@cconlon cconlon commented Dec 29, 2025

This PR loads intermediate CA certificates from the verified certificate chain into the CertManager before OCSP validation. This fixes OCSP_LOOKUP_FAIL (-367) when responses are signed by intermediate CAs.

This PR also adjusts our Android emulator GitHub action where it could hang indefinitely (up to the action timeout) after tests completed due to the emulator not shutting down cleanly.

ZD 20419

Copilot AI left a comment

Pull request overview

This PR fixes OCSP validation failures (OCSP_LOOKUP_FAIL error -367) that occur when OCSP responses are signed by intermediate CA certificates. The fix loads intermediate CA certificates from the verified certificate chain into the CertManager before OCSP validation, ensuring the necessary certificates are available for response verification.

Key Changes:

  • Modified checkServerTrusted() to load chain CAs (intermediate and root certificates) into the CertManager before OCSP validation
  • Added comprehensive test case to validate OCSP verification with intermediate CAs
  • Updated to use the verified certificate chain (certList) instead of the input chain for consistency

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

File / Description

src/java/com/wolfssl/provider/jsse/WolfSSLTrustX509.java: Implements the core fix by loading all chain CAs (indices 1 through size-1) into the CertManager before OCSP validation, and uses the verified chain for extracting leaf and issuer certificates.

src/test/com/wolfssl/provider/jsse/test/WolfSSLTrustX509Test.java: Adds comprehensive test case testCheckServerTrustedOCSPWithChainCAs() to verify OCSP validation works with intermediate CAs from the chain, and updates comment wording.

src/test/com/wolfssl/test/WolfSSLCertManagerTest.java: Minor comment update removing redundant wording ("for cert" → "cert").
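As an added illustration of the approach described in the PR description and in the review summary above (this is not code from the wolfssljni project): the CAs of the verified chain, certList[1] through certList[size-1], are loaded into a WolfSSLCertManager before the OCSP check runs on the leaf, so a response signed by an intermediate can be verified. The WolfSSLCertManager method names and signatures used here (CertManagerLoadCABuffer, CertManagerEnableOCSP, CertManagerCheckOCSP, free) are assumed from the wolfssljni API and should be checked against the version in use.

```java
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;

import com.wolfssl.WolfSSL;
import com.wolfssl.WolfSSLCertManager;
import com.wolfssl.WolfSSLException;

public final class ChainAwareOcspCheck {
    /*
     * OCSP-check the leaf of an already path-validated chain (leaf first).
     * Every CA in it, certList[1] .. certList[size-1], is loaded into the
     * CertManager first so a response signed by an intermediate CA can be
     * verified instead of failing with OCSP_LOOKUP_FAIL (-367).
     * Returns WolfSSL.SSL_SUCCESS, or the wolfSSL error code on failure.
     */
    public static int checkLeafOcspWithChainCAs(X509Certificate[] certList)
            throws WolfSSLException, CertificateEncodingException {
        if (certList == null || certList.length == 0) {
            throw new IllegalArgumentException("verified chain is empty");
        }

        /* Assumed wolfssljni API: WolfSSLCertManager(), CertManagerLoadCABuffer,
         * CertManagerEnableOCSP, CertManagerCheckOCSP and free(). */
        WolfSSLCertManager cm = new WolfSSLCertManager();
        try {
            /* A chain of length 1 has no intermediates: the loop is a no-op and
             * OCSP then relies only on CAs the CertManager already trusts. */
            for (int i = 1; i < certList.length; i++) {
                byte[] der = certList[i].getEncoded();
                int ret = cm.CertManagerLoadCABuffer(der, der.length,
                                                     WolfSSL.SSL_FILETYPE_ASN1);
                if (ret != WolfSSL.SSL_SUCCESS) {
                    return ret;
                }
            }

            int ret = cm.CertManagerEnableOCSP(0);
            if (ret != WolfSSL.SSL_SUCCESS) {
                return ret;
            }

            /* Leaf is index 0 of the verified chain, not of the raw input chain */
            byte[] leafDer = certList[0].getEncoded();
            return cm.CertManagerCheckOCSP(leafDer, leafDer.length);
        } finally {
            cm.free();
        }
    }
}
```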


cconlon force-pushed the androidCheckServerTrustedFixes branch 11 times, most recently from af11d17 to 003b78b on December 29, 2025 22:15
cconlon force-pushed the androidCheckServerTrustedFixes branch from 003b78b to 91425d3 on December 29, 2025 22:23
cconlon assigned rlm2002 and unassigned cconlon Dec 29, 2025
rlm2002 merged commit 8dd48f9 into wolfSSL:master Dec 29, 2025
68 checks passed