@bigbrett (Contributor) commented Jun 19, 2025

  • Refactors wh_Server_CertVerify to operate on raw (server) keyIds so it can be used outside a client message handler. Relocates the client keyId mapping on input/output to the message dispatch function, better aligning with the rest of the code.
  • Adds keyId parameter to client verifyAndCachePubKey API in case client wants to cache to a specific keyId, thus matching the server implementation
  • Adds fix to guard against condition where a client could potentially cache two keys with the same ID in both little and big key caches
  • Adds test coverage for the above fix

Also unrelated fix: wolfCrypt upstream changed default RNG seed generation causing our wolfCrypt tests to break. I removed NO_FILESYSTEM from the POSIX tests so it can use /dev/random for seeding. I added in the use of the cert buffers macro as otherwise filesystem support requires you to run wolfCrypt tests from the wolfCrypt root directory which we don't want.
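
The cross-cache guard described in the PR description above, as an added example that is not code from this PR or from wolfHSM: a hypothetical two-tier cache in which key length selects the tier and an ID already held by the other tier is rejected. All type, function and error names are assumptions, as is the choice to overwrite when the same ID is re-cached in the same tier.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical two-tier key cache; none of these names are wolfHSM's. */
enum { KS_OK = 0, KS_ERR_BADARGS = -1, KS_ERR_NOSPACE = -2, KS_ERR_DUPLICATE = -3 };
enum { KS_ID_ERASED = 0, SMALL_SLOTS = 4, BIG_SLOTS = 2, SMALL_MAX = 64, BIG_MAX = 512 };
typedef struct { uint16_t id, len; uint8_t data[SMALL_MAX]; } SmallSlot;
typedef struct { uint16_t id, len; uint8_t data[BIG_MAX]; } BigSlot;
typedef struct { SmallSlot small[SMALL_SLOTS]; BigSlot big[BIG_SLOTS]; } KeyStore;

KeyStore g_ks;                                /* zero-initialized: every slot erased */
const uint8_t SAMPLE_KEY[BIG_MAX] = { 0xA5 }; /* constructed key material */

static int find_small(const KeyStore* ks, uint16_t id) {
    for (int i = 0; i < SMALL_SLOTS; i++)
        if (ks->small[i].id == id) return i;
    return -1;
}
static int find_big(const KeyStore* ks, uint16_t id) {
    for (int i = 0; i < BIG_SLOTS; i++)
        if (ks->big[i].id == id) return i;
    return -1;
}
/* Number of tiers holding id; the guard keeps this at 0 or 1. */
int ks_count(const KeyStore* ks, uint16_t id) {
    return (find_small(ks, id) >= 0) + (find_big(ks, id) >= 0);
}
/* Cache a key; its length selects the tier. The same id in the same tier is
 * overwritten (assumption); the same id in the other tier is rejected. */
int ks_cache(KeyStore* ks, uint16_t id, const uint8_t* key, uint16_t len) {
    int i;
    if (id == KS_ID_ERASED || key == NULL || len == 0 || len > BIG_MAX)
        return KS_ERR_BADARGS;
    if (len <= SMALL_MAX) {
        if (find_big(ks, id) >= 0) return KS_ERR_DUPLICATE; /* cross-cache guard */
        if ((i = find_small(ks, id)) < 0) i = find_small(ks, KS_ID_ERASED);
        if (i < 0) return KS_ERR_NOSPACE;
        ks->small[i].id = id; ks->small[i].len = len;
        memcpy(ks->small[i].data, key, len);
    } else {
        if (find_small(ks, id) >= 0) return KS_ERR_DUPLICATE; /* cross-cache guard */
        if ((i = find_big(ks, id)) < 0) i = find_big(ks, KS_ID_ERASED);
        if (i < 0) return KS_ERR_NOSPACE;
        ks->big[i].id = id; ks->big[i].len = len;
        memcpy(ks->big[i].data, key, len);
    }
    return KS_OK;
}
int main(void) { /* exits 0 when the second, cross-tier insert is refused */
    return ks_cache(&g_ks, 7, SAMPLE_KEY, 32) != KS_OK
        || ks_cache(&g_ks, 7, SAMPLE_KEY, 256) != KS_ERR_DUPLICATE;
}
```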

- pull keyId mapping logic out of wh_Server_CertVerify
@bigbrett bigbrett requested a review from Copilot June 19, 2025 01:55
Copilot AI (Contributor) left a comment

Pull Request Overview

This PR addresses issues in key caching and certificate verification by refactoring the keystore and cert verification functions to work with raw (server) key IDs, preventing duplicate key caching across caches, and adding relevant test coverage.

  • Refactor wh_Server_CertVerify to use an in/out keyId parameter
  • Add cross-cache duplicate detection logic in the keystore functions
  • Enhance test cases for duplicate key caching scenarios

Reviewed Changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| wolfhsm/wh_server_cert.h | Update function signature and documentation for in/out keyId parameter |
| wolfhsm/wh_message_cert.h | Add keyId field to the verify DMA request structure |
| wolfhsm/wh_error.h | Introduce duplicate key error code |
| test/wh_test_crypto.c | Add and update tests for cross-cache duplicate detection |
| src/wh_server_keystore.c | Add duplicate detection logic in cache functions |
| src/wh_server_cert.c | Adjust certificate verification logic to correctly propagate keyId |
| src/wh_message_cert.c | Translate the new keyId field in the verify DMA request structure |

Comments suppressed due to low confidence (1)

wolfhsm/wh_server_cert.h:90

  • Update the function documentation for wh_Server_CertVerify to clearly state that inout_keyId acts as both an input (if already assigned) and as an output (for the generated keyId) when caching the leaf public key.
                         whCertFlags flags, whKeyId* inout_keyId);

@bigbrett force-pushed the wolfBoot-server-x509-auth-integration branch from c3b81c1 to b8ec62a June 19, 2025 02:13
…IX testing and prevents RNG seed selection in latest upstream wolfCrypt

use cert buffers for wolfCrypt tests now that NO_FILESYSTEM is removed
@bigbrett force-pushed the wolfBoot-server-x509-auth-integration branch from 82376e6 to 866ae84 June 19, 2025 02:46
@bigbrett bigbrett requested a review from billphipps June 19, 2025 02:48
@bigbrett changed the title from "server keystore and cert verify fixes" to "server keystore/cert fixes and a fix for test breakage due to upstream wolfCrypt" Jun 19, 2025
@billphipps (Contributor) left a comment

Looks good! Can you consider my comments about duplicate? I'm good either way.

@billphipps billphipps merged commit 1948957 into wolfSSL:main Jun 23, 2025
3 checks passed