From 62275e72ff0b9849c899f0fecea90731fff9da0a Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 7 Dec 2017 17:08:33 +0100
Subject: [PATCH 84/86] p11_child: make sure OCSP checks are done
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If CERT_VerifyCertificateNow() is used with
'certificateUsageCheckAllUsages' OCSP checks are skipped even if OCSP
was enabled.
This patch calls CERT_CheckOCSPStatus() explicitly if OCSP checks are
enabled.
Related to https://pagure.io/SSSD/sssd/issue/3560
Reviewed-by: Fabiano FidĂȘncio <fidencio@redhat.com>
(cherry picked from commit 2297cc7d6cd5c38a7d64027165e4e82ca497f418)
---
src/p11_child/p11_child_nss.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/src/p11_child/p11_child_nss.c b/src/p11_child/p11_child_nss.c
index 21c508eb1b1b68b3606d0a5eed36573b01f27a19..bf533f3efe4d680f4c6dbd10a0d2c5a5da371c67 100644
--- a/src/p11_child/p11_child_nss.c
+++ b/src/p11_child/p11_child_nss.c
@@ -338,6 +338,23 @@ int do_work(TALLOC_CTX *mem_ctx, const char *nss_db,
PR_GetError(), PORT_ErrorToString(PR_GetError()));
continue;
}
+
+ /* with 'certificateUsageCheckAllUsages' set
+ * CERT_VerifyCertificateNow() does not do OCSP so it must be done
+ * explicitly */
+ if (cert_verify_opts->do_ocsp) {
+ rv = CERT_CheckOCSPStatus(handle, cert_list_node->cert,
+ PR_Now(), NULL);
+ if (rv != SECSuccess) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Certificate [%s][%s] failed OCSP check [%d][%s], "
+ "skipping.\n",
+ cert_list_node->cert->nickname,
+ cert_list_node->cert->subjectName,
+ PR_GetError(), PORT_ErrorToString(PR_GetError()));
+ continue;
+ }
+ }
}
if (key_id_in != NULL) {
--
2.14.3