Skip to content

fix: correct validation of OCSP signature#1863

Open
mauricefisher64 wants to merge 10 commits intomainfrom
ocsp_sig
Open

fix: correct validation of OCSP signature#1863
mauricefisher64 wants to merge 10 commits intomainfrom
ocsp_sig

Conversation

@mauricefisher64
Copy link
Collaborator

Changes in this pull request

Fix selecting the incorrect handler for RSA signatures
Enforce explicit EKUs for timestamp and ocsp certificates
Check OCSP certs against trust list
Correctly ignore OCSP responses that have errors (these are a noop)

Checklist

  • This PR represents a single feature, fix, or change.
  • All applicable changes have been documented.
  • Any TO DO items (or similar) have been entered as GitHub issues and the link to that issue has been included in a comment.

…sp_sig

# Conflicts:
#	sdk/src/crypto/cose/certificate_trust_policy.rs
#	sdk/src/crypto/cose/ocsp.rs
#	sdk/src/crypto/raw_signature/openssl/validators/mod.rs
#	sdk/src/crypto/raw_signature/rust_native/validators/mod.rs
@codecov
Copy link

codecov bot commented Feb 17, 2026

Codecov Report

❌ Patch coverage is 60.34483% with 69 lines in your changes missing coverage. Please review.
✅ Project coverage is 76.44%. Comparing base (d3488ec) to head (ba26e3c).

Files with missing lines Patch % Lines
sdk/src/crypto/cose/ocsp.rs 39.70% 41 Missing ⚠️
sdk/src/crypto/ocsp/mod.rs 73.80% 11 Missing ⚠️
sdk/src/crypto/time_stamp/verify.rs 52.63% 9 Missing ⚠️
...src/crypto/raw_signature/openssl/validators/mod.rs 80.95% 4 Missing ⚠️
...crypto/raw_signature/rust_native/validators/mod.rs 80.95% 4 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1863      +/-   ##
==========================================
- Coverage   76.53%   76.44%   -0.10%     
==========================================
  Files         171      171              
  Lines       39633    39788     +155     
==========================================
+ Hits        30334    30415      +81     
- Misses       9299     9373      +74     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@codspeed-hq
Copy link

codspeed-hq bot commented Feb 17, 2026

Merging this PR will improve performance by 81.13%

⚡ 1 improved benchmark
✅ 15 untouched benchmarks
⏩ 2 skipped benchmarks1

Performance Changes

Benchmark BASE HEAD Efficiency
sign 100kb svg 16.9 ms 9.4 ms +81.13%

Comparing ocsp_sig (ba26e3c) with main (d3488ec)

Open in CodSpeed

Footnotes

  1. 2 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports.

.await
};

// we only care about OCSP value log info the result is OK
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
// we only care about OCSP value log info the result is OK
// we only care about OCSP value log info if the result is OK

I think that's how I understand it?

},
};

const TIMESTAMP_OID_STR: &str = "1.3.6.1.5.5.7.3.8";
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe we can define this like the other oids using the oid! macro and then use ::as_bytes when adding it to the ctp?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants

Comments