Sorry, forgot to cc to the mailing list. I am used to mailman doing this
automatically ^^
Am 28.05.2013 12:17, schrieb Michael Brown:
On Monday 27 May 2013 12:40:23 Christian Stroehmeier wrote:
I am currently tasked with porting all our legacy pxe installations to
ipxe. To authenticate we have a restricted area on a webserver and get
the ipxe script via HTTPS.
This worked very well and straightforward, until that webserver got a
new certificate which now offers OCSP.
Somehow the OCSP request ipxe sends does not work (works in Firefox, so
the responder should be set up correctly).
Any insights on that? I compiled ipxe with all three relevant
CA/intermediate certificates relevant, and DEBUG=x509:3,ocsp:3 resulted
in the log attached to this mail.
The webserver in question is https://groups.uni-paderborn.de/, feel free
to try it yourself.
I am completely unfamiliar with OCSP and have only basic knowledge of
SSL, so any help would be appreciated.
It seems as though your OCSP response includes several certificates:
CN=DFN-Verein PCA Global - G01
CN=Universitaet Paderborn CA - G01
CN=PN: OCSP-Responder (the OCSP signing cert)
The OCSP data structure does allow for multiple certificates, but RFC2560
mandates that the OCSP signing certificate must either be the original cert's
issuer, or must be directly signed by the original cert's issuer. iPXE
therefore assumes (in ocsp_parse_certs()) that there is exactly one certificate
to be parsed from the OCSP response, since any other certificates would be
either invalid or extraneous.
iPXE is thus taking the first certificate ("DFN-Verein PCA Global - G01") from
the OCSP response and attempting to use that as the OCSP signing certificate.
This fails, since that certificate is not the one used for OCSP signing.
You can work around the problem by ensuring that your OCSP responder includes
only its own certificate ("PN: OCSP-Responder"), or by ensuring that this
certificate is first in the certificate chain.
Alternatively, patches to automatically identify the signing cert via the
"Certificate ID" field of the OCSP response data are welcome!
Michael
Hi,
thanks for your elaborate answer. I forwarded this to our certificate
guys and they came up with a simple idea of a patch. I did some fixing
so it would actually compile, and now it works for me. I am not really
familiar with your workflow regarding patches, so I figured I just
attach it here :)
Chris
--- original/src/crypto/ocsp.c 2012-12-18 15:58:15.000000000 +0100
+++ patched/src/crypto/ocsp.c 2013-05-29 11:55:19.000000000 +0200
@@ -497,6 +497,10 @@
return 0;
}
+// forward declaration
+static int ocsp_check_signature ( struct ocsp_check *ocsp,
+ struct x509_certificate *signer );
+
/**
* Parse OCSP certificates
*
@@ -509,30 +513,47 @@
struct ocsp_response *response = &ocsp->response;
struct asn1_cursor cursor;
int rc;
+ int foundcert = 0;
/* Enter certs */
memcpy ( &cursor, raw, sizeof ( cursor ) );
asn1_enter ( &cursor, ASN1_EXPLICIT_TAG ( 0 ) );
asn1_enter ( &cursor, ASN1_SEQUENCE );
- /* Parse certificate, if present. The data structure permits
- * multiple certificates, but the protocol requires that the
- * OCSP signing certificate must either be the issuer itself,
- * or must be directly issued by the issuer (see RFC2560
- * section 4.2.2.2 "Authorized Responders").
- */
- if ( ( cursor.len != 0 ) &&
- ( ( rc = x509_certificate ( cursor.data, cursor.len,
- &response->signer ) ) != 0 ) ) {
- DBGC ( ocsp, "OCSP %p \"%s\" could not parse certificate: "
- "%s\n", ocsp, ocsp->cert->subject.name, strerror ( rc ));
- DBGC_HDA ( ocsp, 0, cursor.data, cursor.len );
- return rc;
- }
- DBGC2 ( ocsp, "OCSP %p \"%s\" response is signed by \"%s\"\n", ocsp,
- ocsp->cert->subject.name, response->signer->subject.name );
+ /* Scan through certificate list and try to find the OCSP responder
cert. */
- return 0;
+ for ( ; cursor.len ; asn1_skip_any ( &cursor ) ) {
+
+ /* Parse certificate, if present. The data structure permits
+ * multiple certificates, but the protocol requires that the
+ * OCSP signing certificate must either be the issuer itself,
+ * or must be directly issued by the issuer (see RFC2560
+ * section 4.2.2.2 "Authorized Responders").
+ */
+ if ( ( cursor.len != 0 ) &&
+ ( ( rc = x509_certificate ( cursor.data, cursor.len,
+ &response->signer ) ) != 0 ) ) {
+ DBGC ( ocsp, "OCSP %p \"%s\" could not parse
certificate: "
+ "%s\n", ocsp, ocsp->cert->subject.name,
strerror ( rc ));
+ DBGC_HDA ( ocsp, 0, cursor.data, cursor.len );
+ return rc;
+ }
+ /* Check wether the cert actually signed the response */
+ if ( ocsp_check_signature (ocsp, response->signer) == 0 ){
+ /* Yes, found the correct OCSP responder cert */
+ foundcert = 1;
+ break;
+ }
+ }
+ if( foundcert == 1) {
+ DBGC2 ( ocsp, "OCSP %p \"%s\" response is signed by \"%s\"\n",
ocsp,
+ ocsp->cert->subject.name,
response->signer->subject.name );
+ return 0;
+ } else {
+ DBGC ( ocsp, "OCSP %p \"%s\" none of the certs in the responses
matches the signature.",
+ ocsp, ocsp->cert->subject.name);
+ return 1;
+ }
}
/**
_______________________________________________
ipxe-devel mailing list
[email protected]
https://lists.ipxe.org/mailman/listinfo.cgi/ipxe-devel
