Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OpenSSL Compat Layer: OCSP response improvments #8408

Open
wants to merge 24 commits into
base: master
Choose a base branch
from
Open

OpenSSL Compat Layer: OCSP response improvments #8408

wants to merge 24 commits into from
+3,023 −376

Conversation

rizlik
Copy link
Contributor

@rizlik rizlik commented Feb 1, 2025

Improves of OCSP response handling.

Aligns wolfSSL_OCSP_basic_verify and wolfSSL_d2i_OCSP_RESPONSE to OpenSSL behavior.

Replaces #8036

@rizlik rizlik requested a review from julek-wolfssl February 1, 2025 00:15
@rizlik rizlik self-assigned this Feb 1, 2025
@rizlik rizlik force-pushed the ocsp-resp-refactor branch 3 times, most recently from 3b89ce4 to f96acbb Compare February 1, 2025 02:34
@rizlik rizlik closed this Feb 1, 2025
@rizlik rizlik reopened this Feb 1, 2025
@rizlik rizlik force-pushed the ocsp-resp-refactor branch 3 times, most recently from 43964c1 to 2816d92 Compare February 3, 2025 11:06
@rizlik rizlik assigned julek-wolfssl and unassigned rizlik Feb 3, 2025
@rizlik rizlik force-pushed the ocsp-resp-refactor branch from 2816d92 to a635189 Compare February 3, 2025 11:57
@rizlik
Copy link
Contributor Author

rizlik commented Feb 3, 2025

retest this please

julek-wolfssl
julek-wolfssl requested changes Feb 4, 2025
View reviewed changes
Copy link
Member

@julek-wolfssl julek-wolfssl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Still need to review tests/.

wolfssl/wolfcrypt/asn.h Outdated Show resolved Hide resolved
wolfcrypt/src/asn.c Show resolved Hide resolved
src/ocsp.c Outdated Show resolved Hide resolved
src/ocsp.c Outdated Show resolved Hide resolved
wolfcrypt/src/asn.c Show resolved Hide resolved
wolfcrypt/src/asn.c Outdated Show resolved Hide resolved
src/internal.c Outdated Show resolved Hide resolved
src/ssl.c Outdated Show resolved Hide resolved
wolfssl/wolfcrypt/asn.h Show resolved Hide resolved
src/ocsp.c Outdated Show resolved Hide resolved
julek-wolfssl
julek-wolfssl requested changes Feb 4, 2025
View reviewed changes
tests/api/ocsp.c Outdated Show resolved Hide resolved
tests/api/ocsp.c Outdated Show resolved Hide resolved
tests/api/ocsp.c Outdated Show resolved Hide resolved
tests/api/ocsp.c Outdated Show resolved Hide resolved
tests/api/ocsp.c Outdated Show resolved Hide resolved
tests/api/ocsp.c Outdated Show resolved Hide resolved
tests/api/ocsp.c Outdated Show resolved Hide resolved
tests/api/ocsp.c Outdated Show resolved Hide resolved
julek-wolfssl
julek-wolfssl requested changes Feb 4, 2025
View reviewed changes
wolfcrypt/src/asn.c Outdated Show resolved Hide resolved
julek-wolfssl
julek-wolfssl requested changes Feb 4, 2025
View reviewed changes
wolfcrypt/src/asn.c Show resolved Hide resolved
wolfcrypt/src/asn.c Show resolved Hide resolved
@julek-wolfssl julek-wolfssl removed their assignment Feb 4, 2025
@rizlik
Copy link
Contributor Author

rizlik commented Feb 5, 2025

retest this please

rizlik added 9 commits February 5, 2025 07:19
@rizlik
ocsp: fix memory leaks in OpenSSL compat layer
d25c387
@rizlik
openssl compat: skip OCSP response verification in statusCb
98f16ab 
This aligns with OpenSSL behavior
@rizlik
ocsp: refactor OCSP response decoding and wolfSSL_OCSP_basic_verify
f671953 
- Search certificate based on responderId
- Verify response signer is authorized for all single responses
- Align with OpenSSL behavior
- Separate wolfSSL_OCSP_basic_verify from verification done during
  decoding
@rizlik
ocsp: adapt ASN original to new OCSP response refactor
14e88f2
@rizlik
ocsp: refactor wolfSSL_OCSP_response_get1_basic
7cbfbc8 
The internal fields of OcspResponse refer to the resp->source buffer.
Copying these fields is complex, so it's better to decode the response again.
@rizlik
ocsp: add tests
ed4b4ea
@rizlik
fixup! openssl compat: skip OCSP response verification in statusCb
bd9e6f4
@rizlik
fixup! ocsp: refactor OCSP response decoding and wolfSSL_OCSP_basic_v…
139c763 
…erify
@rizlik
fixup! ocsp: adapt ASN original to new OCSP response refactor
2e83d96
@rizlik rizlik force-pushed the ocsp-resp-refactor branch from a92d921 to b02a263 Compare February 5, 2025 07:20
@rizlik
Copy link
Contributor Author

rizlik commented Feb 5, 2025

retest this please

@rizlik rizlik assigned julek-wolfssl and unassigned rizlik Feb 5, 2025
julek-wolfssl
julek-wolfssl requested changes Feb 5, 2025
View reviewed changes
wolfcrypt/src/asn.c Show resolved Hide resolved
wolfcrypt/src/asn.c Outdated Show resolved Hide resolved
wolfcrypt/src/asn.c Outdated Show resolved Hide resolved
src/internal.c Outdated Show resolved Hide resolved
src/internal.c Outdated Show resolved Hide resolved
tests/api/ocsp.c Show resolved Hide resolved
tests/api/ocsp.c Outdated Show resolved Hide resolved
tests/api/ocsp.c Outdated Show resolved Hide resolved
tests/api/ocsp.c Outdated Show resolved Hide resolved
tests/api/ocsp.c Outdated Show resolved Hide resolved
@julek-wolfssl julek-wolfssl assigned rizlik and unassigned julek-wolfssl Feb 5, 2025
rizlik added 6 commits February 5, 2025 16:35
@rizlik
ocsp: improve OCSP response signature validation
26d3bdc 
- search for the signer in the CertificateManager if the embedded cert
  verification fails in original asn template.
@rizlik
ocsp: add test for response with unusable internal cert
f9c6fae 
- Added a new test case `resp_bad_embedded_cert` in
  `create_ocsp_test_blobs.py` to test OCSP response with an unusable
  internal cert that can be verified in Cert Manager.
- Updated `test_ocsp_response_parsing` in `ocsp.c` to include the new
  test case.
- Ensured the new test case checks for proper handling of OCSP responses
  with incorrect internal certificates.
@rizlik
minor: improve indentation of guards
e4a4107
@rizlik
ocsp/tests: update blobs and add license header
2fa477f
@rizlik
ocsp/test: better test assertions
36f2e1f
@rizlik
ocsp: minors
f6d13fd
@rizlik
Copy link
Contributor Author

rizlik commented Feb 6, 2025
edited
Loading

retest this please.

@rizlik rizlik closed this Feb 6, 2025
@rizlik rizlik reopened this Feb 6, 2025
@julek-wolfssl julek-wolfssl removed their assignment Feb 6, 2025
@wlallemand wlallemand mentioned this pull request Feb 6, 2025
Open
@rizlik rizlik assigned wolfSSL-Bot and unassigned rizlik Feb 7, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@julek-wolfssl julek-wolfssl julek-wolfssl approved these changes

Assignees

@wolfSSL-Bot wolfSSL-Bot

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@rizlik @julek-wolfssl @wolfSSL-Bot