diff --git a/src/ssl_certman.c b/src/ssl_certman.c
index 286831b9d2a..be4cf1fc90f 100644
--- a/src/ssl_certman.c
+++ b/src/ssl_certman.c
@@ -2484,6 +2484,25 @@ int wolfSSL_CertManagerSetOCSP_Cb(WOLFSSL_CERT_MANAGER* cm, CbOCSPIO ioCb,
 return ret;
 }
+WOLFSSL_API int wolfSSL_CertManagerSetOCSPResponseIssuer_Cb(WOLFSSL_CERT_MANAGER* cm,
+ CbOCSPRespCert respCertCb)
+{
+ int ret = WOLFSSL_SUCCESS;
+
+ WOLFSSL_ENTER("wolfSSL_CertManagerSetOCSP_Cb");
+
+ /* Validate parameters. */
+ if (cm == NULL) {
+ ret = BAD_FUNC_ARG;
+ }
+ if (ret == WOLFSSL_SUCCESS) {
+ /* Set callback into certificate manager. */
+ cm->ocspRespCertCb = respCertCb;
+ }
+
+ return ret;
+}
+
 #endif /* HAVE_OCSP */
 #endif /* NO_CERTS */
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index a68e4bf85ca..b8626cc0241 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -39514,6 +39514,7 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
 int ret = 0;
 word32 idx = *ioIndex;
 Signer* ca = NULL;
+ CbOCSPRespCert ocspRespCertCb = (NULL != cm) ? ((WOLFSSL_CERT_MANAGER*)cm)->ocspRespCertCb: NULL;
 int sigValid = 0;
 WOLFSSL_ENTER("DecodeBasicOcspResponse");
@@ -39562,6 +39563,11 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
 GetASN_GetRef(&dataASN[OCSPBASICRESPASN_IDX_CERTS_SEQ], &resp->cert, &resp->certSz);
 }
+ /* If no certificate was read from the response data, but an response issuer certificate callback is available. */
+ if ((ret == 0) && (resp->certSz == 0) && (ocspRespCertCb != NULL)) {
+ /* Call callback to obtain issuing certificate data. */
+ resp->certSz = ocspRespCertCb(&resp->cert);
+ }
 if ((ret == 0) && resp->certSz > 0) {
 ret = OcspCheckCert(resp, noVerify, noVerifySignature,
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
index 77865ed897b..8b12a7345bc 100644
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
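Review bot: The trace macro in the new setter names the wrong function: `WOLFSSL_ENTER("wolfSSL_CertManagerSetOCSP_Cb");` was evidently carried over from the preceding setter shown in the hunk header, so debug traces from this function will be attributed to wolfSSL_CertManagerSetOCSP_Cb. Change it to `WOLFSSL_ENTER("wolfSSL_CertManagerSetOCSPResponseIssuer_Cb");`. The validate-then-assign shape of the body otherwise matches its sibling and the function is fully contained in the hunk.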
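Review bot: The added declaration of `ocspRespCertCb` packs a Yoda comparison, a cast and a conditional into one line that runs far past the width of the surrounding declarations, and the `: NULL` spacing is inconsistent with the rest of the expression. It would read like its neighbours as `CbOCSPRespCert ocspRespCertCb = NULL;` at the declaration, followed by `if (cm != NULL) { ocspRespCertCb = ((WOLFSSL_CERT_MANAGER*)cm)->ocspRespCertCb; }` once the declarations end. DecodeBasicOcspResponse begins and ends outside the hunk.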
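Review bot: The callback's int return is stored directly into the length field at `resp->certSz = ocspRespCertCb(&resp->cert);` with no sign check, so a callback that signals failure with a negative value would, if certSz is an unsigned width as its use as a GetASN_GetRef length out-parameter suggests, turn into a very large length that the following `resp->certSz > 0` test accepts and hands to OcspCheckCert together with whatever the callback left in `resp->cert`. Capture the return in an int, treat a negative value as an error, and only then assign the length. Nothing in the hunk says who owns the buffer the callback writes into `resp->cert` or how long it must stay valid, which the comment above the call should state; that comment also reads `an response` where `a response` is meant. DecodeBasicOcspResponse begins and ends outside the hunk.
```c
    if ((ret == 0) && (resp->certSz == 0) && (ocspRespCertCb != NULL)) {
        /* Callback supplies a responder certificate when the response carried
         * none. The buffer it returns remains owned by the application and
         * must stay valid while resp is in use; a negative return is an
         * error, never a length. */
        int cbRet = ocspRespCertCb(&resp->cert);
        if (cbRet < 0) {
            ret = cbRet;
        }
        else {
            resp->certSz = cbRet;
        }
    }
    /* … unchanged: OcspCheckCert call … */
```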
@@ -2696,6 +2696,7 @@ struct WOLFSSL_CERT_MANAGER {
 crlErrorCb crlCb; /* Allow user to override error */
 void* crlCbCtx;
 CbOCSPIO ocspIOCb; /* I/O callback for OCSP lookup */
+ CbOCSPRespCert ocspRespCertCb; /* Callback for OCSP response issuer certificate */
 CbOCSPRespFree ocspRespFreeCb; /* Frees OCSP Response from IO Cb */
 wolfSSL_Mutex caLock; /* CA list lock */
 byte crlEnabled:1; /* is CRL on ? */
diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h
index f58d5427969..a73fe51ccc5 100644
--- a/wolfssl/ssl.h
+++ b/wolfssl/ssl.h
@@ -3749,6 +3749,7 @@ typedef int (*crlErrorCb)(int ret, WOLFSSL_CRL* crl, WOLFSSL_CERT_MANAGER* cm, void* ctx);
 typedef int (*CbOCSPIO)(void*, const char*, int, unsigned char*, int, unsigned char**);
+typedef int (*CbOCSPRespCert)(unsigned char**);
 typedef void (*CbOCSPRespFree)(void*,unsigned char*);
 #ifdef HAVE_CRL_IO
@@ -4264,6 +4265,8 @@ WOLFSSL_API void wolfSSL_CTX_SetPerformTlsRecordProcessingCb(WOLFSSL_CTX* ctx, WOLFSSL_CERT_MANAGER* cm, const char* url);
 WOLFSSL_API int wolfSSL_CertManagerSetOCSP_Cb(WOLFSSL_CERT_MANAGER* cm, CbOCSPIO ioCb, CbOCSPRespFree respFreeCb, void* ioCbCtx);
+ WOLFSSL_API int wolfSSL_CertManagerSetOCSPResponseIssuer_Cb(WOLFSSL_CERT_MANAGER* cm,
+ CbOCSPRespCert respCertCb);
 WOLFSSL_API int wolfSSL_CertManagerEnableOCSPStapling( WOLFSSL_CERT_MANAGER* cm);
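Review bot: The new `typedef int (*CbOCSPRespCert)(unsigned char**);` carries no description of its contract, and the only caller shown (DecodeBasicOcspResponse in asn.c) assigns its return straight to a certificate length and keeps the pointer it writes. A comment above the typedef should state that the callback stores a pointer to the responder's certificate (presumably DER, matching what the response would otherwise have carried) in the out-parameter and returns its length in bytes or a negative value on error, that wolfSSL does not free that buffer, and how long it must remain valid. Without that, implementers have no way to know whether a stack buffer, a static buffer or a heap allocation is acceptable.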
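Review bot: The added prototype `WOLFSSL_API int wolfSSL_CertManagerSetOCSPResponseIssuer_Cb(` appears to begin with leading whitespace, since its `+` marker is followed by a space while the neighbouring `wolfSSL_CertManagerSetOCSP_Cb` and `wolfSSL_CertManagerEnableOCSPStapling` declarations sit at column 0; the collapsed layout here makes this hard to be certain of, so confirm against the rendered header. If so, align it with its neighbours and indent only the `CbOCSPRespCert respCertCb);` continuation line.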