ocsp: bind responder authorization to CertID issuerKeyHash

CheckOcspResponder only compared issuer name hashes, so a same-DN /
different-key trust anchor (or a responder it issued) could sign OCSP
status for another CA's certificates. Both halves of CertID are now
required to match per RFC 6960 4.2.2.2, and Signer gained issuerKeyHash
so the CM-signer path can bind too.

Author: julek-wolfssl

src/ocsp.c

@@ -585,7 +585,7 @@ int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest,
 
 #ifndef WOLFSSL_NO_OCSP_ISSUER_CHAIN_CHECK
 static int CheckOcspResponderChain(OcspEntry* single, byte* issuerHash,
-        void* vp, Signer* pendingCAs) {
+        byte* issuerKeyHash, void* vp, Signer* pendingCAs) {
     /* Attempt to build a chain up to cert's issuer */
     WOLFSSL_CERT_MANAGER* cm = (WOLFSSL_CERT_MANAGER*)vp;
     Signer* ca = NULL;
@@ -602,47 +602,62 @@ static int CheckOcspResponderChain(OcspEntry* single, byte* issuerHash,
      *  in OCSP request
      */
 
-    /* End loop if no more issuers found or if we have found a self
-     * signed cert (ca == prev) */
-    ca = GetCAByName(cm, single->issuerHash);
+    if (issuerKeyHash == NULL)
+        return 0;
+
+    /* Select CertID issuer by key hash so a same-DN / different-key trust
+     * anchor cannot hijack the starting point. */
+    ca = GetCAByKeyHash(cm, single->issuerKeyHash);
+    if (ca != NULL && XMEMCMP(ca->subjectNameHash, single->issuerHash,
+            OCSP_DIGEST_SIZE) != 0) {
+        ca = NULL;
+    }
 #if defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
     if (ca == NULL && pendingCAs != NULL) {
-        ca = findSignerByName(pendingCAs, single->issuerHash);
+        ca = findSignerByKeyHash(pendingCAs, single->issuerKeyHash);
+        if (ca != NULL && XMEMCMP(ca->subjectNameHash, single->issuerHash,
+                OCSP_DIGEST_SIZE) != 0) {
+            ca = NULL;
+        }
     }
 #else
     (void)pendingCAs;
 #endif
     for (; ca != NULL && ca != prev;
             prev = ca) {
-        if (XMEMCMP(issuerHash, ca->issuerNameHash, OCSP_DIGEST_SIZE) == 0) {
+        Signer* parent = GetCAByName(cm, ca->issuerNameHash);
+#if defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
+        if (parent == NULL && pendingCAs != NULL) {
+            parent = findSignerByName(pendingCAs, ca->issuerNameHash);
+        }
+#endif
+        if (parent == NULL || parent == ca)
+            break;
+
+        if (XMEMCMP(parent->subjectNameHash, issuerHash,
+                    OCSP_DIGEST_SIZE) == 0 &&
+            XMEMCMP(parent->subjectKeyHash, issuerKeyHash,
+                    OCSP_DIGEST_SIZE) == 0) {
             WOLFSSL_MSG("\tOCSP Response signed by authorized "
                     "responder delegated by issuer "
                     "(found in chain)");
             passed = 1;
             break;
         }
-        ca = GetCAByName(cm, ca->issuerNameHash);
-#if defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
-        if (ca == NULL && pendingCAs != NULL) {
-            ca = findSignerByName(pendingCAs, single->issuerHash);
-        }
-#endif
+
+        ca = parent;
     }
     return passed;
 }
 #endif
 
-/**
- * Enforce https://www.rfc-editor.org/rfc/rfc6960#section-4.2.2.2
- * @param bs              The basic OCSP response to verify
- * @param subjectHash     The subject key hash of the OCSP responder certificate
- * @param extExtKeyUsage  The extended key usage bits of the responder certificate
- * @param issuerHash      The issuer name hash of the OCSP responder certificate
- * @param vp              Unused (reserved for future use)
- * @return 1 if the responder is authorized to sign the response, 0 otherwise
- */
+/* Enforce https://www.rfc-editor.org/rfc/rfc6960#section-4.2.2.2. Both halves
+ * of CertID (issuerNameHash and issuerKeyHash) must match; name-only matching
+ * would authorize a same-DN / different-key CA. issuerKeyHash may be NULL when
+ * unavailable, which disables the delegated branch. */
 int CheckOcspResponder(OcspResponse *bs, byte* subjectHash,
-        byte extExtKeyUsage, byte* issuerHash, void* vp)
+        byte* subjectKeyHash, byte extExtKeyUsage, byte* issuerHash,
+        byte* issuerKeyHash, void* vp)
 {
     int ret = 0;
     OcspEntry* single;
@@ -660,26 +675,31 @@ int CheckOcspResponder(OcspResponse *bs, byte* subjectHash,
     if (bs == NULL || subjectHash == NULL || issuerHash == NULL)
         return BAD_FUNC_ARG;
 
-    /* Traverse the list and check that the cert has the authority to provide
-     * an OCSP response for each entry. */
     for (single = bs->single; single != NULL; single = single->next) {
         int passed = 0;
 
-        if (XMEMCMP(subjectHash, single->issuerHash, OCSP_DIGEST_SIZE) == 0) {
+        if (subjectKeyHash != NULL &&
+                XMEMCMP(subjectHash, single->issuerHash,
+                    OCSP_DIGEST_SIZE) == 0 &&
+                XMEMCMP(subjectKeyHash, single->issuerKeyHash,
+                    OCSP_DIGEST_SIZE) == 0) {
             WOLFSSL_MSG("\tOCSP Response signed by issuer");
             passed = 1;
         }
         else if ((extExtKeyUsage & EXTKEYUSE_OCSP_SIGN) != 0) {
-            if (XMEMCMP(issuerHash, single->issuerHash, OCSP_DIGEST_SIZE)
-                    == 0) {
+            if (issuerKeyHash != NULL &&
+                    XMEMCMP(issuerHash, single->issuerHash,
+                        OCSP_DIGEST_SIZE) == 0 &&
+                    XMEMCMP(issuerKeyHash, single->issuerKeyHash,
+                        OCSP_DIGEST_SIZE) == 0) {
                 WOLFSSL_MSG("\tOCSP Response signed by authorized responder "
                             "delegated by issuer");
                 passed = 1;
             }
 #ifndef WOLFSSL_NO_OCSP_ISSUER_CHAIN_CHECK
             else if (vp != NULL) {
-                passed = CheckOcspResponderChain(single, issuerHash, vp,
-                        bs->pendingCAs);
+                passed = CheckOcspResponderChain(single, issuerHash,
+                        issuerKeyHash, vp, bs->pendingCAs);
             }
 #endif
         }
@@ -1083,8 +1103,10 @@ static int OcspVerifySigner(WOLFSSL_OCSP_BASICRESP *resp, DecodedCert *cert,
     }
 #ifndef WOLFSSL_NO_OCSP_ISSUER_CHECK
     if ((flags & WOLFSSL_OCSP_NOCHECKS) == 0) {
-        ret = CheckOcspResponder(resp, c->subjectHash, c->extExtKeyUsage,
-                c->issuerHash, st->cm);
+        ret = CheckOcspResponder(resp, c->subjectHash, c->subjectKeyHash,
+                c->extExtKeyUsage, c->issuerHash,
+                (c->ca != NULL) ? c->ca->subjectKeyHash : NULL,
+                st->cm);
     }
     else {
         ret = 0;

wolfcrypt/src/asn.c

@@ -22546,17 +22546,15 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm,
         }
 
         #ifdef HAVE_OCSP
-        if (type != CA_TYPE &&
-                                                type != TRUSTED_PEER_TYPE) {
-            /* Need the CA's public key hash for OCSP */
-            if (cert->ca) {
-                XMEMCPY(cert->issuerKeyHash, cert->ca->subjectKeyHash,
-                    KEYID_SIZE);
-            }
-            else if (cert->selfSigned) {
-                XMEMCPY(cert->issuerKeyHash, cert->subjectKeyHash,
-                    KEYID_SIZE);
-            }
+        /* Needed for OCSP requests, and for binding responder authorization
+         * to CertID's issuerKeyHash when this cert becomes a Signer. */
+        if (cert->ca) {
+            XMEMCPY(cert->issuerKeyHash, cert->ca->subjectKeyHash,
+                KEYID_SIZE);
+        }
+        else if (cert->selfSigned) {
+            XMEMCPY(cert->issuerKeyHash, cert->subjectKeyHash,
+                KEYID_SIZE);
         }
         #endif /* HAVE_OCSP */
     }
@@ -22859,6 +22857,8 @@ int FillSigner(Signer* signer, DecodedCert* cert, int type, DerBuffer *der)
     #ifdef HAVE_OCSP
         XMEMCPY(signer->subjectKeyHash, cert->subjectKeyHash,
                 KEYID_SIZE);
+        XMEMCPY(signer->issuerKeyHash, cert->issuerKeyHash,
+                KEYID_SIZE);
     #endif
         signer->keyUsage = cert->extKeyUsageSet ? cert->extKeyUsage
                                                 : 0xFFFF;
@@ -32876,7 +32876,8 @@ static int OcspRespCheck(OcspResponse *resp, Signer *responder, void* vp)
         return -1;
 
     ret = CheckOcspResponder(resp, responder->subjectNameHash,
-            responder->extKeyUsage, responder->issuerNameHash, vp);
+            responder->subjectKeyHash, responder->extKeyUsage,
+            responder->issuerNameHash, responder->issuerKeyHash, vp);
     if (ret != 0)
         return -1;
 
@@ -32964,8 +32965,9 @@ static int OcspCheckCert(OcspResponse *resp, int noVerify,
 
 #ifndef WOLFSSL_NO_OCSP_ISSUER_CHECK
     if (ret == 0 && !noVerify) {
-        ret = CheckOcspResponder(resp, cert->subjectHash, cert->extExtKeyUsage,
-                cert->issuerHash, cm);
+        ret = CheckOcspResponder(resp, cert->subjectHash, cert->subjectKeyHash,
+                cert->extExtKeyUsage, cert->issuerHash,
+                (cert->ca != NULL) ? cert->ca->subjectKeyHash : NULL, cm);
         if (ret != 0) {
             WOLFSSL_MSG("\tOCSP Responder certificate issuer check failed");
             goto err;

wolfssl/ocsp.h

@@ -75,7 +75,8 @@ WOLFSSL_LOCAL int CheckOcspResponse(WOLFSSL_OCSP *ocsp, byte *response, int resp
                                     void* heap);
 
 WOLFSSL_LOCAL int CheckOcspResponder(OcspResponse *bs, byte* subjectHash,
-        byte extExtKeyUsage, byte* issuerHash, void* vp);
+        byte* subjectKeyHash, byte extExtKeyUsage, byte* issuerHash,
+        byte* issuerKeyHash, void* vp);
 
 /* Allocates and initializes a WOLFSSL_OCSP object */
 WOLFSSL_API WOLFSSL_OCSP* wc_NewOCSP(WOLFSSL_CERT_MANAGER* cm);

wolfssl/wolfcrypt/asn.h

@@ -2152,6 +2152,7 @@ struct Signer {
 #endif
 #ifdef HAVE_OCSP
     byte subjectKeyHash[KEYID_SIZE];
+    byte issuerKeyHash[KEYID_SIZE]; /* key hash of verifying parent CA */
 #endif
 #if defined(WOLFSSL_AKID_NAME) || defined(HAVE_CRL)
     byte serialHash[SIGNER_DIGEST_SIZE]; /* serial number hash */