diff --git a/certs/ocsp/renewcerts.sh b/certs/ocsp/renewcerts.sh index 2b24dbabc..4248d171e 100755 --- a/certs/ocsp/renewcerts.sh +++ b/certs/ocsp/renewcerts.sh @@ -68,7 +68,6 @@ update_cert() { cat "$3"-cert.pem >> "$1"-cert.pem } -SIGOPT="" update_cert intermediate1-ca "wolfSSL intermediate CA 1" root-ca v3_ca 01 update_cert intermediate2-ca "wolfSSL intermediate CA 2" root-ca v3_ca 02 update_cert intermediate3-ca "wolfSSL REVOKED intermediate CA" root-ca v3_ca 03 # REVOKED @@ -96,7 +95,7 @@ wait $PID openssl ocsp -port 22221 -ndays 1000 -index index-ca-and-intermediate-cas.txt -rsigner ocsp-responder-cert.pem -rkey ocsp-responder-key.pem -CA root-ca-cert.pem -rsigopt rsa_padding_mode:pss & PID=$! -openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate4-ca-rsapss-cert.pem -url http://localhost:22221/ -rsigopt rsa_mode:pss -rsigopt rsa_padding_mode:pss -rsigopt rsa_pss_saltlen:-1 -respout test-response-rsapss.der +openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response-rsapss.der # can verify with the following command # openssl ocsp -respin test-response-nointern.der -CAfile root-ca-cert.pem -issuer intermediate1-ca-cert.pem diff --git a/tests/api.c b/tests/api.c index 235335858..18c002023 100644 --- a/tests/api.c +++ b/tests/api.c @@ -1409,9 +1409,6 @@ static int test_wolfSSL_CheckOCSPResponse(void) const char* responseFile = "./certs/ocsp/test-response.der"; const char* responseNoInternFile = "./certs/ocsp/test-response-nointern.der"; const char* caFile = "./certs/ocsp/root-ca-cert.pem"; -#if defined(WC_RSA_PSS) - const char* responsePssFile = "./certs/ocsp/test-response-rsapss.der"; -#endif OcspResponse* res = NULL; byte data[4096]; const unsigned char* pt; @@ -1459,17 +1456,34 @@ static int test_wolfSSL_CheckOCSPResponse(void) wolfSSL_OCSP_RESPONSE_free(res); #if defined(WC_RSA_PSS) - /* check loading a response with RSA-PSS signature */ - f = XFOPEN(responsePssFile, "rb"); - AssertTrue(f != XBADFILE); - dataSz = (word32)XFREAD(data, 1, sizeof(data), f); - AssertIntGT(dataSz, 0); - XFCLOSE(f); + { + const char* responsePssFile = "./certs/ocsp/test-response-rsapss.der"; - pt = data; - res = wolfSSL_d2i_OCSP_RESPONSE(NULL, &pt, dataSz); - AssertNotNull(res); - wolfSSL_OCSP_RESPONSE_free(res); + /* check loading a response with RSA-PSS signature */ + f = XFOPEN(responsePssFile, "rb"); + AssertTrue(f != XBADFILE); + dataSz = (word32)XFREAD(data, 1, sizeof(data), f); + AssertIntGT(dataSz, 0); + XFCLOSE(f); + + pt = data; + res = wolfSSL_d2i_OCSP_RESPONSE(NULL, &pt, dataSz); + AssertNotNull(res); + + /* try to verify the response */ + issuer = wolfSSL_X509_load_certificate_file(caFile, SSL_FILETYPE_PEM); + AssertNotNull(issuer); + st = wolfSSL_X509_STORE_new(); + AssertNotNull(st); + AssertIntEQ(wolfSSL_X509_STORE_add_cert(st, issuer), WOLFSSL_SUCCESS); + bs = wolfSSL_OCSP_response_get1_basic(res); + AssertNotNull(bs); + AssertIntEQ(wolfSSL_OCSP_basic_verify(bs, NULL, st, 0), WOLFSSL_SUCCESS); + wolfSSL_OCSP_BASICRESP_free(bs); + wolfSSL_OCSP_RESPONSE_free(res); + wolfSSL_X509_STORE_free(st); + wolfSSL_X509_free(issuer); + } #endif printf(resultFmt, passed); diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 8f41089f2..65dcc7bef 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -33414,6 +33414,10 @@ static const ASNItem ocspBasicRespASN[] = { /* SIGALGO */ { 1, ASN_SEQUENCE, 1, 1, 0, }, /* SIGALGO_OID */ { 2, ASN_OBJECT_ID, 0, 0, 0 }, /* SIGALGO_NULL */ { 2, ASN_TAG_NULL, 0, 0, 1 }, + /* parameters */ +#ifdef WC_RSA_PSS +/* SIGALGO_PARAMS */ { 2, ASN_SEQUENCE, 1, 0, 1 }, +#endif /* signature */ /* SIGNATURE */ { 1, ASN_BIT_STRING, 0, 0, 0 }, /* certs */ @@ -33426,6 +33430,9 @@ enum { OCSPBASICRESPASN_IDX_SIGALGO, OCSPBASICRESPASN_IDX_SIGALGO_OID, OCSPBASICRESPASN_IDX_SIGALGO_NULL, +#ifdef WC_RSA_PSS + OCSPBASICRESPASN_IDX_SIGNATURE_PARAMS, +#endif OCSPBASICRESPASN_IDX_SIGNATURE, OCSPBASICRESPASN_IDX_CERTS, OCSPBASICRESPASN_IDX_CERTS_SEQ, @@ -33607,6 +33614,8 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, DECL_ASNGETDATA(dataASN, ocspBasicRespASN_Length); int ret = 0; word32 idx = *ioIndex; + const byte* sigParams = NULL; + word32 sigParamsSz = 0; #ifndef WOLFSSL_NO_OCSP_OPTIONAL_CERTS #ifdef WOLFSSL_SMALL_STACK DecodedCert* cert = NULL; @@ -33639,6 +33648,16 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, ret = ASN_PARSE_E; } } +#ifdef WC_RSA_PSS + if (ret == 0 && (dataASN[X509CERTASN_IDX_SIGALGO_PARAMS].tag != 0)) { + sigParams = GetASNItem_Addr( + dataASN[OCSPBASICRESPASN_IDX_SIGNATURE_PARAMS], + source); + sigParamsSz = + GetASNItem_Length(dataASN[OCSPBASICRESPASN_IDX_SIGNATURE_PARAMS], + source); + } +#endif if (ret == 0) { /* Get the signature OID and signature. */ resp->sigOID = dataASN[OCSPBASICRESPASN_IDX_SIGALGO_OID].data.oid.sum; @@ -33711,7 +33730,8 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, /* Check the signature of the response CA public key. */ sigValid = ConfirmSignature(&sigCtx, resp->response, resp->responseSz, ca->publicKey, ca->pubKeySize, ca->keyOID, - resp->sig, resp->sigSz, resp->sigOID, NULL, 0, NULL); + resp->sig, resp->sigSz, resp->sigOID, sigParams, sigParamsSz, + NULL); } if ((ca == NULL) || (sigValid != 0)) { /* Didn't find certificate or signature verificate failed. */