diff --git a/certs/ocsp/include.am b/certs/ocsp/include.am index 3afd680b1..92a72b81e 100644 --- a/certs/ocsp/include.am +++ b/certs/ocsp/include.am @@ -34,4 +34,5 @@ EXTRA_DIST += \ certs/ocsp/root-ca-key.pem \ certs/ocsp/root-ca-cert.pem \ certs/ocsp/test-response.der \ + certs/ocsp/test-response-rsapss.der \ certs/ocsp/test-response-nointern.der diff --git a/certs/ocsp/renewcerts.sh b/certs/ocsp/renewcerts.sh index 556da9432..2b24dbabc 100755 --- a/certs/ocsp/renewcerts.sh +++ b/certs/ocsp/renewcerts.sh @@ -68,6 +68,7 @@ update_cert() { cat "$3"-cert.pem >> "$1"-cert.pem } +SIGOPT="" update_cert intermediate1-ca "wolfSSL intermediate CA 1" root-ca v3_ca 01 update_cert intermediate2-ca "wolfSSL intermediate CA 2" root-ca v3_ca 02 update_cert intermediate3-ca "wolfSSL REVOKED intermediate CA" root-ca v3_ca 03 # REVOKED @@ -87,6 +88,15 @@ PID=$! openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response.der openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response-nointern.der -no_intern +kill $PID +wait $PID + + +# now start up a responder that signs using rsa-pss +openssl ocsp -port 22221 -ndays 1000 -index index-ca-and-intermediate-cas.txt -rsigner ocsp-responder-cert.pem -rkey ocsp-responder-key.pem -CA root-ca-cert.pem -rsigopt rsa_padding_mode:pss & +PID=$! + +openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate4-ca-rsapss-cert.pem -url http://localhost:22221/ -rsigopt rsa_mode:pss -rsigopt rsa_padding_mode:pss -rsigopt rsa_pss_saltlen:-1 -respout test-response-rsapss.der # can verify with the following command # openssl ocsp -respin test-response-nointern.der -CAfile root-ca-cert.pem -issuer intermediate1-ca-cert.pem diff --git a/certs/ocsp/test-response-rsapss.der b/certs/ocsp/test-response-rsapss.der new file mode 100644 index 000000000..ca99d28b7 Binary files /dev/null and b/certs/ocsp/test-response-rsapss.der differ diff --git a/tests/api.c b/tests/api.c index 3eeee2359..235335858 100644 --- a/tests/api.c +++ b/tests/api.c @@ -1403,12 +1403,15 @@ static int test_wolfSSL_CertManagerCheckOCSPResponse(void) return 0; } -static void test_wolfSSL_CheckOCSPResponse(void) +static int test_wolfSSL_CheckOCSPResponse(void) { #if defined(HAVE_OCSP) && !defined(NO_RSA) && defined(OPENSSL_ALL) const char* responseFile = "./certs/ocsp/test-response.der"; const char* responseNoInternFile = "./certs/ocsp/test-response-nointern.der"; const char* caFile = "./certs/ocsp/root-ca-cert.pem"; +#if defined(WC_RSA_PSS) + const char* responsePssFile = "./certs/ocsp/test-response-rsapss.der"; +#endif OcspResponse* res = NULL; byte data[4096]; const unsigned char* pt; @@ -1455,8 +1458,23 @@ static void test_wolfSSL_CheckOCSPResponse(void) AssertNotNull(res); wolfSSL_OCSP_RESPONSE_free(res); +#if defined(WC_RSA_PSS) + /* check loading a response with RSA-PSS signature */ + f = XFOPEN(responsePssFile, "rb"); + AssertTrue(f != XBADFILE); + dataSz = (word32)XFREAD(data, 1, sizeof(data), f); + AssertIntGT(dataSz, 0); + XFCLOSE(f); + + pt = data; + res = wolfSSL_d2i_OCSP_RESPONSE(NULL, &pt, dataSz); + AssertNotNull(res); + wolfSSL_OCSP_RESPONSE_free(res); +#endif + printf(resultFmt, passed); #endif /* HAVE_OCSP */ + return 0; } static int test_wolfSSL_CertManagerLoadCABuffer(void) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 837a8354e..8f41089f2 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -33446,6 +33446,8 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, #endif int ret; int sigLength; + const byte* sigParams = NULL; + word32 sigParamsSz = 0; WOLFSSL_ENTER("DecodeBasicOcspResponse"); (void)heap; @@ -33463,8 +33465,26 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, return ret; /* ASN_PARSE_E, ASN_BEFORE_DATE_E, ASN_AFTER_DATE_E */ /* Get the signature algorithm */ - if (GetAlgoId(source, &idx, &resp->sigOID, oidSigType, size) < 0) + if (GetAlgoId(source, &idx, &resp->sigOID, oidSigType, size) < 0) { return ASN_PARSE_E; + } +#ifdef WC_RSA_PSS + else if (resp->sigOID == CTC_RSASSAPSS) { + word32 sz; + int len; + const byte* params; + + sz = idx; + params = source + idx; + if (GetSequence(source, &idx, &len, size) < 0) + ret = ASN_PARSE_E; + if (ret == 0) { + idx += len; + sigParams = params; + sigParamsSz = idx - sz; + } + } +#endif ret = CheckBitString(source, &idx, &sigLength, size, 1, NULL); if (ret != 0) @@ -33532,7 +33552,8 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, &cert->sigCtx, resp->response, resp->responseSz, cert->publicKey, cert->pubKeySize, cert->keyOID, - resp->sig, resp->sigSz, resp->sigOID, NULL, 0, NULL); + resp->sig, resp->sigSz, resp->sigOID, sigParams, sigParamsSz, + NULL); if (ret != 0) { WOLFSSL_MSG("\tOCSP Confirm signature failed"); @@ -33569,7 +33590,8 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, /* ConfirmSignature is blocking here */ sigValid = ConfirmSignature(&sigCtx, resp->response, resp->responseSz, ca->publicKey, ca->pubKeySize, ca->keyOID, - resp->sig, resp->sigSz, resp->sigOID, NULL, 0, NULL); + resp->sig, resp->sigSz, resp->sigOID, sigParams, sigParamsSz, + NULL); } if (ca == NULL || sigValid != 0) { WOLFSSL_MSG("\tOCSP Confirm signature failed");