Commit Graph

20 Commits

Author SHA1 Message Date
Emma Stensland 92e76d4667 updated email to facts@wolfssl.com 2026-06-26 14:44:16 -06:00
Ruby Martin 5c3100ed5c Remove non-RFC-compliant OCSP responder chain walk. The chain walk
authorized any responder issued by an ancestor of the target's issuer;
  RFC 6960 4.2.2.2 requires direct issuance by the CA identified in the
  request.

    - Remove CheckOcspResponderChain() and WOLFSSL_NO_OCSP_ISSUER_CHAIN_CHECK.
    - Drop now-unused vp parameter from CheckOcspResponder() and the
      OcspRespCheck() helper; cascade through template and non-template
      paths.

  OCSP test blobs:

    - Re-sign resp_server1_cert with intermediate1-ca (CA-direct path).
    - Add resp_server1_cert_ancestor_responder for the negative test.
    - Embed server1_cert_pem[] in test_ocsp_test_blobs.h so the new test
      runs under NO_FILESYSTEM; matching entry added to
      create_ocsp_test_blobs.py.
    - Regenerate response[] in test_certman.c with intermediate1-ca as
      signer; recipe switched from Wireshark export to openssl -respout
      + xxd -i for reproducibility.
    - Fix self-XOR in test_wolfSSL_CertManagerCheckOCSPResponse so the
      serial byte actually flips (^= 0xFF).

  Live OCSP coverage:

    - Add ocsp-responder-int1 (delegated responder issued directly by
      intermediate1-ca, with id-kp-OCSPSigning EKU) for the
      responder->intermediate->root chain.
    - scripts/ocsp-stapling.test: intermediate1 responder switched to
      ocsp-responder-int1 (delegated path).
    - scripts/ocsp-stapling2.test, scripts/ocsp-stapling_tls13multi.test:
      intermediate2 and intermediate3 sign their OCSP responses with
      their own CA keys (CA-direct path); root block unchanged
      (ocsp-responder-cert is still RFC-compliant for root-issued certs).
    - .github/workflows/ocsp.yml: server1 OCSP responder switched to
      ocsp-responder-int1 to match the cert chain.
    - New test_ocsp_ancestor_responder_rejected confirms the
      ancestor-issued response is rejected with OCSP_LOOKUP_FAIL.
2026-06-02 16:20:37 -06:00
Juliusz Sosinowicz 49906319f6 ocsp: address review feedback on PR 10303
- Use KEYID_SIZE for Signer key-hash comparisons since
  Signer.{subject,issuer}KeyHash is sized KEYID_SIZE, not OCSP_DIGEST_SIZE.
- Rename subjectHash/issuerHash to subjectNameHash/issuerNameHash in
  CheckOcspResponder/CheckOcspResponderChain to make the name-vs-key
  hash distinction explicit.
- Expand the Signer.issuerKeyHash field comment to clarify it is the
  subject key hash of the immediate issuer CA.
- Add an imposter-root-ca cert (same DN as root-ca, different RSA key)
  for tests that need to exercise the new CertID issuerKeyHash binding.
2026-05-12 14:36:00 +02:00
Juliusz Sosinowicz 4578e1390f Implement OCSP responder
OCSP Responder Core API:

- Add new public API for creating and managing an OCSP responder
- Add public wrappers for internal OCSP request/response functions
- OcspRespCheck: fix check when authorized responder is loaded into CM

Header Cleanup:

- Remove circular dependency when including `#include <wolfssl/wolfcrypt/asn.h>` from wolfssl/wolfcrypt/ecc.h and wolfssl/wolfcrypt/rsa.h

OCSP Responder Example (examples/ocsp_responder/):

- Add a command-line OCSP responder for interoperability testing with OpenSSL's `openssl ocsp` client

Test Scripts (scripts/):

- ocsp-responder-openssl-interop.test: Tests wolfSSL OCSP responder with `openssl ocsp` client
- ocsp-stapling-with-wolfssl-responder.test: Tests wolfSSL OCSP responder when doing OCSP stapling

Certificate Infrastructure (certs/ocsp/):

- Add DER-format certificates and keys for OCSP testing
- Update renewcerts.sh to generate DER versions

Known Limitations (documented in src/ocsp.c header comment):

  - Single request/response per OCSP exchange only
  - Key-hash responder ID only (no name-based responder ID)
  - No singleExtensions support
2026-03-11 10:21:16 +01:00
Paul Adelsbach ebda79fadb Fix OCSP->CRL fallback 2026-02-26 11:44:50 -08:00
Marco Oliverio 2fe413d80f ocsp: add tests 2025-02-17 08:59:23 +00:00
Juliusz Sosinowicz 3c5d3c0fa9 bwrap ocsp renew script 2023-10-23 15:53:42 +02:00
Andras Fekete 76cf3d61a0 Calling 'nc' makes the server unresponsive 2023-06-14 09:54:23 -04:00
Andras Fekete 20df12e5f7 This should add a check to make sure the server is up before connecting 2023-06-14 09:20:06 -04:00
JacobBarthelmeh 29a5c04c2e add test case 2022-10-25 15:35:37 -07:00
JacobBarthelmeh 6c71777ca6 no verify on renewing ocsp response 2022-09-09 13:58:43 -07:00
JacobBarthelmeh f49d84e17a fix typo and pipe ocsp response creation to /dev/null 2022-09-08 09:02:31 -07:00
JacobBarthelmeh 9d6e157fc5 add asn template version 2022-09-07 16:15:19 -07:00
JacobBarthelmeh 28a82237d9 RSA-PSS signed OCSP responses 2022-09-07 13:12:43 -07:00
JacobBarthelmeh 29f2dee991 handeling DER to internal of an OCSP response with no optional certificates 2022-08-29 15:25:50 -07:00
JacobBarthelmeh ac3cdb42b7 free structure in test case and return 0 from ocsp renew script 2022-08-29 15:25:50 -07:00
JacobBarthelmeh 5b5f673c51 add simple ocsp response der verify test case 2022-08-29 15:25:50 -07:00
kaleb-himes 4f6ee556dc Refactor the cert renewal scripts with error handling
Portability updates
2018-09-19 14:47:21 -06:00
Moisés Guimarães d817f0fbc8 fixes test scripts to avoid bash-isms 2016-01-04 09:27:58 -03:00
Moisés Guimarães ec9d23a9c3 Merge branch 'csr' 2015-12-28 19:38:04 -03:00