diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 03153a0f4..61134f015 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -10757,6 +10757,7 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
 return ASN_PARSE_E;
 InitDecodedCert(&cert, resp->cert, resp->certSz, heap);
+ /* Don't verify if we don't have access to Cert Manager. */
 ret = ParseCertRelative(&cert, CERT_TYPE, noVerify ? NO_VERIFY : VERIFY_OCSP, cm);
@@ -10766,6 +10767,13 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
 return ret;
 }
+ if ((cert.extExtKeyUsage & EXTKEYUSE_OCSP_SIGN) == 0) {
+ WOLFSSL_MSG("\tOCSP Responder key usage check failed");
+ FreeDecodedCert(&cert);
+ return BAD_OCSP_RESPONDER;
+ }
+
 /* ConfirmSignature is blocking here */
 ret = ConfirmSignature(&cert.sigCtx, resp->response, resp->responseSz,
diff --git a/wolfcrypt/src/error.c b/wolfcrypt/src/error.c
index b5b578d5a..edd06afc6 100644
--- a/wolfcrypt/src/error.c
+++ b/wolfcrypt/src/error.c
@@ -425,6 +425,9 @@ const char* wc_GetErrorString(int error)
 case ASYNC_OP_E:
 return "Async operation error";
+ case BAD_OCSP_RESPONDER:
+ return "Invalid OCSP Responder, missing specific key usage extensions";
+
 default:
 return "unknown error number";
diff --git a/wolfssl/wolfcrypt/error-crypt.h b/wolfssl/wolfcrypt/error-crypt.h
index df29accc4..99c27d18e 100644
--- a/wolfssl/wolfcrypt/error-crypt.h
+++ b/wolfssl/wolfcrypt/error-crypt.h
@@ -106,6 +106,7 @@ enum {
 UNICODE_SIZE_E = -175, /* Unicode password too big */
 NO_PASSWORD = -176, /* no password provided by user */
 ALT_NAME_E = -177, /* alt name size problem, too big */
+ BAD_OCSP_RESPONDER = -178, /* missing key usage extensions */
 AES_GCM_AUTH_E = -180, /* AES-GCM Authentication check failure */
 AES_CCM_AUTH_E = -181, /* AES-CCM Authentication check failure */
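Review bot: The new comment above `ParseCertRelative` says verification is skipped when there is no Cert Manager, but the code keys off `noVerify`, and nothing in this hunk ties `noVerify` to `cm == NULL`; if callers can set `noVerify` for other reasons the comment describes a different condition than the one tested. I would phrase it in terms of the variable actually checked, e.g. `/* noVerify: skip chain validation of the embedded responder cert (set by callers when no Cert Manager is available); otherwise validate with VERIFY_OCSP. */`. It is also worth saying here that under NO_VERIFY the decoded cert is not chained to any trust anchor, since later checks on `cert` (such as the EKU test added below) then run on an unvalidated certificate. DecodeBasicOcspResponse begins before and continues after this hunk.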
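Review bot: The added check demands id-kp-OCSPSigning on every embedded signer certificate, but RFC 6960 §4.2.2.2 requires that EKU only for a delegated (Authorized) responder; a response signed directly by the issuing CA, or by a locally trusted responder, whose certificate is carried in the response's certs field will now fail with BAD_OCSP_RESPONDER although its signature is legitimate. Before rejecting, the code should accept the embedded certificate when it is the issuer of the certificate in question (for example when its key matches the issuer key hash or ResponderID carried in the response — those fields are not visible in this hunk, so the exact comparison needs confirming against the OcspResponse layout) and apply the EKU requirement only to the delegated case. Separately, when `noVerify` is set the certificate was parsed with NO_VERIFY and an attacker-supplied certificate can trivially carry this EKU, so a comment such as `/* Only a trust decision when the responder cert was validated above (VERIFY_OCSP); under NO_VERIFY this is a sanity check. */` would keep readers from over-trusting the test. The cleanup (`FreeDecodedCert` then return) matches the preceding error path, which is good. DecodeBasicOcspResponse starts before and continues after this hunk.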
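Review bot: The new enum comment `/* missing key usage extensions */`, like the string added in error.c, points at the KeyUsage extension, while the check in asn.c tests the extended-key-usage bit `EXTKEYUSE_OCSP_SIGN`; naming the actual purpose leads an operator to the right fix on the responder side: `BAD_OCSP_RESPONDER  = -178,  /* OCSP responder cert lacks id-kp-OCSPSigning EKU */`. The same wording would suit the `wc_GetErrorString` case.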