Author: brane
Date: Sun Dec 11 12:32:57 2016
New Revision: 1773567

URL: http://svn.apache.org/viewvc?rev=1773567&view=rev
Log:
On the ocsp-verification branch: Prepare prototypes and error codes for OCSP response creation and verification.

* BRANCH-README: Update branch docs.
* serf.h
  (SERF_ERROR_SSL_OCSP_RESPONSE_CERT_REVOKED,
   SERF_ERROR_SSL_OCSP_RESPONSE_CERT_UNKNOWN,
   SERF_ERROR_SSL_OCSP_RESPONSE_INVALID): New error codes.
  (SERF_OCSP_UNGOOD_ERROR): New error-checking utility macro.
* serf_bucket_types.h
  (serf_ssl_ocsp_request_create, serf_ssl_ocsp_response_verify): New prototypes.
* src/context.c (serf_error_string): Add error strings for the new error codes.

Modified:
    serf/branches/ocsp-verification/BRANCH-README
    serf/branches/ocsp-verification/serf.h
    serf/branches/ocsp-verification/serf_bucket_types.h
    serf/branches/ocsp-verification/src/context.c

Modified: serf/branches/ocsp-verification/BRANCH-README
URL: http://svn.apache.org/viewvc/serf/branches/ocsp-verification/BRANCH-README?rev=1773567&r1=1773566&r2=1773567&view=diff
==============================================================================
--- serf/branches/ocsp-verification/BRANCH-README (original)
+++ serf/branches/ocsp-verification/BRANCH-README Sun Dec 11 12:32:57 2016
@@ -46,22 +46,32 @@ These are the proposed changes: through serf_ssl_load_cert_file() is neither easy nor sane). -3. serf_ocsp_request_create() +3. serf_ssl_ocsp_request_create() Add a new function that can be used from within a request setup handler to create an OCSP request: - apr_status_t serf_ocsp_request_create( + apr_status_t serf_ssl_ocsp_request_create( const serf_ssl_certificate_t *server_cert, const serf_ssl_certificate_t *issuer_cert, - const char **ocsp_request, + const void **ocsp_request, + apr_size_t *ocsp_request_size, + const void **nonce, + apr_size_t *nonce_size, apr_pool_t *pool); Docstring: Constructs an OCSP verification request for @a server_cert with - issuer certificate @a issuer_cert, returning the DER encoded - request in @a ocsp_request, allocated from @a pool. + issuer certificate @a issuer_cert, Retyurns the DER encoded + request in @a ocsp_request and its size in @a ocsp_request_size. + + If @a nonce is not @c NULL, the request will contain a randomly + generated nonce, which will be returned in @a *nonce and its + size in @a nonce_size. If @a nonce is @c NULL, @a nonce_size + is ignored. + + The request and nonce will be allocated from @a pool. Discussion: 
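Review bot: The new docstring in this hunk has a typo and a comma splice: "issuer certificate @a issuer_cert, Retyurns the DER encoded" should read "issuer certificate @a issuer_cert. Returns the DER encoded". While here, the nonce paragraph only says "randomly generated"; since the nonce is what binds a response to this particular request and stops an older, still-signed response from being replayed, the docstring should state that it comes from a cryptographically secure random source, so that nobody implementing it reaches for a plain PRNG.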
@@ -72,6 +82,54 @@ These are the proposed changes: request headers. -4. serf_ocsp_response_parse() +4. serf_ssl_ocsp_response_verify() + + Add a new function that can be used from within a response handler + to verify an OCSP response: + + apr_status_t serf_ssl_ocsp_response_verify( + const void *ocsp_response, + apr_size_t ocsp_response_size, + const serf_ssl_certificate_t *server_cert, + const serf_ssl_certificate_t *issuer_cert, + const void *nonce, + apr_size_t nonce_size, + apr_time_t *this_update, + apr_time_t *next_update, + apr_time_t *produced_at, + apr_pool_t *pool); + + Docstring: + + Check if the given @a ocsp_response of size @a ocsp_response_size + is valid for the given @a server_cert, @a issuer_cert and @a nonce. + + If @a nonce is @c NULL, the response _must not_ contain a nonce. + Otherwise, it must contain an identical nonce with size @a nonce_size. + + The @a this_update, @a next_update and @a produced_at output arguments + are described in RFC 2560, section 2.4 and, when not @c NULL, will be + set from the parsed response. Any of these times that are not present + in the response will be set to the epoch, i.e., @c APR_TIME_C(0). + + Uses @a pool for temporary allocations. + + Discussion: + + Parses and verifies the OCSP response received in the HTTP response + body as per RFC 2560, section 3.2. + + +5. New error codes and macros + + #define SERF_ERROR_SSL_OCSP_RESPONSE_CERT_REVOKED + #define SERF_ERROR_SSL_OCSP_RESPONSE_CERT_UNKNOWN + #define SERF_ERROR_SSL_OCSP_RESPONSE_INVALID + + #define SERF_OCSP_UNGOOD_ERROR(status) + + Discussion: - TBD: Parse an OCSP response. + These error codes are returned from serf_ssl_ocsp_response_verify(). + The SERF_OCSP_UNGOOD_ERROR() macro combines the _CERT_REVOKED + and _CERT_UNKNOWN error codes.. 
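Review bot: The serf_ssl_ocsp_response_verify() prototype takes only @a server_cert and @a issuer_cert, yet RFC 2560 section 3.2, which the discussion cites, requires checking that the response signature verifies and that the signer is the issuer, a locally trusted responder, or a responder the issuer has delegated to; the docstring should say which of these the function accepts and where trust for a delegated responder comes from, because nothing in the signature carries a trust store. It should also say whether the function itself rejects a response whose @a next_update has already passed or whose @a this_update lies in the future, or whether the caller is expected to check the returned times; as written, a caller could read APR_SUCCESS as "currently good" when it only means "parsed, signed and nonce-matched". Minor: "error codes.." at the end of item 5 has a doubled period.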
Modified: serf/branches/ocsp-verification/serf.h URL: http://svn.apache.org/viewvc/serf/branches/ocsp-verification/serf.h?rev=1773567&r1=1773566&r2=1773567&view=diff ============================================================================== --- serf/branches/ocsp-verification/serf.h (original) +++ serf/branches/ocsp-verification/serf.h Sun Dec 11 12:32:57 2016 @@ -143,6 +143,19 @@ typedef struct serf_config_t serf_config on a connection that uses HTTP pipelining. */ #define SERF_ERROR_SSL_NEGOTIATE_IN_PROGRESS (SERF_ERROR_START + 73) +/* OCSP responder says that the certificate is revoked. */ +#define SERF_ERROR_SSL_OCSP_RESPONSE_CERT_REVOKED (SERF_ERROR_START + 74) + +/* OCSP responder says that the certificate is unknown. */ +#define SERF_ERROR_SSL_OCSP_RESPONSE_CERT_UNKNOWN (SERF_ERROR_START + 75) + +/* The response from an OCSP responder was not valid. */ +#define SERF_ERROR_SSL_OCSP_RESPONSE_INVALID (SERF_ERROR_START + 76) + +#define SERF_OCSP_UNGOOD_ERROR(status) ((status) \ + && ((SERF_ERROR_SSL_OCSP_CERT_REVOKED == (status)) \ + ||(SERF_ERROR_SSL_OCSP_CERT_UNKNOWN == (status)))) + /* General authentication related errors */ #define SERF_ERROR_AUTHN_FAILED (SERF_ERROR_START + 90) Modified: serf/branches/ocsp-verification/serf_bucket_types.h URL: http://svn.apache.org/viewvc/serf/branches/ocsp-verification/serf_bucket_types.h?rev=1773567&r1=1773566&r2=1773567&view=diff ============================================================================== --- serf/branches/ocsp-verification/serf_bucket_types.h (original) +++ serf/branches/ocsp-verification/serf_bucket_types.h Sun Dec 11 12:32:57 2016 
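Review bot: SERF_OCSP_UNGOOD_ERROR() references SERF_ERROR_SSL_OCSP_CERT_REVOKED and SERF_ERROR_SSL_OCSP_CERT_UNKNOWN, but the constants defined just above it are SERF_ERROR_SSL_OCSP_RESPONSE_CERT_REVOKED and SERF_ERROR_SSL_OCSP_RESPONSE_CERT_UNKNOWN (the macro is missing _RESPONSE_ in both names), so it expands to undeclared identifiers and the first use of it fails to compile. The leading `(status) &&` is also redundant, since both constants are non-zero; `((SERF_ERROR_SSL_OCSP_RESPONSE_CERT_REVOKED == (status)) || (SERF_ERROR_SSL_OCSP_RESPONSE_CERT_UNKNOWN == (status)))` is enough. A one-line comment saying the macro is true for a well-formed response that denies the certificate, as opposed to SERF_ERROR_SSL_OCSP_RESPONSE_INVALID, would help callers keep the two failure classes apart.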
@@ -769,6 +769,53 @@ apr_status_t serf_ssl_check_cert_status_request(serf_ssl_context_t *ssl_ctx, int enabled); /** + * Constructs an OCSP verification request for @a server_cert with + * issuer certificate @a issuer_cert, Retyurns the DER encoded + * request in @a ocsp_request and its size in @a ocsp_request_size. + * + * If @a nonce is not @c NULL, the request will contain a randomly + * generated nonce, which will be returned in @a *nonce and its + * size in @a nonce_size. If @a nonce is @c NULL, @a nonce_size + * is ignored. + * + * The request and nonce will be allocated from @a pool. + */ +apr_status_t serf_ssl_ocsp_request_create( + const serf_ssl_certificate_t *server_cert, + const serf_ssl_certificate_t *issuer_cert, + const void **ocsp_request, + apr_size_t *ocsp_request_size, + const void **nonce, + apr_size_t *nonce_size, + apr_pool_t *pool); + +/** + * Check if the given @a ocsp_response of size @a ocsp_response_size + * is valid for the given @a server_cert, @a issuer_cert and @a nonce. + * + * If @a nonce is @c NULL, the response _must not_ contain a nonce. + * Otherwise, it must contain an identical nonce with size @a nonce_size. + * + * The @a this_update, @a next_update and @a produced_at output arguments + * are described in RFC 2560, section 2.4 and, when not @c NULL, will be + * set from the parsed response. Any of these times that are not present + * in the response will be set to the epoch, i.e., @c APR_TIME_C(0). + * + * Uses @a pool for temporary allocations. + */ +apr_status_t serf_ssl_ocsp_response_verify( + const void *ocsp_response, + apr_size_t ocsp_response_size, + const serf_ssl_certificate_t *server_cert, + const serf_ssl_certificate_t *issuer_cert, + const void *nonce, + apr_size_t nonce_size, + apr_time_t *this_update, + apr_time_t *next_update, + apr_time_t *produced_at, + apr_pool_t *pool); + +/** * Enable or disable SSL compression on a SSL session. * @a enabled = 1 to enable compression, 0 to disable compression. 
* Default = disabled. Modified: serf/branches/ocsp-verification/src/context.c URL: http://svn.apache.org/viewvc/serf/branches/ocsp-verification/src/context.c?rev=1773567&r1=1773566&r2=1773567&view=diff ============================================================================== --- serf/branches/ocsp-verification/src/context.c (original) +++ serf/branches/ocsp-verification/src/context.c Sun Dec 11 12:32:57 2016 @@ -389,6 +389,13 @@ const char *serf_error_string(apr_status return "An error occurred during SSL setup"; case SERF_ERROR_SSL_CERT_FAILED: return "An SSL certificate related error occurred "; + case SERF_ERROR_SSL_OCSP_RESPONSE_CERT_REVOKED: + return "An OCSP responder declared an SSL certificate is revoked"; + case SERF_ERROR_SSL_OCSP_RESPONSE_CERT_UNKNOWN: + return "An OCSP responder declared an SSL certificate is unknown"; + case SERF_ERROR_SSL_OCSP_RESPONSE_INVALID: + return "An OCSP responder returned an invalid response"; + case SERF_ERROR_AUTHN_FAILED: return "An error occurred during authentication"; case SERF_ERROR_AUTHN_NOT_SUPPORTED:
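Review bot: The doc comment for serf_ssl_ocsp_request_create() in the serf_bucket_types.h hunk carries the same "Retyurns" typo and comma splice as the BRANCH-README text ("issuer certificate @a issuer_cert, Retyurns the DER encoded"); fix it here too, since this is the copy that ends up in the public header. Both comments cite RFC 2560, which RFC 6960 obsoleted in 2013; citing RFC 6960 keeps the header current (the thisUpdate/nextUpdate/producedAt semantics are still in its section 2.4 and response acceptance in its section 3.2). Also, "@a *nonce" should be "@a nonce" for consistency with the other parameter references.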
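Review bot: Style point on the three new strings in the src/context.c hunk: "declared an SSL certificate is revoked" and "declared an SSL certificate is unknown" read as if a word is missing; "declared that an SSL certificate is revoked" / "... is unknown" fits the surrounding messages better. Since SERF_ERROR_SSL_OCSP_RESPONSE_INVALID is the code a caller will see for every signature, nonce or parse failure in serf_ssl_ocsp_response_verify(), its string could say "returned a response that could not be verified" rather than "invalid", so that logs distinguish a responder problem from a revoked certificate at a glance.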