Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use SHA256 as default digest for OCSP signing #2038

Merged
merged 1 commit into from
Dec 9, 2024
Merged

Use SHA256 as default digest for OCSP signing #2038

merged 1 commit into from
Dec 9, 2024

Conversation

samuel40791765
Copy link
Contributor

Description of changes:

OpenSSL apparently sets a default digest when consuming the EVP_DigestSign* APIs. We avoid this and emit a relevant error when this happens. Ruby 3.2's double downed on this on their consumption of OCSP however: ruby/ruby@4d6a293 We don't want to introduce a "default digest" to all calls to EVP_DigestSign*, so I've chosen to imitate OpenSSL's behavior in only the places necessary in this case (OCSP). This fixes the Ruby 3.2 OCSP tests we were failing before.

Call-outs:

N/A

Testing:

Built upon existing OCSP tests

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.

@samuel40791765 samuel40791765 requested a review from a team as a code owner December 6, 2024 00:59
@codecov-commenter
Copy link

Codecov Report

Attention: Patch coverage is 68.75000% with 5 lines in your changes missing coverage. Please review.

Project coverage is 78.66%. Comparing base (8226a05) to head (4a6fea1).

Files with missing lines Patch % Lines
crypto/ocsp/ocsp_server.c 75.00% 3 Missing ⚠️
crypto/ocsp/ocsp_client.c 50.00% 2 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #2038      +/-   ##
==========================================
- Coverage   78.67%   78.66%   -0.01%     
==========================================
  Files         598      598              
  Lines      103350   103364      +14     
  Branches    14693    14691       -2     
==========================================
+ Hits        81308    81311       +3     
- Misses      21389    21400      +11     
  Partials      653      653

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@samuel40791765 samuel40791765 mentioned this pull request Dec 6, 2024
Merged
justsmth
justsmth approved these changes Dec 9, 2024
View reviewed changes
crypto/ocsp/ocsp_server.c
Comment on lines +175 to +178
const EVP_MD *OCSP_get_default_digest(const EVP_MD *dgst, EVP_PKEY *signer) {
if (dgst != NULL) {
return dgst;
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

NP: Why have this function take dgst as a parameter? It would seem more natural to have the callers conditionally invoke OCSP_get_default_digest only when dgst is NULL.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agreed, that was the original way I had implemented it. But we would need double null checks (outlined below) in both functions without the abstraction into OCSP_get_default_digest. It didn't sit quite well with me since we were already trying to abstract out shared logic, which was why I moved it into the static function.

const EVP_MD *init_dgst = dgst;
if (init_dgst != NULL) {
    init_dgst = OCSP_get_default_digest(key);
}
if (init_dgst != NULL) {
  OPENSSL_PUT_ERROR(OCSP, EVP_R_NO_DEFAULT_DIGEST);
   goto err;
}

@samuel40791765 samuel40791765 merged commit 6c58a0f into aws:main Dec 9, 2024
120 of 124 checks passed
@samuel40791765 samuel40791765 deleted the ocsp-default-dgst branch December 9, 2024 19:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@justsmth justsmth justsmth approved these changes

@WillChilds-Klein WillChilds-Klein WillChilds-Klein approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@samuel40791765 @codecov-commenter @WillChilds-Klein @justsmth