Bug 987442 - [RFE][usability] Return non zero exit code in ocsp tool on failure
[RFE][usability] Return non zero exit code in ocsp tool on failure
Status: CLOSED NEXTRELEASE
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: openssl (Show other bugs)
6.4
Unspecified Unspecified
low Severity medium
: rc
: ---
Assigned To: Tomas Mraz
BaseOS QE Security Team
: FutureFeature
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-07-23 07:43 EDT by Hubert Kario
Modified: 2017-09-06 08:40 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-09-06 08:40:05 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
damaged OCSP response (462 bytes, application/octet-stream)
2013-07-23 07:43 EDT, Hubert Kario
no flags Details
CA certificate (1.57 KB, text/plain)
2013-07-23 07:44 EDT, Hubert Kario
no flags Details

  None (edit)
Description Hubert Kario 2013-07-23 07:43:19 EDT
Created attachment 777287 [details]
damaged OCSP response

Description of problem:
`openssl ocsp` tool is often used to check validity of certificates using OCSP, but it's output is specifically designed for human interpretation and not machine checking. Because of that, writing scripts that use it is hard.

For example, even the OCSP check script we distribute in Fedora openvpn is wrong:
/usr/share/doc/openvpn-2.3.2/contrib/OCSP_check/OCSP_check.sh
http://svn.openvpn.net/projects/openvpn/contrib/dazo/contrib/OCSP_check/OCSP_check.sh

It will validate the cert as OK if the signature verification fails.

Version-Release number of selected component (if applicable):
openssl-1.0.0-27.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Get a valid good OCSP response for a valid certificate
2. Mangle the signature
3. Perform signature verification

openssl ocsp -CAfile ca_cert.pem -issuer ca_cert.pem -verify_other ca_cert.pem -serial 0x1212 -no_nonce -respin ocsp.resp
echo $?

Actual results:
Response Verify Failure
140624443094856:error:04091077:rsa routines:INT_RSA_VERIFY:wrong signature length:rsa_sign.c:159:
140624443094856:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:a_verify.c:184:
140624443094856:error:27069075:OCSP routines:OCSP_basic_verify:signature failure:ocsp_vfy.c:98:
0x1212: good
        This Update: Jul 23 11:41:21 2013 GMT
        Next Update: Jul 23 11:41:21 2014 GMT
0

Expected results:
Response Verify Failure
140624443094856:error:04091077:rsa routines:INT_RSA_VERIFY:wrong signature length:rsa_sign.c:159:
140624443094856:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:a_verify.c:184:
140624443094856:error:27069075:OCSP routines:OCSP_basic_verify:signature failure:ocsp_vfy.c:98:
0x1212: good
        This Update: Jul 23 11:41:21 2013 GMT
        Next Update: Jul 23 11:41:21 2014 GMT
1

Additional info:
Comment 1 Hubert Kario 2013-07-23 07:44:22 EDT
Created attachment 777288 [details]
CA certificate
Comment 5 Hubert Kario 2013-07-23 12:32:20 EDT
A bit of additional info: if the server responds with an error message (unauthorized, try_later, etc.), the ocsp command does return non zero error code.
Comment 6 RHEL Product and Program Management 2013-10-13 23:03:44 EDT
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.
Comment 7 Hubert Kario 2017-09-06 08:40:05 EDT
Red Hat Enterprise Linux 6 entered Production 3 stage of its life cycle, that means only selected high priority or security issues will be fixed. See https://access.redhat.com/support/policy/updates/errata for more information

This issue is not considered to be a high priority issue thus it won't be fixed in Red Hat Enterprise Linux 6.

The issue is not present in Red Hat Enterprise Linux 7 (package version tested: openssl-1.0.2k-8.el7.x86_64), thus the bug is closed with resolution NEXTRELEASE.

Please contact Customer Support if you believe that this issue should be addressed in this release of Red Hat Enterprise Linux.

Note You need to log in before you can comment on or make changes to this bug.