Handle redirect on AIA issuer fetch
IB-7006

Signed-off-by: Raul Metsma <raul@metsma.ee>
metsma committed Oct 20, 2021
1 parent 1f8a027 commit e011075
Showing 3 changed files with 25 additions and 12 deletions.
31 changes: 21 additions & 10 deletions src/crypto/OCSP.cpp
Expand Up @@ -299,15 +299,6 @@ void OCSP::verifyResponse(const X509Cert &cert) const
if(!resp)
THROW("Failed to verify OCSP response.");

// Find issuer before OCSP validation to activate region TSL
X509Cert issuer = X509CertStore::instance()->findIssuer(cert, X509CertStore::CA);
if(!issuer)
{
Exception e(EXCEPTION_PARAMS("Certificate status: unknown"));
e.setCode(Exception::CertificateUnknown);
throw e;
}

time_t t = util::date::ASN1TimeToTime_t(producedAt());
SCOPE(X509_STORE, store, X509CertStore::createStore(X509CertStore::OCSP, &t));
STACK_OF(X509) *stack = sk_X509_new_null();
Expand All @@ -322,8 +313,28 @@ void OCSP::verifyResponse(const X509Cert &cert) const
//all checks enabled fails trust bit check, cant use OCSP_NOEXPLICIT instead using OCSP_NOCHECKS
int result = OCSP_basic_verify(basic.get(), stack, store.get(), OCSP_NOCHECKS);
sk_X509_free(stack);
if(result <= 0)
if(result != 1)
{
unsigned long err = ERR_get_error();
if(ERR_GET_LIB(err) == ERR_LIB_OCSP &&
(ERR_GET_REASON(err) == OCSP_R_CERTIFICATE_VERIFY_ERROR ||
ERR_GET_REASON(err) == OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND))
{
Exception e(EXCEPTION_PARAMS("Failed to verify OCSP Responder certificate"));
e.setCode(Exception::CertificateUnknown);
throw e;
}
THROW_OPENSSLEXCEPTION("Failed to verify OCSP response.");
}

// Find issuer before OCSP validation to activate region TSL
X509Cert issuer = X509CertStore::instance()->findIssuer(cert, X509CertStore::CA);
if(!issuer)
{
Exception e(EXCEPTION_PARAMS("Certificate status: unknown"));
e.setCode(Exception::CertificateUnknown);
throw e;
}

int status = V_OCSP_CERTSTATUS_UNKNOWN;
for(int i = 0, count = OCSP_resp_count(basic.get()); i < count; ++i)
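Review bot: `ERR_get_error()` on the line after `if(result != 1)` pops the entry off OpenSSL's error queue, so when the reason is neither of the two OCSP codes, the fall-through `THROW_OPENSSLEXCEPTION("Failed to verify OCSP response.")` — which presumably formats the queued error — no longer has it to report; `unsigned long err = ERR_peek_error();` keeps the entry in place for that path. Both calls return the earliest queued entry, so the classification also assumes the queue was empty on entry; an `ERR_clear_error();` before `OCSP_basic_verify` would make that explicit. The comment `// Find issuer before OCSP validation to activate region TSL` is stale now that the lookup runs after `OCSP_basic_verify`; `// Find issuer to activate region TSL before the certificate status lookup` matches the new order. verifyResponse begins and ends outside the hunk.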
2 changes: 1 addition & 1 deletion src/crypto/X509Cert.cpp
Expand Up @@ -235,7 +235,7 @@ X509Cert::X509Cert(const vector<unsigned char> &bytes, Format format)
X509Cert::X509Cert(const unsigned char *bytes, size_t size, Format format)
{
if(!bytes || size == 0)
THROW("No bytes given to parse X509.");
return;
if(format == Der)
{
const unsigned char *p = bytes;
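Review bot: The early `return;` in the null/size check leaves a constructed X509Cert with nothing loaded where the constructor used to throw, so empty input is now only noticed if the caller tests the object (the `if(!issuer)` check in OCSP.cpp does; other call sites of this constructor are not visible here). That is presumably intended so issuerFromAIA can pass an empty fetch body and get an empty certificate back, but nothing says so; a comment on the check would fix the contract in place: `// No input: leave this an empty certificate (tests false) instead of throwing; callers must check it before use.` The constructor body continues outside the hunk.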
4 changes: 3 additions & 1 deletion src/crypto/X509CertStore.cpp
Expand Up @@ -165,7 +165,9 @@ X509Cert X509CertStore::issuerFromAIA(const X509Cert &cert) const
}
if(url.empty())
return X509Cert();
Connect::Result result = Connect(url, "GET", 0, {}).exec();
Connect::Result result = Connect(url, "GET").exec();
if(result.isRedirect())
result = Connect(result.headers["Location"], "GET").exec();
return X509Cert((const unsigned char*)result.content.c_str(), result.content.size());
}
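Review bot: `result.headers["Location"]` in the new redirect branch is unguarded: if the header is absent, operator[] (assuming `headers` is a std::map-like container) inserts an empty value and the second `Connect` runs with an empty URL, and a relative `Location` is used as-is without being resolved against `url`. The AIA URL comes from the certificate being validated and the redirect target from whatever that server answers, so this code runs on untrusted input; the follow-up should be bounded to one hop (a second redirect currently has its body handed to the X509Cert constructor) and, unless `Connect` already enforces it, limited to http/https targets. issuerFromAIA's opening lines are outside the hunk.
```cpp
Connect::Result result = Connect(url, "GET").exec();
if(result.isRedirect())
{
    auto location = result.headers.find("Location");
    if(location == result.headers.end() || location->second.empty())
        return X509Cert();
    result = Connect(location->second, "GET").exec();
    if(result.isRedirect())
        return X509Cert(); // follow a single hop only
}
return X509Cert((const unsigned char*)result.content.c_str(), result.content.size());
```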

