Hi Martin,
Sorry for the delayed response. I had developed my own OCSP implementation
external to openssl prior to finding your code in the message archive, so I had
never actually integrated OCSP_check_validity() into your code. While trying
to integrate OCSP_check_validity() into your code this week, I discovered some
fundamental differences:
1) check_ocsp_times() verifies all times within a basic response, while
OCSP_check_validity() only tests a single response's this and next update
fields.
2) check_ocsp_times() utilizes ctx->param->check_time if it is set, while
OCSP_check_validity() does not.
3) check_ocsp_times() sets new, OCSP-specific ctx->error codes in the event
of an invalid time, while OCSP_check_validity() sets OCSPerr codes (i.e.,
OCSP_R_ERROR_IN_THISUPDATE_FIELD, OCSP_R_STATUS_NOT_YET_VALID).
So in retrospect, these functions aren't a one-for-one swap. The best I
could come up with is inserting OCSP_check_validity() into check_ocsp_times()
inside of check_ocsp_times()'s for(i=0; i<sk_OCSP_SINGLERESP_num(); i++) loop
to do the thisUpdate/nextUpdate checking. Not the most elegant looking
solution, so I won't post it here.
OCSP_check_validity() still offers the benefit of a skew value, which simply
allows for the OCSP server and OCSP client system clocks to be slightly out
of sync. Just take a look at ./crypto/ocsp/ocsp_cl.c to see how it works.
The memory fix in get_ocsp() is just 3 lines, as posted in my original email.
Please pardon my manual diffs:
int aiapos, i, ok = 0;
unsigned char *uri;
+ unsigned char* p;
if (!ctx-ocsp_ctx-dl_ocsp)
goto err;
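Review bot: declare the new local as `const unsigned char *p` rather than `unsigned char* p`: d2i_AUTHORITY_INFO_ACCESS takes a `const unsigned char **` input pointer, so a const-qualified scratch pointer matches it without any cast when it is later assigned from data->data, and the `*` against the name follows the style of `unsigned char *uri;` on the line above.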
and...
ctx-error = X509_V_ERR_APPLICATION_VERIFICATION;
goto err;
}
+ p = (unsigned char*)data-data;
if (!(aia = d2i_AUTHORITY_INFO_ACCESS(NULL,
- (const unsigned char
**)(data-data),
+ p,
data-length)))
{
ctx-error = X509_V_ERR_APPLICATION_VERIFICATION;
goto err;
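Review bot: the `+ p,` line passes `p` itself where d2i_AUTHORITY_INFO_ACCESS expects the address of the input pointer (`const unsigned char **in`); it should read `&p`. d2i_* functions advance `*in` past the bytes they consume, which is the whole reason for a scratch copy here: the removed `(const unsigned char **)(data->data)` cast handed the function the DER bytes themselves to be read as a pointer, and passing `&data->data` instead would move the ASN1_STRING's own data pointer away from the start of its allocation. With `&p` the string is left untouched and the parser walks the copy. If the ampersand was simply lost in the mail, ignore this; as posted, the call compiles with a type warning and dereferences the DER bytes as a pointer.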
Finally, I put the test for id-pkix-ocsp-nocheck in your check_ocsp function:
/* Check if the issuer of the OCSP certificate is the same as of the
* certificate currently checked.
*/
if (!(OCSP_basic_find_signer(ocsp_cert, basic, ctx-untrusted, 0)))
{
ctx-error = X509_V_ERR_OCSP_SIGNING_CERT_NOT_FOUND;
goto end;
}
- if (!(ctx-check_issued(ctx, ocsp_cert, issuer))
+ if (!((ctx-check_issued(ctx, ocsp_cert, issuer)) ||
+ (X509_get_ext_by_NID(ocsp_cert, NID_id_pkix_OCSP_noCheck,
-1
{
/* OCSP certificate could still be one of the authorized
responders */
if (!ctx-ocsp_ctx-auth_responders)
{
ctx-error = X509_V_ERR_OCSP_CERT_ISSUER_NOT_TRUSTED;
goto end;
}
int found = 0, i;
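Review bot: the `X509_get_ext_by_NID(ocsp_cert, NID_id_pkix_OCSP_noCheck, -1)` term in the new `||` condition is wrong as a boolean: the function returns the extension's index, and -1 when the extension is absent, so the absent case is non-zero and true, the outer `if (!(...))` never fires, and the issuer test is skipped for every responder certificate. Compare the result with `>= 0`. Separately, id-pkix-ocsp-nocheck only tells the client not to check the revocation status of the responder's own certificate (RFC 2560 section 4.2.2.2.1); it says nothing about whether that certificate was issued by the CA whose certificate is being checked, so OR-ing it into the issuer test lets any certificate carrying the extension bypass both the check_issued() test and the authorized-responder fallback below it. Keep the `ctx->check_issued(ctx, ocsp_cert, issuer)` test as it was and apply the nocheck exemption only where the responder certificate's own revocation status is evaluated. The closing parentheses of the new condition also appear to be missing from the posted hunk (the `-1` line is followed directly by `{`).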
At this point I'm leaning towards my original, external OCSP implementation, as
yours unfortunately was never adopted by openssl. However, I did learn quite a
bit about OCSP by integrating, building and testing your solution.
BTW, my external implementation is based on the code in apps/ocsp.c, and it is
tied into openssl's crypto code via X509_STORE_set_verify_cb_func(myStore,
myCb). I then rely on x509_vfy.c's internal_verify() to invoke my myCb
function with ok==1 once per certificate in the chain. My solution does not
have the tight CRL/OCSP coupling that yours has, but as stated before, I won't
be using CRLs.
Thanks again,
- Mike
Michael Siedzik | msied...@enterasys.com
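The checks that points 1) to 3) and the skew paragraph above describe, carried out over every SingleResponse of a basic response with a caller-supplied check time, as an added example in plain C. It is not OpenSSL code and not from either author's patch: it models OCSP_SINGLERESP with a small struct, assumes GeneralizedTime values arrive as "YYYYMMDDHHMMSSZ" strings, and uses status names of its own that only loosely follow the OCSP_R_* reason codes. The window logic mirrors OCSP_check_validity() in crypto/ocsp/ocsp_cl.c (thisUpdate at most nsec in the future, nextUpdate at most nsec in the past, thisUpdate no older than maxsec when maxsec >= 0); the demo responses and the check time are constructed for the example.

```c
#include <stdint.h>
#include <string.h>

/* Outcomes of the time checks; names are this example's own, loosely modelled
 * on the OCSP_R_* reason codes that OCSP_check_validity() reports. */
enum ocsp_time_status {
    OCSP_TIME_OK = 0,
    OCSP_TIME_BAD_THISUPDATE,   /* thisUpdate unparsable */
    OCSP_TIME_NOT_YET_VALID,    /* thisUpdate more than nsec in the future */
    OCSP_TIME_TOO_OLD,          /* thisUpdate more than maxsec in the past */
    OCSP_TIME_BAD_NEXTUPDATE,   /* nextUpdate unparsable */
    OCSP_TIME_EXPIRED,          /* nextUpdate more than nsec in the past */
    OCSP_TIME_NEXT_BEFORE_THIS  /* nextUpdate precedes thisUpdate */
};

/* Stand-in for OCSP_SINGLERESP: just the two fields the checks consume. */
struct single_resp {
    const char *this_update;    /* GeneralizedTime "YYYYMMDDHHMMSSZ" */
    const char *next_update;    /* same format, or NULL when absent */
};

/* Days since 1970-01-01 for a proleptic Gregorian date (Hinnant's algorithm),
 * so the example needs no non-standard timegm(). */
static int64_t days_from_civil(int64_t y, int m, int d)
{
    int64_t era, yoe, doy, doe;
    y -= m <= 2;
    era = (y >= 0 ? y : y - 399) / 400;
    yoe = y - era * 400;
    doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + doe - 719468;
}

static int digits(const char *s, int n)
{
    int v = 0;
    while (n-- > 0)
        v = v * 10 + (*s++ - '0');
    return v;
}

/* Parse a UTC GeneralizedTime without fractional seconds into epoch seconds.
 * Returns 0 on malformed input, the analogue of ASN1_GENERALIZEDTIME_check()
 * failing. */
int parse_generalized_time(const char *s, int64_t *out)
{
    int i, y, m, d, hh, mm, ss;
    if (s == NULL || strlen(s) != 15 || s[14] != 'Z')
        return 0;
    for (i = 0; i < 14; i++)
        if (s[i] < '0' || s[i] > '9')
            return 0;
    y = digits(s, 4); m = digits(s + 4, 2); d = digits(s + 6, 2);
    hh = digits(s + 8, 2); mm = digits(s + 10, 2); ss = digits(s + 12, 2);
    if (m < 1 || m > 12 || d < 1 || d > 31 || hh > 23 || mm > 59 || ss > 59)
        return 0;
    *out = days_from_civil(y, m, d) * 86400 + hh * 3600 + mm * 60 + ss;
    return 1;
}

/* Window logic of OCSP_check_validity(): thisUpdate may lie at most nsec
 * seconds in the future (clock skew), nextUpdate (when present) at most nsec
 * in the past, thisUpdate no more than maxsec in the past when maxsec >= 0.
 * 'now' is supplied by the caller (the role of ctx->param->check_time) rather
 * than read from the system clock. */
enum ocsp_time_status check_single_validity(const struct single_resp *r,
                                            int64_t now, long nsec, long maxsec)
{
    int64_t t_this, t_next;
    if (!parse_generalized_time(r->this_update, &t_this))
        return OCSP_TIME_BAD_THISUPDATE;
    if (t_this > now + nsec)
        return OCSP_TIME_NOT_YET_VALID;
    if (maxsec >= 0 && t_this < now - maxsec)
        return OCSP_TIME_TOO_OLD;
    if (r->next_update == NULL)
        return OCSP_TIME_OK;
    if (!parse_generalized_time(r->next_update, &t_next))
        return OCSP_TIME_BAD_NEXTUPDATE;
    if (t_next < now - nsec)
        return OCSP_TIME_EXPIRED;
    if (t_next < t_this)
        return OCSP_TIME_NEXT_BEFORE_THIS;
    return OCSP_TIME_OK;
}

/* Apply the check to every SingleResponse, as the check_ocsp_times() loop
 * does; *bad_index receives the first failing response, or -1 if all pass. */
enum ocsp_time_status check_basic_response_times(const struct single_resp *r,
        int n, int64_t now, long nsec, long maxsec, int *bad_index)
{
    int i;
    for (i = 0; i < n; i++) {
        enum ocsp_time_status st = check_single_validity(&r[i], now, nsec, maxsec);
        if (st != OCSP_TIME_OK) {
            *bad_index = i;
            return st;
        }
    }
    *bad_index = -1;
    return OCSP_TIME_OK;
}

/* Constructed basic response, relative to a client check time of
 * 2012-04-02 15:08:00Z (demo_now below). */
const struct single_resp demo_responses[3] = {
    { "20120402150000Z", "20120403150000Z" },   /* fresh, inside its window */
    { "20120402151000Z", NULL },                /* 2 min ahead of client clock */
    { "20120401150000Z", "20120402150500Z" },   /* nextUpdate passed 3 min ago */
};

int64_t demo_now(void)
{
    int64_t t = 0;
    parse_generalized_time("20120402150800Z", &t);
    return t;
}
```

With a 300 second skew all three responses pass; with nsec = 0 the second one is reported as not yet valid and the third, checked on its own, as expired, which is the clock-drift case the skew parameter exists for. Passing maxsec = 3600 additionally rejects the third response as too old, since its thisUpdate is a day behind the check time.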
-Original Message-
From: owner-openssl-...@openssl.org [mailto:owner-openssl-...@openssl.org] On
Behalf Of Martin Boßlet via RT
Sent: Monday, April 02, 2012 3:08 PM
Cc: openssl-dev@openssl.org
Subject: Re: [openssl.org #2417] [Enhancement] X509 verification with OCSP
support
On 2 April 2012 at 17:12, Siedzik, Michael via RT r...@openssl.org wrote:
Hi Martin,
Did this OCSP enhancement request ever gain any traction? I am adding X.509
support to an embedded system. Due to limited memory, my product is forced
to use OCSP for revocation checking rather than CRLs. This enhancement
should benefit anyone building an embedded system or who would like to use
OCSP for revocation checking.
Hi Michael,
unfortunately I am not aware of any reaction to this request. My goal was to
simplify hooking into the validation process by offering more dedicated
callbacks, making it easier to do online revocation checks with OpenSSL. I'm
glad it turned out to be useful for you!
I have successfully