wolfssl/certs/ocsp/include.am
Ruby Martin 5c3100ed5c
  Remove non-RFC-compliant OCSP responder chain walk. The chain walk
  authorized any responder issued by an ancestor of the target's issuer;
  RFC 6960 4.2.2.2 requires direct issuance by the CA identified in the
  request.

    - Remove CheckOcspResponderChain() and WOLFSSL_NO_OCSP_ISSUER_CHAIN_CHECK.
    - Drop now-unused vp parameter from CheckOcspResponder() and the
      OcspRespCheck() helper; cascade through template and non-template
      paths.

  OCSP test blobs:

    - Re-sign resp_server1_cert with intermediate1-ca (CA-direct path).
    - Add resp_server1_cert_ancestor_responder for the negative test.
    - Embed server1_cert_pem[] in test_ocsp_test_blobs.h so the new test
      runs under NO_FILESYSTEM; matching entry added to
      create_ocsp_test_blobs.py.
    - Regenerate response[] in test_certman.c with intermediate1-ca as
      signer; recipe switched from Wireshark export to openssl -respout
      + xxd -i for reproducibility.
    - Fix self-XOR in test_wolfSSL_CertManagerCheckOCSPResponse so the
      serial byte actually flips (^= 0xFF).

  Live OCSP coverage:

    - Add ocsp-responder-int1 (delegated responder issued directly by
      intermediate1-ca, with id-kp-OCSPSigning EKU) for the
      responder->intermediate->root chain.
    - scripts/ocsp-stapling.test: intermediate1 responder switched to
      ocsp-responder-int1 (delegated path).
    - scripts/ocsp-stapling2.test, scripts/ocsp-stapling_tls13multi.test:
      intermediate2 and intermediate3 sign their OCSP responses with
      their own CA keys (CA-direct path); root block unchanged
      (ocsp-responder-cert is still RFC-compliant for root-issued certs).
    - .github/workflows/ocsp.yml: server1 OCSP responder switched to
      ocsp-responder-int1 to match the cert chain.
    - New test_ocsp_ancestor_responder_rejected confirms the
      ancestor-issued response is rejected with OCSP_LOOKUP_FAIL.
2026-06-02 16:20:37 -06:00
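The responder-authorization rule the commit message describes, as an added C example (not wolfSSL's code): a toy certificate model where names stand in for DN/key identifiers and no signatures are verified. The `Cert` struct, the `lookup()` store and the fixture names (`root-ca`, `intermediate1-ca`, `server1`, `ocsp-responder-int1`, `ocsp-responder-cert`) are constructed here to mirror the commit's test certs; `chain_walk_authorizes()` models the removed ancestor walk and `rfc6960_authorizes()` the RFC 6960 4.2.2.2 rule (CA-direct, or a delegated responder issued directly by that CA with id-kp-OCSPSigning). The locally configured trusted-responder case from the RFC is left out of the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy certificate model (constructed for this example): subject/issuer
 * names stand in for DN and key identifiers; no signature is checked. */
typedef struct {
    const char *subject;
    const char *issuer;       /* subject of the CA that issued this cert */
    bool is_ca;
    bool ocsp_signing_eku;    /* id-kp-OCSPSigning present in extKeyUsage */
} Cert;

/* Constructed fixtures named after the commit's test certs. */
static const Cert root_ca   = { "root-ca",             "root-ca",          true,  false };
static const Cert int1_ca   = { "intermediate1-ca",    "root-ca",          true,  false };
static const Cert server1   = { "server1",             "intermediate1-ca", false, false };
/* Delegated responder issued directly by intermediate1-ca (CA-direct issuer). */
static const Cert resp_int1 = { "ocsp-responder-int1", "intermediate1-ca", false, true  };
/* Delegated responder issued by the root: an ancestor of server1's issuer. */
static const Cert resp_root = { "ocsp-responder-cert", "root-ca",          false, true  };

static const Cert *const store[] = { &root_ca, &int1_ca, &server1, &resp_int1, &resp_root };
#define STORE_LEN (sizeof(store) / sizeof(store[0]))

/* Find a certificate in the toy store by subject name. */
static const Cert *lookup(const char *subject)
{
    for (size_t i = 0; i < STORE_LEN; i++)
        if (strcmp(store[i]->subject, subject) == 0)
            return store[i];
    return NULL;
}

/* The removed behaviour: accept the signer if its issuer is the target's
 * issuer OR any ancestor of that issuer. This is what let a root-issued
 * responder vouch for a certificate issued by an intermediate. */
int chain_walk_authorizes(const Cert *target, const Cert *signer)
{
    const char *name = target->issuer;
    for (int depth = 0; depth < 8; depth++) {
        if (strcmp(signer->issuer, name) == 0)
            return 1;
        const Cert *ca = lookup(name);
        if (ca == NULL || strcmp(ca->issuer, ca->subject) == 0)
            break;                    /* reached a root or an unknown CA */
        name = ca->issuer;            /* walk one step up the chain */
    }
    return 0;
}

/* RFC 6960 4.2.2.2: the response must be signed by the CA that issued the
 * certificate in question, or by a delegated responder whose certificate
 * was issued directly by that CA and carries id-kp-OCSPSigning. */
int rfc6960_authorizes(const Cert *target, const Cert *signer)
{
    /* CA-direct: the issuing CA signed the response with its own key. */
    if (signer->is_ca && strcmp(signer->subject, target->issuer) == 0)
        return 1;
    /* Delegated: issued by that same CA and explicitly marked for OCSP signing. */
    if (signer->ocsp_signing_eku && strcmp(signer->issuer, target->issuer) == 0)
        return 1;
    return 0;
}

int main(void)
{
    const Cert *signers[] = { &int1_ca, &resp_int1, &resp_root };
    for (size_t i = 0; i < sizeof(signers) / sizeof(signers[0]); i++) {
        printf("%-20s chain-walk=%d rfc6960=%d\n", signers[i]->subject,
               chain_walk_authorizes(&server1, signers[i]),
               rfc6960_authorizes(&server1, signers[i]));
    }
    return 0;
}
```

Run stand-alone, the table shows the difference the commit's new `test_ocsp_ancestor_responder_rejected` pins down: the ancestor walk accepts all three signers for `server1`, while the RFC rule accepts `intermediate1-ca` and `ocsp-responder-int1` and rejects the root-issued `ocsp-responder-cert`.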


# vim:ft=automake
# All paths should be given relative to the root
#
EXTRA_DIST += \
certs/ocsp/index-ca-and-intermediate-cas.txt \
certs/ocsp/index-ca-and-intermediate-cas.txt.attr \
certs/ocsp/index-intermediate1-ca-issued-certs.txt \
certs/ocsp/index-intermediate1-ca-issued-certs.txt.attr \
certs/ocsp/index-intermediate2-ca-issued-certs.txt \
certs/ocsp/index-intermediate2-ca-issued-certs.txt.attr \
certs/ocsp/index-intermediate3-ca-issued-certs.txt \
certs/ocsp/index-intermediate3-ca-issued-certs.txt.attr \
certs/ocsp/openssl.cnf \
certs/ocsp/renewcerts-for-test.sh \
certs/ocsp/intermediate1-ca-key.pem \
certs/ocsp/intermediate1-ca-key.der \
certs/ocsp/intermediate1-ca-cert.pem \
certs/ocsp/intermediate1-ca-cert.der \
certs/ocsp/intermediate2-ca-key.pem \
certs/ocsp/intermediate2-ca-key.der \
certs/ocsp/intermediate2-ca-cert.pem \
certs/ocsp/intermediate2-ca-cert.der \
certs/ocsp/intermediate3-ca-key.pem \
certs/ocsp/intermediate3-ca-key.der \
certs/ocsp/intermediate3-ca-cert.pem \
certs/ocsp/intermediate3-ca-cert.der \
certs/ocsp/ocsp-responder-key.pem \
certs/ocsp/ocsp-responder-key.der \
certs/ocsp/ocsp-responder-cert.pem \
certs/ocsp/ocsp-responder-cert.der \
certs/ocsp/ocsp-responder-int1-key.pem \
certs/ocsp/ocsp-responder-int1-key.der \
certs/ocsp/ocsp-responder-int1-cert.pem \
certs/ocsp/ocsp-responder-int1-cert.der \
certs/ocsp/server1-key.pem \
certs/ocsp/server1-key.der \
certs/ocsp/server1-cert.pem \
certs/ocsp/server1-cert.der \
certs/ocsp/server1-chain-noroot.pem \
certs/ocsp/server2-key.pem \
certs/ocsp/server2-key.der \
certs/ocsp/server2-cert.pem \
certs/ocsp/server2-cert.der \
certs/ocsp/server3-key.pem \
certs/ocsp/server3-key.der \
certs/ocsp/server3-cert.pem \
certs/ocsp/server3-cert.der \
certs/ocsp/server4-key.pem \
certs/ocsp/server4-key.der \
certs/ocsp/server4-cert.pem \
certs/ocsp/server4-cert.der \
certs/ocsp/server5-key.pem \
certs/ocsp/server5-key.der \
certs/ocsp/server5-cert.pem \
certs/ocsp/server5-cert.der \
certs/ocsp/root-ca-key.pem \
certs/ocsp/root-ca-key.der \
certs/ocsp/root-ca-cert.pem \
certs/ocsp/root-ca-cert.der \
certs/ocsp/root-ca-crl.pem \
certs/ocsp/imposter-root-ca-key.pem \
certs/ocsp/imposter-root-ca-key.der \
certs/ocsp/imposter-root-ca-cert.pem \
certs/ocsp/imposter-root-ca-cert.der \
certs/ocsp/test-response.der \
certs/ocsp/test-response-rsapss.der \
certs/ocsp/test-response-nointern.der \
certs/ocsp/test-multi-response.der \
certs/ocsp/test-leaf-response.der