
Basic certificate support #96

Merged
merged 10 commits into from
Mar 31, 2025
@bigbrett bigbrett commented Mar 24, 2025

Adds basic support for certificate management using wolfSSL Cert Manager.

Client API has add/delete/get functionality for trusted certificate (root), and then a verify function that verifies an (ordered) certificate chain against a given trusted root.

Limitations:

  • CM is initialized at verification time to prevent issues managing state between CM and NVM. This may result in slightly more latency for verification operations
  • Chain must be ordered
  • No support for CRLs (yet)

Future work:

  • Feature flag for "minimal" public-key-only verification that doesn't check anything else about certificate validity. Would be useful on space constrained platforms where you really only care about trust and are using X509 to simply interop with existing PKI
  • Introduce the concept of a "session" with a live CM instance and directly expose CM via client API so client apps can use it in a more granular way, essentially providing direct (remote) access to the cert manager API from the client
  • Better handling of intermediates?

@bigbrett bigbrett marked this pull request as draft March 24, 2025 23:49
@bigbrett bigbrett marked this pull request as ready for review March 25, 2025 16:18
@bigbrett bigbrett requested a review from billphipps March 25, 2025 16:18
billphipps previously approved these changes Mar 25, 2025

@billphipps billphipps left a comment

Looks very reasonable. A few API names and inout questions, but certainly is a good start. I have some concerns about the RAM necessary on the server to parse the certification chain. We may need to preallocate or use some of the existing cache memory to better handle this.

@bigbrett bigbrett requested a review from billphipps March 28, 2025 14:35
@billphipps billphipps merged commit ac64df4 into wolfSSL:main Mar 31, 2025
2 checks passed
@bigbrett

Adding this here so we don't forget: Future work should be to refactor error propagation for the verify message to return wolfCrypt error code to client, vs "catch-all" cert verification error
