Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
Handle OCSP responses that don't provide certificates
From 9f2bbf20533a6c006820c5b03be6f3a93e8b3e99 Mon Sep 17 00:00:00 2001
From: Alexander Chernyakhovsky <achernya@google.com>
Date: Tue, 15 Oct 2013 16:03:11 -0400
Subject: [PATCH 4/4] Handle OCSP responses that don't provide certificates

Certificate authorities are not required to send the certificate used
to sign the OCSP response under some scenarios, namely in the case
when the certificate is the same as the one that did the original
issue. The iPXE code previously assumed that such cases did not exist,
and valid OCSP responses were dropped.  Change these semantics by
attempting to validate with the original issuer if no specific signing
certificate was provided.
---
 src/crypto/ocsp.c | 9 ++++++++-
  1 file changed, 8 insertions(+), 1 deletion(-)
  • Loading branch information
Jarrod Johnson committed Mar 14, 2014
1 parent 4387f69 commit d1ad215
Showing 1 changed file with 8 additions and 1 deletion.
9 changes: 8 additions & 1 deletion src/crypto/ocsp.c
Expand Up @@ -872,7 +872,14 @@ int ocsp_validate ( struct ocsp_check *ocsp, time_t time ) {

/* Sanity checks */
assert ( response->data != NULL );
assert ( signer != NULL );
/* If the signer is NULL, then we did not receive any
* supplementary certificates. Assume it's the issuer, and
* move on with life. If it doesn't validate, then the OCSP
* response is invalid anyway.
*/
if ( signer == NULL ) {
signer = ocsp->issuer;
}

/* Validate signer, if applicable. If the signer is not the
* issuer, then it must be signed directly by the issuer.
Expand Down

0 comments on commit d1ad215

Please sign in to comment.