Conversation

@julek-wolfssl (Member) commented Aug 27, 2025

  • Expose dynamic TLS certificate loading via WOLFSSL_CERT_SETUP_CB
  • Expose OCSP Status Cb to load responses directly. This bypasses internal checks on the OCSP response which is desirable if the CA is not loaded on the server.
  • OCSP csr: Allow the user to provide OCSP responses to staple for the entire cert chain.
  • Add wc_InitOCSP, wc_FreeOCSP, and wc_CheckCertOcspResponse as wrapper functions around existing OCSP functionality
  • Add test for OCSP cert callback
  • Expose store_ctx functions
  • Add cert-setup-cb to os-check

Co-Authored-By: Marco Oliverio [email protected]
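The description lists the new callbacks but not what the stapled responses end up looking like on the wire, and that is where "staple for the entire cert chain" versus a TLS 1.2 staple differs. The following is an added illustration, not wolfSSL code and not part of this PR: it serializes a TLS 1.3 Certificate message in which every CertificateEntry may carry its own status_request extension (RFC 8446 section 4.4.2), serializes the TLS 1.2 CertificateStatus message that can carry only the leaf's response (RFC 6066 section 8), and bounds-checks a message on the way back in. The certificate and OCSP bytes are constructed placeholders, and the names (`ChainEntry`, `build_tls13_certificate`, `count_stapled_entries`, `demo_chain`) are invented for the example. Because the status callback described above hands a response to the stack without the library's own checks, the application is responsible for supplying a response that is current and belongs to that certificate; the encoder here staples whatever it is given.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HS_CERTIFICATE        11  /* TLS handshake type: Certificate */
#define HS_CERTIFICATE_STATUS 22  /* TLS 1.2 handshake type: CertificateStatus (RFC 6066) */
#define EXT_STATUS_REQUEST     5  /* status_request extension type (RFC 6066) */
#define STATUS_TYPE_OCSP       1  /* CertificateStatusType ocsp */

/* One certificate of the server chain plus the OCSP response the application
 * decided to staple for it (ocsp == NULL when it has none). Hypothetical type. */
typedef struct {
    const uint8_t *cert; size_t cert_len;
    const uint8_t *ocsp; size_t ocsp_len;
} ChainEntry;

static size_t put_u16(uint8_t *p, size_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; return 2; }
static size_t put_u24(uint8_t *p, size_t v) { p[0] = (uint8_t)(v >> 16); p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)v; return 3; }
static size_t get_u16(const uint8_t *p) { return ((size_t)p[0] << 8) | p[1]; }
static size_t get_u24(const uint8_t *p) { return ((size_t)p[0] << 16) | ((size_t)p[1] << 8) | p[2]; }

/* TLS 1.3 Certificate message. Each CertificateEntry has its own extension
 * list, so every certificate in the chain can carry a status_request whose
 * body is CertificateStatus = status_type(1) || OCSPResponse<1..2^24-1>.
 * Returns the encoded length, or 0 if out_cap is too small. */
size_t build_tls13_certificate(const ChainEntry *chain, size_t n, uint8_t *out, size_t out_cap)
{
    size_t need = 4 + 1 + 3;                       /* header, empty request context, list length */
    for (size_t i = 0; i < n; i++) {
        need += 3 + chain[i].cert_len + 2;         /* cert_data<..> + extensions length */
        if (chain[i].ocsp) need += 2 + 2 + 1 + 3 + chain[i].ocsp_len;
    }
    if (need > out_cap) return 0;
    uint8_t *p = out;
    *p++ = HS_CERTIFICATE;
    p += put_u24(p, need - 4);                     /* handshake body length */
    *p++ = 0;                                      /* certificate_request_context: empty for a server */
    p += put_u24(p, need - 8);                     /* certificate_list length */
    for (size_t i = 0; i < n; i++) {
        p += put_u24(p, chain[i].cert_len);
        memcpy(p, chain[i].cert, chain[i].cert_len); p += chain[i].cert_len;
        if (chain[i].ocsp) {
            size_t body = 1 + 3 + chain[i].ocsp_len;
            p += put_u16(p, 2 + 2 + body);         /* extensions length: one extension */
            p += put_u16(p, EXT_STATUS_REQUEST);
            p += put_u16(p, body);
            *p++ = STATUS_TYPE_OCSP;
            p += put_u24(p, chain[i].ocsp_len);
            memcpy(p, chain[i].ocsp, chain[i].ocsp_len); p += chain[i].ocsp_len;
        } else {
            p += put_u16(p, 0);                    /* no extensions for this entry */
        }
    }
    return (size_t)(p - out);
}

/* TLS 1.2 CertificateStatus message. It carries exactly one OCSPResponse, so
 * only the leaf can be stapled this way (intermediates need status_request_v2,
 * RFC 6961). Returns 0 when the leaf has no response or out_cap is too small. */
size_t build_tls12_certificate_status(const ChainEntry *leaf, uint8_t *out, size_t out_cap)
{
    if (!leaf->ocsp) return 0;
    size_t need = 4 + 1 + 3 + leaf->ocsp_len;
    if (need > out_cap) return 0;
    uint8_t *p = out;
    *p++ = HS_CERTIFICATE_STATUS;
    p += put_u24(p, need - 4);
    *p++ = STATUS_TYPE_OCSP;
    p += put_u24(p, leaf->ocsp_len);
    memcpy(p, leaf->ocsp, leaf->ocsp_len); p += leaf->ocsp_len;
    return (size_t)(p - out);
}

/* Walk a TLS 1.3 Certificate message and count the entries that carry a
 * status_request extension. Every length is checked against the remaining
 * input before it is used; -1 means the message is malformed. */
int count_stapled_entries(const uint8_t *msg, size_t len)
{
    if (len < 8 || msg[0] != HS_CERTIFICATE || get_u24(msg + 1) != len - 4) return -1;
    size_t pos = 5 + msg[4];                       /* skip certificate_request_context */
    if (pos + 3 > len) return -1;
    size_t list_len = get_u24(msg + pos); pos += 3;
    if (list_len != len - pos) return -1;
    int stapled = 0;
    while (pos < len) {
        if (pos + 3 > len) return -1;
        size_t cert_len = get_u24(msg + pos); pos += 3;
        if (cert_len == 0 || cert_len > len - pos) return -1;
        pos += cert_len;
        if (pos + 2 > len) return -1;
        size_t ext_len = get_u16(msg + pos); pos += 2;
        if (ext_len > len - pos) return -1;
        size_t end = pos + ext_len;
        while (pos < end) {
            if (pos + 4 > end) return -1;
            size_t type = get_u16(msg + pos), elen = get_u16(msg + pos + 2); pos += 4;
            if (elen > end - pos) return -1;
            if (type == EXT_STATUS_REQUEST) {
                if (elen < 4 || msg[pos] != STATUS_TYPE_OCSP || get_u24(msg + pos + 1) != elen - 4) return -1;
                stapled++;
            }
            pos += elen;
        }
    }
    return stapled;
}

/* Constructed placeholder DER blobs, not real certificates or responses. */
static const uint8_t k_leaf_cert[] = {0x30, 0x03, 0x02, 0x01, 0x01};
static const uint8_t k_leaf_ocsp[] = {0x30, 0x03, 0x0a, 0x01, 0x00};
static const uint8_t k_int_cert[]  = {0x30, 0x03, 0x02, 0x01, 0x02};
static const uint8_t k_int_ocsp[]  = {0x30, 0x03, 0x0a, 0x01, 0x00};
static const uint8_t k_root_cert[] = {0x30, 0x03, 0x02, 0x01, 0x03};

/* Leaf and intermediate have responses to staple; the root has none. */
const ChainEntry demo_chain[3] = {
    { k_leaf_cert, sizeof k_leaf_cert, k_leaf_ocsp, sizeof k_leaf_ocsp },
    { k_int_cert,  sizeof k_int_cert,  k_int_ocsp,  sizeof k_int_ocsp  },
    { k_root_cert, sizeof k_root_cert, NULL,        0                  },
};

int main(void)
{
    uint8_t buf[256];
    size_t n13 = build_tls13_certificate(demo_chain, 3, buf, sizeof buf);
    printf("TLS 1.3 Certificate: %zu bytes, %d entries stapled\n", n13, count_stapled_entries(buf, n13));
    size_t n12 = build_tls12_certificate_status(&demo_chain[0], buf, sizeof buf);
    printf("TLS 1.2 CertificateStatus: %zu bytes (leaf only)\n", n12);
    return 0;
}
```

With the constructed three-entry chain the TLS 1.3 message is 64 bytes and two entries are stapled, while the TLS 1.2 message is 13 bytes and covers the leaf alone; truncating the TLS 1.3 message by one byte makes the parser reject it rather than read past the end.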

@julek-wolfssl julek-wolfssl requested a review from rizlik August 27, 2025 13:45
@julek-wolfssl julek-wolfssl force-pushed the ocsp-callbacks branch 7 times, most recently from 93e9ce1 to a3a2ba8 on August 28, 2025 17:23

@rizlik (Contributor) commented Aug 28, 2025

I like the changes.
I think test needs to be expanded with negative tests and with 1.2 version test for the ocsp response testing.
I also suggest GetOcspResponse or GetOcspStapledResponse instead of GetOcspStaple.

@julek-wolfssl julek-wolfssl force-pushed the ocsp-callbacks branch 5 times, most recently from 3f513f7 to 581e50e on August 29, 2025 15:37
@julek-wolfssl julek-wolfssl self-assigned this Aug 29, 2025
@julek-wolfssl julek-wolfssl marked this pull request as ready for review August 29, 2025 15:37
@devin-ai-integration (Contributor) commented

Devin Lifeguard found 1 likely issue in this PR

  • no-void-functions snippet: Change wc_FreeOCSP to return an int (e.g., 0 on success, negative on failure) and propagate the result of FreeOCSP, updating all call sites accordingly.

@julek-wolfssl
please take a look at the above issues which Devin flagged. Devin will not fix these issues automatically.

@julek-wolfssl (Member, Author) commented

Devin is wrong. FreeOCSP is a void return.

@julek-wolfssl julek-wolfssl changed the title from "tls13 ocsp: suppot lazy cert loading with ocsp stapling" to "tls13 ocsp: support lazy cert loading with ocsp stapling" Sep 16, 2025
@julek-wolfssl julek-wolfssl changed the title from "tls13 ocsp: support lazy cert loading with ocsp stapling" to "tls ocsp: support lazy cert loading with ocsp stapling" Sep 16, 2025
@julek-wolfssl julek-wolfssl force-pushed the ocsp-callbacks branch 6 times, most recently from f42333b to 15bb03a on September 16, 2025 15:37

@julek-wolfssl (Member, Author) left a comment


TODO

  • Add docs once we settle on the new API

@julek-wolfssl julek-wolfssl added the For This Release Release version 5.8.4 label Sep 16, 2025
rizlik previously approved these changes Sep 30, 2025
@julek-wolfssl julek-wolfssl assigned wolfSSL-Bot and unassigned rizlik Sep 30, 2025

@dgarske (Contributor) commented Sep 30, 2025

Jenkins retest this please: "AgentOfflineException"

@julek-wolfssl (Member, Author) commented Oct 2, 2025

Retest this please RequestAbortedException AgentOfflineException

@julek-wolfssl (Member, Author) commented

Espressif failure not relevant and Jenkins keeps crashing.

@dgarske (Contributor) commented Oct 2, 2025

Jenkins retest this please. Fips test was aborted.

@dgarske (Contributor) left a comment

Looks good otherwise! Thank you

@dgarske (Contributor) commented Oct 2, 2025

@julek-wolfssl Please rebase and squash too with your next push. Thank you

@julek-wolfssl julek-wolfssl removed their assignment Oct 3, 2025
Exposes dynamic TLS certificate loading and OCSP stapling to allow applications to load certs lazily.

The server no longer needs to load the CA to staple OCSP responses.

Adds a certificate setup callback (WOLFSSL_CERT_SETUP_CB)
Adds an OCSP status callback to load OCSP responses directly
Adds `wc_NewOCSP`, `wc_FreeOCSP`, and `wc_CheckCertOcspResponse`
Don't call verify twice on the same error
Send correct alert on status response error
@julek-wolfssl (Member, Author) commented

Retest this please RequestAbortedException AgentOfflineException

@dgarske dgarske merged commit ac23b48 into wolfSSL:master Oct 3, 2025
257 checks passed