Discussion:
[strongSwan-dev] OCSP request malformed, no timestamp or nonce checks?
lauri
2017-06-04 18:36:27 UTC
Permalink
Hi,

I am attempting to implement OCSP responder in Python using asn1crypto
library [1]. I managed to parse OCSP request generated by openssl, but
when I try to parse OCSP request generated by StrongSwan I bump into
issue described at asn1crypto issue tracker [2]. They claim that the
request is malformed, but that can be easily problem on my side. I
manage to parse and give a response suitable for StrongSwan if I skip
parsing OCSP request extensions including the nonce.

I was digging through the StrongSwan code and I discovered that OCSP
reponse signature is checked, but no additional checks for nonce or
timestamps are performed [3].

Could anyone of you point out what I might be doing wrong or have I
found bugs in the StrongSwan's OCSP implementation?

1. https://github.com/wbond/asn1crypto/
2. https://github.com/wbond/asn1crypto/issues/56
3. https://github.com/strongswan/strongswan/blob/master/src/libstrongswan/plugins/x509/x509_ocsp_response.c#L756
--
Lauri Võsandi
tel: +372 53329412
e-mail: ***@gmail.com
blog: http://lauri.vosandi.com/
Jörn Heissler
2017-06-05 17:08:10 UTC
Permalink
Post by lauri
I am attempting to implement OCSP responder in Python using asn1crypto
library [1]. I managed to parse OCSP request generated by openssl, but
when I try to parse OCSP request generated by StrongSwan I bump into
issue described at asn1crypto issue tracker [2]. They claim that the
request is malformed, but that can be easily problem on my side. I
manage to parse and give a response suitable for StrongSwan if I skip
parsing OCSP request extensions including the nonce.
Could anyone of you point out what I might be doing wrong or have I
found bugs in the StrongSwan's OCSP implementation?
Hi,
I'm convinced that it's a bug in strongswan.
src/libstrongswan/plugins/x509/x509_ocsp_request.c function build_nonce.

return asn1_wrap(ASN1_SEQUENCE, "cm", ASN1_nonce_oid,
asn1_simple_object(ASN1_OCTET_STRING, this->nonce));

This creates an ASN1_SEQUENCE which contains the extension OID and an
ASN1_OCTET_STRING with the nonce.

Correct behaviour would be to wrap the OctetString in another
OctetString.

If you look above at ASN1_response_content you'll see an OctetString
(0x04) wrapping a sequence (0x30 and so on). This is correct.

rfc5280 (and others) specifies how those Extensions are to be encoded:

Extension ::= SEQUENCE {
extnID OBJECT IDENTIFIER,
critical BOOLEAN DEFAULT FALSE,
extnValue OCTET STRING
-- contains the DER encoding of an ASN.1 value
-- corresponding to the extension type identified
-- by extnID
}


Correct code may look like this (Better triple check it, I'm mostly guessing
here!):

return asn1_wrap(ASN1_SEQUENCE, "cm", ASN1_nonce_oid,
asn1_wrap(ASN1_OCTET_STRING, "m", asn1_simple_object(
ASN1_OCTET_STRING, this->nonce)));

Cheers
Jörn
Tobias Brunner
2017-07-07 07:27:57 UTC
Permalink
Hi Jörn, Lauri,

Thanks for the report and sorry for the delay.
Post by Jörn Heissler
I'm convinced that it's a bug in strongswan.
src/libstrongswan/plugins/x509/x509_ocsp_request.c function build_nonce.
return asn1_wrap(ASN1_SEQUENCE, "cm", ASN1_nonce_oid,
asn1_simple_object(ASN1_OCTET_STRING, this->nonce));
This creates an ASN1_SEQUENCE which contains the extension OID and an
ASN1_OCTET_STRING with the nonce.
Correct behaviour would be to wrap the OctetString in another
OctetString.
Agreed.
Post by Jörn Heissler
Correct code may look like this (Better triple check it, I'm mostly guessing
return asn1_wrap(ASN1_SEQUENCE, "cm", ASN1_nonce_oid,
asn1_wrap(ASN1_OCTET_STRING, "m", asn1_simple_object(
ASN1_OCTET_STRING, this->nonce)));
Looks about right :) Pushed to master [1].

Regards,
Tobias

[1] https://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=d7dc677e
Loading...