Pedro Monreal Gonzalez
9fd6ae9e88
OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=166
493 lines
22 KiB
Diff
493 lines
22 KiB
Diff
commit c43f598838acaf3b98df4fce4b6babb663d2f902
|
|
Author: Otto Hollmann <otto.hollmann@suse.com>
|
|
Date: Fri Jun 30 11:15:30 2023 +0200
|
|
|
|
Add OCSP_RESPONSE_check_status(), a function to check OCSP response for revoked certificate in s_client.
|
|
|
|
---
|
|
apps/s_client.c | 10 +
|
|
crypto/ocsp/ocsp_vfy.c | 31 +++++
|
|
doc/man3/OCSP_response_status.pod | 15 ++
|
|
include/openssl/ocsp.h | 1
|
|
test/recipes/80-test_ocsp_check.t | 90 +++++++++++++++++
|
|
test/recipes/80-test_ocsp_check_data/ca.pem | 19 +++
|
|
test/recipes/80-test_ocsp_check_data/index-revoked.txt | 2
|
|
test/recipes/80-test_ocsp_check_data/index-valid.txt | 2
|
|
test/recipes/80-test_ocsp_check_data/ocsp.key | 28 +++++
|
|
test/recipes/80-test_ocsp_check_data/ocsp.pem | 75 ++++++++++++++
|
|
test/recipes/80-test_ocsp_check_data/server.key | 28 +++++
|
|
test/recipes/80-test_ocsp_check_data/server.pem | 75 ++++++++++++++
|
|
util/libcrypto.num | 1
|
|
13 files changed, 372 insertions(+), 5 deletions(-)
|
|
|
|
--- a/apps/s_client.c
|
|
+++ b/apps/s_client.c
|
|
@@ -3390,7 +3390,7 @@ static void print_stuff(BIO *bio, SSL *s
|
|
static int ocsp_resp_cb(SSL *s, void *arg)
|
|
{
|
|
const unsigned char *p;
|
|
- int len;
|
|
+ int len, ret;
|
|
OCSP_RESPONSE *rsp;
|
|
len = SSL_get_tlsext_status_ocsp_resp(s, &p);
|
|
BIO_puts(arg, "OCSP response: ");
|
|
@@ -3407,8 +3407,14 @@ static int ocsp_resp_cb(SSL *s, void *ar
|
|
BIO_puts(arg, "\n======================================\n");
|
|
OCSP_RESPONSE_print(arg, rsp, 0);
|
|
BIO_puts(arg, "======================================\n");
|
|
+ ret = OCSP_RESPONSE_check_status(rsp);
|
|
OCSP_RESPONSE_free(rsp);
|
|
- return 1;
|
|
+ if (ret <= -1) {
|
|
+ BIO_puts(arg, "unable to verify OCSP response\n");
|
|
+ } else if (ret == 0) {
|
|
+ BIO_puts(arg, "revoked certificate found in OCSP response\n");
|
|
+ }
|
|
+ return ret;
|
|
}
|
|
# endif
|
|
|
|
--- a/crypto/ocsp/ocsp_vfy.c
|
|
+++ b/crypto/ocsp/ocsp_vfy.c
|
|
@@ -433,3 +433,34 @@ static int ocsp_req_find_signer(X509 **p
|
|
}
|
|
return 0;
|
|
}
|
|
+
|
|
+/*
|
|
+ * Check an OCSP response for revoked certificate. Return a negative value on
|
|
+ * error; 0 if the response is not acceptable (in which case the handshake
|
|
+ * will fail) or a positive value if it is acceptable (no revoked certificate
|
|
+ * is found).
|
|
+ */
|
|
+
|
|
+int OCSP_RESPONSE_check_status(OCSP_RESPONSE *o)
|
|
+{
|
|
+ int i;
|
|
+ OCSP_BASICRESP *br = NULL;
|
|
+ OCSP_RESPDATA *rd = NULL;
|
|
+ OCSP_SINGLERESP *single = NULL;
|
|
+ OCSP_RESPBYTES *rb = o->responseBytes;
|
|
+ if (rb == NULL)
|
|
+ return -1;
|
|
+ if (OBJ_obj2nid(rb->responseType) != NID_id_pkix_OCSP_basic)
|
|
+ return -1;
|
|
+ if ((br = OCSP_response_get1_basic(o)) == NULL)
|
|
+ return -1;
|
|
+ rd = &br->tbsResponseData;
|
|
+ for (i = 0; i < sk_OCSP_SINGLERESP_num(rd->responses); i++) {
|
|
+ if (!sk_OCSP_SINGLERESP_value(rd->responses, i))
|
|
+ continue;
|
|
+ single = sk_OCSP_SINGLERESP_value(rd->responses, i);
|
|
+ if (single->certStatus->type == V_OCSP_CERTSTATUS_REVOKED)
|
|
+ return 0;
|
|
+ }
|
|
+ return 1;
|
|
+}
|
|
--- a/doc/man3/OCSP_response_status.pod
|
|
+++ b/doc/man3/OCSP_response_status.pod
|
|
@@ -2,8 +2,8 @@
|
|
|
|
=head1 NAME
|
|
|
|
-OCSP_response_status, OCSP_response_get1_basic, OCSP_response_create,
|
|
-OCSP_RESPONSE_free, OCSP_RESPID_set_by_name,
|
|
+OCSP_response_status, OCSP_RESPONSE_check_status, OCSP_response_get1_basic,
|
|
+OCSP_response_create, OCSP_RESPONSE_free, OCSP_RESPID_set_by_name,
|
|
OCSP_RESPID_set_by_key, OCSP_RESPID_match,
|
|
OCSP_basic_sign, OCSP_basic_sign_ctx - OCSP response functions
|
|
|
|
@@ -12,6 +12,7 @@ OCSP_basic_sign, OCSP_basic_sign_ctx - O
|
|
#include <openssl/ocsp.h>
|
|
|
|
int OCSP_response_status(OCSP_RESPONSE *resp);
|
|
+ int OCSP_RESPONSE_check_status(OCSP_RESPONSE *resp);
|
|
OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp);
|
|
OCSP_RESPONSE *OCSP_response_create(int status, OCSP_BASICRESP *bs);
|
|
void OCSP_RESPONSE_free(OCSP_RESPONSE *resp);
|
|
@@ -34,6 +35,10 @@ B<OCSP_RESPONSE_STATUS_MALFORMEDREQUEST>
|
|
B<OCSP_RESPONSE_STATUS_INTERNALERROR>, B<OCSP_RESPONSE_STATUS_TRYLATER>
|
|
B<OCSP_RESPONSE_STATUS_SIGREQUIRED>, or B<OCSP_RESPONSE_STATUS_UNAUTHORIZED>.
|
|
|
|
+OCSP_RESPONSE_check_status() check status of the OCSP response I<resp>. It
|
|
+returns a negative value on error; 0 if the response is not acceptable
|
|
+(e.g. contains revoked certificate) or a positive value if it is acceptable.
|
|
+
|
|
OCSP_response_get1_basic() decodes and returns the B<OCSP_BASICRESP> structure
|
|
contained in B<resp>.
|
|
|
|
@@ -65,7 +70,11 @@ uses the parameters contained in digest
|
|
|
|
=head1 RETURN VALUES
|
|
|
|
-OCSP_RESPONSE_status() returns a status value.
|
|
+OCSP_response_status() returns a status value.
|
|
+
|
|
+OCSP_RESPONSE_check_status() returns a result of check - negative value on
|
|
+error; 0 if the response is not acceptable; positive value if response is
|
|
+acceptable.
|
|
|
|
OCSP_response_get1_basic() returns an B<OCSP_BASICRESP> structure pointer or
|
|
B<NULL> if an error occurred.
|
|
--- a/include/openssl/ocsp.h
|
|
+++ b/include/openssl/ocsp.h
|
|
@@ -340,6 +340,7 @@ const char *OCSP_crl_reason_str(long s);
|
|
|
|
int OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST *a, unsigned long flags);
|
|
int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE *o, unsigned long flags);
|
|
+int OCSP_RESPONSE_check_status(OCSP_RESPONSE *o);
|
|
|
|
int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
|
|
X509_STORE *st, unsigned long flags);
|
|
--- /dev/null
|
|
+++ b/test/recipes/80-test_ocsp_check.t
|
|
@@ -0,0 +1,90 @@
|
|
+#! /usr/bin/env perl
|
|
+# Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
|
|
+#
|
|
+# Licensed under the Apache License 2.0 (the "License"). You may not use
|
|
+# this file except in compliance with the License. You can obtain a copy
|
|
+# in the file LICENSE in the source distribution or at
|
|
+# https://www.openssl.org/source/license.html
|
|
+
|
|
+use strict;
|
|
+use warnings;
|
|
+
|
|
+use IPC::Open2;
|
|
+use OpenSSL::Test qw/:DEFAULT srctop_file bldtop_file/;
|
|
+use OpenSSL::Test::Utils;
|
|
+
|
|
+setup("test_ocsp_check");
|
|
+
|
|
+plan tests => 2;
|
|
+
|
|
+my $shlib_wrap = bldtop_file("util", "shlib_wrap.sh");
|
|
+my $apps_openssl = bldtop_file("apps", "openssl");
|
|
+my $ca = srctop_file("test", "recipes", "80-test_ocsp_check_data", "ca.pem");
|
|
+my $ca_key = srctop_file("test", "recipes", "80-test_ocsp_check_data", "ca.key");
|
|
+my $ocsp = srctop_file("test", "recipes", "80-test_ocsp_check_data", "ocsp.pem");
|
|
+my $ocsp_key = srctop_file("test", "recipes", "80-test_ocsp_check_data", "ocsp.key");
|
|
+my $server = srctop_file("test", "recipes", "80-test_ocsp_check_data", "server.pem");
|
|
+my $server_key = srctop_file("test", "recipes", "80-test_ocsp_check_data", "server.key");
|
|
+my $index;
|
|
+my $ocsp_port = 9999;
|
|
+my $https_port = 8443;
|
|
+# 20 July 2023 so we don't get certificate expiry errors.
|
|
+my @check_time=("-attime", "1689811200");
|
|
+
|
|
+sub run_test {
|
|
+ my $id = shift;
|
|
+ my $connect_good = 0;
|
|
+
|
|
+ if ($id == 0) {
|
|
+ $index = srctop_file("test", "recipes", "80-test_ocsp_check_data", "index-valid.txt");
|
|
+ }
|
|
+ if ($id == 1) {
|
|
+ $index = srctop_file("test", "recipes", "80-test_ocsp_check_data", "index-revoked.txt");
|
|
+ }
|
|
+ # OCSP responder
|
|
+ my @o_cmd = ("ocsp", "-index", $index, "-port", "$ocsp_port", "-rsigner", $ocsp, "-rkey", $ocsp_key, "-CA", $ca, "-nrequest", "1", @check_time);
|
|
+ # server
|
|
+ my @s_cmd = ("s_server", "-www", "-status_url", "http://127.0.0.1:$ocsp_port", "-accept", "$https_port", "-cert", $server, "-key", $server_key, "-state", "-CAfile", $ca, "-naccept", "1", @check_time);
|
|
+ # client
|
|
+ my @c_cmd = ("s_client", "-connect", ":$https_port", "-CAfile", $ca, "-status", "-verify_return_error", "-strict", @check_time);
|
|
+
|
|
+ # Run the OCSP responder
|
|
+ my $o_pid = open2(my $o_out, my $o_in, $shlib_wrap, $apps_openssl, @o_cmd);
|
|
+
|
|
+ # Start up the server
|
|
+ my $s_pid = open2(my $s_out, my $s_in, $shlib_wrap, $apps_openssl, @s_cmd);
|
|
+ while (<$s_out>) {
|
|
+ chomp;
|
|
+ if (/^ACCEPT$/) {
|
|
+ print "Server ready\n";
|
|
+ last;
|
|
+ }
|
|
+ }
|
|
+
|
|
+ # Start up the client
|
|
+ my $c_pid = open2(my $c_out, my $c_in, $shlib_wrap, $apps_openssl, @c_cmd);
|
|
+ if ($id == 0) {
|
|
+ # Do the "GET", which will cause the client to finish
|
|
+ print $c_in "GET /\r\n";
|
|
+ }
|
|
+
|
|
+ waitpid($c_pid, 0);
|
|
+ waitpid($s_pid, 0);
|
|
+ waitpid($o_pid, 0);
|
|
+
|
|
+ # Check the client output
|
|
+ while (<$c_out>) {
|
|
+ chomp;
|
|
+ if ($id == 0) {
|
|
+ $connect_good = 1 if /^Content-type: text/;
|
|
+ }
|
|
+ if ($id == 1) {
|
|
+ $connect_good = 1 if /^revoked certificate found in OCSP response/;
|
|
+ }
|
|
+ }
|
|
+ print STDERR "Connection failed\n" if ! ok($connect_good);
|
|
+}
|
|
+
|
|
+for my $index (0..1) {
|
|
+ run_test($index)
|
|
+}
|
|
\ No newline at end of file
|
|
--- /dev/null
|
|
+++ b/test/recipes/80-test_ocsp_check_data/ca.pem
|
|
@@ -0,0 +1,19 @@
|
|
+-----BEGIN CERTIFICATE-----
|
|
+MIIDBTCCAe2gAwIBAgIUZot4eag1ZaofYsMIB7HIzq8+zGEwDQYJKoZIhvcNAQEL
|
|
+BQAwEjEQMA4GA1UEAwwHUm9vdCBDQTAeFw0yMzA3MTIwOTI5NDdaFw0zMzA3MDkw
|
|
+OTI5NDdaMBIxEDAOBgNVBAMMB1Jvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IB
|
|
+DwAwggEKAoIBAQDRRSlP0gUVVlzMkEtVzX95n5lM+P36lyNgevKqY1Dl3ygPAzaq
|
|
+HRUBsgcxdDwWwMPO2u5UJOWaQ80nwFGROwX8WrRoBTvsUZ+URyXx98tHrhnD6wI9
|
|
+v30xYGN0RU2Ef2XnMvThhKRQVZJJWAHFPWZdPes0/g3H4FGJudOQJUHpiDD1UEF+
|
|
+cWxyujhVbvBFCX+mBS+r/tn75axjsUqmbxwCE7TK3CD0JdvlLUYxtybvozYoONot
|
|
+/mFleCMmPaTzPHan+iXNHp4Tn+3Ssndo3uiTr0pEbGgSOy2PppbZmv0ml0+CSLN4
|
|
+G8VaBBf7VTMayowEmmDgTpsOTi9tJqW2CcGzAgMBAAGjUzBRMB0GA1UdDgQWBBRj
|
|
+L87V9mqTdWYMCNNBb6Hay7OwPjAfBgNVHSMEGDAWgBRjL87V9mqTdWYMCNNBb6Ha
|
|
+y7OwPjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQC09qzufLI/
|
|
+AoBscY8e9Q4pRhzeVVAKQ6yAZiO2O0o3trI5xKqD3iD0pOC7Mbfg0e0lneK6ovpd
|
|
+J178HwF4PMdiwvPH0KkAf0DaB96nC6U6oGQmItq8668jeVBjat0UCP3xiLmLhhAl
|
|
+mnnsgFC1eALmpWQPVlixUaXF4ri3R0QBUcc2kIV5zr1P3LJVboMSgCZULvrlfQLC
|
|
+kA0GdCCf6h08AFHRaIW8EE3I1IHNZc7eQcmnCLewHU5cPAYJ69GjhblSLS8kbpXK
|
|
+k7BllPLkk99zc/94okTasTjUkmha3RhRqMNL8jrYVc1m7H4U+4XUyh1y4C4Nmz18
|
|
+fBbrMxN2SCXM
|
|
+-----END CERTIFICATE-----
|
|
--- /dev/null
|
|
+++ b/test/recipes/80-test_ocsp_check_data/index-revoked.txt
|
|
@@ -0,0 +1,2 @@
|
|
+V 240711093229Z 1000 unknown /CN=OCSP
|
|
+R 240711093313Z 230621000000Z 1001 unknown /CN=Server
|
|
--- /dev/null
|
|
+++ b/test/recipes/80-test_ocsp_check_data/index-valid.txt
|
|
@@ -0,0 +1,2 @@
|
|
+V 240711093229Z 1000 unknown /CN=OCSP
|
|
+V 240711093313Z 1001 unknown /CN=Server
|
|
--- /dev/null
|
|
+++ b/test/recipes/80-test_ocsp_check_data/ocsp.key
|
|
@@ -0,0 +1,28 @@
|
|
+-----BEGIN PRIVATE KEY-----
|
|
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDZ2OLi8cpvoinQ
|
|
+bs4YEmk9GdQNcg9+zBRHy/YRJF+bbdreINweLYigHg2D3rcJnrjXkNAmd08aD0x+
|
|
+4iq58Tvy5P48VZ+c1R3XUs1YQR20sKgnM8w+uF2SXxX18Idy31pNErYh3J8jVpBi
|
|
+moMP9dC22iNB4kTKf1ORM6HaKnHM8wg3JzXv9lVoIQgAgyAmJOoQXhQ8Kn1AOj3j
|
|
+vp1Jgm2hI4e2MTjgjraT9sKxPXIZkKnTwnZX88MpE9HvsQ7XV2CdYmMry+L69X68
|
|
+bl3S1eisDjeIvHPtz6TenZs7wxbupy7OtdOKRxa/mDh9C76XHiNPoukUF1NVZ93S
|
|
+647ud7enAgMBAAECggEAFy+JbQxn9nwExZ2Cy4wWGFM0lF5vPhhmu4IpRTIhB4Vo
|
|
+gIYbIg5y6/vBhidWRYICUVXP2ZrkLTVd97kxlqBmuCzdeZAcEKXxavacoAfaK142
|
|
+n2mDaP+CsgPzGJMfj2nXOLxvlxNd+qBey1J/oDC8+eEl/yqfwLT5hiA/2dz08hI6
|
|
+IU0BudOB6H5iBK74MJsubdm0tsY4iqTykXeiR+n5dvVGDXLUX74BDHlD9O7AAo10
|
|
+h74Vw22luigsV0spCVLoOYy6z9KMkOaHZRruPmF3UCsfJZFY2y6uMapvbdgUavr9
|
|
+5fpsx40ep/mjRkYainHfJK1YkV/AoTxKjPQu2owJIQKBgQD0akN75lGXaAMQ0oEA
|
|
+1UrvZg75BQxPN+3qVtyynoQGVh58uRIaeG4DQdtc4nNPYI6o6NGbJk4T4wXU7W/3
|
|
+XUr+U/LdSGpHfM9gXGCUNgoJeUKY3NLUGdE4DIGDiJrmJfd5NDj37+PAQUTLBO49
|
|
+A0+BPnictZPffXuXCGL7lt7hYQKBgQDkLD9jV6HNtv8pAxFdQM+89NhWZCvpuTAs
|
|
+rihG3ebblBotMuGsrZDJ75UKq5wPEGCZWDc5q2h8L6CiyQF7Vht4/pi4NEhsA9My
|
|
+5hOGUJJVvvFmEIYz0GoCGqoDqag1XpKx8MYMvcc52bhzsYCy+dpnqraISeyiFPLM
|
|
+hdy+3jROBwKBgAqKEoLjOZ13xLoS+bEZgXO1SOwABbncxYuXV0j0gOjtCb+DE37E
|
|
+tqm5S0ZEFYjUtxIdh/xSuIcvAO9flbZq9XLmF9Dm8H5IqYCUOy3o7qHd8rs4unae
|
|
+7mCmWWdcmqFV/cfiMpquY3nE1rySZ9uFqwX9taG8SrYWaR/oIqyKou3BAoGBAJgX
|
|
+2oT4s/UxJzKKRffYLOEygEZN7WuVMsSFrnlWjv0M4soAIaf95gaFOd7r91GfRBTT
|
|
+VbSOSk6FXNlFjUROaG+lnd0jlKbTgeNqs9cTPAgGCFlVaG9/XDpc1bktTN+OU9Bi
|
|
+w1FY60TnmOkdh8FFhM0XYSbFyANeXV3xWOytp0XfAoGBAO2FkR3oGd3DSJmeljwJ
|
|
+HciEmlYCk38z93mZXiDTh4axS+mxAMYVRXt0dDUveyImlpcGi9coYmQPEzgk6spQ
|
|
+DOeRzRQcWQWfny9/UoGFU/Kv6QmpteAWaSjinBWKONx9d5AGzAkzms79tS8JMeL5
|
|
++wlkyD8NclbRA+ILu+V8HLed
|
|
+-----END PRIVATE KEY-----
|
|
--- /dev/null
|
|
+++ b/test/recipes/80-test_ocsp_check_data/ocsp.pem
|
|
@@ -0,0 +1,75 @@
|
|
+Certificate:
|
|
+ Data:
|
|
+ Version: 3 (0x2)
|
|
+ Serial Number: 4096 (0x1000)
|
|
+ Signature Algorithm: sha256WithRSAEncryption
|
|
+ Issuer: CN=Root CA
|
|
+ Validity
|
|
+ Not Before: Jul 12 09:32:29 2023 GMT
|
|
+ Not After : Jul 11 09:32:29 2024 GMT
|
|
+ Subject: CN=OCSP
|
|
+ Subject Public Key Info:
|
|
+ Public Key Algorithm: rsaEncryption
|
|
+ Public-Key: (2048 bit)
|
|
+ Modulus:
|
|
+ 00:d9:d8:e2:e2:f1:ca:6f:a2:29:d0:6e:ce:18:12:
|
|
+ 69:3d:19:d4:0d:72:0f:7e:cc:14:47:cb:f6:11:24:
|
|
+ 5f:9b:6d:da:de:20:dc:1e:2d:88:a0:1e:0d:83:de:
|
|
+ b7:09:9e:b8:d7:90:d0:26:77:4f:1a:0f:4c:7e:e2:
|
|
+ 2a:b9:f1:3b:f2:e4:fe:3c:55:9f:9c:d5:1d:d7:52:
|
|
+ cd:58:41:1d:b4:b0:a8:27:33:cc:3e:b8:5d:92:5f:
|
|
+ 15:f5:f0:87:72:df:5a:4d:12:b6:21:dc:9f:23:56:
|
|
+ 90:62:9a:83:0f:f5:d0:b6:da:23:41:e2:44:ca:7f:
|
|
+ 53:91:33:a1:da:2a:71:cc:f3:08:37:27:35:ef:f6:
|
|
+ 55:68:21:08:00:83:20:26:24:ea:10:5e:14:3c:2a:
|
|
+ 7d:40:3a:3d:e3:be:9d:49:82:6d:a1:23:87:b6:31:
|
|
+ 38:e0:8e:b6:93:f6:c2:b1:3d:72:19:90:a9:d3:c2:
|
|
+ 76:57:f3:c3:29:13:d1:ef:b1:0e:d7:57:60:9d:62:
|
|
+ 63:2b:cb:e2:fa:f5:7e:bc:6e:5d:d2:d5:e8:ac:0e:
|
|
+ 37:88:bc:73:ed:cf:a4:de:9d:9b:3b:c3:16:ee:a7:
|
|
+ 2e:ce:b5:d3:8a:47:16:bf:98:38:7d:0b:be:97:1e:
|
|
+ 23:4f:a2:e9:14:17:53:55:67:dd:d2:eb:8e:ee:77:
|
|
+ b7:a7
|
|
+ Exponent: 65537 (0x10001)
|
|
+ X509v3 extensions:
|
|
+ X509v3 Basic Constraints:
|
|
+ CA:FALSE
|
|
+ X509v3 Subject Key Identifier:
|
|
+ 2B:C9:AC:45:83:BB:96:5B:73:77:1A:F8:DB:F9:98:44:C6:E8:55:95
|
|
+ X509v3 Authority Key Identifier:
|
|
+ 63:2F:CE:D5:F6:6A:93:75:66:0C:08:D3:41:6F:A1:DA:CB:B3:B0:3E
|
|
+ Signature Algorithm: sha256WithRSAEncryption
|
|
+ Signature Value:
|
|
+ 02:87:49:a3:6f:c4:59:38:94:f9:f7:1a:ff:6f:4c:b4:6b:bd:
|
|
+ d2:79:98:5c:90:a8:49:45:ec:91:4e:ac:45:ec:8d:81:7f:ce:
|
|
+ ea:2f:93:c1:40:49:d4:c7:f2:ae:c0:60:1d:7d:65:91:83:63:
|
|
+ 51:4c:f0:ce:ef:81:dc:43:a6:b3:01:39:66:52:2d:1d:08:16:
|
|
+ a7:a7:54:78:e6:7a:06:49:5f:86:37:12:48:42:ab:37:a9:c0:
|
|
+ 04:98:70:45:50:9e:6d:30:6d:6d:81:05:79:1b:5c:2b:75:b9:
|
|
+ a8:46:22:4a:80:c9:ab:7c:f7:b2:63:69:ed:08:31:32:bd:8e:
|
|
+ f8:d7:8e:8e:29:8e:f6:b0:52:c2:a3:19:c1:e0:88:de:de:94:
|
|
+ 4f:f1:a5:9b:1c:1c:c0:11:79:7f:df:38:1b:97:a9:6c:26:fc:
|
|
+ 7e:31:f5:78:ba:c1:1d:e6:7c:e1:8e:b3:c5:91:fc:f6:5f:44:
|
|
+ 18:44:0b:15:c8:94:a5:a7:02:58:2f:be:f4:e4:80:0a:ce:8e:
|
|
+ 33:36:dd:0f:39:d3:b6:ae:57:d2:46:b4:a2:d1:49:c9:29:a7:
|
|
+ a0:a7:62:a7:2e:2d:7d:91:94:12:f7:55:13:54:d5:4e:4d:eb:
|
|
+ 1f:78:a7:9e:a9:93:f9:6c:a9:ec:97:2e:c6:04:67:fa:95:47:
|
|
+ 1e:2c:d2:74
|
|
+-----BEGIN CERTIFICATE-----
|
|
+MIIC6jCCAdKgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwEjEQMA4GA1UEAwwHUm9v
|
|
+dCBDQTAeFw0yMzA3MTIwOTMyMjlaFw0yNDA3MTEwOTMyMjlaMA8xDTALBgNVBAMM
|
|
+BE9DU1AwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDZ2OLi8cpvoinQ
|
|
+bs4YEmk9GdQNcg9+zBRHy/YRJF+bbdreINweLYigHg2D3rcJnrjXkNAmd08aD0x+
|
|
+4iq58Tvy5P48VZ+c1R3XUs1YQR20sKgnM8w+uF2SXxX18Idy31pNErYh3J8jVpBi
|
|
+moMP9dC22iNB4kTKf1ORM6HaKnHM8wg3JzXv9lVoIQgAgyAmJOoQXhQ8Kn1AOj3j
|
|
+vp1Jgm2hI4e2MTjgjraT9sKxPXIZkKnTwnZX88MpE9HvsQ7XV2CdYmMry+L69X68
|
|
+bl3S1eisDjeIvHPtz6TenZs7wxbupy7OtdOKRxa/mDh9C76XHiNPoukUF1NVZ93S
|
|
+647ud7enAgMBAAGjTTBLMAkGA1UdEwQCMAAwHQYDVR0OBBYEFCvJrEWDu5Zbc3ca
|
|
++Nv5mETG6FWVMB8GA1UdIwQYMBaAFGMvztX2apN1ZgwI00FvodrLs7A+MA0GCSqG
|
|
+SIb3DQEBCwUAA4IBAQACh0mjb8RZOJT59xr/b0y0a73SeZhckKhJReyRTqxF7I2B
|
|
+f87qL5PBQEnUx/KuwGAdfWWRg2NRTPDO74HcQ6azATlmUi0dCBanp1R45noGSV+G
|
|
+NxJIQqs3qcAEmHBFUJ5tMG1tgQV5G1wrdbmoRiJKgMmrfPeyY2ntCDEyvY74146O
|
|
+KY72sFLCoxnB4Ije3pRP8aWbHBzAEXl/3zgbl6lsJvx+MfV4usEd5nzhjrPFkfz2
|
|
+X0QYRAsVyJSlpwJYL7705IAKzo4zNt0POdO2rlfSRrSi0UnJKaegp2KnLi19kZQS
|
|
+91UTVNVOTesfeKeeqZP5bKnsly7GBGf6lUceLNJ0
|
|
+-----END CERTIFICATE-----
|
|
--- /dev/null
|
|
+++ b/test/recipes/80-test_ocsp_check_data/server.key
|
|
@@ -0,0 +1,28 @@
|
|
+-----BEGIN PRIVATE KEY-----
|
|
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDb4qMIdALYSZd7
|
|
+/RBJ5PTRZS23d4SkIxZuOGXiSdYNyDNqg+jZZ5HPJu1ZcZFZ7AYINCAnk/yv1rPd
|
|
+Aoz50sZKTjHacQZLhaSds0PlN5/TrkwU0WUbalFWm5D6LB+VlDdkOSWSO3UNo23n
|
|
+X3wBMCWL9tTqNCwzNx8o3P6L8gjEOyOU3lIB3DU0FgGZN0Fkk7ZrbZxoln78Hcgf
|
|
+wBxWC2SafOwU9zofjdcEQr4Q6kAKDK1M7EYbq8U67BUS7SRRoj2Ub6KNhTGCuH5f
|
|
+0M4umykvong4bvqYqmrpAM0qV/F0ngus8qJgAH21AeHAvG9iuP/AphbslKFl+Me5
|
|
+3J3/2A/lAgMBAAECggEAAsC9Ist1B6kwNNSvwgUUTZTTNDNSXU21J68cE2+yNtz1
|
|
+S9WX8jTaPfoySYbi93m9f5fLeUNgjAEHonI4Op55bg+5jw8QMZzcOT83z+RY42kQ
|
|
+ucf/WI8Fsqxi7cbkpFZFNUOD5WdKKWAM7bMj1c35Al4WP1Jk5UVA5h2SMEVY97/x
|
|
+2TeQIzxBVX7w8d3jSHQXizWLB06IRs0F1Kpp0qIXJ558GcWEYVLk7ORIcJACWJSh
|
|
+UmhmtUVXI5OoWTTk4Ac7wus5GlCaLkwZ1RxV8iSwlQ5dhEBdDPRofrH9QgeULJrq
|
|
+l+G+Cv32FizTzC3QuiPrXrbfPVxffYZuJ5g2RORh9wKBgQD4IqS3WzXYOoKwkA5d
|
|
+8rVAL55tTE8I7/GZCoMrmRsXKV/30gJjhDlf5TyKWpFB7gcxBBZhd+lK/daH8d+S
|
|
+EAeBdN45VM/xbQkVKyfOQMQ5JuKmLJUyUP7yevMDZ0TYWQGDWmnVMzhfICIKWQvM
|
|
+lnPqCHFeYx+zWFBTDukr+aitywKBgQDi2sY1KAJiC24M7DILvjF0vFQGIPCyoOfQ
|
|
+VKemT3O5BKXbEK/WgBmTHMZzGPUGCZ7dxjEeTpE1d6YIadSa3FMyA34PWi8+3jdn
|
|
+lGSnK5MBlfKnk8Qo5vYOKPMgVmRPzqyJ8gUorNvAUEKZeFjV+wZeX/0yxSunumCj
|
|
+dfOk2TWDDwKBgEQE0xxED32HhH2774RHXPIMW6Rgb6XmiFbIb+6KmMd/mwQG+Iqp
|
|
+G0UzRKY0b28gPa5tDWmIglYBQUagwgV7CWOuUqBqpFns5rl7y/yY+nEkPKsKu5dA
|
|
+ZrK3i1gafd/EfkqwhSRhVwmUeGBXyok5kOrNh641A+KYyeQKyVY5qMiDAoGALJgb
|
|
+DIn/5ewfRxULRXmu2SbIUagaCNNOnop1pmDJ+93pCKZAGqd135BxhmCqkfREMY5r
|
|
+S2zgaKVLky3SqFqVVCiRmEz/KpmeRJNMMfyD2nTyjXSjw/Ka/e+Y04uIDpQvILLd
|
|
+xsAsNqLQZMDenbnJ57Vw3ZEa4s7lflyKd6ZnOYsCgYEA5jRpE1+lw1mAieDNovqH
|
|
+Mp2VwrmuFWhkeC7RW0G8ngNRzP9K6p77cDZGuR8GO5OHhpC3JG14OhOGL5rmDcwc
|
|
+ufXRlGMeAfWSY6EOY2hPWltML4EiX0zRESipQty8ns/HekIVlmOh4sv+3N3EqLlE
|
|
+edJcYLfcg1FGwnVQLHuVhy4=
|
|
+-----END PRIVATE KEY-----
|
|
--- /dev/null
|
|
+++ b/test/recipes/80-test_ocsp_check_data/server.pem
|
|
@@ -0,0 +1,75 @@
|
|
+Certificate:
|
|
+ Data:
|
|
+ Version: 3 (0x2)
|
|
+ Serial Number: 4097 (0x1001)
|
|
+ Signature Algorithm: sha256WithRSAEncryption
|
|
+ Issuer: CN=Root CA
|
|
+ Validity
|
|
+ Not Before: Jul 12 09:33:13 2023 GMT
|
|
+ Not After : Jul 11 09:33:13 2024 GMT
|
|
+ Subject: CN=Server
|
|
+ Subject Public Key Info:
|
|
+ Public Key Algorithm: rsaEncryption
|
|
+ Public-Key: (2048 bit)
|
|
+ Modulus:
|
|
+ 00:db:e2:a3:08:74:02:d8:49:97:7b:fd:10:49:e4:
|
|
+ f4:d1:65:2d:b7:77:84:a4:23:16:6e:38:65:e2:49:
|
|
+ d6:0d:c8:33:6a:83:e8:d9:67:91:cf:26:ed:59:71:
|
|
+ 91:59:ec:06:08:34:20:27:93:fc:af:d6:b3:dd:02:
|
|
+ 8c:f9:d2:c6:4a:4e:31:da:71:06:4b:85:a4:9d:b3:
|
|
+ 43:e5:37:9f:d3:ae:4c:14:d1:65:1b:6a:51:56:9b:
|
|
+ 90:fa:2c:1f:95:94:37:64:39:25:92:3b:75:0d:a3:
|
|
+ 6d:e7:5f:7c:01:30:25:8b:f6:d4:ea:34:2c:33:37:
|
|
+ 1f:28:dc:fe:8b:f2:08:c4:3b:23:94:de:52:01:dc:
|
|
+ 35:34:16:01:99:37:41:64:93:b6:6b:6d:9c:68:96:
|
|
+ 7e:fc:1d:c8:1f:c0:1c:56:0b:64:9a:7c:ec:14:f7:
|
|
+ 3a:1f:8d:d7:04:42:be:10:ea:40:0a:0c:ad:4c:ec:
|
|
+ 46:1b:ab:c5:3a:ec:15:12:ed:24:51:a2:3d:94:6f:
|
|
+ a2:8d:85:31:82:b8:7e:5f:d0:ce:2e:9b:29:2f:a2:
|
|
+ 78:38:6e:fa:98:aa:6a:e9:00:cd:2a:57:f1:74:9e:
|
|
+ 0b:ac:f2:a2:60:00:7d:b5:01:e1:c0:bc:6f:62:b8:
|
|
+ ff:c0:a6:16:ec:94:a1:65:f8:c7:b9:dc:9d:ff:d8:
|
|
+ 0f:e5
|
|
+ Exponent: 65537 (0x10001)
|
|
+ X509v3 extensions:
|
|
+ X509v3 Basic Constraints:
|
|
+ CA:FALSE
|
|
+ X509v3 Subject Key Identifier:
|
|
+ 3E:48:4E:C9:24:FA:DE:27:EA:A4:98:81:2A:06:12:9A:F6:FA:17:4E
|
|
+ X509v3 Authority Key Identifier:
|
|
+ 63:2F:CE:D5:F6:6A:93:75:66:0C:08:D3:41:6F:A1:DA:CB:B3:B0:3E
|
|
+ Signature Algorithm: sha256WithRSAEncryption
|
|
+ Signature Value:
|
|
+ 22:fe:de:97:6e:e8:5d:65:91:f0:70:af:97:85:53:5e:8e:c8:
|
|
+ 88:9b:e5:b3:33:d4:21:b9:3b:09:b7:72:70:16:8c:a8:0e:80:
|
|
+ 0f:1b:03:cb:95:94:ae:40:e2:3b:54:06:ec:1e:f5:bc:58:8a:
|
|
+ 22:57:cf:fe:14:b0:15:8c:18:5d:9d:fe:0e:70:55:26:c5:cc:
|
|
+ 92:f3:bf:03:19:e6:bd:41:b5:c3:cf:15:d3:e9:10:df:65:2a:
|
|
+ 68:c0:a3:df:93:a4:b1:66:20:94:1d:df:0a:9c:05:e7:74:a1:
|
|
+ 1a:39:db:c2:5b:78:8c:0c:f6:5e:30:80:cc:39:04:8a:8c:db:
|
|
+ 81:c1:5b:b4:3e:c2:ba:ae:06:ec:19:91:b4:a5:46:05:e7:8c:
|
|
+ ef:88:3f:d1:38:d3:37:42:88:25:c2:43:9b:df:7f:7c:15:c3:
|
|
+ 7b:72:d2:b6:49:45:ce:c8:ce:f1:2d:be:7b:86:1c:31:8d:c9:
|
|
+ de:51:d4:06:9f:1d:f2:86:ac:bf:5f:4d:da:31:26:70:ce:e1:
|
|
+ 0a:87:1f:a9:73:24:78:a2:4a:c2:73:ea:4c:6b:2c:a7:b6:1c:
|
|
+ d7:c3:5e:3a:8a:f9:02:54:62:73:a2:a6:3e:e5:d6:2d:6f:6e:
|
|
+ ba:57:11:20:d1:41:2e:c7:6b:d8:7d:70:5e:1d:17:03:5e:a7:
|
|
+ 16:c9:4b:fb
|
|
+-----BEGIN CERTIFICATE-----
|
|
+MIIC7DCCAdSgAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwEjEQMA4GA1UEAwwHUm9v
|
|
+dCBDQTAeFw0yMzA3MTIwOTMzMTNaFw0yNDA3MTEwOTMzMTNaMBExDzANBgNVBAMM
|
|
+BlNlcnZlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANviowh0AthJ
|
|
+l3v9EEnk9NFlLbd3hKQjFm44ZeJJ1g3IM2qD6Nlnkc8m7VlxkVnsBgg0ICeT/K/W
|
|
+s90CjPnSxkpOMdpxBkuFpJ2zQ+U3n9OuTBTRZRtqUVabkPosH5WUN2Q5JZI7dQ2j
|
|
+bedffAEwJYv21Oo0LDM3Hyjc/ovyCMQ7I5TeUgHcNTQWAZk3QWSTtmttnGiWfvwd
|
|
+yB/AHFYLZJp87BT3Oh+N1wRCvhDqQAoMrUzsRhurxTrsFRLtJFGiPZRvoo2FMYK4
|
|
+fl/Qzi6bKS+ieDhu+piqaukAzSpX8XSeC6zyomAAfbUB4cC8b2K4/8CmFuyUoWX4
|
|
+x7ncnf/YD+UCAwEAAaNNMEswCQYDVR0TBAIwADAdBgNVHQ4EFgQUPkhOyST63ifq
|
|
+pJiBKgYSmvb6F04wHwYDVR0jBBgwFoAUYy/O1fZqk3VmDAjTQW+h2suzsD4wDQYJ
|
|
+KoZIhvcNAQELBQADggEBACL+3pdu6F1lkfBwr5eFU16OyIib5bMz1CG5Owm3cnAW
|
|
+jKgOgA8bA8uVlK5A4jtUBuwe9bxYiiJXz/4UsBWMGF2d/g5wVSbFzJLzvwMZ5r1B
|
|
+tcPPFdPpEN9lKmjAo9+TpLFmIJQd3wqcBed0oRo528JbeIwM9l4wgMw5BIqM24HB
|
|
+W7Q+wrquBuwZkbSlRgXnjO+IP9E40zdCiCXCQ5vff3wVw3ty0rZJRc7IzvEtvnuG
|
|
+HDGNyd5R1AafHfKGrL9fTdoxJnDO4QqHH6lzJHiiSsJz6kxrLKe2HNfDXjqK+QJU
|
|
+YnOipj7l1i1vbrpXESDRQS7Ha9h9cF4dFwNepxbJS/s=
|
|
+-----END CERTIFICATE-----
|
|
--- a/util/libcrypto.num
|
|
+++ b/util/libcrypto.num
|
|
@@ -4649,3 +4649,4 @@ fips_sli_RAND_bytes_is_approved
|
|
fips_sli_RAND_priv_bytes_is_approved 6610 1_1_1l EXIST::FUNCTION:
|
|
FIPS_entropy_init 6611 1_1_1l EXIST::FUNCTION:
|
|
FIPS_entropy_cleanup 6612 1_1_1l EXIST::FUNCTION:
|
|
+OCSP_RESPONSE_check_status 6613 1_1_1l EXIST::FUNCTION:OCSP
|