

Handle redirect on AIA issuer fetch
IB-7006

Signed-off-by: Raul Metsma <raul@metsma.ee>
metsma committed Oct 7, 2021
1 parent b42174f commit d6af5d6
Showing 3 changed files with 14 additions and 12 deletions.
18 changes: 9 additions & 9 deletions src/crypto/OCSP.cpp
Expand Up @@ -299,15 +299,6 @@ void OCSP::verifyResponse(const X509Cert &cert) const
if(!resp)
THROW("Failed to verify OCSP response.");

// Find issuer before OCSP validation to activate region TSL
X509Cert issuer = X509CertStore::instance()->findIssuer(cert, X509CertStore::CA);
if(!issuer)
{
Exception e(EXCEPTION_PARAMS("Certificate status: unknown"));
e.setCode(Exception::CertificateUnknown);
throw e;
}

time_t t = util::date::ASN1TimeToTime_t(producedAt());
SCOPE(X509_STORE, store, X509CertStore::createStore(X509CertStore::OCSP, &t));
STACK_OF(X509) *stack = sk_X509_new_null();
Expand All @@ -325,6 +316,15 @@ void OCSP::verifyResponse(const X509Cert &cert) const
if(result <= 0)
THROW_OPENSSLEXCEPTION("Failed to verify OCSP response.");

// Find issuer before OCSP validation to activate region TSL
X509Cert issuer = X509CertStore::instance()->findIssuer(cert, X509CertStore::CA);
if(!issuer)
{
Exception e(EXCEPTION_PARAMS("Certificate status: unknown"));
e.setCode(Exception::CertificateUnknown);
throw e;
}

int status = V_OCSP_CERTSTATUS_UNKNOWN;
for(int i = 0, count = OCSP_resp_count(basic.get()); i < count; ++i)
{
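Review bot: The comment carried along to the new location, `// Find issuer before OCSP validation to activate region TSL`, no longer describes the order of operations: the lookup now runs only after `OCSP_basic_verify` has succeeded (the `result <= 0` check just above), so it is no longer "before OCSP validation". Doing the lookup, which can trigger an AIA network fetch, only for responses whose signature already verified is a reasonable hardening, but the comment should state what the ordering now guarantees, e.g. `// Find issuer after the response signature has been verified; findIssuer may fetch via AIA and activate the region TSL, and the issuer is presumably needed for the cert-id match in the loop below.` Whether the region TSL still has to be active for `createStore(OCSP)` above, as the old placement implied, is not something I can tell from this hunk. verifyResponse starts before and continues after the hunk.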
2 changes: 1 addition & 1 deletion src/crypto/X509Cert.cpp
Expand Up @@ -235,7 +235,7 @@ X509Cert::X509Cert(const vector<unsigned char> &bytes, Format format)
X509Cert::X509Cert(const unsigned char *bytes, size_t size, Format format)
{
if(!bytes || size == 0)
THROW("No bytes given to parse X509.");
return;
if(format == Der)
{
const unsigned char *p = bytes;
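Review bot: Replacing `THROW("No bytes given to parse X509.")` with a bare `return` turns a loud failure into a silently empty certificate, and nothing in the hunk documents the new contract, so every existing caller of this constructor now has to test the result (presumably via its `operator bool`) before using it. The redirect path in X509CertStore::issuerFromAIA is likely the motivating caller, but the other call sites are outside this diff and I cannot confirm they check. I'd add a comment above the guard, `// Null or empty input yields an empty (false) X509Cert instead of throwing; callers must check before use.`, and the same sentence in the header's doc comment for this constructor. The constructor body continues past the hunk.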
6 changes: 4 additions & 2 deletions src/crypto/X509CertStore.cpp
Expand Up @@ -165,7 +165,9 @@ X509Cert X509CertStore::issuerFromAIA(const X509Cert &cert) const
}
if(url.empty())
return X509Cert();
Connect::Result result = Connect(url, "GET", 0, {}).exec();
Connect::Result result = Connect(url, "GET").exec();
if(result.isRedirect())
result = Connect(result.headers["Location"], "GET").exec();
return X509Cert((const unsigned char*)result.content.c_str(), result.content.size());
}

Expand Down Expand Up @@ -278,7 +280,7 @@ bool X509CertStore::verify(const X509Cert &cert, bool noqscd) const
return all_of(policySet.cbegin(), policySet.cend(), containsPolicy);
};
auto matchKeyUsageSet = [&keyUsage](const map<X509Cert::KeyUsage,bool> &keyUsageSet){
return all_of(keyUsageSet.cbegin(), keyUsageSet.cend(), [&keyUsage](const pair<X509Cert::KeyUsage,bool> &keyUsageBit){
return all_of(keyUsageSet.cbegin(), keyUsageSet.cend(), [&keyUsage](pair<X509Cert::KeyUsage, bool> keyUsageBit) {
return (find(keyUsage.cbegin(), keyUsage.cend(), keyUsageBit.first) != keyUsage.cend()) == keyUsageBit.second;
});
};
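Review bot: In the issuerFromAIA hunk the redirect branch reads `result.headers["Location"]` and follows it unconditionally, so a 3xx without a Location header (or with an empty one) becomes `Connect("", "GET")` if `headers` is a std::map-like container, and a second redirect or an error body from the hop is still handed straight to the X509Cert constructor. Since the AIA URL originates in the certificate under validation, I would also reject a non-http(s) target and an https-to-http downgrade before following; how much that matters depends on whether the caller then verifies the fetched certificate as the real issuer, which I cannot see here. Limiting to one hop is fine, but the post-hop response needs the same checks as the first. issuerFromAIA begins before this hunk.
```cpp
Connect::Result result = Connect(url, "GET").exec();
if(result.isRedirect())
{
    // Follow a single hop only; a missing or empty Location must not become Connect("").
    auto location = result.headers.find("Location");
    if(location == result.headers.end() || location->second.empty())
        return X509Cert();
    // TODO(review): reject non-http(s) targets and https->http downgrades here.
    result = Connect(location->second, "GET").exec();
}
// A further redirect or an empty body is not a certificate.
if(result.isRedirect() || result.content.empty())
    return X509Cert();
return X509Cert((const unsigned char*)result.content.c_str(), result.content.size());
```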
