add support for OCSP_copy_nonce #1711
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #1711 +/- ##
=======================================
Coverage 78.31% 78.31%
=======================================
Files 580 580
Lines 96619 96639 +20
Branches 13850 13859 +9
=======================================
+ Hits 75665 75686 +21
+ Misses 20340 20338 -2
- Partials 614 615 +1 ☔ View full report in Codecov by Sentry. |
samuel40791765
force-pushed
the
ocsp-copy-nonce
branch
3 times, most recently
from
06fb1a5 to
cd660a2
Compare
| // OCSP_copy_nonce copies the nonce value (if any) from |req| to |resp|. Returns | ||
| // 1 on success and 0 on failure. If the optional nonce value does not exist in | ||
| // |req|, we return 2 instead. | ||
| OPENSSL_EXPORT int OCSP_copy_nonce(OCSP_BASICRESP *resp, OCSP_REQUEST *req); |
There was a problem hiding this comment.
nit: should we document that the nonce extension is prepended?
There was a problem hiding this comment.
Ah yes we should
There was a problem hiding this comment.
The more I think about it, I think the correct behavior should be replacing any existing nonce in resp instead of prepending/appending it to the list of extensions. OpenSSL appends the nonce to the list, but it doesn't really make sense for a resp to have two nonces.
My initial concern was that someone may have noticed OpenSSL's double nonce behavior and they're removing the old extra nonce themselves after the call to OCSP_copy_nonce. This might cause our enforced singular nonce to be removed unintentionally. But it's an edge case trying to get around OpenSSL's buggy behavior, enforcing the right behavior might be the better call here.
There was a problem hiding this comment.
After discussing with @WillChilds-Klein, ultimately decided to align with OpenSSL's implementation. There's not too much benefit in misaligning here to be fair and creates more unanticipated behavioral changes.
samuel40791765
force-pushed
the
ocsp-copy-nonce
branch
from
bc8a2b1 to
13c2827
Compare
samuel40791765
force-pushed
the
ocsp-copy-nonce
branch
from
b191452 to
0632214
Compare
Issues:
Addresses
CryptoAlg-2420Description of changes:
Ruby consumes
OCSP_copy_nonce, which copies the nonce from the request to the OCSP response.OpenSSL's
OCSP_copy_noncedirectly appends the new OCSP nonce to the list of extensions in the response. This allows multiple OCSP nonces to exist the same response since the existing nonces are not deleted. It's a bit strange to allow multiple nonces to exist in a single response. To make things stranger,OCSP_check_noncedirectly takes the first OCSP nonce in the list to compare, so any newer nonces are ignored.We ultimately decided to follow OpenSSL's faulty implementation and document/test the behavior, there doesn't seem to be much value in diverging from the original and will only introduce more unanticipated behavioral changes.
Call-outs:
N/A
Testing:
Extend upon original OCSP nonce tests
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.