revocation: Restrict OCSP signing to specific certificates
author Martin Willi <martin@revosec.ch>
Tue, 25 Mar 2014 13:34:58 +0000 (14:34 +0100)
committer Martin Willi <martin@revosec.ch>
Mon, 31 Mar 2014 12:40:33 +0000 (14:40 +0200)
commit 91d71abb16a9b15bbcd7f6cbefb806408be3b92d
tree 78316a3926aeef1358ad770fee3401fc56af7fa7
parent a844b6589034ff53e845fb9013d69dac02385453

To avoid considering each cached OCSP response and evaluating its trust chain,
we limit the certificates considered for OCSP signing to:

- The issuing CA of the checked certificate
- A directly delegated signer by the same CA, having the OCSP signer constraint
- Any locally installed (trusted) certificate having the OCSP signer constraint

The first two options cover the requirements from RFC 6960 2.6. For
compatibility with non-conforming CAs, we allow the third option as an exception,
but require the installation of such certificates locally.

src/libstrongswan/plugins/revocation/revocation_validator.c
testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat
testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat
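
The three signer rules from the commit message, as an added example that is not strongSwan's code: a simplified model showing which candidate certificates may sign an OCSP response for a given certificate. The `cert_t` struct, `ocsp_signer_rule()` and the sample hierarchy are hypothetical and constructed for illustration; verification of the response signature itself is assumed to happen elsewhere.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified certificate model (hypothetical, not strongSwan's types). */
typedef struct cert {
    const char *subject;
    const struct cert *issuer;  /* certificate whose key signed this one */
    bool ocsp_signing;          /* carries the OCSP signer constraint */
    bool locally_installed;     /* explicitly installed as trusted */
} cert_t;

typedef enum { SIGNER_REJECTED, SIGNER_ISSUING_CA,
               SIGNER_DELEGATED, SIGNER_LOCAL } signer_rule_t;

/* Which rule, if any, allows `signer` to sign OCSP responses for `subject`.
 * Checking the response signature is a separate step, assumed done elsewhere. */
signer_rule_t ocsp_signer_rule(const cert_t *subject, const cert_t *signer)
{
    const cert_t *ca = subject->issuer;

    if (ca != NULL && signer == ca)
        return SIGNER_ISSUING_CA;           /* the issuing CA itself */
    if (signer->ocsp_signing) {
        if (ca != NULL && signer->issuer == ca)
            return SIGNER_DELEGATED;        /* delegated directly by that CA */
        if (signer->locally_installed)
            return SIGNER_LOCAL;            /* exception for non-conforming CAs */
    }
    return SIGNER_REJECTED;
}

/* Constructed sample hierarchy. */
static const cert_t root      = {"Root CA", NULL, false, true};
static const cert_t other_ca  = {"Other CA", NULL, false, true};
static const cert_t peer      = {"peer", &root, false, false};
static const cert_t delegated = {"delegated responder", &root, true, false};
static const cert_t sibling   = {"sibling end entity", &root, false, false};
static const cert_t foreign   = {"foreign responder", &other_ca, true, false};
static const cert_t installed = {"installed responder", &other_ca, true, true};

int main(void)
{
    const cert_t *c[] = {&root, &delegated, &sibling, &foreign, &installed};
    for (size_t i = 0; i < sizeof(c) / sizeof(c[0]); i++)
        printf("%-20s -> rule %d\n", c[i]->subject, ocsp_signer_rule(&peer, c[i]));
    return 0;
}
```

In this model, a responder certificate that chains to a different trusted CA is rejected unless it is itself installed locally, and a certificate issued by the same CA without the OCSP signer constraint is rejected as well.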