[nginx] OCSP stapling: keep extra chain in the staple object.

Roman Arutyunyan arut at nginx.com
Sat May 23 10:35:45 UTC 2020


details:   https://hg.nginx.org/nginx/rev/6ca8e15caf1f
branches:  
changeset: 7651:6ca8e15caf1f
user:      Roman Arutyunyan <arut at nginx.com>
date:      Sun May 17 14:24:35 2020 +0300
description:
OCSP stapling: keep extra chain in the staple object.

diffstat:

 src/event/ngx_event_openssl_stapling.c |  47 +++++++++++++--------------------
 1 files changed, 18 insertions(+), 29 deletions(-)

diffs (107 lines):

diff -r abb6cc8f1dd8 -r 6ca8e15caf1f src/event/ngx_event_openssl_stapling.c
--- a/src/event/ngx_event_openssl_stapling.c	Wed May 06 21:44:14 2020 +0300
+++ b/src/event/ngx_event_openssl_stapling.c	Sun May 17 14:24:35 2020 +0300
@@ -30,6 +30,7 @@ typedef struct {
 
     X509                        *cert;
     X509                        *issuer;
+    STACK_OF(X509)              *chain;
 
     u_char                      *name;
 
@@ -48,6 +49,7 @@ struct ngx_ssl_ocsp_ctx_s {
 
     X509                        *cert;
     X509                        *issuer;
+    STACK_OF(X509)              *chain;
 
     int                          status;
     time_t                       valid;
@@ -179,6 +181,18 @@ ngx_ssl_stapling_certificate(ngx_conf_t 
         return NGX_ERROR;
     }
 
+#ifdef SSL_CTRL_SELECT_CURRENT_CERT
+    /* OpenSSL 1.0.2+ */
+    SSL_CTX_select_current_cert(ssl->ctx, cert);
+#endif
+
+#ifdef SSL_CTRL_GET_EXTRA_CHAIN_CERTS
+    /* OpenSSL 1.0.1+ */
+    SSL_CTX_get_extra_chain_certs(ssl->ctx, &staple->chain);
+#else
+    staple->chain = ssl->ctx->extra_certs;
+#endif
+
     staple->ssl_ctx = ssl->ctx;
     staple->timeout = 60000;
     staple->verify = verify;
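Review bot: The extra chain is now captured once at configuration time instead of being re-read at each use (compare the blocks removed from ngx_ssl_stapling_issuer and ngx_ssl_ocsp_verify), so the code depends on the SSL_CTX's extra-chain stack for this certificate not being replaced after ngx_ssl_stapling_certificate() runs; a later SSL_CTX_clear_extra_chain_certs() or SSL_CTX_set0_chain() on the same ctx would leave staple->chain, and the ctx->chain copy taken in the ngx_ssl_stapling_update hunk, dangling. If nothing on the configuration path does that, a comment stating the invariant next to the capture would help, e.g. `/* internal stack of ssl->ctx; valid only while the cert's chain is not replaced */`. In the `#else` branch the raw `ssl->ctx->extra_certs` read is not preceded by a select_current_cert, so with several certificates every staple stores the last chain added; that was already the case before, but it is now persisted rather than recomputed, which may be worth a note. ngx_ssl_stapling_certificate() starts before this hunk.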
@@ -295,29 +309,16 @@ ngx_ssl_stapling_issuer(ngx_conf_t *cf, 
     X509            *cert, *issuer;
     X509_STORE      *store;
     X509_STORE_CTX  *store_ctx;
-    STACK_OF(X509)  *chain;
 
     cert = staple->cert;
 
-#ifdef SSL_CTRL_SELECT_CURRENT_CERT
-    /* OpenSSL 1.0.2+ */
-    SSL_CTX_select_current_cert(ssl->ctx, cert);
-#endif
-
-#ifdef SSL_CTRL_GET_EXTRA_CHAIN_CERTS
-    /* OpenSSL 1.0.1+ */
-    SSL_CTX_get_extra_chain_certs(ssl->ctx, &chain);
-#else
-    chain = ssl->ctx->extra_certs;
-#endif
-
-    n = sk_X509_num(chain);
+    n = sk_X509_num(staple->chain);
 
     ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ssl->log, 0,
                    "SSL get issuer: %d extra certs", n);
 
     for (i = 0; i < n; i++) {
-        issuer = sk_X509_value(chain, i);
+        issuer = sk_X509_value(staple->chain, i);
         if (X509_check_issued(issuer, cert) == X509_V_OK) {
 #if OPENSSL_VERSION_NUMBER >= 0x10100001L
             X509_up_ref(issuer);
@@ -573,6 +574,7 @@ ngx_ssl_stapling_update(ngx_ssl_stapling
     ctx->ssl_ctx = staple->ssl_ctx;
     ctx->cert = staple->cert;
     ctx->issuer = staple->issuer;
+    ctx->chain = staple->chain;
     ctx->name = staple->name;
     ctx->flags = (staple->verify ? OCSP_TRUSTOTHER : OCSP_NOVERIFY);
 
@@ -1720,7 +1722,6 @@ ngx_ssl_ocsp_verify(ngx_ssl_ocsp_ctx_t *
     size_t                 len;
     X509_STORE            *store;
     const u_char          *p;
-    STACK_OF(X509)        *chain;
     OCSP_CERTID           *id;
     OCSP_RESPONSE         *ocsp;
     OCSP_BASICRESP        *basic;
@@ -1769,19 +1770,7 @@ ngx_ssl_ocsp_verify(ngx_ssl_ocsp_ctx_t *
         goto error;
     }
 
-#ifdef SSL_CTRL_SELECT_CURRENT_CERT
-    /* OpenSSL 1.0.2+ */
-    SSL_CTX_select_current_cert(ctx->ssl_ctx, ctx->cert);
-#endif
-
-#ifdef SSL_CTRL_GET_EXTRA_CHAIN_CERTS
-    /* OpenSSL 1.0.1+ */
-    SSL_CTX_get_extra_chain_certs(ctx->ssl_ctx, &chain);
-#else
-    chain = ctx->ssl_ctx->extra_certs;
-#endif
-
-    if (OCSP_basic_verify(basic, chain, store, ctx->flags) != 1) {
+    if (OCSP_basic_verify(basic, ctx->chain, store, ctx->flags) != 1) {
         ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0,
                       "OCSP_basic_verify() failed");
         goto error;

