Skip to content

Add OCSP round trip integration test with minor fixes#1811

Merged
samuel40791765 merged 1 commit intoaws:mainfrom
samuel40791765:ocsp-round-trip
Sep 5, 2024
Merged

Add OCSP round trip integration test with minor fixes#1811
samuel40791765 merged 1 commit intoaws:mainfrom
samuel40791765:ocsp-round-trip

Conversation

@samuel40791765
Copy link
Copy Markdown
Contributor

@samuel40791765 samuel40791765 commented Aug 28, 2024

Description of changes:

Now that we have support for OCSP responder functions, we can now do a round trip integration test with an OCSP request from an OCSP client <-> OCSP response from an OCSP responder. There were a couple bugs found along the way and this implements fixes along with the new tests.

  1. OCSP_cert_to_id allows for a NULL subject, then passes a NULL serialNumber to OCSP_cert_id_new. OpenSSL allows the NULL parameter, but we disallow it. Changed to allow NULL for better interoptability.
  2. Our implementation of X509_gmtime_adj happens to use UTC Time, but the producedAt field for OCSP OCSP_RESPDATA expects generalized time. This causes a parsing failure from OCSP responses we generated. This was pinned down to X509_gmtime_adj calling ASN1_TIME_adj internally, which allocates UTCTime if it fits.

  • aws-lc/include/openssl/asn1.h

    Lines 1417 to 1426 in 353228b

    // ASN1_TIME_adj adds |offset_day| days and |offset_sec| seconds to
    // |posix_time| and writes the result to |s|. As in RFC 5280, section 4.1.2.5,
    // it uses UTCTime when the time fits and GeneralizedTime otherwise. It returns
    // |s| on success and NULL on error. If |s| is NULL, it returns a
    // newly-allocated |ASN1_GENERALIZEDTIME| instead.
    //
    // Note this function may fail if the time overflows or is out of range for
    // GeneralizedTime.
    OPENSSL_EXPORT ASN1_TIME *ASN1_TIME_adj(ASN1_TIME *s, int64_t posix_time,
    int offset_day, long offset_sec);

Call-outs:

N/A

Testing:

New round trip tests

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.

@codecov-commenter
Copy link
Copy Markdown

codecov-commenter commented Aug 28, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 86.48649% with 15 lines in your changes missing coverage. Please review.

Project coverage is 78.38%. Comparing base (97a04f5) to head (af35ef1).
Report is 2 commits behind head on main.

Files with missing lines Patch % Lines
crypto/ocsp/ocsp_integration_test.cc 92.55% 4 Missing and 3 partials ⚠️
crypto/test/test_util.cc 46.15% 3 Missing and 4 partials ⚠️
crypto/ocsp/ocsp_lib.c 66.66% 1 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #1811      +/-   ##
==========================================
+ Coverage   78.37%   78.38%   +0.01%     
==========================================
  Files         582      582              
  Lines       97416    97507      +91     
  Branches    13966    13982      +16     
==========================================
+ Hits        76346    76429      +83     
- Misses      20450    20453       +3     
- Partials      620      625       +5

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@samuel40791765 samuel40791765 marked this pull request as ready for review August 28, 2024 22:47
@samuel40791765 samuel40791765 requested a review from a team as a code owner August 28, 2024 22:47
WillChilds-Klein
WillChilds-Klein approved these changes Sep 5, 2024
View reviewed changes
crypto/ocsp/ocsp_lib.c
}
if (ASN1_STRING_copy(cid->serialNumber, serialNumber) == 0) {
goto err;
// Only copy |serialNumber| if available. This may be empty.
Copy link
Copy Markdown
Contributor

@WillChilds-Klein WillChilds-Klein Sep 5, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i'm not super familiar with the requirements here. is serialNumber expected to be populated at this point in execution?

Copy link
Copy Markdown
Contributor Author

@samuel40791765 samuel40791765 Sep 5, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In this case, it was because OCSP_cert_to_id allows for a NULL subject, then passes the NULL serialNumber to OCSP_cert_id_new. OpenSSL allows the NULL parameter and just simply skips populating it.
This was intended for self-signed certificates in OCSP_cert_to_id extracts where the subject name is extracted from the issuer and a serial number is given NULL.

@samuel40791765 samuel40791765 merged commit 305f277 into aws:main Sep 5, 2024
@samuel40791765 samuel40791765 deleted the ocsp-round-trip branch September 5, 2024 21:39
@smittals2 smittals2 mentioned this pull request Sep 15, 2024
Merged
smittals2 added a commit that referenced this pull request Sep 17, 2024
@smittals2
prepare for v1.35.0 release (#1853)
d3a598c 
## What's Changed
* Use OPENSSL_STATIC_ASSERT which handles all the platform/compiler/C s…
by @andrewhop in #1791
* ML-KEM refactor by @dkostic in #1763
* ML-KEM-IPD to ML-KEM as defined in FIPS 203 by @dkostic in
#1796
* Add KDA OneStep testing to ACVP by @skmcgrail in
#1792
* Updating erroneous documentation for BIO_get_mem_data and subsequent
usage by @smittals2 in #1752
* No-op impls for several EVP_PKEY_CTX functions by @justsmth in
#1759
* Drop "ipd" suffix from ML-KEM related code by @dkostic in
#1797
* Upstream merge 2024 08 19 by @skmcgrail in
#1781
* ML-KEM move to the FIPS module by @dkostic in
#1802
* Reduce collision probability for variable names by @torben-hansen in
#1804
* Refactor ENGINE API and memory around METHOD structs by @smittals2 in
#1776
* bn: Move x86-64 argument-based dispatching of bn_mul_mont to C. by
@justsmth in #1795
* Check at runtime that the tool is loading the same libcrypto it was
built with by @andrewhop in #1716
* Avoid matching prefixes of a symbol as arm registers by @torben-hansen
in #1807
* Add CI for FreeBSD by @justsmth in
#1787
* Move curve25519 implementations to fips module except spake25519 by
@torben-hansen in #1809
* Add CAST for SP 800-56Cr2 One-Step function by @skmcgrail in
#1803
* Remove custom PKCS7 ASN1 functions, add new structs by
@WillChilds-Klein in #1726
* NASM use default debug format by @justsmth in
#1747
* Add KDF in counter mode ACVP Testing by @skmcgrail in
#1810
* add support for OCSP_request_verify by @samuel40791765 in
#1778
* Fix GitHub/CodeBuild Purge Lambda by @justsmth in
#1808
* KBKDF_ctr_hmac FIPS Service Indicator by @skmcgrail in
#1798
* Update x509 tool to write all output to common BIO which is a file or
stdout by @andrewhop in #1800
* Add ML-KEM to speed.cc, bump AWSLC_API_VERSION to 30 by @andrewhop in
#1817
* Add EVP_PKEY_asn1_* functions by @justsmth in
#1751
* Improve portability of CI integration script by @torben-hansen in
#1815
* Upstream merge 2024 08 23 by @justsmth in
#1799
* Replace ECDSA_METHOD with EC_KEY_METHOD and add the associated API by
@smittals2 in #1785
* Cherrypick "Add some barebones support for DH in EVP" by
@samuel40791765 in #1813
* Add KDA OneStep (SSKDF_digest and SSKDF_hmac) to FIPS indicator by
@skmcgrail in #1793
* Add EVP_Digest one-shot test XOFs by @WillChilds-Klein in
#1820
* Wire-up ACVP Testing for SHA3 Signatures with RSA by @skmcgrail in
#1805
* Make SHA3 (not SHAKE) Approved for EVP_DigestSign/Verify, RSA and
ECDSA. by @nebeid in #1821
* Begin tracking RelWithDebInfo library statistics by @andrewhop in
#1822
* Move EVP ed25519 function table under FIPS module by @torben-hansen in
#1826
* Avoid C11 Atomics on Windows by @justsmth in
#1824
* Improve pre-sandbox setup by @torben-hansen in
#1825
* Add OCSP round trip integration test with minor fixes by
@samuel40791765 in #1811
* Add various PKCS7 getters and setters by @WillChilds-Klein in
#1780
* Run clang-format on pkcs7 code by @WillChilds-Klein in
#1830
* Move KEM API and ML-KEM definitions to FIPS module by @torben-hansen
in #1828
* fix socat integration CI by @samuel40791765 in
#1833
* Retire out-of-module KEM folder by @torben-hansen in
#1832
* Refactor RSA_METHOD and expand API by @smittals2 in
#1790
* Update benchmark documentation in tool/readme.md by @andrewhop in
#1812
* Pre jail unit test by @torben-hansen in
#1835
* Move EVP KEM implementation to in-module and correct OID by
@torben-hansen in #1838
* More minor symbols Ruby depends on by @samuel40791765 in
#1837
* ED25519 Power-on Self Test / CAST / KAT by @skmcgrail in
#1834
* ACVP ML-KEM testing by @skmcgrail in
#1840
* ACVP ECDSA SHA3 Digest Testing by @skmcgrail in
#1819
* ML-KEM Service Indicator for EVP_PKEY_keygen, EVP_PKEY_encapsulate,
EVP_PKEY_decapsulate by @skmcgrail in
#1844
* Add ML-KEM CAST for KeyGen, Encaps, and Decaps by @skmcgrail in
#1846
* ED25519 Service Indicator by @skmcgrail in
#1829
* Update Allowed RSA KeySize Generation to FIPS 186-5 specification by
@skmcgrail in #1823
* Add ED25519 ACVP Testing by @skmcgrail in
#1818
* Make EDDSA/Ed25519 POST lazy initalized by @skmcgrail in
#1848
* add support for PEM Parameters without ASN1 hooks by @samuel40791765
in #1831
* Add OpenVPN tip of main to CI by @smittals2 in
#1843
* Ensure SSE2 is enabled when using optimized assembly for 32-bit x86 by
@graebm in #1841
* Add support for `EVP_PKEY_CTX_ctrl_str` - Step #1 by @justsmth in
#1842
* Added SHA3/SHAKE XOF functionality by @jakemas in
#1839
* Migrated ML-KEM SHA3/SHAKE usage to fipsmodule by @jakemas in
#1851
* AVX-512 support for RSA Signing by @pittma in
#1273
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@skmcgrail skmcgrail skmcgrail approved these changes

@WillChilds-Klein WillChilds-Klein WillChilds-Klein approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@samuel40791765 @codecov-commenter @skmcgrail @WillChilds-Klein