Fix bugs

2026-06-27 15:43:42 +08:00 · 2026-06-19 17:18:59 +08:00
parent 3173fb45f3
commit f4abd90fba
5 changed files with 35 additions and 12 deletions
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -821,7 +821,7 @@ endif()
 #
 set(CPACK_PACKAGE_NAME "GmSSL")
 set(CPACK_PACKAGE_VENDOR "GmSSL develop team")
-set(CPACK_PACKAGE_VERSION "3.2.0-dev.1104")
+set(CPACK_PACKAGE_VERSION "3.2.0-dev.1105")
 set(CPACK_PACKAGE_DESCRIPTION_FILE ${PROJECT_SOURCE_DIR}/README.md)
 set(CPACK_NSIS_MODIFY_PATH ON)
 include(CPack)
--- a/include/gmssl/version.h
+++ b/include/gmssl/version.h
@@ -18,7 +18,7 @@ extern "C" {


 #define GMSSL_VERSION_NUM	30200
-#define GMSSL_VERSION_STR	"GmSSL 3.2.0-dev.1104"
+#define GMSSL_VERSION_STR	"GmSSL 3.2.0-dev.1105"

 int gmssl_version_num(void);
 const char *gmssl_version_str(void);
--- a/src/ocsp.c
+++ b/src/ocsp.c
@@ -19,6 +19,35 @@
 #include <gmssl/http.h>
 #include <gmssl/ocsp.h>

+/*
+TLS客户端验证OCSPResponse签发证书的逻辑
+
+假定证书链是 EE <= CA1 <= CA2 <= RootCA
+
+	* 如果 OCSPResponse 包含 BasicOCSPResponse.certs，那么优先使用这个证书
+	  这个证书是 Responder 的证书，关系是
+		ResponderCert <= CA1
+	  也就是这个证书和EE是兄弟证书
+	  Responder 证书必须包含扩展  Extended Key Usage: id-kp-OCSPSigning
+
+	* 如果 OCSPResponse 没有包含证书，那么就用 CA1 证书
+
+客户端在验证的时候可以根据 keyHash, IssuerHash, serial等对比确认OCSP的签名证书
+
+
+对于命令行工具
+
+	* OCSPReponder 中包含了 代理Responder证书
+	  那么命令行用网站证书链中的CA1去验证ResponderCert
+	  并且也验证网站证书链保证这个证书链是正确的
+
+	* 如果没包含代理Responder证书，但是命令行参数中提供了一个 Responder证书，那么也是执行相同的逻辑
+
+	* 如果没有Responder证书，就用CA1证书验证
+
+
+
+*/

 static const char *ocsp_cert_status_name(int status)
 {
@@ -34,8 +63,6 @@ static const char *ocsp_cert_status_name(int status)
 	}
 }

-
-
 int ocsp_request_item_to_der(int hash_algor,
 	const uint8_t *issuer_name_hash, size_t issuer_name_hash_len,
 	const uint8_t *issuer_key_hash, size_t issuer_key_hash_len,
--- a/src/tls12.c
+++ b/src/tls12.c
@@ -2558,8 +2558,7 @@ int tls_send_server_hello_done(TLS_CONNECT *conn)
 int tls_recv_client_certificate(TLS_CONNECT *conn)
 {
 	int ret;
-	const int verify_depth = 5;
-	int verify_result;
+	int verify_result = 0;

 	if(conn->verbose) tls_trace("recv ClientCertificate\n");

@@ -2588,7 +2587,7 @@ int tls_recv_client_certificate(TLS_CONNECT *conn)
 	if (x509_certs_verify(conn->client_certs, conn->client_certs_len, X509_cert_chain_client,
 		conn->ctx->cacerts, conn->ctx->cacertslen, NULL, 0,
 		NULL, 0,
-		verify_depth, &verify_result) != 1) {
+		conn->ctx->verify_depth, &verify_result) != 1) {
 		error_print();
 		tls_send_alert(conn, TLS_alert_bad_certificate);
 		return -1;
--- a/src/x509_cer.c
+++ b/src/x509_cer.c
@@ -1949,7 +1949,7 @@ static int x509_cert_check_optional_ocsp(const uint8_t *cert, size_t certlen,
 	}
 	return ret;
 }
-				
+
 int x509_certs_verify(const uint8_t *certs, size_t certslen, int certs_type,
 	const uint8_t *rootcerts, size_t rootcertslen,
 	const uint8_t *crl, size_t crl_len,
@@ -2094,6 +2094,7 @@ int x509_certs_verify(const uint8_t *certs, size_t certslen, int certs_type,
 	return 1;
 }

+// 只有 TLCP 的服务器证书链才是双证书，客户端证书和TLS12是一样的
 int x509_certs_verify_tlcp(const uint8_t *certs, size_t certslen, int certs_type,
 	const uint8_t *rootcerts, size_t rootcertslen,
 	const uint8_t *crl, size_t crl_len,
@@ -2119,10 +2120,6 @@ int x509_certs_verify_tlcp(const uint8_t *certs, size_t certslen, int certs_type
 		sign_cert_type = X509_cert_server_auth;
 		kenc_cert_type = X509_cert_server_key_encipher;
 		break;
-	case X509_cert_chain_client:
-		sign_cert_type = X509_cert_server_auth;
-		kenc_cert_type = X509_cert_server_key_encipher;
-		break;
 	default:
 		error_print();
 		return -1;