From 5b5f673c5148890bf0afc60f08f8845f857b7d30 Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Tue, 31 May 2022 15:51:46 -0700 Subject: [PATCH 1/7] add simple ocsp response der verify test case --- certs/ocsp/include.am | 3 ++- certs/ocsp/renewcerts.sh | 11 +++++++++ certs/ocsp/test-response.der | Bin 0 -> 1860 bytes tests/api.c | 43 +++++++++++++++++++++++++++++++++++ 4 files changed, 56 insertions(+), 1 deletion(-) create mode 100644 certs/ocsp/test-response.der diff --git a/certs/ocsp/include.am b/certs/ocsp/include.am index 73c5f285d..c5d937ed3 100644 --- a/certs/ocsp/include.am +++ b/certs/ocsp/include.am @@ -32,4 +32,5 @@ EXTRA_DIST += \ certs/ocsp/server5-key.pem \ certs/ocsp/server5-cert.pem \ certs/ocsp/root-ca-key.pem \ - certs/ocsp/root-ca-cert.pem + certs/ocsp/root-ca-cert.pem \ + certs/ocsp/test-response.der diff --git a/certs/ocsp/renewcerts.sh b/certs/ocsp/renewcerts.sh index 50e9e3d79..96744b6fd 100755 --- a/certs/ocsp/renewcerts.sh +++ b/certs/ocsp/renewcerts.sh @@ -79,3 +79,14 @@ update_cert server2 "www2.wolfssl.com" intermediate1-ca update_cert server3 "www3.wolfssl.com" intermediate2-ca v3_req2 07 update_cert server4 "www4.wolfssl.com" intermediate2-ca v3_req2 08 # REVOKED update_cert server5 "www5.wolfssl.com" intermediate3-ca v3_req3 09 + + +# Create response DER buffer for test +openssl ocsp -port 22221 -ndays 1000 -index index-ca-and-intermediate-cas.txt -rsigner ocsp-responder-cert.pem -rkey ocsp-responder-key.pem -CA root-ca-cert.pem & +PID=$! + +openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response.der + +kill $PID +wait $PID + diff --git a/certs/ocsp/test-response.der b/certs/ocsp/test-response.der new file mode 100644 index 0000000000000000000000000000000000000000..7ebfd04241cc509f38d5122ccb1aa03a10156887 GIT binary patch literal 1860 zcmXqLVt3$TWLVI|ZfVfOZpy}~&Bn;e%5K2O$kN2F1{6{-ibnU`LYpJymwzy}g!=V1>{O)M$NNrj1U@vxWY=cEM( z`xuHC2!Yga^KiT7rDx`)rWOG;8_FBVf<&2l#GvXF{GEdX6oOKV3-a?)Qj5R}IJMe5 z+P?ELax#huWag#iJAl*{7w70D=jTfB8yOfG8JHRy8W|ZI8<<2Hq!=U_SOJ~Ps?EpD zB*n_WBI2^*_QgHZxtgt`4QKi6xD;eA+SS1#QoKQCiGI`R^X^M6u5VyzvZ^Z*Rb*mh zY+%4Ja)BUN$P{Ri3DlN_$_9!C@`!L_Vi95yczpUk=l(}eR3+HfIu~C}UvI$626H+i zH!A~k6C)!-=QE)bOpi6^>|M^OE|H#<{5`v%U{RWp%;rO(+y9+@`~N1-iTJf#CignL z_o}ECg$Uhi{3Ne@Wts)Aed4ke0ZfLc``ruI2zC|-Pn)#j@JH$MQ$kCv)(E|Nm$Y`( z3dz6UuRjkE++KdL&N=j&((ZM)Ppw>e^Z0kkKZYyZQ$M#o7r!$taAjkUEz7<&T``AE z8uvRWBuQ3IIM6!zSCW}CU#WP5<@!*`$|LIaHd;OIt|puMWy6-sdAWRerkDF!`{jO4 z&2!eRhfY1-ddJ_Q_k5AXyeaMvmuLFst^B~o(#UYEcuD+povI{3K~JsUUpHS>KV~Ln zFZn%T_O4C#yKAREpWL`=n)-q!mSYA@EQf%2pFtDzvIWdcj7&_7ENEe6&^Vo@=}y8x z43h5nVd<_YKfgr5*^yv^GmsPKMM-c#E^^8k^f?BYvz3rTn-QEc`5A!XTuh)Ox?`8} zmT!lvMGi0dDx0|Qt6cKVR%Mfb+#fZIx>&lemd5CQPwu$LUiFIG)l~bn{6?iMQyeWG z%`LgsZJ;C&c=YxudpGTWPowM|OVUfHuAFl9@H?j;y{{)teRwlVaH%a%XuMymF!`buv zhJuYBde+@iX&1M?!IGN8P!{lBl;irA;tVyB_Nj;C^AdNoxBP05;_9C9`SE{07n#(O zn!=FOr$I zupI_w28~C6NlI3krE!lz4U}jeErd~_As~via)HWF|6mR-iq4!HzBIa=O`Ki43H=K-bdZ%^s zBlAR_o|yhFEwxa S^o^6TaEhDX+xF{TpY#EQN`_JZ literal 0 HcmV?d00001 diff --git a/tests/api.c b/tests/api.c index 5bec3d5bc..7cab7504b 100644 --- a/tests/api.c +++ b/tests/api.c @@ -1403,6 +1403,48 @@ static int test_wolfSSL_CertManagerCheckOCSPResponse(void) return 0; } +static void test_wolfSSL_CheckOCSPResponse(void) +{ +#if defined(HAVE_OCSP) && !defined(NO_RSA) && defined(OPENSSL_ALL) + const char* responseFile = "./certs/ocsp/test-response.der"; + const char* caFile = "./certs/ocsp/root-ca-cert.pem"; + OcspResponse* res = NULL; + byte data[4096]; + const unsigned char* pt; + int dataSz; + XFILE f; + WOLFSSL_OCSP_BASICRESP* bs; + WOLFSSL_X509_STORE* st; + WOLFSSL_X509* issuer; + + + printf(testingFmt, "wolfSSL_CheckOCSPResponse()"); + + f = XFOPEN(responseFile, "rb"); + AssertTrue(f != XBADFILE); + dataSz = (word32)XFREAD(data, 1, sizeof(data), f); + AssertIntGT(dataSz, 0); + XFCLOSE(f); + + pt = data; + res = wolfSSL_d2i_OCSP_RESPONSE(NULL, &pt, dataSz); + AssertNotNull(res); + issuer = wolfSSL_X509_load_certificate_file(caFile, SSL_FILETYPE_PEM); + AssertNotNull(issuer); + st = wolfSSL_X509_STORE_new(); + AssertNotNull(st); + AssertIntEQ(wolfSSL_X509_STORE_add_cert(st, issuer), WOLFSSL_SUCCESS); + bs = wolfSSL_OCSP_response_get1_basic(res); + AssertNotNull(bs); + AssertIntEQ(wolfSSL_OCSP_basic_verify(bs, NULL, st, 0), WOLFSSL_SUCCESS); + wolfSSL_OCSP_RESPONSE_free(res); + wolfSSL_X509_STORE_free(st); + wolfSSL_X509_free(issuer); + + printf(resultFmt, passed); +#endif /* HAVE_OCSP */ +} + static int test_wolfSSL_CertManagerLoadCABuffer(void) { int ret; @@ -57441,6 +57483,7 @@ TEST_CASE testCases[] = { TEST_DECL(test_wolfSSL_CTX_use_PrivateKey_file), TEST_DECL(test_wolfSSL_CTX_load_verify_locations), TEST_DECL(test_wolfSSL_CertManagerCheckOCSPResponse), + TEST_DECL(test_wolfSSL_CheckOCSPResponse), TEST_DECL(test_wolfSSL_CertManagerLoadCABuffer), TEST_DECL(test_wolfSSL_CertManagerGetCerts), TEST_DECL(test_wolfSSL_CertManagerSetVerify), From ac3cdb42b73777c2ac0af8f4464bb3f4fc107805 Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Wed, 1 Jun 2022 13:18:36 -0700 Subject: [PATCH 2/7] free structure in test case and return 0 from ocsp renew script --- certs/ocsp/renewcerts.sh | 1 + tests/api.c | 1 + 2 files changed, 2 insertions(+) diff --git a/certs/ocsp/renewcerts.sh b/certs/ocsp/renewcerts.sh index 96744b6fd..955fd73ae 100755 --- a/certs/ocsp/renewcerts.sh +++ b/certs/ocsp/renewcerts.sh @@ -90,3 +90,4 @@ openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url h kill $PID wait $PID +exit 0 diff --git a/tests/api.c b/tests/api.c index 7cab7504b..6c42d871a 100644 --- a/tests/api.c +++ b/tests/api.c @@ -1437,6 +1437,7 @@ static void test_wolfSSL_CheckOCSPResponse(void) bs = wolfSSL_OCSP_response_get1_basic(res); AssertNotNull(bs); AssertIntEQ(wolfSSL_OCSP_basic_verify(bs, NULL, st, 0), WOLFSSL_SUCCESS); + wolfSSL_OCSP_BASICRESP_free(bs); wolfSSL_OCSP_RESPONSE_free(res); wolfSSL_X509_STORE_free(st); wolfSSL_X509_free(issuer); From 29f2dee9918322068eb417971eec2212c615b0ce Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Thu, 2 Jun 2022 15:53:59 -0700 Subject: [PATCH 3/7] handeling DER to internal of an OCSP response with no optional certificates --- certs/ocsp/include.am | 3 ++- certs/ocsp/renewcerts.sh | 3 +++ certs/ocsp/test-response-nointern.der | Bin 0 -> 1860 bytes src/ocsp.c | 6 +++++- tests/api.c | 13 +++++++++++++ wolfcrypt/src/asn.c | 4 ++++ 6 files changed, 27 insertions(+), 2 deletions(-) create mode 100644 certs/ocsp/test-response-nointern.der diff --git a/certs/ocsp/include.am b/certs/ocsp/include.am index c5d937ed3..3afd680b1 100644 --- a/certs/ocsp/include.am +++ b/certs/ocsp/include.am @@ -33,4 +33,5 @@ EXTRA_DIST += \ certs/ocsp/server5-cert.pem \ certs/ocsp/root-ca-key.pem \ certs/ocsp/root-ca-cert.pem \ - certs/ocsp/test-response.der + certs/ocsp/test-response.der \ + certs/ocsp/test-response-nointern.der diff --git a/certs/ocsp/renewcerts.sh b/certs/ocsp/renewcerts.sh index 955fd73ae..556da9432 100755 --- a/certs/ocsp/renewcerts.sh +++ b/certs/ocsp/renewcerts.sh @@ -86,6 +86,9 @@ openssl ocsp -port 22221 -ndays 1000 -index index-ca-and-intermediate-cas.txt -r PID=$! openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response.der +openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response-nointern.der -no_intern +# can verify with the following command +# openssl ocsp -respin test-response-nointern.der -CAfile root-ca-cert.pem -issuer intermediate1-ca-cert.pem kill $PID wait $PID diff --git a/certs/ocsp/test-response-nointern.der b/certs/ocsp/test-response-nointern.der new file mode 100644 index 0000000000000000000000000000000000000000..4d4115cbe1b7fc5ac2f05f117d5f7819f228cd0a GIT binary patch literal 1860 zcmXqLVt3$TWLVI|ZfVfOZpy}~&Bn;e%5K2O$kN2F1{6{-ibnU`LYpJymwzy}g!=V1>{O)M$NNrj1U@vxWY=cEM( z`xuHC2!Yga^KiT7rDx`)rWOG;8_FBVf<&2l#GvXF{GEdX6oOKV3-a?)Qj5R}IJMe5 z+P?ELax#huWag#iJAl*{7w70D=jTfB8yOfG8JGbHBNKB|lPH4}gCqkhpp#j(`Iwoc zSQ%JETvpt^xMw<7vvsuLET0{hg3Lv`I#@)CH^?l}Z#sS6eW}Iu4J=Jobw#3zOpJ^T z3>Zc(5CjXE0_`w^+OkmDK+!-R5pGN@LM#Huw>q}GliqMxC!v$&K~7Vg0WTZO>5Sa0 z49rc8j0`*i4pZKlTxFTa!&|fOmrVD1!yi7Y*UATSY&;&493J}pS#iMi!UEeb`|GCl zIlSbnY~sSNa>+Yel}!S2f7C4MV(GqG8l(F?x#J>x)hljSQ|;IC8~`i@0@=0zMeGo;my?T&POEfi8V|(r(&vj zBy>$w-~&C~&0JCbUd4t1@4UqJT6V8x^=RKX^O3-EwxaY?F&C%rJ@K*Z#{;i7dnSKL z^U)~0cq5H@%LIen;v4==|0?(5c~0B;BLFMsUXsXV3E+ z3O0V|S$9jNUEKNxOKJ{7S-^Wyj_X^BGt@-dryh>aOWe`k@~c6Lt9!=h$N&9YWKv6N z3PVz#S~4*+GB7R%h6XT1*uZ6(5{GF-Uuhwm+pBcarjr1x>w=u&$r({`=KQsf5-ZD|9VdT zS(6;E+;xxql~H?vHG9UXrbSh+IK4ZQTr-$da$mf6NLuf3tM-e-tFG7|QJTxuZJ$@h zb+g;fzxydcNrYqBALZrR76u_source, *data, len); resp->maxIdx = len; - if (OcspResponseDecode(resp, NULL, NULL, 1) != 0) { + ret = OcspResponseDecode(resp, NULL, NULL, 1); + if (ret != 0 && ret != ASN_OCSP_CONFIRM_E) { + /* for just converting from a DER to an internal structure the CA may + * not yet be known to this function for signature verification */ wolfSSL_OCSP_RESPONSE_free(resp); return NULL; } diff --git a/tests/api.c b/tests/api.c index 6c42d871a..3eeee2359 100644 --- a/tests/api.c +++ b/tests/api.c @@ -1407,6 +1407,7 @@ static void test_wolfSSL_CheckOCSPResponse(void) { #if defined(HAVE_OCSP) && !defined(NO_RSA) && defined(OPENSSL_ALL) const char* responseFile = "./certs/ocsp/test-response.der"; + const char* responseNoInternFile = "./certs/ocsp/test-response-nointern.der"; const char* caFile = "./certs/ocsp/root-ca-cert.pem"; OcspResponse* res = NULL; byte data[4096]; @@ -1442,6 +1443,18 @@ static void test_wolfSSL_CheckOCSPResponse(void) wolfSSL_X509_STORE_free(st); wolfSSL_X509_free(issuer); + /* check loading a response with optional certs */ + f = XFOPEN(responseNoInternFile, "rb"); + AssertTrue(f != XBADFILE); + dataSz = (word32)XFREAD(data, 1, sizeof(data), f); + AssertIntGT(dataSz, 0); + XFCLOSE(f); + + pt = data; + res = wolfSSL_d2i_OCSP_RESPONSE(NULL, &pt, dataSz); + AssertNotNull(res); + wolfSSL_OCSP_RESPONSE_free(res); + printf(resultFmt, passed); #endif /* HAVE_OCSP */ } diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index d34bf0603..837a8354e 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -33441,7 +33441,9 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, #ifndef WOLFSSL_ASN_TEMPLATE int length; word32 idx = *ioIndex; + #ifndef WOLFSSL_NO_OCSP_OPTIONAL_CERTS word32 end_index; + #endif int ret; int sigLength; @@ -33453,7 +33455,9 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, if (idx + length > size) return ASN_INPUT_E; + #ifndef WOLFSSL_NO_OCSP_OPTIONAL_CERTS end_index = idx + length; + #endif if ((ret = DecodeResponseData(source, &idx, resp, size)) < 0) return ret; /* ASN_PARSE_E, ASN_BEFORE_DATE_E, ASN_AFTER_DATE_E */ From 28a82237d93c9a3dab39292f59d5fa7ae0b82d90 Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Wed, 7 Sep 2022 13:12:43 -0700 Subject: [PATCH 4/7] RSA-PSS signed OCSP responses --- certs/ocsp/include.am | 1 + certs/ocsp/renewcerts.sh | 10 ++++++++++ certs/ocsp/test-response-rsapss.der | Bin 0 -> 1913 bytes tests/api.c | 20 +++++++++++++++++++- wolfcrypt/src/asn.c | 28 +++++++++++++++++++++++++--- 5 files changed, 55 insertions(+), 4 deletions(-) create mode 100644 certs/ocsp/test-response-rsapss.der diff --git a/certs/ocsp/include.am b/certs/ocsp/include.am index 3afd680b1..92a72b81e 100644 --- a/certs/ocsp/include.am +++ b/certs/ocsp/include.am @@ -34,4 +34,5 @@ EXTRA_DIST += \ certs/ocsp/root-ca-key.pem \ certs/ocsp/root-ca-cert.pem \ certs/ocsp/test-response.der \ + certs/ocsp/test-response-rsapss.der \ certs/ocsp/test-response-nointern.der diff --git a/certs/ocsp/renewcerts.sh b/certs/ocsp/renewcerts.sh index 556da9432..2b24dbabc 100755 --- a/certs/ocsp/renewcerts.sh +++ b/certs/ocsp/renewcerts.sh @@ -68,6 +68,7 @@ update_cert() { cat "$3"-cert.pem >> "$1"-cert.pem } +SIGOPT="" update_cert intermediate1-ca "wolfSSL intermediate CA 1" root-ca v3_ca 01 update_cert intermediate2-ca "wolfSSL intermediate CA 2" root-ca v3_ca 02 update_cert intermediate3-ca "wolfSSL REVOKED intermediate CA" root-ca v3_ca 03 # REVOKED @@ -87,6 +88,15 @@ PID=$! openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response.der openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response-nointern.der -no_intern +kill $PID +wait $PID + + +# now start up a responder that signs using rsa-pss +openssl ocsp -port 22221 -ndays 1000 -index index-ca-and-intermediate-cas.txt -rsigner ocsp-responder-cert.pem -rkey ocsp-responder-key.pem -CA root-ca-cert.pem -rsigopt rsa_padding_mode:pss & +PID=$! + +openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate4-ca-rsapss-cert.pem -url http://localhost:22221/ -rsigopt rsa_mode:pss -rsigopt rsa_padding_mode:pss -rsigopt rsa_pss_saltlen:-1 -respout test-response-rsapss.der # can verify with the following command # openssl ocsp -respin test-response-nointern.der -CAfile root-ca-cert.pem -issuer intermediate1-ca-cert.pem diff --git a/certs/ocsp/test-response-rsapss.der b/certs/ocsp/test-response-rsapss.der new file mode 100644 index 0000000000000000000000000000000000000000..ca99d28b73b8e006ae40b1967c694638677e8771 GIT binary patch literal 1913 zcmXqLVlU-lWLVI|o@da+p2fzg&Bn;e%5K2O$kN0f4HODDXkv6&*tpQ3ah@T!0Vf-C zC<~h~Q)sZEuz?_m!@-ibnU`LYpJymwzy}g!=V1>{O)M$NNrj1U@vxWY=cEM( z`xuHC2!Yga^KiT7rDx`)rWOG;8_FBVf<&2l#GvXF{GEdX6oOKV3-a?)Qj5R}IJMe5 z+P?ELax#huWag#iJAl*{7w70D=jTfB8yOfG8CV*a8(Ny07+Xdeq!=U_SOJ~Ps?EpD zB*n_WBI2^*_QgHZxtgt`4QKi6xD;eA+SS1#QoKQCiGI`R^X^M6u5VyzvZ^Z*Rb*o1 zYGS}Ja)BUN$kf2hz!+-FLS+L*19?QaF|i1-2t1wS8Ti!jwk^*k>8?wf|J@9n*kDd) zyKlqEAo14VBjje`*_{RTpwxoAqL^SFTE^r^XM*fQMHl z1C4fje(#J?zs$QQ;OzZNDu4F}%XT!kvfNQh+G?`NF-Mg%xO3*r877Qh?hBXh`gil^ zX~iam!-p0qeLHf+Od)XkhedDZ$~H)?`TA6GkKej^R*z*aiwCrF{N3s0b^ndcf=BlI z`lrpXteUVws@urznYM{lkyB)Or+mbeStp*<-flau#>(S4FQh%}T-4z&x0gD%ru}4m zy<+j&jips$XS7|KJOXFd-+F&Ztd#3oM&XoO=iVIj*lol&JI{c@*LX_k@4aW({zorp zVmW5e#BvCT_Zc)XFI&LO#K^?N$N~y6Xxd=pW@RvFoKDlkDq$c7Nv!;^#9EY}U!vgb zNHCQe$cghpQ>lf4iIGJVkPAsp5bmJQX29Y=2|2WZsTY_s`5A!XTuh)Ox?`8}mT!lv zMGi0dDx0|Qt6cKVR%Mfb+#fZIx>&lemd5CQPwu$LUiFIG)l~bn{6?iMQyeWG%`Lgs zZJ;C&c=YxudpGTWPowM|OVUfHuAFl9@H?j;y{{)teRwlVaH%a%XuMymF!`buvhJuYB zde+@iX&1M?!IGN8P!{lBl;irA;tVyB_Nj;C^AdNoxBP05;_9C9`SE{07n#(On!=FO zrk%#8^a((jRWDywvz-zA{gNL%>$IupPhx zrSS+bNy#d+H108I+}VJ&P+HhHcS+-{!JD|77?TZzLB3FB;W6N1b)Gnh!d#*MVskT#ih3PSkBWk+_&8fmFf`HEtt#Y%O2>rqOCr3NhWVg`rGSOU0-&pM?O_Ov0~*^ z_qgl@Kf+!lZGIqdd-&Do6-zn-iQ-xR_8>G^M~V}I9{ZY;2yFk8j%k@?huQ<+bN z;~rdDw`{-o$EUK&x&O~G`Mc{qIIgWQ<6SAo)Tc(fx*nB&w7gU!nZB~=&L0JVPf{}) Q%UD!)Y`@Rbkg+8L0Npo_jsO4v literal 0 HcmV?d00001 diff --git a/tests/api.c b/tests/api.c index 3eeee2359..235335858 100644 --- a/tests/api.c +++ b/tests/api.c @@ -1403,12 +1403,15 @@ static int test_wolfSSL_CertManagerCheckOCSPResponse(void) return 0; } -static void test_wolfSSL_CheckOCSPResponse(void) +static int test_wolfSSL_CheckOCSPResponse(void) { #if defined(HAVE_OCSP) && !defined(NO_RSA) && defined(OPENSSL_ALL) const char* responseFile = "./certs/ocsp/test-response.der"; const char* responseNoInternFile = "./certs/ocsp/test-response-nointern.der"; const char* caFile = "./certs/ocsp/root-ca-cert.pem"; +#if defined(WC_RSA_PSS) + const char* responsePssFile = "./certs/ocsp/test-response-rsapss.der"; +#endif OcspResponse* res = NULL; byte data[4096]; const unsigned char* pt; @@ -1455,8 +1458,23 @@ static void test_wolfSSL_CheckOCSPResponse(void) AssertNotNull(res); wolfSSL_OCSP_RESPONSE_free(res); +#if defined(WC_RSA_PSS) + /* check loading a response with RSA-PSS signature */ + f = XFOPEN(responsePssFile, "rb"); + AssertTrue(f != XBADFILE); + dataSz = (word32)XFREAD(data, 1, sizeof(data), f); + AssertIntGT(dataSz, 0); + XFCLOSE(f); + + pt = data; + res = wolfSSL_d2i_OCSP_RESPONSE(NULL, &pt, dataSz); + AssertNotNull(res); + wolfSSL_OCSP_RESPONSE_free(res); +#endif + printf(resultFmt, passed); #endif /* HAVE_OCSP */ + return 0; } static int test_wolfSSL_CertManagerLoadCABuffer(void) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 837a8354e..8f41089f2 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -33446,6 +33446,8 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, #endif int ret; int sigLength; + const byte* sigParams = NULL; + word32 sigParamsSz = 0; WOLFSSL_ENTER("DecodeBasicOcspResponse"); (void)heap; @@ -33463,8 +33465,26 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, return ret; /* ASN_PARSE_E, ASN_BEFORE_DATE_E, ASN_AFTER_DATE_E */ /* Get the signature algorithm */ - if (GetAlgoId(source, &idx, &resp->sigOID, oidSigType, size) < 0) + if (GetAlgoId(source, &idx, &resp->sigOID, oidSigType, size) < 0) { return ASN_PARSE_E; + } +#ifdef WC_RSA_PSS + else if (resp->sigOID == CTC_RSASSAPSS) { + word32 sz; + int len; + const byte* params; + + sz = idx; + params = source + idx; + if (GetSequence(source, &idx, &len, size) < 0) + ret = ASN_PARSE_E; + if (ret == 0) { + idx += len; + sigParams = params; + sigParamsSz = idx - sz; + } + } +#endif ret = CheckBitString(source, &idx, &sigLength, size, 1, NULL); if (ret != 0) @@ -33532,7 +33552,8 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, &cert->sigCtx, resp->response, resp->responseSz, cert->publicKey, cert->pubKeySize, cert->keyOID, - resp->sig, resp->sigSz, resp->sigOID, NULL, 0, NULL); + resp->sig, resp->sigSz, resp->sigOID, sigParams, sigParamsSz, + NULL); if (ret != 0) { WOLFSSL_MSG("\tOCSP Confirm signature failed"); @@ -33569,7 +33590,8 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, /* ConfirmSignature is blocking here */ sigValid = ConfirmSignature(&sigCtx, resp->response, resp->responseSz, ca->publicKey, ca->pubKeySize, ca->keyOID, - resp->sig, resp->sigSz, resp->sigOID, NULL, 0, NULL); + resp->sig, resp->sigSz, resp->sigOID, sigParams, sigParamsSz, + NULL); } if (ca == NULL || sigValid != 0) { WOLFSSL_MSG("\tOCSP Confirm signature failed"); From 9d6e157fc5df6b8a44efd2a808b2bb9a1c7942a6 Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Wed, 7 Sep 2022 16:15:19 -0700 Subject: [PATCH 5/7] add asn template version --- certs/ocsp/renewcerts.sh | 3 +-- tests/api.c | 40 +++++++++++++++++++++++++++------------- wolfcrypt/src/asn.c | 22 +++++++++++++++++++++- 3 files changed, 49 insertions(+), 16 deletions(-) diff --git a/certs/ocsp/renewcerts.sh b/certs/ocsp/renewcerts.sh index 2b24dbabc..4248d171e 100755 --- a/certs/ocsp/renewcerts.sh +++ b/certs/ocsp/renewcerts.sh @@ -68,7 +68,6 @@ update_cert() { cat "$3"-cert.pem >> "$1"-cert.pem } -SIGOPT="" update_cert intermediate1-ca "wolfSSL intermediate CA 1" root-ca v3_ca 01 update_cert intermediate2-ca "wolfSSL intermediate CA 2" root-ca v3_ca 02 update_cert intermediate3-ca "wolfSSL REVOKED intermediate CA" root-ca v3_ca 03 # REVOKED @@ -96,7 +95,7 @@ wait $PID openssl ocsp -port 22221 -ndays 1000 -index index-ca-and-intermediate-cas.txt -rsigner ocsp-responder-cert.pem -rkey ocsp-responder-key.pem -CA root-ca-cert.pem -rsigopt rsa_padding_mode:pss & PID=$! -openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate4-ca-rsapss-cert.pem -url http://localhost:22221/ -rsigopt rsa_mode:pss -rsigopt rsa_padding_mode:pss -rsigopt rsa_pss_saltlen:-1 -respout test-response-rsapss.der +openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response-rsapss.der # can verify with the following command # openssl ocsp -respin test-response-nointern.der -CAfile root-ca-cert.pem -issuer intermediate1-ca-cert.pem diff --git a/tests/api.c b/tests/api.c index 235335858..18c002023 100644 --- a/tests/api.c +++ b/tests/api.c @@ -1409,9 +1409,6 @@ static int test_wolfSSL_CheckOCSPResponse(void) const char* responseFile = "./certs/ocsp/test-response.der"; const char* responseNoInternFile = "./certs/ocsp/test-response-nointern.der"; const char* caFile = "./certs/ocsp/root-ca-cert.pem"; -#if defined(WC_RSA_PSS) - const char* responsePssFile = "./certs/ocsp/test-response-rsapss.der"; -#endif OcspResponse* res = NULL; byte data[4096]; const unsigned char* pt; @@ -1459,17 +1456,34 @@ static int test_wolfSSL_CheckOCSPResponse(void) wolfSSL_OCSP_RESPONSE_free(res); #if defined(WC_RSA_PSS) - /* check loading a response with RSA-PSS signature */ - f = XFOPEN(responsePssFile, "rb"); - AssertTrue(f != XBADFILE); - dataSz = (word32)XFREAD(data, 1, sizeof(data), f); - AssertIntGT(dataSz, 0); - XFCLOSE(f); + { + const char* responsePssFile = "./certs/ocsp/test-response-rsapss.der"; - pt = data; - res = wolfSSL_d2i_OCSP_RESPONSE(NULL, &pt, dataSz); - AssertNotNull(res); - wolfSSL_OCSP_RESPONSE_free(res); + /* check loading a response with RSA-PSS signature */ + f = XFOPEN(responsePssFile, "rb"); + AssertTrue(f != XBADFILE); + dataSz = (word32)XFREAD(data, 1, sizeof(data), f); + AssertIntGT(dataSz, 0); + XFCLOSE(f); + + pt = data; + res = wolfSSL_d2i_OCSP_RESPONSE(NULL, &pt, dataSz); + AssertNotNull(res); + + /* try to verify the response */ + issuer = wolfSSL_X509_load_certificate_file(caFile, SSL_FILETYPE_PEM); + AssertNotNull(issuer); + st = wolfSSL_X509_STORE_new(); + AssertNotNull(st); + AssertIntEQ(wolfSSL_X509_STORE_add_cert(st, issuer), WOLFSSL_SUCCESS); + bs = wolfSSL_OCSP_response_get1_basic(res); + AssertNotNull(bs); + AssertIntEQ(wolfSSL_OCSP_basic_verify(bs, NULL, st, 0), WOLFSSL_SUCCESS); + wolfSSL_OCSP_BASICRESP_free(bs); + wolfSSL_OCSP_RESPONSE_free(res); + wolfSSL_X509_STORE_free(st); + wolfSSL_X509_free(issuer); + } #endif printf(resultFmt, passed); diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 8f41089f2..65dcc7bef 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -33414,6 +33414,10 @@ static const ASNItem ocspBasicRespASN[] = { /* SIGALGO */ { 1, ASN_SEQUENCE, 1, 1, 0, }, /* SIGALGO_OID */ { 2, ASN_OBJECT_ID, 0, 0, 0 }, /* SIGALGO_NULL */ { 2, ASN_TAG_NULL, 0, 0, 1 }, + /* parameters */ +#ifdef WC_RSA_PSS +/* SIGALGO_PARAMS */ { 2, ASN_SEQUENCE, 1, 0, 1 }, +#endif /* signature */ /* SIGNATURE */ { 1, ASN_BIT_STRING, 0, 0, 0 }, /* certs */ @@ -33426,6 +33430,9 @@ enum { OCSPBASICRESPASN_IDX_SIGALGO, OCSPBASICRESPASN_IDX_SIGALGO_OID, OCSPBASICRESPASN_IDX_SIGALGO_NULL, +#ifdef WC_RSA_PSS + OCSPBASICRESPASN_IDX_SIGNATURE_PARAMS, +#endif OCSPBASICRESPASN_IDX_SIGNATURE, OCSPBASICRESPASN_IDX_CERTS, OCSPBASICRESPASN_IDX_CERTS_SEQ, @@ -33607,6 +33614,8 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, DECL_ASNGETDATA(dataASN, ocspBasicRespASN_Length); int ret = 0; word32 idx = *ioIndex; + const byte* sigParams = NULL; + word32 sigParamsSz = 0; #ifndef WOLFSSL_NO_OCSP_OPTIONAL_CERTS #ifdef WOLFSSL_SMALL_STACK DecodedCert* cert = NULL; @@ -33639,6 +33648,16 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, ret = ASN_PARSE_E; } } +#ifdef WC_RSA_PSS + if (ret == 0 && (dataASN[X509CERTASN_IDX_SIGALGO_PARAMS].tag != 0)) { + sigParams = GetASNItem_Addr( + dataASN[OCSPBASICRESPASN_IDX_SIGNATURE_PARAMS], + source); + sigParamsSz = + GetASNItem_Length(dataASN[OCSPBASICRESPASN_IDX_SIGNATURE_PARAMS], + source); + } +#endif if (ret == 0) { /* Get the signature OID and signature. */ resp->sigOID = dataASN[OCSPBASICRESPASN_IDX_SIGALGO_OID].data.oid.sum; @@ -33711,7 +33730,8 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, /* Check the signature of the response CA public key. */ sigValid = ConfirmSignature(&sigCtx, resp->response, resp->responseSz, ca->publicKey, ca->pubKeySize, ca->keyOID, - resp->sig, resp->sigSz, resp->sigOID, NULL, 0, NULL); + resp->sig, resp->sigSz, resp->sigOID, sigParams, sigParamsSz, + NULL); } if ((ca == NULL) || (sigValid != 0)) { /* Didn't find certificate or signature verificate failed. */ From f49d84e17a4fc041fbe23563ffb1ef3e96aa77d0 Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Thu, 8 Sep 2022 09:02:31 -0700 Subject: [PATCH 6/7] fix typo and pipe ocsp response creation to /dev/null --- certs/ocsp/renewcerts.sh | 6 +++--- wolfcrypt/src/asn.c | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/certs/ocsp/renewcerts.sh b/certs/ocsp/renewcerts.sh index 4248d171e..479b3ef07 100755 --- a/certs/ocsp/renewcerts.sh +++ b/certs/ocsp/renewcerts.sh @@ -85,8 +85,8 @@ update_cert server5 "www5.wolfssl.com" intermediate3-ca openssl ocsp -port 22221 -ndays 1000 -index index-ca-and-intermediate-cas.txt -rsigner ocsp-responder-cert.pem -rkey ocsp-responder-key.pem -CA root-ca-cert.pem & PID=$! -openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response.der -openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response-nointern.der -no_intern +openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response.der &> /dev/null +openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response-nointern.der -no_intern &> /dev/null kill $PID wait $PID @@ -95,7 +95,7 @@ wait $PID openssl ocsp -port 22221 -ndays 1000 -index index-ca-and-intermediate-cas.txt -rsigner ocsp-responder-cert.pem -rkey ocsp-responder-key.pem -CA root-ca-cert.pem -rsigopt rsa_padding_mode:pss & PID=$! -openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response-rsapss.der +openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response-rsapss.der &> /dev/null # can verify with the following command # openssl ocsp -respin test-response-nointern.der -CAfile root-ca-cert.pem -issuer intermediate1-ca-cert.pem diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 65dcc7bef..68156daa4 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -33649,7 +33649,7 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, } } #ifdef WC_RSA_PSS - if (ret == 0 && (dataASN[X509CERTASN_IDX_SIGALGO_PARAMS].tag != 0)) { + if (ret == 0 && (dataASN[OCSPBASICRESPASN_IDX_SIGNATURE_PARAMS].tag != 0)) { sigParams = GetASNItem_Addr( dataASN[OCSPBASICRESPASN_IDX_SIGNATURE_PARAMS], source); From 6c71777ca6abc15d29627b5ffea2a4f4d141b978 Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Fri, 9 Sep 2022 13:58:43 -0700 Subject: [PATCH 7/7] no verify on renewing ocsp response --- certs/ocsp/renewcerts.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/certs/ocsp/renewcerts.sh b/certs/ocsp/renewcerts.sh index 479b3ef07..d5d411953 100755 --- a/certs/ocsp/renewcerts.sh +++ b/certs/ocsp/renewcerts.sh @@ -82,11 +82,11 @@ update_cert server5 "www5.wolfssl.com" intermediate3-ca # Create response DER buffer for test -openssl ocsp -port 22221 -ndays 1000 -index index-ca-and-intermediate-cas.txt -rsigner ocsp-responder-cert.pem -rkey ocsp-responder-key.pem -CA root-ca-cert.pem & +openssl ocsp -port 22221 -ndays 1000 -index index-ca-and-intermediate-cas.txt -rsigner ocsp-responder-cert.pem -rkey ocsp-responder-key.pem -CA root-ca-cert.pem -partial_chain & PID=$! -openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response.der &> /dev/null -openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response-nointern.der -no_intern &> /dev/null +openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response.der -noverify +openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response-nointern.der -no_intern -noverify kill $PID wait $PID @@ -95,7 +95,7 @@ wait $PID openssl ocsp -port 22221 -ndays 1000 -index index-ca-and-intermediate-cas.txt -rsigner ocsp-responder-cert.pem -rkey ocsp-responder-key.pem -CA root-ca-cert.pem -rsigopt rsa_padding_mode:pss & PID=$! -openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response-rsapss.der &> /dev/null +openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response-rsapss.der -noverify # can verify with the following command # openssl ocsp -respin test-response-nointern.der -CAfile root-ca-cert.pem -issuer intermediate1-ca-cert.pem