From e7a58f46f97583a532b481bb1805aeb5208af565 Mon Sep 17 00:00:00 2001 From: Tobias Brunner Date: Thu, 23 Nov 2023 16:52:55 +0100 Subject: [PATCH] x509: Correctly parse responderId as ASN.1 CHOICE in OCSP response The two OPTs that were used previously allowed to omit it completely (hence the fallback to ID_ANY), but that's invalid, so it's better to fail parsing. --- .../plugins/x509/x509_ocsp_response.c | 85 +++++++++---------- 1 file changed, 40 insertions(+), 45 deletions(-) diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_response.c b/src/libstrongswan/plugins/x509/x509_ocsp_response.c index 89249c113d..a47bcc367c 100644 --- a/src/libstrongswan/plugins/x509/x509_ocsp_response.c +++ b/src/libstrongswan/plugins/x509/x509_ocsp_response.c 
@@ -612,49 +612,49 @@ static bool build_basicOCSPResponse(private_x509_ocsp_response_t *this, * ASN.1 definition of basicResponse */ static const asn1Object_t basicResponseObjects[] = { - { 0, "BasicOCSPResponse", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */ - { 1, "tbsResponseData", ASN1_SEQUENCE, ASN1_OBJ }, /* 1 */ - { 2, "versionContext", ASN1_CONTEXT_C_0, ASN1_NONE | - ASN1_DEF }, /* 2 */ - { 3, "version", ASN1_INTEGER, ASN1_BODY }, /* 3 */ - { 2, "responderIdContext", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 4 */ - { 3, "responderIdByName", ASN1_SEQUENCE, ASN1_OBJ }, /* 5 */ - { 2, "end choice", ASN1_EOC, ASN1_END }, /* 6 */ - { 2, "responderIdContext", ASN1_CONTEXT_C_2, ASN1_OPT }, /* 7 */ - { 3, "responderIdByKey", ASN1_OCTET_STRING, ASN1_BODY }, /* 8 */ - { 2, "end choice", ASN1_EOC, ASN1_END }, /* 9 */ - { 2, "producedAt", ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 10 */ - { 2, "responses", ASN1_SEQUENCE, ASN1_OBJ }, /* 11 */ - { 2, "responseExtensionsContext", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 12 */ - { 3, "responseExtensions", ASN1_SEQUENCE, ASN1_LOOP }, /* 13 */ - { 4, "extension", ASN1_SEQUENCE, ASN1_NONE }, /* 14 */ - { 5, "extnID", ASN1_OID, ASN1_BODY }, /* 15 */ - { 5, "critical", ASN1_BOOLEAN, ASN1_BODY | - ASN1_DEF }, /* 16 */ - { 5, "extnValue", ASN1_OCTET_STRING, ASN1_BODY }, /* 17 */ - { 3, "end loop", ASN1_EOC, ASN1_END }, /* 18 */ - { 2, "end opt", ASN1_EOC, ASN1_END }, /* 19 */ - { 1, "signatureAlgorithm", ASN1_EOC, ASN1_RAW }, /* 20 */ - { 1, "signature", ASN1_BIT_STRING, ASN1_BODY }, /* 21 */ - { 1, "certsContext", ASN1_CONTEXT_C_0, ASN1_OPT }, /* 22 */ - { 2, "certs", ASN1_SEQUENCE, ASN1_LOOP }, /* 23 */ - { 3, "certificate", ASN1_SEQUENCE, ASN1_RAW }, /* 24 */ - { 2, "end loop", ASN1_EOC, ASN1_END }, /* 25 */ - { 1, "end opt", ASN1_EOC, ASN1_END }, /* 26 */ - { 0, "exit", ASN1_EOC, ASN1_EXIT } + { 0, "BasicOCSPResponse", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */ + { 1, "tbsResponseData", ASN1_SEQUENCE, ASN1_OBJ }, /* 1 */ + { 2, "versionContext", ASN1_CONTEXT_C_0, 
ASN1_NONE|ASN1_DEF }, /* 2 */ + { 3, "version", ASN1_INTEGER, ASN1_BODY }, /* 3 */ + { 2, "responderId", ASN1_EOC, ASN1_CHOICE }, /* 4 */ + { 3, "responderIdContext", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 5 */ + { 4, "responderIdByName", ASN1_SEQUENCE, ASN1_OBJ }, /* 6 */ + { 3, "end choice", ASN1_EOC, ASN1_END|ASN1_CH }, /* 7 */ + { 3, "responderIdContext", ASN1_CONTEXT_C_2, ASN1_OPT }, /* 8 */ + { 4, "responderIdByKey", ASN1_OCTET_STRING, ASN1_BODY }, /* 9 */ + { 3, "end choice", ASN1_EOC, ASN1_END|ASN1_CH }, /* 10 */ + { 2, "end choices", ASN1_EOC, ASN1_END|ASN1_CHOICE }, /* 11 */ + { 2, "producedAt", ASN1_GENERALIZEDTIME, ASN1_BODY }, /* 12 */ + { 2, "responses", ASN1_SEQUENCE, ASN1_OBJ }, /* 13 */ + { 2, "responseExtensionsContext", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 14 */ + { 3, "responseExtensions", ASN1_SEQUENCE, ASN1_LOOP }, /* 15 */ + { 4, "extension", ASN1_SEQUENCE, ASN1_NONE }, /* 16 */ + { 5, "extnID", ASN1_OID, ASN1_BODY }, /* 17 */ + { 5, "critical", ASN1_BOOLEAN, ASN1_BODY | ASN1_DEF }, /* 18 */ + { 5, "extnValue", ASN1_OCTET_STRING, ASN1_BODY }, /* 19 */ + { 3, "end loop", ASN1_EOC, ASN1_END }, /* 20 */ + { 2, "end opt", ASN1_EOC, ASN1_END }, /* 21 */ + { 1, "signatureAlgorithm", ASN1_EOC, ASN1_RAW }, /* 22 */ + { 1, "signature", ASN1_BIT_STRING, ASN1_BODY }, /* 23 */ + { 1, "certsContext", ASN1_CONTEXT_C_0, ASN1_OPT }, /* 24 */ + { 2, "certs", ASN1_SEQUENCE, ASN1_LOOP }, /* 25 */ + { 3, "certificate", ASN1_SEQUENCE, ASN1_RAW }, /* 26 */ + { 2, "end loop", ASN1_EOC, ASN1_END }, /* 27 */ + { 1, "end opt", ASN1_EOC, ASN1_END }, /* 28 */ + { 0, "exit", ASN1_EOC, ASN1_EXIT } }; #define BASIC_RESPONSE_TBS_DATA 1 #define BASIC_RESPONSE_VERSION 3 -#define BASIC_RESPONSE_ID_BY_NAME 5 -#define BASIC_RESPONSE_ID_BY_KEY 8 -#define BASIC_RESPONSE_PRODUCED_AT 10 -#define BASIC_RESPONSE_RESPONSES 11 -#define BASIC_RESPONSE_EXT_ID 15 -#define BASIC_RESPONSE_CRITICAL 16 -#define BASIC_RESPONSE_EXT_VALUE 17 -#define BASIC_RESPONSE_ALGORITHM 20 -#define 
BASIC_RESPONSE_SIGNATURE 21 -#define BASIC_RESPONSE_CERTIFICATE 24 +#define BASIC_RESPONSE_ID_BY_NAME 6 +#define BASIC_RESPONSE_ID_BY_KEY 9 +#define BASIC_RESPONSE_PRODUCED_AT 12 +#define BASIC_RESPONSE_RESPONSES 13 +#define BASIC_RESPONSE_EXT_ID 17 +#define BASIC_RESPONSE_CRITICAL 18 +#define BASIC_RESPONSE_EXT_VALUE 19 +#define BASIC_RESPONSE_ALGORITHM 22 +#define BASIC_RESPONSE_SIGNATURE 23 +#define BASIC_RESPONSE_CERTIFICATE 26 /** * Parse a basicOCSPResponse @@ -756,11 +756,6 @@ end: parser->destroy(parser); if (success) { - if (!this->responderId) - { - this->responderId = identification_create_from_encoding(ID_ANY, - chunk_empty); - } success = parse_responses(this, responses, responses_level); } return success; -- 2.47.2
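Review bot: The BASIC_RESPONSE_* values at the end of this hunk are hand-maintained positions into basicResponseObjects[], and inserting the CHOICE wrapper forced every define from ID_BY_NAME to CERTIFICATE to be renumbered, yet nothing near the table records that coupling, so the next table edit can silently desynchronise an index. A one-line comment above the `#define` run, `/* object indices into basicResponseObjects[]; renumber when entries are added or removed */`, makes the dependency visible. On the table itself, the new `responderId` entry (object 4) is what makes the responder identifier mandatory; a comment such as `/* RFC 6960 ResponderID: CHOICE of byName [1] or byKey [2], a response matching neither fails to parse */` would record why the ID_ANY fallback could be dropped, assuming the ASN.1 parser rejects an unmatched CHOICE as the commit message says. The table is complete within the hunk, but the parser that consumes these indices is not.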
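Review bot: With the ID_ANY fallback removed, everything after this point that reads this->responderId now relies on the responderIdByName/responderIdByKey handlers having set it whenever the parser returned success; those handlers and the start of the enclosing function lie outside the hunk, so that invariant cannot be confirmed from the diff. If either handler can leave the field unset on some path, a later dereference turns into a NULL pointer access on network-supplied OCSP data, where previously it was a harmless ID_ANY identity. A one-line guard keeps the failure explicit at the same spot: `success = this->responderId && parse_responses(this, responses, responses_level);`. If the CHOICE is guaranteed to set it, a comment stating that, `/* responderId is a mandatory CHOICE; the parser has set it when success is TRUE */`, documents the assumption instead.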