[gnutls-devel] GnuTLS | gnutls_ocsp_resp_verify: Check key purpose if signer not on trust list (!1452)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Wed Jul 14 00:26:40 CEST 2021



Airtower created a merge request: https://gitlab.com/gnutls/gnutls/-/merge_requests/1452

Branches: airtower-luna/gnutls:fix-ocsp-signer-check to gnutls/gnutls:master
Author:   Airtower




According to [RFC 6960, section 4.2.2.2](https://datatracker.ietf.org/doc/html/rfc6960#section-4.2.2.2) the id-kp-OCSPSigning key purpose is only needed for delegated signers, not signers explicitly set as trusted. The previous code would reject a signature directly from a CA on the trust list (without delegation) because the CA certificate didn't contain the id-kp-OCSPSigning key purpose.

The included tests check:

1. Is a signature directly from a CA on the trust list accepted?
2. Is a signature from a delegated signer issued by a CA on the trust list accepted?
3. Is a signature from a certificate without id-kp-OCSPSigning issued by a CA on the trust list rejected?

Note that the CA in these tests is also the one that issued the certificate the OCSP response is for, but the code (current and previous) doesn't enforce this.

## Checklist
 * [x] Commits have `Signed-off-by:` with name/author being identical to the commit author
 * [x] Code modified for feature
 * [x] Test suite updated with functionality tests
 * [x] Test suite updated with negative tests
 * [ ] Documentation updated / NEWS entry present (for non-trivial changes)
 * [x] CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

## Reviewer's checklist:
 * [ ] Any issues marked for closing are addressed
 * [ ] There is a test suite reasonably covering new functionality or modifications
 * [ ] Function naming, parameters, return values, types, etc., are consistent and according to `CONTRIBUTION.md`
 * [ ] This feature/change has adequate documentation added
 * [ ] No obvious mistakes in the code

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/merge_requests/1452
You're receiving this email because of your account on gitlab.com.
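The rule the merge request describes, as an added example that is not part of the original notification and not GnuTLS code: a small Python model of the RFC 6960 section 4.2.2.2 signer check in which a signer on the trust list is accepted without any key purpose check, while a delegated signer must be issued by a trusted CA and carry id-kp-OCSPSigning. The `Cert` type, the `check_ocsp_signer` function, the `purpose_check_for_trusted` flag (which reproduces the pre-fix rejection of a directly signing CA) and the sample certificates are all constructed for this illustration; cryptographic signature verification is assumed to have been done elsewhere, and "issued by" is modelled as a subject/issuer name match rather than a real chain check.

```python
"""Constructed model of the OCSP signer check described in the merge request
(RFC 6960, section 4.2.2.2). Not GnuTLS code: signature verification is
assumed to happen separately; only "is this an acceptable signer?" is modelled."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Tuple

# id-kp-OCSPSigning, the extended key usage OID defined by RFC 6960.
ID_KP_OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (hypothetical type)."""
    subject: str
    issuer: str
    ext_key_usage: FrozenSet[str] = frozenset()


def check_ocsp_signer(signer: Cert, trust_list: Iterable[Cert],
                      purpose_check_for_trusted: bool = False) -> Tuple[bool, str]:
    """Decide whether `signer` may sign an OCSP response for this client.

    Fixed behaviour (purpose_check_for_trusted=False): a signer on the trust
    list is accepted as-is; any other signer must be issued by a CA on the
    trust list and carry id-kp-OCSPSigning. purpose_check_for_trusted=True
    reproduces the pre-fix behaviour, where a trusted CA signing directly was
    rejected because its certificate lacks the key purpose.
    """
    trusted = set(trust_list)  # Cert is a frozen dataclass, so hashable
    has_purpose = ID_KP_OCSP_SIGNING in signer.ext_key_usage

    if signer in trusted:
        if purpose_check_for_trusted and not has_purpose:
            return False, "trusted signer lacks id-kp-OCSPSigning (pre-fix behaviour)"
        return True, "signer is on the trust list; no key purpose required"

    # Delegated signer: assumed 'issued by' a trusted CA when the issuer name
    # matches a trust-list subject (a real implementation verifies the chain).
    if not any(ca.subject == signer.issuer for ca in trusted):
        return False, "signer is neither trusted nor issued by a trusted CA"
    if not has_purpose:
        return False, "delegated signer lacks id-kp-OCSPSigning"
    return True, "delegated signer issued by a trusted CA with id-kp-OCSPSigning"


# Constructed sample certificates mirroring the merge request's three tests,
# plus a responder issued by a CA that is not on the trust list.
TEST_CA = Cert("CN=Test CA", "CN=Test CA")  # self-signed, no OCSPSigning purpose
DELEGATED = Cert("CN=OCSP Responder", "CN=Test CA", frozenset({ID_KP_OCSP_SIGNING}))
NO_PURPOSE = Cert("CN=Some Server", "CN=Test CA")
FOREIGN = Cert("CN=Other Responder", "CN=Other CA", frozenset({ID_KP_OCSP_SIGNING}))
TRUST_LIST = [TEST_CA]


def run_cases() -> dict:
    """Return {case name: accepted?} for the sample signers above."""
    return {
        "ca_direct": check_ocsp_signer(TEST_CA, TRUST_LIST)[0],
        "ca_direct_prefix": check_ocsp_signer(TEST_CA, TRUST_LIST,
                                              purpose_check_for_trusted=True)[0],
        "delegated": check_ocsp_signer(DELEGATED, TRUST_LIST)[0],
        "no_purpose": check_ocsp_signer(NO_PURPOSE, TRUST_LIST)[0],
        "foreign": check_ocsp_signer(FOREIGN, TRUST_LIST)[0],
    }


if __name__ == "__main__":
    for name, ok in run_cases().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Running the block shows the three outcomes the merge request's tests check (CA directly: accepted; delegated signer with the purpose: accepted; certificate without the purpose: rejected), and the `ca_direct_prefix` case shows how the earlier key purpose check wrongly rejected the trusted CA.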