markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat-native.git
The following commit(s) were added to refs/heads/main by this push:
new 1ad879900 Expand verification of OCSP responses.
1ad879900 is described below
commit 1ad879900c10c29f2cff411a01ed6d8df1420fda
Author: Mark Thomas <[email protected]>
AuthorDate: Thu Dec 11 08:55:40 2025 +0000
Expand verification of OCSP responses.
---
native/src/sslutils.c | 8 ++++++++
xdocs/miscellaneous/changelog.xml | 3 +++
2 files changed, 11 insertions(+)
diff --git a/native/src/sslutils.c b/native/src/sslutils.c
index 89b636846..9888bdb0b 100644
--- a/native/src/sslutils.c
+++ b/native/src/sslutils.c
@@ -1016,6 +1016,7 @@ static int process_ocsp_response(OCSP_REQUEST *ocsp_req,
OCSP_RESPONSE *ocsp_res
OCSP_BASICRESP *bs;
OCSP_SINGLERESP *ss;
OCSP_CERTID *certid;
+ STACK_OF(X509) *certStack;
r = OCSP_response_status(ocsp_resp);
@@ -1030,6 +1031,13 @@ static int process_ocsp_response(OCSP_REQUEST *ocsp_req,
OCSP_RESPONSE *ocsp_res
goto clean_bs;
}
+ certStack = OCSP_resp_get0_certs(bs);
+ if (OCSP_basic_verify(bs, certStack, X509_STORE_CTX_get0_store(ctx), 0) <=
0) {
+ X509_STORE_CTX_set_error(ctx, X509_V_ERR_OCSP_SIGNATURE_FAILURE);
+ o = OCSP_STATUS_UNKNOWN;
+ goto clean_bs;
+ }
+
certid = OCSP_cert_to_id(NULL, cert, issuer);
if (certid == NULL) {
return OCSP_STATUS_UNKNOWN;
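Review bot: The new `OCSP_basic_verify` call should carry a comment, because both the `0` flags and the `certStack` argument are security-relevant choices that a later edit could silently weaken: with flags `0` the responder certificate is chain-validated against the store taken from `ctx` and (per the OpenSSL documentation) must be the issuer or an authorised delegate, while `certStack` is the response's own embedded certificates, so adding `OCSP_TRUSTOTHER` to this call would trust attacker-supplied certificates without chain validation. Suggest `/* flags 0: full responder checks; certStack is taken from the response itself, so OCSP_TRUSTOTHER must never be set here */` above the `if`. The pre-existing `certid == NULL` branch directly below the new block still returns without going through `clean_bs`, so `bs` (presumably released there) appears to leak on that path; not introduced here, but `o = OCSP_STATUS_UNKNOWN; goto clean_bs;` would match the new code's exit style. Minor style point: `certStack` (declared in the previous hunk) is the only camelCase local next to `ocsp_resp` and `certid`; `cert_stack` would match the file. process_ocsp_response starts and ends outside the hunk.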
diff --git a/xdocs/miscellaneous/changelog.xml
b/xdocs/miscellaneous/changelog.xml
index b6e3da7e1..373719038 100644
--- a/xdocs/miscellaneous/changelog.xml
+++ b/xdocs/miscellaneous/changelog.xml
@@ -41,6 +41,9 @@
Include a nonce with OCSP requests and check the nonce, if any, in the
OCSP response. (markt)
</add>
+ <add>
+ Expand verification of OCSP responses. (markt)
+ </add>
</changelog>
</section>
<section name="Changes in 2.0.9">