diff options
author | olszomal <Malgorzata.Olszowka@stunnel.org> | 2024-01-05 13:41:59 +0100 |
---|---|---|
committer | Tomas Mraz <tomas@openssl.org> | 2024-03-12 14:02:13 +0100 |
commit | d6aafeb1076ed4eeda1b0ced11207e05b0e32b0d (patch) | |
tree | 70bda784315eaf1d1f7ea6a50b065963dae197db | |
parent | Doc: fix style (diff) | |
download | openssl-d6aafeb1076ed4eeda1b0ced11207e05b0e32b0d.tar.xz openssl-d6aafeb1076ed4eeda1b0ced11207e05b0e32b0d.zip |
Use the untrusted certificate chain to create a valid certificate ID for OCSP_request
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22192)
-rw-r--r-- | apps/s_server.c | 44 |
1 files changed, 30 insertions, 14 deletions
diff --git a/apps/s_server.c b/apps/s_server.c index b1164d10cc..07086ef0f6 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -476,7 +476,10 @@ static int get_ocsp_resp_from_responder(SSL *s, tlsextstatusctx *srctx, char *proxy = NULL, *no_proxy = NULL; int use_ssl; STACK_OF(OPENSSL_STRING) *aia = NULL; - X509 *x = NULL; + X509 *x = NULL, *cert; + X509_NAME *iname; + STACK_OF(X509) *chain = NULL; + SSL_CTX *ssl_ctx; X509_STORE_CTX *inctx = NULL; X509_OBJECT *obj; OCSP_REQUEST *req = NULL; @@ -487,6 +490,7 @@ static int get_ocsp_resp_from_responder(SSL *s, tlsextstatusctx *srctx, /* Build up OCSP query from server certificate */ x = SSL_get_certificate(s); + iname = X509_get_issuer_name(x); aia = X509_get1_ocsp(x); if (aia != NULL) { if (!OSSL_HTTP_parse_url(sk_OPENSSL_STRING_value(aia, 0), &use_ssl, @@ -511,21 +515,33 @@ static int get_ocsp_resp_from_responder(SSL *s, tlsextstatusctx *srctx, proxy = srctx->proxy; no_proxy = srctx->no_proxy; - inctx = X509_STORE_CTX_new(); - if (inctx == NULL) + ssl_ctx = SSL_get_SSL_CTX(s); + if (!SSL_CTX_get0_chain_certs(ssl_ctx, &chain)) goto err; - if (!X509_STORE_CTX_init(inctx, - SSL_CTX_get_cert_store(SSL_get_SSL_CTX(s)), - NULL, NULL)) - goto err; - obj = X509_STORE_CTX_get_obj_by_subject(inctx, X509_LU_X509, - X509_get_issuer_name(x)); - if (obj == NULL) { - BIO_puts(bio_err, "cert_status: Can't retrieve issuer certificate.\n"); - goto done; + for (i = 0; i < sk_X509_num(chain); i++) { + /* check the untrusted certificate chain (-cert_chain option) */ + cert = sk_X509_value(chain, i); + if (X509_name_cmp(iname, X509_get_subject_name(cert)) == 0) { + /* the issuer certificate is found */ + id = OCSP_cert_to_id(NULL, x, cert); + break; + } + } + if (id == NULL) { + inctx = X509_STORE_CTX_new(); + if (inctx == NULL) + goto err; + if (!X509_STORE_CTX_init(inctx, SSL_CTX_get_cert_store(ssl_ctx), + NULL, NULL)) + goto err; + obj = X509_STORE_CTX_get_obj_by_subject(inctx, X509_LU_X509, iname); + if (obj == NULL) { + BIO_puts(bio_err, "cert_status: Can't retrieve issuer certificate.\n"); + goto done; + } + id = OCSP_cert_to_id(NULL, x, X509_OBJECT_get0_X509(obj)); + X509_OBJECT_free(obj); } - id = OCSP_cert_to_id(NULL, x, X509_OBJECT_get0_X509(obj)); - X509_OBJECT_free(obj); if (id == NULL) goto err; req = OCSP_REQUEST_new(); |