abc/GmSSL
1
0
Fork 0
mirror of https://github.com/guanzhi/GmSSL.git synced 2026-06-29 01:03:38 +08:00
Code Issues Packages Projects Releases Wiki Activity

Fix bugs

Browse Source
This commit is contained in:
Zhi Guan
2026-06-19 17:18:59 +08:00
parent 3173fb45f3
commit f4abd90fba
5 changed files with 35 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
src/ocsp.c
View File

@@ -19,6 +19,35 @@
#include <gmssl/http.h>
#include <gmssl/ocsp.h>
/*
TLS客户端验证OCSPResponse签发证书的逻辑
假定证书链是 EE <= CA1 <= CA2 <= RootCA
* 如果 OCSPResponse 包含 BasicOCSPResponse.certs那么优先使用这个证书
这个证书是 Responder 的证书,关系是
ResponderCert <= CA1
也就是这个证书和EE是兄弟证书
Responder 证书必须包含扩展 Extended Key Usage: id-kp-OCSPSigning
* 如果 OCSPResponse 没有包含证书,那么就用 CA1 证书
客户端在验证的时候可以根据 keyHash, IssuerHash, serial等对比确认OCSP的签名证书
对于命令行工具
* OCSPReponder 中包含了 代理Responder证书
那么命令行用网站证书链中的CA1去验证ResponderCert
并且也验证网站证书链保证这个证书链是正确的
* 如果没包含代理Responder证书但是命令行参数中提供了一个 Responder证书那么也是执行相同的逻辑
* 如果没有Responder证书就用CA1证书验证
*/
static const char *ocsp_cert_status_name(int status)
{
@@ -34,8 +63,6 @@ static const char *ocsp_cert_status_name(int status)
}
}
int ocsp_request_item_to_der(int hash_algor,
const uint8_t *issuer_name_hash, size_t issuer_name_hash_len,
const uint8_t *issuer_key_hash, size_t issuer_key_hash_len,

5
src/tls12.c
View File

@@ -2558,8 +2558,7 @@ int tls_send_server_hello_done(TLS_CONNECT *conn)
int tls_recv_client_certificate(TLS_CONNECT *conn)
{
int ret;
const int verify_depth = 5;
int verify_result;
int verify_result = 0;
if(conn->verbose) tls_trace("recv ClientCertificate\n");
@@ -2588,7 +2587,7 @@ int tls_recv_client_certificate(TLS_CONNECT *conn)
if (x509_certs_verify(conn->client_certs, conn->client_certs_len, X509_cert_chain_client,
conn->ctx->cacerts, conn->ctx->cacertslen, NULL, 0,
NULL, 0,
verify_depth, &verify_result) != 1) {
conn->ctx->verify_depth, &verify_result) != 1) {
error_print();
tls_send_alert(conn, TLS_alert_bad_certificate);
return -1;

7
src/x509_cer.c
View File

@@ -1949,7 +1949,7 @@ static int x509_cert_check_optional_ocsp(const uint8_t *cert, size_t certlen,
}
return ret;
}
int x509_certs_verify(const uint8_t *certs, size_t certslen, int certs_type,
const uint8_t *rootcerts, size_t rootcertslen,
const uint8_t *crl, size_t crl_len,
@@ -2094,6 +2094,7 @@ int x509_certs_verify(const uint8_t *certs, size_t certslen, int certs_type,
return 1;
}
// 只有 TLCP 的服务器证书链才是双证书客户端证书和TLS12是一样的
int x509_certs_verify_tlcp(const uint8_t *certs, size_t certslen, int certs_type,
const uint8_t *rootcerts, size_t rootcertslen,
const uint8_t *crl, size_t crl_len,
@@ -2119,10 +2120,6 @@ int x509_certs_verify_tlcp(const uint8_t *certs, size_t certslen, int certs_type
sign_cert_type = X509_cert_server_auth;
kenc_cert_type = X509_cert_server_key_encipher;
break;
case X509_cert_chain_client:
sign_cert_type = X509_cert_server_auth;
kenc_cert_type = X509_cert_server_key_encipher;
break;
default:
error_print();
return -1;