This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 1.3.x in repository https://gitbox.apache.org/repos/asf/tomcat-native.git
commit 1f433c5605310622a2597150a80b774b4d6ebfe5
Author: Mark Thomas <[email protected]>
AuthorDate: Thu Dec 11 08:55:40 2025 +0000

    Expand verification of OCSP responses.
---
 native/src/sslutils.c             | 8 ++++++++
 xdocs/miscellaneous/changelog.xml | 3 +++
 2 files changed, 11 insertions(+)

diff --git a/native/src/sslutils.c b/native/src/sslutils.c
index 7c2740bbe..5ca4e8b55 100644
--- a/native/src/sslutils.c
+++ b/native/src/sslutils.c
@@ -1036,6 +1036,7 @@ static int process_ocsp_response(OCSP_REQUEST *ocsp_req, OCSP_RESPONSE *ocsp_res
     OCSP_BASICRESP *bs;
     OCSP_SINGLERESP *ss;
     OCSP_CERTID *certid;
+    STACK_OF(X509) *certStack;
 
     r = OCSP_response_status(ocsp_resp);
 
@@ -1050,6 +1051,13 @@ static int process_ocsp_response(OCSP_REQUEST *ocsp_req, OCSP_RESPONSE *ocsp_res
         goto clean_bs;
     }
 
+    certStack = OCSP_resp_get0_certs(bs);
+    if (OCSP_basic_verify(bs, certStack, X509_STORE_CTX_get0_store(ctx), 0) <= 0) {
+        X509_STORE_CTX_set_error(ctx, X509_V_ERR_OCSP_SIGNATURE_FAILURE);
+        o = OCSP_STATUS_UNKNOWN;
+        goto clean_bs;
+    }
+
     certid = OCSP_cert_to_id(NULL, cert, issuer);
     if (certid == NULL) {
         return OCSP_STATUS_UNKNOWN;
diff --git a/xdocs/miscellaneous/changelog.xml b/xdocs/miscellaneous/changelog.xml
index 6af9b4c56..22bbc9201 100644
--- a/xdocs/miscellaneous/changelog.xml
+++ b/xdocs/miscellaneous/changelog.xml
@@ -56,6 +56,9 @@
         Include a nonce with OCSP requests and check the nonce, if any, in the
         OCSP response. (markt)
       </add>
+      <add>
+        Expand verification of OCSP responses. (markt)
+      </add>
     </changelog>
   </section>
   <section name="Changes in 1.3.1">
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
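Review bot: The new `OCSP_basic_verify` call in the second sslutils.c hunk passes `0` for flags and the response's own certificate stack as the helper certs, which is the right shape (without `OCSP_TRUSTOTHER` those embedded certs are only untrusted chain-building input and the signer is still validated against `X509_STORE_CTX_get0_store(ctx)`), but nothing at the call site records that intent or why a failure becomes `OCSP_STATUS_UNKNOWN` rather than a hard error, so a short comment above it would help the next reader: `/* Signer must chain to the verify store, or be the issuer / an issuer-delegated OCSP signer; certs carried in the response are untrusted chain input only. Verification failure => UNKNOWN, never GOOD. */`. `X509_V_ERR_OCSP_SIGNATURE_FAILURE` is a comparatively recent OpenSSL error code, so if the 1.3.x branch is still expected to build against OpenSSL releases that predate it this line will fail to compile and an `#ifdef` fallback to a generic verify error would be needed — worth confirming against the branch's minimum supported OpenSSL. Separately, the context lines right after the new block, `if (certid == NULL) { return OCSP_STATUS_UNKNOWN; }`, return directly and skip `clean_bs`, which presumably frees `bs`; that leak predates this commit, but the new path one line above shows the pattern that fixes it (`o = OCSP_STATUS_UNKNOWN; goto clean_bs;`). process_ocsp_response starts before and ends after the hunk, so the `clean_bs` label and the use of `o` are not visible here.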
