On 09/06/17 04:40, Bob Beck wrote:
Andreas where are you seeing this as being a real issue - who is shipping
out OCSP responses without a next update field?


I've noticed this while playing with a local CA and a corresponding OCSP responder on my LAN. For openssl ocsp, the -nmin and -ndays arguments are optional; if neither is given explicitly, the responder omits the nextUpdate field from its responses.



On Sat, Sep 2, 2017 at 11:28 AM, Andreas Bartelt <o...@bartula.de> wrote:

ocspcheck currently treats a missing nextUpdate as an error: it always emits a
warning and no staple file is written out. According to RFC 6960 the
nextUpdate field is optional. The following patch handles this case more
gracefully and emits a suitable debug message only when -vv is specified.

OK?

Index: src/usr.sbin/ocspcheck/ocspcheck.c
===================================================================
RCS file: /cvs/src/usr.sbin/ocspcheck/ocspcheck.c,v
retrieving revision 1.21
diff -u -p -u -r1.21 ocspcheck.c
--- src/usr.sbin/ocspcheck/ocspcheck.c  8 May 2017 20:15:34 -0000
  1.21
+++ src/usr.sbin/ocspcheck/ocspcheck.c  2 Sep 2017 17:09:00 -0000
@@ -368,7 +368,7 @@ validate_response(char *buf, size_t size
  {
         ASN1_GENERALIZEDTIME *revtime = NULL, *thisupd = NULL, *nextupd =
NULL;
         const unsigned char **p = (const unsigned char **)&buf;
-       int status, cert_status=0, crl_reason=0;
+       int status, cert_status=0, crl_reason=0, next_update=0;
         time_t now, rev_t = -1, this_t, next_t;
         OCSP_RESPONSE *resp;
         OCSP_BASICRESP *bresp;
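Review bot: `next_t` is still declared without an initializer on the `time_t now, rev_t = -1, this_t, next_t;` line, yet with this patch it is only assigned when a nextUpdate is present; the later uses are guarded by `next_update`, but the invariant lives in a separate flag that is easy to lose in a future edit. Initializing it alongside `rev_t`, `time_t now, rev_t = -1, this_t, next_t = -1;`, keeps the "unset" sentinel local to the declaration and matches how the revocation time is handled. validate_response begins before this hunk and continues past it.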
@@ -447,12 +447,14 @@ validate_response(char *buf, size_t size
                 return 0;
         }
         if ((next_t = parse_ocsp_time(nextupd)) == -1) {
-               warnx("unable to parse next update time in OCSP reply");
-               return 0;
+               if (verbose >= 2)
+                       fprintf(stderr, "Optional timestamp for next
update not included in OCSP reply\n");
         }
+       else
+               next_update = 1;

         /* Don't allow this update to precede next update */
-       if (this_t >= next_t) {
+       if (next_update == 1 && this_t >= next_t) {
                 warnx("Invalid OCSP reply: this update >= next update");
                 return 0;
         }
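Review bot: The rewritten branch at `if ((next_t = parse_ocsp_time(nextupd)) == -1)` can no longer tell an absent nextUpdate apart from one that is present but malformed, because both cases appear to surface as a -1 return; a response carrying a corrupt nextUpdate is now logged at -vv as "optional timestamp not included" and accepted, where the old code rejected it. Test `nextupd == NULL` explicitly and keep the parse failure fatal, as below. The `}` / `else` split across two lines at `+       else` also departs from the `} else` form used elsewhere in this file. validate_response starts before and ends after this hunk.
```c
	if (nextupd == NULL) {
		if (verbose >= 2)
			fprintf(stderr, "Optional timestamp for next "
			    "update not included in OCSP reply\n");
	} else if ((next_t = parse_ocsp_time(nextupd)) == -1) {
		warnx("unable to parse next update time in OCSP reply");
		return 0;
	} else
		next_update = 1;
	/* … unchanged: this update >= next update check … */
```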
@@ -481,7 +483,7 @@ validate_response(char *buf, size_t size
         /*
          * Check that next update is still valid
          */
-       if (next_t < now - JITTER_SEC) {
+       if (next_update == 1 && next_t < now - JITTER_SEC) {
                 warnx("Invalid OCSP reply: reply has expired (%s)",
                     ctime(&next_t));
                 return 0;
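Review bot: With `next_update == 1 &&` prepended to the expiry check, a response without nextUpdate is never considered expired by this function, so its acceptance now rests entirely on whatever bound the earlier thisUpdate check (outside this hunk) places on `this_t`. RFC 6960 describes an absent nextUpdate as the responder saying newer revocation information is available at all times, so the staple has no responder-declared lifetime; a comment on the guard making that explicit would help the next reader, e.g. `/* No nextUpdate: RFC 6960 says newer data is always available, so only thisUpdate bounds freshness */`. Whether the thisUpdate check alone is tight enough for the stapling use case is a policy question worth a sentence in the commit message. validate_response continues past the end of this hunk.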
@@ -489,7 +491,8 @@ validate_response(char *buf, size_t size

         vspew("OCSP response validated from %s\n", host);
         vspew("    This Update: %s", ctime(&this_t));
-       vspew("    Next Update: %s", ctime(&next_t));
+       if (next_update == 1)
+               vspew("    Next Update: %s", ctime(&next_t));
         return 1;
  }
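Review bot: Dropping the `Next Update:` line entirely when `next_update` is 0 leaves the -v output silent about why no expiry is shown, which is the one case an operator debugging a staple refresh most wants to see. Printing an explicit placeholder instead, `vspew("    Next Update: not included\n");` in an `else` branch, keeps the output shape stable and makes the optional-field case visible without needing -vv.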



