mirror of
git://git.gnupg.org/gnupg.git
synced 2025-01-10 13:04:23 +01:00
c091816b4a
* dirmngr/dirmngr.h (opt): Add field "use_tor". * dirmngr/dirmngr.c (oUseTor): New. (opts): Add --use-tor. (parse_rereadable_options): Set option. (main): Tell gpgconf about that option. * dirmngr/crlfetch.c (crl_fetch): Pass TOR flag to the http module and return an error if LDAP is used in TOR mode. (ca_cert_fetch): Return an error in TOR mode. (start_cert_fetch): Ditto. * dirmngr/ks-engine-finger.c (ks_finger_fetch): Pass TOR flag to the http module. * dirmngr/ks-engine-hkp.c (send_request): Ditto. * dirmngr/ks-engine-http.c (ks_http_fetch): Ditto. * dirmngr/ks-engine-ldap.c (ks_ldap_get): Return an error in TOR mode. (ks_ldap_search): Ditto. (ks_ldap_put): Ditto. * dirmngr/ocsp.c (do_ocsp_request): Ditto. Also pass TOR flag to the http module. * dirmngr/server.c (option_handler): Add "honor-keyserver-url-used". (cmd_dns_cert): Return an error in TOR mode. (cmd_getinfo): Add subcommand "tor" * tools/gpgconf-comp.c (gc_options_dirmngr): Add TOR group. -- More work is required to actually make --use-tor useful. For now it returns an error for almost all network access but as soon as we have added the TOR feature to the http module some parts will start to work. Signed-off-by: Werner Koch <wk@gnupg.org>
806 lines
25 KiB
C
806 lines
25 KiB
C
/* ocsp.c - OCSP management
|
|
* Copyright (C) 2004, 2007 g10 Code GmbH
|
|
*
|
|
* This file is part of DirMngr.
|
|
*
|
|
* DirMngr is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License as published by
|
|
* the Free Software Foundation; either version 2 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* DirMngr is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with this program; if not, write to the Free Software
|
|
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
|
|
*/
|
|
|
|
#include <config.h>
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <errno.h>
|
|
#include <assert.h>
|
|
|
|
#include "dirmngr.h"
|
|
#include "misc.h"
|
|
#include "http.h"
|
|
#include "validate.h"
|
|
#include "certcache.h"
|
|
#include "ocsp.h"
|
|
|
|
/* The maximum size we allow as a response from an OCSP reponder. */
|
|
#define MAX_RESPONSE_SIZE 65536
|
|
|
|
|
|
static const char oidstr_ocsp[] = "1.3.6.1.5.5.7.48.1";
|
|
|
|
|
|
/* Telesec attribute used to implement a positive confirmation.
|
|
|
|
CertHash ::= SEQUENCE {
|
|
HashAlgorithm AlgorithmIdentifier,
|
|
certificateHash OCTET STRING }
|
|
*/
|
|
static const char oidstr_certHash[] = "1.3.36.8.3.13";
|
|
|
|
|
|
|
|
|
|
/* Read from FP and return a newly allocated buffer in R_BUFFER with the
|
|
entire data read from FP. */
|
|
static gpg_error_t
|
|
read_response (estream_t fp, unsigned char **r_buffer, size_t *r_buflen)
|
|
{
|
|
gpg_error_t err;
|
|
unsigned char *buffer;
|
|
size_t bufsize, nbytes;
|
|
|
|
*r_buffer = NULL;
|
|
*r_buflen = 0;
|
|
|
|
bufsize = 4096;
|
|
buffer = xtrymalloc (bufsize);
|
|
if (!buffer)
|
|
return gpg_error_from_errno (errno);
|
|
|
|
nbytes = 0;
|
|
for (;;)
|
|
{
|
|
unsigned char *tmp;
|
|
size_t nread = 0;
|
|
|
|
assert (nbytes < bufsize);
|
|
nread = es_fread (buffer+nbytes, 1, bufsize-nbytes, fp);
|
|
if (nread < bufsize-nbytes && es_ferror (fp))
|
|
{
|
|
err = gpg_error_from_errno (errno);
|
|
log_error (_("error reading from responder: %s\n"),
|
|
strerror (errno));
|
|
xfree (buffer);
|
|
return err;
|
|
}
|
|
if ( !(nread == bufsize-nbytes && !es_feof (fp)))
|
|
{ /* Response succesfully received. */
|
|
nbytes += nread;
|
|
*r_buffer = buffer;
|
|
*r_buflen = nbytes;
|
|
return 0;
|
|
}
|
|
|
|
nbytes += nread;
|
|
|
|
/* Need to enlarge the buffer. */
|
|
if (bufsize >= MAX_RESPONSE_SIZE)
|
|
{
|
|
log_error (_("response from server too large; limit is %d bytes\n"),
|
|
MAX_RESPONSE_SIZE);
|
|
xfree (buffer);
|
|
return gpg_error (GPG_ERR_TOO_LARGE);
|
|
}
|
|
|
|
bufsize += 4096;
|
|
tmp = xtryrealloc (buffer, bufsize);
|
|
if (!tmp)
|
|
{
|
|
err = gpg_error_from_errno (errno);
|
|
xfree (buffer);
|
|
return err;
|
|
}
|
|
buffer = tmp;
|
|
}
|
|
}
|
|
|
|
|
|
/* Construct an OCSP request, send it to the configured OCSP responder
|
|
and parse the response. On success the OCSP context may be used to
|
|
further process the reponse. */
|
|
static gpg_error_t
|
|
do_ocsp_request (ctrl_t ctrl, ksba_ocsp_t ocsp, gcry_md_hd_t md,
|
|
const char *url, ksba_cert_t cert, ksba_cert_t issuer_cert)
|
|
{
|
|
gpg_error_t err;
|
|
unsigned char *request, *response;
|
|
size_t requestlen, responselen;
|
|
http_t http;
|
|
ksba_ocsp_response_status_t response_status;
|
|
const char *t;
|
|
int redirects_left = 2;
|
|
char *free_this = NULL;
|
|
|
|
(void)ctrl;
|
|
|
|
if (opt.use_tor)
|
|
{
|
|
/* For now we do not allow OCSP via TOR due to possible privacy
|
|
concerns. Needs further research. */
|
|
log_error (_("OCSP request not possible due to TOR mode\n"));
|
|
return gpg_error (GPG_ERR_NOT_SUPPORTED);
|
|
}
|
|
|
|
if (opt.disable_http)
|
|
{
|
|
log_error (_("OCSP request not possible due to disabled HTTP\n"));
|
|
return gpg_error (GPG_ERR_NOT_SUPPORTED);
|
|
}
|
|
|
|
err = ksba_ocsp_add_target (ocsp, cert, issuer_cert);
|
|
if (err)
|
|
{
|
|
log_error (_("error setting OCSP target: %s\n"), gpg_strerror (err));
|
|
return err;
|
|
}
|
|
|
|
{
|
|
size_t n;
|
|
unsigned char nonce[32];
|
|
|
|
n = ksba_ocsp_set_nonce (ocsp, NULL, 0);
|
|
if (n > sizeof nonce)
|
|
n = sizeof nonce;
|
|
gcry_create_nonce (nonce, n);
|
|
ksba_ocsp_set_nonce (ocsp, nonce, n);
|
|
}
|
|
|
|
err = ksba_ocsp_build_request (ocsp, &request, &requestlen);
|
|
if (err)
|
|
{
|
|
log_error (_("error building OCSP request: %s\n"), gpg_strerror (err));
|
|
return err;
|
|
}
|
|
|
|
once_more:
|
|
err = http_open (&http, HTTP_REQ_POST, url, NULL, NULL,
|
|
((opt.honor_http_proxy? HTTP_FLAG_TRY_PROXY:0)
|
|
| (opt.use_tor? HTTP_FLAG_FORCE_TOR:0)),
|
|
ctrl->http_proxy, NULL, NULL, NULL);
|
|
if (err)
|
|
{
|
|
log_error (_("error connecting to '%s': %s\n"), url, gpg_strerror (err));
|
|
xfree (free_this);
|
|
return err;
|
|
}
|
|
|
|
es_fprintf (http_get_write_ptr (http),
|
|
"Content-Type: application/ocsp-request\r\n"
|
|
"Content-Length: %lu\r\n",
|
|
(unsigned long)requestlen );
|
|
http_start_data (http);
|
|
if (es_fwrite (request, requestlen, 1, http_get_write_ptr (http)) != 1)
|
|
{
|
|
err = gpg_error_from_errno (errno);
|
|
log_error ("error sending request to '%s': %s\n", url, strerror (errno));
|
|
http_close (http, 0);
|
|
xfree (request);
|
|
xfree (free_this);
|
|
return err;
|
|
}
|
|
xfree (request);
|
|
request = NULL;
|
|
|
|
err = http_wait_response (http);
|
|
if (err || http_get_status_code (http) != 200)
|
|
{
|
|
if (err)
|
|
log_error (_("error reading HTTP response for '%s': %s\n"),
|
|
url, gpg_strerror (err));
|
|
else
|
|
{
|
|
switch (http_get_status_code (http))
|
|
{
|
|
case 301:
|
|
case 302:
|
|
{
|
|
const char *s = http_get_header (http, "Location");
|
|
|
|
log_info (_("URL '%s' redirected to '%s' (%u)\n"),
|
|
url, s?s:"[none]", http_get_status_code (http));
|
|
if (s && *s && redirects_left-- )
|
|
{
|
|
xfree (free_this); url = NULL;
|
|
free_this = xtrystrdup (s);
|
|
if (!free_this)
|
|
err = gpg_error_from_errno (errno);
|
|
else
|
|
{
|
|
url = free_this;
|
|
http_close (http, 0);
|
|
goto once_more;
|
|
}
|
|
}
|
|
else
|
|
err = gpg_error (GPG_ERR_NO_DATA);
|
|
log_error (_("too many redirections\n"));
|
|
}
|
|
break;
|
|
|
|
default:
|
|
log_error (_("error accessing '%s': http status %u\n"),
|
|
url, http_get_status_code (http));
|
|
err = gpg_error (GPG_ERR_NO_DATA);
|
|
break;
|
|
}
|
|
}
|
|
http_close (http, 0);
|
|
xfree (free_this);
|
|
return err;
|
|
}
|
|
|
|
err = read_response (http_get_read_ptr (http), &response, &responselen);
|
|
http_close (http, 0);
|
|
if (err)
|
|
{
|
|
log_error (_("error reading HTTP response for '%s': %s\n"),
|
|
url, gpg_strerror (err));
|
|
xfree (free_this);
|
|
return err;
|
|
}
|
|
|
|
err = ksba_ocsp_parse_response (ocsp, response, responselen,
|
|
&response_status);
|
|
if (err)
|
|
{
|
|
log_error (_("error parsing OCSP response for '%s': %s\n"),
|
|
url, gpg_strerror (err));
|
|
xfree (response);
|
|
xfree (free_this);
|
|
return err;
|
|
}
|
|
|
|
switch (response_status)
|
|
{
|
|
case KSBA_OCSP_RSPSTATUS_SUCCESS: t = "success"; break;
|
|
case KSBA_OCSP_RSPSTATUS_MALFORMED: t = "malformed"; break;
|
|
case KSBA_OCSP_RSPSTATUS_INTERNAL: t = "internal error"; break;
|
|
case KSBA_OCSP_RSPSTATUS_TRYLATER: t = "try later"; break;
|
|
case KSBA_OCSP_RSPSTATUS_SIGREQUIRED: t = "must sign request"; break;
|
|
case KSBA_OCSP_RSPSTATUS_UNAUTHORIZED: t = "unauthorized"; break;
|
|
case KSBA_OCSP_RSPSTATUS_REPLAYED: t = "replay detected"; break;
|
|
case KSBA_OCSP_RSPSTATUS_OTHER: t = "other (unknown)"; break;
|
|
case KSBA_OCSP_RSPSTATUS_NONE: t = "no status"; break;
|
|
default: t = "[unknown status]"; break;
|
|
}
|
|
if (response_status == KSBA_OCSP_RSPSTATUS_SUCCESS)
|
|
{
|
|
if (opt.verbose)
|
|
log_info (_("OCSP responder at '%s' status: %s\n"), url, t);
|
|
|
|
err = ksba_ocsp_hash_response (ocsp, response, responselen,
|
|
HASH_FNC, md);
|
|
if (err)
|
|
log_error (_("hashing the OCSP response for '%s' failed: %s\n"),
|
|
url, gpg_strerror (err));
|
|
}
|
|
else
|
|
{
|
|
log_error (_("OCSP responder at '%s' status: %s\n"), url, t);
|
|
err = gpg_error (GPG_ERR_GENERAL);
|
|
}
|
|
|
|
xfree (response);
|
|
xfree (free_this);
|
|
return err;
|
|
}
|
|
|
|
|
|
/* Validate that CERT is indeed valid to sign an OCSP response. If
|
|
SIGNER_FPR_LIST is not NULL we simply check that CERT matches one
|
|
of the fingerprints in this list. */
|
|
static gpg_error_t
|
|
validate_responder_cert (ctrl_t ctrl, ksba_cert_t cert,
|
|
fingerprint_list_t signer_fpr_list)
|
|
{
|
|
gpg_error_t err;
|
|
char *fpr;
|
|
|
|
if (signer_fpr_list)
|
|
{
|
|
fpr = get_fingerprint_hexstring (cert);
|
|
for (; signer_fpr_list && strcmp (signer_fpr_list->hexfpr, fpr);
|
|
signer_fpr_list = signer_fpr_list->next)
|
|
;
|
|
if (signer_fpr_list)
|
|
err = 0;
|
|
else
|
|
{
|
|
log_error (_("not signed by a default OCSP signer's certificate"));
|
|
err = gpg_error (GPG_ERR_BAD_CA_CERT);
|
|
}
|
|
xfree (fpr);
|
|
}
|
|
else if (opt.system_daemon)
|
|
{
|
|
err = validate_cert_chain (ctrl, cert, NULL, VALIDATE_MODE_OCSP, NULL);
|
|
}
|
|
else
|
|
{
|
|
/* We avoid duplicating the entire certificate validation code
|
|
from gpgsm here. Because we have no way calling back to the
|
|
client and letting it compute the validity, we use the ugly
|
|
hack of telling the client that the response will only be
|
|
valid if the certificate given in this status message is
|
|
valid.
|
|
|
|
Note, that in theory we could simply ask the client via an
|
|
inquire to validate a certificate but this might involve
|
|
calling DirMngr again recursivly - we can't do that as of now
|
|
(neither DirMngr nor gpgsm have the ability for concurrent
|
|
access to DirMngr. */
|
|
|
|
/* FIXME: We should cache this certificate locally, so that the next
|
|
call to dirmngr won't need to look it up - if this works at
|
|
all. */
|
|
fpr = get_fingerprint_hexstring (cert);
|
|
dirmngr_status (ctrl, "ONLY_VALID_IF_CERT_VALID", fpr, NULL);
|
|
xfree (fpr);
|
|
err = 0;
|
|
}
|
|
|
|
return err;
|
|
}
|
|
|
|
|
|
/* Helper for check_signature. */
|
|
static int
|
|
check_signature_core (ctrl_t ctrl, ksba_cert_t cert, gcry_sexp_t s_sig,
|
|
gcry_sexp_t s_hash, fingerprint_list_t signer_fpr_list)
|
|
{
|
|
gpg_error_t err;
|
|
ksba_sexp_t pubkey;
|
|
gcry_sexp_t s_pkey = NULL;
|
|
|
|
pubkey = ksba_cert_get_public_key (cert);
|
|
if (!pubkey)
|
|
err = gpg_error (GPG_ERR_INV_OBJ);
|
|
else
|
|
err = canon_sexp_to_gcry (pubkey, &s_pkey);
|
|
xfree (pubkey);
|
|
if (!err)
|
|
err = gcry_pk_verify (s_sig, s_hash, s_pkey);
|
|
if (!err)
|
|
err = validate_responder_cert (ctrl, cert, signer_fpr_list);
|
|
if (!err)
|
|
{
|
|
gcry_sexp_release (s_pkey);
|
|
return 0; /* Successfully verified the signature. */
|
|
}
|
|
|
|
/* We simply ignore all errors. */
|
|
gcry_sexp_release (s_pkey);
|
|
return -1;
|
|
}
|
|
|
|
|
|
/* Check the signature of an OCSP repsonse. OCSP is the context,
|
|
S_SIG the signature value and MD the handle of the hash we used for
|
|
the response. This function automagically finds the correct public
|
|
key. If SIGNER_FPR_LIST is not NULL, the default OCSP reponder has been
|
|
used and thus the certificate is one of those identified by
|
|
the fingerprints. */
|
|
static gpg_error_t
|
|
check_signature (ctrl_t ctrl,
|
|
ksba_ocsp_t ocsp, gcry_sexp_t s_sig, gcry_md_hd_t md,
|
|
fingerprint_list_t signer_fpr_list)
|
|
{
|
|
gpg_error_t err;
|
|
int algo, cert_idx;
|
|
gcry_sexp_t s_hash;
|
|
ksba_cert_t cert;
|
|
|
|
/* Create a suitable S-expression with the hash value of our response. */
|
|
gcry_md_final (md);
|
|
algo = gcry_md_get_algo (md);
|
|
if (algo != GCRY_MD_SHA1 )
|
|
{
|
|
log_error (_("only SHA-1 is supported for OCSP responses\n"));
|
|
return gpg_error (GPG_ERR_DIGEST_ALGO);
|
|
}
|
|
err = gcry_sexp_build (&s_hash, NULL, "(data(flags pkcs1)(hash sha1 %b))",
|
|
gcry_md_get_algo_dlen (algo),
|
|
gcry_md_read (md, algo));
|
|
if (err)
|
|
{
|
|
log_error (_("creating S-expression failed: %s\n"), gcry_strerror (err));
|
|
return err;
|
|
}
|
|
|
|
/* Get rid of old OCSP specific certificate references. */
|
|
release_ctrl_ocsp_certs (ctrl);
|
|
|
|
if (signer_fpr_list && !signer_fpr_list->next)
|
|
{
|
|
/* There is exactly one signer fingerprint given. Thus we use
|
|
the default OCSP responder's certificate and instantly know
|
|
the certificate to use. */
|
|
cert = get_cert_byhexfpr (signer_fpr_list->hexfpr);
|
|
if (!cert)
|
|
cert = get_cert_local (ctrl, signer_fpr_list->hexfpr);
|
|
if (cert)
|
|
{
|
|
err = check_signature_core (ctrl, cert, s_sig, s_hash,
|
|
signer_fpr_list);
|
|
ksba_cert_release (cert);
|
|
cert = NULL;
|
|
if (!err)
|
|
{
|
|
gcry_sexp_release (s_hash);
|
|
return 0; /* Successfully verified the signature. */
|
|
}
|
|
}
|
|
}
|
|
else
|
|
{
|
|
char *name;
|
|
ksba_sexp_t keyid;
|
|
|
|
/* Put all certificates included in the response into the cache
|
|
and setup a list of those certificate which will later be
|
|
preferred used when locating certificates. */
|
|
for (cert_idx=0; (cert = ksba_ocsp_get_cert (ocsp, cert_idx));
|
|
cert_idx++)
|
|
{
|
|
cert_ref_t cref;
|
|
|
|
cref = xtrymalloc (sizeof *cref);
|
|
if (!cref)
|
|
log_error (_("allocating list item failed: %s\n"),
|
|
gcry_strerror (err));
|
|
else if (!cache_cert_silent (cert, &cref->fpr))
|
|
{
|
|
cref->next = ctrl->ocsp_certs;
|
|
ctrl->ocsp_certs = cref;
|
|
}
|
|
else
|
|
xfree (cref);
|
|
}
|
|
|
|
/* Get the certificate by means of the responder ID. */
|
|
err = ksba_ocsp_get_responder_id (ocsp, &name, &keyid);
|
|
if (err)
|
|
{
|
|
log_error (_("error getting responder ID: %s\n"),
|
|
gcry_strerror (err));
|
|
return err;
|
|
}
|
|
cert = find_cert_bysubject (ctrl, name, keyid);
|
|
if (!cert)
|
|
{
|
|
log_error ("responder certificate ");
|
|
if (name)
|
|
log_printf ("'/%s' ", name);
|
|
if (keyid)
|
|
{
|
|
log_printf ("{");
|
|
dump_serial (keyid);
|
|
log_printf ("} ");
|
|
}
|
|
log_printf ("not found\n");
|
|
}
|
|
ksba_free (name);
|
|
ksba_free (keyid);
|
|
|
|
if (cert)
|
|
{
|
|
err = check_signature_core (ctrl, cert, s_sig, s_hash,
|
|
signer_fpr_list);
|
|
ksba_cert_release (cert);
|
|
if (!err)
|
|
{
|
|
gcry_sexp_release (s_hash);
|
|
return 0; /* Successfully verified the signature. */
|
|
}
|
|
}
|
|
}
|
|
|
|
gcry_sexp_release (s_hash);
|
|
log_error (_("no suitable certificate found to verify the OCSP response\n"));
|
|
return gpg_error (GPG_ERR_NO_PUBKEY);
|
|
}
|
|
|
|
|
|
/* Check whether the certificate either given by fingerprint CERT_FPR
|
|
or directly through the CERT object is valid by running an OCSP
|
|
transaction. With FORCE_DEFAULT_RESPONDER set only the configured
|
|
default responder is used. */
|
|
gpg_error_t
|
|
ocsp_isvalid (ctrl_t ctrl, ksba_cert_t cert, const char *cert_fpr,
|
|
int force_default_responder)
|
|
{
|
|
gpg_error_t err;
|
|
ksba_ocsp_t ocsp = NULL;
|
|
ksba_cert_t issuer_cert = NULL;
|
|
ksba_sexp_t sigval = NULL;
|
|
gcry_sexp_t s_sig = NULL;
|
|
ksba_isotime_t current_time;
|
|
ksba_isotime_t this_update, next_update, revocation_time, produced_at;
|
|
ksba_isotime_t tmp_time;
|
|
ksba_status_t status;
|
|
ksba_crl_reason_t reason;
|
|
char *url_buffer = NULL;
|
|
const char *url;
|
|
gcry_md_hd_t md = NULL;
|
|
int i, idx;
|
|
char *oid;
|
|
ksba_name_t name;
|
|
fingerprint_list_t default_signer = NULL;
|
|
|
|
/* Get the certificate. */
|
|
if (cert)
|
|
{
|
|
ksba_cert_ref (cert);
|
|
|
|
err = find_issuing_cert (ctrl, cert, &issuer_cert);
|
|
if (err)
|
|
{
|
|
log_error (_("issuer certificate not found: %s\n"),
|
|
gpg_strerror (err));
|
|
goto leave;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
cert = get_cert_local (ctrl, cert_fpr);
|
|
if (!cert)
|
|
{
|
|
log_error (_("caller did not return the target certificate\n"));
|
|
err = gpg_error (GPG_ERR_GENERAL);
|
|
goto leave;
|
|
}
|
|
issuer_cert = get_issuing_cert_local (ctrl, NULL);
|
|
if (!issuer_cert)
|
|
{
|
|
log_error (_("caller did not return the issuing certificate\n"));
|
|
err = gpg_error (GPG_ERR_GENERAL);
|
|
goto leave;
|
|
}
|
|
}
|
|
|
|
/* Create an OCSP instance. */
|
|
err = ksba_ocsp_new (&ocsp);
|
|
if (err)
|
|
{
|
|
log_error (_("failed to allocate OCSP context: %s\n"),
|
|
gpg_strerror (err));
|
|
goto leave;
|
|
}
|
|
|
|
|
|
|
|
/* Figure out the OCSP responder to use.
|
|
1. Try to get the reponder from the certificate.
|
|
We do only take http and https style URIs into account.
|
|
2. If this fails use the default responder, if any.
|
|
*/
|
|
url = NULL;
|
|
for (idx=0; !url && !opt.ignore_ocsp_service_url && !force_default_responder
|
|
&& !(err=ksba_cert_get_authority_info_access (cert, idx,
|
|
&oid, &name)); idx++)
|
|
{
|
|
if ( !strcmp (oid, oidstr_ocsp) )
|
|
{
|
|
for (i=0; !url && ksba_name_enum (name, i); i++)
|
|
{
|
|
char *p = ksba_name_get_uri (name, i);
|
|
if (p && (!ascii_strncasecmp (p, "http:", 5)
|
|
|| !ascii_strncasecmp (p, "https:", 6)))
|
|
url = url_buffer = p;
|
|
else
|
|
xfree (p);
|
|
}
|
|
}
|
|
ksba_name_release (name);
|
|
ksba_free (oid);
|
|
}
|
|
if (err && gpg_err_code (err) != GPG_ERR_EOF)
|
|
{
|
|
log_error (_("can't get authorityInfoAccess: %s\n"), gpg_strerror (err));
|
|
goto leave;
|
|
}
|
|
if (!url)
|
|
{
|
|
if (!opt.ocsp_responder || !*opt.ocsp_responder)
|
|
{
|
|
log_info (_("no default OCSP responder defined\n"));
|
|
err = gpg_error (GPG_ERR_CONFIGURATION);
|
|
goto leave;
|
|
}
|
|
if (!opt.ocsp_signer)
|
|
{
|
|
log_info (_("no default OCSP signer defined\n"));
|
|
err = gpg_error (GPG_ERR_CONFIGURATION);
|
|
goto leave;
|
|
}
|
|
url = opt.ocsp_responder;
|
|
default_signer = opt.ocsp_signer;
|
|
if (opt.verbose)
|
|
log_info (_("using default OCSP responder '%s'\n"), url);
|
|
}
|
|
else
|
|
{
|
|
if (opt.verbose)
|
|
log_info (_("using OCSP responder '%s'\n"), url);
|
|
}
|
|
|
|
/* Ask the OCSP responder. */
|
|
err = gcry_md_open (&md, GCRY_MD_SHA1, 0);
|
|
if (err)
|
|
{
|
|
log_error (_("failed to establish a hashing context for OCSP: %s\n"),
|
|
gpg_strerror (err));
|
|
goto leave;
|
|
}
|
|
err = do_ocsp_request (ctrl, ocsp, md, url, cert, issuer_cert);
|
|
if (err)
|
|
goto leave;
|
|
|
|
/* We got a useful answer, check that the answer has a valid signature. */
|
|
sigval = ksba_ocsp_get_sig_val (ocsp, produced_at);
|
|
if (!sigval || !*produced_at)
|
|
{
|
|
err = gpg_error (GPG_ERR_INV_OBJ);
|
|
goto leave;
|
|
}
|
|
if ( (err = canon_sexp_to_gcry (sigval, &s_sig)) )
|
|
goto leave;
|
|
xfree (sigval);
|
|
sigval = NULL;
|
|
err = check_signature (ctrl, ocsp, s_sig, md, default_signer);
|
|
if (err)
|
|
goto leave;
|
|
|
|
/* We only support one certificate per request. Check that the
|
|
answer matches the right certificate. */
|
|
err = ksba_ocsp_get_status (ocsp, cert,
|
|
&status, this_update, next_update,
|
|
revocation_time, &reason);
|
|
if (err)
|
|
{
|
|
log_error (_("error getting OCSP status for target certificate: %s\n"),
|
|
gpg_strerror (err));
|
|
goto leave;
|
|
}
|
|
|
|
/* In case the certificate has been revoked, we better invalidate
|
|
our cached validation status. */
|
|
if (status == KSBA_STATUS_REVOKED)
|
|
{
|
|
time_t validated_at = 0; /* That is: No cached validation available. */
|
|
err = ksba_cert_set_user_data (cert, "validated_at",
|
|
&validated_at, sizeof (validated_at));
|
|
if (err)
|
|
{
|
|
log_error ("set_user_data(validated_at) failed: %s\n",
|
|
gpg_strerror (err));
|
|
err = 0; /* The certificate is anyway revoked, and that is a
|
|
more important message than the failure of our
|
|
cache. */
|
|
}
|
|
}
|
|
|
|
|
|
if (opt.verbose)
|
|
{
|
|
log_info (_("certificate status is: %s (this=%s next=%s)\n"),
|
|
status == KSBA_STATUS_GOOD? _("good"):
|
|
status == KSBA_STATUS_REVOKED? _("revoked"):
|
|
status == KSBA_STATUS_UNKNOWN? _("unknown"):
|
|
status == KSBA_STATUS_NONE? _("none"): "?",
|
|
this_update, next_update);
|
|
if (status == KSBA_STATUS_REVOKED)
|
|
log_info (_("certificate has been revoked at: %s due to: %s\n"),
|
|
revocation_time,
|
|
reason == KSBA_CRLREASON_UNSPECIFIED? "unspecified":
|
|
reason == KSBA_CRLREASON_KEY_COMPROMISE? "key compromise":
|
|
reason == KSBA_CRLREASON_CA_COMPROMISE? "CA compromise":
|
|
reason == KSBA_CRLREASON_AFFILIATION_CHANGED?
|
|
"affiliation changed":
|
|
reason == KSBA_CRLREASON_SUPERSEDED? "superseeded":
|
|
reason == KSBA_CRLREASON_CESSATION_OF_OPERATION?
|
|
"cessation of operation":
|
|
reason == KSBA_CRLREASON_CERTIFICATE_HOLD?
|
|
"certificate on hold":
|
|
reason == KSBA_CRLREASON_REMOVE_FROM_CRL?
|
|
"removed from CRL":
|
|
reason == KSBA_CRLREASON_PRIVILEGE_WITHDRAWN?
|
|
"privilege withdrawn":
|
|
reason == KSBA_CRLREASON_AA_COMPROMISE? "AA compromise":
|
|
reason == KSBA_CRLREASON_OTHER? "other":"?");
|
|
|
|
}
|
|
|
|
|
|
if (status == KSBA_STATUS_REVOKED)
|
|
err = gpg_error (GPG_ERR_CERT_REVOKED);
|
|
else if (status == KSBA_STATUS_UNKNOWN)
|
|
err = gpg_error (GPG_ERR_NO_DATA);
|
|
else if (status != KSBA_STATUS_GOOD)
|
|
err = gpg_error (GPG_ERR_GENERAL);
|
|
|
|
/* Allow for some clock skew. */
|
|
gnupg_get_isotime (current_time);
|
|
add_seconds_to_isotime (current_time, opt.ocsp_max_clock_skew);
|
|
|
|
if (strcmp (this_update, current_time) > 0 )
|
|
{
|
|
log_error (_("OCSP responder returned a status in the future\n"));
|
|
log_info ("used now: %s this_update: %s\n", current_time, this_update);
|
|
if (!err)
|
|
err = gpg_error (GPG_ERR_TIME_CONFLICT);
|
|
}
|
|
|
|
/* Check that THIS_UPDATE is not too far back in the past. */
|
|
gnupg_copy_time (tmp_time, this_update);
|
|
add_seconds_to_isotime (tmp_time,
|
|
opt.ocsp_max_period+opt.ocsp_max_clock_skew);
|
|
if (!*tmp_time || strcmp (tmp_time, current_time) < 0 )
|
|
{
|
|
log_error (_("OCSP responder returned a non-current status\n"));
|
|
log_info ("used now: %s this_update: %s\n",
|
|
current_time, this_update);
|
|
if (!err)
|
|
err = gpg_error (GPG_ERR_TIME_CONFLICT);
|
|
}
|
|
|
|
/* Check that we are not beyound NEXT_UPDATE (plus some extra time). */
|
|
if (*next_update)
|
|
{
|
|
gnupg_copy_time (tmp_time, next_update);
|
|
add_seconds_to_isotime (tmp_time,
|
|
opt.ocsp_current_period+opt.ocsp_max_clock_skew);
|
|
if (!*tmp_time && strcmp (tmp_time, current_time) < 0 )
|
|
{
|
|
log_error (_("OCSP responder returned an too old status\n"));
|
|
log_info ("used now: %s next_update: %s\n",
|
|
current_time, next_update);
|
|
if (!err)
|
|
err = gpg_error (GPG_ERR_TIME_CONFLICT);
|
|
}
|
|
}
|
|
|
|
|
|
leave:
|
|
gcry_md_close (md);
|
|
gcry_sexp_release (s_sig);
|
|
xfree (sigval);
|
|
ksba_cert_release (issuer_cert);
|
|
ksba_cert_release (cert);
|
|
ksba_ocsp_release (ocsp);
|
|
xfree (url_buffer);
|
|
return err;
|
|
}
|
|
|
|
|
|
/* Release the list of OCSP certificates hold in the CTRL object. */
|
|
void
|
|
release_ctrl_ocsp_certs (ctrl_t ctrl)
|
|
{
|
|
while (ctrl->ocsp_certs)
|
|
{
|
|
cert_ref_t tmp = ctrl->ocsp_certs->next;
|
|
xfree (ctrl->ocsp_certs);
|
|
ctrl->ocsp_certs = tmp;
|
|
}
|
|
}
|