Implement OCSP client and responder with HTTP and SCGI transport#200
Open
julek-wolfssl wants to merge 4 commits into wolfSSL:main from
Pull request overview
This PR implements a comprehensive OCSP (Online Certificate Status Protocol) client and responder for wolfCLU, enabling certificate revocation checking with both HTTP and SCGI transport protocols.
Changes:
- Added OCSP client and responder implementation with transport-agnostic design
- Implemented HTTP utilities by refactoring existing code and adding server-side helpers
- Added SCGI protocol support for nginx reverse proxy integration
- Included comprehensive test suites for interoperability testing (wolfSSL ↔ OpenSSL)
Reviewed changes
Copilot reviewed 29 out of 30 changed files in this pull request and generated 10 comments.
| File | Description |
|---|---|
| src/ocsp/clu_ocsp.c | Core OCSP client and responder implementation with index file parsing |
| src/tools/clu_http.c | HTTP utilities including request/response building and server helpers |
| src/tools/clu_scgi.c | SCGI protocol implementation following spec at python.ca/scgi/protocol.txt |
| src/tools/clu_pem_der.c | Certificate and key loading utilities with PEM to DER conversion |
| wolfclu/clu_header_main.h | Function declarations for OCSP, HTTP, and SCGI APIs |
| wolfclu/clu_optargs.h | Added WOLFCLU_OCSP enum value |
| wolfclu/client.h | Removed unnecessary WOLFSSL_THREAD define |
| src/clu_main.c | Integrated OCSP mode into main command dispatcher |
| src/tools/clu_funcs.c | Added OCSP to help text |
| src/client/client.c | Refactored to use shared HTTP GET message |
| src/server/server.c | Refactored to use shared HTTP response message |
| tests/ocsp/ocsp-test.sh | Top-level test runner for four interop combinations |
| tests/ocsp/ocsp-interop-test.sh | Detailed interop test script with 11 test cases |
| tests/ocsp-scgi/ocsp-scgi-test.sh | SCGI integration test with nginx |
| tests/ocsp-scgi/scgi_params | nginx SCGI parameter configuration |
| src/include.am | Added new source files to build system |
| Makefile.am | Added test directories to make check |
| wolfCLU.vcxproj | Added source files for Windows build |
| certs/renew.sh | Added OCSP responder certificate generation |
| certs/ocsp.cnf | OpenSSL configuration for OCSP signing extension |
| certs/ocsp-responder-*.pem | OCSP responder certificate and key |
| README.md | Added deployment documentation for SCGI mode with nginx |
| .gitignore | Added development artifacts |
| .github/workflows/*.yml | Added nginx and openssl to CI dependencies |
| autogen.sh | Removed Git hooks setup |
| tests/x509/x509-req-test.sh | Added cleanup of tmp.csr file |
Depends on wolfSSL/wolfssl#9761

Core OCSP implementation:
- Register the new WOLFCLU_OCSP mode enum value
- The responder main loop accepts connections and handles the request in a transport-agnostic way.
- Add the OCSP mode to the help text in src/tools/clu_funcs.c.

New HTTP utilities (src/tools/clu_http.c):
- Move the static `kHttpGetMsg` from src/client/client.c and the static `kHttpServerMsg` from src/server/server.c into shared accessor functions
- Add HTTP builder and server helpers

New SCGI protocol implementation (src/tools/clu_scgi.c):
- Implement the SCGI wire protocol per https://python.ca/scgi/protocol.txt

Certificate and config additions (certs/):
- Add ocsp-responder-cert.pem which is an authorized responder for ca-cert.pem

Test suites:
- tests/ocsp/ocsp-test.sh: top-level test runner with four interop combinations (wolfssl↔openssl, wolfssl↔wolfssl, openssl↔wolfssl, openssl↔openssl) run sequentially
- tests/ocsp/ocsp-interop-test.sh: test script taking in $OCSP_CLIENT and $OCSP_RESPONDER. Written to take in the same commands when run with wolfssl or openssl on either side
- tests/ocsp-scgi/ocsp-scgi-test.sh: SCGI integration test using nginx for HTTP termination
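To make the SCGI wire format that clu_scgi.c implements concrete, the following is an added example in C, not wolfCLU's or wolfSSL's code. It follows the framing rules at https://python.ca/scgi/protocol.txt (netstring-wrapped header block, CONTENT_LENGTH first, SCGI=1 required, body after the comma); the function names, the 64 KiB header cap, and the sample headers and body bytes are my own assumptions and constructed input, not values from the PR. It encodes a request the way an nginx frontend would forward an OCSP POST and parses it back, distinguishing an incomplete read (wait for more bytes) from a malformed frame (reject).

```c
/* Added example, not wolfCLU's clu_scgi.c: framing per https://python.ca/scgi/protocol.txt.
 * A request is a netstring "<len>:<headers>," followed by the body; the header block is
 * NUL-terminated name/value pairs, CONTENT_LENGTH first, with SCGI=1 required. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
typedef struct {
    const char *hdr; size_t hdrLen;             /* header block inside the caller's buffer */
    const unsigned char *body; size_t bodyLen;  /* CONTENT_LENGTH bytes after the ',' */
} ScgiRequest;

/* Encode body plus caller pairs (name,value,...); CONTENT_LENGTH and SCGI=1 are
 * emitted first automatically. Returns the frame length or -1. */
static int scgi_encode(const char *const *extra, size_t nExtra, const unsigned char *body,
                       size_t bodyLen, unsigned char *out, size_t cap)
{
    char num[32];
    size_t hdrLen, pos, i, k;
    int n = snprintf(num, sizeof num, "%zu", bodyLen);
    if (nExtra % 2 || n < 0) return -1;
    hdrLen = 15 + strlen(num) + 1 + 7;   /* "CONTENT_LENGTH\0" num "\0" "SCGI\0" "1\0" */
    for (i = 0; i < nExtra; i++) hdrLen += strlen(extra[i]) + 1;
    n = snprintf((char *)out, cap, "%zu:", hdrLen);   /* netstring length prefix */
    if (n < 0 || (size_t)n >= cap || cap - (size_t)n < hdrLen + 1 + bodyLen) return -1;
    pos = (size_t)n;
    memcpy(out + pos, "CONTENT_LENGTH", 15); pos += 15;
    memcpy(out + pos, num, strlen(num) + 1); pos += strlen(num) + 1;
    memcpy(out + pos, "SCGI\0" "1", 7); pos += 7;
    for (i = 0; i < nExtra; i++) {
        k = strlen(extra[i]) + 1;
        memcpy(out + pos, extra[i], k); pos += k;
    }
    out[pos++] = ',';
    memcpy(out + pos, body, bodyLen);
    return (int)(pos + bodyLen);
}

/* Parse one request from buf[0..len): 0 = complete, 1 = need more bytes,
 * -1 = framing violation (drop the connection rather than guess). */
static int scgi_decode(const unsigned char *buf, size_t len, ScgiRequest *req)
{
    size_t i = 0, hdrLen, contentLen = 0; char *e;
    const char *p, *end, *name, *val; int first = 1, sawScgi = 0;
    while (i < len && isdigit(buf[i])) i++;
    if (i == len) return 1;                                    /* prefix incomplete */
    if (i == 0 || buf[i] != ':') return -1;
    hdrLen = strtoul((const char *)buf, NULL, 10);             /* digits end at the ':' */
    if (hdrLen == 0 || hdrLen > 65536) return -1;              /* chosen sanity cap (assumption) */
    i++;
    if (len - i <= hdrLen) return 1;                           /* need headers and ',' */
    if (buf[i + hdrLen - 1] != '\0' || buf[i + hdrLen] != ',') return -1;
    /* block ends in NUL, so strlen below can never run past end */
    for (p = (const char *)buf + i, end = p + hdrLen; p < end; first = 0) {
        name = p; p += strlen(p) + 1;
        if (p >= end) return -1;                               /* name without value */
        val = p; p += strlen(p) + 1;
        if (first) {                                           /* CONTENT_LENGTH must lead */
            if (strcmp(name, "CONTENT_LENGTH") || !isdigit((unsigned char)*val)) return -1;
            contentLen = strtoul(val, &e, 10);
            if (*e != '\0') return -1;                         /* digits only */
        } else if (strcmp(name, "CONTENT_LENGTH") == 0) return -1;    /* duplicate */
        if (strcmp(name, "SCGI") == 0) { if (strcmp(val, "1")) return -1; sawScgi = 1; }
    }
    if (!sawScgi) return -1;
    req->hdr = (const char *)buf + i; req->hdrLen = hdrLen;
    i += hdrLen + 1;
    if (len - i < contentLen) return 1;                        /* body still arriving */
    req->body = buf + i; req->bodyLen = contentLen;
    return 0;
}

/* Header lookup; decode() guaranteed every name and value is NUL-terminated. */
static const char *scgi_header(const ScgiRequest *r, const char *name)
{
    const char *p = r->hdr, *end = r->hdr + r->hdrLen, *v;
    for (; p < end; p = v + strlen(v) + 1) {
        v = p + strlen(p) + 1;
        if (strcmp(p, name) == 0) return v;
    }
    return NULL;
}

/* Round-trip a constructed OCSP-style POST (as nginx would forward it); returns the frame
 * length on success, 0 on failure. The body bytes are a placeholder, not a real DER request. */
static int scgi_roundtrip_demo(void)
{
    static const char *const extra[] = { "REQUEST_METHOD", "POST",
        "CONTENT_TYPE", "application/ocsp-request", "REQUEST_URI", "/ocsp" };
    static const unsigned char body[] = { 0x30, 0x03, 0x02, 0x01, 0x05 };
    unsigned char frame[256]; ScgiRequest req; const char *m;
    int n = scgi_encode(extra, 6, body, sizeof body, frame, sizeof frame);
    if (n <= 0 || scgi_decode(frame, (size_t)n - 1, &req) != 1) return 0;  /* short: wait */
    if (scgi_decode(frame, (size_t)n, &req) != 0) return 0;
    m = scgi_header(&req, "REQUEST_METHOD");
    if (m == NULL || strcmp(m, "POST") != 0) return 0;
    if (req.bodyLen != sizeof body || memcmp(req.body, body, sizeof body) != 0) return 0;
    return n;
}

int main(void) { printf("SCGI frame length: %d\n", scgi_roundtrip_demo()); return 0; }
```

A responder behind nginx would loop on `scgi_decode` while it returns 1, close the connection on -1, and only then read REQUEST_METHOD and CONTENT_TYPE through `scgi_header` before handing the body to the OCSP request parser; the header cap keeps an untrusted peer from making the server buffer an arbitrarily large header block while waiting for "more bytes".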
Pull request overview
Copilot reviewed 29 out of 30 changed files in this pull request and generated 9 comments.
…ing logic; add wolfCLU_SendAll function for reliable socket writes
Removed git hooks as they interfere with dev work