wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-07-31 19:24:42 +02:00
Code Issues Packages Projects Releases Wiki Activity

RSA-PSS signed OCSP responses

Browse Source
This commit is contained in:
JacobBarthelmeh
2022-09-07 13:12:43 -07:00
parent 29f2dee991
commit 28a82237d9
5 changed files with 55 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
certs/ocsp/include.am
View File

@@ -34,4 +34,5 @@ EXTRA_DIST += \
certs/ocsp/root-ca-key.pem \ certs/ocsp/root-ca-key.pem \
certs/ocsp/root-ca-cert.pem \ certs/ocsp/root-ca-cert.pem \
certs/ocsp/test-response.der \ certs/ocsp/test-response.der \
certs/ocsp/test-response-rsapss.der \
certs/ocsp/test-response-nointern.der certs/ocsp/test-response-nointern.der

10
certs/ocsp/renewcerts.sh
View File

@@ -68,6 +68,7 @@ update_cert() {
cat "$3"-cert.pem >> "$1"-cert.pem cat "$3"-cert.pem >> "$1"-cert.pem
} }
SIGOPT=""
update_cert intermediate1-ca "wolfSSL intermediate CA 1" root-ca v3_ca 01 update_cert intermediate1-ca "wolfSSL intermediate CA 1" root-ca v3_ca 01
update_cert intermediate2-ca "wolfSSL intermediate CA 2" root-ca v3_ca 02 update_cert intermediate2-ca "wolfSSL intermediate CA 2" root-ca v3_ca 02
update_cert intermediate3-ca "wolfSSL REVOKED intermediate CA" root-ca v3_ca 03 # REVOKED update_cert intermediate3-ca "wolfSSL REVOKED intermediate CA" root-ca v3_ca 03 # REVOKED
@@ -87,6 +88,15 @@ PID=$!
openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response.der openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response.der
openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response-nointern.der -no_intern openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response-nointern.der -no_intern
kill $PID
wait $PID
# now start up a responder that signs using rsa-pss
openssl ocsp -port 22221 -ndays 1000 -index index-ca-and-intermediate-cas.txt -rsigner ocsp-responder-cert.pem -rkey ocsp-responder-key.pem -CA root-ca-cert.pem -rsigopt rsa_padding_mode:pss &
PID=$!
openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate4-ca-rsapss-cert.pem -url http://localhost:22221/ -rsigopt rsa_mode:pss -rsigopt rsa_padding_mode:pss -rsigopt rsa_pss_saltlen:-1 -respout test-response-rsapss.der
# can verify with the following command # can verify with the following command
# openssl ocsp -respin test-response-nointern.der -CAfile root-ca-cert.pem -issuer intermediate1-ca-cert.pem # openssl ocsp -respin test-response-nointern.der -CAfile root-ca-cert.pem -issuer intermediate1-ca-cert.pem

BIN
certs/ocsp/test-response-rsapss.der Normal file
View File

Binary file not shown.

20
tests/api.c
View File

@@ -1403,12 +1403,15 @@ static int test_wolfSSL_CertManagerCheckOCSPResponse(void)
return 0; return 0;
} }
static void test_wolfSSL_CheckOCSPResponse(void) static int test_wolfSSL_CheckOCSPResponse(void)
{ {
#if defined(HAVE_OCSP) && !defined(NO_RSA) && defined(OPENSSL_ALL) #if defined(HAVE_OCSP) && !defined(NO_RSA) && defined(OPENSSL_ALL)
const char* responseFile = "./certs/ocsp/test-response.der"; const char* responseFile = "./certs/ocsp/test-response.der";
const char* responseNoInternFile = "./certs/ocsp/test-response-nointern.der"; const char* responseNoInternFile = "./certs/ocsp/test-response-nointern.der";
const char* caFile = "./certs/ocsp/root-ca-cert.pem"; const char* caFile = "./certs/ocsp/root-ca-cert.pem";
#if defined(WC_RSA_PSS)
const char* responsePssFile = "./certs/ocsp/test-response-rsapss.der";
#endif
OcspResponse* res = NULL; OcspResponse* res = NULL;
byte data[4096]; byte data[4096];
const unsigned char* pt; const unsigned char* pt;
@@ -1455,8 +1458,23 @@ static void test_wolfSSL_CheckOCSPResponse(void)
AssertNotNull(res); AssertNotNull(res);
wolfSSL_OCSP_RESPONSE_free(res); wolfSSL_OCSP_RESPONSE_free(res);
#if defined(WC_RSA_PSS)
/* check loading a response with RSA-PSS signature */
f = XFOPEN(responsePssFile, "rb");
AssertTrue(f != XBADFILE);
dataSz = (word32)XFREAD(data, 1, sizeof(data), f);
AssertIntGT(dataSz, 0);
XFCLOSE(f);
pt = data;
res = wolfSSL_d2i_OCSP_RESPONSE(NULL, &pt, dataSz);
AssertNotNull(res);
wolfSSL_OCSP_RESPONSE_free(res);
#endif
printf(resultFmt, passed); printf(resultFmt, passed);
#endif /* HAVE_OCSP */ #endif /* HAVE_OCSP */
return 0;
} }
static int test_wolfSSL_CertManagerLoadCABuffer(void) static int test_wolfSSL_CertManagerLoadCABuffer(void)

28
wolfcrypt/src/asn.c
View File

@@ -33446,6 +33446,8 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
#endif #endif
int ret; int ret;
int sigLength; int sigLength;
const byte* sigParams = NULL;
word32 sigParamsSz = 0;
WOLFSSL_ENTER("DecodeBasicOcspResponse"); WOLFSSL_ENTER("DecodeBasicOcspResponse");
(void)heap; (void)heap;
@@ -33463,8 +33465,26 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
return ret; /* ASN_PARSE_E, ASN_BEFORE_DATE_E, ASN_AFTER_DATE_E */ return ret; /* ASN_PARSE_E, ASN_BEFORE_DATE_E, ASN_AFTER_DATE_E */
/* Get the signature algorithm */ /* Get the signature algorithm */
if (GetAlgoId(source, &idx, &resp->sigOID, oidSigType, size) < 0) if (GetAlgoId(source, &idx, &resp->sigOID, oidSigType, size) < 0) {
return ASN_PARSE_E; return ASN_PARSE_E;
}
#ifdef WC_RSA_PSS
else if (resp->sigOID == CTC_RSASSAPSS) {
word32 sz;
int len;
const byte* params;
sz = idx;
params = source + idx;
if (GetSequence(source, &idx, &len, size) < 0)
ret = ASN_PARSE_E;
if (ret == 0) {
idx += len;
sigParams = params;
sigParamsSz = idx - sz;
}
}
#endif
ret = CheckBitString(source, &idx, &sigLength, size, 1, NULL); ret = CheckBitString(source, &idx, &sigLength, size, 1, NULL);
if (ret != 0) if (ret != 0)
@@ -33532,7 +33552,8 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
&cert->sigCtx, &cert->sigCtx,
resp->response, resp->responseSz, resp->response, resp->responseSz,
cert->publicKey, cert->pubKeySize, cert->keyOID, cert->publicKey, cert->pubKeySize, cert->keyOID,
resp->sig, resp->sigSz, resp->sigOID, NULL, 0, NULL); resp->sig, resp->sigSz, resp->sigOID, sigParams, sigParamsSz,
NULL);
if (ret != 0) { if (ret != 0) {
WOLFSSL_MSG("\tOCSP Confirm signature failed"); WOLFSSL_MSG("\tOCSP Confirm signature failed");
@@ -33569,7 +33590,8 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
/* ConfirmSignature is blocking here */ /* ConfirmSignature is blocking here */
sigValid = ConfirmSignature(&sigCtx, resp->response, sigValid = ConfirmSignature(&sigCtx, resp->response,
resp->responseSz, ca->publicKey, ca->pubKeySize, ca->keyOID, resp->responseSz, ca->publicKey, ca->pubKeySize, ca->keyOID,
resp->sig, resp->sigSz, resp->sigOID, NULL, 0, NULL); resp->sig, resp->sigSz, resp->sigOID, sigParams, sigParamsSz,
NULL);
} }
if (ca == NULL || sigValid != 0) { if (ca == NULL || sigValid != 0) {
WOLFSSL_MSG("\tOCSP Confirm signature failed"); WOLFSSL_MSG("\tOCSP Confirm signature failed");