added status_request extension and cert chain to the stapling-reponse generating callback's signature

author: Falko Strenzke <[email protected]> 2018-10-11 16:12:59 +0200
committer: Jack Lloyd <[email protected]> 2019-05-22 13:42:59 -0400
commit: f56f29c893b06e3d412e82f28e6c8aa075700ec3 (patch)
tree: 77525f4dc98e7cb804983bdc38c4b3e86f099096 /src/lib
parent: b5176ca26fd36cb51588a5d3d7094eaa313fcf63 (diff)
4 files changed, 56 insertions, 14 deletions
diff --git a/src/lib/tls/tls_callbacks.h b/src/lib/tls/tls_callbacks.h
index 6b93e7d6b..2c217993a 100644
--- a/src/lib/tls/tls_callbacks.h
+++ b/src/lib/tls/tls_callbacks.h
@@ -12,6 +12,7 @@
 
 #include <botan/tls_session.h>
 #include <botan/tls_alert.h>
+#include <botan/tls_extensions.h>
 #include <botan/pubkey.h>
 #include <functional>
 
@@ -20,6 +21,7 @@ namespace Botan {
 class Certificate_Store;
 class X509_Certificate;
 
+
 namespace OCSP {
 
 class Response;
@@ -149,7 +151,7 @@ class BOTAN_PUBLIC_API(2,0) Callbacks
        *
        * @return the encoded OCSP response to be sent to the client which indicates the revocation status of the server certificate. Return an empty vector to indicate that no response is available, and thus suppress the Certificate_Status message.
        */
-       virtual std::vector<uint8_t> tls_srv_provoide_cert_status_response() const
+       virtual std::vector<uint8_t> tls_srv_provoide_cert_status_response(std::vector<X509_Certificate> const& , Certificate_Status_Request const& ) const
        {
           return std::vector<uint8_t>();
        }
diff --git a/src/lib/tls/tls_extensions.cpp b/src/lib/tls/tls_extensions.cpp
index a673f867b..917a76b92 100644
--- a/src/lib/tls/tls_extensions.cpp
+++ b/src/lib/tls/tls_extensions.cpp
@@ -539,14 +539,36 @@ std::vector<uint8_t> Certificate_Status_Request::serialize() const
 
 Certificate_Status_Request::Certificate_Status_Request(TLS_Data_Reader& reader,
                                                        uint16_t extension_size) :
-   m_server_side(false)
+   m_server_side(false) // This ctor is used by both client and server, so the information is wrong here. 
+                        // However, m_server_side is only evaluated when sending the object, thus the error 
+                        // made will not matter. However, a better modelling would be nice.
    {
    if(extension_size > 0)
       {
       const uint8_t type = reader.get_byte();
       if(type == 1)
          {
-         reader.discard_next(extension_size - 1); // fixme
+           extension_size -= 1;
+           size_t len_resp_id_list = reader.get_uint16_t();  
+           extension_size -= 2;
+           if(len_resp_id_list + 2 > extension_size)
+           {
+             throw Decoding_Error("Bad size of responder id list in Certificate_Status_Request extension");
+           }
+           m_ocsp_names = reader.get_fixed<uint8_t>(len_resp_id_list);
+           extension_size -= len_resp_id_list;
+           size_t len_requ_ext = reader.get_uint16_t();
+           extension_size -= 2;
+           if(len_requ_ext > extension_size)
+           {
+             throw Decoding_Error("Bad size of extensions in Certificate_Status_Request extension");
+           }
+           m_extension_bytes = reader.get_fixed<uint8_t>(len_requ_ext );
+           extension_size -= len_requ_ext;
+           if(extension_size != 0)
+           {
+             throw Decoding_Error("trailing bytes in Certificate_Status_Request extension");
+           }
          }
       else
          {
@@ -555,7 +577,7 @@ Certificate_Status_Request::Certificate_Status_Request(TLS_Data_Reader& reader,
       }
    }
 
-Certificate_Status_Request::Certificate_Status_Request(const std::vector<X509_DN>& ocsp_responder_ids,
+Certificate_Status_Request::Certificate_Status_Request(const std::vector<uint8_t>& ocsp_responder_ids,
                                                        const std::vector<std::vector<uint8_t>>& ocsp_key_ids) :
    m_ocsp_names(ocsp_responder_ids),
    m_ocsp_keys(ocsp_key_ids),
diff --git a/src/lib/tls/tls_extensions.h b/src/lib/tls/tls_extensions.h
index 3ecfb7c0f..4f7bd5464 100644
--- a/src/lib/tls/tls_extensions.h
+++ b/src/lib/tls/tls_extensions.h
@@ -397,17 +397,28 @@ class BOTAN_UNSTABLE_API Certificate_Status_Request final : public Extension
 
       bool empty() const override { return false; }
 
+      std::vector<uint8_t> get_responder_id_list() const
+      {
+        return m_ocsp_names;
+      }
+      
+      std::vector<uint8_t> get_request_extensions() const 
+      {
+        return m_extension_bytes;
+      }
+
+
       // Server generated version: empty
       Certificate_Status_Request();
 
       // Client version, both lists can be empty
-      Certificate_Status_Request(const std::vector<X509_DN>& ocsp_responder_ids,
+      Certificate_Status_Request(const std::vector<uint8_t>& ocsp_responder_ids,
                                  const std::vector<std::vector<uint8_t>>& ocsp_key_ids);
 
       Certificate_Status_Request(TLS_Data_Reader& reader, uint16_t extension_size);
    private:
-      std::vector<X509_DN> m_ocsp_names;
-      std::vector<std::vector<uint8_t>> m_ocsp_keys;
+      std::vector<uint8_t> m_ocsp_names;
+      std::vector<std::vector<uint8_t>> m_ocsp_keys; // is this field really needed
       std::vector<uint8_t> m_extension_bytes;
       bool m_server_side;
    };
diff --git a/src/lib/tls/tls_server.cpp b/src/lib/tls/tls_server.cpp
index 9e9ca517e..387ae019e 100644
--- a/src/lib/tls/tls_server.cpp
+++ b/src/lib/tls/tls_server.cpp
@@ -846,13 +846,20 @@ void Server::session_create(Server_Handshake_State& pending_state,
       pending_state.server_certs(new Certificate(pending_state.handshake_io(),
                                                  pending_state.hash(),
                                                  cert_chains[algo_used]));
-      if(pending_state.client_hello()->supports_cert_status_message() && callbacks().tls_srv_provoide_cert_status_response().size() > 0)
-      {
-        pending_state.server_cert_status(new Certificate_Status(
-              pending_state.handshake_io(),
-              pending_state.hash(),
-              callbacks().tls_srv_provoide_cert_status_response()
-              )); 
+
+      if(pending_state.client_hello()->supports_cert_status_message())
+      {
+        Certificate_Status_Request * csr = pending_state.client_hello()->extensions().get<Certificate_Status_Request>();
+        // csr is non-null if client_hello()->supports_cert_status_message()
+        std::vector<uint8_t> resp_bytes = callbacks().tls_srv_provoide_cert_status_response(cert_chains[algo_used], *csr);
+        if(resp_bytes.size() > 0)
+        {
+          pending_state.server_cert_status(new Certificate_Status(
+                pending_state.handshake_io(),
+                pending_state.hash(),
+                resp_bytes 
+                )); 
+        }
       }
 
       private_key = m_creds.private_key_for(
author	Falko Strenzke <[email protected]>	2018-10-11 16:12:59 +0200
committer	Jack Lloyd <[email protected]>	2019-05-22 13:42:59 -0400
commit	f56f29c893b06e3d412e82f28e6c8aa075700ec3 (patch)
tree	77525f4dc98e7cb804983bdc38c4b3e86f099096 /src/lib
parent	b5176ca26fd36cb51588a5d3d7094eaa313fcf63 (diff)