wip ocsp any hash

julek-wolfssl · julek-wolfssl · commit bd94d2f356a4 · 2026-02-16T11:51:28.000+01:00
diff --git a/scripts/ocsp-responder-openssl-interop.test b/scripts/ocsp-responder-openssl-interop.test
@@ -338,26 +338,29 @@ echo
 
 echo "=== Negative tests: unsupported features ==="
 
-# Test 1: Non-SHA-1 hash algorithms (should fail with OCSP error)
+# Test 1: Non-SHA-1 hash algorithms (should be supported)
 tests_run=$((tests_run+1))
-printf "  TEST %2d: %-55s " "$tests_run" "SHA-256 hash (should return OCSP error)"
+printf "  TEST %2d: %-55s " "$tests_run" "SHA-384 hash -> good"
 
 output=$($OPENSSL ocsp \
-    -sha256 \
+    -sha384 \
     -issuer "$OCSP_DIR/intermediate1-ca-cert.pem" \
     -cert "$OCSP_DIR/server1-cert.pem" \
     -url "http://127.0.0.1:$port1/" \
     -noverify \
     -resp_text 2>&1)
 rc=$?
 
-# Expect OCSP error response: internalerror (2)
-# OpenSSL shows "Responder Error: internalerror (2)"
-if echo "$output" | grep -q "Responder Error: internalerror"; then
-    printf "PASSED (OCSP internalerror)\n"
+# Extract the cert status line
+status=$(echo "$output" | grep "Cert Status:" | head -1 | \
+         sed 's/.*Cert Status: *//')
+
+# Expect "good" status (feature should be supported)
+if [ "$status" = "good" ]; then
+    printf "PASSED (status: %s)\n" "$status"
     tests_passed=$((tests_passed+1))
 else
-    printf "FAILED (expected OCSP internalerror, got rc: %d)\n" "$rc"
+    printf "FAILED (expected: good, got: %s, rc: %d)\n" "$status" "$rc"
     tests_failed=$((tests_failed+1))
     echo "--- openssl output ---"
     echo "$output"
diff --git a/src/ocsp.c b/src/ocsp.c
@@ -2293,8 +2293,23 @@ int wc_OcspResponder_AddCA(OcspResponder* responder,
 
     /* Extract necessary info from decoded cert */
     XMEMCPY(ca->subject, decoded->subject, WC_ASN_NAME_MAX);
-    XMEMCPY(ca->issuerHash, decoded->subjectHash, KEYID_SIZE);
-    XMEMCPY(ca->issuerKeyHash, decoded->subjectKeyHash, KEYID_SIZE);
+    if (decoded->subjectRawForHash == NULL ||
+            decoded->subjectRawForHashLen <= 0) {
+        ret = BAD_FUNC_ARG;
+        goto out;
+    }
+    ret = AsnHashesHash(&ca->issuerHashes, decoded->subjectRawForHash,
+            (word32)decoded->subjectRawForHashLen);
+    if (ret != 0)
+        goto out;
+    if (decoded->publicKeyForHash == NULL || decoded->pubKeyForHashSize == 0) {
+        ret = BAD_FUNC_ARG;
+        goto out;
+    }
+    ret = AsnHashesHash(&ca->issuerKeyHash, decoded->publicKeyForHash,
+            decoded->pubKeyForHashSize);
+    if (ret != 0)
+        goto out;
     keyOID = decoded->keyOID;
 
     /* Store raw certificate DER if sendCerts is enabled */
@@ -2364,8 +2379,9 @@ static OcspResponderCa* FindCaByHashes(OcspResponder* responder,
     OcspResponderCa* ca = responder->caList;
 
     while (ca != NULL) {
-        if (XMEMCMP(ca->issuerHash, issuerHash, KEYID_SIZE) == 0 &&
-            XMEMCMP(ca->issuerKeyHash, issuerKeyHash, KEYID_SIZE) == 0) {
+        /* Compare SHA-1 hashes since that's what OCSP uses */
+        if (XMEMCMP(ca->issuerHashes.sha, issuerHash, KEYID_SIZE) == 0 &&
+            XMEMCMP(ca->issuerKeyHash.sha, issuerKeyHash, KEYID_SIZE) == 0) {
             return ca;
         }
         ca = ca->next;
@@ -2581,11 +2597,11 @@ static int OcspResponse_WriteResponse(OcspResponder* responder, byte* response,
 
     /* Only support sha-1 hashes for now */
     entry.hashAlgoOID = SHAh;
-    XMEMCPY(entry.issuerHash, ca->issuerHash, KEYID_SIZE);
-    XMEMCPY(entry.issuerKeyHash, ca->issuerKeyHash, KEYID_SIZE);
+    XMEMCPY(entry.issuerHash, ca->issuerHashes.sha, KEYID_SIZE);
+    XMEMCPY(entry.issuerKeyHash, ca->issuerKeyHash.sha, KEYID_SIZE);
 
     resp.responderIdType = OCSP_RESPONDER_ID_KEY;
-    XMEMCPY(resp.responderId.keyHash, ca->issuerKeyHash, KEYID_SIZE);
+    XMEMCPY(resp.responderId.keyHash, ca->issuerKeyHash.sha, KEYID_SIZE);
 
     /* TODO allow user to set algo */
     if (ca->keyType == RSAk) {
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
@@ -13068,6 +13068,11 @@ static int StoreKey(DecodedCert* cert, const byte* source, word32* srcIdx,
             cert->pubKeyStored = 1;
             cert->pubKeySize   = (word32)length;
 
+#ifdef HAVE_OCSP_RESPONDER
+            cert->publicKeyForHash = cert->publicKey;
+            cert->pubKeyForHashSize = cert->pubKeySize;
+#endif
+
             *srcIdx += (word32)length;
         }
     }
@@ -13698,6 +13703,10 @@ static int StoreRsaKey(DecodedCert* cert, const byte* source, word32* srcIdx,
         cert->sigCtx.CertAtt.pubkey_n_start =
             cert->sigCtx.CertAtt.pubkey_e_start = dataASN[RSACERTKEYASN_IDX_SEQ].offset;
     #endif
+    #ifdef HAVE_OCSP_RESPONDER
+        cert->publicKeyForHash = cert->publicKey;
+        cert->pubKeyForHashSize = cert->pubKeySize;
+    #endif
     #ifdef HAVE_OCSP
         /* Calculate the hash of the public key for OCSP. */
         ret = CalcHashId_ex(cert->publicKey, cert->pubKeySize,
@@ -13877,6 +13886,13 @@ static int StoreEccKey(DecodedCert* cert, const byte* source, word32* srcIdx,
             + 1;
     #endif
 
+    #ifdef HAVE_OCSP_RESPONDER
+        cert->publicKeyForHash =
+                dataASN[ECCCERTKEYASN_IDX_SUBJPUBKEY].data.ref.data;
+        cert->pubKeyForHashSize =
+                dataASN[ECCCERTKEYASN_IDX_SUBJPUBKEY].data.ref.length;
+    #endif
+
     #ifdef HAVE_OCSP
         if (ret == 0) {
             /* Calculate the hash of the subject public key for OCSP. */
@@ -16042,6 +16058,13 @@ static int GetCertName(DecodedCert* cert, char* full, byte* hash, int nameType,
         ret = ASN_PARSE_E;
     }
 
+#ifdef HAVE_OCSP_RESPONDER
+    if (ret == 0 && nameType == ASN_SUBJECT) {
+        cert->subjectRawForHash = input + srcIdx;
+        cert->subjectRawForHashLen = maxIdx - srcIdx;
+    }
+#endif
+
     CALLOC_ASNGETDATA(dataASN, rdnASN_Length, ret, cert->heap);
 
 #ifdef WOLFSSL_X509_NAME_AVAILABLE
@@ -45596,6 +45619,40 @@ int wc_VerifyX509Acert(const byte* acert, word32 acertSz,
 
 #endif /* WOLFSSL_ACERT && WOLFSSL_ASN_TEMPLATE */
 
+int AsnHashesHash(AsnHashes* hashes, const byte* data, word32 dataSz)
+{
+    int ret = 0;
+
+    if (hashes == NULL || data == NULL)
+        ret = BAD_FUNC_ARG;
+#if !defined(NO_MD5)
+    if (ret == 0)
+        ret = wc_Md5Hash(data, dataSz, hashes->md5);
+#endif
+#if !defined(NO_SHA)
+    if (ret == 0)
+        ret = wc_ShaHash(data, dataSz, hashes->sha);
+#endif
+#ifndef NO_SHA256
+    if (ret == 0)
+        ret = wc_Sha256Hash(data, dataSz, hashes->sha256);
+#endif
+#ifdef WOLFSSL_SHA384
+    if (ret == 0)
+        ret = wc_Sha384Hash(data, dataSz, hashes->sha384);
+#endif
+#ifdef WOLFSSL_SHA512
+    if (ret == 0)
+        ret = wc_Sha512Hash(data, dataSz, hashes->sha512);
+#endif
+#ifdef WOLFSSL_SM3
+    if (ret == 0)
+        ret = wc_Sm3Hash(data, dataSz, hashes->sm3);
+#endif
+
+    return ret;
+}
+
 #ifdef WOLFSSL_SEP
 
 
diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h
@@ -1728,6 +1728,10 @@ typedef int (*wc_UnknownExtCallbackEx)(const word16* oid, word32 oidSz,
 struct DecodedCert {
     const byte* publicKey;
     word32  pubKeySize;
+#ifdef HAVE_OCSP_RESPONDER
+    const byte* publicKeyForHash;
+    word32  pubKeyForHashSize;
+#endif
     int     pubKeyStored;
     word32  certBegin;               /* offset to start of cert          */
     word32  sigIndex;                /* offset to start of signature     */
@@ -1848,6 +1852,10 @@ struct DecodedCert {
     const byte* issuerRaw;           /* pointer to issuer inside source */
     int     issuerRawLen;
 #endif
+#ifdef HAVE_OCSP_RESPONDER
+    const byte* subjectRawForHash;   /* pointer to subject including tags */
+    int     subjectRawForHashLen;
+#endif
 #if !defined(IGNORE_NAME_CONSTRAINTS) || defined(WOLFSSL_CERT_EXT)
     const byte* subjectRaw;          /* pointer to subject inside source */
     int     subjectRawLen;
@@ -2865,6 +2873,30 @@ struct OcspResponderCertStatus {
     OcspResponderCertStatus* next;
 };
 
+/* hashes type for asn */
+typedef struct AsnHashes {
+    #if !defined(NO_MD5)
+        byte md5[WC_MD5_DIGEST_SIZE];
+    #endif
+    #if !defined(NO_SHA)
+        byte sha[WC_SHA_DIGEST_SIZE];
+    #endif
+    #ifndef NO_SHA256
+        byte sha256[WC_SHA256_DIGEST_SIZE];
+    #endif
+    #ifdef WOLFSSL_SHA384
+        byte sha384[WC_SHA384_DIGEST_SIZE];
+    #endif
+    #ifdef WOLFSSL_SHA512
+        byte sha512[WC_SHA512_DIGEST_SIZE];
+    #endif
+    #ifdef WOLFSSL_SM3
+        byte sm3[WC_SM3_DIGEST_SIZE];
+    #endif
+} AsnHashes;
+
+WOLFSSL_LOCAL int AsnHashesHash(AsnHashes* hashes, const byte* data, word32 dataSz);
+
 /* CA entry with its certificates and key */
 typedef struct OcspResponderCa OcspResponderCa;
 struct OcspResponderCa {
@@ -2880,8 +2912,8 @@ struct OcspResponderCa {
     } key;                           /* CA private key for signing */
     enum Key_Sum keyType;            /* Type of key */
 
-    byte issuerHash[KEYID_SIZE];     /* Hash of CA's subject DN */
-    byte issuerKeyHash[KEYID_SIZE];  /* Hash of CA's public key */
+    AsnHashes issuerHashes;          /* Hashes of CA's subject DN */
+    AsnHashes issuerKeyHash;         /* Hashes of CA's public key */
 
     byte* certDer;                   /* Raw DER certificate (if sendCerts enabled) */
     word32 certDerSz;                /* Size of certificate DER */
