From 29f2dee9918322068eb417971eec2212c615b0ce Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Thu, 2 Jun 2022 15:53:59 -0700 Subject: [PATCH] handeling DER to internal of an OCSP response with no optional certificates --- certs/ocsp/include.am | 3 ++- certs/ocsp/renewcerts.sh | 3 +++ certs/ocsp/test-response-nointern.der | Bin 0 -> 1860 bytes src/ocsp.c | 6 +++++- tests/api.c | 13 +++++++++++++ wolfcrypt/src/asn.c | 4 ++++ 6 files changed, 27 insertions(+), 2 deletions(-) create mode 100644 certs/ocsp/test-response-nointern.der diff --git a/certs/ocsp/include.am b/certs/ocsp/include.am index c5d937ed3..3afd680b1 100644 --- a/certs/ocsp/include.am +++ b/certs/ocsp/include.am @@ -33,4 +33,5 @@ EXTRA_DIST += \ certs/ocsp/server5-cert.pem \ certs/ocsp/root-ca-key.pem \ certs/ocsp/root-ca-cert.pem \ - certs/ocsp/test-response.der + certs/ocsp/test-response.der \ + certs/ocsp/test-response-nointern.der diff --git a/certs/ocsp/renewcerts.sh b/certs/ocsp/renewcerts.sh index 955fd73ae..556da9432 100755 --- a/certs/ocsp/renewcerts.sh +++ b/certs/ocsp/renewcerts.sh @@ -86,6 +86,9 @@ openssl ocsp -port 22221 -ndays 1000 -index index-ca-and-intermediate-cas.txt -r PID=$! openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response.der +openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response-nointern.der -no_intern +# can verify with the following command +# openssl ocsp -respin test-response-nointern.der -CAfile root-ca-cert.pem -issuer intermediate1-ca-cert.pem kill $PID wait $PID 
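Review bot: The added openssl line may not produce a response that actually differs from test-response.der: in `openssl ocsp`, -no_intern is (to my knowledge) a client-side verification switch that ignores certificates embedded in a received response when looking for the signer, and -respout writes the responder's bytes verbatim, so the flag should not remove certificates from the saved file. If the goal is a response with no embedded signer certificate, that is a responder-side setting, `-resp_no_certs` on the server started on the line above, and the new comment should record how test-response-nointern.der was really generated so it can be regenerated by this script. The verification hint also pairs `-issuer intermediate1-ca-cert.pem` with a response that was requested for intermediate1 with root-ca as issuer; confirm that is the intended issuer for the -respin check. The responder start and the rest of the script lie outside this hunk.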
diff --git a/certs/ocsp/test-response-nointern.der b/certs/ocsp/test-response-nointern.der new file mode 100644 index 0000000000000000000000000000000000000000..4d4115cbe1b7fc5ac2f05f117d5f7819f228cd0a GIT binary patch literal 1860 zcmXqLVt3$TWLVI|ZfVfOZpy}~&Bn;e%5K2O$kN2FX3)g0WYEOuu&{BVLE}6_ZUas> z=1>+kVW!YvLtz6!5Ql?@D?G6{BQr0(BtOqkz<>`V$j-waoSIltl9LJ(;o@O0&(BE< z4)!q=F%SZ&;pX9X%}dYBOHD1x%u6?vH;@I1GV_Q*)hYNp2L~twr4|?D=cS|;ffaCS zwRyCC=Vjz%6cfnIOUrivsVy$f(M!(HmEborFfuYQGcYnTGBGzbi84qrNHVZ8;ACUf z=3{1(Vr5_vaanQu;-2YT&DPO|vwU`33Njb%>R=Hm-XOC?zv=XO_oWusH?TBW)fI^< zGBGkXFkl$DKoBfsYG7n!2DN3OvVo$3JR;nfScF&vj&F5rc_+Q$uueiJ%Y&SzI0Ifb zn9~`#Ss9p{7#SIO1RSQkGr7t#k%zZt-!GZ&^@cxuR4LNFs&W4=Q2DZOQp%0Ew=uEHgOUxj`{zqxBij zU-s8c>&uJaD*pTRM>^jeLrLL>_JkJ^aq;NAK%NQy<<; z-R^uu;+|N;gmWsUibq1%LC%YHoYdb4Npmoy)Z!izW3n72$Y*e$-{-}J9?FOJ8~?iQ33vRU0!Sn+?Iz0oF) z!cEdW>T3jd+;H|hzoB5`hn{t}RNBR@Z?L51Fq8$n7v;FVr8q-Pqp-%)(^A04}Oz`B=nQM2ylO zZmhi2_-DQ{Pk}?gR=2Pn24)70N7$G{WtCYP_ZT$pY`|K+ENq;+q;b~ZP25e4$p*q8 zU#PP17;v$1K&l01PUQ3gE6D^d_EdCwen1V!JK@)jl2_l>E*G%~TM+e3 zvRJ;;#L^^W(vM$mYSq$zqIK`mApQMsvZyZ_lv glr7z&Vf;*{PBLTT$qc{3wMncjFElmI-95kv0O(YO`2YX_ literal 0 HcmV?d00001 diff --git a/src/ocsp.c b/src/ocsp.c index e31ef23f7..d18e5739d 100644 --- a/src/ocsp.c +++ b/src/ocsp.c @@ -826,6 +826,7 @@ OcspResponse* wolfSSL_d2i_OCSP_RESPONSE(OcspResponse** response, OcspResponse *resp = NULL; word32 idx = 0; int length = 0; + int ret; if (data == NULL) return NULL; @@ -867,7 +868,10 @@ OcspResponse* wolfSSL_d2i_OCSP_RESPONSE(OcspResponse** response, XMEMCPY(resp->source, *data, len); resp->maxIdx = len; - if (OcspResponseDecode(resp, NULL, NULL, 1) != 0) { + ret = OcspResponseDecode(resp, NULL, NULL, 1); + if (ret != 0 && ret != ASN_OCSP_CONFIRM_E) { + /* for just converting from a DER to an internal structure the CA may + * not yet be known to this function for signature verification */ wolfSSL_OCSP_RESPONSE_free(resp); return NULL; } diff --git a/tests/api.c b/tests/api.c index 6c42d871a..3eeee2359 100644 
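Review bot: Tolerating ASN_OCSP_CONFIRM_E in wolfSSL_d2i_OCSP_RESPONSE accepts more than the "CA not yet known" case the new comment describes: as far as I can tell from the decoder, the same code comes back when a response that does embed its signer fails signature verification, so a tampered response now parses into an OcspResponse whose status fields are populated and look valid. That is only safe if every caller verifies before trusting the result, and nothing here says so; I would widen the comment to `/* ASN_OCSP_CONFIRM_E is tolerated (no cert manager is passed, so an unembedded signer cannot be checked) but it also covers a bad signature: the returned response is UNVERIFIED; callers must run wolfSSL_OCSP_basic_verify() before acting on its status. */`. Narrowing the tolerated case to "no certificate present" would need a distinguishable return from OcspResponseDecode, which this patch does not add. wolfSSL_d2i_OCSP_RESPONSE starts before this hunk and continues past it.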
--- a/tests/api.c +++ b/tests/api.c @@ -1407,6 +1407,7 @@ static void test_wolfSSL_CheckOCSPResponse(void) { #if defined(HAVE_OCSP) && !defined(NO_RSA) && defined(OPENSSL_ALL) const char* responseFile = "./certs/ocsp/test-response.der"; + const char* responseNoInternFile = "./certs/ocsp/test-response-nointern.der"; const char* caFile = "./certs/ocsp/root-ca-cert.pem"; OcspResponse* res = NULL; byte data[4096]; @@ -1442,6 +1443,18 @@ static void test_wolfSSL_CheckOCSPResponse(void) wolfSSL_X509_STORE_free(st); wolfSSL_X509_free(issuer); + /* check loading a response with optional certs */ + f = XFOPEN(responseNoInternFile, "rb"); + AssertTrue(f != XBADFILE); + dataSz = (word32)XFREAD(data, 1, sizeof(data), f); + AssertIntGT(dataSz, 0); + XFCLOSE(f); + + pt = data; + res = wolfSSL_d2i_OCSP_RESPONSE(NULL, &pt, dataSz); + AssertNotNull(res); + wolfSSL_OCSP_RESPONSE_free(res); + printf(resultFmt, passed); #endif /* HAVE_OCSP */ } diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index d34bf0603..837a8354e 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -33441,7 +33441,9 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, #ifndef WOLFSSL_ASN_TEMPLATE int length; word32 idx = *ioIndex; + #ifndef WOLFSSL_NO_OCSP_OPTIONAL_CERTS word32 end_index; + #endif int ret; int sigLength; @@ -33453,7 +33455,9 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, if (idx + length > size) return ASN_INPUT_E; + #ifndef WOLFSSL_NO_OCSP_OPTIONAL_CERTS end_index = idx + length; + #endif if ((ret = DecodeResponseData(source, &idx, resp, size)) < 0) return ret; /* ASN_PARSE_E, ASN_BEFORE_DATE_E, ASN_AFTER_DATE_E */
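Review bot: The new test's comment states the opposite of what it loads: `/* check loading a response with optional certs */` precedes reading test-response-nointern.der, the file the commit adds for the no-certificates case, so it should read `/* check loading a response with NO optional certs (signer not embedded) */`. The test also only asserts that wolfSSL_d2i_OCSP_RESPONSE returns non-NULL, which now passes precisely because the signature failure is tolerated, so it does not show the decoded response is usable; the store and issuer torn down just above suggest the earlier part of this function verifies test-response.der against caFile, and running that same step on the decoded no-certs response would cover the decode-then-verify path the change is meant to enable. test_wolfSSL_CheckOCSPResponse begins before this hunk.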
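Review bot: Wrapping the end_index declaration and its assignment in two separate `#ifndef WOLFSSL_NO_OCSP_OPTIONAL_CERTS` regions in DecodeBasicOcspResponse reads as a warning fix rather than intent, and a reader has to go past this hunk to learn that the variable is only consumed when embedded certificates are parsed. Moving the computation into that branch is not a drop-in change because idx is advanced by DecodeResponseData in between, so if the two guards stay, a one-line comment at the assignment, `/* end_index is only consumed when embedded certs are parsed (optional-certs build) */`, would make the guards self-explanatory. DecodeBasicOcspResponse continues past this hunk on both sides.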