CVE-2022-1343 The function `OCSP_basic_verify` verifies the signer certificate on an OCSP response


due to the flag OCSP_NOCHECKS. This can lead to confusion. For example:

$ openssl ocsp -no_cert_checks -get "http://www.example.com/OCSPResponse"

1: ----- BEGIN OCSPSig

2: ocsp_base64 encoded signature


OCSP_NOCHECKS does not mean the server is not certified. It means that the OCSP has no certificate to check against.


OCSP Response

This can be confusing. "OCSP response" is a term used to refer to the challenge that is sent back after a certificate has been revoked. So, in this example, "OCSP response" is actually the challenge that is being sent back from the server.

Remotely obtained OCSP response from upstream

OCSP responses are normally obtained from the issuing certificate authority. The OCSP response is checked locally to ensure that it has not been revoked and then sent to the requesting party. If a remote OCSP response was received, this means it was obtained using some form of man-in-the-middle attack, where an attacker either intercepted the communication between the browser or server and the issuing certificate authority or digitally signed a message without displaying any identifying information.

