author | Bartlomiej Grzelewski <b.grzelewski@samsung.com> | 2017-11-02 14:40:12 +0100 |
---|---|---|
committer | Bartlomiej Grzelewski <b.grzelewski@samsung.com> | 2017-11-02 19:33:38 +0100 |
commit | dbe42bca6a6c4b1c7a144ae01542c6a0d712131f (patch) | |
tree | 16e49196a57d5a7a66d8378dab95b5de4c294575 | |
parent | 6740dc3e28a85b06f9fffa4f0c9eb3e4b1d6e66d (diff) | |
OCSP implementation update (refs: submit/tizen/20171106.133424, accepted/tizen/unified/20171107.055250)
Add support for OCSP responses that do not contain
the issuer certificate.
Change-Id: I7fd5367c4c5f34c1d672fcf8506af6a2e9b9d2f7
-rw-r--r-- | src/manager/service/certificate-store.cpp | 8 | ||||
-rw-r--r-- | src/manager/service/ocsp.cpp | 10 |
2 files changed, 15 insertions, 3 deletions
diff --git a/src/manager/service/certificate-store.cpp b/src/manager/service/certificate-store.cpp
index f7ac84e3..871b8a9a 100644
--- a/src/manager/service/certificate-store.cpp
+++ b/src/manager/service/certificate-store.cpp
@@ -57,8 +57,8 @@ int CertificateStore::verifyCertificate(
 int ret;
 LogDebug("Certificate for verfication ptr: " << (void *)cert.getX509());
 LogDebug("Verfication with " << untrustedVector.size() <<
- " untrusted certificates" <<
- trustedVector.size() << "trusted certificates" <<
+ " untrusted certificates " <<
+ trustedVector.size() << " trusted certificates" <<
 " and system certificates set to: " <<
 useTrustedSystemCertificates);
 
@@ -108,6 +108,10 @@ int CertificateStore::verifyCertificate(
 int result = X509_verify_cert(csc.get());
 // 1 == ok; 0 == fail; -1 == error
 LogDebug("Openssl verification result: " << result);
+ if (result == 0) {
+ int error = X509_STORE_CTX_get_error(csc.get());
+ LogDebug("Verification error: " << X509_verify_cert_error_string(error));
+ }
 
 if (result > 0) {
 STACK_OF(X509) *chain = X509_STORE_CTX_get_chain(csc.get());
diff --git a/src/manager/service/ocsp.cpp b/src/manager/service/ocsp.cpp
index 8c430f56..dcccf2ac 100644
--- a/src/manager/service/ocsp.cpp
+++ b/src/manager/service/ocsp.cpp
@@ -319,7 +319,15 @@ int OCSPModule::ocsp_verify(X509 *cert, X509 *issuer,
 X509_STORE_add_cert(trustedStore, issuer);
 }
 
- int response = OCSP_basic_verify(bs, NULL, trustedStore, 0);
+ // Additional certificates to search for signer.
+ // OCSP response may not contain issuer certificate in this case
+ // we must pass it by 'other' certificates.
+ X509_STACK_PTR verifyOther = create_x509_stack();
+ sk_X509_push(verifyOther.get(), issuer);
+
+ int response = OCSP_basic_verify(bs, verifyOther.get(), trustedStore, 0);
+
+ verifyOther.reset();
 
 if (response <= 0) {
 OCSP_REQUEST_free(req);
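Review bot: The new diagnostic branch `if (result == 0)` never fires for the `-1 == error` outcome that the comment two lines above documents, and it does not say which certificate in the chain was rejected, which is the first thing needed when a failure is reported from the field. Widen the condition to `if (result <= 0)` and add the depth: `LogDebug("Verification error: " << X509_verify_cert_error_string(error) << " at depth " << X509_STORE_CTX_get_error_depth(csc.get()));`. On the -1 path the context error may still hold its default value, so the OpenSSL error queue is presumably the more useful source there — worth confirming against the OpenSSL version in use. verifyCertificate starts and ends outside this hunk.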
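Review bot: `sk_X509_push(verifyOther.get(), issuer)` stores the caller's `issuer` without taking a reference and its return value is unchecked, so whether `verifyOther.reset()` is safe depends entirely on how `create_x509_stack()` / `X509_STACK_PTR` (not visible here) dispose of the stack: a `sk_X509_pop_free`/`X509_free` deleter would free a certificate this function does not own, while a shallow `sk_X509_free` deleter is what this code needs. Either confirm the deleter is shallow or make ownership explicit with `X509_up_ref(issuer);` before the push, and treat a zero return from `sk_X509_push` as a verification failure instead of calling `OCSP_basic_verify` with an empty extra-cert stack. The new comment should also record why this does not widen trust — with flags 0, `OCSP_basic_verify` only treats `issuer` as a signer candidate and still chain-validates whichever signer it finds against `trustedStore`, e.g. `// 'other' certs are signer candidates only; the signer is still validated against trustedStore.` The earlier `X509_STORE_add_cert(trustedStore, issuer)` suggests `issuer` is guarded by a condition above the hunk; if it can be NULL here, pushing it would put a null entry in the stack. ocsp_verify's body begins and ends outside this hunk.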