botan2-2.17.3-2.2.mga8.src.rpm

diff --git a/src/lib/x509/certstor.h b/src/lib/x509/certstor.h
index 6901589..165c414 100644
--- a/src/lib/x509/certstor.h
+++ b/src/lib/x509/certstor.h
@@ -95,6 +95,12 @@ class BOTAN_PUBLIC_API(2,0) Certificate_Store_In_Memory final : public Certifica
       */
       explicit Certificate_Store_In_Memory(const X509_Certificate& cert);
 
+      /**
+      * Adds given certificate list to the store.
+      */
+      explicit Certificate_Store_In_Memory(std::vector<std::shared_ptr<const X509_Certificate>> certs)
+         : m_certs(std::move(certs)) {}
+
       /**
       * Create an empty store.
       */
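Review bot: The doc comment on the new constructor says it "adds" a certificate list to the store, but the constructor creates a store whose initial contents are exactly `certs`. I would word it as `Create a store that initially holds the given certificates.` and state whether null `shared_ptr` entries are allowed, because the constructor moves the vector into `m_certs` without inspecting it. Whether later lookups tolerate a null entry is not visible in this hunk.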
diff --git a/src/lib/x509/ocsp.cpp b/src/lib/x509/ocsp.cpp
index 1ca8232..2cc5ebc 100644
--- a/src/lib/x509/ocsp.cpp
+++ b/src/lib/x509/ocsp.cpp
@@ -241,7 +241,6 @@ Certificate_Status_Code Response::check_signature(const std::vector<Certificate_
       {
       for(size_t i = 0; i < m_certs.size(); ++i)
          {
-         // Check all CA certificates in the (assumed validated) EE cert path
          if(!m_signer_name.empty() && m_certs[i].subject_dn() == m_signer_name)
             {
             signing_cert = std::make_shared<const X509_Certificate>(m_certs[i]);
@@ -254,6 +253,73 @@ Certificate_Status_Code Response::check_signature(const std::vector<Certificate_
             break;
             }
          }
+
+      // RFC 6960 4.2.2.2
+      //    OCSP signing delegation SHALL be designated by the inclusion of
+      //    id-kp-OCSPSigning in an extended key usage certificate extension
+      //    included in the OCSP response signer's certificate. This certificate
+      //    MUST be issued directly by the CA that is identified in the request.
+      //
+      //    The CA SHOULD use the same issuing key to issue a delegation
+      //    certificate as that used to sign the certificate being checked for
+      //    revocation.  Systems relying on OCSP responses MUST recognize a
+      //    delegation certificate as being issued by the CA that issued the
+      //    certificate in question only if the delegation certificate and the
+      //    certificate being checked for revocation were signed by the same key.
+      //
+      // I.e. it is safe to assume that the certificate's issuer also signed the
+      // responder's certificate.
+      //
+      // Note: The 'SHOULD' in the second paragraph above allows for backward
+      //       compatibility to RFC 2560 that is "strongly discouraged". This
+      //       implementation explicitly _does not_ implement this backward
+      //       compatibility.
+      if(signing_cert)
+         {
+         const auto issuer =
+            Certificate_Store_In_Memory(ee_cert_path)
+               .find_cert(signing_cert->issuer_dn(), signing_cert->authority_key_id());
+
+         // User did not provide the certificate path to verify the delegation
+         if(!issuer)
+            {
+            return Certificate_Status_Code::OCSP_ISSUER_NOT_FOUND;
+            }
+
+         if(!issuer->is_CA_cert())
+            {
+            return Certificate_Status_Code::OCSP_ISSUER_NOT_FOUND;
+            }
+
+         // Sub-optimal fix for CVE-2022-43705 found in Botan 2.19.2 and older.
+         //
+         // This certificate validation is incomplete. Missing checks:
+         //  * validity check against the reference time
+         //  * revocation status check of the responder certificate
+         //  * certificate extension validations
+         //  * ... potentially more
+         //
+         // A more comprehensive validation will be introduced with Botan 3.0
+         try
+            {
+            const auto issuer_pubkey = issuer->load_subject_public_key();
+            const auto sig = signing_cert->verify_signature(*issuer_pubkey);
+
+            if(sig != Certificate_Status_Code::VERIFIED)
+               {
+               return Certificate_Status_Code::OCSP_SIGNATURE_ERROR;
+               }
+
+            if(!signing_cert->has_ex_constraint(OID::from_string("PKIX.OCSPSigning")))
+               {
+               return Certificate_Status_Code::OCSP_RESPONSE_MISSING_KEYUSAGE;
+               }
+            }
+         catch(const Exception& ex)
+            {
+            return Certificate_Status_Code::OCSP_SIGNATURE_ERROR;
+            }
+         }
       }
 
    if(!signing_cert)
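Review bot: The issuer lookup `Certificate_Store_In_Memory(ee_cert_path).find_cert(...)` accepts any certificate in the path whose DN and key id match, including the first element, while the RFC 6960 text quoted just above requires the delegation certificate to be issued directly by the CA that issued the certificate being checked. If `ee_cert_path[0]` is that certificate (as the x509path.cpp hunk suggests), pinning the comparison to its issuer would express the rule, for example `if(ee_cert_path.size() < 2 || signing_cert->issuer_dn() != ee_cert_path[1]->subject_dn()) return Certificate_Status_Code::OCSP_ISSUER_NOT_FOUND;` ahead of the signature check. Separately, `catch(const Exception& ex)` never uses `ex`, so `catch(const Exception&)` avoids an unused-variable warning, and returning `OCSP_ISSUER_NOT_FOUND` when `is_CA_cert()` is false hides the actual reason from the caller. check_signature begins and ends outside this hunk, so earlier lookups may already narrow the candidates.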
diff --git a/src/lib/x509/x509path.cpp b/src/lib/x509/x509path.cpp
index b5cdc27..6f3159a 100644
--- a/src/lib/x509/x509path.cpp
+++ b/src/lib/x509/x509path.cpp
@@ -234,7 +234,11 @@ PKIX::check_ocsp(const std::vector<std::shared_ptr<const X509_Certificate>>& cer
          {
          try
             {
-            Certificate_Status_Code ocsp_signature_status = ocsp_responses.at(i)->check_signature(trusted_certstores, cert_path);
+            // When verifying intermediate certificates we need to truncate the
+            // cert_path so that the intermediate under investigation becomes the
+            // last certificate in the chain.
+            std::vector<std::shared_ptr<const X509_Certificate>> ocsp_cert_path(cert_path.begin() + i, cert_path.end());
+            Certificate_Status_Code ocsp_signature_status = ocsp_responses.at(i)->check_signature(trusted_certstores, ocsp_cert_path);
 
             if(ocsp_signature_status == Certificate_Status_Code::OCSP_SIGNATURE_OK)
                {
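Review bot: The added comment says the intermediate under investigation becomes the "last" certificate in the chain, but `ocsp_cert_path` is built from `cert_path.begin() + i`, so that certificate is its first element. Since the delegation check in check_signature depends on which position holds the subject, I would reword it to `// Truncate cert_path so that the certificate under investigation is the first element of the path passed to check_signature.` The expression `cert_path.begin() + i` also relies on `i` never exceeding `cert_path.size()`. The loop bounds are outside this hunk, so that cannot be confirmed from here.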
diff --git a/src/tests/data/x509/ocsp/bdr-int.pem b/src/tests/data/x509/ocsp/bdr-int.pem
new file mode 100644
index 0000000..299fb22
--- /dev/null
+++ b/src/tests/data/x509/ocsp/bdr-int.pem
@@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/src/tests/data/x509/ocsp/bdr-root.pem b/src/tests/data/x509/ocsp/bdr-root.pem
new file mode 100644
index 0000000..0a1a2b2
--- /dev/null
+++ b/src/tests/data/x509/ocsp/bdr-root.pem
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/src/tests/data/x509/ocsp/bdr.pem b/src/tests/data/x509/ocsp/bdr.pem
new file mode 100644
index 0000000..604defc
--- /dev/null
+++ b/src/tests/data/x509/ocsp/bdr.pem
@@ -0,0 +1,80 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/src/tests/data/x509/ocsp/mychain_ee.pem b/src/tests/data/x509/ocsp/mychain_ee.pem
new file mode 100644
index 0000000..23b0363
--- /dev/null
+++ b/src/tests/data/x509/ocsp/mychain_ee.pem
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
diff --git a/src/tests/data/x509/ocsp/mychain_int.pem b/src/tests/data/x509/ocsp/mychain_int.pem
new file mode 100644
index 0000000..f9bd11a
--- /dev/null
+++ b/src/tests/data/x509/ocsp/mychain_int.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/src/tests/data/x509/ocsp/mychain_int_ocsp_delegate_responder.pem b/src/tests/data/x509/ocsp/mychain_int_ocsp_delegate_responder.pem
new file mode 100644
index 0000000..6e65f1c
--- /dev/null
+++ b/src/tests/data/x509/ocsp/mychain_int_ocsp_delegate_responder.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/src/tests/data/x509/ocsp/mychain_int_ocsp_delegate_responder_no_ocsp_key_usage.pem b/src/tests/data/x509/ocsp/mychain_int_ocsp_delegate_responder_no_ocsp_key_usage.pem
new file mode 100644
index 0000000..0cac96b
--- /dev/null
+++ b/src/tests/data/x509/ocsp/mychain_int_ocsp_delegate_responder_no_ocsp_key_usage.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/src/tests/data/x509/ocsp/mychain_root.pem b/src/tests/data/x509/ocsp/mychain_root.pem
new file mode 100644
index 0000000..192d71b
--- /dev/null
+++ b/src/tests/data/x509/ocsp/mychain_root.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/src/tests/data/x509/ocsp/randombit_ocsp_forged_responder.pem b/src/tests/data/x509/ocsp/randombit_ocsp_forged_responder.pem
new file mode 100644
index 0000000..9381a3e
--- /dev/null
+++ b/src/tests/data/x509/ocsp/randombit_ocsp_forged_responder.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID1TCCAr2gAwIBAgIUQi+O3XGTkbU8ihDwXOrV18vdTvMwDQYJKoZIhvcNAQEL
+BQAwNzEXMBUGA1UEAwwORm9yZ2VkIE9DU1AgQ0ExCzAJBgNVBAYTAkRFMQ8wDQYD
+VQQHDAZCZXJsaW4wHhcNMTYxMTE4MTEwMDAwWhcNMTcxMTE4MTEwMDAwWjB+MQsw
+CQYDVQQGEwJERTEPMA0GA1UECAwGQmVybGluMQ8wDQYDVQQHDAZCZXJsaW4xFDAS
+BgNVBAoMC0hhY2tlcnNwYWNlMRowGAYDVQQLDBFPQ1NQIEJyZWFraW5nIExhYjEb
+MBkGA1UEAwwSRm9yZ2VkIE9DU1AgU2lnbmVyMIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEAq72Y4p9gCPcoNELOB5i104jhbzbEWfcXhAdXkmufOFFVVveq
+HbiGx5GLi46cJATjSQoOL86Jwgp/v0nZukfQFIsWJGjG3eDQnMBGaAH9+SZh+udP
+dhcuOvFqvFBkKk6rMIcW0Tqx2ixZUG7275JrqjEyNUjAGA9fRSkGoWyca/P6QCjE
+sgAMr82n0XahLi7VVL0v/DcRK7h9slJJbG9UBmHuwPYU5C5Z9iQKCh3JZ3oOgO4d
+OuAGXrRm69znN5jlkBxgowJbgPn4Xp2QyAZl2A0/mou3U9WuVGDOUDLRL1UbCv/T
+VyX/WyUsAV54apAkxM9Hd5yZermoIZ7gPCv40wIDAQABo4GRMIGOMB8GA1UdIwQY
+MBaAFE4W+nR1DcTuZYBY/YXQinJ1Y5PjMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgeA
+MBMGA1UdJQQMMAoGCCsGAQUFBwMJMB8GA1UdEQQYMBaCFG9jc3AuaGFja2Vyc3Bh
+Y2Uub3JnMB0GA1UdDgQWBBQAUq7vwa5MkBmRG9GuRC7N2F97BjANBgkqhkiG9w0B
+AQsFAAOCAQEAzS/5VHLcyTkvnodS18mlkp6r4fKkxhrLR2cyGhQPqwEqkq+l4U8k
+UMnem31+XoVHt8nN7N0+aOCna7xhvxzWDQioahG4oSxW3R0FNbO4+HXEBkUqbJQo
+JaVxSc4vXYjXgLvvhcSAbwfg7o3jInHszCLWoEpNEWGI0Un/ngJX0E8H374LiPnd
+Z7W8bNvqRgbpbZJmrgVfm2T3NIWlMYCB8GqyZMA/uLUtxkv25LTCsCTGKhn/ZQoI
+XxCZ4OvZDbxLmGj+5GsgJUHVKVhDomo0fJQh+KrMw+0IyjFVjjyroN6d1A3JPmbL
+dKUfISvTkfDCj67y8iASBRCOEs7EB4JzSg==
+-----END CERTIFICATE-----
diff --git a/src/tests/test_x509_path.cpp b/src/tests/test_x509_path.cpp
index 727d063..85e5044 100644
--- a/src/tests/test_x509_path.cpp
+++ b/src/tests/test_x509_path.cpp
@@ -1076,12 +1076,126 @@ class Path_Validation_With_OCSP_Tests final : public Test
          return result;
          }
 
+      Test::Result validate_with_ocsp_with_authorized_responder()
+         {
+         Test::Result result("path check with ocsp response from authorized responder certificate");
+         Botan::Certificate_Store_In_Memory trusted;
+
+         auto restrictions = Botan::Path_Validation_Restrictions(true,  // require revocation info
+                                                                 110,   // minimum key strength
+                                                                 true); // OCSP for all intermediates
+
+         auto ee = load_test_X509_cert("x509/ocsp/bdr.pem");
+         auto ca = load_test_X509_cert("x509/ocsp/bdr-int.pem");
+         auto trust_root = load_test_X509_cert("x509/ocsp/bdr-root.pem");
+
+         // These OCSP responses are signed by an authorized OCSP responder
+         // certificate issued by `ca` and `trust_root` respectively. Note that
+         // the responder certificates contain the "OCSP No Check" extension,
+         // meaning that they themselves do not need a revocation check via OCSP.
+         auto ocsp_ee = load_test_OCSP_resp("x509/ocsp/bdr-ocsp-resp.der");
+         auto ocsp_ca = load_test_OCSP_resp("x509/ocsp/bdr-int-ocsp-resp.der");
+
+         trusted.add_certificate(trust_root);
+         const std::vector<Botan::X509_Certificate> cert_path = { ee, ca, trust_root };
+
+         auto check_path = [&](const std::chrono::system_clock::time_point valid_time,
+                               const Botan::Certificate_Status_Code expected)
+            {
+            const auto path_result = Botan::x509_path_validate(cert_path, restrictions, trusted, "", Botan::Usage_Type::UNSPECIFIED,
+                                     valid_time, std::chrono::milliseconds(0), {ocsp_ee, ocsp_ca});
+
+            return result.confirm(std::string("Status: '") + Botan::to_string(expected)
+                                  + "' should match '" + Botan::to_string(path_result.result()) + "'",
+                                  path_result.result()==expected);
+            };
+
+         check_path(Botan::calendar_point(2022, 9, 18, 16, 30, 0).to_std_timepoint(),
+                    Botan::Certificate_Status_Code::OCSP_NOT_YET_VALID);
+         check_path(Botan::calendar_point(2022, 9, 19, 16, 30, 0).to_std_timepoint(),
+                    Botan::Certificate_Status_Code::OK);
+         check_path(Botan::calendar_point(2022, 9, 20, 16, 30, 0).to_std_timepoint(),
+                    Botan::Certificate_Status_Code::OCSP_HAS_EXPIRED);
+
+         return result;
+         }
+
+      Test::Result validate_with_forged_ocsp_using_self_signed_cert()
+         {
+         Test::Result result("path check with forged ocsp using self-signed certificate (CVE-2022-43705)");
+         Botan::Certificate_Store_In_Memory trusted;
+
+         auto restrictions = Botan::Path_Validation_Restrictions(true,   // require revocation info
+                                                                 110,    // minimum key strength
+                                                                 false); // OCSP for all intermediates
+
+         auto ee = load_test_X509_cert("x509/ocsp/randombit.pem");
+         auto ca = load_test_X509_cert("x509/ocsp/letsencrypt.pem");
+         auto trust_root = load_test_X509_cert("x509/ocsp/identrust.pem");
+         trusted.add_certificate(trust_root);
+
+         const std::vector<Botan::X509_Certificate> cert_path = { ee, ca, trust_root };
+
+         auto check_path = [&](const std::string &forged_ocsp,
+                               const Botan::Certificate_Status_Code expected)
+            {
+               auto ocsp = load_test_OCSP_resp(forged_ocsp);
+               const auto path_result = Botan::x509_path_validate(cert_path, restrictions, trusted, "", Botan::Usage_Type::UNSPECIFIED,
+                                        Botan::calendar_point(2016, 11, 18, 12, 30, 0).to_std_timepoint(), std::chrono::milliseconds(0), {ocsp});
+
+               result.confirm(std::string("Path validation with forged OCSP response should fail with '") + Botan::to_string(expected) + "'",
+                              path_result.result() == expected);
+               result.test_note(std::string("Failed with: ") + Botan::to_string(path_result.result()));
+            };
+
+         // In both cases the path validation should detect the forged OCSP
+         // response and generate an appropriate error. By no means it should
+         // follow the unauthentic OCSP response.
+         check_path("x509/ocsp/randombit_ocsp_forged_valid.der", Botan::Certificate_Status_Code::OCSP_ISSUER_NOT_FOUND);
+         check_path("x509/ocsp/randombit_ocsp_forged_revoked.der", Botan::Certificate_Status_Code::OCSP_ISSUER_NOT_FOUND);
+
+         return result;
+         }
+
+      Test::Result validate_with_ocsp_self_signed_by_intermediate_cert()
+         {
+         Test::Result result("path check with ocsp response for intermediate that is (maliciously) self-signed by the intermediate");
+         Botan::Certificate_Store_In_Memory trusted;
+
+         auto restrictions = Botan::Path_Validation_Restrictions(true,  // require revocation info
+                                                                 110,   // minimum key strength
+                                                                 true); // OCSP for all intermediates
+
+         auto ee = load_test_X509_cert("x509/ocsp/mychain_ee.pem");
+         auto ca = load_test_X509_cert("x509/ocsp/mychain_int.pem");
+         auto trust_root = load_test_X509_cert("x509/ocsp/mychain_root.pem");
+
+         // this OCSP response for EE is valid (signed by intermediate cert)
+         auto ocsp_ee = load_test_OCSP_resp("x509/ocsp/mychain_ocsp_for_ee.der");
+
+         // this OCSP response for Intermediate is malicious (signed by intermediate itself)
+         auto ocsp_ca = load_test_OCSP_resp("x509/ocsp/mychain_ocsp_for_int_self_signed.der");
+
+         trusted.add_certificate(trust_root);
+         const std::vector<Botan::X509_Certificate> cert_path = { ee, ca, trust_root };
+
+         const auto path_result = Botan::x509_path_validate(cert_path, restrictions, trusted, "", Botan::Usage_Type::UNSPECIFIED,
+                                  Botan::calendar_point(2022, 9, 22, 22, 30, 0).to_std_timepoint(), std::chrono::milliseconds(0), {ocsp_ee, ocsp_ca});
+         result.confirm("should reject intermediate OCSP response", path_result.result() == Botan::Certificate_Status_Code::OCSP_ISSUER_NOT_FOUND);
+         result.test_note(std::string("Failed with: ") + Botan::to_string(path_result.result()));
+
+         return result;
+         }
+
       std::vector<Test::Result> run() override
          {
          return  {validate_with_ocsp_with_next_update_without_max_age(),
                   validate_with_ocsp_with_next_update_with_max_age(),
                   validate_with_ocsp_without_next_update_without_max_age(),
-                  validate_with_ocsp_without_next_update_with_max_age()};
+                  validate_with_ocsp_without_next_update_with_max_age(),
+                  validate_with_ocsp_with_authorized_responder(),
+                  validate_with_forged_ocsp_using_self_signed_cert(),
+                  validate_with_ocsp_self_signed_by_intermediate_cert()};
          }
 
    };
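Review bot: None of the three new tests asserts `OCSP_RESPONSE_MISSING_KEYUSAGE` or `OCSP_SIGNATURE_ERROR`, the two other rejection paths the ocsp.cpp change adds. The patch does add `mychain_int_ocsp_delegate_responder_no_ocsp_key_usage.pem` and `randombit_ocsp_forged_responder.pem` as fixtures, so a case that feeds a response signed by the no-key-usage delegate and expects `OCSP_RESPONSE_MISSING_KEYUSAGE` would pin that branch, unless another test file outside this page already does. The tests also load `.der` responses such as `x509/ocsp/bdr-ocsp-resp.der` and `x509/ocsp/mychain_ocsp_for_int_self_signed.der`, which are not added anywhere in the visible patch. Binary fixtures cannot travel in a text diff, so the package needs to ship them separately or these tests will fail at load time.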