[openssl-users] OCSP signature verification

Wouter Verhelst wouter.verhelst at fedict.be
Wed Jan 6 11:08:09 UTC 2016


(that other mail on OCSP on this list reminded me of this...)

I've found the answer in the meantime by using a debugger and 
single-stepping through the library...

On 01-12-15 14:58, Verhelst Wouter (Consultant) wrote:
> Hi folks,
> I'm trying to write an application that needs to verify the validity of data on a smartcard. That data is signed with an RSA key for which a certificate exists on the card; but if the card is stolen or lost, the certificate will be revoked, so I want to ensure that the certificate is valid. I'm doing an OCSP request to take care of that.
> Since OpenSSL's own OCSP_sendreq_* functions don't support HTTP proxies, I'm currently using libcurl to send the request to the OCSP endpoint. This seems to work; when I get the reply and use d2i_OCSP_RESPONSE(), then with things like OCSP_response_status() and OCSP_resp_find_status() and friends I can manage to get the status of the request and a given certificate.
> However, that doesn't do signature verification. I believe that I should use OCSP_basic_verify() for that, but I'm not entirely sure whether that is the case, and if so whether I would need to do some additional checks beforehand. Unfortunately, I can't find any documentation on OCSP_basic_verify().
> I should note that due to the nature of my needs, I have a rather huge set of valid intermediate CAs, but a fairly limited set of root CAs that can be used for valid cards (that is, if the signature validates but it wasn't signed by any of the CAs under one of my limited set of roots, the card is a forgery and should be rejected as invalid).
> A few questions:
> - Am I right in assuming that OCSP_basic_verify will check the signature on the OCSP request?

Answer: yes (verified this by modifying some data in the OCSP response 
data, which caused signature verification to fail)

> - In "OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, X509_STORE *st, unsigned long flags)", I'm not entirely certain of what the "st" argument is meant to contain, and can't figure out the "certs" one. Poring over the code, I believe the "st" argument should allow me to limit validation to my set of root certificates, but I could be mistaken. As for the "certs" one, I can't understand that one at all. The only thing I can think of is that maybe it should contain the issuer certificate that I used for the original request, but then why is it a STACK_OF(X509)* and not just an X509*? What am I missing?


- The "STACK_OF(X509) *certs" argument should just be bs->certs (i.e., 
the certificates which were sent along with the OCSP response, and which 
contain all certificates required to be able to verify the signature on 
the response as well as its certificate chain). I assume this is done so 
as to retain API compatibility with other certificate verification 
methods (e.g., using CRLs), even though the *certs argument really is 
superfluous (OCSP_basic_verify could just as easily pluck those 
certificates out of the *bs argument).
- The "X509_STORE *st" argument indeed allows me to limit the root 
certificates allowed for valid signatures. By not including the default 
certificate store, I can reject cards that are signed by a different root.

Wouter Verhelst
