laudrup
commented
2 years ago First of all this looks really, really good. Thanks a lot.
Considering some of your points:
The new option is a member function of stream and not of context_certificates as i originally envisioned it. This is only so we can request OCSP stapling during the handshake if revocation checking is enabled. It would, of course, be possible to enable this request via a separate member function if there are concerns against combining all this in the stream member function.
I might misunderstand but didn't you add a separate member function for the revocation check on the stream class?
I think that is just fine. If you're talking about the implementation detail then I don't care too much for now, but we probably shouldn't make the function do much more in case more functionality is added later on.
The new unit test does not cover OCSP as that would require some server providing the OCSP responses during the test. This may be doable, but would be way more work. I have done some tests on actual websites and everything seems to be working as i expect it to.
Unit tests would indeed be great but I understand that it requires quite a lot of work to implement (which is why I haven't done that yet). If it should be done it should probably be some kind of general way of adding tests similar to what badssl.com is doing in addition to the OCSP tests. That's not needed for this PR but would of course be very much appreciated.
I have restored part of a mechanism to load certificates from files, that was used in the past and then removed in favour of simply hardcoding the test_certificate in a header file. As i have used several more certificates and CRLs now, i felt keeping them in separate files would be better.
More certificates is definitely needed to test this. I think it might make more sense to hardcode them in header files instead of loading them from PEM files at runtime but I definitely appreciate what you have done here so it's not all that important.
As mentioned above, i have generated some more certificates and also CRLs for testing purposes and saved them to tests/test_certificates. I generated these files with a small bash script that i also put in this folder (generate_certs.sh). Bash is maybe not a good choice for a windows specific library, but was most natural to me. I suppose powershell would also be an option if bash is a problem..? If i did everything correct, the Files should all be valid for 100 Years, however. So the script is only helpful as documentation and should only be needed again when the tests are changed.
I definitely don't mind using bash for this. I actually rarely use Window myself and when I do the first thing I do is install a "real" shell anyway. More importantly bash is supported by the pipelines used for the CI tests so it's perfectly fine.
All in all I'll be happy to merge this but I'll give you a chance to address my comments first.
Once more. Great job. I really appreciate it.
jens-diewald
I have added an option to enable checking for revoked certificates. Some Remarks:
Some Testcases:
CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT | CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLYforCertGetCertificateChainSCH_CRED_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOTduring the handshake.