Re: [FEATURE] OCSP functionality patch
Hi! I made some changes reflecting Erwann's comments. Here they are:

1) OCSP URL processing logic now fully conforms to RFC 2560, with the following additional settings:
   - The user can disable OCSP for a particular CA, making OCSP verification succeed for all certificates issued by that CA;
   - The user can force an OCSP URL for the CA. This way all certs issued by that CA will be validated against OCSP using the forced URL, totally ignoring the certificate-provided OCSP URL (the good thing is that this will work for certificates without an AuthorityInfoAccess extension).

2) The X509_V_FLAG_OCSP_NO_NONCE flag is introduced. Setting it with X509_STORE_set_flags() will disable nonce usage in OCSP verification and increase protocol efficiency, making it insecure(!!!).

3) Issuer certificates are now taken from the certificate chain built by OpenSSL, thus eliminating additional overhead and potential problems with identical CA names on this level.

4) OCSP verification now reports meaningful errors to the client's callback instead of the ambiguous X509_V_ERR_APPLICATION_VERIFICATION.

Patch is attached.

P.S. I tested this patch with OpenLDAP and it seems to work pretty fine with the OpenSSL ocsp server.

On Fri, 2012-06-08 at 16:54 +0200, Erwann Abalea wrote:
> Hello,
>
> If the OCSP URL isn't found in the supplied certificate, you're trying to find it in its issuer? That's not standard, even if it can work.
>
> It seems you're looking for the issuer by its subject name. When you have several CA certificates with the same name in your store (that's permitted), you may not get the real issuer certificate, and the calculated issuerKeyHash will be wrong.
>
> Please don't add a nonce, at least not by default. Looking at our busy OCSP responders, *nobody* asks for a nonce, and it's perfect like this. Having a nonce may provide you a benefit, but it defeats CA optimizations (cached responses, mainly).
>
> It seems the supplied code doesn't check for a dedicated OCSP responder's certificate validity (not necessary if this certificate has an OCSPNoCheck extension, but some don't have this extension).
>
> On 08/06/2012 13:07, Alexander Komyagin wrote:
>> [...]
>> How it works:
>> 1) OCSP revocation check is done right before the CRL check.
>> 2) First, OpenSSL tries to get the OCSP URL for the certificate being checked - it's either the forced URL or the one embedded in the certificate.
>> 3) If that fails, the issuer shall be found.
>> 4) If OCSP validation for the issuer is disabled, we completely trust him and the check is successful.
>> 5) Otherwise, we extract the issuer's OCSP URL the same way as in (2) and use it to check.
>>
>> = Possible errors:
>> - X509_V_ERR_CERT_UNKNOWN [OCSP responder never heard about this certificate]
>> - X509_V_ERR_CERT_REVOKED [Certificate had been revoked]
>> - X509_V_ERR_APPLICATION_VERIFICATION [for everything else]
>>
>> P.S. OCSP querying code was taken from the OpenSSL ocsp app. Also I still want to add additional error codes for reporting OCSP-related failures during verification (obviously, APPLICATION_VERIFICATION_FAILURE doesn't tell you much).

-- 
Best wishes,
Alexander Komyagin

diff --git a/apps/apps.c b/apps/apps.c index 4e11915..47f8c2f 100644 --- a/apps/apps.c +++ b/apps/apps.c @@ -2338,8 +2338,12 @@ int args_verify(char ***pargs, int *pargc, flags |= X509_V_FLAG_CB_ISSUER_CHECK; else if (!strcmp(arg, -crl_check)) flags |= X509_V_FLAG_CRL_CHECK; + else if (!strcmp(arg, -ocsp_check)) + flags |= X509_V_FLAG_OCSP_CHECK; else if (!strcmp(arg, -crl_check_all)) flags |= X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL; + else if (!strcmp(arg, -ocsp_check_all)) + flags |= X509_V_FLAG_OCSP_CHECK|X509_V_FLAG_OCSP_CHECK_ALL; else if (!strcmp(arg, -policy_check)) flags |= X509_V_FLAG_POLICY_CHECK; else if (!strcmp(arg, -explicit_policy)) diff --git a/apps/verify.c b/apps/verify.c index b9749dc..8eeaf7b 100644 --- a/apps/verify.c +++ b/apps/verify.c 
@@ -65,6 +65,8 @@ #include openssl/x509.h #include openssl/x509v3.h #include openssl/pem.h +#include openssl/x509_vfy_ocsp.h +#include openssl/ocsp_clnt.h #undef PROG #define PROG verify_main @@ -88,6 +90,8 @@ int MAIN(int argc, char **argv) X509_STORE *cert_ctx=NULL; X509_LOOKUP *lookup=NULL; X509_VERIFY_PARAM *vpm = NULL; + char *ocsp_url = NULL; + int ocsp_validate = X509_OCSP_VALIDATE_ENABLED; #ifndef OPENSSL_NO_ENGINE char *engine=NULL; #endif @@ -95,6 +99,7 @@ int MAIN(int argc, char **argv) cert_ctx=X509_STORE_new(); if (cert_ctx == NULL) goto end; X509_STORE_set_verify_cb(cert_ctx,cb); + X509_STORE_set_ocsp_process_resp(cert_ctx, ocsp_process_responder); ERR_load_crypto_strings(); @@ -123,6 +128,16 @@ int MAIN(int argc, char **argv) if (argc-- 1) goto end; CAfile= *(++argv); } + else if (strcmp(*argv,-ocsp_url) == 0) +{ +if (argc-- 1) goto end; +ocsp_url= *(++argv); +} + else if (strcmp(*argv,-ocsp_validate) == 0) +{
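Review bot: none of the verify.c changes in this version are guarded by OPENSSL_NO_OCSP: the two new includes (openssl/x509_vfy_ocsp.h and openssl/ocsp_clnt.h) in the @@ -65 hunk, the ocsp_url/ocsp_validate locals in @@ -88 and the X509_STORE_set_ocsp_process_resp(cert_ctx, ocsp_process_responder) call in @@ -95 will all fail to compile in a build without OCSP. Wrap them the way the adjacent `#ifndef OPENSSL_NO_ENGINE` block around `char *engine=NULL;` already does.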
[FEATURE] OCSP functionality patch
Hi! The attached patch seamlessly integrates OCSP client functionality into the OpenSSL verification routines -- the thing OpenSSL is currently missing. This patch makes it possible for every app that uses OpenSSL for SSL/TLS connections -- like racoon, openldap, openvpn -- to check certificates against an OCSP responder without any redesign. OCSP checks are incorporated in the internal certificate revocation check procedure (just like the CRL check) -- as they should be.

= Easy to use:
Assuming your certificates have embedded OCSP responder URLs, you just need to add a call to

  X509_STORE_set_flags(some_x509_store, X509_V_FLAG_OCSP_CHECK);

after you have created the SSL_CTX (so you can access the X509_STORE object). Then optionally you can add a check for the X509_V_ERR_CERT_UNKNOWN verification status in your SSL verification callback.

= API follows:
1) 2 new verification flags (to use with X509_STORE_set_flags() and X509_STORE_CTX_set_flags()):
   - X509_V_FLAG_OCSP_CHECK [enable OCSP checks]
   - X509_V_FLAG_OCSP_CHECK_ALL [check the whole chain]
   These controls are the main ones, and this way OCSP is fully controlled by the global OpenSSL verification parameters.
2) A special OCSP opts struct (X509_CERT_OCSP) with 2 fields added to the X509 certificate:
   - char* ocsp_url [forced OCSP responder URL for this cert]
   - int ocsp_validate [enable/disable OCSP check for this cert, enabled by default]
3) Cool stuff!
   - int X509_set_cert_ocsp_opt(X509_STORE *cert_ctx, const char *name, const char *ocsp_url, const int ocsp_validate)
     [this one sets the above-mentioned OCSP options for some cert given its filename. The corresponding X509 structure shall already be present in the cert_ctx. Very handy one.]

= How it works:
1) OCSP revocation check is done right before the CRL check.
2) First, OpenSSL tries to get the OCSP URL for the certificate being checked - it's either the forced URL or the one embedded in the certificate.
3) If that fails, the issuer shall be found.
4) If OCSP validation for the issuer is disabled, we completely trust him and the check is successful.
5) Otherwise, we extract the issuer's OCSP URL the same way as in (2) and use it to check.

= Possible errors:
- X509_V_ERR_CERT_UNKNOWN [OCSP responder never heard about this certificate]
- X509_V_ERR_CERT_REVOKED [Certificate had been revoked]
- X509_V_ERR_APPLICATION_VERIFICATION [for everything else]

P.S. OCSP querying code was taken from the OpenSSL ocsp app. Also I still want to add additional error codes for reporting OCSP-related failures during verification (obviously, APPLICATION_VERIFICATION_FAILURE doesn't tell you much).

-- 
Best wishes,
Alexander Komyagin

diff --git a/apps/apps.c b/apps/apps.c index 4e11915..47f8c2f 100644 --- a/apps/apps.c +++ b/apps/apps.c @@ -2338,8 +2338,12 @@ int args_verify(char ***pargs, int *pargc, flags |= X509_V_FLAG_CB_ISSUER_CHECK; else if (!strcmp(arg, -crl_check)) flags |= X509_V_FLAG_CRL_CHECK; + else if (!strcmp(arg, -ocsp_check)) + flags |= X509_V_FLAG_OCSP_CHECK; else if (!strcmp(arg, -crl_check_all)) flags |= X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL; + else if (!strcmp(arg, -ocsp_check_all)) + flags |= X509_V_FLAG_OCSP_CHECK|X509_V_FLAG_OCSP_CHECK_ALL; else if (!strcmp(arg, -policy_check)) flags |= X509_V_FLAG_POLICY_CHECK; else if (!strcmp(arg, -explicit_policy)) diff --git a/apps/verify.c b/apps/verify.c index b9749dc..8eeaf7b 100644 --- a/apps/verify.c +++ b/apps/verify.c @@ -65,6 +65,8 @@ #include openssl/x509.h #include openssl/x509v3.h #include openssl/pem.h +#include openssl/x509_vfy_ocsp.h +#include openssl/ocsp_clnt.h #undef PROG #define PROG verify_main @@ -88,6 +90,10 @@ int MAIN(int argc, char **argv) X509_STORE *cert_ctx=NULL; X509_LOOKUP *lookup=NULL; X509_VERIFY_PARAM *vpm = NULL; +#ifndef OPENSSL_NO_OCSP + char *ocsp_url = NULL; + int ocsp_validate = X509_OCSP_VALIDATE_ENABLED; +#endif #ifndef OPENSSL_NO_ENGINE char *engine=NULL; #endif 
@@ -95,6 +101,9 @@ int MAIN(int argc, char **argv) cert_ctx=X509_STORE_new(); if (cert_ctx == NULL) goto end; X509_STORE_set_verify_cb(cert_ctx,cb); +#ifndef OPENSSL_NO_OCSP + X509_STORE_set_ocsp_process_resp(cert_ctx, ocsp_process_responder); +#endif ERR_load_crypto_strings(); @@ -123,6 +132,18 @@ int MAIN(int argc, char **argv) if (argc-- 1) goto end; CAfile= *(++argv); } +#ifndef OPENSSL_NO_OCSP + else if (strcmp(*argv,-ocsp_url) == 0) +{ +if (argc-- 1) goto end; +ocsp_url= *(++argv); +} + else if (strcmp(*argv,-ocsp_validate) == 0) +{ +if (argc-- 1) goto end; +ocsp_validate = atoi(*(++argv)); +} +#endif else if (args_verify(argv, argc, badarg, bio_err, vpm)) { @@ -222,6 +243,20 @@ int MAIN(int argc, char **argv) goto end; } +#ifndef OPENSSL_NO_OCSP + if (ocsp_url CAfile) + { + BIO_printf(bio_err, Setting OCSP params for %s (%s,%d)...
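Review bot: the apps.c @@ -2338 hunk accepts `-ocsp_check` and `-ocsp_check_all` with no OPENSSL_NO_OCSP guard, while the verify.c hunks in this version compile the OCSP code out under that macro. On a build without OCSP the options are therefore accepted, X509_V_FLAG_OCSP_CHECK is set and nothing acts on it, so the user gets no revocation check and no diagnostic. Either compile the two branches out under the same macro or make them report an error.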
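Review bot: the verify.c @@ -65 hunk adds the includes of openssl/x509_vfy_ocsp.h and openssl/ocsp_clnt.h unconditionally, even though the @@ -88, @@ -95 and @@ -123 hunks wrap their OCSP code in `#ifndef OPENSSL_NO_OCSP`; a no-ocsp build will fail on the missing headers before it reaches the guarded code. Put the two includes under the same guard.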
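Review bot: in the @@ -123 hunk, `ocsp_validate = atoi(*(++argv));` performs no validation of the argument: any non-numeric string becomes 0, which silently disables OCSP validation for the certificate, the opposite of what a mistyped argument should do. Parse with strtol and reject anything other than the documented enabled/disabled values, or accept only `0` and `1` explicitly.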
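Review bot: the @@ -222 hunk appears to apply the per-certificate options only when both ocsp_url and CAfile are set, yet `-ocsp_validate` is parsed independently of `-ocsp_url`; a user passing `-ocsp_validate 0` without `-ocsp_url` gets no effect and no message. Either drop the ocsp_url requirement from the condition (X509_set_cert_ocsp_opt() already takes the URL as a separate, optional argument) or warn when the option is ignored.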
Re: [FEATURE] OCSP functionality patch
Hello,

If the OCSP URL isn't found in the supplied certificate, you're trying to find it in its issuer? That's not standard, even if it can work.

It seems you're looking for the issuer by its subject name. When you have several CA certificates with the same name in your store (that's permitted), you may not get the real issuer certificate, and the calculated issuerKeyHash will be wrong.

Please don't add a nonce, at least not by default. Looking at our busy OCSP responders, *nobody* asks for a nonce, and it's perfect like this. Having a nonce may provide you a benefit, but it defeats CA optimizations (cached responses, mainly).

It seems the supplied code doesn't check for a dedicated OCSP responder's certificate validity (not necessary if this certificate has an OCSPNoCheck extension, but some don't have this extension).

On 08/06/2012 13:07, Alexander Komyagin wrote:
> [...]
> How it works:
> 1) OCSP revocation check is done right before the CRL check.
> 2) First, OpenSSL tries to get the OCSP URL for the certificate being checked - it's either the forced URL or the one embedded in the certificate.
> 3) If that fails, the issuer shall be found.
> 4) If OCSP validation for the issuer is disabled, we completely trust him and the check is successful.
> 5) Otherwise, we extract the issuer's OCSP URL the same way as in (2) and use it to check.
>
> = Possible errors:
> - X509_V_ERR_CERT_UNKNOWN [OCSP responder never heard about this certificate]
> - X509_V_ERR_CERT_REVOKED [Certificate had been revoked]
> - X509_V_ERR_APPLICATION_VERIFICATION [for everything else]
>
> P.S. OCSP querying code was taken from the OpenSSL ocsp app. Also I still want to add additional error codes for reporting OCSP-related failures during verification (obviously, APPLICATION_VERIFICATION_FAILURE doesn't tell you much).

-- 
Erwann ABALEA
__
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
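The issuer-lookup problem raised above, and the fix of taking the issuer from the chain OpenSSL already built, worked through as an added example that is not part of the patch or of OpenSSL. The certificates are constructed dicts standing in for X509 structures, and der_name, ocsp_cert_id and responder_status are hypothetical helpers modelled on the CertID definition in RFC 2560 section 4.1.1.

```python
import hashlib

def der_tlv(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV (short-form length only; enough for this demo)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def der_name(cn: str) -> bytes:
    """DER Name with one commonName: SEQUENCE { SET { SEQUENCE { OID 2.5.4.3, UTF8String } } }."""
    atv = der_tlv(0x30, der_tlv(0x06, b"\x55\x04\x03") + der_tlv(0x0C, cn.encode()))
    return der_tlv(0x30, der_tlv(0x31, atv))

def make_cert(subject_cn: str, issuer_cn: str, serial: int, spk_bits: bytes) -> dict:
    """Constructed stand-in for an X509 structure. spk_bits is the subjectPublicKey BIT STRING
    payload (tag, length and unused-bits octet excluded), which is what RFC 2560 hashes."""
    return {"subject": der_name(subject_cn), "issuer": der_name(issuer_cn),
            "serial": serial, "spk_bits": spk_bits}

def ocsp_cert_id(cert: dict, issuer: dict) -> dict:
    """RFC 2560 4.1.1 CertID with SHA-1: issuerNameHash over the DER issuer Name,
    issuerKeyHash over the issuer's subjectPublicKey bits."""
    return {"issuerNameHash": hashlib.sha1(cert["issuer"]).digest(),
            "issuerKeyHash": hashlib.sha1(issuer["spk_bits"]).digest(),
            "serialNumber": cert["serial"]}

def issuer_by_subject_name(store: list, cert: dict) -> dict:
    """First-patch behaviour: first store entry whose subject equals the cert's issuer name."""
    return next(c for c in store if c["subject"] == cert["issuer"])

def issuer_from_chain(chain: list) -> dict:
    """Revised behaviour: issuer taken from the chain OpenSSL already verified (chain[0] is the leaf)."""
    return chain[1]

def responder_status(known: dict, cert_id: dict) -> str:
    """Toy responder keyed on the full CertID, like a real one; any other CertID is 'unknown'."""
    key = (cert_id["issuerNameHash"], cert_id["issuerKeyHash"], cert_id["serialNumber"])
    return known.get(key, "unknown")

# Constructed data: two CA certificates with the same name but different keys (a key rollover).
CA_OLD = make_cert("Example Root CA", "Example Root CA", 1, b"constructed-old-ca-key-bits")
CA_NEW = make_cert("Example Root CA", "Example Root CA", 2, b"constructed-new-ca-key-bits")
LEAF = make_cert("server.example", "Example Root CA", 0x1234, b"constructed-leaf-key-bits")
STORE = [CA_OLD, CA_NEW]   # the store happens to list the old CA first
CHAIN = [LEAF, CA_NEW]     # verified chain: LEAF was actually signed by CA_NEW
GOOD_ID = ocsp_cert_id(LEAF, CA_NEW)
RESPONDER_DB = {(GOOD_ID["issuerNameHash"], GOOD_ID["issuerKeyHash"], GOOD_ID["serialNumber"]): "good"}

def compare_lookups() -> tuple:
    """Return (status via name lookup, status via chain) for LEAF: 'unknown' vs 'good'."""
    by_name = ocsp_cert_id(LEAF, issuer_by_subject_name(STORE, LEAF))
    by_chain = ocsp_cert_id(LEAF, issuer_from_chain(CHAIN))
    return responder_status(RESPONDER_DB, by_name), responder_status(RESPONDER_DB, by_chain)
```

The name-based lookup yields the right issuerNameHash but the old CA's issuerKeyHash, so the responder answers "unknown" (the X509_V_ERR_CERT_UNKNOWN case) for a certificate it actually knows; the chain-based lookup gets "good".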
Re: [FEATURE] OCSP functionality patch
Hi, Erwann! Thanks for your comments.

On Fri, 2012-06-08 at 16:54 +0200, Erwann Abalea wrote:
> Hello,
>
> If the OCSP URL isn't found in the supplied certificate, you're trying to find it in its issuer? That's not standard, even if it can work.

Yeah, my bad. Wasn't a good idea.

> It seems you're looking for the issuer by its subject name. When you have several CA certificates with the same name in your store (that's permitted), you may not get the real issuer certificate, and the calculated issuerKeyHash will be wrong.

Nice catch! I think I can use the already formed ctx->chain for that purpose.

> Please don't add a nonce, at least not by default. Looking at our busy OCSP responders, *nobody* asks for a nonce, and it's perfect like this. Having a nonce may provide you a benefit, but it defeats CA optimizations (cached responses, mainly).

Hmm... probably introducing some new verification flag X509_OCSP_USE_NONCE would be sufficient.

> It seems the supplied code doesn't check for a dedicated OCSP responder's certificate validity (not necessary if this certificate has an OCSPNoCheck extension, but some don't have this extension).

The OCSP responder's certificate revocation status is only checked against CRLs (via OCSP_basic_verify()).

> On 08/06/2012 13:07, Alexander Komyagin wrote:
>> [...]
>> How it works:
>> 1) OCSP revocation check is done right before the CRL check.
>> 2) First, OpenSSL tries to get the OCSP URL for the certificate being checked - it's either the forced URL or the one embedded in the certificate.
>> 3) If that fails, the issuer shall be found.
>> 4) If OCSP validation for the issuer is disabled, we completely trust him and the check is successful.
>> 5) Otherwise, we extract the issuer's OCSP URL the same way as in (2) and use it to check.
>>
>> = Possible errors:
>> - X509_V_ERR_CERT_UNKNOWN [OCSP responder never heard about this certificate]
>> - X509_V_ERR_CERT_REVOKED [Certificate had been revoked]
>> - X509_V_ERR_APPLICATION_VERIFICATION [for everything else]
>>
>> P.S. OCSP querying code was taken from the OpenSSL ocsp app. Also I still want to add additional error codes for reporting OCSP-related failures during verification (obviously, APPLICATION_VERIFICATION_FAILURE doesn't tell you much).

-- 
Best wishes,
Alexander Komyagin