Add OCSP response issuer certificate callback zd#20415 #9115
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Contributor
|
🛟 Devin Lifeguard found 1 likely issues in this PR
@ptsiewie |
|
Can one of the admins verify this patch? |
Contributor
|
Okay to test. Contributor agreement on file. |
dgarske
requested changes
Aug 29, 2025
| return ret; | ||
| } | ||
|
|
||
| WOLFSSL_API int wolfSSL_CertManagerSetOCSPResponseIssuer_Cb(WOLFSSL_CERT_MANAGER* cm, |
Contributor
There was a problem hiding this comment.
Only the public API needs WOLFSSL_API.
| GetASN_GetRef(&dataASN[OCSPBASICRESPASN_IDX_CERTS_SEQ], &resp->cert, | ||
| &resp->certSz); | ||
| } | ||
| /* If no certificate was read from the response data, but an response issuer certificate callback is available. */ |
Contributor
There was a problem hiding this comment.
Please add callback in the non ASN template case too... above. Test with --enable-asn=original.
| int ret = 0; | ||
| word32 idx = *ioIndex; | ||
| Signer* ca = NULL; | ||
| CbOCSPRespCert ocspRespCertCb = (NULL != cm) ? ((WOLFSSL_CERT_MANAGER*)cm)->ocspRespCertCb: NULL; |
Contributor
There was a problem hiding this comment.
Please fix to 80 characters max:
src/ssl_certman.c:2487 WOLFSSL_API int wolfSSL_CertManagerSetOCSPResponseIssuer_Cb(WOLFSSL_CERT_MANAGER* cm,
wolfcrypt/src/asn.c:39517 CbOCSPRespCert ocspRespCertCb = (NULL != cm) ? ((WOLFSSL_CERT_MANAGER*)cm)->ocspRespCertCb: NULL;
wolfcrypt/src/asn.c:39566 /* If no certificate was read from the response data, but an response issuer certificate callback is available. */
wolfssl/internal.h:2699 CbOCSPRespCert ocspRespCertCb; /* Callback for OCSP response issuer certificate */
wolfssl/ssl.h:4268 WOLFSSL_API int wolfSSL_CertManagerSetOCSPResponseIssuer_Cb(WOLFSSL_CERT_MANAGER* cm,
| WOLFSSL_CERT_MANAGER* cm, const char* url); | ||
| WOLFSSL_API int wolfSSL_CertManagerSetOCSP_Cb(WOLFSSL_CERT_MANAGER* cm, | ||
| CbOCSPIO ioCb, CbOCSPRespFree respFreeCb, void* ioCbCtx); | ||
| WOLFSSL_API int wolfSSL_CertManagerSetOCSPResponseIssuer_Cb(WOLFSSL_CERT_MANAGER* cm, |
Contributor
There was a problem hiding this comment.
Please add test case in tests/api.c for new functionality. Thank you
Member
|
Closing in favor of #9144 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
This adds a callback for retrieving OCSP response issuer certificate data in case no such data is provided in the OCSP response's "certificate" extension. In our use case we have the OCSP response which is signed through an issuer chain, but that certificate is not included in the OCSP response certificate extension. This callback allows the OCSP response verification code to retrieve that certificate from the caller, after which the OCSP issuer verification can be performed.
Fixes zd#20415
Relates to zd#19571
Testing
How did you test?
Checklist