wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-07-31 11:17:29 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #7934 from rizlik/ocsp-get-ca-keyhash-fix

Browse Source 
ocsp: search CA by key hash instead of ext key id
This commit is contained in:
Daniel Pouzzner
2024-09-05 15:03:54 -05:00
committed by GitHub
parent a3fea482db 6114691fd6
commit 9f6a75cdfd
3 changed files with 41 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

36
src/ssl.c
View File

@@ -5127,6 +5127,42 @@ Signer* GetCA(void* vp, byte* hash)
return ret; return ret;
} }
#if defined(HAVE_OCSP)
Signer* GetCAByKeyHash(void* vp, const byte* keyHash)
{
WOLFSSL_CERT_MANAGER* cm = (WOLFSSL_CERT_MANAGER*)vp;
Signer* ret = NULL;
Signer* signers;
int row;
if (cm == NULL || keyHash == NULL)
return NULL;
/* try lookup using keyHash as subjKeyID first */
ret = GetCA(vp, (byte*)keyHash);
if (ret != NULL && XMEMCMP(ret->subjectKeyHash, keyHash, KEYID_SIZE) == 0) {
return ret;
}
/* if we can't find the cert, we have to scan the full table */
if (wc_LockMutex(&cm->caLock) != 0)
return NULL;
/* Unfortunately we need to look through the entire table */
for (row = 0; row < CA_TABLE_SIZE && ret == NULL; row++) {
for (signers = cm->caTable[row]; signers != NULL;
signers = signers->next) {
if (XMEMCMP(signers->subjectKeyHash, keyHash, KEYID_SIZE) == 0) {
ret = signers;
break;
}
}
}
wc_UnLockMutex(&cm->caLock);
return ret;
}
#endif
#ifdef WOLFSSL_AKID_NAME #ifdef WOLFSSL_AKID_NAME
Signer* GetCAByAKID(void* vp, const byte* issuer, word32 issuerSz, Signer* GetCAByAKID(void* vp, const byte* issuer, word32 issuerSz,
const byte* serial, word32 serialSz) const byte* serial, word32 serialSz)

4
wolfcrypt/src/asn.c
View File

@@ -36770,7 +36770,7 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
int sigValid = -1; int sigValid = -1;
#ifndef NO_SKID #ifndef NO_SKID
ca = GetCA(cm, resp->single->issuerKeyHash); ca = GetCAByKeyHash(cm, resp->single->issuerKeyHash);
#else #else
ca = GetCA(cm, resp->single->issuerHash); ca = GetCA(cm, resp->single->issuerHash);
#endif #endif
@@ -36911,7 +36911,7 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
/* Response didn't have a certificate - lookup CA. */ /* Response didn't have a certificate - lookup CA. */
#ifndef NO_SKID #ifndef NO_SKID
ca = GetCA(cm, resp->single->issuerKeyHash); ca = GetCAByKeyHash(cm, resp->single->issuerKeyHash);
#else #else
ca = GetCA(cm, resp->single->issuerHash); ca = GetCA(cm, resp->single->issuerHash);
#endif #endif

3
wolfssl/internal.h
View File

@@ -6466,6 +6466,9 @@ WOLFSSL_LOCAL WC_RNG* WOLFSSL_RSA_GetRNG(WOLFSSL_RSA *rsa, WC_RNG **tmpRNG,
WOLFSSL_LOCAL Signer* GetCAByAKID(void* vp, const byte* issuer, WOLFSSL_LOCAL Signer* GetCAByAKID(void* vp, const byte* issuer,
word32 issuerSz, const byte* serial, word32 serialSz); word32 issuerSz, const byte* serial, word32 serialSz);
#endif #endif
#ifdef HAVE_OCSP
WOLFSSL_LOCAL Signer* GetCAByKeyHash(void* vp, const byte* keyHash);
#endif
#if !defined(NO_SKID) && !defined(GetCAByName) #if !defined(NO_SKID) && !defined(GetCAByName)
WOLFSSL_LOCAL Signer* GetCAByName(void* cm, byte* hash); WOLFSSL_LOCAL Signer* GetCAByName(void* cm, byte* hash);
#endif #endif