diff --git a/certs/ocsp/include.am b/certs/ocsp/include.am index c5d937ed3..3afd680b1 100644 --- a/certs/ocsp/include.am +++ b/certs/ocsp/include.am @@ -33,4 +33,5 @@ EXTRA_DIST += \ certs/ocsp/server5-cert.pem \ certs/ocsp/root-ca-key.pem \ certs/ocsp/root-ca-cert.pem \ - certs/ocsp/test-response.der + certs/ocsp/test-response.der \ + certs/ocsp/test-response-nointern.der diff --git a/certs/ocsp/renewcerts.sh b/certs/ocsp/renewcerts.sh index 955fd73ae..556da9432 100755 --- a/certs/ocsp/renewcerts.sh +++ b/certs/ocsp/renewcerts.sh @@ -86,6 +86,9 @@ openssl ocsp -port 22221 -ndays 1000 -index index-ca-and-intermediate-cas.txt -r PID=$! openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response.der +openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response-nointern.der -no_intern +# can verify with the following command +# openssl ocsp -respin test-response-nointern.der -CAfile root-ca-cert.pem -issuer intermediate1-ca-cert.pem kill $PID wait $PID diff --git a/certs/ocsp/test-response-nointern.der b/certs/ocsp/test-response-nointern.der new file mode 100644 index 000000000..4d4115cbe Binary files /dev/null and b/certs/ocsp/test-response-nointern.der differ diff --git a/src/ocsp.c b/src/ocsp.c index e31ef23f7..d18e5739d 100644 --- a/src/ocsp.c +++ b/src/ocsp.c @@ -826,6 +826,7 @@ OcspResponse* wolfSSL_d2i_OCSP_RESPONSE(OcspResponse** response, OcspResponse *resp = NULL; word32 idx = 0; int length = 0; + int ret; if (data == NULL) return NULL; @@ -867,7 +868,10 @@ OcspResponse* wolfSSL_d2i_OCSP_RESPONSE(OcspResponse** response, XMEMCPY(resp->source, *data, len); resp->maxIdx = len; - if (OcspResponseDecode(resp, NULL, NULL, 1) != 0) { + ret = OcspResponseDecode(resp, NULL, NULL, 1); + if (ret != 0 && ret != ASN_OCSP_CONFIRM_E) { + /* for just converting from a DER to an internal structure the CA may + * not yet be known to this function for signature verification */ wolfSSL_OCSP_RESPONSE_free(resp); return NULL; } diff --git a/tests/api.c b/tests/api.c index 6c42d871a..3eeee2359 100644 --- a/tests/api.c +++ b/tests/api.c @@ -1407,6 +1407,7 @@ static void test_wolfSSL_CheckOCSPResponse(void) { #if defined(HAVE_OCSP) && !defined(NO_RSA) && defined(OPENSSL_ALL) const char* responseFile = "./certs/ocsp/test-response.der"; + const char* responseNoInternFile = "./certs/ocsp/test-response-nointern.der"; const char* caFile = "./certs/ocsp/root-ca-cert.pem"; OcspResponse* res = NULL; byte data[4096]; @@ -1442,6 +1443,18 @@ static void test_wolfSSL_CheckOCSPResponse(void) wolfSSL_X509_STORE_free(st); wolfSSL_X509_free(issuer); + /* check loading a response with optional certs */ + f = XFOPEN(responseNoInternFile, "rb"); + AssertTrue(f != XBADFILE); + dataSz = (word32)XFREAD(data, 1, sizeof(data), f); + AssertIntGT(dataSz, 0); + XFCLOSE(f); + + pt = data; + res = wolfSSL_d2i_OCSP_RESPONSE(NULL, &pt, dataSz); + AssertNotNull(res); + wolfSSL_OCSP_RESPONSE_free(res); + printf(resultFmt, passed); #endif /* HAVE_OCSP */ } diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index d34bf0603..837a8354e 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -33441,7 +33441,9 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, #ifndef WOLFSSL_ASN_TEMPLATE int length; word32 idx = *ioIndex; + #ifndef WOLFSSL_NO_OCSP_OPTIONAL_CERTS word32 end_index; + #endif int ret; int sigLength; @@ -33453,7 +33455,9 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, if (idx + length > size) return ASN_INPUT_E; + #ifndef WOLFSSL_NO_OCSP_OPTIONAL_CERTS end_index = idx + length; + #endif if ((ret = DecodeResponseData(source, &idx, resp, size)) < 0) return ret; /* ASN_PARSE_E, ASN_BEFORE_DATE_E, ASN_AFTER_DATE_E */