multi-root CA certificate verification #350
Pull request overview
This PR adds multi-root certificate verification support to wolfHSM so certificate chains can be validated against a set of trusted root NVM IDs instead of a single anchor. It extends the cert message protocol, client/server certificate APIs, and test coverage for the new verification mode.
Changes:
- Added `wh_Server_CertVerifyMultiRoot` plus single-root delegation through the new multi-root server implementation.
- Added new cert message actions and request structs for multi-root verify in both inline and DMA modes.
- Added client-side multi-root verify APIs and corresponding server/client/unit tests.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| `wolfhsm/wh_settings.h` | Adds configurable max root count for multi-root verification. |
| `wolfhsm/wh_server_cert.h` | Declares new server-side multi-root verify API and docs. |
| `wolfhsm/wh_message_cert.h` | Adds protocol actions and request structs for multi-root verify/DMA. |
| `wolfhsm/wh_client.h` | Declares new client-side multi-root verify APIs for inline and DMA modes. |
| `test/wh_test_check_struct_padding.c` | Extends padding checks to new message structs. |
| `test/wh_test_cert.c` | Adds server, client, and DMA tests for multi-root verification. |
| `src/wh_server_cert.c` | Implements multi-root verification and request handling on the server. |
| `src/wh_message_cert.c` | Adds translation helpers for new multi-root message types. |
| `src/wh_client_cert.c` | Implements client request/response helpers for multi-root verify APIs. |
72aa826 to 3928b3d
3928b3d to be4aca2
wolfSSL-Fenrir-bot
left a comment
Fenrir Automated Review — PR #350
Scan targets checked: wolfhsm-core-bugs, wolfhsm-src
No new issues found in the changed files. ✅
AlexLanzano
left a comment
Looks great! Just need to fix the test case in test/wh_test_cert.c:172
You're only passing one root where the comment says you're passing in two.
GitHub wouldn't let me make a comment directly on the source file btw...
Adds multi-root certificate verification support to wolfHSM so certificate chains can be validated against a set of trusted root NVM IDs instead of just a single anchor. It extends the cert message protocol, client/server certificate APIs, and test coverage for the new verification mode.
Changes: