Skip to content

Trusted cert cache and verify callbacks#353

Merged
AlexLanzano merged 2 commits into
wolfSSL:mainfrom
bigbrett:trusted-cert-cache
May 26, 2026
Merged

Trusted cert cache and verify callbacks#353
AlexLanzano merged 2 commits into
wolfSSL:mainfrom
bigbrett:trusted-cert-cache

Conversation

@bigbrett
Copy link
Copy Markdown
Contributor

@bigbrett bigbrett commented May 5, 2026
edited
Loading

Introduces two new features and a few cleanups

  1. Adds a "Trusted cert cache" maintained by the server for each client that "remembers" certificates (intermediate and leaf) after they are verified as trusted in a cert chain verification operation (based on the SHA256 over the cert). Any time the cert is subsequently encountered in a chain verification operation, the public key verification is short-circuited, and the cert is automatically registered as trusted. Notably, the cert "memory" is bound to the list of roots it was initially verified against. This feature exists to enhance performance in scenarios where the same cert chain is expected to be encountered multiple times (think wolfBoot cert chain auth for a time-critical boot). The cache can be per-client or global. There are definitely some security consequences to this feature but this is noted clearly in the docs. More details in the docs.
  2. Adds the ability for the user to inject a verify callback into the certificate manager for cert chain verification. This allows the chain verification to be further exteneded or overriden by the user (domain name/SAN validation, etc.). Note that callbacks will NOT be invoked on cached/trusted certs, as this short circuits the entire verification process for that cert.
  3. Completely unrelated fix for uninitialized variable warning in SHE layer
  4. Unrelated fix adding padding check macro to prevent transitive includes from blowing up padding check

Copilot AI review requested due to automatic review settings May 5, 2026 16:51
Copilot AI reviewed May 5, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

Copilot AI reviewed May 5, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 10 out of 10 changed files in this pull request and generated 4 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread src/wh_server_cert.c Outdated
Comment thread src/wh_server_cert.c Outdated
Comment thread wolfhsm/wh_server_cert_cache.h Outdated
Comment thread src/wh_server_cert.c
wolfSSL-Fenrir-bot
wolfSSL-Fenrir-bot reviewed May 5, 2026
View reviewed changes
Copy link
Copy Markdown

@wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fenrir Automated Review — PR #353

Scan targets checked: wolfhsm-core-bugs, wolfhsm-src

Findings: 3
3 finding(s) posted as inline comments (see file-level comments below)

This review was generated automatically by Fenrir. Findings are non-blocking.

Comment thread src/wh_server_cert.c Outdated
Comment thread src/wh_server_cert.c
Comment thread src/wh_server_cert.c
bigbrett
bigbrett commented May 5, 2026
View reviewed changes
Comment thread src/wh_server_cert.c Outdated
bigbrett
bigbrett commented May 5, 2026
View reviewed changes
Comment thread src/wh_server_cert.c
bigbrett
bigbrett commented May 5, 2026
View reviewed changes
Comment thread src/wh_server_cert.c
wolfSSL-Fenrir-bot
wolfSSL-Fenrir-bot reviewed May 5, 2026
View reviewed changes
Copy link
Copy Markdown

@wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fenrir Automated Review — PR #353

Scan targets checked: wolfhsm-core-bugs, wolfhsm-src

No new issues found in the changed files. ✅

@bigbrett bigbrett force-pushed the trusted-cert-cache branch 2 times, most recently from 5d341c4 to 56779ee Compare May 11, 2026 20:08
wolfSSL-Fenrir-bot
wolfSSL-Fenrir-bot reviewed May 11, 2026
View reviewed changes
Copy link
Copy Markdown

@wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fenrir Automated Review — PR #353

Scan targets checked: wolfhsm-core-bugs, wolfhsm-src

No new issues found in the changed files. ✅

@bigbrett bigbrett force-pushed the trusted-cert-cache branch 5 times, most recently from 3b66a72 to c0024d2 Compare May 15, 2026 17:32
@bigbrett bigbrett marked this pull request as ready for review May 15, 2026 20:40
@bigbrett bigbrett force-pushed the trusted-cert-cache branch from c0024d2 to 6526244 Compare May 17, 2026 21:31
@bigbrett bigbrett force-pushed the trusted-cert-cache branch from 6526244 to fbb033c Compare May 17, 2026 21:36
@Frauschi Frauschi removed their assignment May 21, 2026
AlexLanzano
AlexLanzano approved these changes May 26, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@AlexLanzano AlexLanzano left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved. One thing we should look into is if there are use cases where that user-defined callback should be run even on a cache hit.

@AlexLanzano AlexLanzano merged commit b14fe41 into wolfSSL:main May 26, 2026
108 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot wolfSSL-Fenrir-bot left review comments

@Frauschi Frauschi Frauschi approved these changes

@AlexLanzano AlexLanzano AlexLanzano approved these changes

@padelsbach padelsbach Awaiting requested review from padelsbach

Assignees

@AlexLanzano AlexLanzano

@padelsbach padelsbach

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@bigbrett @Frauschi @AlexLanzano @wolfSSL-Fenrir-bot @padelsbach