Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OpenSSL Compat Layer: OCSP response improvments #8408

Open
wants to merge 22 commits into
base: master
Choose a base branch
from
Open

OpenSSL Compat Layer: OCSP response improvments #8408

wants to merge 22 commits into from
+3,014 −382

Conversation

rizlik
Copy link
Contributor

@rizlik rizlik commented Feb 1, 2025

Improves of OCSP response handling.

Aligns wolfSSL_OCSP_basic_verify and wolfSSL_d2i_OCSP_RESPONSE to OpenSSL behavior.

Replaces #8036

@rizlik rizlik requested a review from julek-wolfssl February 1, 2025 00:15
@rizlik rizlik self-assigned this Feb 1, 2025
@rizlik rizlik force-pushed the ocsp-resp-refactor branch 3 times, most recently from 3b89ce4 to f96acbb Compare February 1, 2025 02:34
@rizlik rizlik closed this Feb 1, 2025
@rizlik rizlik reopened this Feb 1, 2025
@rizlik rizlik force-pushed the ocsp-resp-refactor branch 3 times, most recently from 43964c1 to 2816d92 Compare February 3, 2025 11:06
@rizlik rizlik assigned julek-wolfssl and unassigned rizlik Feb 3, 2025
@rizlik rizlik force-pushed the ocsp-resp-refactor branch from 2816d92 to a635189 Compare February 3, 2025 11:57
@rizlik
Copy link
Contributor Author

rizlik commented Feb 3, 2025

retest this please

julek-wolfssl
julek-wolfssl requested changes Feb 4, 2025
View reviewed changes
Copy link
Member

@julek-wolfssl julek-wolfssl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Still need to review tests/.

wolfssl/wolfcrypt/asn.h Outdated Show resolved Hide resolved
wolfcrypt/src/asn.c Outdated Show resolved Hide resolved
src/ocsp.c Outdated Show resolved Hide resolved
src/ocsp.c Outdated Show resolved Hide resolved
wolfcrypt/src/asn.c Show resolved Hide resolved
wolfcrypt/src/asn.c Outdated Show resolved Hide resolved
src/internal.c Outdated Show resolved Hide resolved
src/ssl.c Outdated Show resolved Hide resolved
wolfssl/wolfcrypt/asn.h Show resolved Hide resolved
src/ocsp.c Outdated Show resolved Hide resolved
julek-wolfssl
julek-wolfssl requested changes Feb 4, 2025
View reviewed changes
tests/api/ocsp.c Outdated Show resolved Hide resolved
tests/api/ocsp.c Outdated Show resolved Hide resolved
tests/api/ocsp.c Outdated Show resolved Hide resolved
tests/api/ocsp.c Outdated Show resolved Hide resolved
tests/api/ocsp.c Outdated Show resolved Hide resolved
tests/api/ocsp.c Outdated Show resolved Hide resolved
tests/api/ocsp.c Outdated Show resolved Hide resolved
tests/api/ocsp.c Outdated Show resolved Hide resolved
julek-wolfssl
julek-wolfssl requested changes Feb 4, 2025
View reviewed changes
wolfcrypt/src/asn.c Outdated Show resolved Hide resolved
julek-wolfssl
julek-wolfssl requested changes Feb 4, 2025
View reviewed changes
wolfcrypt/src/asn.c Outdated Show resolved Hide resolved
wolfcrypt/src/asn.c Show resolved Hide resolved
@julek-wolfssl julek-wolfssl removed their assignment Feb 4, 2025
@rizlik
Copy link
Contributor Author

rizlik commented Feb 5, 2025

retest this please

@rizlik rizlik force-pushed the ocsp-resp-refactor branch from a92d921 to b02a263 Compare February 5, 2025 07:20
@rizlik
Copy link
Contributor Author

rizlik commented Feb 5, 2025

retest this please

@rizlik rizlik assigned julek-wolfssl and unassigned rizlik Feb 5, 2025
julek-wolfssl
julek-wolfssl requested changes Feb 5, 2025
View reviewed changes
wolfcrypt/src/asn.c Show resolved Hide resolved
wolfcrypt/src/asn.c Outdated Show resolved Hide resolved
wolfcrypt/src/asn.c Outdated Show resolved Hide resolved
src/internal.c Outdated Show resolved Hide resolved
src/internal.c Outdated Show resolved Hide resolved
tests/api/ocsp.c Outdated Show resolved Hide resolved
tests/api/ocsp.c Outdated Show resolved Hide resolved
tests/api/ocsp.c Outdated Show resolved Hide resolved
tests/api/ocsp.c Outdated Show resolved Hide resolved
tests/api/ocsp.c Outdated Show resolved Hide resolved
@julek-wolfssl julek-wolfssl assigned rizlik and unassigned julek-wolfssl Feb 5, 2025
@rizlik
Copy link
Contributor Author

rizlik commented Feb 6, 2025
edited by julek-wolfssl
Loading

retest this please

@rizlik rizlik closed this Feb 6, 2025
rizlik added 12 commits February 17, 2025 08:59
@rizlik
tests/api: expose test_ssl_memio functions
eb7904b
@rizlik
ocsp-resp-refactor: address reviewer's comments
851d74f
@rizlik
ocsp-resp-refactor: fix tests
ae3177c
@rizlik
tests: bind test_wolfSSL_client_server_nofail_memio HAVE_SSL_MEMIO_TE…
3e50c79 
…STS_DEP
@rizlik
ocsp: improve OCSP response signature validation
2c2eb2a 
- search for the signer in the CertificateManager if the embedded cert
  verification fails in original asn template.
@rizlik
ocsp: add test for response with unusable internal cert
3724094 
- Added a new test case `resp_bad_embedded_cert` in
  `create_ocsp_test_blobs.py` to test OCSP response with an unusable
  internal cert that can be verified in Cert Manager.
- Updated `test_ocsp_response_parsing` in `ocsp.c` to include the new
  test case.
- Ensured the new test case checks for proper handling of OCSP responses
  with incorrect internal certificates.
@rizlik
minor: improve indentation of guards
c1c9af5
@rizlik
ocsp/tests: update blobs and add license header
69116eb
@rizlik
ocsp/test: better test assertions
4351a5d
@rizlik
ocsp: minors
a06a8b5
@rizlik
ocsp: minors
0af092e
@rizlik
ocsp: use ocspReponse->heap in OcspFindSigner + minors
1eecf32
@rizlik rizlik force-pushed the ocsp-resp-refactor branch from da504fa to 1eecf32 Compare February 17, 2025 09:10
@rizlik
Copy link
Contributor Author

rizlik commented Feb 17, 2025

retest this please

@rizlik rizlik assigned dgarske and unassigned rizlik Feb 17, 2025
@rizlik rizlik requested a review from dgarske February 17, 2025 16:33
dgarske
dgarske requested changes Feb 17, 2025
View reviewed changes
wolfssl/wolfcrypt/asn.h
@@ -2737,6 +2748,12 @@ struct OcspResponse {
byte* response; /* Pointer to beginning of OCSP Response */
word32 responseSz; /* length of the OCSP Response */

enum responderIdType responderIdType;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this new union need to always be part of the OcspResponse structure or can it be just with compatibility enabled? I am worried about struct size growth on stack.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's always needed. If stack size is a concern I can refactor the code to use heap memory instead.

@dgarske dgarske assigned rizlik and unassigned dgarske Feb 17, 2025
@rizlik rizlik requested a review from dgarske February 19, 2025 06:07
@rizlik rizlik assigned dgarske and unassigned rizlik Feb 19, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@julek-wolfssl julek-wolfssl Awaiting requested review from julek-wolfssl

@JacobBarthelmeh JacobBarthelmeh Awaiting requested review from JacobBarthelmeh

@SparkiDev SparkiDev Awaiting requested review from SparkiDev

@dgarske dgarske Awaiting requested review from dgarske

Requested changes must be addressed to merge this pull request.

Assignees

@dgarske dgarske

@wolfSSL-Bot wolfSSL-Bot

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@rizlik @dgarske @julek-wolfssl @wolfSSL-Bot