The responseType indicates a large portion of the syntax of an OCSP
response message. At this stage we only support OCSP Basic, so this
change ensure that the parser returns a failure code if the
responseType does not match the OID id-pkix-ocsp-basic.
Add missing dependency checks to check_config.h and documentation to
config.h. Note that SHA-1 is required for OCSP as RFC 6960 Section
4.4.2 specifies that the ResponderID byKey is the SHA-1 hash of the
responder's public key. That is, without SHA-1 we might not be able to
tell who signed the OCSP response.
Assign the type of response_id used in the OCSP response ID is recorded
before the actual ID is initialised. In this way, if the initialisation
call to a Name ID fails, the function mbedtls_x509_ocsp_response_free()
calls the correct free() function on the response ID avoiding potential
memory leaks.
Add 1 to a temporary buffer in x509_ocsp_info_certs() which is used to
construct the printing prefix to write an informational string of the
OCSP response for the user. The additional element added to the buffer
contains the \0 character. The missing element would cause a heap
overread of 1 when concatenating the prefix string with itself.
Add missing return statement in x509_ocsp_get_response() that would
otherwise allow the code to continue executing even though a parsing
failure has already been found.
Add a check at the beginning of the function
mbedtls_x509_ocsp_response_free() to ensure that the pointer passed to
is not NULL. This prevent a NULL pointer dereference that could lead to
crashes.
The new MBEDTLS_X509_OCSP_PARSE_C is a feature macro that can be
controlled from the config.h file to enable/disable the OCSP X509
feature at compile time.
Relocate the new OCSP and CRL X509 related errors to x509.h as the
error message generation scripts cannot handle these anywhere else.
Also, update the error.c file with the new human-readable strings
for the OCSP and CRL errors.
This patch removes several bound checks that were redundant due to the
structure of the code in which each function parses the top-level
components of ASN.1 structures and helper functions parse the sub-
components.
In the case of x509_ocsp_get_response(), the parsing of the OCTET
STRING was moved to its caller function as the main job of
x509_ocsp_get_response() is to parse the BasicOCSPResponse structure,
so the OCTET STRING is considered a top-level component similar to an
EXPLICIT tag
Populate the function x509_ocsp_get_certs() to parse the OPTIONAL list
of certificates in the BasicOCSPResponse ASN.1 structure of the OCSP
response:
certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL
x509_ocsp_get_certs() only parses the SEQUENCE OF (the EXPLICIT tag is
parsed by the caller) and delegates the actual parsing of the
certificate to the x509_crt.c module.
NOTE: The parsing of certificates in x509_ocsp.c is currently very
inefficient in terms of space as x509_ocsp.c and x509_crt.c both make
an internal copy of the buffer passed to them. This will be optimised
in the future.
Populate the function x509_ocsp_get_sig_alg() that parses the
signatureAlgorithm from the BasicOCSPResponse ASN.1 structure. The
parsing is actually done by the preexisting functions:
* mbedtls_x509_get_alg()
* mbedtls_x509_get_sig_alg()
This is only placeholder code that does not actually check that the
extensions are at least well formed. Therefore, the function
x509_ocsp_get_extensions() has been marked as TODO.
Strictly speaking, the CRLReason is a concept imported from the CRL
profile defined in RFC 5280 Section 5.3.1. However, this is a CRL
extension that is not implemented in mbed TLS. Therefore, this patch
introduces the relevant macros with revocation reasons and error return
codes in x509_crt.h. Also the function x509_ocsp_get_crl_reason() to
parse the CRLReason. If necessary, this code can later be migrated to
x509_crl.c.
The CRL reason ASN1. structure is specified in RFC 5280 Section 5.3.1
as follows:
CRLReason ::= ENUMERATED {
unspecified (0),
keyCompromise (1),
cACompromise (2),
affiliationChanged (3),
superseded (4),
cessationOfOperation (5),
certificateHold (6),
-- value 7 is not used
removeFromCRL (8),
privilegeWithdrawn (9),
aACompromise (10) }
Populate the function x509_ocsp_get_revoked_info() with code to parse the
following ASN.1 structure:
RevokedInfo ::= SEQUENCE {
revocationTime GeneralizedTime,
revocationReason [0] EXPLICIT CRLReason OPTIONAL }
x509_ocsp_get_revoked_info() parses the top level SEQUENCE and the EXPLICIT
OPTIONAL tag, but delegates the parsing of GeneralizedTime and
CRL reason (if present) to x509_ocsp_get_generalized_time() and
x509_ocsp_get_crl_reason() respectively.
Populate the function x509_ocsp_get_cert_status() with code that parses
the following ASN.1 structure:
CertStatus ::= CHOICE {
good [0] IMPLICIT NULL,
revoked [1] IMPLICIT RevokedInfo,
unknown [2] IMPLICIT UnknownInfo }
x509_ocsp_get_cert_status() parses the top level CHOICE and IMPLICIT
components. In the case of status good and unknown, their value is both
expected to be NULL because according to RFC 6960 Section 4.2:
UnknownInfo ::= NULL
Therefore, no further parsing is needed here. In the case of status
revoked, the parsing of Revoked info is delegated to a helper function.
Populate the function x509_ocsp_get_cert_id() that parses the following
ASN.1 structure:
CertID ::= SEQUENCE {
hashAlgorithm AlgorithmIdentifier,
issuerNameHash OCTET STRING, -- Hash of issuer's DN
issuerKeyHash OCTET STRING, -- Hash of issuer's public key
serialNumber CertificateSerialNumber }
x509_ocsp_get_cert_id() parses the top-level SEQUENCE component and
calls the following helpers for the actual contents of the CertID:
* mbedtls_x509_get_md_alg(): Parses the hashAlgorithm
* x509_ocsp_get_octet_string(): Parses the OCTET STRINGs
issuerNameHash and issuerKeyHash, but does not actually check
that the length or hashes are actually correct or correspond
to the expected length given the hashAlgorithm
* mbedtls_x509_get_serial: Parses the serialNumber
Populate the function x509_ocsp_get_single_response() that parses the
following ASN.1 structure:
SingleResponse ::= SEQUENCE {
certID CertID,
certStatus CertStatus,
thisUpdate GeneralizedTime,
nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL,
singleExtensions [1] EXPLICIT Extensions OPTIONAL }
x509_ocsp_get_single_response() parses the top-level SEQUENCE and the
two explicit tags. Note that the tagged values at the end of the
SingleResponse are optional so this function takes care of the
following cases using a switch statement:
* nextUpdate only
* nextUpdate followed by SingleExtensions
* singleExtensions only
Populate the function x509_ocsp_get_responses() that parses the
SEQUENCE OF tag in a BasicOCSPResponse. The function also calls its
helper function x509_ocsp_get_single_response() for each of the
SingleResponse(s) contained. Note that for each SingleResponse,
x509_ocsp_get_responses() must allocate a new internal struct
mbedtls_x509_ocsp_single_response where the parsed data will be
stored.
This change also populates the mbedtls_x509_ocsp_single_response
with the necessary values as specified by RFC 6960 Section 4.1.1.
Add a wrapper around the function mbedtls_x509_get_time() to ensure
that only GeneralizedTime tags are parsed. This is necesary for
parsing OCSP responses as the RFC 6960 demands that all time-related
components be in GeneralizedTime format.
Populate the function x509_ocsp_get_responder_id() with code that
parses the following X.509 structure:
ResponderID ::= CHOICE {
byName [1] Name,
byKey [2] KeyHash }
KeyHash ::= OCTET STRING -- SHA-1 hash of responder's public key
(excluding the tag and length fields)
Note that here the name is parsed by the helper function
mbedtls_x509_get_name() and the KeyHash's bounds are checked but we
do not ensure that the hash is of the correct length.
Populate the function x509_ocsp_get_response_data() with code that
parses the following ASN.1 structure:
ResponseData ::= SEQUENCE {
version [0] EXPLICIT Version DEFAULT v1,
responderID ResponderID,
producedAt GeneralizedTime,
responses SEQUENCE OF SingleResponse,
responseExtensions [1] EXPLICIT Extensions OPTIONAL }
x509_ocsp_get_response_data() will parse the top-level SEQUENCE and the
two EXPLICIT tags. It delegates the parsing of the individual
subcomponents to x509_ocsp_get_version(), x509_ocsp_get_responder_id(),
x509_ocsp_get_generalized_time(), x509_ocsp_get_responses() and
x509_ocsp_get_extensions().
Populate the function x509_ocsp_get_response() that parses the top
level components of the following ASN.1 structure:
BasicOCSPResponse ::= SEQUENCE {
tbsResponseData ResponseData,
signatureAlgorithm AlgorithmIdentifier,
signature BIT STRING,
certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
The top-level components correspond to the main SEQUENCE and the
EXPLICIT tag.
The added code removed the SEQUENCE component from the following ASN.1
structure:
ResponseBytes ::= SEQUENCE {
responseType OBJECT IDENTIFIER,
response OCTET STRING }
The parsing for responseType and response is delegated to
x509_ocsp_get_response_type() and x509_ocsp_get_response() respectively.
Populate the function x509_ocsp_get_response_status() that parses the
OCSPResponseStatus:
OCSPResponseStatus ::= ENUMERATED {
successful (0), -- Response has valid confirmations
malformedRequest (1), -- Illegal confirmation request
internalError (2), -- Internal error in issuer
tryLater (3), -- Try again later
-- (4) is not used
sigRequired (5), -- Must sign the request
unauthorized (6) -- Request unauthorized
}
The function writes the value into the resp_status field of the
mbedtls_x509_ocsp_response struct.
Add parsing for the OCSPResponse top level components:
OCSPResponse ::= SEQUENCE {
responseStatus OCSPResponseStatus,
responseBytes [0] EXPLICIT ResponseBytes OPTIONAL }
The added code does the following:
1. Parse the top level SEQUENCE
2. Call x509_ocsp_get_response_status() which will parse the
responseStatus in the future
3. If there is any data left in the buffer, parses the EXPLICIT
tag and calls x509_ocsp_get_response_bytes() which will parse
the responseBytes in the future
At this stage, the main framework for the code is being set up. The idea
is that each function will parse the top level components of the ASN1
objects and hand over the parsing of each of the individual
sub-components to other functions. Also, note that each function its
responsible for checking that:
1. At the begining, there is enough space in the buffer p to parse
whatever is being processed before end.
2. Prior to returning, the length specified in the ASN1 encoding
matches the number of bytes consumed from the buffer p.
3. The lengths of any intermediate sub-components (such as EXPLICIT
tags) parsed matches the number of bytes consumed by the called
functions x509_ocsp_get_*().
OCSP by itself is a protocol between an OCSP responder and a client.
The protocol messages are encoded in X.509 format, so I have created
the place-holder files x509_ocsp.c and x509_ocsp.h that will contain
the X.509 parser and verification for OCSP messages.
