diff options
| author | Michael Brown | 2012-05-22 01:53:44 +0200 |
|---|---|---|
| committer | Michael Brown | 2012-05-22 01:53:44 +0200 |
| commit | 7fa1f41f7d3522349399fe1d1523a644b59f59de (patch) | |
| tree | be2a2fd80821ca6818c06573047c0fab716ce5b2 /src/crypto | |
| parent | [crypto] Automatically perform OCSP checks when applicable (diff) | |
| download | ipxe-7fa1f41f7d3522349399fe1d1523a644b59f59de.tar.gz ipxe-7fa1f41f7d3522349399fe1d1523a644b59f59de.tar.xz ipxe-7fa1f41f7d3522349399fe1d1523a644b59f59de.zip | |
[crypto] Require OCSP check if certificate provides an OCSP URI
Signed-off-by: Michael Brown <mcb30@ipxe.org>
Diffstat (limited to 'src/crypto')
| -rw-r--r-- | src/crypto/x509.c | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/src/crypto/x509.c b/src/crypto/x509.c index 2180173b..1a27eb24 100644 --- a/src/crypto/x509.c +++ b/src/crypto/x509.c @@ -98,6 +98,10 @@ FILE_LICENCE ( GPL2_OR_LATER ); __einfo_error ( EINFO_EACCES_EMPTY ) #define EINFO_EACCES_EMPTY \ __einfo_uniqify ( EINFO_EACCES, 0x08, "Empty certificate chain" ) +#define EACCES_OCSP_REQUIRED \ + __einfo_error ( EINFO_EACCES_OCSP_REQUIRED ) +#define EINFO_EACCES_OCSP_REQUIRED \ + __einfo_uniqify ( EINFO_EACCES, 0x09, "OCSP check required" ) /** Certificate cache */ static LIST_HEAD ( x509_cache ); @@ -1343,6 +1347,14 @@ int x509_validate ( struct x509_certificate *cert, return -EACCES_PATH_LEN; } + /* Fail if OCSP is required */ + if ( cert->extensions.auth_info.ocsp.uri && + ( ! cert->extensions.auth_info.ocsp.good ) ) { + DBGC ( cert, "X509 %p \"%s\" requires an OCSP check\n", + cert, cert->subject.name ); + return -EACCES_OCSP_REQUIRED; + } + /* Calculate effective path length */ cert->path_remaining = ( issuer->path_remaining - 1 ); max_path_remaining = ( cert->extensions.basic.path_len + 1 ); |