1 (edited by Zeddi 2014-02-19 01:25:25)

Topic: [SOLVED] Signature of OCSP response not verified?

I've set up my own CA with OpenSSL (1.0.1e). I created ECC-keys and issued the following certs:

  • cacert-ecc.pem

  • test3-ecc.pem

The following commands are all issued on my local laptop (which has 192.168.1.5 assigned).
I start my OpenSSL server:

D:\OpenSSL-CA-ECC>openssl s_server -CAfile cacert-ecc.pem -cert test3-ecc.pem -key test3-ecc-key.pem -debug -port 11111

I start my OpenSSL OCSP responder:

D:\OpenSSL-CA-ECC>openssl ocsp -index index.txt -port 192.168.1.5:8888 -rsigner cacert-ecc.pem -rkey private\cakey-ecc.pem -CA cacert-ecc.pem -text
Waiting for OCSP client connections...

I start my wolfSSL 2.8.0 test client on the same laptop inside a Cygwin environment (hence the unix style):

$ ./client -o -A /cygdrive/d/OpenSSL-CA-ECC/cacert-ecc.pem -c /cygdrive/d/OpenSSL-CA-ECC/test3-ecc.pem -k /cygdrive/d/OpenSSL-CA-ECC/test3-ecc-key.pem -h 192.168.1.5 -p 11111

The OCSP request and response dumped by the OpenSSL OCSP responder:

OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 694F0EA887A109BF63EFD1420E7F0B501195929E
          Issuer Key Hash: ACCCEC3C2E4DDCF100AFD46C6D085E8C92C80F81
          Serial Number: 1003
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = DE, ST = Bayern, L = Regensburg, O = Daniel Zebralla, OU = A S&T CDS TCD, CN = ca.test.de, emailAddress = daniel.zebralla@continental-corporation.com
    Produced At: Jan 24 11:35:15 2014 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 694F0EA887A109BF63EFD1420E7F0B501195929E
      Issuer Key Hash: ACCCEC3C2E4DDCF100AFD46C6D085E8C92C80F81
      Serial Number: 1003
    Cert Status: good
    This Update: Jan 24 11:35:15 2014 GMT

    Signature Algorithm: ecdsa-with-SHA1
         30:45:02:20:55:7c:09:e9:6b:09:15:ef:79:fc:55:5d:97:d4:
         34:e1:db:f1:36:a6:01:b6:62:60:1f:3d:40:74:87:1a:fc:99:
         02:21:00:b7:ae:b9:78:f1:69:5b:49:2b:88:95:2e:13:03:4c:
         a3:63:83:2a:8f:65:6c:66:7e:f8:2c:80:23:b7:1e:94:d3
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            8b:d4:04:ab:af:5b:65:69
    Signature Algorithm: ecdsa-with-SHA1
        Issuer: C=DE, ST=Bayern, L=Regensburg, O=Daniel Zebralla, OU=A S&T CDS TCD, CN=ca.test.de/emailAddress=daniel.zebralla@continental-corporation.com
        Validity
            Not Before: Jan 14 07:47:23 2014 GMT
            Not After : Jan 12 07:47:23 2024 GMT
        Subject: C=DE, ST=Bayern, L=Regensburg, O=Daniel Zebralla, OU=A S&T CDS TCD, CN=ca.test.de/emailAddress=daniel.zebralla@continental-corporation.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:5d:a8:08:01:2e:b7:26:1e:6e:f3:36:16:70:b9:
                    c5:30:63:85:72:62:66:39:fe:ed:b8:71:6e:1c:ca:
                    30:62:be:d9:80:d2:f3:32:36:5b:08:8e:04:ad:29:
                    7d:b8:ce:ad:ab:14:e5:d5:9c:c9:24:5e:32:7f:52:
                    ab:6e:be:38:42
                ASN1 OID: prime256v1
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                AC:CC:EC:3C:2E:4D:DC:F1:00:AF:D4:6C:6D:08:5E:8C:92:C8:0F:81
            X509v3 Authority Key Identifier:
                keyid:AC:CC:EC:3C:2E:4D:DC:F1:00:AF:D4:6C:6D:08:5E:8C:92:C8:0F:81

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: ecdsa-with-SHA1
         30:45:02:20:61:f8:17:c9:45:89:0b:50:4d:6a:1e:92:e2:df:
         09:14:e4:9d:1a:8b:c7:85:35:d3:de:77:b4:43:de:d8:b9:60:
         02:21:00:9a:43:25:7b:8f:e6:13:21:18:26:5c:78:2e:5c:9a:
         f1:55:36:8b:a5:2a:09:ac:26:ee:35:2e:77:bf:c7:53:2e
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----

I am wondering why the signature of the OCSP response seems NOT to get checked. Note the one line of debug output I've added in the wolfSSL embedded SSL debug messages further below, indicating an error in looking for OCSP extensions ( >>> DZ: In OcspResponseDecode, ret = -140). I'm missing a line like "About to verify certificate signature" during OCSP processing. As far as I debugged, the error code -140 results in OCSP response processing returning before the signature of its attached certificate would be checked. Is this the way it should be:

    if (DecodeResponseData(source, &idx, resp, size) < 0)
        return ASN_PARSE_E;
[...]
    * see if there are certificates, they are optional.
    */
    if (idx < end_index)
    {
[...]
        ret = ConfirmSignature(resp->response, resp->responseSz,
                            cert.publicKey, cert.pubKeySize, cert.keyOID,
                            resp->sig, resp->sigSz, resp->sigOID, NULL);
CyaSSL Entering CYASSL_CTX_new
CyaSSL Entering CyaSSL_CertManagerNew
CyaSSL Leaving CYASSL_CTX_new, return 0
CyaSSL Entering CyaSSL_CTX_OCSP_set_options
CyaSSL Entering CyaSSL_CTX_use_certificate_chain_file
Getting dynamic buffer
Checking cert signature type
CyaSSL Entering GetExplicitVersion
CyaSSL Entering GetMyVersion
CyaSSL Entering GetAlgoId
Getting Cert Name
Getting Cert Name
CyaSSL Entering GetAlgoId
ECDSA cert signature
CyaSSL Entering CyaSSL_CTX_use_PrivateKey_file
CyaSSL Entering GetMyVersion
CyaSSL Entering CyaSSL_CTX_load_verify_locations
Getting dynamic buffer
Processing CA PEM file
Adding a CA
CyaSSL Entering GetExplicitVersion
CyaSSL Entering GetMyVersion
CyaSSL Entering GetAlgoId
Getting Cert Name
Getting Cert Name
CyaSSL Entering GetAlgoId
CyaSSL Entering DecodeCertExtensions
CyaSSL Entering DecodeSubjKeyId
CyaSSL Entering DecodeAuthKeyId
CyaSSL Entering DecodeBasicCaConstraint
CyaSSL Leaving DecodeCertExtensions, return 0
CyaSSL Entering GetAlgoId
    Parsed new CA
    Freeing Parsed CA
    Freeing der CA
        OK Freeing der CA
CyaSSL Leaving AddCA, return 0
   Processed a CA
CyaSSL Entering SSL_new
CyaSSL Leaving SSL_new, return 0
CyaSSL Entering SSL_set_fd
CyaSSL Leaving SSL_set_fd, return 1
CyaSSL Entering SSL_connect()
growing output buffer

Shrinking output buffer

connect state: CLIENT_HELLO_SENT
growing input buffer

growing input buffer

received record layer msg
CyaSSL Entering DoHandShakeMsg()
CyaSSL Entering DoHandShakeMsgType
processing server hello
CyaSSL Leaving DoHandShakeMsgType(), return 0
CyaSSL Leaving DoHandShakeMsg(), return 0
growing input buffer

received record layer msg
CyaSSL Entering DoHandShakeMsg()
CyaSSL Entering DoHandShakeMsgType
processing certificate
Loading peer's cert chain
    Put another cert into chain
    Put another cert into chain
CyaSSL Entering GetExplicitVersion
CyaSSL Entering GetMyVersion
CyaSSL Entering GetAlgoId
Getting Cert Name
Getting Cert Name
CyaSSL Entering GetAlgoId
CyaSSL Entering DecodeCertExtensions
CyaSSL Entering DecodeSubjKeyId
CyaSSL Entering DecodeAuthKeyId
CyaSSL Entering DecodeBasicCaConstraint
CyaSSL Leaving DecodeCertExtensions, return 0
CyaSSL Entering GetAlgoId
About to verify certificate signature
ECC Verify did match
Verified CA from chain and already had it
Verifying Peer's cert
CyaSSL Entering GetExplicitVersion
CyaSSL Entering GetMyVersion
CyaSSL Entering GetAlgoId
Getting Cert Name
Getting Cert Name
CyaSSL Entering GetAlgoId
CyaSSL Entering DecodeCertExtensions
CyaSSL Entering DecodeBasicCaConstraint
CyaSSL Entering DecodeAuthInfo
        Extension type not handled, skipping
CyaSSL Entering DecodeSubjKeyId
CyaSSL Entering DecodeAuthKeyId
CyaSSL Leaving DecodeCertExtensions, return 0
CyaSSL Entering GetAlgoId
About to verify certificate signature
ECC Verify did match
Verified Peer's cert
Add a new OCSP entry
CyaSSL Entering InitOCSP_Entry
CyaSSL Entering InitOcspRequest
CyaSSL Entering EncodeOcspRequest
CyaSSL Entering SetSerialNumber
CyaSSL Entering InitOcspResponse
CyaSSL Entering OcspResponseDecode
CyaSSL Entering GetEnumerated
CyaSSL Entering DecodeBasicOcspResponse
CyaSSL Entering DecodeResponseData
CyaSSL Entering GetBasicDate
CyaSSL Entering DecodeSingleResponse
CyaSSL Entering GetAlgoId
CyaSSL Entering GetBasicDate
CyaSSL Entering DecodeOcspRespExtensions
 >>> DZ: In OcspResponseDecode, ret = -140
CyaSSL Entering CompareOcspReqResp
CyaSSL Leaving DoHandShakeMsgType(), return 0
CyaSSL Leaving DoHandShakeMsg(), return 0
received record layer msg
CyaSSL Entering DoHandShakeMsg()
CyaSSL Entering DoHandShakeMsgType
processing server key exchange
CyaSSL Leaving DoHandShakeMsgType(), return 0
CyaSSL Leaving DoHandShakeMsg(), return 0
received record layer msg
CyaSSL Entering DoHandShakeMsg()
CyaSSL Entering DoHandShakeMsgType
processing server hello done
CyaSSL Leaving DoHandShakeMsgType(), return 0
CyaSSL Leaving DoHandShakeMsg(), return 0
connect state: HELLO_AGAIN
connect state: HELLO_AGAIN_REPLY
connect state: FIRST_REPLY_DONE
connect state: FIRST_REPLY_FIRST
growing output buffer

Shrinking output buffer

sent: client key exchange
connect state: FIRST_REPLY_SECOND
connect state: FIRST_REPLY_THIRD
growing output buffer

Shrinking output buffer

sent: change cipher spec
connect state: FIRST_REPLY_FOURTH
growing output buffer

Shrinking output buffer

sent: finished
connect state: FINISHED_DONE
received record layer msg
got CHANGE CIPHER SPEC
received record layer msg
CyaSSL Entering DoHandShakeMsg()
CyaSSL Entering DoHandShakeMsgType
processing finished
CyaSSL Leaving DoHandShakeMsgType(), return 0
CyaSSL Leaving DoHandShakeMsg(), return 0
connect state: SECOND_REPLY_DONE
Shrinking input buffer

CyaSSL Leaving SSL_connect(), return 1
CyaSSL Entering SSL_get_version
SSL version is TLSv1.2
CyaSSL Entering SSL_get_current_cipher
CyaSSL Entering SSL_CIPHER_get_name
SSL cipher suite is TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
CyaSSL Entering SSL_write()
growing output buffer

Shrinking output buffer

CyaSSL Leaving SSL_write(), return 13
CyaSSL Entering CyaSSL_read()
CyaSSL Entering CyaSSL_read_internal()
CyaSSL Entering ReceiveData()
growing input buffer

growing input buffer

received record layer msg
got app DATA
Shrinking input buffer

CyaSSL Leaving ReceiveData(), return 13
CyaSSL Leaving CyaSSL_read_internal(), return 13
Server response: I hear you!

CyaSSL Entering SSL_shutdown()
growing output buffer

Shrinking output buffer

CyaSSL Leaving SSL_shutdown(), return 0
CyaSSL Entering SSL_free
CTX ref count not 0 yet, no free
CyaSSL Leaving SSL_free, return 0
CyaSSL Entering SSL_CTX_free
CTX ref count down to 0, doing full free
CyaSSL Entering CyaSSL_CertManagerFree
CyaSSL Entering FreeOCSP_Entry
CyaSSL Leaving SSL_CTX_free, return 0
CyaSSL Entering CyaSSL_Cleanup

Best regards
- Daniel

Post's attachments

cacert-ecc.pem (2.62 kb)

2 (edited by Zeddi 2014-01-31 02:13:51)

Re: [SOLVED] Signature of OCSP response not verified?

I've debugged a bit further. This is where the parsing fails:

    if (source[idx++] != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 1))
        return ASN_PARSE_E;

source[idx++] points to the value 0x30 in my error case, which is unlike ASN_CONSTRUCTED (0x20) or ASN_CONTEXT_SPECIFIC (0x80).

Since the name of the function is DecodeOcspRespExtensions, I tried changing the OCSP options for the wolfSSL test client from ...

            CyaSSL_CTX_OCSP_set_options(ctx,
                                        CYASSL_OCSP_ENABLE | CYASSL_OCSP_NO_NONCE
                                            | CYASSL_OCSP_URL_OVERRIDE);

... to ...

            CyaSSL_CTX_OCSP_set_options(ctx,
                                        CYASSL_OCSP_ENABLE
                                            | CYASSL_OCSP_URL_OVERRIDE);

and the function completes without an error!

This is the response my OpenSSL OCSP responder sent in this case:

OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = DE, ST = Bayern, O = Daniel Zebralla, OU = A S&T CDS TCD, CN = test1.test.de, emailAddress = daniel.zebralla@continental-corporation.com
    Produced At: Jan 31 08:35:07 2014 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 694F0EA887A109BF63EFD1420E7F0B501195929E
      Issuer Key Hash: ACCCEC3C2E4DDCF100AFD46C6D085E8C92C80F81
      Serial Number: 1003
    Cert Status: good
    This Update: Jan 31 08:35:07 2014 GMT

    Response Extensions:
        OCSP Nonce:
            9DBE63800346529A6222420658C6EA6D91F3
    Signature Algorithm: ecdsa-with-SHA1
         30:45:02:20:10:27:9e:78:1e:c4:28:d6:3c:1f:05:af:6f:27:
         0e:72:ff:78:a6:ab:73:6e:6e:60:8c:54:d1:31:01:82:ba:f8:
         02:21:00:eb:46:5b:7e:15:39:aa:72:a3:92:dd:c4:ba:e1:fd:
         f7:21:c1:17:fa:bb:5f:56:de:d7:2d:99:4d:6a:e6:74:7b
Certificate:
 ...

Note the new lines:

    Response Extensions:
        OCSP Nonce:
            9DBE63800346529A6222420658C6EA6D91F3

So, in conclusion, I assume that wolfSSL treats the "response extensions" block as mandatory and stops parsing the OCSP response if it's not there (thus not checking the signature which would be done later in the code).

I've looked up RFC 6960, and section 4.2.2.3 (Basic Response) states [1]:

The basic response type contains:
[...]
o  optional extensions;
[...]

I guess wolfSSL should treat OCSP response extensions as optional and continue parsing the response in any case.

[1] http://tools.ietf.org/html/rfc6960#section-4.2.2.3

- Daniel

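The parsing behaviour described in the first two posts (a strict check for the `[1]` responseExtensions tag that returns -140 and so never reaches ConfirmSignature, versus treating the block as OPTIONAL per RFC 6960) in a small, self-contained DER walk. This is an added example, not wolfSSL's code: the ASN_* tag constants follow wolfSSL's naming but are defined here, ASN_PARSE_E = -140 is assumed from the debug output, and both sample byte strings are constructed (the nonce bytes are the ones printed in the second post, the signatureAlgorithm is the DER encoding of ecdsa-with-SHA1).

```c
/* Added example, not wolfSSL code: walking the tail of an OCSP ResponseData
 * where "responseExtensions [1] EXPLICIT Extensions OPTIONAL" may or may not
 * precede the BasicOCSPResponse signatureAlgorithm SEQUENCE (RFC 6960 4.2.1).
 * The ASN_* values and ASN_PARSE_E = -140 are assumptions made for this example. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ASN_BOOLEAN          0x01
#define ASN_OCTET_STRING     0x04
#define ASN_OBJECT_ID        0x06
#define ASN_SEQUENCE         0x10
#define ASN_CONSTRUCTED      0x20
#define ASN_CONTEXT_SPECIFIC 0x80
#define ASN_PARSE_E          (-140)
#define TAG_RESP_EXT  (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 1)  /* 0xA1 */
#define TAG_SEQ       (ASN_CONSTRUCTED | ASN_SEQUENCE)              /* 0x30 */

/* id-pkix-ocsp-nonce, 1.3.6.1.5.5.7.48.1.2, as DER content octets */
static const uint8_t OID_OCSP_NONCE[] = {0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x02};

/* Parse one TLV header with the expected tag (short-form length only, which is
 * all the constructed samples need). Leaves *idx at the first content octet. */
static int get_header(const uint8_t *s, size_t *idx, size_t end, uint8_t tag, size_t *len)
{
    if (*idx + 2 > end || s[*idx] != tag || (s[*idx + 1] & 0x80)) return ASN_PARSE_E;
    *len = s[*idx + 1];
    *idx += 2;
    return (*idx + *len > end) ? ASN_PARSE_E : 0;
}

/* The behaviour quoted in the thread: [1] is required, so a response with no
 * extensions (next byte 0x30) fails here, before any signature check is reached. */
int decode_extensions_strict(const uint8_t *s, size_t *idx, size_t end)
{
    size_t len;
    int ret = get_header(s, idx, end, TAG_RESP_EXT, &len);
    if (ret < 0) return ret;
    *idx += len;
    return 0;
}

/* RFC-conformant: an absent [1] block is not an error. Returns 1 if extensions were
 * present (nonce/nonce_len then point at the id-pkix-ocsp-nonce extnValue, if any),
 * 0 if absent, <0 on malformed input. */
int decode_extensions_optional(const uint8_t *s, size_t *idx, size_t end,
                               const uint8_t **nonce, size_t *nonce_len)
{
    size_t ext_end, seq_len, len;
    int ret;
    *nonce = NULL; *nonce_len = 0;
    if (*idx >= end || s[*idx] != TAG_RESP_EXT) return 0;       /* OPTIONAL: not there */
    if ((ret = get_header(s, idx, end, TAG_RESP_EXT, &len)) < 0) return ret;
    ext_end = *idx + len;
    if ((ret = get_header(s, idx, ext_end, TAG_SEQ, &seq_len)) < 0) return ret; /* SEQUENCE OF */
    if (*idx + seq_len != ext_end) return ASN_PARSE_E;
    while (*idx < ext_end) {                                     /* Extension ::= SEQUENCE */
        size_t one_end, oid_len; const uint8_t *oid;
        if ((ret = get_header(s, idx, ext_end, TAG_SEQ, &len)) < 0) return ret;
        one_end = *idx + len;
        if ((ret = get_header(s, idx, one_end, ASN_OBJECT_ID, &oid_len)) < 0) return ret;
        oid = s + *idx; *idx += oid_len;
        if (*idx < one_end && s[*idx] == ASN_BOOLEAN) {          /* critical DEFAULT FALSE */
            if ((ret = get_header(s, idx, one_end, ASN_BOOLEAN, &len)) < 0) return ret;
            *idx += len;
        }
        if ((ret = get_header(s, idx, one_end, ASN_OCTET_STRING, &len)) < 0) return ret;
        if (oid_len == sizeof OID_OCSP_NONCE && memcmp(oid, OID_OCSP_NONCE, oid_len) == 0) {
            *nonce = s + *idx; *nonce_len = len;
        }
        *idx += len;
        if (*idx != one_end) return ASN_PARSE_E;
    }
    return 1;
}

/* Walk the tail as the handshake code would: optional extensions, then the
 * signatureAlgorithm SEQUENCE the signature check needs. 0 = reached it, <0 = bailed out. */
int walk_tail(const uint8_t *s, size_t size, int strict)
{
    size_t idx = 0, len = 0; const uint8_t *nonce = NULL;
    int ret = strict ? decode_extensions_strict(s, &idx, size)
                     : decode_extensions_optional(s, &idx, size, &nonce, &len);
    if (ret < 0) return ret;                      /* strict path stops here on a nonce-less response */
    return get_header(s, &idx, size, TAG_SEQ, &len);
}

/* Compare the nonce echoed in the response with the one the client sent:
 * 1 = matches, 0 = missing or different, <0 = malformed. */
int nonce_matches(const uint8_t *s, size_t size, const uint8_t *sent, size_t sent_len)
{
    size_t idx = 0, len = 0; const uint8_t *nonce = NULL;
    int ret = decode_extensions_optional(s, &idx, size, &nonce, &len);
    if (ret < 0) return ret;
    return nonce != NULL && len == sent_len && memcmp(nonce, sent, len) == 0;
}

/* Constructed samples. Nonce bytes are those printed in the thread. */
static const uint8_t NONCE[] = {0x9D,0xBE,0x63,0x80,0x03,0x46,0x52,0x9A,0x62,
                                0x22,0x42,0x06,0x58,0xC6,0xEA,0x6D,0x91,0xF3};
/* Tail with no extensions: first byte is already the signatureAlgorithm SEQUENCE
 * { OID ecdsa-with-SHA1 1.2.840.10045.4.1 }. */
static const uint8_t TAIL_NO_EXT[] = {0x30,0x09,0x06,0x07,0x2A,0x86,0x48,0xCE,0x3D,0x04,0x01};
/* Tail with [1] { SEQUENCE { SEQUENCE { OID nonce, OCTET STRING nonce } } }, then the same. */
static const uint8_t TAIL_WITH_EXT[] = {
    0xA1,0x23, 0x30,0x21, 0x30,0x1F,
      0x06,0x09,0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x02,
      0x04,0x12,0x9D,0xBE,0x63,0x80,0x03,0x46,0x52,0x9A,0x62,
                0x22,0x42,0x06,0x58,0xC6,0xEA,0x6D,0x91,0xF3,
    0x30,0x09,0x06,0x07,0x2A,0x86,0x48,0xCE,0x3D,0x04,0x01};
```

Run `walk_tail(TAIL_NO_EXT, sizeof TAIL_NO_EXT, 1)` and you get -140, the value seen in the debug output, while the optional variant returns 0 on the same bytes and goes on to the signatureAlgorithm; both variants accept the nonce-carrying tail. The point for a client is that the two checks are separate: whether the extensions block is present is an encoding question and must not abort parsing, whereas whether an echoed nonce matches the one sent (nonce_matches) is a policy question the client decides after the signature has been verified.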

Re: [SOLVED] Signature of OCSP response not verified?

In commit 67b1b00a, there was a fix to allow a server to be missing a requested nonce, as they are supposed to be optional. There have been several other improvements to the OCSP code in the last few months. (Note, it has been tested against connections to the thawte.com and google.com webserver using SSL.)