diff options
author | Alexander Chernyakhovsky | 2013-10-15 22:03:11 +0200 |
---|---|---|
committer | Michael Brown | 2014-03-25 17:30:43 +0100 |
commit | 151e4d9bfaaaa520d5eb3547d676e6b209d2bd45 (patch) | |
tree | 3ad25c89bd78c4314ce26dccf4db9cce6ab3647b /src/crypto | |
parent | [http] Accept Content-Length header with trailing whitespace (diff) | |
download | ipxe-151e4d9bfaaaa520d5eb3547d676e6b209d2bd45.tar.gz ipxe-151e4d9bfaaaa520d5eb3547d676e6b209d2bd45.tar.xz ipxe-151e4d9bfaaaa520d5eb3547d676e6b209d2bd45.zip |
[ocsp] Handle OCSP responses that don't provide certificates
Certificate authorities are not required to send the certificate used
to sign the OCSP response if the response is signed by the original
issuer.
Modified-by: Michael Brown <mcb30@ipxe.org>
Signed-off-by: Michael Brown <mcb30@ipxe.org>
Diffstat (limited to 'src/crypto')
-rw-r--r-- | src/crypto/ocsp.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/src/crypto/ocsp.c b/src/crypto/ocsp.c index 9c566888..27c0080c 100644 --- a/src/crypto/ocsp.c +++ b/src/crypto/ocsp.c @@ -867,12 +867,17 @@ static int ocsp_check_signature ( struct ocsp_check *ocsp, */ int ocsp_validate ( struct ocsp_check *ocsp, time_t time ) { struct ocsp_response *response = &ocsp->response; - struct x509_certificate *signer = response->signer; + struct x509_certificate *signer; int rc; /* Sanity checks */ assert ( response->data != NULL ); - assert ( signer != NULL ); + + /* The response may include a signer certificate; if this is + * not present then the response must have been signed + * directly by the issuer. + */ + signer = ( response->signer ? response->signer : ocsp->issuer ); /* Validate signer, if applicable. If the signer is not the * issuer, then it must be signed directly by the issuer. |