From: Tobias Brunner Date: Mon, 27 Mar 2023 15:32:57 +0000 (+0200) Subject: revocation: Suppress some log messages for cached OCSP responses X-Git-Tag: 5.9.11dr1~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9e17a0ed88ee6c9c2c77fbb747e667a339819b49;p=thirdparty%2Fstrongswan.git revocation: Suppress some log messages for cached OCSP responses We don't have any information on the issuer of cached OCSP responses, in particular if the OCSP response is issued by a dedicated OCSP signer, whose certificate might not be contained in the response or even signed by the same CA but could just be locally installed. So the only way to determine if a response applies to the current certificate and its CA is searching for the response's issuer certificate and verifying that. However, when using multiple CAs that provide revocation checking via OCSP, in particular with multi-level CAs (e.g. like the ikev2-multi-ca/ocsp-signers test scenario), we might have unrelated OCSP responses in the cache when verifying a particular certificate. In this case we don't need any confusing ocsp response verification failed, no signer certificate '...' found error messages because the response was for a different CA. Similarly, if lots of clients of the same CA connect there could be lots of OCSP responses in the cache that, while being applicable to the current CA, don't have any information on the certificate we are currently checking. In this case all the ocsp response correctly signed by "..." ocsp response contains no status on our certificate messages don't provide any value. In the mentioned test scenario, we suppress the ocsp response verification failed, no signer certificate 'C=CH, O=strongSwan Project, OU=Research OCSP Signing Authority, CN=ocsp.research.strongswan.org' found message from the cached OCSP response for carol's end-entity certificate when verifying the "Research" intermediate CA certificate that issued carol's certificate. 
Then the ocsp response verification failed, no signer certificate 'C=CH, O=strongSwan Project, OU=Research OCSP Signing Authority, CN=ocsp.research.strongswan.org' found ocsp response verification failed, no signer certificate 'C=CH, O=strongSwan Project, OU=OCSP Signing Authority, CN=ocsp.strongswan.org' found messages from the cached OCSP responses for carol's end-entity and intermediate CA certificates when verifying dave's end-entity certificate. And finally the ocsp response verification failed, no signer certificate 'C=CH, O=strongSwan Project, OU=Research OCSP Signing Authority, CN=ocsp.research.strongswan.org' found ocsp response correctly signed by "C=CH, O=strongSwan Project, OU=OCSP Signing Authority, CN=ocsp.strongswan.org" ocsp response contains no status on our certificate ocsp response verification failed, no signer certificate 'C=CH, O=strongSwan Project, OU=Sales OCSP Signing Authority, CN=ocsp.sales.strongswan.org' found messages from the cached OCSP responses for carol's end-entity certificate, the applicable but unrelated response for carol's "Research" intermediate CA certificate and the response for dave's end-entity certificate when verifying dave's "Sales" intermediate CA. --- diff --git a/src/libstrongswan/plugins/revocation/revocation_validator.c b/src/libstrongswan/plugins/revocation/revocation_validator.c index 44303645dc..daa9db7973 100644 --- a/src/libstrongswan/plugins/revocation/revocation_validator.c +++ b/src/libstrongswan/plugins/revocation/revocation_validator.c @@ -138,7 +138,8 @@ static certificate_t *fetch_ocsp(char *url, certificate_t *subject, /** * check the signature of an OCSP response */ -static bool verify_ocsp(ocsp_response_t *response, certificate_t *ca) +static bool verify_ocsp(ocsp_response_t *response, certificate_t *ca, + bool cached) { certificate_t *issuer, *subject; identification_t *responder; 
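Review bot: The new `cached` parameter of verify_ocsp is undocumented; the doc comment just above the signature still says only `check the signature of an OCSP response`, so a reader cannot tell that `cached` affects nothing but logging. Suggest extending it with `@param cached TRUE for a response taken from the cache; suppresses messages about responses that turn out not to apply to this CA or certificate` and `@return TRUE if the response signature was verified`. The same applies to get_better_ocsp in the @@ -232 hunk, where the last parameter changed meaning from `cache` (store the result) to `cached` (came from the cache) while the function's comment, which precedes that hunk and presumably still describes the old flag, was not touched. The remainder of verify_ocsp's body lies outside this hunk.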
@@ -177,8 +178,11 @@ static bool verify_ocsp(ocsp_response_t *response, certificate_t *ca) found = TRUE; if (lib->credmgr->issued_by(lib->credmgr, subject, issuer, NULL)) { - DBG1(DBG_CFG, " ocsp response correctly signed by \"%Y\"", - issuer->get_subject(issuer)); + if (!cached) + { + DBG1(DBG_CFG, " ocsp response correctly signed by \"%Y\"", + issuer->get_subject(issuer)); + } verified = TRUE; break; } @@ -204,8 +208,11 @@ static bool verify_ocsp(ocsp_response_t *response, certificate_t *ca) found = TRUE; if (lib->credmgr->issued_by(lib->credmgr, subject, issuer, NULL)) { - DBG1(DBG_CFG, " ocsp response correctly signed by \"%Y\"", - issuer->get_subject(issuer)); + if (!cached) + { + DBG1(DBG_CFG, " ocsp response correctly signed by \"%Y\"", + issuer->get_subject(issuer)); + } verified = TRUE; break; } @@ -219,7 +226,7 @@ static bool verify_ocsp(ocsp_response_t *response, certificate_t *ca) lib->credmgr->remove_local_set(lib->credmgr, &wrapper->set); wrapper->destroy(wrapper); - if (!found) + if (!found && !cached) { DBG1(DBG_CFG, "ocsp response verification failed, " "no signer certificate '%Y' found", responder); @@ -232,7 +239,7 @@ static bool verify_ocsp(ocsp_response_t *response, certificate_t *ca) */ static certificate_t *get_better_ocsp(certificate_t *cand, certificate_t *best, x509_t *subject, x509_t *issuer, - cert_validation_t *valid, bool cache) + cert_validation_t *valid, bool cached) { ocsp_response_t *response; time_t revocation, this_update, next_update, valid_until; @@ -242,7 +249,7 @@ static certificate_t *get_better_ocsp(certificate_t *cand, certificate_t *best, response = (ocsp_response_t*)cand; /* check ocsp signature */ - if (!verify_ocsp(response, &issuer->interface)) + if (!verify_ocsp(response, &issuer->interface, cached)) { cand->destroy(cand); return best; 
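Review bot: With `if (!found && !cached)` in the @@ -219 hunk, a cached response whose signer certificate cannot be found is now discarded without any trace, which hides not only the intended "unrelated CA" case but also the case where the cache entry itself is the problem (a signer certificate that was removed, or a stale or corrupt entry). Rather than dropping the message, emit it at DBG2 when `cached` is set so the reason is still available at diagnostic verbosity without cluttering the normal log; the same treatment fits the `correctly signed` messages in the @@ -177 and @@ -204 hunks and the `contains no status` message in the @@ -263 hunk. The closing brace of this `if` and verify_ocsp's return value are outside the hunk.
```c
	wrapper->destroy(wrapper);

	if (!found)
	{
		/* a cached response may simply belong to another CA, so only report
		 * the missing signer at diagnostic level in that case */
		if (cached)
		{
			DBG2(DBG_CFG, "ocsp response verification failed, "
				 "no signer certificate '%Y' found", responder);
		}
		else
		{
			DBG1(DBG_CFG, "ocsp response verification failed, "
				 "no signer certificate '%Y' found", responder);
		}
```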
@@ -263,7 +270,11 @@ static certificate_t *get_better_ocsp(certificate_t *cand, certificate_t *best, default: case VALIDATION_FAILED: /* candidate unusable, does not contain our cert */ - DBG1(DBG_CFG, " ocsp response contains no status on our certificate"); + if (!cached) + { + DBG1(DBG_CFG, " ocsp response contains no status on our " + "certificate"); + } cand->destroy(cand); return best; } @@ -278,7 +289,7 @@ static certificate_t *get_better_ocsp(certificate_t *cand, certificate_t *best, DBG1(DBG_CFG, " ocsp response is valid: until %T", &valid_until, FALSE); *valid = VALIDATION_GOOD; - if (cache) + if (!cached) { /* cache non-stale only, stale certs get refetched */ lib->credmgr->cache_cert(lib->credmgr, best); } @@ -322,7 +333,7 @@ static cert_validation_t check_ocsp(x509_t *subject, x509_t *issuer, while (enumerator->enumerate(enumerator, ¤t)) { current->get_ref(current); - best = get_better_ocsp(current, best, subject, issuer, &valid, FALSE); + best = get_better_ocsp(current, best, subject, issuer, &valid, TRUE); if (best && valid != VALIDATION_STALE) { DBG1(DBG_CFG, " using cached ocsp response"); @@ -350,7 +361,7 @@ static cert_validation_t check_ocsp(x509_t *subject, x509_t *issuer, if (current) { best = get_better_ocsp(current, best, subject, issuer, - &valid, TRUE); + &valid, FALSE); if (best && valid != VALIDATION_STALE) { break; @@ -373,7 +384,7 @@ static cert_validation_t check_ocsp(x509_t *subject, x509_t *issuer, if (current) { best = get_better_ocsp(current, best, subject, issuer, - &valid, TRUE); + &valid, FALSE); if (best && valid != VALIDATION_STALE) { break;
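Review bot: The call in the @@ -322 hunk and the two fetch sites in the @@ -350 and @@ -373 hunks pass the new flag as a bare `TRUE`/`FALSE`, and since the commit inverted the flag's meaning (from `cache` to `cached`) all three literals had to flip, which is exactly the kind of change a reader of the call site cannot check. A trailing tag makes the polarity visible where it is used: `best = get_better_ocsp(current, best, subject, issuer, &valid, TRUE /* cached */);` in the cache loop and `&valid, FALSE /* cached */);` at both fetch sites. check_ocsp and the enclosing loops extend beyond these hunks.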