From 5b5f673c5148890bf0afc60f08f8845f857b7d30 Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Tue, 31 May 2022 15:51:46 -0700 Subject: [PATCH 1/7] add simple ocsp response der verify test case --- certs/ocsp/include.am | 3 ++- certs/ocsp/renewcerts.sh | 11 +++++++++ certs/ocsp/test-response.der | Bin 0 -> 1860 bytes tests/api.c | 43 +++++++++++++++++++++++++++++++++++ 4 files changed, 56 insertions(+), 1 deletion(-) create mode 100644 certs/ocsp/test-response.der diff --git a/certs/ocsp/include.am b/certs/ocsp/include.am index 73c5f285d..c5d937ed3 100644 --- a/certs/ocsp/include.am +++ b/certs/ocsp/include.am @@ -32,4 +32,5 @@ EXTRA_DIST += \ certs/ocsp/server5-key.pem \ certs/ocsp/server5-cert.pem \ certs/ocsp/root-ca-key.pem \ - certs/ocsp/root-ca-cert.pem + certs/ocsp/root-ca-cert.pem \ + certs/ocsp/test-response.der diff --git a/certs/ocsp/renewcerts.sh b/certs/ocsp/renewcerts.sh index 50e9e3d79..96744b6fd 100755 --- a/certs/ocsp/renewcerts.sh +++ b/certs/ocsp/renewcerts.sh @@ -79,3 +79,14 @@ update_cert server2 "www2.wolfssl.com" intermediate1-ca update_cert server3 "www3.wolfssl.com" intermediate2-ca v3_req2 07 update_cert server4 "www4.wolfssl.com" intermediate2-ca v3_req2 08 # REVOKED update_cert server5 "www5.wolfssl.com" intermediate3-ca v3_req3 09 + + +# Create response DER buffer for test +openssl ocsp -port 22221 -ndays 1000 -index index-ca-and-intermediate-cas.txt -rsigner ocsp-responder-cert.pem -rkey ocsp-responder-key.pem -CA root-ca-cert.pem & +PID=$! + +openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response.der + +kill $PID +wait $PID + diff --git a/certs/ocsp/test-response.der b/certs/ocsp/test-response.der new file mode 100644 index 0000000000000000000000000000000000000000..7ebfd04241cc509f38d5122ccb1aa03a10156887 GIT binary patch literal 1860 zcmXqLVt3$TWLVI|ZfVfOZpy}~&Bn;e%5K2O$kN2FX3)g0WYEOuu&{BVLE}6_ZUas> z=1>+kVW!YvLtz6!5Ql?@D?G6{BQr0(BtOqkz<>`V$j-waoSIltl9LJ(;o@O0&(BE< z4)!q=F%SZ&;pX9X%}dYBOHD1x%u6?vH;@I1GV_Q*)hYNp2L~twr4|?D=cS|;ffaCS zwRyCC=Vjz%6cfnIOUrivsVy$f(M!(HmEborFfuYQH8wOdGB!3ai84qrNHVZ8;ACUf z=3{1(Vr5_vaanQu;-2YT&DPO|vwU`33Njb%>R=Hm-XOC?zv=XO_oWusH?TBW)fI^< zGBGkXFkl$DKoBfsYG7n!0<~qKvVo$3JR;nfScF&v9-qF?x&P4L*BkJ% z!JN*>&C0;s#K_3d`Ap~p(__s!dzW*nOQdHdf6p!`Sd?ZYv-wcy_J60}{=dm{B7QBG z$-NHmy(+3jAwu^WKgla!nP$OjpSWyA0F&YAe)qyPf}I7z((2uOx0fHRa}K?xw0qs{Q!7{AJpNtskKqdU)X#0t#qUfDT-n%T%d&4x zSIl9P#{CWoNs^Tl4zy1Gm1O43S1R6Mxjs~~@`!r9jaHAltI4K**|6nuUM?S=>E(Xb zez~7h^PF|-p;M2y-to8SJzr!oZ;JcF<(a;DD?hNYG%_43UJ^fDrz%NM&{OO8*UeYe zkC{o?OMXw7y=#;G?%L_kCpWH|roNzw<(NSe%OQg%mVE|I%*z%qGchtTF|weAl|kcl znx;Dm12IUt;|Has;9wtxqWt_41!qTs3C=)HoEIg*iSrsEr;I_LV+@)Ym5@W55u7sl z84Q{jxtKsnbjL2`E#D4TiyU6^RW@{ocTy#Ia^WsshEq? z_n!Dz_Tz!qn>~}ir1@wRUc8aUyk&yHZt)HOrhk=taXfZ*x1gku&FZGYivR2EjW%%< zZj$a%Un98VhO_7S4FwxN^sKw3(k^a&gC#YGp)BCND980J#TjZM?NblO=OylFZ~4_A z#nnCI^W*=1E;6YlHH9ImPc50485tNCH!*SP)%RX6Q7A6A*a8V`8$0EieVwC=H zW96mBKl7D&3LFBqx`pj9Ff(X8!p0mbtIX24$Dna%1J?3oVdLB-jk5-C;%;J0HV_8+ zLY0NbfQyX-QY|oZBBvKvNhZx1Ir&(|dbh(nkIneMm&tyeWAD`Xm#g+Ry*%`uhg&u7 zS?%eGxAJtvx^h`A%U8+HpRZxJfR+D+7}II-HS=G3Yp2h&$UgCD%Pf-~CFY~=5(K5! z^uA(noRR&k>XNGXg87ZgIT|l*M79ZR-z6|JD|l0{rQFpHy+vx93>S(weXP*?B`gth zxcU54-uoL)#y7pwy7}=>?rD3mzfIh?*F8Ltuer(2=**hu8|R#Q9(pHm_doL&J6vpK zLv{QtuSxSi$d0-7^@LGxRpHm=@_R1Mw-GD1>b+?H=*ne@`1LuLJ5JbE?t2`T Date: Wed, 1 Jun 2022 13:18:36 -0700 Subject: [PATCH 2/7] free structure in test case and return 0 from ocsp renew script --- certs/ocsp/renewcerts.sh | 1 + tests/api.c | 1 + 2 files changed, 2 insertions(+) diff --git a/certs/ocsp/renewcerts.sh b/certs/ocsp/renewcerts.sh index 96744b6fd..955fd73ae 100755 --- a/certs/ocsp/renewcerts.sh +++ b/certs/ocsp/renewcerts.sh @@ -90,3 +90,4 @@ openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url h kill $PID wait $PID +exit 0 diff --git a/tests/api.c b/tests/api.c index 7cab7504b..6c42d871a 100644 --- a/tests/api.c +++ b/tests/api.c @@ -1437,6 +1437,7 @@ static void test_wolfSSL_CheckOCSPResponse(void) bs = wolfSSL_OCSP_response_get1_basic(res); AssertNotNull(bs); AssertIntEQ(wolfSSL_OCSP_basic_verify(bs, NULL, st, 0), WOLFSSL_SUCCESS); + wolfSSL_OCSP_BASICRESP_free(bs); wolfSSL_OCSP_RESPONSE_free(res); wolfSSL_X509_STORE_free(st); wolfSSL_X509_free(issuer); From 29f2dee9918322068eb417971eec2212c615b0ce Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Thu, 2 Jun 2022 15:53:59 -0700 Subject: [PATCH 3/7] handeling DER to internal of an OCSP response with no optional certificates --- certs/ocsp/include.am | 3 ++- certs/ocsp/renewcerts.sh | 3 +++ certs/ocsp/test-response-nointern.der | Bin 0 -> 1860 bytes src/ocsp.c | 6 +++++- tests/api.c | 13 +++++++++++++ wolfcrypt/src/asn.c | 4 ++++ 6 files changed, 27 insertions(+), 2 deletions(-) create mode 100644 certs/ocsp/test-response-nointern.der diff --git a/certs/ocsp/include.am b/certs/ocsp/include.am index c5d937ed3..3afd680b1 100644 --- a/certs/ocsp/include.am +++ b/certs/ocsp/include.am @@ -33,4 +33,5 @@ EXTRA_DIST += \ certs/ocsp/server5-cert.pem \ certs/ocsp/root-ca-key.pem \ certs/ocsp/root-ca-cert.pem \ - certs/ocsp/test-response.der + certs/ocsp/test-response.der \ + certs/ocsp/test-response-nointern.der diff --git a/certs/ocsp/renewcerts.sh b/certs/ocsp/renewcerts.sh index 955fd73ae..556da9432 100755 --- a/certs/ocsp/renewcerts.sh +++ b/certs/ocsp/renewcerts.sh @@ -86,6 +86,9 @@ openssl ocsp -port 22221 -ndays 1000 -index index-ca-and-intermediate-cas.txt -r PID=$! openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response.der +openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response-nointern.der -no_intern +# can verify with the following command +# openssl ocsp -respin test-response-nointern.der -CAfile root-ca-cert.pem -issuer intermediate1-ca-cert.pem kill $PID wait $PID diff --git a/certs/ocsp/test-response-nointern.der b/certs/ocsp/test-response-nointern.der new file mode 100644 index 0000000000000000000000000000000000000000..4d4115cbe1b7fc5ac2f05f117d5f7819f228cd0a GIT binary patch literal 1860 zcmXqLVt3$TWLVI|ZfVfOZpy}~&Bn;e%5K2O$kN2FX3)g0WYEOuu&{BVLE}6_ZUas> z=1>+kVW!YvLtz6!5Ql?@D?G6{BQr0(BtOqkz<>`V$j-waoSIltl9LJ(;o@O0&(BE< z4)!q=F%SZ&;pX9X%}dYBOHD1x%u6?vH;@I1GV_Q*)hYNp2L~twr4|?D=cS|;ffaCS zwRyCC=Vjz%6cfnIOUrivsVy$f(M!(HmEborFfuYQGcYnTGBGzbi84qrNHVZ8;ACUf z=3{1(Vr5_vaanQu;-2YT&DPO|vwU`33Njb%>R=Hm-XOC?zv=XO_oWusH?TBW)fI^< zGBGkXFkl$DKoBfsYG7n!2DN3OvVo$3JR;nfScF&vj&F5rc_+Q$uueiJ%Y&SzI0Ifb zn9~`#Ss9p{7#SIO1RSQkGr7t#k%zZt-!GZ&^@cxuR4LNFs&W4=Q2DZOQp%0Ew=uEHgOUxj`{zqxBij zU-s8c>&uJaD*pTRM>^jeLrLL>_JkJ^aq;NAK%NQy<<; z-R^uu;+|N;gmWsUibq1%LC%YHoYdb4Npmoy)Z!izW3n72$Y*e$-{-}J9?FOJ8~?iQ33vRU0!Sn+?Iz0oF) z!cEdW>T3jd+;H|hzoB5`hn{t}RNBR@Z?L51Fq8$n7v;FVr8q-Pqp-%)(^A04}Oz`B=nQM2ylO zZmhi2_-DQ{Pk}?gR=2Pn24)70N7$G{WtCYP_ZT$pY`|K+ENq;+q;b~ZP25e4$p*q8 zU#PP17;v$1K&l01PUQ3gE6D^d_EdCwen1V!JK@)jl2_l>E*G%~TM+e3 zvRJ;;#L^^W(vM$mYSq$zqIK`mApQMsvZyZ_lv glr7z&Vf;*{PBLTT$qc{3wMncjFElmI-95kv0O(YO`2YX_ literal 0 HcmV?d00001 diff --git a/src/ocsp.c b/src/ocsp.c index e31ef23f7..d18e5739d 100644 --- a/src/ocsp.c +++ b/src/ocsp.c @@ -826,6 +826,7 @@ OcspResponse* wolfSSL_d2i_OCSP_RESPONSE(OcspResponse** response, OcspResponse *resp = NULL; word32 idx = 0; int length = 0; + int ret; if (data == NULL) return NULL; @@ -867,7 +868,10 @@ OcspResponse* wolfSSL_d2i_OCSP_RESPONSE(OcspResponse** response, XMEMCPY(resp->source, *data, len); resp->maxIdx = len; - if (OcspResponseDecode(resp, NULL, NULL, 1) != 0) { + ret = OcspResponseDecode(resp, NULL, NULL, 1); + if (ret != 0 && ret != ASN_OCSP_CONFIRM_E) { + /* for just converting from a DER to an internal structure the CA may + * not yet be known to this function for signature verification */ wolfSSL_OCSP_RESPONSE_free(resp); return NULL; } diff --git a/tests/api.c b/tests/api.c index 6c42d871a..3eeee2359 100644 --- a/tests/api.c +++ b/tests/api.c @@ -1407,6 +1407,7 @@ static void test_wolfSSL_CheckOCSPResponse(void) { #if defined(HAVE_OCSP) && !defined(NO_RSA) && defined(OPENSSL_ALL) const char* responseFile = "./certs/ocsp/test-response.der"; + const char* responseNoInternFile = "./certs/ocsp/test-response-nointern.der"; const char* caFile = "./certs/ocsp/root-ca-cert.pem"; OcspResponse* res = NULL; byte data[4096]; @@ -1442,6 +1443,18 @@ static void test_wolfSSL_CheckOCSPResponse(void) wolfSSL_X509_STORE_free(st); wolfSSL_X509_free(issuer); + /* check loading a response with optional certs */ + f = XFOPEN(responseNoInternFile, "rb"); + AssertTrue(f != XBADFILE); + dataSz = (word32)XFREAD(data, 1, sizeof(data), f); + AssertIntGT(dataSz, 0); + XFCLOSE(f); + + pt = data; + res = wolfSSL_d2i_OCSP_RESPONSE(NULL, &pt, dataSz); + AssertNotNull(res); + wolfSSL_OCSP_RESPONSE_free(res); + printf(resultFmt, passed); #endif /* HAVE_OCSP */ } diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index d34bf0603..837a8354e 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -33441,7 +33441,9 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, #ifndef WOLFSSL_ASN_TEMPLATE int length; word32 idx = *ioIndex; + #ifndef WOLFSSL_NO_OCSP_OPTIONAL_CERTS word32 end_index; + #endif int ret; int sigLength; @@ -33453,7 +33455,9 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, if (idx + length > size) return ASN_INPUT_E; + #ifndef WOLFSSL_NO_OCSP_OPTIONAL_CERTS end_index = idx + length; + #endif if ((ret = DecodeResponseData(source, &idx, resp, size)) < 0) return ret; /* ASN_PARSE_E, ASN_BEFORE_DATE_E, ASN_AFTER_DATE_E */ From 28a82237d93c9a3dab39292f59d5fa7ae0b82d90 Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Wed, 7 Sep 2022 13:12:43 -0700 Subject: [PATCH 4/7] RSA-PSS signed OCSP responses --- certs/ocsp/include.am | 1 + certs/ocsp/renewcerts.sh | 10 ++++++++++ certs/ocsp/test-response-rsapss.der | Bin 0 -> 1913 bytes tests/api.c | 20 +++++++++++++++++++- wolfcrypt/src/asn.c | 28 +++++++++++++++++++++++++--- 5 files changed, 55 insertions(+), 4 deletions(-) create mode 100644 certs/ocsp/test-response-rsapss.der diff --git a/certs/ocsp/include.am b/certs/ocsp/include.am index 3afd680b1..92a72b81e 100644 --- a/certs/ocsp/include.am +++ b/certs/ocsp/include.am @@ -34,4 +34,5 @@ EXTRA_DIST += \ certs/ocsp/root-ca-key.pem \ certs/ocsp/root-ca-cert.pem \ certs/ocsp/test-response.der \ + certs/ocsp/test-response-rsapss.der \ certs/ocsp/test-response-nointern.der diff --git a/certs/ocsp/renewcerts.sh b/certs/ocsp/renewcerts.sh index 556da9432..2b24dbabc 100755 --- a/certs/ocsp/renewcerts.sh +++ b/certs/ocsp/renewcerts.sh @@ -68,6 +68,7 @@ update_cert() { cat "$3"-cert.pem >> "$1"-cert.pem } +SIGOPT="" update_cert intermediate1-ca "wolfSSL intermediate CA 1" root-ca v3_ca 01 update_cert intermediate2-ca "wolfSSL intermediate CA 2" root-ca v3_ca 02 update_cert intermediate3-ca "wolfSSL REVOKED intermediate CA" root-ca v3_ca 03 # REVOKED @@ -87,6 +88,15 @@ PID=$! openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response.der openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response-nointern.der -no_intern +kill $PID +wait $PID + + +# now start up a responder that signs using rsa-pss +openssl ocsp -port 22221 -ndays 1000 -index index-ca-and-intermediate-cas.txt -rsigner ocsp-responder-cert.pem -rkey ocsp-responder-key.pem -CA root-ca-cert.pem -rsigopt rsa_padding_mode:pss & +PID=$! + +openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate4-ca-rsapss-cert.pem -url http://localhost:22221/ -rsigopt rsa_mode:pss -rsigopt rsa_padding_mode:pss -rsigopt rsa_pss_saltlen:-1 -respout test-response-rsapss.der # can verify with the following command # openssl ocsp -respin test-response-nointern.der -CAfile root-ca-cert.pem -issuer intermediate1-ca-cert.pem diff --git a/certs/ocsp/test-response-rsapss.der b/certs/ocsp/test-response-rsapss.der new file mode 100644 index 0000000000000000000000000000000000000000..ca99d28b73b8e006ae40b1967c694638677e8771 GIT binary patch literal 1913 zcmXqLVlU-lWLVI|o@da+p2fzg&Bn;e%5K2O$kN0fZP3IXZqUT&u&{BVLE}6_ZUas> z=1>+kVW!YvLtz6!5Ql?@D?G6{BQr0(BtOqkz<>`V$j-waoSIltl9LJ(;o@O0&(BE< z4)!q=F%SZ&;pX9X%}dYBOHD1x%u6?vH;@I1GV_Q*)hYNp2L~twr4|?D=cS|;ffaCS zwRyCC=Vjz%6cfnIOUrivsVy$f(M!(HmEborFfuZ*G%z=`G&M1{j50_uNHVZ8;ACUf z=3{1(Vr5_vaanQu;-2YT&DPO|vwU`33Njb%>R=Hm-XOC?zv=XO_oWusH?TBW)fI^< zGBI*BF<=EbB%4>u_wT;lK3puXMda>6lS0&U_f{kM!P+~cgCn+=G_x;_WmW6zx#t_JDOWr?kFW~HQD5tqskfFIdkR=6UHz1g-dt+ zyZQ69Vw1w*LkpC?9l2tr5IFtAqBnD88>H5JeX6*}Z{0kr$1<1216n!$?)37y|Hfv) zBl~^*(`Hy!O;{n-ZRGY$+r+BKDYCp%K4QwO6HjVyx1CpGhPD_OPyQO zelosZv3Tvq(kiht+Ad8VfivrGy}u+@%5^QHaLTQ7Zw`9wHsYI|XTacVJSFt^-ZO0f zqZc%>95ZNQIb_hpvd^H2dD#MHCPpSEMix+rLDL2!H!Fid<8+!PRtW90$n41{+84Q{j zxtKsnbjL2`E#D4TiyU6^RW@{ocTy#Ia^WsshEq?_n!Dz z_Tz!qn>~}ir1@wRUc8aUyk&yHZt)HOrhk=taXfZ*x1gku&FZGYivR2EjW%%P)3rtyI7A6A*aQP<7$0EieVwC=HW96mB zKl7D&3LFBqx`pj9Ff(X8!p0mbtIX24$Dna%1J*)mVdLB-jk5-C;%;J0HV_8+LY0Nb zfQyX-QkO7uBBvK_aC%{62=3=~ip$H$b(iL@3x2uk*vl{1)^zfUF5ro&-7GRCCOeL~ zYR)n@S8nlIhqW4NpMQSaxIR_&@!1b^G8kI79=-Se#1g(&U8ZAbteol|m%ZRe*o&mi4+O5f%=o)GyHVoTll9@7BA7ot|7~^b@7mIh z1$Gl=tN1-KpIUG#^Qmy$gDdNn?HB*}R8~3n|2ZaqcfAM4wH0Q(E9IE_)M!`NqtcI- fmue)_S2o@Gqag4}YDQxji^`7e_jwvJwqyVR-8YYp literal 0 HcmV?d00001 diff --git a/tests/api.c b/tests/api.c index 3eeee2359..235335858 100644 --- a/tests/api.c +++ b/tests/api.c @@ -1403,12 +1403,15 @@ static int test_wolfSSL_CertManagerCheckOCSPResponse(void) return 0; } -static void test_wolfSSL_CheckOCSPResponse(void) +static int test_wolfSSL_CheckOCSPResponse(void) { #if defined(HAVE_OCSP) && !defined(NO_RSA) && defined(OPENSSL_ALL) const char* responseFile = "./certs/ocsp/test-response.der"; const char* responseNoInternFile = "./certs/ocsp/test-response-nointern.der"; const char* caFile = "./certs/ocsp/root-ca-cert.pem"; +#if defined(WC_RSA_PSS) + const char* responsePssFile = "./certs/ocsp/test-response-rsapss.der"; +#endif OcspResponse* res = NULL; byte data[4096]; const unsigned char* pt; @@ -1455,8 +1458,23 @@ static void test_wolfSSL_CheckOCSPResponse(void) AssertNotNull(res); wolfSSL_OCSP_RESPONSE_free(res); +#if defined(WC_RSA_PSS) + /* check loading a response with RSA-PSS signature */ + f = XFOPEN(responsePssFile, "rb"); + AssertTrue(f != XBADFILE); + dataSz = (word32)XFREAD(data, 1, sizeof(data), f); + AssertIntGT(dataSz, 0); + XFCLOSE(f); + + pt = data; + res = wolfSSL_d2i_OCSP_RESPONSE(NULL, &pt, dataSz); + AssertNotNull(res); + wolfSSL_OCSP_RESPONSE_free(res); +#endif + printf(resultFmt, passed); #endif /* HAVE_OCSP */ + return 0; } static int test_wolfSSL_CertManagerLoadCABuffer(void) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 837a8354e..8f41089f2 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -33446,6 +33446,8 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, #endif int ret; int sigLength; + const byte* sigParams = NULL; + word32 sigParamsSz = 0; WOLFSSL_ENTER("DecodeBasicOcspResponse"); (void)heap; @@ -33463,8 +33465,26 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, return ret; /* ASN_PARSE_E, ASN_BEFORE_DATE_E, ASN_AFTER_DATE_E */ /* Get the signature algorithm */ - if (GetAlgoId(source, &idx, &resp->sigOID, oidSigType, size) < 0) + if (GetAlgoId(source, &idx, &resp->sigOID, oidSigType, size) < 0) { return ASN_PARSE_E; + } +#ifdef WC_RSA_PSS + else if (resp->sigOID == CTC_RSASSAPSS) { + word32 sz; + int len; + const byte* params; + + sz = idx; + params = source + idx; + if (GetSequence(source, &idx, &len, size) < 0) + ret = ASN_PARSE_E; + if (ret == 0) { + idx += len; + sigParams = params; + sigParamsSz = idx - sz; + } + } +#endif ret = CheckBitString(source, &idx, &sigLength, size, 1, NULL); if (ret != 0) @@ -33532,7 +33552,8 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, &cert->sigCtx, resp->response, resp->responseSz, cert->publicKey, cert->pubKeySize, cert->keyOID, - resp->sig, resp->sigSz, resp->sigOID, NULL, 0, NULL); + resp->sig, resp->sigSz, resp->sigOID, sigParams, sigParamsSz, + NULL); if (ret != 0) { WOLFSSL_MSG("\tOCSP Confirm signature failed"); @@ -33569,7 +33590,8 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, /* ConfirmSignature is blocking here */ sigValid = ConfirmSignature(&sigCtx, resp->response, resp->responseSz, ca->publicKey, ca->pubKeySize, ca->keyOID, - resp->sig, resp->sigSz, resp->sigOID, NULL, 0, NULL); + resp->sig, resp->sigSz, resp->sigOID, sigParams, sigParamsSz, + NULL); } if (ca == NULL || sigValid != 0) { WOLFSSL_MSG("\tOCSP Confirm signature failed"); From 9d6e157fc5df6b8a44efd2a808b2bb9a1c7942a6 Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Wed, 7 Sep 2022 16:15:19 -0700 Subject: [PATCH 5/7] add asn template version --- certs/ocsp/renewcerts.sh | 3 +-- tests/api.c | 40 +++++++++++++++++++++++++++------------- wolfcrypt/src/asn.c | 22 +++++++++++++++++++++- 3 files changed, 49 insertions(+), 16 deletions(-) diff --git a/certs/ocsp/renewcerts.sh b/certs/ocsp/renewcerts.sh index 2b24dbabc..4248d171e 100755 --- a/certs/ocsp/renewcerts.sh +++ b/certs/ocsp/renewcerts.sh @@ -68,7 +68,6 @@ update_cert() { cat "$3"-cert.pem >> "$1"-cert.pem } -SIGOPT="" update_cert intermediate1-ca "wolfSSL intermediate CA 1" root-ca v3_ca 01 update_cert intermediate2-ca "wolfSSL intermediate CA 2" root-ca v3_ca 02 update_cert intermediate3-ca "wolfSSL REVOKED intermediate CA" root-ca v3_ca 03 # REVOKED @@ -96,7 +95,7 @@ wait $PID openssl ocsp -port 22221 -ndays 1000 -index index-ca-and-intermediate-cas.txt -rsigner ocsp-responder-cert.pem -rkey ocsp-responder-key.pem -CA root-ca-cert.pem -rsigopt rsa_padding_mode:pss & PID=$! -openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate4-ca-rsapss-cert.pem -url http://localhost:22221/ -rsigopt rsa_mode:pss -rsigopt rsa_padding_mode:pss -rsigopt rsa_pss_saltlen:-1 -respout test-response-rsapss.der +openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response-rsapss.der # can verify with the following command # openssl ocsp -respin test-response-nointern.der -CAfile root-ca-cert.pem -issuer intermediate1-ca-cert.pem diff --git a/tests/api.c b/tests/api.c index 235335858..18c002023 100644 --- a/tests/api.c +++ b/tests/api.c @@ -1409,9 +1409,6 @@ static int test_wolfSSL_CheckOCSPResponse(void) const char* responseFile = "./certs/ocsp/test-response.der"; const char* responseNoInternFile = "./certs/ocsp/test-response-nointern.der"; const char* caFile = "./certs/ocsp/root-ca-cert.pem"; -#if defined(WC_RSA_PSS) - const char* responsePssFile = "./certs/ocsp/test-response-rsapss.der"; -#endif OcspResponse* res = NULL; byte data[4096]; const unsigned char* pt; @@ -1459,17 +1456,34 @@ static int test_wolfSSL_CheckOCSPResponse(void) wolfSSL_OCSP_RESPONSE_free(res); #if defined(WC_RSA_PSS) - /* check loading a response with RSA-PSS signature */ - f = XFOPEN(responsePssFile, "rb"); - AssertTrue(f != XBADFILE); - dataSz = (word32)XFREAD(data, 1, sizeof(data), f); - AssertIntGT(dataSz, 0); - XFCLOSE(f); + { + const char* responsePssFile = "./certs/ocsp/test-response-rsapss.der"; - pt = data; - res = wolfSSL_d2i_OCSP_RESPONSE(NULL, &pt, dataSz); - AssertNotNull(res); - wolfSSL_OCSP_RESPONSE_free(res); + /* check loading a response with RSA-PSS signature */ + f = XFOPEN(responsePssFile, "rb"); + AssertTrue(f != XBADFILE); + dataSz = (word32)XFREAD(data, 1, sizeof(data), f); + AssertIntGT(dataSz, 0); + XFCLOSE(f); + + pt = data; + res = wolfSSL_d2i_OCSP_RESPONSE(NULL, &pt, dataSz); + AssertNotNull(res); + + /* try to verify the response */ + issuer = wolfSSL_X509_load_certificate_file(caFile, SSL_FILETYPE_PEM); + AssertNotNull(issuer); + st = wolfSSL_X509_STORE_new(); + AssertNotNull(st); + AssertIntEQ(wolfSSL_X509_STORE_add_cert(st, issuer), WOLFSSL_SUCCESS); + bs = wolfSSL_OCSP_response_get1_basic(res); + AssertNotNull(bs); + AssertIntEQ(wolfSSL_OCSP_basic_verify(bs, NULL, st, 0), WOLFSSL_SUCCESS); + wolfSSL_OCSP_BASICRESP_free(bs); + wolfSSL_OCSP_RESPONSE_free(res); + wolfSSL_X509_STORE_free(st); + wolfSSL_X509_free(issuer); + } #endif printf(resultFmt, passed); diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 8f41089f2..65dcc7bef 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -33414,6 +33414,10 @@ static const ASNItem ocspBasicRespASN[] = { /* SIGALGO */ { 1, ASN_SEQUENCE, 1, 1, 0, }, /* SIGALGO_OID */ { 2, ASN_OBJECT_ID, 0, 0, 0 }, /* SIGALGO_NULL */ { 2, ASN_TAG_NULL, 0, 0, 1 }, + /* parameters */ +#ifdef WC_RSA_PSS +/* SIGALGO_PARAMS */ { 2, ASN_SEQUENCE, 1, 0, 1 }, +#endif /* signature */ /* SIGNATURE */ { 1, ASN_BIT_STRING, 0, 0, 0 }, /* certs */ @@ -33426,6 +33430,9 @@ enum { OCSPBASICRESPASN_IDX_SIGALGO, OCSPBASICRESPASN_IDX_SIGALGO_OID, OCSPBASICRESPASN_IDX_SIGALGO_NULL, +#ifdef WC_RSA_PSS + OCSPBASICRESPASN_IDX_SIGNATURE_PARAMS, +#endif OCSPBASICRESPASN_IDX_SIGNATURE, OCSPBASICRESPASN_IDX_CERTS, OCSPBASICRESPASN_IDX_CERTS_SEQ, @@ -33607,6 +33614,8 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, DECL_ASNGETDATA(dataASN, ocspBasicRespASN_Length); int ret = 0; word32 idx = *ioIndex; + const byte* sigParams = NULL; + word32 sigParamsSz = 0; #ifndef WOLFSSL_NO_OCSP_OPTIONAL_CERTS #ifdef WOLFSSL_SMALL_STACK DecodedCert* cert = NULL; @@ -33639,6 +33648,16 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, ret = ASN_PARSE_E; } } +#ifdef WC_RSA_PSS + if (ret == 0 && (dataASN[X509CERTASN_IDX_SIGALGO_PARAMS].tag != 0)) { + sigParams = GetASNItem_Addr( + dataASN[OCSPBASICRESPASN_IDX_SIGNATURE_PARAMS], + source); + sigParamsSz = + GetASNItem_Length(dataASN[OCSPBASICRESPASN_IDX_SIGNATURE_PARAMS], + source); + } +#endif if (ret == 0) { /* Get the signature OID and signature. */ resp->sigOID = dataASN[OCSPBASICRESPASN_IDX_SIGALGO_OID].data.oid.sum; @@ -33711,7 +33730,8 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, /* Check the signature of the response CA public key. */ sigValid = ConfirmSignature(&sigCtx, resp->response, resp->responseSz, ca->publicKey, ca->pubKeySize, ca->keyOID, - resp->sig, resp->sigSz, resp->sigOID, NULL, 0, NULL); + resp->sig, resp->sigSz, resp->sigOID, sigParams, sigParamsSz, + NULL); } if ((ca == NULL) || (sigValid != 0)) { /* Didn't find certificate or signature verificate failed. */ From f49d84e17a4fc041fbe23563ffb1ef3e96aa77d0 Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Thu, 8 Sep 2022 09:02:31 -0700 Subject: [PATCH 6/7] fix typo and pipe ocsp response creation to /dev/null --- certs/ocsp/renewcerts.sh | 6 +++--- wolfcrypt/src/asn.c | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/certs/ocsp/renewcerts.sh b/certs/ocsp/renewcerts.sh index 4248d171e..479b3ef07 100755 --- a/certs/ocsp/renewcerts.sh +++ b/certs/ocsp/renewcerts.sh @@ -85,8 +85,8 @@ update_cert server5 "www5.wolfssl.com" intermediate3-ca openssl ocsp -port 22221 -ndays 1000 -index index-ca-and-intermediate-cas.txt -rsigner ocsp-responder-cert.pem -rkey ocsp-responder-key.pem -CA root-ca-cert.pem & PID=$! -openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response.der -openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response-nointern.der -no_intern +openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response.der &> /dev/null +openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response-nointern.der -no_intern &> /dev/null kill $PID wait $PID @@ -95,7 +95,7 @@ wait $PID openssl ocsp -port 22221 -ndays 1000 -index index-ca-and-intermediate-cas.txt -rsigner ocsp-responder-cert.pem -rkey ocsp-responder-key.pem -CA root-ca-cert.pem -rsigopt rsa_padding_mode:pss & PID=$! -openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response-rsapss.der +openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response-rsapss.der &> /dev/null # can verify with the following command # openssl ocsp -respin test-response-nointern.der -CAfile root-ca-cert.pem -issuer intermediate1-ca-cert.pem diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 65dcc7bef..68156daa4 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -33649,7 +33649,7 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, } } #ifdef WC_RSA_PSS - if (ret == 0 && (dataASN[X509CERTASN_IDX_SIGALGO_PARAMS].tag != 0)) { + if (ret == 0 && (dataASN[OCSPBASICRESPASN_IDX_SIGNATURE_PARAMS].tag != 0)) { sigParams = GetASNItem_Addr( dataASN[OCSPBASICRESPASN_IDX_SIGNATURE_PARAMS], source); From 6c71777ca6abc15d29627b5ffea2a4f4d141b978 Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Fri, 9 Sep 2022 13:58:43 -0700 Subject: [PATCH 7/7] no verify on renewing ocsp response --- certs/ocsp/renewcerts.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/certs/ocsp/renewcerts.sh b/certs/ocsp/renewcerts.sh index 479b3ef07..d5d411953 100755 --- a/certs/ocsp/renewcerts.sh +++ b/certs/ocsp/renewcerts.sh @@ -82,11 +82,11 @@ update_cert server5 "www5.wolfssl.com" intermediate3-ca # Create response DER buffer for test -openssl ocsp -port 22221 -ndays 1000 -index index-ca-and-intermediate-cas.txt -rsigner ocsp-responder-cert.pem -rkey ocsp-responder-key.pem -CA root-ca-cert.pem & +openssl ocsp -port 22221 -ndays 1000 -index index-ca-and-intermediate-cas.txt -rsigner ocsp-responder-cert.pem -rkey ocsp-responder-key.pem -CA root-ca-cert.pem -partial_chain & PID=$! -openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response.der &> /dev/null -openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response-nointern.der -no_intern &> /dev/null +openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response.der -noverify +openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response-nointern.der -no_intern -noverify kill $PID wait $PID @@ -95,7 +95,7 @@ wait $PID openssl ocsp -port 22221 -ndays 1000 -index index-ca-and-intermediate-cas.txt -rsigner ocsp-responder-cert.pem -rkey ocsp-responder-key.pem -CA root-ca-cert.pem -rsigopt rsa_padding_mode:pss & PID=$! -openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response-rsapss.der &> /dev/null +openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response-rsapss.der -noverify # can verify with the following command # openssl ocsp -respin test-response-nointern.der -CAfile root-ca-cert.pem -issuer intermediate1-ca-cert.pem