new x509 API: verify and cache pubKey #110
Pull Request Overview
This pull request introduces a new x509 API for verifying certificates and caching the public key of the leaf certificate. The changes include new and updated server and client API functions with additional parameters, modifications to message structures to support flags and key IDs, and updates to test cases and certificate generation scripts to cover the new functionality.
Reviewed Changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| wolfhsm/wh_server_cert.h | Updated API definition for certificate verification with caching, including additional parameters. |
| wolfhsm/wh_message_cert.h | Added new fields and translation functions in message structs to support key caching. |
| wolfhsm/wh_common.h | Introduced new certificate management flags. |
| wolfhsm/wh_client.h | Added new client API functions for verifying certs and caching the leaf public key. |
| tools/testcertgen/gen_test_cert_chain.sh | Updated test certificate generation to export the leaf public key. |
| test/wh_test_cert.c | Extended test cases to validate the new API functions and key caching behavior. |
| src/wh_server_crypto.c | Modified logic for Curve25519 key export with proper RNG usage. |
| src/wh_server_cert.c | Integrated caching of the leaf public key into the certificate verification flow. |
| src/wh_message_cert.c | Updated translation functions to handle the new verify response structures. |
| src/wh_client_cert.c | Refactored client certificate verification functions to support key caching. |
Comments suppressed due to low confidence (2)
wolfhsm/wh_server_cert.h:83
- The parameter name 'trustedRootNvmI' appears to be a typo; consider renaming it to 'trustedRootNvmId' for consistency with existing naming conventions.

```c
whNvmId trustedRootNvmI,
```

src/wh_server_cert.c:125
- Ensure that 'idx' is correctly defined and represents the intended offset in the certificate data when exporting the public key; if it is not defined or not computed as expected, this could lead to incorrect behavior.

```c
rc = wc_ExportX509PubKeyWithSpki(cert_ptr, cert_len + idx, cacheBuf, &cacheBufSize);
```
ad4af4c to 5c87010
billphipps left a comment
Looks really good! Great that this feature is so quickly exported into wolfHSM. Can you add the new messages to the padding test and add static where necessary?
Adds new API for verification that instructs the server to cache the public key of the leaf cert if the provided cert chain verifies. Requires new wolfCrypt API introduced in wolfSSL/wolfssl#8758.
Needed for upcoming wolfBoot + wolfHSM cert chain verification of firmware images, as wolfBoot will use the leaf cert public key to verify firmware authenticity after the chain is verified.
I thought about just adding this as a flag to the existing verify API, but ended up splitting it into a new API function for backwards compat. Can revert to doing it that way instead if you think it is better, just LMK.