Add CRL generation capability #315
Conversation
padelsbach
force-pushed
the
crl-generation
branch
from
d84fe0d to
8e8480d
Compare
padelsbach
force-pushed
the
crl-generation
branch
5 times, most recently
from
a016758 to
3676f25
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 18 out of 18 changed files in this pull request and generated 15 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| # Point to PR branch until merge | ||
| # TODO: Switch back to wolfssl/wolfssl after merge | ||
| repository: padelsbach/wolfssl | ||
| ref: crl-generation |
There was a problem hiding this comment.
The workflow is pointing to a temporary repository (padelsbach/wolfssl) and branch (crl-generation) for testing. The TODO comment indicates this should be changed back to wolfSSL/wolfssl after merge. This is acceptable for development but must be reverted before merging this PR to ensure CI uses the official repository.
| # Point to PR branch until merge | |
| # TODO: Switch back to wolfssl/wolfssl after merge | |
| repository: padelsbach/wolfssl | |
| ref: crl-generation | |
| repository: wolfSSL/wolfssl |
| # Point to PR branch until merge | ||
| # TODO: Switch back to wolfssl/wolfssl after merge | ||
| ref: crl-generation | ||
| repository: padelsbach/wolfssl |
There was a problem hiding this comment.
The workflow is pointing to a temporary repository (padelsbach/wolfssl) and branch (crl-generation) for testing. The TODO comment indicates this should be changed back to wolfSSL/wolfssl after merge. This is acceptable for development but must be reverted before merging this PR to ensure CI uses the official repository. Note that the ref and repository parameters are in reverse order compared to other workflow files.
| # Point to PR branch until merge | |
| # TODO: Switch back to wolfssl/wolfssl after merge | |
| ref: crl-generation | |
| repository: padelsbach/wolfssl | |
| # Use official wolfSSL repository | |
| repository: wolfSSL/wolfssl |
| # Point to PR branch until merge | ||
| # TODO: Switch back to wolfssl/wolfssl after merge | ||
| repository: padelsbach/wolfssl | ||
| ref: crl-generation |
There was a problem hiding this comment.
The workflow is pointing to a temporary repository (padelsbach/wolfssl) and branch (crl-generation) for testing. The TODO comment indicates this should be changed back to wolfSSL/wolfssl after merge. This is acceptable for development but must be reverted before merging this PR to ensure CI uses the official repository.
| # Point to PR branch until merge | |
| # TODO: Switch back to wolfssl/wolfssl after merge | |
| repository: padelsbach/wolfssl | |
| ref: crl-generation | |
| repository: wolfSSL/wolfssl |
| # Point to PR branch until merge | ||
| # TODO: Switch back to wolfssl/wolfssl after merge | ||
| repository: padelsbach/wolfssl | ||
| ref: crl-generation |
There was a problem hiding this comment.
The workflow is pointing to a temporary repository (padelsbach/wolfssl) and branch (crl-generation) for testing. The TODO comment indicates this should be changed back to wolfSSL/wolfssl after merge. This is acceptable for development but must be reverted before merging this PR to ensure CI uses the official repository.
| # Point to PR branch until merge | |
| # TODO: Switch back to wolfssl/wolfssl after merge | |
| repository: padelsbach/wolfssl | |
| ref: crl-generation | |
| repository: wolfSSL/wolfssl |
| fail-fast: false | ||
| matrix: | ||
| wolfssl_version: ${{ fromJson(needs.get-stable-releases.outputs.versions) }} | ||
| wolfssl_version: crl-generation |
There was a problem hiding this comment.
The matrix strategy has been changed to use a hardcoded crl-generation branch instead of the dynamic versions from the previous step. This appears to be temporary for testing but breaks the purpose of this workflow which is to test against stable releases. This should be reverted or the workflow should be updated to handle the new dependency properly.
| wolfssl_version: crl-generation | |
| wolfssl_version: ${{ fromJson(needs.get-stable-releases.outputs.versions) }} |
| # Point to PR branch until merge | ||
| # TODO: Switch back to wolfssl/wolfssl after merge | ||
| repository: padelsbach/wolfssl | ||
| ref: crl-generation |
There was a problem hiding this comment.
The workflow is pointing to a temporary repository (padelsbach/wolfssl) and branch (crl-generation) for testing. The TODO comment indicates this should be changed back to wolfSSL/wolfssl after merge. This is acceptable for development but must be reverted before merging this PR to ensure CI uses the official repository.
| # Point to PR branch until merge | |
| # TODO: Switch back to wolfssl/wolfssl after merge | |
| repository: padelsbach/wolfssl | |
| ref: crl-generation | |
| # Use official wolfSSL repository for CI builds | |
| repository: wolfSSL/wolfssl |
| # Point to PR branch until merge | ||
| # TODO: Switch back to wolfssl/wolfssl after merge | ||
| repository: padelsbach/wolfssl | ||
| ref: crl-generation |
There was a problem hiding this comment.
The workflow is pointing to a temporary repository (padelsbach/wolfssl) and branch (crl-generation) for testing. The TODO comment indicates this should be changed back to wolfSSL/wolfssl after merge. This is acceptable for development but must be reverted before merging this PR to ensure CI uses the official repository.
| # Point to PR branch until merge | |
| # TODO: Switch back to wolfssl/wolfssl after merge | |
| repository: padelsbach/wolfssl | |
| ref: crl-generation | |
| repository: wolfSSL/wolfssl | |
| ref: master |
padelsbach
force-pushed
the
crl-generation
branch
7 times, most recently
from
8b9532c to
8af03a8
Compare
|
The FIPS failures are due to the use of the main wolfSSL repo and are expected to be fixed once the CRL PR is merged on the wolfSSL repo. I will also revert the yamls at that point. |
native/com_wolfssl_WolfSSLCRL.c
Outdated
| timeBuf = (byte*)(*jenv)->GetByteArrayElements(jenv, time, NULL); | ||
| timeSz = (*jenv)->GetArrayLength(jenv, time); | ||
| if (timeBuf == NULL || | ||
| timeSz < (com_wolfssl_WolfSSLCRL_CTC_DATE_SIZE + 8)) { |
There was a problem hiding this comment.
Could we add a small comment saying what 8 represents here?
native/com_wolfssl_WolfSSLCRL.c
Outdated
| } | ||
| else { | ||
| /* Extract length from bytes 32-35 (assuming native byte order) */ | ||
| timeLen = *((int*)(timeBuf + com_wolfssl_WolfSSLCRL_CTC_DATE_SIZE)); |
There was a problem hiding this comment.
I was pondering if we should use the native CTC_DATE_SIZE here rather than the JNI-defined equivalent (com_wolfssl_WolfSSLCRL_CTC_DATE_SIZE)? If it were me I probably would use CTC_DATE_SIZE since we are calling down to native wolfSSL from this layer, and it's shorter to read.
Comment applies across all usages of that define.
native/com_wolfssl_WolfSSLCRL.c
Outdated
| timeBuf = (byte*)(*jenv)->GetByteArrayElements(jenv, time, NULL); | ||
| timeSz = (*jenv)->GetArrayLength(jenv, time); | ||
| if (timeBuf == NULL || | ||
| timeSz < (com_wolfssl_WolfSSLCRL_CTC_DATE_SIZE + 8)) { |
There was a problem hiding this comment.
Same comment as above, a small comment about what 8 represents would be nice.
native/com_wolfssl_WolfSSLCRL.c
Outdated
| ret = WOLFSSL_FAILURE; | ||
| } | ||
| else { | ||
| ret = WOLFSSL_SUCCESS; |
There was a problem hiding this comment.
Would it be better to initialize ret = WOLFSSL_SUCCESS at variable declaration, then just worry about setting ret = WOLFSSL_FAILURE when needed?
| } | ||
| } | ||
|
|
||
| (*jenv)->ReleaseByteArrayElements(jenv, time, (jbyte*)timeBuf, JNI_ABORT); |
There was a problem hiding this comment.
Should this be wrapped in a if (timeBuf != NULL), in case GetByteArrayElements() failed up above? Same comment applies to different functions where ReleaseByteArrayElements() is called as well.
There was a problem hiding this comment.
That pattern exists in places in this repo, but the large majority of calls to ReleaseByteArrayElements() don't perform the null check
native/com_wolfssl_WolfSSLCRL.c
Outdated
|
|
||
| /* Set correct WOLFSSL_EVP_MD, does not need to be freed */ | ||
| if (ret == WOLFSSL_FAILURE) { | ||
| /* skip if already failed */ |
There was a problem hiding this comment.
This seems a little odd, at least different than how most of our native wolfSSL code looks:
if (ret == WOLFSSL_FAILURE) {
/* skip if already failed */
}
In wolfSSL I think you would typically see a pattern like the following instead of the if(skip)/else:
if (ret == WOLFSSL_SUCCESS) {
if (digestAlg != NULL) {
...
}
}
Or:
if ((ret == WOLFSSL_SUCCESS) && (digestAlg != NULL)) {
...
}
native/com_wolfssl_WolfSSLCRL.c
Outdated
| /* already in DER */ | ||
| derBuf = keyBuf; | ||
| derSz = keySz; | ||
| ret = WOLFSSL_SUCCESS; |
There was a problem hiding this comment.
Hasn't ret already been initialized to WOLFSSL_SUCCESS at this point, unless it has been overridden by WOLFSSL_FAILURE (but then we shouldn't get to this point).
native/com_wolfssl_WolfSSLCRL.c
Outdated
| defined(WOLFSSL_CERT_GEN) && !defined(NO_ASN_TIME) | ||
| WOLFSSL_X509_CRL* crl = (WOLFSSL_X509_CRL*)(uintptr_t)crlPtr; | ||
| WOLFSSL_ASN1_TIME* date = NULL; | ||
| char ret[32]; |
There was a problem hiding this comment.
A comment about why 32 is used here would be good, or maybe use of MAX_TIME_STRING_SZ instead?
There was a problem hiding this comment.
Ok. I'll update a couple similar methods in com_wolfssl_WolfSSLCertificate.c which follow this pattern
native/com_wolfssl_WolfSSLCRL.c
Outdated
| defined(WOLFSSL_CERT_GEN) && !defined(NO_ASN_TIME) | ||
| WOLFSSL_X509_CRL* crl = (WOLFSSL_X509_CRL*)(uintptr_t)crlPtr; | ||
| WOLFSSL_ASN1_TIME* date = NULL; | ||
| char ret[32]; |
There was a problem hiding this comment.
Same as above, for possible use of MAX_TIME_STRING_SZ
src/java/com/wolfssl/WolfSSLCRL.java
Outdated
| WolfSSLDebug.INFO, this.crlPtr, | ||
| () -> "entered getEncoded(format: " + format + ")"); | ||
|
|
||
| ret = write_X509_CRL(this.crlPtr, tempPath.toString(), format); |
There was a problem hiding this comment.
Would it be easier just to add a native wolfSSL API that returns back a byte array of the CRL? That seems easier and less error prone to me than making a temporary file, especially if this is running in some sort of restricted Java environment where file creation isn't allowed (maybe Android or such).
padelsbach
force-pushed
the
crl-generation
branch
from
8af03a8 to
dfa7848
Compare
2 participants
Add wrappers for CRL generation logic. Requires wolfSSL/wolfssl#9631 to be merged.