mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2026-07-06 00:00:49 +02:00
5c3100ed5c
authorized any responder issued by an ancestor of the target's issuer;
RFC 6960 4.2.2.2 requires direct issuance by the CA identified in the
request.
- Remove CheckOcspResponderChain() and WOLFSSL_NO_OCSP_ISSUER_CHAIN_CHECK.
- Drop now-unused vp parameter from CheckOcspResponder() and the
OcspRespCheck() helper; cascade through template and non-template
paths.
OCSP test blobs:
- Re-sign resp_server1_cert with intermediate1-ca (CA-direct path).
- Add resp_server1_cert_ancestor_responder for the negative test.
- Embed server1_cert_pem[] in test_ocsp_test_blobs.h so the new test
runs under NO_FILESYSTEM; matching entry added to
create_ocsp_test_blobs.py.
- Regenerate response[] in test_certman.c with intermediate1-ca as
signer; recipe switched from Wireshark export to openssl -respout
+ xxd -i for reproducibility.
- Fix self-XOR in test_wolfSSL_CertManagerCheckOCSPResponse so the
serial byte actually flips (^= 0xFF).
Live OCSP coverage:
- Add ocsp-responder-int1 (delegated responder issued directly by
intermediate1-ca, with id-kp-OCSPSigning EKU) for the
responder->intermediate->root chain.
- scripts/ocsp-stapling.test: intermediate1 responder switched to
ocsp-responder-int1 (delegated path).
- scripts/ocsp-stapling2.test, scripts/ocsp-stapling_tls13multi.test:
intermediate2 and intermediate3 sign their OCSP responses with
their own CA keys (CA-direct path); root block unchanged
(ocsp-responder-cert is still RFC-compliant for root-issued certs).
- .github/workflows/ocsp.yml: server1 OCSP responder switched to
ocsp-responder-int1 to match the cert chain.
- New test_ocsp_ancestor_responder_rejected confirms the
ancestor-issued response is rejected with OCSP_LOOKUP_FAIL.
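The issuer rule the message describes, written out as an added C model of the decision (example code, not wolfSSL's implementation): certificates are reduced to subject, issuer, CA flag and OCSPSigning EKU, the sample hierarchy is constructed to mirror the names above, and the OCSP_OK / OCSP_LOOKUP_FAIL values are placeholders rather than wolfSSL's error codes.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Reduced certificate model: only the fields the authorization rule needs. */
typedef struct {
    const char *subject;
    const char *issuer;
    int is_ca;            /* basicConstraints CA:TRUE */
    int ocsp_signing_eku; /* id-kp-OCSPSigning present in extendedKeyUsage */
} Cert;

/* Illustrative codes; wolfSSL's OCSP_LOOKUP_FAIL has its own numeric value. */
#define OCSP_OK           0
#define OCSP_LOOKUP_FAIL (-1)

/* RFC 6960 4.2.2.2: the response signer must be the CA that issued the target
 * certificate (CA-direct), or a responder whose certificate was issued directly
 * by that CA and carries id-kp-OCSPSigning (delegated). A responder issued by
 * an ancestor of that CA satisfies neither rule and is rejected. Signature
 * verification and the locally configured trusted-responder case are outside
 * this model. */
int check_ocsp_responder(const Cert *target, const Cert *signer)
{
    if (target == NULL || signer == NULL)
        return OCSP_LOOKUP_FAIL;
    /* CA-direct: the signer is the CA named as the target's issuer. */
    if (signer->is_ca && strcmp(signer->subject, target->issuer) == 0)
        return OCSP_OK;
    /* Delegated: responder cert issued directly by the target's issuer. */
    if (signer->ocsp_signing_eku && strcmp(signer->issuer, target->issuer) == 0)
        return OCSP_OK;
    return OCSP_LOOKUP_FAIL;
}

/* Constructed sample hierarchy using the names from the commit message. */
const Cert root_ca             = { "root-ca",             "root-ca",          1, 0 };
const Cert intermediate1_ca    = { "intermediate1-ca",    "root-ca",          1, 0 };
const Cert server1             = { "server1",             "intermediate1-ca", 0, 0 };
const Cert ocsp_responder_int1 = { "ocsp-responder-int1", "intermediate1-ca", 0, 1 };
const Cert ocsp_responder_root = { "ocsp-responder",      "root-ca",          0, 1 };

int main(void)
{
    const char *v[] = { "accepted", "rejected" };
    printf("intermediate1-ca for server1:    %s\n", v[check_ocsp_responder(&server1, &intermediate1_ca) != OCSP_OK]);
    printf("ocsp-responder-int1 for server1: %s\n", v[check_ocsp_responder(&server1, &ocsp_responder_int1) != OCSP_OK]);
    printf("root-issued responder, server1:  %s\n", v[check_ocsp_responder(&server1, &ocsp_responder_root) != OCSP_OK]);
    return 0;
}
```

The root-issued responder is still accepted for a certificate that the root itself issued (intermediate1-ca), which is why the root block in the stapling scripts needs no change.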
71 lines
2.9 KiB
Plaintext
# vim:ft=automake
# All paths should be given relative to the root
#

EXTRA_DIST += \
        certs/ocsp/index-ca-and-intermediate-cas.txt \
        certs/ocsp/index-ca-and-intermediate-cas.txt.attr \
        certs/ocsp/index-intermediate1-ca-issued-certs.txt \
        certs/ocsp/index-intermediate1-ca-issued-certs.txt.attr \
        certs/ocsp/index-intermediate2-ca-issued-certs.txt \
        certs/ocsp/index-intermediate2-ca-issued-certs.txt.attr \
        certs/ocsp/index-intermediate3-ca-issued-certs.txt \
        certs/ocsp/index-intermediate3-ca-issued-certs.txt.attr \
        certs/ocsp/openssl.cnf \
        certs/ocsp/renewcerts-for-test.sh \
        certs/ocsp/intermediate1-ca-key.pem \
        certs/ocsp/intermediate1-ca-key.der \
        certs/ocsp/intermediate1-ca-cert.pem \
        certs/ocsp/intermediate1-ca-cert.der \
        certs/ocsp/intermediate2-ca-key.pem \
        certs/ocsp/intermediate2-ca-key.der \
        certs/ocsp/intermediate2-ca-cert.pem \
        certs/ocsp/intermediate2-ca-cert.der \
        certs/ocsp/intermediate3-ca-key.pem \
        certs/ocsp/intermediate3-ca-key.der \
        certs/ocsp/intermediate3-ca-cert.pem \
        certs/ocsp/intermediate3-ca-cert.der \
        certs/ocsp/ocsp-responder-key.pem \
        certs/ocsp/ocsp-responder-key.der \
        certs/ocsp/ocsp-responder-cert.pem \
        certs/ocsp/ocsp-responder-cert.der \
        certs/ocsp/ocsp-responder-int1-key.pem \
        certs/ocsp/ocsp-responder-int1-key.der \
        certs/ocsp/ocsp-responder-int1-cert.pem \
        certs/ocsp/ocsp-responder-int1-cert.der \
        certs/ocsp/server1-key.pem \
        certs/ocsp/server1-key.der \
        certs/ocsp/server1-cert.pem \
        certs/ocsp/server1-cert.der \
        certs/ocsp/server1-chain-noroot.pem \
        certs/ocsp/server2-key.pem \
        certs/ocsp/server2-key.der \
        certs/ocsp/server2-cert.pem \
        certs/ocsp/server2-cert.der \
        certs/ocsp/server3-key.pem \
        certs/ocsp/server3-key.der \
        certs/ocsp/server3-cert.pem \
        certs/ocsp/server3-cert.der \
        certs/ocsp/server4-key.pem \
        certs/ocsp/server4-key.der \
        certs/ocsp/server4-cert.pem \
        certs/ocsp/server4-cert.der \
        certs/ocsp/server5-key.pem \
        certs/ocsp/server5-key.der \
        certs/ocsp/server5-cert.pem \
        certs/ocsp/server5-cert.der \
        certs/ocsp/root-ca-key.pem \
        certs/ocsp/root-ca-key.der \
        certs/ocsp/root-ca-cert.pem \
        certs/ocsp/root-ca-cert.der \
        certs/ocsp/root-ca-crl.pem \
        certs/ocsp/imposter-root-ca-key.pem \
        certs/ocsp/imposter-root-ca-key.der \
        certs/ocsp/imposter-root-ca-cert.pem \
        certs/ocsp/imposter-root-ca-cert.der \
        certs/ocsp/test-response.der \
        certs/ocsp/test-response-rsapss.der \
        certs/ocsp/test-response-nointern.der \
        certs/ocsp/test-multi-response.der \
        certs/ocsp/test-leaf-response.der