Add trusted cert cache enable/disable client API

Author: bigbrett

src/wh_client_cert.c

@@ -726,6 +726,77 @@ int wh_Client_CertVerifyCacheClear(whClientContext* c, int32_t* out_rc)
 
     return rc;
 }
+
+int wh_Client_CertVerifyCacheSetEnabledRequest(whClientContext* c,
+                                               uint8_t          enable)
+{
+    whMessageCert_SetEnabledRequest* req = NULL;
+
+    if (c == NULL) {
+        return WH_ERROR_BADARGS;
+    }
+
+    req = (whMessageCert_SetEnabledRequest*)wh_CommClient_GetDataPtr(c->comm);
+    if (req == NULL) {
+        return WH_ERROR_BADARGS;
+    }
+    memset(req, 0, sizeof(*req));
+    req->enable = enable ? 1 : 0;
+
+    return wh_Client_SendRequest(
+        c, WH_MESSAGE_GROUP_CERT,
+        WH_MESSAGE_CERT_ACTION_VERIFY_CACHE_SET_ENABLED, sizeof(*req),
+        (uint8_t*)req);
+}
+
+int wh_Client_CertVerifyCacheSetEnabledResponse(whClientContext* c,
+                                                int32_t*         out_rc)
+{
+    int                          rc;
+    uint16_t                     group;
+    uint16_t                     action;
+    uint16_t                     size;
+    whMessageCert_SimpleResponse resp;
+
+    if (c == NULL) {
+        return WH_ERROR_BADARGS;
+    }
+
+    rc = wh_Client_RecvResponse(c, &group, &action, &size, &resp);
+    if (rc == WH_ERROR_OK) {
+        if ((group != WH_MESSAGE_GROUP_CERT) ||
+            (action != WH_MESSAGE_CERT_ACTION_VERIFY_CACHE_SET_ENABLED) ||
+            (size != sizeof(resp))) {
+            rc = WH_ERROR_ABORTED;
+        }
+        else if (out_rc != NULL) {
+            *out_rc = resp.rc;
+        }
+    }
+    return rc;
+}
+
+int wh_Client_CertVerifyCacheSetEnabled(whClientContext* c, uint8_t enable,
+                                        int32_t* out_rc)
+{
+    int rc = WH_ERROR_OK;
+
+    if (c == NULL) {
+        return WH_ERROR_BADARGS;
+    }
+
+    do {
+        rc = wh_Client_CertVerifyCacheSetEnabledRequest(c, enable);
+    } while (rc == WH_ERROR_NOTREADY);
+
+    if (rc == WH_ERROR_OK) {
+        do {
+            rc = wh_Client_CertVerifyCacheSetEnabledResponse(c, out_rc);
+        } while (rc == WH_ERROR_NOTREADY);
+    }
+
+    return rc;
+}
 #endif /* WOLFHSM_CFG_CERTIFICATE_VERIFY_CACHE */
 
 #ifdef WOLFHSM_CFG_DMA

src/wh_message_cert.c

@@ -45,6 +45,18 @@ int wh_MessageCert_TranslateSimpleResponse(
     return 0;
 }
 
+int wh_MessageCert_TranslateSetEnabledRequest(
+    uint16_t magic, const whMessageCert_SetEnabledRequest* src,
+    whMessageCert_SetEnabledRequest* dest)
+{
+    (void)magic;
+    if ((src == NULL) || (dest == NULL)) {
+        return WH_ERROR_BADARGS;
+    }
+    dest->enable = src->enable;
+    return 0;
+}
+
 int wh_MessageCert_TranslateAddTrustedRequest(
     uint16_t magic, const whMessageCert_AddTrustedRequest* src,
     whMessageCert_AddTrustedRequest* dest)

src/wh_nvm.c

@@ -105,9 +105,12 @@ int wh_Nvm_Init(whNvmContext* context, const whNvmConfig* config)
 #endif
 
 #ifdef WOLFHSM_CFG_CERTIFICATE_VERIFY_CACHE_GLOBAL
-    /* Initialize the global cert verify cache */
+    /* Initialize the global cert verify cache. Default to enabled so a fresh
+     * NVM context preserves pre-runtime-toggle behavior; clients can disable
+     * via wh_Client_CertVerifyCacheSetEnabled. */
     memset(&context->globalCertVerifyCache, 0,
            sizeof(context->globalCertVerifyCache));
+    context->globalCertVerifyCache.enabled = 1;
 #endif
 
 #ifdef WOLFHSM_CFG_THREADSAFE

src/wh_server.c

@@ -128,6 +128,12 @@ int wh_Server_Init(whServerContext* server, whServerConfig* config)
     if (config->certConfig != NULL) {
         server->cert.verifyCb = config->certConfig->verifyCb;
     }
+#if defined(WOLFHSM_CFG_CERTIFICATE_VERIFY_CACHE) && \
+    !defined(WOLFHSM_CFG_CERTIFICATE_VERIFY_CACHE_GLOBAL)
+    /* Cache defaults to enabled so a fresh server preserves pre-runtime-toggle
+     * behavior. Clients can disable via wh_Client_CertVerifyCacheSetEnabled. */
+    server->cert.cache.enabled = 1;
+#endif
 #endif /* WOLFHSM_CFG_CERTIFICATE_MANAGER && !WOLFHSM_CFG_NO_CRYPTO */
 
     /* Log the server startup */

src/wh_server_cert.c

@@ -172,7 +172,15 @@ int wh_Server_CertVerifyCache_Lookup(whServerContext* server,
     if (rc != WH_ERROR_OK) {
         return rc;
     }
-    found = _LookupSubsetUnlocked(cache, rootNvmIds, numRoots, hash);
+    if (!cache->enabled) {
+        /* Runtime-disabled cache: always miss, regardless of slot contents.
+         * Slots are cleared at disable time, so the scan would miss anyway,
+         * but short-circuiting keeps disabled-cache verify cost predictable. */
+        found = WH_ERROR_NOTFOUND;
+    }
+    else {
+        found = _LookupSubsetUnlocked(cache, rootNvmIds, numRoots, hash);
+    }
     (void)_UnlockVerifyCache(cache);
     return found;
 }
@@ -200,6 +208,13 @@ void wh_Server_CertVerifyCache_Insert(whServerContext* server,
     if (rc != WH_ERROR_OK) {
         return;
     }
+    /* Runtime-disabled cache: drop the insert silently. The slot array is
+     * already empty (cleared on disable) and stays that way until re-enable,
+     * so dropping here preserves "no new entries while disabled". */
+    if (!cache->enabled) {
+        (void)_UnlockVerifyCache(cache);
+        return;
+    }
     /* Dedup on exact (set, hash) match under the lock so concurrent inserts
      * of the same verify collapse to a single slot. Differing-set entries
      * for the same hash coexist: each is an independent claim about a
@@ -244,6 +259,37 @@ void wh_Server_CertVerifyCache_Clear(whServerContext* server)
     (void)_UnlockVerifyCache(cache);
 }
 
+int wh_Server_CertVerifyCache_SetEnabled(whServerContext* server,
+                                         uint8_t          enable)
+{
+    whCertVerifyCacheContext* cache;
+    int                       rc;
+
+    if (server == NULL) {
+        return WH_ERROR_BADARGS;
+    }
+    cache = _GetVerifyCache(server);
+    if (cache == NULL) {
+        return WH_ERROR_BADARGS;
+    }
+
+    rc = _LockVerifyCache(cache);
+    if (rc != WH_ERROR_OK) {
+        return rc;
+    }
+    /* Flush on transition to disabled so a future re-enable starts from a
+     * clean state rather than reviving entries that pre-dated the disable.
+     * Mirrors the payload-only clear done by wh_Server_CertVerifyCache_Clear:
+     * the embedded lock (when present) must survive. */
+    if (!enable) {
+        memset(cache->slots, 0, sizeof(cache->slots));
+        cache->writeIdx = 0;
+    }
+    cache->enabled = enable ? 1 : 0;
+    (void)_UnlockVerifyCache(cache);
+    return WH_ERROR_OK;
+}
+
 void wh_Server_CertVerifyCache_EvictRoot(whServerContext* server,
                                          whNvmId          rootNvmId)
 {
@@ -1066,6 +1112,35 @@ int wh_Server_HandleCertRequest(whServerContext* server, uint16_t magic,
                 magic, &resp, (whMessageCert_SimpleResponse*)resp_packet);
             *out_resp_size = sizeof(resp);
         }; break;
+
+        case WH_MESSAGE_CERT_ACTION_VERIFY_CACHE_SET_ENABLED: {
+            whMessageCert_SetEnabledRequest req  = {0};
+            whMessageCert_SimpleResponse    resp = {0};
+
+            if (req_size != sizeof(req)) {
+                resp.rc = WH_ERROR_ABORTED;
+            }
+            else {
+                wh_MessageCert_TranslateSetEnabledRequest(
+                    magic, (whMessageCert_SetEnabledRequest*)req_packet, &req);
+#ifndef WOLFHSM_CFG_CERTIFICATE_VERIFY_CACHE_GLOBAL
+                /* Same locking rationale as VERIFY_CACHE_CLEAR above. */
+                rc = WH_SERVER_NVM_LOCK(server);
+                if (rc == WH_ERROR_OK) {
+                    rc = wh_Server_CertVerifyCache_SetEnabled(server,
+                                                              req.enable);
+                    (void)WH_SERVER_NVM_UNLOCK(server);
+                }
+#else
+                rc = wh_Server_CertVerifyCache_SetEnabled(server, req.enable);
+#endif
+                resp.rc = rc;
+            }
+
+            wh_MessageCert_TranslateSimpleResponse(
+                magic, &resp, (whMessageCert_SimpleResponse*)resp_packet);
+            *out_resp_size = sizeof(resp);
+        }; break;
 #endif /* WOLFHSM_CFG_CERTIFICATE_VERIFY_CACHE */
 
 #ifdef WOLFHSM_CFG_DMA

test/wh_test_cert.c

@@ -311,6 +311,114 @@ static int whTest_CertServerVerifyCache(whServerConfig* serverCfg)
     WH_TEST_PRINT("Server cert verify-cache test PASSED\n");
     return WH_ERROR_OK;
 }
+
+/* Counts verify-callback invocations so we can tell a cold verify (callback
+ * fires for every cert) from a warm verify (callback skipped on cache hits).
+ * Used by the SetEnabled test below to confirm that disabling actually
+ * suppresses cache hits. */
+static int s_setEnabledCb_count = 0;
+static int whTest_setEnabledVerifyCb(int                     preverify,
+                                     WOLFSSL_X509_STORE_CTX* store)
+{
+    (void)store;
+    s_setEnabledCb_count++;
+    return preverify;
+}
+
+/* Exercises wh_Server_CertVerifyCache_SetEnabled:
+ *  - disable flushes existing entries and suppresses subsequent cache hits
+ *    (a re-verify after disable runs cold, callback fires the full count)
+ *  - re-enable resumes caching (a verify after re-enable populates, the next
+ *    re-verify warms — callback count drops back down)
+ *  - default state is enabled (covered implicitly by the cold/warm counts) */
+static int whTest_CertServerVerifyCacheSetEnabled(whServerConfig* serverCfg)
+{
+    whServerContext     server[1] = {0};
+    whServerCertConfig  certCfg   = {.verifyCb = whTest_setEnabledVerifyCb};
+    whServerCertConfig* savedCertConfig;
+    const whNvmId       rootCertA = 1;
+    int                 coldCount;
+    int                 warmCount;
+    int                 afterDisableCount;
+
+    WH_TEST_PRINT("=== Server cert verify-cache set-enabled test ===\n");
+
+    /* Inject the counting callback so we can detect cache hits by absence of
+     * callback fires. Restore on exit. */
+    savedCertConfig       = serverCfg->certConfig;
+    serverCfg->certConfig = &certCfg;
+
+    WH_TEST_RETURN_ON_FAIL(wh_Server_Init(server, serverCfg));
+    WH_TEST_RETURN_ON_FAIL(wh_Server_CertInit(server));
+
+    WH_TEST_RETURN_ON_FAIL(wh_Server_CertAddTrusted(
+        server, rootCertA, WH_NVM_ACCESS_ANY, WH_NVM_FLAGS_NONMODIFIABLE, NULL,
+        0, ROOT_A_CERT, ROOT_A_CERT_len));
+
+    /* Start cold under the global-shared cache mode where prior tests may
+     * have populated entries. Per-client mode is already clean. */
+    wh_Server_CertVerifyCache_Clear(server);
+
+    /* 1. Cold verify under default-enabled cache: callback fires for every
+     * cert in the chain. */
+    s_setEnabledCb_count = 0;
+    WH_TEST_RETURN_ON_FAIL(wh_Server_CertVerify(
+        server, RAW_CERT_CHAIN_A, RAW_CERT_CHAIN_A_len, rootCertA,
+        WH_CERT_FLAGS_NONE, WH_NVM_FLAGS_USAGE_ANY, NULL));
+    coldCount = s_setEnabledCb_count;
+    WH_TEST_ASSERT_RETURN(coldCount > 0);
+
+    /* 2. Re-verify with cache still enabled: CA cache hits skip the callback,
+     * so the count is strictly less than cold. */
+    s_setEnabledCb_count = 0;
+    WH_TEST_RETURN_ON_FAIL(wh_Server_CertVerify(
+        server, RAW_CERT_CHAIN_A, RAW_CERT_CHAIN_A_len, rootCertA,
+        WH_CERT_FLAGS_NONE, WH_NVM_FLAGS_USAGE_ANY, NULL));
+    warmCount = s_setEnabledCb_count;
+    WH_TEST_ASSERT_RETURN(warmCount > 0);
+    WH_TEST_ASSERT_RETURN(warmCount < coldCount);
+
+    /* 3. Disable the cache. Entries from steps 1-2 must be flushed and new
+     * inserts suppressed: the next verify should be cold again (count back
+     * up to coldCount). */
+    WH_TEST_RETURN_ON_FAIL(wh_Server_CertVerifyCache_SetEnabled(server, 0));
+    s_setEnabledCb_count = 0;
+    WH_TEST_RETURN_ON_FAIL(wh_Server_CertVerify(
+        server, RAW_CERT_CHAIN_A, RAW_CERT_CHAIN_A_len, rootCertA,
+        WH_CERT_FLAGS_NONE, WH_NVM_FLAGS_USAGE_ANY, NULL));
+    afterDisableCount = s_setEnabledCb_count;
+    WH_TEST_ASSERT_RETURN(afterDisableCount == coldCount);
+
+    /* 4. Second verify while still disabled — also cold (no caching). */
+    s_setEnabledCb_count = 0;
+    WH_TEST_RETURN_ON_FAIL(wh_Server_CertVerify(
+        server, RAW_CERT_CHAIN_A, RAW_CERT_CHAIN_A_len, rootCertA,
+        WH_CERT_FLAGS_NONE, WH_NVM_FLAGS_USAGE_ANY, NULL));
+    WH_TEST_ASSERT_RETURN(s_setEnabledCb_count == coldCount);
+
+    /* 5. Re-enable. The post-disable verify did not populate the cache, so
+     * the first re-enabled verify is still cold (and populates). */
+    WH_TEST_RETURN_ON_FAIL(wh_Server_CertVerifyCache_SetEnabled(server, 1));
+    s_setEnabledCb_count = 0;
+    WH_TEST_RETURN_ON_FAIL(wh_Server_CertVerify(
+        server, RAW_CERT_CHAIN_A, RAW_CERT_CHAIN_A_len, rootCertA,
+        WH_CERT_FLAGS_NONE, WH_NVM_FLAGS_USAGE_ANY, NULL));
+    WH_TEST_ASSERT_RETURN(s_setEnabledCb_count == coldCount);
+
+    /* 6. Subsequent verify warms, matching step 2's warmCount. */
+    s_setEnabledCb_count = 0;
+    WH_TEST_RETURN_ON_FAIL(wh_Server_CertVerify(
+        server, RAW_CERT_CHAIN_A, RAW_CERT_CHAIN_A_len, rootCertA,
+        WH_CERT_FLAGS_NONE, WH_NVM_FLAGS_USAGE_ANY, NULL));
+    WH_TEST_ASSERT_RETURN(s_setEnabledCb_count == warmCount);
+
+    /* Clean up: leave the cache empty for downstream tests. */
+    wh_Server_CertVerifyCache_Clear(server);
+    WH_TEST_RETURN_ON_FAIL(wh_Server_CertEraseTrusted(server, rootCertA));
+    serverCfg->certConfig = savedCertConfig;
+    WH_TEST_PRINT("Server cert verify-cache set-enabled test PASSED\n");
+    return WH_ERROR_OK;
+}
 #endif /* WOLFHSM_CFG_CERTIFICATE_VERIFY_CACHE */
 
 #if defined(WOLFHSM_CFG_CERTIFICATE_VERIFY_CACHE) && \
@@ -873,6 +981,32 @@ int whTest_CertClient(whClientContext* client)
                                                     rootCertB_id_c, &out_rc));
         WH_TEST_ASSERT_RETURN(out_rc == WH_ERROR_CERT_VERIFY);
 
+        /* Exercise the SetEnabled RPC path. The cross-root-must-fail
+         * invariant has to hold regardless of cache state, so re-run it
+         * after disable and after re-enable to confirm the RPC neither
+         * crashes nor breaks correctness. Behavioral observation (cache
+         * hits vs misses) is covered by whTest_CertServerVerifyCacheSetEnabled;
+         * here we just confirm the wire path round-trips. */
+        WH_TEST_RETURN_ON_FAIL(
+            wh_Client_CertVerifyCacheSetEnabled(client, 0, &out_rc));
+        WH_TEST_ASSERT_RETURN(out_rc == WH_ERROR_OK);
+        WH_TEST_RETURN_ON_FAIL(wh_Client_CertVerify(client, RAW_CERT_CHAIN_A,
+                                                    RAW_CERT_CHAIN_A_len,
+                                                    rootCertA_id_c, &out_rc));
+        WH_TEST_ASSERT_RETURN(out_rc == WH_ERROR_OK);
+        WH_TEST_RETURN_ON_FAIL(wh_Client_CertVerify(client, RAW_CERT_CHAIN_A,
+                                                    RAW_CERT_CHAIN_A_len,
+                                                    rootCertB_id_c, &out_rc));
+        WH_TEST_ASSERT_RETURN(out_rc == WH_ERROR_CERT_VERIFY);
+
+        WH_TEST_RETURN_ON_FAIL(
+            wh_Client_CertVerifyCacheSetEnabled(client, 1, &out_rc));
+        WH_TEST_ASSERT_RETURN(out_rc == WH_ERROR_OK);
+        WH_TEST_RETURN_ON_FAIL(wh_Client_CertVerify(client, RAW_CERT_CHAIN_A,
+                                                    RAW_CERT_CHAIN_A_len,
+                                                    rootCertA_id_c, &out_rc));
+        WH_TEST_ASSERT_RETURN(out_rc == WH_ERROR_OK);
+
         /* Cleanup */
         WH_TEST_RETURN_ON_FAIL(
             wh_Client_CertEraseTrusted(client, rootCertA_id_c, &out_rc));
@@ -1394,6 +1528,13 @@ int whTest_CertRamSim(whTestNvmBackendType nvmType)
             WH_ERROR_PRINT("Cert verify-cache tests failed: %d\n", rc);
         }
     }
+    if (rc == WH_ERROR_OK) {
+        rc = whTest_CertServerVerifyCacheSetEnabled(s_conf);
+        if (rc != WH_ERROR_OK) {
+            WH_ERROR_PRINT("Cert verify-cache set-enabled tests failed: %d\n",
+                           rc);
+        }
+    }
 #ifdef WOLFHSM_CFG_CERTIFICATE_VERIFY_CACHE_GLOBAL
     if (rc == WH_ERROR_OK) {
         rc = whTest_CertServerVerifyCacheGlobalShared(s_conf);