This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat-native.git
The following commit(s) were added to refs/heads/main by this push:
new e8f60b95e More verification of OCSP responses - timestamps
e8f60b95e is described below
commit e8f60b95e502064bcf6bbafae4e86c7e5ce6da71
Author: Mark Thomas <[email protected]>
AuthorDate: Thu Dec 11 09:06:31 2025 +0000
More verification of OCSP responses - timestamps
---
native/include/ssl_private.h | 2 ++
native/src/sslutils.c | 19 ++++++++++++++++---
2 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/native/include/ssl_private.h b/native/include/ssl_private.h
index 96e21275c..d3de1fccf 100644
--- a/native/include/ssl_private.h
+++ b/native/include/ssl_private.h
@@ -218,6 +218,8 @@ extern ENGINE *tcn_ssl_engine;
#define OCSP_STATUS_OK 0
#define OCSP_STATUS_REVOKED 1
#define OCSP_STATUS_UNKNOWN 2
+/* 15 minutes - aligns with JSSE */
+#define OCSP_MAX_SKEW 900
#endif
#endif /* !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name) */
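Review bot: The comment on the new OCSP_MAX_SKEW explains the 15-minute figure but not how the value is used, and in the accompanying sslutils.c change it is passed to OCSP_check_validity both as the tolerated clock skew (`nsec`) and as the maximum age of thisUpdate (`maxsec`), which are different knobs. A reader of the header cannot tell that lowering it also makes older-but-still-valid responses fail. I would either split it into `OCSP_MAX_SKEW` and `OCSP_MAX_AGE`, or at least extend the comment to `/* Seconds of clock skew tolerated when checking OCSP thisUpdate/nextUpdate, and the maximum age accepted for thisUpdate. 15 minutes - aligns with JSSE */`.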
diff --git a/native/src/sslutils.c b/native/src/sslutils.c
index e71ebc8b8..a10c79739 100644
--- a/native/src/sslutils.c
+++ b/native/src/sslutils.c
@@ -1016,6 +1016,8 @@ static int process_ocsp_response(OCSP_REQUEST *ocsp_req,
OCSP_RESPONSE *ocsp_res
OCSP_BASICRESP *bs;
OCSP_SINGLERESP *ss;
OCSP_CERTID *certid;
+ ASN1_GENERALIZEDTIME *thisupd;
+ ASN1_GENERALIZEDTIME *nextupd;
STACK_OF(X509) *certStack;
r = OCSP_response_status(ocsp_resp);
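Review bot: The new `thisupd` and `nextupd` pointers are declared without an initializer, and the only assignment they receive later in this function comes from OCSP_single_get0_status, which (as far as I recall the OpenSSL implementation) writes its out-parameters only when handed a non-NULL single response. Declaring them as `ASN1_GENERALIZEDTIME *thisupd = NULL;` and `ASN1_GENERALIZEDTIME *nextupd = NULL;` keeps the no-match path deterministic instead of passing indeterminate pointers on to the validity checks. process_ocsp_response starts before and ends after this hunk.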
@@ -1023,7 +1025,7 @@ static int process_ocsp_response(OCSP_REQUEST *ocsp_req,
OCSP_RESPONSE *ocsp_res
if (r != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
return OCSP_STATUS_UNKNOWN;
}
-
+
bs = OCSP_response_get1_basic(ocsp_resp);
if (OCSP_check_nonce(ocsp_req, bs) == 0) {
X509_STORE_CTX_set_error(ctx, X509_V_ERR_OCSP_RESP_INVALID);
@@ -1046,7 +1048,18 @@ static int process_ocsp_response(OCSP_REQUEST *ocsp_req,
OCSP_RESPONSE *ocsp_res
}
ss = OCSP_resp_get0(bs, OCSP_resp_find(bs, certid, -1)); /* find by serial
number and get the matching response */
- i = OCSP_single_get0_status(ss, NULL, NULL, NULL, NULL);
+ i = OCSP_single_get0_status(ss, NULL, NULL, &thisupd, &nextupd);
+ if (OCSP_check_validity(thisupd, nextupd, OCSP_MAX_SKEW, -1) <= 0) {
+ X509_STORE_CTX_set_error(ctx, X509_V_ERR_OCSP_NOT_YET_VALID);
+ o = OCSP_STATUS_UNKNOWN;
+ goto clean_certid;
+ }
+ if (OCSP_check_validity(thisupd, nextupd, OCSP_MAX_SKEW, OCSP_MAX_SKEW) <=
0) {
+ X509_STORE_CTX_set_error(ctx, X509_V_ERR_OCSP_HAS_EXPIRED);
+ o = OCSP_STATUS_UNKNOWN;
+ goto clean_certid;
+ }
+
if (i == V_OCSP_CERTSTATUS_GOOD)
o = OCSP_STATUS_OK;
else if (i == V_OCSP_CERTSTATUS_REVOKED)
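Review bot: `ss` is passed to OCSP_single_get0_status and then `thisupd`/`nextupd` to OCSP_check_validity without checking that OCSP_resp_find found a single response for `certid`; when it returns -1, OCSP_resp_get0 yields NULL, OCSP_single_get0_status returns -1 without touching its out-parameters, and OCSP_check_validity then dereferences uninitialised pointers, so a responder that omits the requested serial can now crash the verifier where the old code fell through to the unknown status. The two validity calls also misreport: the first, with `maxsec` of -1, already rejects an expired nextUpdate, so an expired response is flagged X509_V_ERR_OCSP_NOT_YET_VALID, while the second, with `maxsec` of OCSP_MAX_SKEW, rejects any response whose thisUpdate is older than 15 minutes even when nextUpdate is still far in the future, which (if I read OCSP_check_validity correctly) fails most cached responder output. I would guard `ss`, check only thisUpdate in the first call (`OCSP_check_validity(thisupd, NULL, OCSP_MAX_SKEW, -1)`) and bound the age only when no nextUpdate was supplied (`OCSP_check_validity(thisupd, nextupd, OCSP_MAX_SKEW, nextupd == NULL ? OCSP_MAX_SKEW : -1)`) in the second. process_ocsp_response continues outside this hunk.
```c
ss = OCSP_resp_get0(bs, OCSP_resp_find(bs, certid, -1));
if (ss == NULL) {
    /* No single response for this serial: nothing to verify */
    X509_STORE_CTX_set_error(ctx, X509_V_ERR_OCSP_RESP_INVALID);
    o = OCSP_STATUS_UNKNOWN;
    goto clean_certid;
}
i = OCSP_single_get0_status(ss, NULL, NULL, &thisupd, &nextupd);
/* thisUpdate must not be in the future (beyond the skew allowance) */
if (OCSP_check_validity(thisupd, NULL, OCSP_MAX_SKEW, -1) <= 0) {
    X509_STORE_CTX_set_error(ctx, X509_V_ERR_OCSP_NOT_YET_VALID);
    o = OCSP_STATUS_UNKNOWN;
    goto clean_certid;
}
/* nextUpdate (if present) must not have passed; without one, cap the
 * age of thisUpdate instead of accepting the response indefinitely */
if (OCSP_check_validity(thisupd, nextupd, OCSP_MAX_SKEW,
                        nextupd == NULL ? OCSP_MAX_SKEW : -1) <= 0) {
    X509_STORE_CTX_set_error(ctx, X509_V_ERR_OCSP_HAS_EXPIRED);
    o = OCSP_STATUS_UNKNOWN;
    goto clean_certid;
}
/* … unchanged: map i to OCSP_STATUS_OK / REVOKED / UNKNOWN … */
```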
@@ -1054,7 +1067,7 @@ static int process_ocsp_response(OCSP_REQUEST *ocsp_req,
OCSP_RESPONSE *ocsp_res
else if (i == V_OCSP_CERTSTATUS_UNKNOWN)
o = OCSP_STATUS_UNKNOWN;
- /* we clean up */
+clean_certid:
OCSP_CERTID_free(certid);
clean_bs:
OCSP_BASICRESP_free(bs);