Fix support for OCSP and Nginx

Store DER copy of CA certificate with signer when
WOLFSSL_SIGNER_DER_CERT is defined.
Keep the bad issuer error for later when compiling for OpenSSL
compatability.
Authority Info string needs to be passed back with a nul terminator.

configure.ac

@@ -2959,7 +2959,7 @@ fi
 
 if test "$ENABLED_NGINX" = "yes"
 then
-    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NGINX"
+    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NGINX -DWOLFSSL_SIGNER_DER_CERT"
 fi
 
 if test "$ENABLED_HAPROXY" = "yes"

src/ocsp.c

@@ -604,6 +604,11 @@ int wolfSSL_OCSP_basic_verify(WOLFSSL_OCSP_BASICRESP *bs,
     if (flags & OCSP_NOVERIFY)
         return WOLFSSL_SUCCESS;
 
+#ifdef OPENSSL_EXTRA
+    if (bs->verifyError != OCSP_VERIFY_ERROR_NONE)
+        return WOLFSSL_FAILURE;
+#endif
+
     InitDecodedCert(&cert, bs->cert, bs->certSz, NULL);
     if (ParseCertRelative(&cert, CERT_TYPE, VERIFY, st->cm) < 0)
         ret = WOLFSSL_FAILURE;

src/ssl.c

@@ -3972,7 +3972,7 @@ int AddTrustedPeer(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int verify)
 int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify)
 {
     int         ret;
-    Signer*     signer = 0;
+    Signer*     signer = NULL;
     word32      row;
     byte*       subjectHash;
 #ifdef WOLFSSL_SMALL_STACK
@@ -4060,7 +4060,14 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify)
         signer = MakeSigner(cm->heap);
         if (!signer)
             ret = MEMORY_ERROR;
-        else {
+    }
+    if (ret == 0 && signer != NULL) {
+    #ifdef WOLFSSL_SIGNER_DER_CERT
+        ret = AllocDer(&signer->derCert, der->length, der->type, NULL);
+    }
+    if (ret == 0 && signer != NULL) {
+        XMEMCPY(signer->derCert->buffer, der->buffer, der->length);
+    #endif
         signer->keyOID         = cert->keyOID;
         if (cert->pubKeyStored) {
             signer->publicKey      = cert->publicKey;
@@ -4111,7 +4118,6 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify)
             FreeSigner(signer, cm->heap);
         }
     }
-    }
 
     WOLFSSL_MSG("\tFreeing Parsed CA");
     FreeDecodedCert(cert);
@@ -32352,7 +32358,18 @@ int wolfSSL_X509_STORE_CTX_get1_issuer(WOLFSSL_X509 **issuer,
 
     /* Create an empty certificate as CA doesn't have a certificate. */
     XMEMSET(*issuer, 0, sizeof(WOLFSSL_X509));
-    /* TODO: store the full certificate and dup when required. */
+    (*issuer)->dynamicMemory = 1;
+#ifdef WOLFSSL_SIGNER_DER_CERT
+    if (AllocDer(&(*issuer)->derCert, ca->derCert->length, ca->derCert->type,
+                                                                   NULL) == 0) {
+        XMEMCPY((*issuer)->derCert->buffer, ca->derCert->buffer,
+                                                           ca->derCert->length);
+    }
+    else {
+        XFREE(*issuer, 0, DYNAMIC_TYPE_OPENSSL);
+        return WOLFSSL_FAILURE;
+    }
+#endif
 
     /* Result is ignored when passed to wolfSSL_OCSP_cert_to_id(). */
 
@@ -32374,16 +32391,22 @@ void wolfSSL_X509_email_free(WOLF_STACK_OF(WOLFSSL_STRING) *sk)
 WOLF_STACK_OF(WOLFSSL_STRING) *wolfSSL_X509_get1_ocsp(WOLFSSL_X509 *x)
 {
     WOLFSSL_STACK* list = NULL;
+    char*          url;
 
     if (x->authInfoSz == 0)
         return NULL;
 
-    list = (WOLFSSL_STACK*)XMALLOC(sizeof(WOLFSSL_STACK), NULL,
-                                   DYNAMIC_TYPE_OPENSSL);
+    list = (WOLFSSL_STACK*)XMALLOC(sizeof(WOLFSSL_STACK) + x->authInfoSz + 1,
+                                   NULL, DYNAMIC_TYPE_OPENSSL);
     if (list == NULL)
         return NULL;
 
-    list->data.string = (char*)x->authInfo;
+    url = (char*)list;
+    url += sizeof(WOLFSSL_STACK);
+    XMEMCPY(url, x->authInfo, x->authInfoSz);
+    url[x->authInfoSz] = '\0';
+
+    list->data.string = url;
     list->next = NULL;
 
     return list;

wolfcrypt/src/asn.c

@@ -7037,6 +7037,9 @@ Signer* MakeSigner(void* heap)
     #endif /* IGNORE_NAME_CONSTRAINTS */
         signer->pathLengthSet = 0;
         signer->pathLength = 0;
+    #ifdef WOLFSSL_SIGNER_DER_CERT
+        signer->derCert    = NULL;
+    #endif
         signer->next       = NULL;
     }
     (void)heap;
@@ -7055,6 +7058,9 @@ void FreeSigner(Signer* signer, void* heap)
         FreeNameSubtrees(signer->permittedNames, heap);
     if (signer->excludedNames)
         FreeNameSubtrees(signer->excludedNames, heap);
+#endif
+#ifdef WOLFSSL_SIGNER_DER_CERT
+    FreeDer(&signer->derCert);
 #endif
     XFREE(signer, heap, DYNAMIC_TYPE_SIGNER);
 
@@ -12946,9 +12952,12 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
             }
             else {
                 WOLFSSL_MSG("\tOCSP Responder key usage check failed");
-
+    #ifdef OPENSSL_EXTRA
+                resp->verifyError = OCSP_BAD_ISSUER;
+    #else
                 FreeDecodedCert(&cert);
                 return BAD_OCSP_RESPONDER;
+    #endif
             }
         }
 #endif

wolfssl/wolfcrypt/asn.h

@@ -736,6 +736,9 @@ struct Signer {
         byte    subjectKeyIdHash[SIGNER_DIGEST_SIZE];
                                      /* sha hash of names in certificate */
     #endif
+#ifdef WOLFSSL_SIGNER_DER_CERT
+    DerBuffer* derCert;
+#endif
     Signer* next;
 };
 
@@ -928,6 +931,13 @@ enum Ocsp_Sums {
     OCSP_NONCE_OID = 118
 };
 
+#ifdef OPENSSL_EXTRA
+enum Ocsp_Verify_Error {
+    OCSP_VERIFY_ERROR_NONE = 0,
+    OCSP_BAD_ISSUER = 1
+};
+#endif
+
 
 typedef struct OcspRequest  OcspRequest;
 typedef struct OcspResponse OcspResponse;
@@ -981,6 +991,10 @@ struct OcspResponse {
 
     byte*   source;          /* pointer to source buffer, not owned */
     word32  maxIdx;          /* max offset based on init size */
+
+#ifdef OPENSSL_EXTRA
+    int     verifyError;
+#endif
 };