5vY3NwLmQtdHJ1c3QubmV0MFAGCCsGAQUFBzAChkRo +dHRwOi8vd3d3LmQtdHJ1c3QubmV0L2NnaS1iaW4vRC1UUlVTVF9Sb290X0NsYXNz +XzNfQ0FfMl9FVl8yMDA5LmNydDCBhQYIKwYBBQUHMAKGeWxkYXA6Ly9kaXJlY3Rv +cnkuZC10cnVzdC5uZXQvQ049RC1UUlVTVCUyMFJvb3QlMjBDbGFzcyUyMDMlMjBD +QSUyMDIlMjBFViUyMDIwMDksTz1ELVRydXN0JTIwR21iSCxDPURFP2NBQ2VydGlm +aWNhdGU/YmFzZT8wfwYDVR0gBHgwdjAJBgcEAIvsQAEEMA0GCysGAQQBpTQCgRYE +MFoGCysGAQQBpTQCgUoBMEswSQYIKwYBBQUHAgEWPWh0dHA6Ly93d3cuZC10cnVz +dC5uZXQvaW50ZXJuZXQvZmlsZXMvRC1UUlVTVF9DU01fUEtJX0NQUy5wZGYwgd0G +A1UdHwSB1TCB0jCBh6CBhKCBgYZ/bGRhcDovL2RpcmVjdG9yeS5kLXRydXN0Lm5l +dC9DTj1ELVRSVVNUJTIwUm9vdCUyMENsYXNzJTIwMyUyMENBJTIwMiUyMEVWJTIw +MjAwOSxPPUQtVHJ1c3QlMjBHbWJILEM9REU/Y2VydGlmaWNhdGVyZXZvY2F0aW9u +bGlzdDBGoESgQoZAaHR0cDovL2NybC5kLXRydXN0Lm5ldC9jcmwvZC10cnVzdF9y +b290X2NsYXNzXzNfY2FfMl9ldl8yMDA5LmNybDAdBgNVHQ4EFgQUIa9qJphx6SYK +1duhjPfbpp2lJVwwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAw +DQYJKoZIhvcNAQELBQADggEBAEITrEZFU4bOy+274S2THOe9lewgYy+5OYh/Wr7Q +WzRi/bMU6GRtag9fCnIsXon3+2wKGL22JgjI+WnZa5TRiazUOdtOjCEuwxXXMYH/ 
+PaBBb/BXmfGlEHGHL/ljNQauOrsfIQXXDYTfZk9jwLQgPmF54Ulm6oLsUrvYp1nq +4jSAyWOY+mcxFlGgZPt5jdL1DSkzdLtdWfGs+1USqmx/IBZLfCwavdk0Dm5fwQSG +iI+av54kU0E4ziDEOJ25rfiOBGqjh+4NFegAaQlTeVp1zOCjtKCf9YWDS8BgJT+O +Ri2UKV/O8WaWZ3qRLuVavpng14sx4oa8FLM9sKBWvI+H5XU= +-----END CERTIFICATE----- Binary files old/Botan-2.19.2/src/tests/data/x509/ocsp/bdr-ocsp-resp.der and new/Botan-2.19.3/src/tests/data/x509/ocsp/bdr-ocsp-resp.der differ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Botan-2.19.2/src/tests/data/x509/ocsp/bdr-root.pem new/Botan-2.19.3/src/tests/data/x509/ocsp/bdr-root.pem --- old/Botan-2.19.2/src/tests/data/x509/ocsp/bdr-root.pem 1970-01-01 01:00:00.000000000 +0100 +++ new/Botan-2.19.3/src/tests/data/x509/ocsp/bdr-root.pem 2022-11-16 12:19:19.000000000 +0100 
@@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEQzCCAyugAwIBAgIDCYP0MA0GCSqGSIb3DQEBCwUAMFAxCzAJBgNVBAYTAkRF +MRUwEwYDVQQKDAxELVRydXN0IEdtYkgxKjAoBgNVBAMMIUQtVFJVU1QgUm9vdCBD +bGFzcyAzIENBIDIgRVYgMjAwOTAeFw0wOTExMDUwODUwNDZaFw0yOTExMDUwODUw +NDZaMFAxCzAJBgNVBAYTAkRFMRUwEwYDVQQKDAxELVRydXN0IEdtYkgxKjAoBgNV +BAMMIUQtVFJVU1QgUm9vdCBDbGFzcyAzIENBIDIgRVYgMjAwOTCCASIwDQYJKoZI +hvcNAQEBBQADggEPADCCAQoCggEBAJnxhDRwui+3MKCOvXwEz75ivJn9gpfSegpn +ljgJ9hBOlSJzmY3aFS3nBfwZcyK3jpgAvDw9rKFs+9Z5JUut8Mxk2og+KbgPCdM0 +3TP1YtHhzRnp7hhPTFiu4h7WDFsVWtg6uMQYZB7jM7K1iXdODL/ZlGsTl28So/6Z +qQTMFexgaDbtCHu39b+T7WYxg4zGcTSHThfqr4uRjRxWQa4iN1438h3Z0S0NL2lR +p75mpoo6Kr3HGrHhFPC+Oh25z1uxav60sUYgovseO3Dvk5h9jHOW8sXvhXCtKSb8 +HgQ+HKDYD8tSg2J87otTlZCpV6LqYQXY+U3EJ/pure3511H3a6UCAwEAAaOCASQw +ggEgMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFNOUikxiEyoZLsyvcop9Ntea +HNxnMA4GA1UdDwEB/wQEAwIBBjCB3QYDVR0fBIHVMIHSMIGHoIGEoIGBhn9sZGFw +Oi8vZGlyZWN0b3J5LmQtdHJ1c3QubmV0L0NOPUQtVFJVU1QlMjBSb290JTIwQ2xh +c3MlMjAzJTIwQ0ElMjAyJTIwRVYlMjAyMDA5LE89RC1UcnVzdCUyMEdtYkgsQz1E +RT9jZXJ0aWZpY2F0ZXJldm9jYXRpb25saXN0MEagRKBChkBodHRwOi8vd3d3LmQt +dHJ1c3QubmV0L2NybC9kLXRydXN0X3Jvb3RfY2xhc3NfM19jYV8yX2V2XzIwMDku +Y3JsMA0GCSqGSIb3DQEBCwUAA4IBAQA07XtaPKSUiO8aEXUHL7P+PPoeUSbrh/Yp +3uDx1MYkCenBz1UbtDDZzhr+BlGmFaQt77JLvyAoJUnRpjZ3NOhk31KxEcdzes05 +nsKtjHEh8lprr988TlWvsoRlFIm5d8sqMb7Po23Pb0iUMkZv53GMoKaEGTcH8gNF +CSuGdXzfX2lXANtu2KZyIktQ1HWYVt+3GP9DQ1CuekR78HlR10M9p9OB0/DJT7na +xpeG0ILD5EJt/rDiZE4OJudANCa1CInXCGNjOCd1HjPqbqjdn5lPdE2BiYBL3ZqX +KVwvvoFBuYz/6n1gBp7N1z3TLqMVvKjmJuVvw9y4AyHqnxbxLFS1 +-----END CERTIFICATE----- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Botan-2.19.2/src/tests/data/x509/ocsp/bdr.pem new/Botan-2.19.3/src/tests/data/x509/ocsp/bdr.pem --- old/Botan-2.19.2/src/tests/data/x509/ocsp/bdr.pem 1970-01-01 01:00:00.000000000 +0100 +++ new/Botan-2.19.3/src/tests/data/x509/ocsp/bdr.pem 2022-11-16 12:19:19.000000000 +0100 
@@ -0,0 +1,80 @@ +-----BEGIN CERTIFICATE----- +MIIOhDCCDWygAwIBAgIQR2P0PtEycYOZmkQw8teHNzANBgkqhkiG9w0BAQsFADBe +MQswCQYDVQQGEwJERTEVMBMGA1UEChMMRC1UcnVzdCBHbWJIMR8wHQYDVQQDExZE +LVRSVVNUIENBIDItMiBFViAyMDE2MRcwFQYDVQRhEw5OVFJERS1IUkI3NDM0NjAe +Fw0yMjAzMjUwODE1NDVaFw0yMzAzMjgwNzE1NDVaMIIBIjELMAkGA1UEBhMCREUx +HTAbBgNVBAoTFEJ1bmRlc2RydWNrZXJlaSBHbWJIMQswCQYDVQQLEwJJVDEbMBkG +A1UEAxMSYnVuZGVzZHJ1Y2tlcmVpLmRlMQ8wDQYDVQQHEwZCZXJsaW4xEzARBgsr +BgEEAYI3PAIBAxMCREUxDjAMBgNVBBEMBTEwOTY5MR0wGwYDVQQPDBRQcml2YXRl +IE9yZ2FuaXphdGlvbjEcMBoGA1UECRMTS29tbWFuZGFudGVuc3RyLiAxODEUMBIG +A1UEBRMLSFJCIDcwNzY0IEIxFzAVBgsrBgEEAYI3PAIBAQwGQmVybGluMRcwFQYL +KwYBBAGCNzwCAQIMBkJlcmxpbjEPMA0GA1UECBMGQmVybGluMIICIjANBgkqhkiG +9w0BAQEFAAOCAg8AMIICCgKCAgEA3B1Rp2V3DQSrr57KSDLsZ6mUJ0Y9LWhcLvTo +b84DN1Y/U9ZCyGGJ2hYiDnwPpcIHFfp1v+jUaiE8Km4VA6tkG8o6Y5w2BMM9Ej20 +z2kwOtVdSh1wdC9zinmuGwjshmw2eSvr1C77y3jN6P1qDyjACdAQ6SM8hKV5JxFz +g0+UAN0lO51C9v61EXjteByo6ikDEGnjFc+fC5kQGGJGRy4+I1vfgIsYri1LhGOS +86xH9o4RejCiM5Az4wfMgzobmeizsugAljxXcwMpVM8jA/rzUyRUqAwjsIcC4qFt +K1tj7vQy9bpUN3xWc6VDvZjFOat/z551I6JM6kPshN5DoW6O0s3H7BoxSx0N69UA ++zb/Fefk/oy6BR4jwwvJboHjaOpliZUC/2uXOd2pp4/MCyhILz2ikRr6EMD7qCDd +9QFabRFjKe1GzKs0Uh6ewlrX1IHs4REmmf6f5+gCeBWGrwGAWhm69Pdbv2NgfS4t +OYob8Z2APvr+QsVsuwch7bcX99wp67gaw1Cgtsz4iAKLw73Aza6dJxoH6cC5x6PD +Fkpoo6sXYNVovVBPVDuq5Wnd+qvSBsjzlzILUQCfuVn+CcttYzFKMMX2LHvSSRhB +A64iOouMS/sWGvdamvqrlzUpKoeIpJhPit0D23xNq48LpEaHs3CZFsvung29Z9Vg +8flG6h0CAwEAAaOCCXYwgglyMIIBKwYDVR0RBIIBIjCCAR6CBmJkci5kZYIed3d3 +LnN1cHBvcnQuYnVuZGVzZHJ1Y2tlcmVpLmRlgg53d3cuc2lnbi1tZS5kZYIWd3d3 +LmJ1bmRlc2RydWNrZXJlaS5kZYIXd3d3LmJ1bmRlc2RydWNrZXJlaS5jb22CCnd3 +dy5iZHIuZGWCGnN1cHBvcnQuYnVuZGVzZHJ1Y2tlcmVpLmRlggpzaWduLW1lLmRl +ghpzZXJ2aWNlLmJ1bmRlc2RydWNrZXJlaS5kZYIdaW50ZXJha3Rpdi5idW5kZXNk +cnVja2VyZWkuZGWCG2hlbHBkZXNrLmJ1bmRlc2RydWNrZXJlaS5kZYISYnVuZGVz +ZHJ1Y2tlcmVpLmRlghNidW5kZXNkcnVja2VyZWkuY29tMB0GA1UdDgQWBBShj278 +UTgPVPGLerrSzyQ18D831TAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw 
+DgYDVR0PAQH/BAQDAgWgMIIBCQYIKwYBBQUHAQEEgfwwgfkwOgYIKwYBBQUHMAGG +Lmh0dHA6Ly9kLXRydXN0LWNhLTItMi1ldi0yMDE2Lm9jc3AuZC10cnVzdC5uZXQw +RQYIKwYBBQUHMAKGOWh0dHA6Ly93d3cuZC10cnVzdC5uZXQvY2dpLWJpbi9ELVRS +VVNUX0NBXzItMl9FVl8yMDE2LmNydDB0BggrBgEFBQcwAoZobGRhcDovL2RpcmVj +dG9yeS5kLXRydXN0Lm5ldC9DTj1ELVRSVVNUJTIwQ0ElMjAyLTIlMjBFViUyMDIw +MTYsTz1ELVRydXN0JTIwR21iSCxDPURFP2NBQ2VydGlmaWNhdGU/YmFzZT8wgfsG +A1UdHwSB8zCB8DCB7aCB6qCB54ZubGRhcDovL2RpcmVjdG9yeS5kLXRydXN0Lm5l +dC9DTj1ELVRSVVNUJTIwQ0ElMjAyLTIlMjBFViUyMDIwMTYsTz1ELVRydXN0JTIw +R21iSCxDPURFP2NlcnRpZmljYXRlcmV2b2NhdGlvbmxpc3SGNWh0dHA6Ly9jcmwu +ZC10cnVzdC5uZXQvY3JsL2QtdHJ1c3RfY2FfMi0yX2V2XzIwMTYuY3Jshj5odHRw +Oi8vY2RuLmQtdHJ1c3QtY2xvdWRjcmwubmV0L2NybC9kLXRydXN0X2NhXzItMl9l +dl8yMDE2LmNybDCB5wYIKwYBBQUHAQMEgdowgdcwCAYGBACORgEBMIG1BgYEAI5G +AQUwgaowUxZNaHR0cDovL3d3dy5kLXRydXN0Lm5ldC9pbnRlcm5ldC9maWxlcy9E +LVRSVVNUX1BLSV9EaXNjbG9zdXJlX1N0YXRlbWVudF9kZS5wZGYTAmRlMFMWTWh0 +dHA6Ly93d3cuZC10cnVzdC5uZXQvaW50ZXJuZXQvZmlsZXMvRC1UUlVTVF9QS0lf +RGlzY2xvc3VyZV9TdGF0ZW1lbnRfZW4ucGRmEwJlbjATBgYEAI5GAQYwCQYHBACO +RgEGAzCBiQYDVR0gBIGBMH8wCQYHBACL7EABBDAHBgVngQwBATANBgsrBgEEAaU0 +AoEWBDBaBgsrBgEEAaU0AoFKATBLMEkGCCsGAQUFBwIBFj1odHRwOi8vd3d3LmQt +dHJ1c3QubmV0L2ludGVybmV0L2ZpbGVzL0QtVFJVU1RfQ1NNX1BLSV9DUFMucGRm +MB8GA1UdIwQYMBaAFCGvaiaYcekmCtXboYz326adpSVcMIIETwYKKwYBBAHWeQIE +AgSCBD8EggQ7BDkAdwCt9776fP8QyIudPZwePhhqtGcpXc+xDCTKhYY069yCigAA +AX/AJVyRAAAEAwBIMEYCIQDHYr2J0KhX9Qw2DZcpukdrMtTPrSkQTG3WQ+9TJbfv +fAIhAIsgHLLnR3DBqqikp7qjOg2ge3rhLKae4EcfJ5OYH3bzAHcAs3N3B+GEUPhj +htYFqdwRCUp5LbFnDAuH3PADDnk2pZoAAAF/wCVdigAABAMASDBGAiEAv5hGLqwU +NARYcml1ScV/JumKME8Gh/+KFLd76xi69cICIQC5aK3LduJomzCkxLZecyDhIghV +zNwsNbB1XQY9TBepLAB2AOg+0No+9QY1MudXKLyJa8kD08vREWvs62nhd31tBr1u +AAABf8AlXP8AAAQDAEcwRQIgPkK0U2XQA0b4SS89AFPNRFo3TdcdNm90Z8015UBb +MpcCIQDMUkJimfKU5IvKyO7D8ibgsJSHE+NASD15Pixf8L25+wB2AFWB1MIWkDYB +SuoLm1c8U/DA5Dh4cCUIFy+jqh0HE9MMAAABf8AlXY8AAAQDAEcwRQIhAKX9i888 +VPeAjIztEESfZ8Izy051gTTSl9D1GBH7Z810AiBrBtrXTu+V39yPAfIK7YBpgsvS 
+C0vB8MCe1Q1nR5KK+gB3AHoyjFTYty22IOo44FIe6YQWcDIThU070ivBOlejUutS +AAABf8AlXTsAAAQDAEgwRgIhAPeWQ8o/CaW5HpEA3UkszILAlsKnixEHRDGFMl8q +GN+rAiEAmBQ7TBG8Xgru2e5c3GdUXecmDVjwI/G1ZthSFmMvNlgAdwBvU3asMfAx +GdiZAKRRFf93FRwR2QLBACkGjbIImjfZEwAAAX/AJV4ZAAAEAwBIMEYCIQC1HlH1 +MYjMp1pvFYmNXafGXvJ6oIiGiUtd1kHRtCt76QIhALj7dbiBFP4b9elj5kYMDPT0 +PAoflviX/f8klXtTFG27AHUA6H6nZgvCbPYALvVyXT/g4zG5OTu5L79Y6zuQSdr1 +Q1oAAAF/wCVhLwAABAMARjBEAiBszHijSAeBf3cec2LQgegrIJ3I4P9EQX28ZQ4S +yTvmDgIgMvxYYvRNu7+RY4AnFAZAhN9eX4WwXLrEdPOPhhxs0TwAdAA1zxkbv7Fs +V78PrUxtQsu7ticgJlHqP+Eq76gDwzvWTAAAAX/AJWAHAAAEAwBFMEMCIBhApuJO +EqEb0oq/6VWxM6jz2dbD7+ZjBDuvOioO/Cf9Ah9/QAHSUTU043F7VdV/REB12XGY +a63YqZJJeeIgTuZDAHYAtz77JN+cTbp18jnFulj0bF38Qs96nzXEnh0JgSXttJkA +AAF/wCVfSQAABAMARzBFAiEA4036r9QS+ngcG4FMBUc1Z36BywbwF00pHprDpNMQ +KhUCIGzTcK+3DnLBJOxwScoow/EJq39GmZV1sZz93r/d5qNdMA0GCSqGSIb3DQEB +CwUAA4IBAQBZvYmRmtu1gQLCA+QqN5C7ftPr0ioULQPBsmX8gHmQ1iHPrBrC99Ef +UD0//QB8V/aWqbt1NNdFXXEslN0V591m13uF7cp27SUjxNFwkPG2oypoqNM42I0U +136fs26VzFbLe/MLNLTiiTkIp4HfSnLoactqvWapU9X6pzRk3CoKbaGHkPpIn467 +6uq08dss4+W9DROLZynwuswtxhLdk4pi82mnIs0t8A+ZOHwKPrQ9zi8Mtc7T9xPY +PuGpbWQMTGKzCOjki81OvuD0ZU//hfHIM8Nh3Fb1LQ3ZRMudYdW+noIaW4FQRY2W +Pr1qU9fkcHml0htVexwhF6m1x5HZ332p +-----END CERTIFICATE----- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Botan-2.19.2/src/tests/data/x509/ocsp/mychain_ee.pem new/Botan-2.19.3/src/tests/data/x509/ocsp/mychain_ee.pem --- old/Botan-2.19.2/src/tests/data/x509/ocsp/mychain_ee.pem 1970-01-01 01:00:00.000000000 +0100 +++ new/Botan-2.19.3/src/tests/data/x509/ocsp/mychain_ee.pem 2022-11-16 12:19:19.000000000 +0100 
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDXDCCAkSgAwIBAgIUQCu8J4C8/lLpesu+yxmEcgboaKwwDQYJKoZIhvcNAQEL +BQAwOTEZMBcGA1UEAwwQTXkgT0NTUCBMb2NhbCBDQTELMAkGA1UEBhMCREUxDzAN +BgNVBAcMBkJlcmxpbjAeFw0yMjA5MjIxMDAwMDBaFw0yMzA5MjIxMDAwMDBaMDsx +GzAZBgNVBAMMEk15IE9DU1AgRW5kIEVudGl0eTELMAkGA1UEBhMCREUxDzANBgNV +BAcMBkJlcmxpbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJjSgFM7 +veKLCerCj8LbDH2eyE/wsgt75EugNON2xcuxdnZKXl9kQP/lq2tjQF9VUKvUr7C0 +4BDTyXjg+0RnH8EUp2fooDsrJu9k1i+lDWFtAYAYYrYYxGMFzCC/h+GBD0FCFBwL +3gpZwPitoDga6jtPbtv/RwFMuPy7b0KUpNMkVAeaT/KVmqc/l+SgLqDEZciiMcaC +GG1rkMnElR7c/0lg5xNITXS1t1Z9bHbpO7lH5xDoFcSTEhOcDdFkN923sbfTT3m9 +4oKHYFDUSoAc+Y2jbwbDK+g6MyCwIiwdyUF+Kgv1fdacWxZMmr2aOA5CX/1+ZeX1 +97ameyxkyA2DZfsCAwEAAaNaMFgwHwYDVR0jBBgwFoAUm5xBswA2BO40FM22Q/5K +RR6PtNMwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwHQYDVR0OBBYEFKnd1WBRL4H/ +IhofGjvLhtGSNh9lMA0GCSqGSIb3DQEBCwUAA4IBAQCoYIhu/w1Hp2aByrbV7Plm +aUhBJovJHqa3KixgSrV6Td6URaCSGHAiAFj1j0/dqzKL7QHMZYs43JRODuABAjsn +SktrpuoA+FILuSZXMm3UFEqNNJzFTwZLC3lSpxT1zvQ4PDgx4xFTMi9pyvGnDHjt +jkPLuLfjgI5PShcIB0Hd6yS07pBFdg/Dr3fCSU7OBAC4o44ubUa5kASvX35zjWoj +NulehNs+aa6Fm7qqSt4mz24qvnOG3SyYpkNKeu/FQjaKXV35A0tGN2ibEHSn0JBp +rZqzfegU5UuZrpGs3xUVeIH+rQdW8uBlllXP38djJ7mLb/3b1vLWakljPqAOOlsm +-----END CERTIFICATE----- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Botan-2.19.2/src/tests/data/x509/ocsp/mychain_int.pem new/Botan-2.19.3/src/tests/data/x509/ocsp/mychain_int.pem --- old/Botan-2.19.2/src/tests/data/x509/ocsp/mychain_int.pem 1970-01-01 01:00:00.000000000 +0100 +++ new/Botan-2.19.3/src/tests/data/x509/ocsp/mychain_int.pem 2022-11-16 12:19:19.000000000 +0100 
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDcTCCAlmgAwIBAgIUP4pG/mdA98wntpdjLKKDv50V4twwDQYJKoZIhvcNAQEL +BQAwODEYMBYGA1UEAwwPTXkgT0NTUCBSb290IENBMQswCQYDVQQGEwJERTEPMA0G +A1UEBwwGQmVybGluMB4XDTIyMDkyMjEwMDAwMFoXDTIzMDkyMjEwMDAwMFowOTEZ +MBcGA1UEAwwQTXkgT0NTUCBMb2NhbCBDQTELMAkGA1UEBhMCREUxDzANBgNVBAcM +BkJlcmxpbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAODHbsMfDefJ +fryKz8fY8AfCE8uAr5CzJ2gXQcIQd0rBJTPQxaxZ950+QbSfPAPAeFa1OWRc/Xby +3DXvtQ3yt879mvxAvsdvlUYOsOOi8b9tap3vLVSc668BJwByNwBZmAF6ByKsC4Yj +wwH7rfekE2KU89LzH0wWDJOybo/N62kXuzt23dO4uUXJat6ZlEghmzhAzHyfFdeD +H8V/7x7c6iQBFz0NSCeo/gzFzVNO0jKbyvScQmfLOvbwTm91nXPs6MWICzsNOliJ +vtfkJsqheq7dVX9HdLfh/1tdFx1WaPhtVf3VTolPGTs9w7hh6uaWsHZpFTbiK0Mc +DeNQkoX1ikcCAwEAAaNyMHAwHwYDVR0jBBgwFoAUk/nNvUAjr/JUj93s2WMZm25Y +zHUwDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAYYwEwYDVR0lBAwwCgYIKwYBBQUH +AwkwHQYDVR0OBBYEFJucQbMANgTuNBTNtkP+SkUej7TTMA0GCSqGSIb3DQEBCwUA +A4IBAQCN1CeGhYZr/ghM45N0auoTJ+U5lAah3g6c7lGS6x6+XyaueI+Pxy0wC/1C +UCjEbErD44utxk+816uUnhmUOqSrDejV0xxPnQYokziOw8flLKm8/Y5ngQ14VshX +oJZMdaQywe3Je34b6t/BZZaZx/dtXHtkDTBdBgOXiv/O7JMDqEQzFb8uC3MPpM1b +TtC58Rtvh8nhy5ieig/uaXBIwcyc4ujlllzjmwV1yNg6iY1QVj3GMRsxvI1ZFkaZ +eZnbFNqwx5ZLL61c/cBV8pG47DKSqBhV9osWCK/vc6WHYcwyYBJ5YIuykl/zs41o +knoudoJ3BFGS9PaFZZQCA78WnYsd +-----END CERTIFICATE----- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Botan-2.19.2/src/tests/data/x509/ocsp/mychain_int_ocsp_delegate_responder.pem new/Botan-2.19.3/src/tests/data/x509/ocsp/mychain_int_ocsp_delegate_responder.pem --- old/Botan-2.19.2/src/tests/data/x509/ocsp/mychain_int_ocsp_delegate_responder.pem 1970-01-01 01:00:00.000000000 +0100 +++ new/Botan-2.19.3/src/tests/data/x509/ocsp/mychain_int_ocsp_delegate_responder.pem 2022-11-16 12:19:19.000000000 +0100 
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDgjCCAmqgAwIBAgIUFkhEhhLqatMopup9/noUhdFx5EkwDQYJKoZIhvcNAQEL +BQAwOTEZMBcGA1UEAwwQTXkgT0NTUCBMb2NhbCBDQTELMAkGA1UEBhMCREUxDzAN +BgNVBAcMBkJlcmxpbjAeFw0yMjA5MjIxMDAwMDBaFw0yMjEwMDcxMDAwMDBaMDox +GjAYBgNVBAMMEU15IE9DU1AgUmVzcG9uZGVyMQswCQYDVQQGEwJERTEPMA0GA1UE +BwwGQmVybGluMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3N3l6YZy +pFShnQWmMyplXu3JaDjUxlrNwEs6Dn5flUC0eAZVN+uaXws+tG//wV487n+OXnyh +Zgz1Mt97J1wYhw7R9bQakPrmkYztrTmTKemS70sWjrsH0Od/S851sv3qAGylWiKb +1n0SawRPo6T5bvYADwwGESRKmWwOwPIv2KdsZ3kUhN9aPj06CMVJIRYVennZRt4X +4tcpgpB/eBp4/iEmfe3BzrFgf9YJG4qcbM84lULGLOnVNuUbbEIlBe75U71OR8dV +El65LSMAVDQovjTV3mdQcLQNOiNnBlNDDaJEi590ki59qnFbJO0Zsf7a/rpHz/4J +LqK8b2by8KoFpwIDAQABo4GAMH4wHwYDVR0jBBgwFoAUm5xBswA2BO40FM22Q/5K +RR6PtNMwCQYDVR0TBAIwADALBgNVHQ8EBAMCAYIwEwYDVR0lBAwwCgYIKwYBBQUH +AwkwDwYJKwYBBQUHMAEFBAIFADAdBgNVHQ4EFgQU7cI/PXYEpWH9l6Bnu36V6Nzv +/MowDQYJKoZIhvcNAQELBQADggEBALv6KUJ0I/Kd/4ofDQHcgrHOe3u26zs1LC5J +X9ZMoLRwN2LbzwWogIg3DEYqLAr0whpiDDcueVQVxK0rYrI1kWAZYi/wkmdOI5D7 +GNtHxdMty62XgOLb4LwGmEMQ7SLH2GgEAgKjJAIVJ5TMlxH8NV2/hrQhmXDpkZc/ ++6I881LDW2273p8vKXxYnI1EFTdCVa9XnNJr3U+yhC9plf+gSr51iXyQf9MPdZ91 +fg187LQkn6oIRtKL7yZMAajemcTkU8avoF1+EX01Z5nu/v2Hgtp2VFDKvCrud+e/ +iKFLYBlsnqfNyZt4n3PAxDP5ziZ5adH2ELCvPDkJ3nneAhvP5So= +-----END CERTIFICATE----- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Botan-2.19.2/src/tests/data/x509/ocsp/mychain_int_ocsp_delegate_responder_no_ocsp_key_usage.pem new/Botan-2.19.3/src/tests/data/x509/ocsp/mychain_int_ocsp_delegate_responder_no_ocsp_key_usage.pem --- old/Botan-2.19.2/src/tests/data/x509/ocsp/mychain_int_ocsp_delegate_responder_no_ocsp_key_usage.pem 1970-01-01 01:00:00.000000000 +0100 +++ new/Botan-2.19.3/src/tests/data/x509/ocsp/mychain_int_ocsp_delegate_responder_no_ocsp_key_usage.pem 2022-11-16 12:19:19.000000000 +0100 
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDbDCCAlSgAwIBAgIUXMtIzKLTZ3oKE92bXWKGdS16GCYwDQYJKoZIhvcNAQEL +BQAwOTEZMBcGA1UEAwwQTXkgT0NTUCBMb2NhbCBDQTELMAkGA1UEBhMCREUxDzAN +BgNVBAcMBkJlcmxpbjAeFw0yMjA5MjIxMDAwMDBaFw0yMjEwMDcxMDAwMDBaMDox +GjAYBgNVBAMMEU15IE9DU1AgUmVzcG9uZGVyMQswCQYDVQQGEwJERTEPMA0GA1UE +BwwGQmVybGluMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3N3l6YZy +pFShnQWmMyplXu3JaDjUxlrNwEs6Dn5flUC0eAZVN+uaXws+tG//wV487n+OXnyh +Zgz1Mt97J1wYhw7R9bQakPrmkYztrTmTKemS70sWjrsH0Od/S851sv3qAGylWiKb +1n0SawRPo6T5bvYADwwGESRKmWwOwPIv2KdsZ3kUhN9aPj06CMVJIRYVennZRt4X +4tcpgpB/eBp4/iEmfe3BzrFgf9YJG4qcbM84lULGLOnVNuUbbEIlBe75U71OR8dV +El65LSMAVDQovjTV3mdQcLQNOiNnBlNDDaJEi590ki59qnFbJO0Zsf7a/rpHz/4J +LqK8b2by8KoFpwIDAQABo2swaTAfBgNVHSMEGDAWgBSbnEGzADYE7jQUzbZD/kpF +Ho+00zAJBgNVHRMEAjAAMAsGA1UdDwQEAwIHgDAPBgkrBgEFBQcwAQUEAgUAMB0G +A1UdDgQWBBTtwj89dgSlYf2XoGe7fpXo3O/8yjANBgkqhkiG9w0BAQsFAAOCAQEA +V17YOra6yl0wTjt6QbQDXxm5m02CpW3EZs8x1M8yZadWXK9dJ6mo7vetqF3nnOzd +TxesfAWigkrSZjR7HHHXXO5S9OjFLEyft+Xbx9+t8216Lbqk7WierREz1C21yCpn +B76DiQRXqY2lEm1cpgkZeSc+SSfoN4oOyXCb/r+sgEebXGHrQhqgdFAWq3BmF6U+ +VyIXG7PiJGoTmlJ9gfkr0+Y0MxNpTIr6OPc9H6+N4mYPhcj/9emTcj6R+0PvfAZC +GRc8U3fCW3UdPOTE28f86ZvMduavCZCSU4m74nZnzY6eKR83KNCjB0gJzYhwqcRm +f9I5C+O6SocALwTGGYkMbg== +-----END CERTIFICATE----- Binary files old/Botan-2.19.2/src/tests/data/x509/ocsp/mychain_ocsp_for_ee.der and new/Botan-2.19.3/src/tests/data/x509/ocsp/mychain_ocsp_for_ee.der differ Binary files old/Botan-2.19.2/src/tests/data/x509/ocsp/mychain_ocsp_for_ee_delegate_signed.der and new/Botan-2.19.3/src/tests/data/x509/ocsp/mychain_ocsp_for_ee_delegate_signed.der differ Binary files old/Botan-2.19.2/src/tests/data/x509/ocsp/mychain_ocsp_for_ee_delegate_signed_malformed.der and new/Botan-2.19.3/src/tests/data/x509/ocsp/mychain_ocsp_for_ee_delegate_signed_malformed.der differ Binary files old/Botan-2.19.2/src/tests/data/x509/ocsp/mychain_ocsp_for_ee_root_signed.der and 
new/Botan-2.19.3/src/tests/data/x509/ocsp/mychain_ocsp_for_ee_root_signed.der differ Binary files old/Botan-2.19.2/src/tests/data/x509/ocsp/mychain_ocsp_for_int_self_signed.der and new/Botan-2.19.3/src/tests/data/x509/ocsp/mychain_ocsp_for_int_self_signed.der differ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Botan-2.19.2/src/tests/data/x509/ocsp/mychain_root.pem new/Botan-2.19.3/src/tests/data/x509/ocsp/mychain_root.pem --- old/Botan-2.19.2/src/tests/data/x509/ocsp/mychain_root.pem 1970-01-01 01:00:00.000000000 +0100 +++ new/Botan-2.19.3/src/tests/data/x509/ocsp/mychain_root.pem 2022-11-16 12:19:19.000000000 +0100 
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDsDCCApigAwIBAgIUWMiulqiEbnZwrB5iI7tL724j7qswDQYJKoZIhvcNAQEL +BQAwODEYMBYGA1UEAwwPTXkgT0NTUCBSb290IENBMQswCQYDVQQGEwJERTEPMA0G +A1UEBwwGQmVybGluMB4XDTIyMDkyMjEwMDAwMFoXDTIzMDkyMjEwMDAwMFowODEY +MBYGA1UEAwwPTXkgT0NTUCBSb290IENBMQswCQYDVQQGEwJERTEPMA0GA1UEBwwG +QmVybGluMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAukN6nemvQcIX +zq+/DKFsJWjQif6sTP2zXfZtpw445LagOt8T9fGFgv6BSNTFp/TMRatQMAfZteH8 +ExzInhOIatwZgOKfG5tE+OH+tOuo9JrgWQRMGrhCV4fClDOv3sPAvduYm00muazD +HeusESr/ykoA3HmJpS62EeOvMsY991TGSoTUSPLXJOyVTT5EcHdLrmosIBNx4nN9 +8xN5ENbhz/lZa3z1+NEtruMhDY5s13POVgpXRCZmgyhl6uCl0HZOYPfoWZwbZfuh +S6U9s0C+JMRjcz1fLyBW2dgsWG6TRSsF6R83DkFQx/9kazfjv/mOqLMw1irT3K0E +wtsxe0aKfQIDAQABo4GxMIGuMF0GA1UdIwRWMFShPKQ6MDgxGDAWBgNVBAMMD015 +IE9DU1AgUm9vdCBDQTELMAkGA1UEBhMCREUxDzANBgNVBAcMBkJlcmxpboIUWMiu +lqiEbnZwrB5iI7tL724j7qswDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAYYwEwYD +VR0lBAwwCgYIKwYBBQUHAwkwHQYDVR0OBBYEFJP5zb1AI6/yVI/d7NljGZtuWMx1 +MA0GCSqGSIb3DQEBCwUAA4IBAQCdGyFlbaBkoLgLwM2q91VcLUHAp54Gp6vvLavq +p+65K7sdzzFj/6P9p6Dsa0BJ3bXba0pfJ10f9nFHOIFISb0Aptmm34XjBwvUckbb +LYDU7InmyS5aeAIxK9+G7TllLfSslPQJspSxWWZkp3cY4Ys7bGidb1ad620F2cMe +I2c09zhQuySbLDgaCc2Hg9Z3trb6S91Mmk6P+fQMzqq0XkfUOqzmEm2D7lFb3G76 +DI6CouYjoIYndVEN6oVVIcD+01Emxssy60aO6wS5MaM8TbcCdx3ZxYCdKj6YcdRf +XhEN1KonHRKP71iZrlw/W+GfVvt1dJx5V5fqh3mGZVvk7Sc7 +-----END CERTIFICATE----- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Botan-2.19.2/src/tests/data/x509/ocsp/randombit_ocsp_forged_responder.pem new/Botan-2.19.3/src/tests/data/x509/ocsp/randombit_ocsp_forged_responder.pem --- old/Botan-2.19.2/src/tests/data/x509/ocsp/randombit_ocsp_forged_responder.pem 1970-01-01 01:00:00.000000000 +0100 +++ new/Botan-2.19.3/src/tests/data/x509/ocsp/randombit_ocsp_forged_responder.pem 2022-11-16 12:19:19.000000000 +0100 
@@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIID1TCCAr2gAwIBAgIUQi+O3XGTkbU8ihDwXOrV18vdTvMwDQYJKoZIhvcNAQEL +BQAwNzEXMBUGA1UEAwwORm9yZ2VkIE9DU1AgQ0ExCzAJBgNVBAYTAkRFMQ8wDQYD +VQQHDAZCZXJsaW4wHhcNMTYxMTE4MTEwMDAwWhcNMTcxMTE4MTEwMDAwWjB+MQsw +CQYDVQQGEwJERTEPMA0GA1UECAwGQmVybGluMQ8wDQYDVQQHDAZCZXJsaW4xFDAS +BgNVBAoMC0hhY2tlcnNwYWNlMRowGAYDVQQLDBFPQ1NQIEJyZWFraW5nIExhYjEb +MBkGA1UEAwwSRm9yZ2VkIE9DU1AgU2lnbmVyMIIBIjANBgkqhkiG9w0BAQEFAAOC +AQ8AMIIBCgKCAQEAq72Y4p9gCPcoNELOB5i104jhbzbEWfcXhAdXkmufOFFVVveq +HbiGx5GLi46cJATjSQoOL86Jwgp/v0nZukfQFIsWJGjG3eDQnMBGaAH9+SZh+udP +dhcuOvFqvFBkKk6rMIcW0Tqx2ixZUG7275JrqjEyNUjAGA9fRSkGoWyca/P6QCjE +sgAMr82n0XahLi7VVL0v/DcRK7h9slJJbG9UBmHuwPYU5C5Z9iQKCh3JZ3oOgO4d +OuAGXrRm69znN5jlkBxgowJbgPn4Xp2QyAZl2A0/mou3U9WuVGDOUDLRL1UbCv/T +VyX/WyUsAV54apAkxM9Hd5yZermoIZ7gPCv40wIDAQABo4GRMIGOMB8GA1UdIwQY +MBaAFE4W+nR1DcTuZYBY/YXQinJ1Y5PjMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeA +MBMGA1UdJQQMMAoGCCsGAQUFBwMJMB8GA1UdEQQYMBaCFG9jc3AuaGFja2Vyc3Bh +Y2Uub3JnMB0GA1UdDgQWBBQAUq7vwa5MkBmRG9GuRC7N2F97BjANBgkqhkiG9w0B +AQsFAAOCAQEAzS/5VHLcyTkvnodS18mlkp6r4fKkxhrLR2cyGhQPqwEqkq+l4U8k +UMnem31+XoVHt8nN7N0+aOCna7xhvxzWDQioahG4oSxW3R0FNbO4+HXEBkUqbJQo +JaVxSc4vXYjXgLvvhcSAbwfg7o3jInHszCLWoEpNEWGI0Un/ngJX0E8H374LiPnd +Z7W8bNvqRgbpbZJmrgVfm2T3NIWlMYCB8GqyZMA/uLUtxkv25LTCsCTGKhn/ZQoI +XxCZ4OvZDbxLmGj+5GsgJUHVKVhDomo0fJQh+KrMw+0IyjFVjjyroN6d1A3JPmbL +dKUfISvTkfDCj67y8iASBRCOEs7EB4JzSg== +-----END CERTIFICATE----- Binary files old/Botan-2.19.2/src/tests/data/x509/ocsp/randombit_ocsp_forged_revoked.der and new/Botan-2.19.3/src/tests/data/x509/ocsp/randombit_ocsp_forged_revoked.der differ Binary files old/Botan-2.19.2/src/tests/data/x509/ocsp/randombit_ocsp_forged_valid.der and new/Botan-2.19.3/src/tests/data/x509/ocsp/randombit_ocsp_forged_valid.der differ Binary files old/Botan-2.19.2/src/tests/data/x509/ocsp/randombit_ocsp_forged_valid_nocerts.der and new/Botan-2.19.3/src/tests/data/x509/ocsp/randombit_ocsp_forged_valid_nocerts.der differ diff -urN '--exclude=CVS' 
'--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/Botan-2.19.2/src/tests/test_x509_path.cpp new/Botan-2.19.3/src/tests/test_x509_path.cpp --- old/Botan-2.19.2/src/tests/test_x509_path.cpp 2022-06-03 19:29:40.000000000 +0200 +++ new/Botan-2.19.3/src/tests/test_x509_path.cpp 2022-11-16 12:19:19.000000000 +0100 
@@ -1076,12 +1076,126 @@ return result; } + Test::Result validate_with_ocsp_with_authorized_responder() + { + Test::Result result("path check with ocsp response from authorized responder certificate"); + Botan::Certificate_Store_In_Memory trusted; + + auto restrictions = Botan::Path_Validation_Restrictions(true, // require revocation info + 110, // minimum key strength + true); // OCSP for all intermediates + + auto ee = load_test_X509_cert("x509/ocsp/bdr.pem"); + auto ca = load_test_X509_cert("x509/ocsp/bdr-int.pem"); + auto trust_root = load_test_X509_cert("x509/ocsp/bdr-root.pem"); + + // These OCSP responses are signed by an authorized OCSP responder + // certificate issued by `ca` and `trust_root` respectively. Note that + // the responder certificates contain the "OCSP No Check" extension, + // meaning that they themselves do not need a revocation check via OCSP. + auto ocsp_ee = load_test_OCSP_resp("x509/ocsp/bdr-ocsp-resp.der"); + auto ocsp_ca = load_test_OCSP_resp("x509/ocsp/bdr-int-ocsp-resp.der"); + + trusted.add_certificate(trust_root); + const std::vector<Botan::X509_Certificate> cert_path = { ee, ca, trust_root }; + + auto check_path = [&](const std::chrono::system_clock::time_point valid_time, + const Botan::Certificate_Status_Code expected) + { + const auto path_result = Botan::x509_path_validate(cert_path, restrictions, trusted, "", Botan::Usage_Type::UNSPECIFIED, + valid_time, std::chrono::milliseconds(0), {ocsp_ee, ocsp_ca}); + + return result.confirm(std::string("Status: '") + Botan::to_string(expected) + + "' should match '" + Botan::to_string(path_result.result()) + "'", + path_result.result()==expected); + }; + + check_path(Botan::calendar_point(2022, 9, 18, 16, 30, 0).to_std_timepoint(), + Botan::Certificate_Status_Code::OCSP_NOT_YET_VALID); + check_path(Botan::calendar_point(2022, 9, 19, 16, 30, 0).to_std_timepoint(), + Botan::Certificate_Status_Code::OK); + check_path(Botan::calendar_point(2022, 9, 20, 16, 30, 0).to_std_timepoint(), + 
Botan::Certificate_Status_Code::OCSP_HAS_EXPIRED); + + return result; + } + + Test::Result validate_with_forged_ocsp_using_self_signed_cert() + { + Test::Result result("path check with forged ocsp using self-signed certificate (CVE-2022-43705)"); + Botan::Certificate_Store_In_Memory trusted; + + auto restrictions = Botan::Path_Validation_Restrictions(true, // require revocation info + 110, // minimum key strength + false); // OCSP for all intermediates + + auto ee = load_test_X509_cert("x509/ocsp/randombit.pem"); + auto ca = load_test_X509_cert("x509/ocsp/letsencrypt.pem"); + auto trust_root = load_test_X509_cert("x509/ocsp/identrust.pem"); + trusted.add_certificate(trust_root); + + const std::vector<Botan::X509_Certificate> cert_path = { ee, ca, trust_root }; + + auto check_path = [&](const std::string &forged_ocsp, + const Botan::Certificate_Status_Code expected) + { + auto ocsp = load_test_OCSP_resp(forged_ocsp); + const auto path_result = Botan::x509_path_validate(cert_path, restrictions, trusted, "", Botan::Usage_Type::UNSPECIFIED, + Botan::calendar_point(2016, 11, 18, 12, 30, 0).to_std_timepoint(), std::chrono::milliseconds(0), {ocsp}); + + result.confirm(std::string("Path validation with forged OCSP response should fail with '") + Botan::to_string(expected) + "'", + path_result.result() == expected); + result.test_note(std::string("Failed with: ") + Botan::to_string(path_result.result())); + }; + + // In both cases the path validation should detect the forged OCSP + // response and generate an appropriate error. By no means it should + // follow the unauthentic OCSP response. 
+ check_path("x509/ocsp/randombit_ocsp_forged_valid.der", Botan::Certificate_Status_Code::OCSP_ISSUER_NOT_FOUND); + check_path("x509/ocsp/randombit_ocsp_forged_revoked.der", Botan::Certificate_Status_Code::OCSP_ISSUER_NOT_FOUND); + + return result; + } + + Test::Result validate_with_ocsp_self_signed_by_intermediate_cert() + { + Test::Result result("path check with ocsp response for intermediate that is (maliciously) self-signed by the intermediate"); + Botan::Certificate_Store_In_Memory trusted; + + auto restrictions = Botan::Path_Validation_Restrictions(true, // require revocation info + 110, // minimum key strength + true); // OCSP for all intermediates + + auto ee = load_test_X509_cert("x509/ocsp/mychain_ee.pem"); + auto ca = load_test_X509_cert("x509/ocsp/mychain_int.pem"); + auto trust_root = load_test_X509_cert("x509/ocsp/mychain_root.pem"); + + // this OCSP response for EE is valid (signed by intermediate cert) + auto ocsp_ee = load_test_OCSP_resp("x509/ocsp/mychain_ocsp_for_ee.der"); + + // this OCSP response for Intermediate is malicious (signed by intermediate itself) + auto ocsp_ca = load_test_OCSP_resp("x509/ocsp/mychain_ocsp_for_int_self_signed.der"); + + trusted.add_certificate(trust_root); + const std::vector<Botan::X509_Certificate> cert_path = { ee, ca, trust_root }; + + const auto path_result = Botan::x509_path_validate(cert_path, restrictions, trusted, "", Botan::Usage_Type::UNSPECIFIED, + Botan::calendar_point(2022, 9, 22, 22, 30, 0).to_std_timepoint(), std::chrono::milliseconds(0), {ocsp_ee, ocsp_ca}); + result.confirm("should reject intermediate OCSP response", path_result.result() == Botan::Certificate_Status_Code::OCSP_ISSUER_NOT_FOUND); + result.test_note(std::string("Failed with: ") + Botan::to_string(path_result.result())); + + return result; + } + std::vector<Test::Result> run() override { return {validate_with_ocsp_with_next_update_without_max_age(), validate_with_ocsp_with_next_update_with_max_age(), 
validate_with_ocsp_without_next_update_without_max_age(), - validate_with_ocsp_without_next_update_with_max_age()}; + validate_with_ocsp_without_next_update_with_max_age(), + validate_with_ocsp_with_authorized_responder(), + validate_with_forged_ocsp_using_self_signed_cert(), + validate_with_ocsp_self_signed_by_intermediate_cert()}; } };
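Review bot: the three forged responses (`randombit_ocsp_forged_valid.der`, `randombit_ocsp_forged_revoked.der`, `randombit_ocsp_forged_valid_nocerts.der`) arrive as opaque binaries under `src/tests/data/x509/ocsp/`, so a reviewer cannot see what status they assert, which key signed them, or how the three variants differ; please add a short note next to the fixtures (or the script that produced them) stating how they were generated from `randombit_ocsp_forged_responder.pem`, so the regression test for CVE-2022-43705 stays reproducible when the fixtures have to be regenerated.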
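Review bot: `randombit_ocsp_forged_valid_nocerts.der` is added alongside the other forged responses but is never loaded in `validate_with_forged_ocsp_using_self_signed_cert`, whose two `check_path` calls cover only `randombit_ocsp_forged_valid.der` and `randombit_ocsp_forged_revoked.der`; unless another test consumes it, add a third `check_path("x509/ocsp/randombit_ocsp_forged_valid_nocerts.der", ...)` with the expected status, so the variant that (by its name) omits the embedded responder certificate is also exercised. Two smaller points in the same hunk: `result.test_note(std::string("Failed with: ") + Botan::to_string(path_result.result()))` runs unconditionally in both new negative tests, so a passing run logs "Failed with: OCSP_ISSUER_NOT_FOUND", which reads like an error; "Observed status: " would be clearer. And the comment "By no means it should follow the unauthentic OCSP response" should read "By no means should it follow the inauthentic OCSP response".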