Merge pull request #526 from julek-wolfssl/ocsp-stapling

Adds OCSP stapling example and TLS 1.3 support

Author: dgarske

.gitignore

@@ -301,6 +301,8 @@ hash/sha3-256-hash-string
 hash/sha512-hash
 
 ocsp/ocsp_nonblock/ocsp_nonblock
+ocsp/stapling/ocsp-client
+ocsp/stapling/ocsp-server
 
 sslkeylog.log
 
@@ -381,3 +383,8 @@ tpm/evp_tpm
 /Arduino/sketches/output.log
 /**/*.bak
 
+# Eclipse
+\.settings/
+\.cproject
+\.project
+\.autotools

ocsp/stapling/Makefile

@@ -0,0 +1,42 @@
+# Examples Makefile
+CC       = gcc
+WOLFSSL_INSTALL_DIR = /usr/local
+CFLAGS   = -Wall -I$(WOLFSSL_INSTALL_DIR)/include
+LIBS     = -L$(WOLFSSL_INSTALL_DIR)/lib
+
+# option variables
+DYN_LIB         = -lwolfssl
+STATIC_LIB      = $(WOLFSSL_INSTALL_DIR)/lib/libwolfssl.a
+DEBUG_FLAGS     = -g3 -O0 -DDEBUG
+DEBUG_INC_PATHS = -MD
+OPTIMIZE        = -O2
+
+# Options
+CFLAGS+=$(DEBUG_FLAGS)
+#CFLAGS+=$(OPTIMIZE)
+#LIBS+=$(STATIC_LIB)
+LIBS+=$(DYN_LIB)
+
+# build targets
+SRC=$(wildcard *.c)
+TARGETS=$(patsubst %.c, %, $(SRC))
+
+.PHONY: clean all
+
+all: $(TARGETS)
+
+debug: CFLAGS+=$(DEBUG_FLAGS)
+debug: all
+
+# build template
+%: %.c
+	$(CC) -o $@ $< $(CFLAGS) $(LIBS)
+
+responder:
+	openssl ocsp -index responder-certs/index.txt -port 22221 \
+	    -rsigner responder-certs/ocsp-responder-cert.pem \
+		-rkey responder-certs/ocsp-responder-key.pem \
+		-CA client-certs/intermediate1-ca-cert.pem
+
+clean:
+	rm -f $(TARGETS)

ocsp/stapling/README.md

@@ -0,0 +1,71 @@
+# OCSP Stapling Example with wolfSSL
+
+This directory contains a standalone example demonstrating OCSP stapling with dynamic certificate selection and verification. Both a client and a server are provided, along with the necessary certificates and a Makefile for building the example. The certificates are taken from the wolfSSL test suite.
+
+## Directory Structure
+
+- `ocsp-server.c` — Example TLS server with OCSP stapling support.
+- `ocsp-client.c` — Example TLS client that verifies OCSP staples.
+- `Makefile` — Build instructions for the example programs.
+- `client-certs/` — CA and intermediate certificates for client verification.
+- `server-certs/` — Server certificate and private key.
+- `responder-certs/` — OCSP responder certificate, key, and index file.
+
+## Prerequisites
+
+- wolfSSL library installed (headers and libraries in `/usr/local` by default).
+- OpenSSL (for running a local OCSP responder).
+- GNU Make and GCC.
+
+## Building
+
+For this example, you need to build wolfSSL with OCSP and session certificate support. The following configuration options are required:
+
+```sh
+./configure --enable-ocsp --enable-ocspstapling --enable-ocspstapling2 --enable-cert-setup-cb --enable-sessioncerts
+make
+make install
+```
+
+To build both the server and client, simply run:
+
+```sh
+make
+```
+
+This will produce two binaries: `ocsp-server` and `ocsp-client`.
+
+## Running the Example
+
+### 1. Start the OCSP Responder
+
+From the `stapling` directory, run:
+
+```sh
+make responder
+```
+
+### 2. Start the Server
+
+```sh
+./ocsp-server
+```
+
+### 3. Run the Client
+
+In a separate terminal, run either:
+
+```sh
+./ocsp-client --tls12
+```
+or
+```sh
+./ocsp-client --tls13
+```
+
+## Notes
+
+- The server listens on `127.0.0.1:11111`.
+- The OCSP responder listens on `127.0.0.1:22221`.
+- Certificates are pre-generated for demonstration purposes.
+- The client and server demonstrate both automatic and manual OCSP staple verification.

ocsp/stapling/client-certs/intermediate1-ca-cert.pem

@@ -0,0 +1,184 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1 (0x1)
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Engineering, CN = wolfSSL root CA, emailAddress = [email protected]
+        Validity
+            Not Before: Dec 18 21:25:31 2024 GMT
+            Not After : Sep 14 21:25:31 2027 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Engineering, CN = wolfSSL intermediate CA 1, emailAddress = [email protected]
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:de:b4:c8:5c:77:e0:2d:b1:f5:b9:ad:16:47:35:
+                    a0:35:65:65:c6:e1:40:ab:1e:b4:b9:13:b7:cb:8c:
+                    bb:77:a5:76:da:6d:87:87:f6:4a:4d:13:e4:26:3e:
+                    27:87:ee:5b:c7:6a:3f:45:30:61:55:5c:f6:35:d1:
+                    65:fa:98:11:a3:a7:55:d5:be:91:82:4b:fc:be:90:
+                    d6:50:53:63:9a:2c:22:e1:35:11:dc:78:02:97:8a:
+                    e4:46:92:9c:53:08:76:de:1f:53:b6:b8:ca:77:3e:
+                    79:6e:bc:d0:e3:0d:30:5b:4c:f6:94:0d:30:29:64:
+                    9f:04:e5:db:fb:89:60:67:bb:af:26:83:51:77:24:
+                    2f:2b:0b:a1:94:81:10:98:e8:eb:26:a8:1e:7c:e4:
+                    c4:6c:67:06:95:55:4a:dd:52:f4:f2:60:6d:01:2b:
+                    19:91:35:6d:a4:08:47:06:71:24:00:d9:de:c6:56:
+                    f3:8b:53:2c:e2:9a:96:a5:f3:62:e5:c4:e3:23:f2:
+                    d2:fc:21:ea:0f:62:76:8d:d5:99:48:ce:dc:58:c4:
+                    bb:7f:da:94:2c:80:74:83:c5:e0:b0:15:7e:41:fd:
+                    0e:f2:f4:f0:78:76:7b:ad:26:0d:aa:48:96:17:2f:
+                    21:e3:95:2b:26:37:f9:aa:80:2f:fe:de:f6:5e:bc:
+                    97:7f
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:TRUE
+            X509v3 Subject Key Identifier: 
+                83:C6:3A:89:2C:81:F4:02:D7:9D:4C:E2:2A:C0:71:82:64:44:DA:0E
+            X509v3 Authority Key Identifier: 
+                keyid:73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21
+                DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/[email protected]
+                serial:63
+            X509v3 Key Usage: 
+                Certificate Sign, CRL Sign
+            Authority Information Access: 
+                OCSP - URI:http://127.0.0.1:22220
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        75:57:f1:0c:87:8f:a2:70:3c:ce:e4:70:0e:99:6a:da:c4:80:
+        94:2c:25:0c:de:0d:7b:f3:94:f1:e8:ad:6f:d0:de:9a:9d:f5:
+        64:31:65:3f:18:e6:c3:f5:b5:1d:a2:be:5b:97:79:41:78:15:
+        1c:b3:83:de:d0:00:ea:d2:70:43:c5:60:60:07:72:e5:76:59:
+        b8:0e:2f:47:c9:8d:a4:4c:f1:20:b0:40:3b:ed:e9:de:b2:46:
+        10:90:1b:0f:96:16:e6:97:bc:d5:9a:93:aa:3c:e3:b3:6b:5f:
+        db:2c:af:2b:da:7c:36:36:aa:86:a1:65:70:c8:f1:34:d1:1f:
+        10:96:71:e6:cf:69:5c:bf:0e:15:33:97:fe:40:42:be:30:48:
+        ad:fb:d7:0e:7b:73:dd:64:30:7e:10:81:ac:3b:0b:3c:e4:12:
+        9f:31:8b:3d:f0:9b:84:dc:5b:32:33:39:de:eb:1a:17:89:d8:
+        1b:00:33:2d:50:a4:1a:2c:11:a2:60:ac:c1:9a:0f:44:90:00:
+        cf:8d:6c:af:5b:71:23:7a:a7:4f:df:f5:3f:5c:ae:93:ca:4e:
+        ec:f0:1b:f4:fa:53:7d:d9:36:af:5e:4c:54:c7:3a:d5:e3:68:
+        ca:78:e5:1f:55:44:65:eb:00:2d:c3:c8:ba:0e:1f:47:1c:67:
+        2e:a9:c1:6e
+-----BEGIN CERTIFICATE-----
+MIIE8DCCA9igAwIBAgIBATANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx
+EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM
+B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM
+IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjQx
+MjE4MjEyNTMxWhcNMjcwOTE0MjEyNTMxWjCBoTELMAkGA1UEBhMCVVMxEzARBgNV
+BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT
+U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSIwIAYDVQQDDBl3b2xmU1NMIGludGVy
+bWVkaWF0ZSBDQSAxMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3rTIXHfgLbH1ua0WRzWgNWVl
+xuFAqx60uRO3y4y7d6V22m2Hh/ZKTRPkJj4nh+5bx2o/RTBhVVz2NdFl+pgRo6dV
+1b6Rgkv8vpDWUFNjmiwi4TUR3HgCl4rkRpKcUwh23h9TtrjKdz55brzQ4w0wW0z2
+lA0wKWSfBOXb+4lgZ7uvJoNRdyQvKwuhlIEQmOjrJqgefOTEbGcGlVVK3VL08mBt
+ASsZkTVtpAhHBnEkANnexlbzi1Ms4pqWpfNi5cTjI/LS/CHqD2J2jdWZSM7cWMS7
+f9qULIB0g8XgsBV+Qf0O8vTweHZ7rSYNqkiWFy8h45UrJjf5qoAv/t72XryXfwID
+AQABo4IBOTCCATUwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUg8Y6iSyB9ALXnUzi
+KsBxgmRE2g4wgcQGA1UdIwSBvDCBuYAUc7AcpC+Cy89HpTjXsASCOn5yFSGhgZ2k
+gZowgZcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQH
+DAdTZWF0dGxlMRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmlu
+ZzEYMBYGA1UEAwwPd29sZlNTTCByb290IENBMR8wHQYJKoZIhvcNAQkBFhBpbmZv
+QHdvbGZzc2wuY29tggFjMAsGA1UdDwQEAwIBBjAyBggrBgEFBQcBAQQmMCQwIgYI
+KwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6MjIyMjAwDQYJKoZIhvcNAQELBQAD
+ggEBAHVX8QyHj6JwPM7kcA6ZatrEgJQsJQzeDXvzlPHorW/Q3pqd9WQxZT8Y5sP1
+tR2ivluXeUF4FRyzg97QAOrScEPFYGAHcuV2WbgOL0fJjaRM8SCwQDvt6d6yRhCQ
+Gw+WFuaXvNWak6o847NrX9ssryvafDY2qoahZXDI8TTRHxCWcebPaVy/DhUzl/5A
+Qr4wSK371w57c91kMH4Qgaw7CzzkEp8xiz3wm4TcWzIzOd7rGheJ2BsAMy1QpBos
+EaJgrMGaD0SQAM+NbK9bcSN6p0/f9T9crpPKTuzwG/T6U33ZNq9eTFTHOtXjaMp4
+5R9VRGXrAC3DyLoOH0ccZy6pwW4=
+-----END CERTIFICATE-----
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 99 (0x63)
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Engineering, CN = wolfSSL root CA, emailAddress = [email protected]
+        Validity
+            Not Before: Dec 18 21:25:31 2024 GMT
+            Not After : Sep 14 21:25:31 2027 GMT
+        Subject: C = US, ST = Washington, L = Seattle, O = wolfSSL, OU = Engineering, CN = wolfSSL root CA, emailAddress = [email protected]
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:ab:2c:b4:2f:1d:06:09:ef:4e:29:86:84:7e:cc:
+                    bf:a6:79:7c:f0:c0:c1:64:25:8c:75:b7:10:05:ca:
+                    48:27:0c:0e:32:1c:b0:fe:99:85:39:b6:b9:a2:f7:
+                    27:ff:6d:3c:8c:16:73:29:21:7f:8b:a6:54:71:90:
+                    ad:cc:05:b9:9f:15:c7:0a:3f:5f:69:f4:0a:5f:8c:
+                    71:b5:2c:bf:66:e2:03:9a:32:f4:d2:ec:2a:89:4b:
+                    f9:35:88:14:33:47:4e:2e:05:79:01:ed:64:36:76:
+                    b9:f8:85:cd:01:88:ac:c5:b2:b1:59:b8:cd:5a:f4:
+                    09:09:38:9b:da:5a:cf:ce:78:99:1f:49:3d:41:d6:
+                    06:7c:52:99:c8:97:d1:b3:80:3a:a2:4f:36:c4:c5:
+                    96:30:77:31:38:c8:70:cc:e1:67:06:b3:2b:2f:93:
+                    b5:69:cf:83:7e:88:53:9b:0f:46:21:4c:d6:05:36:
+                    44:99:60:68:47:e5:32:01:12:d4:10:73:ae:9a:34:
+                    94:fa:6e:b8:58:4f:7b:5b:8a:92:97:ad:fd:97:b9:
+                    75:ca:c2:d4:45:7d:17:6b:cd:2f:f3:63:7a:0e:30:
+                    b5:0b:a9:d9:a6:7c:74:60:9d:cc:09:03:43:f1:0f:
+                    90:d3:b7:fe:6c:9f:d9:cd:78:4b:15:ae:8c:5b:f9:
+                    99:81
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:TRUE
+            X509v3 Subject Key Identifier: 
+                73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21
+            X509v3 Authority Key Identifier: 
+                keyid:73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21
+                DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/[email protected]
+                serial:63
+            X509v3 Key Usage: 
+                Certificate Sign, CRL Sign
+            Authority Information Access: 
+                OCSP - URI:http://127.0.0.1:22220
+    Signature Algorithm: sha256WithRSAEncryption
+    Signature Value:
+        76:e8:fa:f6:1e:5b:0e:ff:24:43:e0:cb:19:26:38:d9:df:18:
+        5d:66:e1:4b:ac:e4:8e:b0:49:2c:d6:04:20:eb:4a:a8:06:d7:
+        55:ec:6b:38:f8:0f:8c:e6:c9:ec:42:f0:ca:07:9f:88:7a:ee:
+        bf:af:3f:7d:d3:45:67:20:84:bb:c7:c5:32:69:ab:59:e1:e3:
+        38:4b:ed:18:2e:de:da:88:ec:a0:b7:ff:c1:50:96:73:e3:03:
+        df:a1:e7:47:93:13:1d:fb:e6:6b:37:3e:50:a3:eb:5b:24:26:
+        d2:43:2e:6e:9c:83:9c:fb:79:ba:cd:fd:3b:e5:87:87:a7:0f:
+        5f:f9:64:34:56:5e:8b:13:e2:c4:41:e3:9d:3e:36:2d:cb:d3:
+        5f:d3:12:90:bf:78:c1:4c:df:eb:7b:99:e6:1e:ee:52:78:6f:
+        0c:82:e1:59:d4:25:40:e5:24:95:3e:0f:cc:08:60:fe:b4:8c:
+        48:42:bf:29:74:92:71:1a:85:00:a7:4c:f0:c0:32:47:f3:be:
+        f4:08:5c:f2:43:e0:b9:76:86:60:9a:3b:af:d6:32:41:5f:b0:
+        04:12:44:2a:44:19:d4:27:d3:ce:71:7e:5b:16:1a:f5:0c:db:
+        43:b0:a6:bb:76:02:f6:e0:30:4e:04:f4:f3:9b:cd:d4:ae:45:
+        94:c5:8c:bb
+-----BEGIN CERTIFICATE-----
+MIIE5jCCA86gAwIBAgIBYzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx
+EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM
+B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM
+IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMjQx
+MjE4MjEyNTMxWhcNMjcwOTE0MjEyNTMxWjCBlzELMAkGA1UEBhMCVVMxEzARBgNV
+BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT
+U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NMIHJvb3Qg
+Q0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQCrLLQvHQYJ704phoR+zL+meXzwwMFkJYx1txAF
+ykgnDA4yHLD+mYU5trmi9yf/bTyMFnMpIX+LplRxkK3MBbmfFccKP19p9ApfjHG1
+LL9m4gOaMvTS7CqJS/k1iBQzR04uBXkB7WQ2drn4hc0BiKzFsrFZuM1a9AkJOJva
+Ws/OeJkfST1B1gZ8UpnIl9GzgDqiTzbExZYwdzE4yHDM4WcGsysvk7Vpz4N+iFOb
+D0YhTNYFNkSZYGhH5TIBEtQQc66aNJT6brhYT3tbipKXrf2XuXXKwtRFfRdrzS/z
+Y3oOMLULqdmmfHRgncwJA0PxD5DTt/5sn9nNeEsVroxb+ZmBAgMBAAGjggE5MIIB
+NTAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBRzsBykL4LLz0elONewBII6fnIVITCB
+xAYDVR0jBIG8MIG5gBRzsBykL4LLz0elONewBII6fnIVIaGBnaSBmjCBlzELMAkG
+A1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUx
+EDAOBgNVBAoMB3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQD
+DA93b2xmU1NMIHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j
+b22CAWMwCwYDVR0PBAQDAgEGMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYW
+aHR0cDovLzEyNy4wLjAuMToyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAduj69h5b
+Dv8kQ+DLGSY42d8YXWbhS6zkjrBJLNYEIOtKqAbXVexrOPgPjObJ7ELwygefiHru
+v68/fdNFZyCEu8fFMmmrWeHjOEvtGC7e2ojsoLf/wVCWc+MD36HnR5MTHfvmazc+
+UKPrWyQm0kMubpyDnPt5us39O+WHh6cPX/lkNFZeixPixEHjnT42LcvTX9MSkL94
+wUzf63uZ5h7uUnhvDILhWdQlQOUklT4PzAhg/rSMSEK/KXSScRqFAKdM8MAyR/O+
+9Ahc8kPguXaGYJo7r9YyQV+wBBJEKkQZ1CfTznF+WxYa9QzbQ7Cmu3YC9uAwTgT0
+85vN1K5FlMWMuw==
+-----END CERTIFICATE-----