mirror of https://github.com/wolfSSL/wolfssl.git
add asn template version
parent
28a82237d9
commit
9d6e157fc5
|
@ -68,7 +68,6 @@ update_cert() {
|
|||
cat "$3"-cert.pem >> "$1"-cert.pem
|
||||
}
|
||||
|
||||
SIGOPT=""
|
||||
update_cert intermediate1-ca "wolfSSL intermediate CA 1" root-ca v3_ca 01
|
||||
update_cert intermediate2-ca "wolfSSL intermediate CA 2" root-ca v3_ca 02
|
||||
update_cert intermediate3-ca "wolfSSL REVOKED intermediate CA" root-ca v3_ca 03 # REVOKED
|
||||
|
@ -96,7 +95,7 @@ wait $PID
|
|||
openssl ocsp -port 22221 -ndays 1000 -index index-ca-and-intermediate-cas.txt -rsigner ocsp-responder-cert.pem -rkey ocsp-responder-key.pem -CA root-ca-cert.pem -rsigopt rsa_padding_mode:pss &
|
||||
PID=$!
|
||||
|
||||
openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate4-ca-rsapss-cert.pem -url http://localhost:22221/ -rsigopt rsa_mode:pss -rsigopt rsa_padding_mode:pss -rsigopt rsa_pss_saltlen:-1 -respout test-response-rsapss.der
|
||||
openssl ocsp -issuer ./root-ca-cert.pem -cert ./intermediate1-ca-cert.pem -url http://localhost:22221/ -respout test-response-rsapss.der
|
||||
# can verify with the following command
|
||||
# openssl ocsp -respin test-response-nointern.der -CAfile root-ca-cert.pem -issuer intermediate1-ca-cert.pem
|
||||
|
||||
|
|
40
tests/api.c
40
tests/api.c
|
@ -1409,9 +1409,6 @@ static int test_wolfSSL_CheckOCSPResponse(void)
|
|||
const char* responseFile = "./certs/ocsp/test-response.der";
|
||||
const char* responseNoInternFile = "./certs/ocsp/test-response-nointern.der";
|
||||
const char* caFile = "./certs/ocsp/root-ca-cert.pem";
|
||||
#if defined(WC_RSA_PSS)
|
||||
const char* responsePssFile = "./certs/ocsp/test-response-rsapss.der";
|
||||
#endif
|
||||
OcspResponse* res = NULL;
|
||||
byte data[4096];
|
||||
const unsigned char* pt;
|
||||
|
@ -1459,17 +1456,34 @@ static int test_wolfSSL_CheckOCSPResponse(void)
|
|||
wolfSSL_OCSP_RESPONSE_free(res);
|
||||
|
||||
#if defined(WC_RSA_PSS)
|
||||
/* check loading a response with RSA-PSS signature */
|
||||
f = XFOPEN(responsePssFile, "rb");
|
||||
AssertTrue(f != XBADFILE);
|
||||
dataSz = (word32)XFREAD(data, 1, sizeof(data), f);
|
||||
AssertIntGT(dataSz, 0);
|
||||
XFCLOSE(f);
|
||||
{
|
||||
const char* responsePssFile = "./certs/ocsp/test-response-rsapss.der";
|
||||
|
||||
pt = data;
|
||||
res = wolfSSL_d2i_OCSP_RESPONSE(NULL, &pt, dataSz);
|
||||
AssertNotNull(res);
|
||||
wolfSSL_OCSP_RESPONSE_free(res);
|
||||
/* check loading a response with RSA-PSS signature */
|
||||
f = XFOPEN(responsePssFile, "rb");
|
||||
AssertTrue(f != XBADFILE);
|
||||
dataSz = (word32)XFREAD(data, 1, sizeof(data), f);
|
||||
AssertIntGT(dataSz, 0);
|
||||
XFCLOSE(f);
|
||||
|
||||
pt = data;
|
||||
res = wolfSSL_d2i_OCSP_RESPONSE(NULL, &pt, dataSz);
|
||||
AssertNotNull(res);
|
||||
|
||||
/* try to verify the response */
|
||||
issuer = wolfSSL_X509_load_certificate_file(caFile, SSL_FILETYPE_PEM);
|
||||
AssertNotNull(issuer);
|
||||
st = wolfSSL_X509_STORE_new();
|
||||
AssertNotNull(st);
|
||||
AssertIntEQ(wolfSSL_X509_STORE_add_cert(st, issuer), WOLFSSL_SUCCESS);
|
||||
bs = wolfSSL_OCSP_response_get1_basic(res);
|
||||
AssertNotNull(bs);
|
||||
AssertIntEQ(wolfSSL_OCSP_basic_verify(bs, NULL, st, 0), WOLFSSL_SUCCESS);
|
||||
wolfSSL_OCSP_BASICRESP_free(bs);
|
||||
wolfSSL_OCSP_RESPONSE_free(res);
|
||||
wolfSSL_X509_STORE_free(st);
|
||||
wolfSSL_X509_free(issuer);
|
||||
}
|
||||
#endif
|
||||
|
||||
printf(resultFmt, passed);
|
||||
|
|
|
@ -33414,6 +33414,10 @@ static const ASNItem ocspBasicRespASN[] = {
|
|||
/* SIGALGO */ { 1, ASN_SEQUENCE, 1, 1, 0, },
|
||||
/* SIGALGO_OID */ { 2, ASN_OBJECT_ID, 0, 0, 0 },
|
||||
/* SIGALGO_NULL */ { 2, ASN_TAG_NULL, 0, 0, 1 },
|
||||
/* parameters */
|
||||
#ifdef WC_RSA_PSS
|
||||
/* SIGALGO_PARAMS */ { 2, ASN_SEQUENCE, 1, 0, 1 },
|
||||
#endif
|
||||
/* signature */
|
||||
/* SIGNATURE */ { 1, ASN_BIT_STRING, 0, 0, 0 },
|
||||
/* certs */
|
||||
|
@ -33426,6 +33430,9 @@ enum {
|
|||
OCSPBASICRESPASN_IDX_SIGALGO,
|
||||
OCSPBASICRESPASN_IDX_SIGALGO_OID,
|
||||
OCSPBASICRESPASN_IDX_SIGALGO_NULL,
|
||||
#ifdef WC_RSA_PSS
|
||||
OCSPBASICRESPASN_IDX_SIGNATURE_PARAMS,
|
||||
#endif
|
||||
OCSPBASICRESPASN_IDX_SIGNATURE,
|
||||
OCSPBASICRESPASN_IDX_CERTS,
|
||||
OCSPBASICRESPASN_IDX_CERTS_SEQ,
|
||||
|
@ -33607,6 +33614,8 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
|
|||
DECL_ASNGETDATA(dataASN, ocspBasicRespASN_Length);
|
||||
int ret = 0;
|
||||
word32 idx = *ioIndex;
|
||||
const byte* sigParams = NULL;
|
||||
word32 sigParamsSz = 0;
|
||||
#ifndef WOLFSSL_NO_OCSP_OPTIONAL_CERTS
|
||||
#ifdef WOLFSSL_SMALL_STACK
|
||||
DecodedCert* cert = NULL;
|
||||
|
@ -33639,6 +33648,16 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
|
|||
ret = ASN_PARSE_E;
|
||||
}
|
||||
}
|
||||
#ifdef WC_RSA_PSS
|
||||
if (ret == 0 && (dataASN[X509CERTASN_IDX_SIGALGO_PARAMS].tag != 0)) {
|
||||
sigParams = GetASNItem_Addr(
|
||||
dataASN[OCSPBASICRESPASN_IDX_SIGNATURE_PARAMS],
|
||||
source);
|
||||
sigParamsSz =
|
||||
GetASNItem_Length(dataASN[OCSPBASICRESPASN_IDX_SIGNATURE_PARAMS],
|
||||
source);
|
||||
}
|
||||
#endif
|
||||
if (ret == 0) {
|
||||
/* Get the signature OID and signature. */
|
||||
resp->sigOID = dataASN[OCSPBASICRESPASN_IDX_SIGALGO_OID].data.oid.sum;
|
||||
|
@ -33711,7 +33730,8 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
|
|||
/* Check the signature of the response CA public key. */
|
||||
sigValid = ConfirmSignature(&sigCtx, resp->response,
|
||||
resp->responseSz, ca->publicKey, ca->pubKeySize, ca->keyOID,
|
||||
resp->sig, resp->sigSz, resp->sigOID, NULL, 0, NULL);
|
||||
resp->sig, resp->sigSz, resp->sigOID, sigParams, sigParamsSz,
|
||||
NULL);
|
||||
}
|
||||
if ((ca == NULL) || (sigValid != 0)) {
|
||||
/* Didn't find certificate or signature verificate failed. */
|
||||
|
|
Loading…
Reference in New Issue