Re: [Openca-ocspd] GET request errors

[Martin H. <he...@hl...>]

Hi developers,

We had a closer look at our crashes of ocspd. I'm adding libpki-devel to
this mail (previous mails went to the ocspd-devel list, but by now I
believe the fix should be done in libpki).

The client which caused the trouble is a Macintosh implementation of
oscpd (running on a Mac with OS X 10.9) which handles the verification
of certificates for Safari.
Actually, it sends a GET-request (in contrast to my firefox which uses
POST to send the data, which works fine).

According to RFC 2560 a get request looks as follows:
GET {url}/{url-encoding of base-64 encoding of the DER encoding of the
OCSPRequest}

In the requests which caused the crashes, {url} was "/", so there were
two slashes after the GET and url- and base64-decoding failed due to
this extra slash at the beginning. When I strip off all the slashes at
the beginning, I can successfully decode the original der-formatted ocsp
request, save it to a temporary file, parse it with openssl, and re-send
it to the ocspd which then returns "Response verify OK".

Let's look at the sources now. The problem is that in
ocspd_req_get_socket in ocspd/src/ocspd/request.c, there is a call to
PKI_HTTP_get_message in libpki/src/net/http_s.c. To make this work for
this particular case, the latter should be able to parse an URL
containing  just a slash, and it should return a reasonable http_msg
object. I believe it would work fine, if we would prepend urls that
start with a slash e.g. by "http://localhost" somewhere where the http
headers are parsed. Maybe if this is done in the right place, later on
in the code sock->url is properly defined. I haven't looked that much
into the details of  libpki/src/net/pki_socket.c yet, but I'm going to
try this out.

best regards,
Martin