Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OCSP stapling with HAProxy as a server #7593

Closed
wants to merge 1 commit into from
Closed

OCSP stapling with HAProxy as a server #7593

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
46 changes: 43 additions & 3 deletions src/ocsp.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -730,6 +730,7 @@ WOLFSSL_OCSP_CERTID* wolfSSL_OCSP_cert_to_id(
WOLFSSL_CERT_MANAGER* cm = NULL;
int ret = -1;
DerBuffer* derCert = NULL;

#ifdef WOLFSSL_SMALL_STACK
DecodedCert *cert = NULL;
#else
Expand Down Expand Up @@ -1211,6 +1212,41 @@ int wolfSSL_i2d_OCSP_REQUEST_bio(WOLFSSL_BIO* out,
}
#endif /* !NO_BIO */

/* workaround to provide some similar functionaly as i2d_OCSP_CERTID,
* as it seems not to be implemented in WolfSSL in the same way as in OpenSSL.
* wolfSSL_i2d_OCSP_CERTID in its given implementation always returns 0, when
* proper cert_id and valid address in *data are provided. This happens, because
* id->rawCertIdSize is always 0 at this stage (HAProxy OCSP load workflow), as
* it's not filled by wolfSSL_OCSP_cert_to_id(), called by haproxy before.
*/
#if defined(WOLFSSL_HAPROXY)

/* Apparently 128 is max len of CertID defined in rfc2560 (X.509 Internet Public
* Key Infrastructure Online Certificate Status Protocol - OCSP)
* CertID ::= SEQUENCE {
hashAlgorithm AlgorithmIdentifier, --> word32 hashAlgoOID in OcspEntry
issuerNameHash OCTET STRING, -- Hash of Issuer's DN --> limited by OCSP_DIGEST_SIZE=32
issuerKeyHash OCTET STRING, -- Hash of Issuers public key --> limited by OCSP_DIGEST_SIZE=32
serialNumber CertificateSerialNumber --> limited by EXTERNAL_SERIAL_SIZE=32
* }
*/
#define OCSP_MAX_CERTID_ASN1_LENGTH 128
int wolfSSL_i2d_OCSP_CERTID(WOLFSSL_OCSP_CERTID* id, unsigned char** encoded_cert_id)
{
if (id == NULL)
return WOLFSSL_FAILURE;

if (!sizeof(id->issuerHash) || (sizeof(id->issuerHash) > OCSP_MAX_CERTID_ASN1_LENGTH))
return WOLFSSL_FAILURE;

if (!encoded_cert_id)
return sizeof(id->issuerHash);

XMEMCPY(*encoded_cert_id, id->issuerHash, sizeof(id->issuerHash));

return sizeof(id->issuerHash);
}
#else
int wolfSSL_i2d_OCSP_CERTID(WOLFSSL_OCSP_CERTID* id, unsigned char** data)
{
if (id == NULL || data == NULL)
Expand All @@ -1231,6 +1267,8 @@ int wolfSSL_i2d_OCSP_CERTID(WOLFSSL_OCSP_CERTID* id, unsigned char** data)
return id->rawCertIdSize;
}

#endif /* WOLFSSL_HAPROXY */

WOLFSSL_OCSP_CERTID* wolfSSL_d2i_OCSP_CERTID(WOLFSSL_OCSP_CERTID** cidOut,
const unsigned char** derIn,
int length)
Expand Down Expand Up @@ -1294,9 +1332,11 @@ int wolfSSL_OCSP_id_cmp(WOLFSSL_OCSP_CERTID *a, WOLFSSL_OCSP_CERTID *b)
if (a == NULL || b == NULL)
return WOLFSSL_FATAL_ERROR;

ret = a->hashAlgoOID != b->hashAlgoOID;
if (ret == 0)
ret = XMEMCMP(a->issuerHash, b->issuerHash, OCSP_DIGEST_SIZE);
/* commented this one, as hashAlgoOID is not set by WOLFSSL_OCSP_CERTID
* ret = a->hashAlgoOID != b->hashAlgoOID;
* if (ret == 0)
*/
ret = XMEMCMP(a->issuerHash, b->issuerHash, OCSP_DIGEST_SIZE);
if (ret == 0)
ret = XMEMCMP(a->issuerKeyHash, b->issuerKeyHash, OCSP_DIGEST_SIZE);
if (ret == 0) {
Expand Down
Loading