Reject status_request_v2 ocsp-multi staples that bundle multiple SingleResponses#10747
Open
gasbytes wants to merge 1 commit into
Open
Reject status_request_v2 ocsp-multi staples that bundle multiple SingleResponses#10747gasbytes wants to merge 1 commit into
gasbytes wants to merge 1 commit into
Conversation
gasbytes
force-pushed
the
tls-1-2-ocsp-multi-stapl-check
branch
2 times, most recently
from
a1db565 to
1410138
Compare
Contributor
There was a problem hiding this comment.
Pull request overview
This PR hardens OCSP stapling verification for status_request_v2 OCSP-multi by rejecting stapled BasicOCSPResponse values that bundle multiple SingleResponse entries, closing a case where a revoked certificate could be accepted if a benign SingleResponse appeared first.
Changes:
- Reject OCSP-multi (
WOLFSSL_CSR2_OCSP_MULTI) staples that contain more than oneSingleResponse. - Add a regression test that staples a multi-
SingleResponseleaf OCSP response where the revoked entry is not first. - Add a generated OCSP response blob and generator script entry to reproduce the behavior.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
src/internal.c |
Adds a guard in DoCertificateStatus() to reject multi-SingleResponse staples for CSR2 OCSP-multi. |
tests/api/test_ocsp.c |
Adds a regression test and status callback that supplies the crafted multi-SingleResponse leaf staple. |
tests/api/test_ocsp.h |
Exposes the new regression test prototype. |
tests/api.c |
Registers the new test in the test runner. |
tests/api/test_ocsp_test_blobs.h |
Adds the new binary OCSP response blob used by the test. |
tests/api/create_ocsp_test_blobs.py |
Adds generation metadata for the new OCSP response blob. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
gasbytes
force-pushed
the
tls-1-2-ocsp-multi-stapl-check
branch
from
1410138 to
7c287de
Compare
|
retest this please |
julek-wolfssl
requested changes
Jun 23, 2026
…leResponses So a revoked certificate's non-first single can no longer be accepted
gasbytes
force-pushed
the
tls-1-2-ocsp-multi-stapl-check
branch
from
7c287de to
733d292
Compare
julek-wolfssl
approved these changes
Jun 23, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Reject status_request_v2 ocsp-multi staples that bundle multiple SingleResponses
So a revoked certificate's non-first single can no longer be accepted
Testing
Added regression test + generated blob with the certificate chain to reproduce the behaviour.
config used: ./configure --enable-all
Checklist