I am building a wolfSSL client which performs a TLS connection with a web server (NGINX) with OCSP stapling.


My configuration:
client --> Web server(NGINX) --> OCSP (openssl)
       (1)                   (2)

client <-- Web server(NGINX) <-- OCSP (openssl)
       (4)                   (3)

I have a web server certificate and an OCSP certificate signed by a self-signed CA. The OCSP certificate is ocspSigning.crt.
/etc/nginx/server_certs/serverCA.crt is the CA certificate.

OCSP server configuration:
openssl ocsp -index demoCA/index.txt -port 8888 -rsigner ocspSigning.crt -rkey ../ocspSingning.key -CA /etc/nginx/server_certs/serverCA.crt -text

NGINX configuration (lines that changed):
    #the protocol for our implementation
    ssl_protocols TLSv1.2;

    #where the server will find its certificates
    ssl_certificate /etc/nginx/server_certs/server.crt;

    #where the server will find its private key
    ssl_certificate_key /etc/nginx/server_certs/server.key;

    #where the server should look for the client CA
    ssl_client_certificate /etc/nginx/client_certs/client-ca.pem;

    #where server ca is found
    ssl_trusted_certificate /etc/nginx/server_certs/serverCA.crt;

    error_log  /var/log/nginx/error.log debug;

    ssl_stapling on;
    ssl_stapling_verify off;

Client configuration:
Simple TLS client with the status_request (OCSP) extension.


When I run the OCSP server with the OCSP certificate/key as mentioned before, it fails with the error:
OCSP Responder key usage check failed

If I change the command and use the CA certificate to sign the OCSP request with the following command:
openssl ocsp -index demoCA/index.txt -port 8888 -rsigner /etc/nginx/server_certs/serverCA.crt -rkey server_creds/myCA.key -CA /etc/nginx/server_certs/serverCA.crt -text
Then everything is OK (so it's a nice workaround for me).

After inspecting the code I found that the problem is in 'wolfcrypt/asn.c':
if (XMEMCMP(cert.subjectHash,
            resp->issuerHash, KEYID_SIZE) == 0) {

From the OCSP RFC it's clear that signing with an OCSP certificate should work.
RFC 2560 - 4.2.2.2 Authorized Responders

   The key that signs a certificate's status information need not be the
   same key that signed the certificate. It is necessary however to
   ensure that the entity signing this information is authorized to do
   so.  Therefore, a certificate's issuer MUST either sign the OCSP
   responses itself or it MUST explicitly designate this authority to
   another entity.

I propose to change
if (XMEMCMP(cert.subjectHash,
            resp->issuerHash, KEYID_SIZE) == 0) {
to:
if (XMEMCMP(cert.issuerHash,
            resp->issuerHash, KEYID_SIZE) == 0) {

I wonder if there is a more elegant way to fix this issue.
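The paragraph quoted from RFC 2560 4.2.2.2 continues, in the same section, with the two conditions a designated responder has to meet: its certificate must be issued directly by the CA that issued the certificate being checked, and it must carry id-kp-OCSPSigning in its extendedKeyUsage extension. Comparing the responder certificate's issuer hash with the response's issuer hash covers only the first condition. The shell script below is an added example, not code from the post, wolfSSL or NGINX: it builds a throw-away PKI with the openssl CLI (every name, path and serial number in it is an assumption made for the example), runs the exchange from the diagram offline with -reqin/-respout so no responder port is needed, and uses OpenSSL's own verifier as a reference for that rule. A responder certificate from the right CA with the EKU is accepted, the same key under a certificate from the same CA without the EKU is rejected, and the CA signing the response itself is accepted. Nothing here inspects the poster's ocspSigning.crt; signer.ext shows what such a certificate needs to contain.

```shell
#!/bin/sh
# Added example, not code from the post, wolfSSL or NGINX. Builds a throw-away
# PKI with the openssl CLI, runs the OCSP exchange from the diagram offline
# (-reqin/-respout, so no responder port is needed) and verifies the response
# against nothing but the CA certificate. Every name, path and serial number
# here is an assumption made for the example.
set -eu
command -v openssl >/dev/null 2>&1 || { echo 'the openssl CLI is required' >&2; exit 1; }

# gen_csr NAME SUBJECT: fresh P-256 key NAME.key and request NAME.csr in the cwd
gen_csr() {
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1.key" -subj "$2" -out "$1.csr"
}

# make_pki DIR: self-signed CA, the server certificate whose status is queried,
# and one responder key (resp.key) with two certificates from that same CA that
# differ only in whether they carry id-kp-OCSPSigning. Drop the final
# redirection to see openssl's progress and error messages.
make_pki() (
    cd "$1"
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign,digitalSignature' \
        'subjectKeyIdentifier=hash' >ca.ext
    printf '%s\n' 'basicConstraints=CA:FALSE' 'keyUsage=critical,digitalSignature' \
        'extendedKeyUsage=serverAuth' 'subjectAltName=DNS:server.example' >server.ext
    # what a delegated responder certificate needs (RFC 2560 4.2.2.2)
    printf '%s\n' 'basicConstraints=CA:FALSE' 'keyUsage=critical,digitalSignature' \
        'extendedKeyUsage=critical,OCSPSigning' >signer.ext
    # the same minus the OCSPSigning EKU, for the negative case
    printf '%s\n' 'basicConstraints=CA:FALSE' 'keyUsage=critical,digitalSignature' >noeku.ext
    gen_csr ca '/CN=Demo OCSP Root CA'
    openssl x509 -req -in ca.csr -signkey ca.key -set_serial 0x1 -days 3650 \
        -extfile ca.ext -out ca.crt
    gen_csr server '/CN=server.example'
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -set_serial 0x1234 \
        -days 365 -extfile server.ext -out server.crt
    gen_csr resp '/CN=Demo OCSP Responder'
    openssl x509 -req -in resp.csr -CA ca.crt -CAkey ca.key -set_serial 0x2001 \
        -days 365 -extfile signer.ext -out ocsp-signer.crt
    openssl x509 -req -in resp.csr -CA ca.crt -CAkey ca.key -set_serial 0x2002 \
        -days 365 -extfile noeku.ext -out ocsp-noeku.crt
    # "openssl ca" style index the responder answers from:
    # status, expiry, revocation date, serial (hex), file name, subject
    printf 'V\t991231235959Z\t\t1234\tunknown\t/CN=server.example\n' >index.txt
) >/dev/null 2>&1

# ocsp_roundtrip DIR SIGNER_CERT SIGNER_KEY: steps (1) to (4) of the diagram,
# each a separate openssl invocation working from files. The exit status is
# the verifier's: 0 when the response verified, 1 when it was rejected.
ocsp_roundtrip() {
    dir=$1
    # (1) client: ask for the status of server.crt, naming its issuer
    openssl ocsp -no_nonce -issuer "$dir/ca.crt" -cert "$dir/server.crt" \
        -reqout "$dir/req.der" >/dev/null 2>&1
    # (2)+(3) responder: look the serial up in the index, sign with the given cert
    openssl ocsp -no_nonce -index "$dir/index.txt" -CA "$dir/ca.crt" \
        -rsigner "$2" -rkey "$3" -reqin "$dir/req.der" -respout "$dir/resp.der" \
        >/dev/null 2>&1
    # (4) client: verify the response trusting only the CA certificate
    openssl ocsp -no_nonce -issuer "$dir/ca.crt" -cert "$dir/server.crt" \
        -respin "$dir/resp.der" -CAfile "$dir/ca.crt" 2>&1
}

# ocsp_verdict DIR SIGNER_CERT SIGNER_KEY: "good" when the verifier accepted
# the response and it reports the server certificate as good, "rejected" when
# the verifier refused the response, "other" for anything else.
ocsp_verdict() {
    out=$(ocsp_roundtrip "$1" "$2" "$3") && rc=0 || rc=$?
    if [ "$rc" -eq 0 ] && printf '%s\n' "$out" | grep -q 'Response verify OK' \
        && printf '%s\n' "$out" | grep -q ': good'; then
        echo good
    elif printf '%s\n' "$out" | grep -q 'Response Verify Failure'; then
        echo rejected
    else
        echo other
    fi
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_pki "$WORK"
echo "responder cert from the CA, with id-kp-OCSPSigning: $(ocsp_verdict "$WORK" "$WORK/ocsp-signer.crt" "$WORK/resp.key")"
echo "responder cert from the CA, without the EKU:        $(ocsp_verdict "$WORK" "$WORK/ocsp-noeku.crt" "$WORK/resp.key")"
echo "the issuing CA signing the response itself:         $(ocsp_verdict "$WORK" "$WORK/ca.crt" "$WORK/ca.key")"
```

In the rejected case OpenSSL's error text is "missing ocspsigning usage": the certificate came from the right CA, so an issuer-hash comparison alone would have let it through, and it is the EKU check that stops it. A verifier that accepted any certificate the CA issued would also accept an OCSP response signed with the server's own key, which is why the two conditions belong together.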