Commit Graph

393 Commits

Author SHA1 Message Date
JacobBarthelmeh bbf3beef35 fix to free CRL reason extension 2026-03-13 16:17:52 -06:00
Juliusz Sosinowicz 4578e1390f Implement OCSP responder
OCSP Responder Core API:

- Add new public API for creating and managing an OCSP responder
- Add public wrappers for internal OCSP request/response functions
- OcspRespCheck: fix check when authorized responder is loaded into CM

Header Cleanup:

- Remove circular dependency when including `#include <wolfssl/wolfcrypt/asn.h>` from wolfssl/wolfcrypt/ecc.h and wolfssl/wolfcrypt/rsa.h

OCSP Responder Example (examples/ocsp_responder/):

- Add a command-line OCSP responder for interoperability testing with OpenSSL's `openssl ocsp` client

Test Scripts (scripts/):

- ocsp-responder-openssl-interop.test: Tests wolfSSL OCSP responder with `openssl ocsp` client
- ocsp-stapling-with-wolfssl-responder.test: Tests wolfSSL OCSP responder when doing OCSP stapling

Certificate Infrastructure (certs/ocsp/):

- Add DER-format certificates and keys for OCSP testing
- Update renewcerts.sh to generate DER versions

Known Limitations (documented in src/ocsp.c header comment):

  - Single request/response per OCSP exchange only
  - Key-hash responder ID only (no name-based responder ID)
  - No singleExtensions support
2026-03-11 10:21:16 +01:00
Hideki Miyazaki f59b9fd32e fix number in sh 2026-03-06 14:16:36 +09:00
Hideki Miyazaki 5ce86cff62 fix multi-test.sh failure 2026-03-06 10:53:52 +09:00
Hideki Miyazaki 4877c0e579 fix PRB tests failures 2026-03-06 10:51:57 +09:00
Hideki Miyazaki cfb7f35e72 fix lareger(>57 octets) crlnum 2026-03-06 10:51:54 +09:00
Paul Adelsbach ebda79fadb Fix OCSP->CRL fallback 2026-02-26 11:44:50 -08:00
Andrew Hutchings 7248ca3592 Add SM2 to renewcerts.sh 2026-02-18 18:01:33 +00:00
Andrew Hutchings 2e8f9fe595 Fix SM2 certs to have the correct public key OID
OpenSSL 3.5+ handles the OIDs differently.
2026-02-18 18:01:33 +00:00
Andrew Hutchings 43aad1e4d7 Fix SM4 TLS 1.3 decrypt auth tag and SM2 cert verification
- Fix SM4 GCM/CCM TLS 1.3 decrypt to read auth tag from input buffer
  instead of output buffer, consistent with all other AEAD ciphers
  (src/tls13.c)

- Fix SM4_BLOCK_SIZE typo (was SM$_BLOCK_SIZE) in TicketEncDec SM4-GCM
  decrypt path (src/internal.c)

- Fix SM2 certificate signature verification for certs using
  id-ecPublicKey (ECDSAk) with SM2-with-SM3 signature algorithm.
  OpenSSL creates SM2 cert signatures without the standard
  distinguishing identifier in the ZA hash. The SM2k code path already
  handled this correctly (idSz=0), but the ECDSAk + CTC_SM3wSM2 path
  was incorrectly using CERT_SIG_ID_SZ (16), causing ASN_SIG_CONFIRM_E
  (-155) when verifying non-self-signed SM2 certs (wolfcrypt/src/asn.c)

- Regenerate expired SM2 test certificates via certs/sm2/gen-sm2-certs.sh
  They had expired.
2026-02-18 18:01:33 +00:00
Paul Adelsbach 81ae472e50 Add CRL generation code 2026-02-13 10:54:47 -08:00
Paul Adelsbach 08c1397cc1 Enable 8 combined OCSP and URLs instead of 1 of each 2026-02-04 11:04:46 -08:00
Paul Adelsbach aa020f39c4 Extend AIA interface 2026-02-02 08:48:40 -08:00
Chris Conlon 610d530e45 Add Name Constraints extension support with wolfSSL_X509_get_ext_d2i() and wolfSSL_NAME_CONSTRAINTS_check_name() 2026-01-26 10:36:05 -07:00
Paul Adelsbach 2325c68d4e Address connection issues in ocsp-stapling test 2026-01-20 09:46:35 -08:00
Hideki Miyazaki 08876e278a Fix CRL Number hex string buffer overflow in CRL parser 2026-01-08 17:25:19 +09:00
Anthony Hu 48ebe99372 Validate asn date based on position of Z (#8603) 2025-12-29 16:01:22 -06:00
JacobBarthelmeh 6c74098be5 run renewcerts.sh, gencertbuf.pl, and create_ocsp_test_blobs.py 2025-11-14 14:45:37 -07:00
JacobBarthelmeh 328f505702 add pkcs7 test with multiple recipients 2025-10-03 13:51:15 -06:00
Kareem af9a06e9bf Merge remote-tracking branch 'upstream/master' into zd19563_verify 2025-09-25 10:39:11 -07:00
gojimmypi a4d0a777bc Generate server-sm2-cert.der 2025-09-23 08:32:21 -07:00
Kareem 6b01053d98 Add test case for new x509_verify_cert retry functionality.
Add CA cert with the same SKI and intentionally invalid AKI as part of x509_verify_cert test case.
2025-08-18 10:21:53 -07:00
Koji Takeda 09deacbe8f Revert "Merge pull request #9045 from douzzer/20250730-revert-PR9000"
This reverts commit 70af2be5ab, reversing
changes made to 46347173b2.
2025-07-31 14:14:51 +09:00
Daniel Pouzzner f6437d3072 Revert "Add test data"
This reverts commit 778dcbaafb.
2025-07-30 15:39:55 -05:00
Koji Takeda 778dcbaafb Add test data 2025-07-28 21:46:28 +09:00
Josh Holtrop cf843c8b82 Add wc_PKCS7_GetEnvelopedDataKariRid()
Allow access to recipient ID before attempting to decrypt content.
2025-07-24 11:15:30 -04:00
Josh Holtrop d2ab6edbab Add wc_PKCS7_DecodeEncryptedKeyPackage() 2025-07-09 13:38:11 -04:00
JacobBarthelmeh 7b5e3e2551 regenerate intermediate and crl certs to update ca-int.pem 2025-06-25 10:00:57 -06:00
Josh Holtrop 3bd9b2e0bc Add generation instructions for empty issuer cert and change expiry to 100 years 2025-06-16 11:39:01 -04:00
Josh Holtrop 8bde5e6982 Fix printing empty names in certificates
The empty-issuer-cert.pem certificate was created with:

    wolfssl genkey rsa -size 2048 -out mykey -outform pem -output KEY
    wolfssl req -new -days 3650 -key mykey.priv -out empty-issuer-cert.pem -x509

Prior to this fix this command would error printing the certificate:

    wolfssl x509 -inform pem -in empty-issuer-cert.pem -text
2025-06-13 11:22:52 -04:00
Daniel Pouzzner 9d722b3a6c purge baltimore-cybertrust-root.pem from certs/external/include.am and scripts/. 2025-05-13 20:52:08 -05:00
Daniel Pouzzner 55460a5261 wolfssl/wolfcrypt/logging.h and wolfcrypt/src/logging.c: add
WOLFSSL_DEBUG_PRINTF() macro adapted from wolfssl_log(), refactor
  wolfssl_log() to use it, and move printf setup includes/prototypes from
  logging.c to logging.h;

src/ssl_load.c: add source_name arg and WOLFSSL_DEBUG_CERTIFICATE_LOADS clauses
  to ProcessBuffer() and ProcessChainBuffer(), and pass reasonable values from
  callers;

remove expired "Baltimore CyberTrust Root" from certs/external/ca_collection.pem
  and certs/external/baltimore-cybertrust-root.pem.
2025-05-13 20:30:48 -05:00
Kareem 038eab61d0 Add additional FPKI test OIDs. 2025-04-17 11:29:36 -07:00
Kareem 686ae22af2 Add additional FPKI test OIDs to FPKI test cert. 2025-04-17 11:14:40 -07:00
Hideki Miyazaki 62f7ff9ec2 fix OID collision
fix qt jenkins failure
2025-04-17 11:55:03 +09:00
Kareem f313edb4cf Add a test certificate for all of the FPKI certificate policy OIDs. 2025-03-27 12:20:36 -07:00
JacobBarthelmeh 1e254c014d application decryption successful 2025-02-28 14:23:24 -07:00
Marco Oliverio 2fe413d80f ocsp: add tests 2025-02-17 08:59:23 +00:00
Colton Willey cb0779f151 Add trusted cert to generation script and include.am 2025-01-30 15:29:59 -08:00
Colton Willey a0950e97f5 Add tests for trusted certificate banner 2025-01-30 14:42:41 -08:00
JacobBarthelmeh 19e68ea71a add a faketime test and update cert buffers 2024-12-20 10:35:58 -07:00
JacobBarthelmeh 8ca790218c certs_test.h is using raw dilithium keys 2024-12-19 15:23:37 -07:00
JacobBarthelmeh e66905aaf6 fix for gencertbuf script and add dilithium public key 2024-12-19 14:25:12 -07:00
JacobBarthelmeh e998dda1db update test certs to have v3 2024-12-18 16:12:08 -07:00
JacobBarthelmeh 4ed14af331 if no extensions are present a v1 certificate was generated, add a SKID extension to avoid that 2024-12-18 16:11:18 -07:00
JacobBarthelmeh 28184dd8cc update certificates in certs directory 2024-12-18 14:26:15 -07:00
Hideki Miyazaki fdb889303a fix qt unit test qsslcertificate
fix trusted peer cert cache
2024-11-13 08:38:51 +09:00
jordan b4e8e57b59 spelling: tiny cleanup. 2024-11-07 07:40:02 -06:00
jordan 7faed6cded X509 attribute cert (acert) support. 2024-09-13 08:03:55 -05:00
JacobBarthelmeh 2a1165460e add parsing over optional PKCS8 attributes 2024-09-04 15:15:53 -06:00