iPXE - Open Source Boot Firmware

[ocsp] Accept response certID with missing hashAlgorithm parameters
authorMichael Brown <mcb30@ipxe.org>
Sun, 10 Mar 2019 17:58:56 +0000 (17:58 +0000)
committerMichael Brown <mcb30@ipxe.org>
Sun, 10 Mar 2019 18:13:52 +0000 (18:13 +0000)
commitb6ffe28a21c53a0946d95751c905d9e0b6c3b630
tree80aa2fb6f075f3133c67b7bb9a97f967b5ff3c78
parentf6b2bf9507599709d30bcb74af9bffdb179e5338
[ocsp] Accept response certID with missing hashAlgorithm parameters

One of the design goals of ASN.1 DER is to provide a canonical
serialization of a data structure, thereby allowing for equality of
values to be tested by simply comparing the serialized bytes.

Some OCSP servers will modify the request certID to omit the optional
(and null) "parameters" portion of the hashAlgorithm.  This is
arguably legal but breaks the ability to perform a straightforward
bitwise comparison on the entire certID field between request and
response.

Fix by comparing the OID-identified hashAlgorithm separately from the
remaining certID fields.

Originally-fixed-by: Thilo Fromm <Thilo@kinvolk.io>
Signed-off-by: Michael Brown <mcb30@ipxe.org>
src/crypto/ocsp.c
src/include/ipxe/ocsp.h