Ocsp fixes #8497

Closed
wants to merge 4 commits into from
Closed
2 changes: 1 addition & 1 deletion tests/api/create_ocsp_test_blobs.py
@@ -401,7 +401,7 @@ def create_bad_response(rd: dict) -> bytes:
},
]

with open('./tests/api/ocsp_test_blobs.h', 'w') as f:
with open('./tests/api/test_ocsp_test_blobs.h', 'w') as f:
f.write(
"""/*
* This file is generated automatically by running ./tests/api/create_ocsp_test_blobs.py.
8 changes: 4 additions & 4 deletions tests/api/test_ocsp.c
@@ -34,7 +34,7 @@
#include <wolfssl/ocsp.h>
#include <wolfssl/ssl.h>

#if defined(HAVE_OCSP)
#if defined(HAVE_OCSP) && !defined(NO_SHA)
struct ocsp_cb_ctx {
byte* response;
int responseSz;
@@ -158,12 +158,12 @@ int test_ocsp_response_parsing(void)

return EXPECT_SUCCESS();
}
#else /* HAVE_OCSP */
#else /* HAVE_OCSP && !NO_SHA */
int test_ocsp_response_parsing(void)
{
return TEST_SKIPPED;
}
#endif /* HAVE_OCSP */
#endif /* HAVE_OCSP && !NO_SHA */

#if defined(HAVE_OCSP) && (defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA))
static int test_ocsp_create_x509store(WOLFSSL_X509_STORE** store,
@@ -222,7 +222,7 @@ int test_ocsp_basic_verify(void)
ExpectIntEQ(response->responseStatus, 0);
ExpectIntEQ(response->responderIdType, OCSP_RESPONDER_ID_KEY);
ExpectBufEQ(response->responderId.keyHash, cert.subjectKeyHash,
OCSP_DIGEST_SIZE);
OCSP_RESPONDER_ID_KEY_SZ);
wolfSSL_OCSP_RESPONSE_free(response);

/* decoding with no embedded certificates */
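Review bot: The 20-byte comparison in test_ocsp_basic_verify is not covered by the `!defined(NO_SHA)` guard added at the top of the file; the block that holds it is still opened by `#if defined(HAVE_OCSP) && (defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA))`. If `cert.subjectKeyHash` is computed with the build's default key-id hash (not visible here), a NO_SHA build would compare the first `OCSP_RESPONDER_ID_KEY_SZ` bytes of a non-SHA-1 digest against the SHA-1 responder key hash and the test would fail. Either extend that guard with `&& !defined(NO_SHA)` or add a comment stating why the comparison holds without SHA-1. The function body continues outside the hunk.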
19 changes: 12 additions & 7 deletions wolfcrypt/src/asn.c
@@ -36950,7 +36950,7 @@ static int DecodeResponseData(byte* source, word32* ioIndex,
/* compute the hash of the name */
resp->responderIdType = OCSP_RESPONDER_ID_NAME;
ret = CalcHashId_ex(source + idx, length,
resp->responderId.nameHash, WC_SHA);
resp->responderId.nameHash, OCSP_RESPONDER_ID_HASH_TYPE);
if (ret != 0)
return ret;
idx += length;
@@ -36964,7 +36964,7 @@ static int DecodeResponseData(byte* source, word32* ioIndex,
if (GetOctetString(source, &idx, &length, size) < 0)
return ASN_PARSE_E;

if (length != KEYID_SIZE)
if (length != OCSP_RESPONDER_ID_SZ)
return ASN_PARSE_E;
resp->responderIdType = OCSP_RESPONDER_ID_KEY;
XMEMCPY(resp->responderId.keyHash, source + idx, length);
@@ -37027,7 +37027,7 @@ static int DecodeResponseData(byte* source, word32* ioIndex,
int ret = 0;
byte version;
word32 dateSz = 0;
word32 responderByKeySz = KEYID_SIZE;
word32 responderByKeySz = OCSP_RESPONDER_ID_KEY_SZ;
word32 idx = *ioIndex;
OcspEntry* single = NULL;

@@ -37070,10 +37070,11 @@ static int DecodeResponseData(byte* source, word32* ioIndex,
ret = CalcHashId_ex(
dataASN[OCSPRESPDATAASN_IDX_BYNAME].data.ref.data,
dataASN[OCSPRESPDATAASN_IDX_BYNAME].data.ref.length,
resp->responderId.nameHash, WC_SHA);
resp->responderId.nameHash, OCSP_RESPONDER_ID_HASH_TYPE);
} else {
resp->responderIdType = OCSP_RESPONDER_ID_KEY;
if (dataASN[OCSPRESPDATAASN_IDX_BYKEY_OCT].length != KEYID_SIZE) {
if (dataASN[OCSPRESPDATAASN_IDX_BYKEY_OCT].length
!= OCSP_RESPONDER_ID_KEY_SZ) {
ret = ASN_PARSE_E;
} else {
resp->responderIdType = OCSP_RESPONDER_ID_KEY;
@@ -37226,10 +37227,14 @@ enum {
static int OcspRespIdMatch(OcspResponse *resp, const byte *NameHash,
const byte *keyHash)
{
if (resp->responderIdType == OCSP_RESPONDER_ID_INVALID)
return 0;
if (resp->responderIdType == OCSP_RESPONDER_ID_NAME)
return XMEMCMP(NameHash, resp->responderId.nameHash,
SIGNER_DIGEST_SIZE) == 0;
return XMEMCMP(keyHash, resp->responderId.keyHash, KEYID_SIZE) == 0;
/* OCSP_RESPONDER_ID_KEY */
return ((int)KEYID_SIZE == OCSP_RESPONDER_ID_KEY_SZ) &&
XMEMCMP(keyHash, resp->responderId.keyHash, KEYID_SIZE) == 0;
}

#ifndef WOLFSSL_NO_OCSP_ISSUER_CHECK
@@ -37268,7 +37273,7 @@ static Signer *OcspFindSigner(OcspResponse *resp, WOLFSSL_CERT_MANAGER *cm)
if (s)
return s;
}
else {
else if ((int)KEYID_SIZE == OCSP_RESPONDER_ID_KEY_SZ) {
s = GetCAByKeyHash(cm, resp->responderId.keyHash);
if (s)
return s;
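Review bot: In the second DecodeResponseData hunk, the length check that guards `XMEMCPY(resp->responderId.keyHash, source + idx, length)` is printed with `OCSP_RESPONDER_ID_SZ`, while the asn.h section of this change defines only `OCSP_RESPONDER_ID_KEY_SZ` and every other hunk uses that name. If the short name is on the new side, the non-template parser will presumably not compile, and in any case the bound for that copy should be the same constant that sizes `keyHash`: `if (length != OCSP_RESPONDER_ID_KEY_SZ)`. Separately, OcspRespIdMatch now rejects `OCSP_RESPONDER_ID_INVALID` explicitly, but the `else if` in OcspFindSigner appears to reach `GetCAByKeyHash` for any type that is not handled by the preceding branch, whose condition is outside the hunk. Writing it as `else if (resp->responderIdType == OCSP_RESPONDER_ID_KEY && (int)KEYID_SIZE == OCSP_RESPONDER_ID_KEY_SZ)` would keep the two functions consistent. Both functions start outside their hunks.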
8 changes: 7 additions & 1 deletion wolfssl/wolfcrypt/asn.h
@@ -2732,6 +2732,12 @@ struct OcspEntry
WC_BITFIELD used:1; /* entry used */
};

#define OCSP_RESPONDER_ID_KEY_SZ 20
#if !defined(NO_SHA)
#define OCSP_RESPONDER_ID_HASH_TYPE WC_SHA
#else
#define OCSP_RESPONDER_ID_HASH_TYPE WC_SHA256
#endif
enum responderIdType {
OCSP_RESPONDER_ID_INVALID = 0,
OCSP_RESPONDER_ID_NAME = 1,
@@ -2750,7 +2756,7 @@ struct OcspResponse {

enum responderIdType responderIdType;
union {
byte keyHash[KEYID_SIZE];
byte keyHash[OCSP_RESPONDER_ID_KEY_SZ];
byte nameHash[KEYID_SIZE];
} responderId ;

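Review bot: `nameHash` keeps the bound `KEYID_SIZE` while the digest written into it is now chosen by `OCSP_RESPONDER_ID_HASH_TYPE`, so the buffer size and the hash length are tied together only by convention. With NO_SHA the macro selects `WC_SHA256`, which produces a 32-byte digest; that fits only if `KEYID_SIZE` is at least 32 in that configuration, which this section does not show. A compile-time check next to the union, or sizing `nameHash` from the selected digest, would make the bound explicit. The literal 20 also deserves a comment such as `/* RFC 6960 KeyHash: SHA-1 of the responder public key, always 20 bytes */`.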