1 /* Licensed to the Apache Software Foundation (ASF) under one or more
2 * contributor license agreements. See the NOTICE file distributed with
3 * this work for additional information regarding copyright ownership.
4 * The ASF licenses this file to You under the Apache License, Version 2.0
5 * (the "License"); you may not use this file except in compliance with
6 * the License. You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include "ssl_private.h"
18
19 #ifndef OPENSSL_NO_OCSP
20 #include "apr_base64.h"
21
22 /* Return the responder URI specified in the given certificate, or
23 * NULL if none specified. */
extract_responder_uri(X509 * cert,apr_pool_t * pool)24 static const char *extract_responder_uri(X509 *cert, apr_pool_t *pool)
25 {
26 STACK_OF(ACCESS_DESCRIPTION) *values;
27 char *result = NULL;
28 int j;
29
30 values = X509_get_ext_d2i(cert, NID_info_access, NULL, NULL);
31 if (!values) {
32 return NULL;
33 }
34
35 for (j = 0; j < sk_ACCESS_DESCRIPTION_num(values) && !result; j++) {
36 ACCESS_DESCRIPTION *value = sk_ACCESS_DESCRIPTION_value(values, j);
37
38 /* Name found in extension, and is a URI: */
39 if (OBJ_obj2nid(value->method) == NID_ad_OCSP
40 && value->location->type == GEN_URI) {
41 result = apr_pstrdup(pool,
42 (char *)value->location->d.uniformResourceIdentifier->data);
43 }
44 }
45
46 AUTHORITY_INFO_ACCESS_free(values);
47
48 return result;
49 }
50
51 /* Return the responder URI object which should be used in the given
52 * configuration for the given certificate, or NULL if none can be
53 * determined. */
determine_responder_uri(SSLSrvConfigRec * sc,X509 * cert,conn_rec * c,apr_pool_t * p)54 static apr_uri_t *determine_responder_uri(SSLSrvConfigRec *sc, X509 *cert,
55 conn_rec *c, apr_pool_t *p)
56 {
57 apr_uri_t *u = apr_palloc(p, sizeof *u);
58 const char *s;
59 apr_status_t rv;
60
61 /* Use default responder URL if forced by configuration, else use
62 * certificate-specified responder, falling back to default if
63 * necessary and possible. */
64 if (sc->server->ocsp_force_default) {
65 s = sc->server->ocsp_responder;
66 }
67 else {
68 s = extract_responder_uri(cert, p);
69
70 if (s == NULL && sc->server->ocsp_responder) {
71 s = sc->server->ocsp_responder;
72 }
73 }
74
75 if (s == NULL) {
76 ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(01918)
77 "no OCSP responder specified in certificate and "
78 "no default configured");
79 return NULL;
80 }
81
82 rv = apr_uri_parse(p, s, u);
83 if (rv || !u->hostname) {
84 ap_log_cerror(APLOG_MARK, APLOG_DEBUG, rv, c, APLOGNO(01919)
85 "failed to parse OCSP responder URI '%s'", s);
86 return NULL;
87 }
88
89 if (strcasecmp(u->scheme, "http") != 0) {
90 ap_log_cerror(APLOG_MARK, APLOG_DEBUG, rv, c, APLOGNO(01920)
91 "cannot handle OCSP responder URI '%s'", s);
92 return NULL;
93 }
94
95 if (!u->port) {
96 u->port = apr_uri_port_of_scheme(u->scheme);
97 }
98
99 return u;
100 }
101
102 /* Create an OCSP request for the given certificate; returning the
103 * certificate ID in *certid and *issuer on success. Returns the
104 * request object on success, or NULL on error. */
create_request(X509_STORE_CTX * ctx,X509 * cert,OCSP_CERTID ** certid,server_rec * s,apr_pool_t * p)105 static OCSP_REQUEST *create_request(X509_STORE_CTX *ctx, X509 *cert,
106 OCSP_CERTID **certid,
107 server_rec *s, apr_pool_t *p)
108 {
109 OCSP_REQUEST *req = OCSP_REQUEST_new();
110
111 *certid = OCSP_cert_to_id(NULL, cert, ctx->current_issuer);
112 if (!*certid || !OCSP_request_add0_id(req, *certid)) {
113 ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01921)
114 "could not retrieve certificate id");
115 ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
116 return NULL;
117 }
118
119 OCSP_request_add1_nonce(req, 0, -1);
120
121 return req;
122 }
123
124 /* Verify the OCSP status of given certificate. Returns
125 * V_OCSP_CERTSTATUS_* result code. */
verify_ocsp_status(X509 * cert,X509_STORE_CTX * ctx,conn_rec * c,SSLSrvConfigRec * sc,server_rec * s,apr_pool_t * pool)126 static int verify_ocsp_status(X509 *cert, X509_STORE_CTX *ctx, conn_rec *c,
127 SSLSrvConfigRec *sc, server_rec *s,
128 apr_pool_t *pool)
129 {
130 int rc = V_OCSP_CERTSTATUS_GOOD;
131 OCSP_RESPONSE *response = NULL;
132 OCSP_BASICRESP *basicResponse = NULL;
133 OCSP_REQUEST *request = NULL;
134 OCSP_CERTID *certID = NULL;
135 apr_uri_t *ruri;
136
137 ruri = determine_responder_uri(sc, cert, c, pool);
138 if (!ruri) {
139 return V_OCSP_CERTSTATUS_UNKNOWN;
140 }
141
142 request = create_request(ctx, cert, &certID, s, pool);
143 if (request) {
144 apr_interval_time_t to = sc->server->ocsp_responder_timeout == UNSET ?
145 apr_time_from_sec(DEFAULT_OCSP_TIMEOUT) :
146 sc->server->ocsp_responder_timeout;
147 response = modssl_dispatch_ocsp_request(ruri, to, request, c, pool);
148 }
149
150 if (!request || !response) {
151 rc = V_OCSP_CERTSTATUS_UNKNOWN;
152 }
153
154 if (rc == V_OCSP_CERTSTATUS_GOOD) {
155 int r = OCSP_response_status(response);
156
157 if (r != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
158 ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01922)
159 "OCSP response not successful: %d", rc);
160 rc = V_OCSP_CERTSTATUS_UNKNOWN;
161 }
162 }
163
164 if (rc == V_OCSP_CERTSTATUS_GOOD) {
165 basicResponse = OCSP_response_get1_basic(response);
166 if (!basicResponse) {
167 ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(01923)
168 "could not retrieve OCSP basic response");
169 ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
170 rc = V_OCSP_CERTSTATUS_UNKNOWN;
171 }
172 }
173
174 if (rc == V_OCSP_CERTSTATUS_GOOD) {
175 if (OCSP_check_nonce(request, basicResponse) != 1) {
176 ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01924)
177 "Bad OCSP responder answer (bad nonce)");
178 rc = V_OCSP_CERTSTATUS_UNKNOWN;
179 }
180 }
181
182 if (rc == V_OCSP_CERTSTATUS_GOOD) {
183 /* TODO: allow flags configuration. */
184 if (OCSP_basic_verify(basicResponse, NULL, ctx->ctx, 0) != 1) {
185 ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01925)
186 "failed to verify the OCSP response");
187 ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
188 rc = V_OCSP_CERTSTATUS_UNKNOWN;
189 }
190 }
191
192 if (rc == V_OCSP_CERTSTATUS_GOOD) {
193 int reason = -1, status;
194 ASN1_GENERALIZEDTIME *thisup = NULL, *nextup = NULL;
195
196 rc = OCSP_resp_find_status(basicResponse, certID, &status,
197 &reason, NULL, &thisup, &nextup);
198 if (rc != 1) {
199 ssl_log_cxerror(SSLLOG_MARK, APLOG_ERR, 0, c, cert, APLOGNO(02272)
200 "failed to retrieve OCSP response status");
201 ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
202 rc = V_OCSP_CERTSTATUS_UNKNOWN;
203 }
204 else {
205 rc = status;
206 }
207
208 /* Check whether the response is inside the defined validity
209 * period; otherwise fail. */
210 if (rc != V_OCSP_CERTSTATUS_UNKNOWN) {
211 long resptime_skew = sc->server->ocsp_resptime_skew == UNSET ?
212 DEFAULT_OCSP_MAX_SKEW : sc->server->ocsp_resptime_skew;
213 /* oscp_resp_maxage can be passed verbatim - UNSET (-1) means
214 * that responses can be of any age as long as nextup is in the
215 * future. */
216 int vrc = OCSP_check_validity(thisup, nextup, resptime_skew,
217 sc->server->ocsp_resp_maxage);
218 if (vrc != 1) {
219 ssl_log_cxerror(SSLLOG_MARK, APLOG_ERR, 0, c, cert, APLOGNO(02273)
220 "OCSP response outside validity period");
221 ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
222 rc = V_OCSP_CERTSTATUS_UNKNOWN;
223 }
224 }
225
226 {
227 int level =
228 (status == V_OCSP_CERTSTATUS_GOOD) ? APLOG_INFO : APLOG_ERR;
229 const char *result =
230 status == V_OCSP_CERTSTATUS_GOOD ? "good" :
231 (status == V_OCSP_CERTSTATUS_REVOKED ? "revoked" : "unknown");
232
233 ssl_log_cxerror(SSLLOG_MARK, level, 0, c, cert,
234 "OCSP validation completed, "
235 "certificate status: %s (%d, %d)",
236 result, status, reason);
237 }
238 }
239
240 if (request) OCSP_REQUEST_free(request);
241 if (response) OCSP_RESPONSE_free(response);
242 if (basicResponse) OCSP_BASICRESP_free(basicResponse);
243 /* certID is freed when the request is freed */
244
245 return rc;
246 }
247
modssl_verify_ocsp(X509_STORE_CTX * ctx,SSLSrvConfigRec * sc,server_rec * s,conn_rec * c,apr_pool_t * pool)248 int modssl_verify_ocsp(X509_STORE_CTX *ctx, SSLSrvConfigRec *sc,
249 server_rec *s, conn_rec *c, apr_pool_t *pool)
250 {
251 X509 *cert = X509_STORE_CTX_get_current_cert(ctx);
252 apr_pool_t *vpool;
253 int rv;
254
255 if (!cert) {
256 /* starting with OpenSSL 1.0, X509_STORE_CTX_get_current_cert()
257 * may yield NULL. Return early, but leave the ctx error as is. */
258 ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,
259 "No cert available to check with OCSP");
260 return 1;
261 }
262 else if (cert->valid && X509_check_issued(cert,cert) == X509_V_OK) {
263 /* don't do OCSP checking for valid self-issued certs */
264 ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,
265 "Skipping OCSP check for valid self-issued cert");
266 X509_STORE_CTX_set_error(ctx, X509_V_OK);
267 return 1;
268 }
269
270 /* Create a temporary pool to constrain memory use (the passed-in
271 * pool may be e.g. a connection pool). */
272 apr_pool_create(&vpool, pool);
273
274 rv = verify_ocsp_status(cert, ctx, c, sc, s, vpool);
275
276 apr_pool_destroy(vpool);
277
278 /* Propagate the verification status back to the passed-in
279 * context. */
280 switch (rv) {
281 case V_OCSP_CERTSTATUS_GOOD:
282 X509_STORE_CTX_set_error(ctx, X509_V_OK);
283 break;
284
285 case V_OCSP_CERTSTATUS_REVOKED:
286 X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_REVOKED);
287 break;
288
289 case V_OCSP_CERTSTATUS_UNKNOWN:
290 /* correct error code for application errors? */
291 X509_STORE_CTX_set_error(ctx, X509_V_ERR_APPLICATION_VERIFICATION);
292 break;
293 }
294
295 return rv == V_OCSP_CERTSTATUS_GOOD;
296 }
297 #endif /* HAVE_OCSP */
298