Idenfity relationship between OCSP issuer and cert

Add code to identify the relationship between the OCSP request issuer certificate and the certificate whose status was requested. According to RFC 6960 Section 4.2.2.2 the OCSP response issuer can be: 1. A locally configured signing authority. - This has not been implemented at this stage 2. The certificate of the CA that issued the certificate in question 3. A certificate that includes the value of id-kp-OCSPSigning in an extended key usage extension and is issued by the CA that issued the certificate in question Note that at this stage the relationship between the certificates has only been validated based on the information supplied within the OCSP response.
2026-04-06 04:25:43 +02:00 · 2017-11-11 11:53:49 +00:00
parent 9dc28c0357
commit d48a4a62dd
1 changed files with 58 additions and 0 deletions
--- a/library/x509_ocsp.c
+++ b/library/x509_ocsp.c
@@ -1429,6 +1429,64 @@ static int x509_ocsp_verify_response_issuer(
                                mbedtls_x509_crt *issuer,
                                uint32_t *flags )
 {
+    int ret;
+    int is_parent = 0;
+    mbedtls_x509_crt *parent;
+
+    /* Check whether the issuer is the parent of the requested certificate */
+    if( ( ret = x509_ocsp_is_parent_crt( single_resp, issuer,
+                                                        &is_parent ) ) != 0 )
+    {
+        return( ret );
+    }
+    else if( is_parent != 0 )
+    {
+        /*
+         * Condition 2 has been met, try to build a chain of trust from the
+         * crt upwards
+         */
+        // TODO
+    }
+
+    /* Check that the issuer includes the value of id-kp-OCSPSigning */
+    // TODO
+
+    /*
+     * Try to find the parent of the requested certificate.
+     *
+     * TODO: Currently we try to locate the parent in the untrusted chain,
+     * and the trust_ca chain. Should we also look in the OCSP response's
+     * certs list? RFC 6960 Section 4.2.1 states that "the responder MAY
+     * include certificates in the certs field of BasicOCSPResponse that
+     * help the OCSP client verify the responder's signature". Strictly
+     * speaking we do notuse the parent to directly verify the response's,
+     * so we do not search the parent
+     */
+    if( ( ret = x509_ocsp_find_parent_crt( single_resp, chain,
+                                                            &parent ) ) != 0 )
+    {
+        return( ret );
+    }
+    else if( parent == NULL )
+    {
+        if( ( ret = x509_ocsp_find_parent_crt( single_resp, trust_ca,
+                                                            &parent ) ) != 0 )
+        {
+            return( ret );
+        }
+        else if( parent == NULL )
+        {
+            *flags |= MBEDTLS_X509_BADOCSP_RESPONSE_ISSUER_NOT_TRUSTED;
+            return( 0 );
+        }
+    }
+
+    /*
+     * Condition 3 has been met, try to build a chain of trust from the
+     * issuer upwards and verify that *parent is the parent of crt
+     */
+    // TODO
+
    return( 0 );
 }