From 59c78d58092dd61380a2907a4798b45d5d47f5a1 Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
Date: Tue, 13 Jun 2017 23:00:26 +0900
Subject: [PATCH] nghttpx: Verify OCSP response using trusted CA certificates

---
 src/shrpx.cc     | 13 ++++++++-----
 src/shrpx_tls.cc | 21 ++++++++++++++++++---
 2 files changed, 26 insertions(+), 8 deletions(-)

diff --git a/src/shrpx.cc b/src/shrpx.cc
index 2d5f339d..93844765 100644
--- a/src/shrpx.cc
+++ b/src/shrpx.cc
@@ -2071,11 +2071,14 @@ SSL/TLS:
               Don't  verify backend  server's  certificate  if TLS  is
               enabled for backend connections.
   --cacert=<PATH>
-              Set path to trusted CA  certificate file used in backend
-              TLS connections.   The file must  be in PEM  format.  It
-              can  contain  multiple   certificates.   If  the  linked
-              OpenSSL is configured to  load system wide certificates,
-              they are loaded at startup regardless of this option.
+              Set path to trusted CA  certificate file.  It is used in
+              backend  TLS connections  to verify  peer's certificate.
+              It is also used to  verify OCSP response from the script
+              set by --fetch-ocsp-response-file.  The  file must be in
+              PEM format.   It can contain multiple  certificates.  If
+              the  linked OpenSSL  is configured  to load  system wide
+              certificates, they  are loaded at startup  regardless of
+              this option.
   --private-key-passwd-file=<PATH>
               Path  to file  that contains  password for  the server's
               private key.   If none is  given and the private  key is
diff --git a/src/shrpx_tls.cc b/src/shrpx_tls.cc
index 57e00d1c..02582909 100644
--- a/src/shrpx_tls.cc
+++ b/src/shrpx_tls.cc
@@ -829,6 +829,22 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file,
   }
 
   SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
+
+  if (SSL_CTX_set_default_verify_paths(ssl_ctx) != 1) {
+    LOG(WARN) << "Could not load system trusted ca certificates: "
+              << ERR_error_string(ERR_get_error(), nullptr);
+  }
+
+  if (!tlsconf.cacert.empty()) {
+    if (SSL_CTX_load_verify_locations(ssl_ctx, tlsconf.cacert.c_str(),
+                                      nullptr) != 1) {
+      LOG(FATAL) << "Could not load trusted ca certificates from "
+                 << tlsconf.cacert << ": "
+                 << ERR_error_string(ERR_get_error(), nullptr);
+      DIE();
+    }
+  }
+
   if (!tlsconf.private_key_passwd.empty()) {
     SSL_CTX_set_default_passwd_cb(ssl_ctx, ssl_pem_passwd_cb);
     SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, config);
@@ -1844,12 +1860,11 @@ int verify_ocsp_response(SSL_CTX *ssl_ctx, const uint8_t *ocsp_resp,
   }
   auto bs_deleter = defer(OCSP_BASICRESP_free, bs);
 
-  auto store = X509_STORE_new();
-  auto store_deleter = defer(X509_STORE_free, store);
+  auto store = SSL_CTX_get_cert_store(ssl_ctx);
 
   ERR_clear_error();
 
-  rv = OCSP_basic_verify(bs, chain_certs, store, OCSP_TRUSTOTHER);
+  rv = OCSP_basic_verify(bs, chain_certs, store, 0);
 
   if (rv != 1) {
     LOG(ERROR) << "OCSP_basic_verify failed: "