[strongSwan-dev] OCSP request malformed, no timestamp or nonce checks?
Tobias Brunner
tobias at strongswan.org
Fri Jul 7 09:27:57 CEST 2017
Hi Jörn, Lauri,
Thanks for the report and sorry for the delay.
> I'm convinced that it's a bug in strongswan.
> src/libstrongswan/plugins/x509/x509_ocsp_request.c function build_nonce.
>
> return asn1_wrap(ASN1_SEQUENCE, "cm", ASN1_nonce_oid,
> asn1_simple_object(ASN1_OCTET_STRING, this->nonce));
>
> This creates an ASN1_SEQUENCE which contains the extension OID and an
> ASN1_OCTET_STRING with the nonce.
>
> Correct behaviour would be to wrap the OctetString in another
> OctetString.
Agreed.
> Correct code may look like this (Better triple check it, I'm mostly guessing
> here!):
>
> return asn1_wrap(ASN1_SEQUENCE, "cm", ASN1_nonce_oid,
> asn1_wrap(ASN1_OCTET_STRING, "m", asn1_simple_object(
> ASN1_OCTET_STRING, this->nonce)));
Looks about right :) Pushed to master [1].
Regards,
Tobias
[1] https://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=d7dc677e
More information about the Dev
mailing list