From: Remi Tricot-Le Breton Date: Mon, 9 Jan 2023 11:02:43 +0000 (+0100) Subject: MINOR: ssl: Create temp X509_STORE filled with cert chain when checking ocsp response X-Git-Tag: v2.8-dev2~87 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8bdd0050e2f3419a61721d281b7216c628d10722;p=thirdparty%2Fhaproxy.git MINOR: ssl: Create temp X509_STORE filled with cert chain when checking ocsp response When calling OCSP_basic_verify to check the validity of the received OCSP response, we need to provide an untrusted certificate chain as well as an X509_STORE holding only trusted certificates. Since the certificate chain and the issuer certificate are all provided by the user, we assume that they are valid and we add them all to a temporary store. This enables to focus only on the response's validity. --- diff --git a/src/ssl_ocsp.c b/src/ssl_ocsp.c index a969565f9b..165c16ca93 100644 --- a/src/ssl_ocsp.c +++ b/src/ssl_ocsp.c @@ -728,16 +728,30 @@ int ssl_ocsp_check_response(STACK_OF(X509) *chain, X509 *issuer, goto end; } - /* Add ocsp issuer certificate to a store in order verify the ocsp - * response. */ + /* Create a temporary store in which we add the certificate's chain + * certificates. We assume that all those certificates can be trusted + * because they were provided by the user. + * The only ssl item that needs to be verified here is the OCSP + * response. + */ store = X509_STORE_new(); if (!store) { memprintf(err, "X509_STORE_new() failed"); goto end; } - X509_STORE_add_cert(store, issuer); - if (OCSP_basic_verify(basic, chain, store, 0) != 1) { + if (chain) { + int i = 0; + for (i = 0; i < sk_X509_num(chain); i++) { + X509 *cert = sk_X509_value(chain, i); + X509_STORE_add_cert(store, cert); + } + } + + if (issuer) + X509_STORE_add_cert(store, issuer); + + if (OCSP_basic_verify(basic, chain, store, OCSP_TRUSTOTHER) != 1) { memprintf(err, "OCSP_basic_verify() failed"); goto end; }