diff options
author | Kazuki Yamaguchi <k@rhe.jp> | 2016-07-08 11:28:38 +0900 |
---|---|---|
committer | Kazuki Yamaguchi <k@rhe.jp> | 2016-07-08 11:28:38 +0900 |
commit | bc5b7918066e5a49427b7e5f5af8189c2571ea27 (patch) | |
tree | 42066ed220ab84ba2d6589686111392310276aa0 /test/test_ocsp.rb | |
parent | c4702f20ee3af838867b1c515e75911c24da06ba (diff) | |
download | ruby-openssl-bc5b7918066e5a49427b7e5f5af8189c2571ea27.tar.gz |
ocsp: add workaround for OCSP_basic_verify() bugtopic/ocsp-basic-verify-bug
Older versions of OpenSSL have a bug that it doesn't use the
certificates passed to OCSP_basic_verify() for verifying the chain. This
can be a problem when the response is signed by a certificate issued by
an intermediate CA.
root_ca
|
intermediate_ca
|-------------|
end_entity ocsp_signer
When the certificate hierarchy is like this, and the response contains
only ocsp_signer certificate, the following code wrongly fails.
store = OpenSSL::X509::Store.new; store.add_cert(root_ca)
basic_response.verify([intermediate_ca], store)
So duplicate the OCSP_BASICRESP and add the certificates to the embedded
list first.
Diffstat (limited to 'test/test_ocsp.rb')
-rw-r--r-- | test/test_ocsp.rb | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/test/test_ocsp.rb b/test/test_ocsp.rb index db7b139e..c59cf1b9 100644 --- a/test/test_ocsp.rb +++ b/test/test_ocsp.rb @@ -184,6 +184,17 @@ class OpenSSL::TestOCSP < OpenSSL::TestCase assert_equal false, bres.verify([], store1, OpenSSL::OCSP::NOCHAIN) end + def test_basic_response_sign_verify_use_extra_chain + # OpenSSL had a bug on this; test that our workaround works + cid = OpenSSL::OCSP::CertificateId.new(@cert2, @cert, OpenSSL::Digest::SHA256.new) + bres = OpenSSL::OCSP::BasicResponse.new + bres.add_status(cid, OpenSSL::OCSP::V_CERTSTATUS_GOOD, nil, -400, -300, 500, []) + bres.sign(@ocsp_cert, @ocsp_key, [], 0, "SHA256") + store1 = OpenSSL::X509::Store.new; store1.add_cert(@ca_cert) + assert_equal true, bres.verify([@cert], store1) + assert_equal false, bres.verify([], store1, OpenSSL::OCSP::NOCHAIN) + end + def test_basic_response_dup bres = OpenSSL::OCSP::BasicResponse.new cid = OpenSSL::OCSP::CertificateId.new(@cert, @ca_cert, OpenSSL::Digest::SHA1.new) |