server keystore/cert fixes and a fix for test breakage due to upstream wolfCrypt#123
Merged
billphipps merged 6 commits into wolfSSL:main from Jun 23, 2025
- pull keyId mapping logic out of wh_Server_CertVerify
Contributor
Pull Request Overview
This PR addresses issues in key caching and certificate verification by refactoring the keystore and cert verification functions to work with raw (server) key IDs, preventing duplicate key caching across caches, and adding relevant test coverage.
- Refactor wh_Server_CertVerify to use an in/out keyId parameter
- Add cross-cache duplicate detection logic in the keystore functions
- Enhance test cases for duplicate key caching scenarios
Reviewed Changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| wolfhsm/wh_server_cert.h | Update function signature and documentation for in/out keyId parameter |
| wolfhsm/wh_message_cert.h | Add keyId field to the verify DMA request structure |
| wolfhsm/wh_error.h | Introduce duplicate key error code |
| test/wh_test_crypto.c | Add and update tests for cross-cache duplicate detection |
| src/wh_server_keystore.c | Add duplicate detection logic in cache functions |
| src/wh_server_cert.c | Adjust certificate verification logic to correctly propagate keyId |
| src/wh_message_cert.c | Translate the new keyId field in the verify DMA request structure |
Comments suppressed due to low confidence (1)
wolfhsm/wh_server_cert.h:90
- Update the function documentation for wh_Server_CertVerify to clearly state that inout_keyId acts as both an input (if already assigned) and as an output (for the generated keyId) when caching the leaf public key.
whCertFlags flags, whKeyId* inout_keyId);
…IX testing and prevents RNG seed selection in latest upstream wolfCrypt use cert buffers for wolfCrypt tests now that NO_FILESYSTEM is removed
billphipps requested changes on Jun 20, 2025
billphipps (Contributor) left a comment:
Looks good! Can you consider my comments about duplicate? I'm good either way.
billphipps approved these changes on Jun 23, 2025
wh_Server_CertVerify to operate on raw (server) keyIds so it can be used outside a client message handler. Relocates the client keyId mapping on input/output to the message dispatch function, better aligning with the rest of the code. Also unrelated fix: wolfCrypt upstream changed default RNG seed generation causing our wolfCrypt tests to break. I removed NO_FILESYSTEM from the POSIX tests so it can use /dev/random for seeding. I added in the use of the cert buffers macro as otherwise filesystem support requires you to run wolfCrypt tests from the wolfCrypt root directory which we don't want.
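A small model of the two contracts named in the PR description and the Copilot overview, an in/out keyId parameter and cross-cache duplicate detection, added here as an example; it is not wolfHSM's code, and the names (cache_key, cache_find, KEYID_UNASSIGNED, the error codes, the two-cache layout) are assumptions.

```c
#include <stdint.h>
#include <string.h>
typedef uint16_t whKeyId;        /* assumed key-id width */
#define KEYID_UNASSIGNED  0      /* assumed sentinel: "allocate an id for me" */
#define ERR_OK            0
#define ERR_BADARGS      -1
#define ERR_NOSPACE      -2
#define ERR_KEYDUPLICATE -3      /* stands in for the PR's new duplicate-key error */
#define CACHE_COUNT       2      /* e.g. regular and large-key caches (assumption) */
#define CACHE_SLOTS       4
typedef struct { int used; whKeyId id; } slot_t;
static slot_t caches[CACHE_COUNT][CACHE_SLOTS];
static whKeyId next_id = 1;
void cache_reset(void) { memset(caches, 0, sizeof(caches)); next_id = 1; }

/* Index of the cache that already holds id, or -1 if no cache does. */
int cache_find(whKeyId id) {
    for (int c = 0; c < CACHE_COUNT; c++)
        for (int s = 0; s < CACHE_SLOTS; s++)
            if (caches[c][s].used && caches[c][s].id == id) return c;
    return -1;
}

/* Cache a key in cache `which`. On input *inout_keyId is a caller-chosen id or
 * KEYID_UNASSIGNED; on success it holds the id actually used. The lookup spans
 * every cache, so one id can never be resident in two caches at once. */
int cache_key(int which, whKeyId* inout_keyId) {
    if (which < 0 || which >= CACHE_COUNT || inout_keyId == NULL) return ERR_BADARGS;
    whKeyId id = (*inout_keyId == KEYID_UNASSIGNED) ? next_id++ : *inout_keyId;
    if (cache_find(id) >= 0) return ERR_KEYDUPLICATE;
    for (int s = 0; s < CACHE_SLOTS; s++) {
        if (caches[which][s].used) continue;
        caches[which][s].used = 1;
        caches[which][s].id = id;
        *inout_keyId = id;           /* report the generated id back to the caller */
        return ERR_OK;
    }
    return ERR_NOSPACE;
}

/* Scenario modelled on the PR's tests: a key cached with a server-generated id
 * must be refused when cached again into either cache. Returns 1 on success. */
int run_scenario(void) {
    whKeyId id = KEYID_UNASSIGNED;
    cache_reset();
    if (cache_key(0, &id) != ERR_OK || id != 1) return 0;
    if (cache_key(1, &id) != ERR_KEYDUPLICATE) return 0;  /* other cache: rejected */
    if (cache_key(0, &id) != ERR_KEYDUPLICATE) return 0;  /* same cache: rejected */
    return cache_find(id) == 0;
}
```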