Merge GH #1470 Use soft fail for OCSP

6 files changed, 63 insertions, 20 deletions

diff --git a/src/lib/x509/cert_status.cpp b/src/lib/x509/cert_status.cpp
index 2c0e74d36..79bcd1b07 100644
--- a/src/lib/x509/cert_status.cpp
+++ b/src/lib/x509/cert_status.cpp
@@ -26,6 +26,10 @@ const char* to_string(Certificate_Status_Code code)
          return "Certificate serial number is negative";
       case Certificate_Status_Code::DN_TOO_LONG:
          return "Distinguished name too long";
+      case Certificate_Status_Code::OSCP_NO_REVOCATION_URL:
+         return "OCSP URL not available";
+      case Certificate_Status_Code::OSCP_SERVER_NOT_AVAILABLE:
+         return "OSCP server not available";
 
       case Certificate_Status_Code::NO_REVOCATION_DATA:
          return "No revocation data";
diff --git a/src/lib/x509/cert_status.h b/src/lib/x509/cert_status.h
index 76dc9252b..1c3a5de89 100644
--- a/src/lib/x509/cert_status.h
+++ b/src/lib/x509/cert_status.h
@@ -29,6 +29,8 @@ enum class Certificate_Status_Code {
    FIRST_WARNING_STATUS = 500,
    CERT_SERIAL_NEGATIVE = 500,
    DN_TOO_LONG = 501,
+   OSCP_NO_REVOCATION_URL = 502,
+   OSCP_SERVER_NOT_AVAILABLE = 503,
 
    // Errors
    FIRST_ERROR_STATUS = 1000,
diff --git a/src/lib/x509/ocsp.cpp b/src/lib/x509/ocsp.cpp
index 10449b019..751f858a5 100644
--- a/src/lib/x509/ocsp.cpp
+++ b/src/lib/x509/ocsp.cpp
@@ -87,9 +87,16 @@ std::string Request::base64_encode() const
    return Botan::base64_encode(BER_encode());
    }
 
+Response::Response(Certificate_Status_Code status)
+   {
+   m_dummy_response_status = status;
+   }
+
 Response::Response(const uint8_t response_bits[], size_t response_bits_len) :
    m_response_bits(response_bits, response_bits + response_bits_len)
    {
+   m_dummy_response_status = Certificate_Status_Code::OCSP_RESPONSE_INVALID;
+
    BER_Decoder response_outer = BER_Decoder(m_response_bits).start_cons(SEQUENCE);
 
    size_t resp_status = 0;
@@ -143,6 +150,9 @@ Response::Response(const uint8_t response_bits[], size_t response_bits_len) :
 
 Certificate_Status_Code Response::verify_signature(const X509_Certificate& issuer) const
    {
+   if (m_responses.empty())
+      return m_dummy_response_status;
+      
    try
       {
       std::unique_ptr<Public_Key> pub_key(issuer.subject_public_key());
@@ -172,6 +182,9 @@ Certificate_Status_Code Response::verify_signature(const X509_Certificate& issue
 Certificate_Status_Code Response::check_signature(const std::vector<Certificate_Store*>& trusted_roots,
                                                   const std::vector<std::shared_ptr<const X509_Certificate>>& ee_cert_path) const
    {
+   if (m_responses.empty())
+      return m_dummy_response_status;
+
    std::shared_ptr<const X509_Certificate> signing_cert;
 
    for(size_t i = 0; i != trusted_roots.size(); ++i)
@@ -253,6 +266,9 @@ Certificate_Status_Code Response::status_for(const X509_Certificate& issuer,
                                              const X509_Certificate& subject,
                                              std::chrono::system_clock::time_point ref_time) const
    {
+   if (m_responses.empty())
+      return m_dummy_response_status;
+
    for(const auto& response : m_responses)
       {
       if(response.certid().is_id_for(issuer, subject))
diff --git a/src/lib/x509/ocsp.h b/src/lib/x509/ocsp.h
index 1b780d63f..884b1c5b3 100644
--- a/src/lib/x509/ocsp.h
+++ b/src/lib/x509/ocsp.h
@@ -77,6 +77,12 @@ class BOTAN_PUBLIC_API(2,0) Response final
       Response() = default;
 
       /**
+      * Create a fake OCSP response from a given status code.
+      * @param status the status code the check functions will return
+      */
+      Response(Certificate_Status_Code status);
+
+      /**
       * Parses an OCSP response.
       * @param response_bits response bits received
       */
@@ -161,6 +167,8 @@ class BOTAN_PUBLIC_API(2,0) Response final
       std::vector<X509_Certificate> m_certs;
 
       std::vector<SingleResponse> m_responses;
+
+      Certificate_Status_Code m_dummy_response_status;
    };
 
 #if defined(BOTAN_HAS_HTTP_UTIL)
diff --git a/src/lib/x509/x509path.cpp b/src/lib/x509/x509path.cpp
index aa35a5457..f703bf028 100644
--- a/src/lib/x509/x509path.cpp
+++ b/src/lib/x509/x509path.cpp
@@ -371,26 +371,34 @@ PKIX::check_ocsp_online(const std::vector<std::shared_ptr<const X509_Certificate
       if(subject->ocsp_responder() == "")
          {
          ocsp_response_futures.emplace_back(std::async(std::launch::deferred, [&]() -> std::shared_ptr<const OCSP::Response> {
-                  throw Exception("No OCSP responder URL set for this certificate");
+                  return std::make_shared<const OCSP::Response>(Certificate_Status_Code::OSCP_NO_REVOCATION_URL);
                   }));
-            }
-         else
-            {
-            ocsp_response_futures.emplace_back(std::async(std::launch::async, [&]() -> std::shared_ptr<const OCSP::Response> {
-                  OCSP::Request req(*issuer, BigInt::decode(subject->serial_number()));
-
-                  auto http = HTTP::POST_sync(subject->ocsp_responder(),
-                                              "application/ocsp-request",
-                                              req.BER_encode(),
-                                              /*redirects*/1,
-                                              timeout);
-
-                  http.throw_unless_ok();
-                  // Check the MIME type?
-
-                  return std::make_shared<const OCSP::Response>(http.body());
-                  }));
-            }
+         }
+      else
+         {
+         ocsp_response_futures.emplace_back(std::async(std::launch::async, [&]() -> std::shared_ptr<const OCSP::Response> {
+               OCSP::Request req(*issuer, BigInt::decode(subject->serial_number()));
+
+               HTTP::Response http;
+               try
+                  {
+                  http = HTTP::POST_sync(subject->ocsp_responder(),
+                                                "application/ocsp-request",
+                                                req.BER_encode(),
+                                                /*redirects*/1,
+                                                timeout);
+                  }
+               catch(std::exception& e)
+                  {
+                  // log e.what() ?
+                  }
+               if (http.status_code() != 200)
+                  return std::make_shared<const OCSP::Response>(Certificate_Status_Code::OSCP_SERVER_NOT_AVAILABLE);
+               // Check the MIME type?
+
+               return std::make_shared<const OCSP::Response>(http.body());
+               }));
+         }
       }
 
    std::vector<std::shared_ptr<const OCSP::Response>> ocsp_responses;
@@ -773,7 +781,9 @@ void PKIX::merge_revocation_status(CertificatePathStatusCodes& chain_status,
          {
          for(auto&& code : ocsp[i])
             {
-            if(code == Certificate_Status_Code::OCSP_RESPONSE_GOOD)
+            if(code == Certificate_Status_Code::OCSP_RESPONSE_GOOD ||
+               code == Certificate_Status_Code::OSCP_NO_REVOCATION_URL ||  // softfail
+               code == Certificate_Status_Code::OSCP_SERVER_NOT_AVAILABLE) // softfail
                {
                had_ocsp = true;
                }
diff --git a/src/lib/x509/x509path.h b/src/lib/x509/x509path.h
index 65497b2cc..79ae02a10 100644
--- a/src/lib/x509/x509path.h
+++ b/src/lib/x509/x509path.h
@@ -204,6 +204,9 @@ class BOTAN_PUBLIC_API(2,0) Path_Validation_Result final
 * @param ocsp_timeout timeout for OCSP operations, 0 disables OCSP check
 * @param ocsp_resp additional OCSP responses to consider (eg from peer)
 * @return result of the path validation
+*   note: when enabled, OCSP check is softfail by default: if the OCSP server is not
+*   reachable, Path_Validation_Result::successful_validation() will return true. 
+*   Hardfail OCSP check can be achieve by also calling Path_Validation_Result::no_warnings().
 */
 Path_Validation_Result BOTAN_PUBLIC_API(2,0) x509_path_validate(
    const std::vector<X509_Certificate>& end_certs,