Commit Graph

4 Commits

Author SHA1 Message Date
Juliusz Sosinowicz 88032c1e56 Make the server timeout wrap Linux-only
timeout(1) is GNU coreutils and is not installed on macOS, so the
"make check macos" job failed with "timeout: command not found" for
every wrapped server. Add a small shim to each affected test: when
timeout is unavailable (e.g. macOS) run the server unbounded, restoring
the prior macOS behavior. The flaky hang the timeout guards against is on
the Linux-only trackmemory job, so macOS does not need the bound.
2026-06-23 10:35:44 +00:00
Juliusz Sosinowicz 5c5cbd3094 Bound waited example servers with timeout in remaining test scripts
Several test scripts share the same pattern as ocsp-stapling_tls13multi:
a backgrounded example server is "wait"ed on with no timeout, so a
server that flakily fails to exit blocks the script until the CI job
timeout. Wrap those servers in "timeout -s KILL 2m" as well.

Scripts: ocsp-stapling, ocsp-stapling2,
ocsp-stapling-with-wolfssl-responder, crl-revoked, tls13, resume,
pkcallbacks, dtlscid.
2026-06-23 00:07:58 +00:00
Juliusz Sosinowicz 6bb122d29f Address copilot review 2026-03-11 11:08:44 +01:00
Juliusz Sosinowicz 4578e1390f Implement OCSP responder
OCSP Responder Core API:

- Add new public API for creating and managing an OCSP responder
- Add public wrappers for internal OCSP request/response functions
- OcspRespCheck: fix check when authorized responder is loaded into CM

Header Cleanup:

- Remove circular dependency when including `#include <wolfssl/wolfcrypt/asn.h>` from wolfssl/wolfcrypt/ecc.h and wolfssl/wolfcrypt/rsa.h

OCSP Responder Example (examples/ocsp_responder/):

- Add a command-line OCSP responder for interoperability testing with OpenSSL's `openssl ocsp` client

Test Scripts (scripts/):

- ocsp-responder-openssl-interop.test: Tests wolfSSL OCSP responder with `openssl ocsp` client
- ocsp-stapling-with-wolfssl-responder.test: Tests wolfSSL OCSP responder when doing OCSP stapling

Certificate Infrastructure (certs/ocsp/):

- Add DER-format certificates and keys for OCSP testing
- Update renewcerts.sh to generate DER versions

Known Limitations (documented in src/ocsp.c header comment):

  - Single request/response per OCSP exchange only
  - Key-hash responder ID only (no name-based responder ID)
  - No singleExtensions support
2026-03-11 10:21:16 +01:00