Three examples demonstrating the new OCSP Responder API:
1. ocsp-request-response.c - Pure API usage: encode DER OCSP requests from certificates, generate signed responses, and verify them in memory without networking.
2. ocsp-responder-http.c - Minimal HTTP server that accepts POST requests with DER OCSP payloads and returns signed responses.
3. nginx-scgi/ - Production-style deployment using nginx as HTTP frontend with wolfclu running as an SCGI backend for OCSP processing.
Pull request overview
Adds a new ocsp/responder/ set of examples showcasing the wolfSSL OCSP Responder API, including in-memory request/response generation, a minimal HTTP responder, and an nginx+SCGI deployment pattern using wolfCLU.
Changes:
- Added two C examples: raw DER OCSP request/response and a minimal HTTP POST responder.
- Added shared PEM->DER file loading helpers and a local Makefile to build the examples.
- Added nginx+SCGI deployment example (config + run script) and documented how to run all examples.
Reviewed changes
Copilot reviewed 7 out of 8 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| ocsp/responder/README.md | Documents the new responder examples and how to build/run them. |
| ocsp/responder/ocsp-request-response.c | In-memory OCSP request encode + response sign + verification flow example. |
| ocsp/responder/ocsp-responder-http.c | Minimal socket-based HTTP responder that returns signed OCSP responses. |
| ocsp/responder/ocsp-load-certs.h | Shared file/cert/key loading helpers for the C examples. |
| ocsp/responder/nginx-scgi/run.sh | Script to stand up wolfCLU SCGI backend + nginx frontend for OCSP. |
| ocsp/responder/nginx-scgi/nginx-ocsp.conf | Example nginx config to SCGI-pass OCSP requests to wolfCLU. |
| ocsp/responder/Makefile | Builds the responder examples against an installed wolfSSL. |
| .gitignore | Ignores the newly built responder example binaries. |
- Add missing <time.h> include for time(NULL) usage
- Replace atoi() with strtol() and validate Content-Length in RecvHttp and ParsePost to reject negative/overflowing values
- Add SendAll() helper to handle partial send() writes
- Check return values of socket(), setsockopt(), and listen()

- Add SO_RCVTIMEO (5s) on accepted client sockets to prevent indefinite blocking from incomplete requests
- Move 64KB httpBuf/respBuf from stack to static globals
- Fix SendAll infinite loop when send() returns 0 (check n <= 0)
- Ignore SIGPIPE to prevent crash on client disconnect during writes
- Use case-insensitive Content-Length header matching per RFC 7230
- Track error state and return nonzero from main on fatal errors
- Reset ret after wolfSSL_CertManagerLoadCABuffer to avoid leaking WOLFSSL_SUCCESS (1) into error paths in ocsp-request-response.c
- Add -Wextra to Makefile CFLAGS
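Added example (not code from this pull request): one way to do the Content-Length handling the commit messages above describe, with case-insensitive header matching and strtol-based validation that rejects negative, overflowing, trailing-garbage and oversized values. The function name `parse_content_length` and the `MAX_BODY` cap are assumptions made for this sketch.

```c
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Assumed cap, sized like the 64KB request buffer the commit message mentions. */
#define MAX_BODY (64 * 1024)

/* Hypothetical helper: find "Content-Length" (any case) at the start of a
 * header line and store its value in *out. Returns 0 on success, -1 if the
 * header is missing, malformed, negative, overflowing, or above MAX_BODY.
 * *out is written only on success. */
static int parse_content_length(const char *hdrs, long *out)
{
    static const char name[] = "content-length:";
    const size_t nlen = sizeof(name) - 1;
    const char *line = hdrs;

    while (line != NULL && *line != '\0') {
        if (strncasecmp(line, name, nlen) == 0) {
            const char *p = line + nlen;
            char *end;
            long v;

            while (*p == ' ' || *p == '\t') p++;          /* optional whitespace */
            if (!isdigit((unsigned char)*p)) return -1;   /* "-1", "+5", empty */
            errno = 0;
            v = strtol(p, &end, 10);
            if (errno == ERANGE || v > MAX_BODY) return -1;
            while (*end == ' ' || *end == '\t') end++;
            if (*end != '\r' && *end != '\n' && *end != '\0')
                return -1;                                /* e.g. "12abc" */
            *out = v;
            return 0;
        }
        line = strchr(line, '\n');                        /* advance to next line */
        if (line != NULL) line++;
    }
    return -1;                                            /* header not present */
}
```

The caller still has to confirm that the number of body bytes actually received matches the returned length before handing the buffer to the OCSP decoder.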
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
dgarske left a comment
🐺 Skoll Code Review
Overall recommendation: APPROVE
Findings: 3 total — 2 posted, 1 skipped
Posted findings
- [Medium] LoadFile does not validate fread return value — ocsp/responder/ocsp-load-certs.h:47
- [Medium] wolfSSL_Init() return value not checked in HTTP responder — ocsp/responder/ocsp-responder-http.c:255
Skipped findings
- [Low] Makefile uses -Wextra unlike other OCSP Makefiles
Review generated by Skoll via openclaw
| if (sz <= 0) { fclose(f); return NULL; } | ||
| buf = (byte*)malloc((size_t)sz); | ||
| if (!buf) { fclose(f); return NULL; } | ||
| *outSz = (int)fread(buf, 1, (size_t)sz, f); |
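Review bot: the `(int)fread(...)` assignment narrows the read count to int, but the only bound on `sz` above it is `sz <= 0`, so a length above INT_MAX would wrap in `*outSz` while the allocation uses the full `(size_t)sz`. Reject `sz > INT_MAX` in the same place as the `sz <= 0` check, before the malloc, so the size reported to callers always matches the buffer.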
🟡 [Medium] LoadFile does not validate fread return value
💡 SUGGEST bug
The LoadFile function does not check whether fread actually read the expected number of bytes. If fread encounters an I/O error or partial read, *outSz could be 0 or less than sz, and a buffer with incorrect/incomplete data is returned to the caller. The downstream callers (LoadCertDer, LoadKeyDer) would then pass a size-0 or short buffer to wc_CertPemToDer/wc_KeyPemToDer, which would return an error — so in practice this is safe — but the existing ocsp/stapling/ocsp-server.c:134 shows the project convention is to validate fread return against the expected size (if (fread(...) != (size_t)certPemSz)). For a shared utility header included by multiple files, adding this check improves robustness.
Suggestion:
| *outSz = (int)fread(buf, 1, (size_t)sz, f); | |
| *outSz = (int)fread(buf, 1, (size_t)sz, f); | |
| fclose(f); | |
| if (*outSz != (int)sz) { free(buf); return NULL; } | |
| return buf; |
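Review bot: on the failure path of the suggested `if (*outSz != (int)sz)` check, the function returns NULL but leaves the short read count in `*outSz`, so a caller that reads the size before testing the pointer sees a non-zero length for a buffer that has been freed. Hold fread's return in a local size_t, compare it with `(size_t)sz` rather than after narrowing both sides to int, and assign `*outSz` only once the read is known to be complete.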
| certFile = argv[2]; | ||
| keyFile = argv[3]; | ||
|
|
||
| wolfSSL_Init(); |
🟡 [Medium] wolfSSL_Init() return value not checked in HTTP responder
💡 SUGGEST convention
In ocsp-responder-http.c, wolfSSL_Init() is called without checking the return value (line 255: wolfSSL_Init();). In contrast, ocsp-request-response.c in the same PR properly checks the return (lines 122-126). The ocsp_nonblock_async.c example also checks it. Since these two files are being introduced together as example code, they should demonstrate consistent best practices. If wolfSSL_Init() fails silently, all subsequent wolfSSL/wolfCrypt calls will produce undefined behavior.
Suggestion:
| wolfSSL_Init(); | |
| if (wolfSSL_Init() != WOLFSSL_SUCCESS) { | |
| fprintf(stderr, "wolfSSL_Init failed\n"); | |
| return 1; | |
| } |
| keyFile = argv[3]; | ||
|
|
||
| wolfSSL_Init(); | ||
| { |