Merge pull request #9834 from padelsbach/padelsbach/finding-23

Fix OCSP->CRL fallback

Author: douzzer

.gitignore

@@ -488,3 +488,6 @@ AGENTS.md
 
 # Code navigation files
 compile_commands.json
+
+# Python cache
+__pycache__/

certs/crl/gencrls.sh

@@ -241,4 +241,17 @@ openssl crl -in extra-crls/large_crlnum2.pem -text > tmp
 check_result $?
 mv tmp extra-crls/large_crlnum2.pem
 
+# OCSP root-ca CRL (empty, no revocations)
+cp blank.index.txt demoCA/index.txt
+
+echo "Step 31"
+openssl ca -config ../renewcerts/wolfssl.cnf -gencrl -crldays 1000 -out ../ocsp/root-ca-crl.pem -keyfile ../ocsp/root-ca-key.pem -cert ../ocsp/root-ca-cert.pem
+check_result $?
+
+# metadata
+echo "Step 32"
+openssl crl -in ../ocsp/root-ca-crl.pem -text > tmp
+check_result $?
+mv tmp ../ocsp/root-ca-crl.pem
+
 exit 0

certs/ocsp/include.am

@@ -23,6 +23,7 @@ EXTRA_DIST += \
         certs/ocsp/ocsp-responder-cert.pem \
         certs/ocsp/server1-key.pem \
         certs/ocsp/server1-cert.pem \
+        certs/ocsp/server1-chain-noroot.pem \
         certs/ocsp/server2-key.pem \
         certs/ocsp/server2-cert.pem \
         certs/ocsp/server3-key.pem \
@@ -33,6 +34,7 @@ EXTRA_DIST += \
         certs/ocsp/server5-cert.pem \
         certs/ocsp/root-ca-key.pem \
         certs/ocsp/root-ca-cert.pem \
+        certs/ocsp/root-ca-crl.pem \
         certs/ocsp/test-response.der \
         certs/ocsp/test-response-rsapss.der \
         certs/ocsp/test-response-nointern.der \

certs/ocsp/renewcerts.sh

@@ -89,6 +89,11 @@ update_cert server3          "www3.wolfssl.com"                intermediate2-ca
 update_cert server4          "www4.wolfssl.com"                intermediate2-ca v3_req2 08 # REVOKED
 update_cert server5          "www5.wolfssl.com"                intermediate3-ca v3_req3 09
 
+# server1-chain-noroot.pem: server1 + intermediate1 without root-ca
+# (used by tests that need a chain where the root is not sent by the server)
+head -n "$(grep -n 'END CERTIFICATE' server1-cert.pem | head -2 | tail -1 | cut -d: -f1)" server1-cert.pem > server1-chain-noroot.pem
+check_result $? ""
+
 # Create response DER buffer for test
 openssl ocsp -port 22221 -ndays 1000 -index index-ca-and-intermediate-cas.txt -rsigner ocsp-responder-cert.pem -rkey ocsp-responder-key.pem -CA root-ca-cert.pem -partial_chain &
 PID=$!

certs/ocsp/root-ca-crl.pem

@@ -0,0 +1,13 @@
+-----BEGIN X509 CRL-----
+MIIB8TCB2gIBATANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMxEzARBgNV
+BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT
+U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NMIHJvb3Qg
+Q0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20XDTI2MDIyNTE5NTQx
+MloXDTM2MDIyMzE5NTQxMlqgDjAMMAoGA1UdFAQDAgEBMA0GCSqGSIb3DQEBCwUA
+A4IBAQB25t9Aca9CcNe95wh1Wnbh5iy/bia5+uRgZjc1aj/fylr8hRyWtOJZlG+S
+zfNBgqIAvwRVi/Tc8YPhW9Lae5q8Fm3yxoNPLXtjLr+zaDdyvmLxktL+KxlipV94
+UkJfriy3AwsyGtPAL59ziBnJss8MtymrNWO8tRklWQTj10esMZioiJ1DjaiujV3Q
+oivVpWT7CiyzL8/mcBDcLhoFwJzgJS8Wz1gWXW91LSKIZdC9QLs7dAml7lHj8P6r
+5t/0KDjcitESALpgvrOYTbloUr9vQbklWuiQtmV4m0mqjrdci0DJdi9+00AHI0Cx
+Khl2ffvl7QFIATotVj6EKb3FgKhd
+-----END X509 CRL-----

certs/ocsp/server1-chain-noroot.pem

@@ -0,0 +1,58 @@
+-----BEGIN CERTIFICATE-----
+MIIE7jCCA9agAwIBAgIBBTANBgkqhkiG9w0BAQsFADCBoTELMAkGA1UEBhMCVVMx
+EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM
+B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSIwIAYDVQQDDBl3b2xmU1NM
+IGludGVybWVkaWF0ZSBDQSAxMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu
+Y29tMB4XDTI1MTExMzIwNDEzNloXDTI4MDgwOTIwNDEzNlowgZgxCzAJBgNVBAYT
+AlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYD
+VQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEZMBcGA1UEAwwQd3d3
+MS53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOaWVXXPipdojLY49noFvjO2
+UUc3ivfbkb6Sa7cAjPLFJG4Y6ZIAgQHcs0woqbeA8ZbPI3ovrvjjDy3TXiPn20yy
+XYkWF76+gdv7Em0oSxCgEgQnwcnQeZXv6I2MWZtOcn28SSsiTvhP4gzx6emX+d+M
+WgqqOB1DBKOniaHig6RLtU5FiKYiXaypWGeIwdVh770RBSeUR7szpYrK7h+NwG4k
+r83Kv4BHcZWsqfFdI2z1S7Sp4cRm++XEoZ+nUdF4zS60Py7igvN/xKf0Mc92Jz/b
+LtJuw0cjgqNIQIynwRPwY1BUQ/ZxEuFvpXpYJvf9iztwGKBDugFrs/jVvgUTZDEC
+AwEAAaOCATYwggEyMAkGA1UdEwQCMAAwHQYDVR0OBBYEFMxVFQDiRImSY20QXbme
+c7ZdOhnKMIHEBgNVHSMEgbwwgbmAFIPGOoksgfQC151M4irAcYJkRNoOoYGdpIGa
+MIGXMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwH
+U2VhdHRsZTEQMA4GA1UECgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5lZXJpbmcx
+GDAWBgNVBAMMD3dvbGZTU0wgcm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3
+b2xmc3NsLmNvbYIBATALBgNVHQ8EBAMCBeAwMgYIKwYBBQUHAQEEJjAkMCIGCCsG
+AQUFBzABhhZodHRwOi8vMTI3LjAuMC4xOjIyMjIxMA0GCSqGSIb3DQEBCwUAA4IB
+AQBZVHFAYgrl8GELqy6w3SNRK3u/VHEpTeKUEuzEOhgA2GZTvPk5DroQWfWMWE3d
+NVX6fUEtehkfqMQRz6eOQ9KYm8DbeSAj9SiVLgartP6pDJHGMh01LouFr6ghQBTn
+gnHcB6O7hFwfHGpHSgEnBdReToInidg2iv4P2absHzgKJk+/WBJmcTNjxKEjA1je
+bUymC8YqiV7CjFYvxAFe7wjJfjWfI/3+85YzS1kEO4AGGY5KHCSnpBcSMriG63Kc
+2Ni6GQ6chwdBEoYo8CWFU1H02RvKUmeYTLOMsm/Hxx24S4Brhhdu5/opwqCPtsOy
+p/wK7eMUb4BBVJMV2Y8KTB4V
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIE8DCCA9igAwIBAgIBATANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx
+EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM
+B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM
+IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjUx
+MTEzMjA0MTM0WhcNMjgwODA5MjA0MTM0WjCBoTELMAkGA1UEBhMCVVMxEzARBgNV
+BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT
+U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSIwIAYDVQQDDBl3b2xmU1NMIGludGVy
+bWVkaWF0ZSBDQSAxMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3rTIXHfgLbH1ua0WRzWgNWVl
+xuFAqx60uRO3y4y7d6V22m2Hh/ZKTRPkJj4nh+5bx2o/RTBhVVz2NdFl+pgRo6dV
+1b6Rgkv8vpDWUFNjmiwi4TUR3HgCl4rkRpKcUwh23h9TtrjKdz55brzQ4w0wW0z2
+lA0wKWSfBOXb+4lgZ7uvJoNRdyQvKwuhlIEQmOjrJqgefOTEbGcGlVVK3VL08mBt
+ASsZkTVtpAhHBnEkANnexlbzi1Ms4pqWpfNi5cTjI/LS/CHqD2J2jdWZSM7cWMS7
+f9qULIB0g8XgsBV+Qf0O8vTweHZ7rSYNqkiWFy8h45UrJjf5qoAv/t72XryXfwID
+AQABo4IBOTCCATUwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUg8Y6iSyB9ALXnUzi
+KsBxgmRE2g4wgcQGA1UdIwSBvDCBuYAUc7AcpC+Cy89HpTjXsASCOn5yFSGhgZ2k
+gZowgZcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQH
+DAdTZWF0dGxlMRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmlu
+ZzEYMBYGA1UEAwwPd29sZlNTTCByb290IENBMR8wHQYJKoZIhvcNAQkBFhBpbmZv
+QHdvbGZzc2wuY29tggFjMAsGA1UdDwQEAwIBBjAyBggrBgEFBQcBAQQmMCQwIgYI
+KwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6MjIyMjAwDQYJKoZIhvcNAQELBQAD
+ggEBAHfsiTfUNS4k/dLe2ZiHvlKutdT2EzQSLPB4mAef9+R2327rl8cDo+YVbuKU
+FmvtWalKEKDMwmF4x/scBEogwfyUxpmwOowvK30VMFPHm3NUb00WpqstilFwHxuO
+YAtWi/KUAf2BX3PL7V7MSnHBqRrXxytaZgJ32hDoRUKgfO94/90I9oQvQfUYyaJI
+0V22pE0yr4NduWTsQOliOO8b0Y7J6P2z6OGh2hYeJjyCNsuNgGczyjC/kwPInL6i
+b6p8diQ9Bpmrp/4S89v9oIq1DcGckLfKfm37/yrD/nyfQejCf0/6S0nEoNC8/Tg0
+Iv/Vg3lwf2wwja2T+7h3ATSvzA4=
+-----END CERTIFICATE-----

src/internal.c

@@ -15954,7 +15954,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
                     if (ret == WC_NO_ERR_TRACE(WC_PENDING_E))
                         goto exit_ppc;
                 #endif
-                    if (ret == 0) {
+                    if (ret == 0 || ret == WC_NO_ERR_TRACE(OCSP_CERT_UNKNOWN)) {
                         ret = ProcessPeerCertCheckKey(ssl, args);
                     }
                     else if (ret == WC_NO_ERR_TRACE(ASN_PARSE_E) ||
@@ -16052,7 +16052,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
                     }
                 #endif /* HAVE_OCSP */
 
-                    if (ret == 0) {
+                    if (ret == 0 || ret == WC_NO_ERR_TRACE(OCSP_CERT_UNKNOWN)) {
                 #ifdef HAVE_CRL
                         if (SSL_CM(ssl)->crlEnabled &&
                                 SSL_CM(ssl)->crlCheckAll) {
@@ -16593,7 +16593,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
                 #endif /* HAVE_OCSP */
 
                 #ifdef HAVE_CRL
-                    if (ret == 0 && doLookup && SSL_CM(ssl)->crlEnabled) {
+                    if ((ret == 0 || ret == WC_NO_ERR_TRACE(OCSP_CERT_UNKNOWN))
+                            && doLookup && SSL_CM(ssl)->crlEnabled) {
                         WOLFSSL_MSG("Doing Leaf CRL check");
                         ret = CheckCertCRL(SSL_CM(ssl)->crl, args->dCert);
                     #ifdef WOLFSSL_NONBLOCK_OCSP
@@ -16621,7 +16622,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
                         #endif
                         }
                     }
-                    if (ret == 0 && doLookup && SSL_CM(ssl)->crlEnabled &&
+                    if ((ret == 0 || ret == WC_NO_ERR_TRACE(OCSP_CERT_UNKNOWN))
+                            && doLookup && SSL_CM(ssl)->crlEnabled &&
                             SSL_CM(ssl)->crlCheckAll && args->totalCerts == 1) {
                         /* Check the entire cert chain */
                         if (args->dCert->ca != NULL) {

tests/api.c

@@ -33409,6 +33409,8 @@ TEST_CASE testCases[] = {
     TEST_DECL(test_ocsp_response_parsing),
     TEST_DECL(test_ocsp_certid_enc_dec),
     TEST_DECL(test_ocsp_tls_cert_cb),
+    TEST_DECL(test_ocsp_cert_unknown_crl_fallback),
+    TEST_DECL(test_ocsp_cert_unknown_crl_fallback_nonleaf),
     TEST_TLS_DECLS,
     TEST_DECL(test_wc_DhSetNamedKey),
     /* This test needs to stay at the end to clean up any caches allocated. */

tests/api/create_ocsp_test_blobs.py

@@ -126,6 +126,10 @@ def cert_status(value: int) -> rfc6960.CertStatus:
         revoked['revocationTime'] = useful.GeneralizedTime().fromDateTime(
             datetime.now() - timedelta(days=1))
         cs['revoked'] = revoked
+    elif value == CERT_UNKNOWN:
+        unknown = rfc6960.UnknownInfo('').subtype(implicitTag=tag.Tag(
+            tag.tagClassContext, tag.tagFormatSimple, 2))
+        cs['unknown'] = unknown
 
     return cs
 
@@ -444,6 +448,38 @@ def create_bad_response(rd: dict) -> bytes:
             'responder_key': WOLFSSL_OCSP_CERT_PATH + 'ocsp-responder-key.pem',
             'name': 'resp_root_ca_cert'
         },
+        {
+            'response_status': 0,
+            'signature_algorithm': signature_algorithm(),
+            'certs_path': [WOLFSSL_OCSP_CERT_PATH + 'root-ca-cert.pem'],
+            'responder_by_name': True,
+            'responder_cert': WOLFSSL_OCSP_CERT_PATH + 'root-ca-cert.pem',
+            'responses': [
+                {
+                    'issuer_cert': WOLFSSL_OCSP_CERT_PATH + 'root-ca-cert.pem',
+                    'serial': 0x01,
+                    'status': CERT_UNKNOWN
+                }
+            ],
+            'responder_key': WOLFSSL_OCSP_CERT_PATH + 'root-ca-key.pem',
+            'name': 'resp_cert_unknown'
+        },
+        {
+            'response_status': 0,
+            'signature_algorithm': signature_algorithm(),
+            'certs_path': [WOLFSSL_OCSP_CERT_PATH + '../ca-cert.pem'],
+            'responder_by_name': True,
+            'responder_cert': WOLFSSL_OCSP_CERT_PATH + '../ca-cert.pem',
+            'responses': [
+                {
+                    'issuer_cert': WOLFSSL_OCSP_CERT_PATH + '../ca-cert.pem',
+                    'serial': 0x01,
+                    'status': CERT_UNKNOWN
+                }
+            ],
+            'responder_key': WOLFSSL_OCSP_CERT_PATH + '../ca-key.pem',
+            'name': 'resp_server_cert_unknown'
+        },
     ]
 
     with open('./tests/api/test_ocsp_test_blobs.h', 'w') as f: