authorMichael Brown2013-05-29 17:41:58 +0200
committerMichael Brown2013-05-29 17:41:58 +0200
commit0036fdd5c5a232662d07c6d1310241f4c5b6ab83 (patch)
treec6381916694335b7b483251e09ed39678031d9e3 /src/include/ipxe/ocsp.h
parent[realtek] Fix reopening of legacy-mode 8139 NIC (diff)
[crypto] Accept OCSP responses containing multiple certificates
RFC2560 mandates that a valid OCSP response will contain exactly one relevant certificate. However, some OCSP responders include extraneous certificates. iPXE currently assumes that the first certificate in the OCSP response is the relevant certificate; OCSP checks will therefore fail if the responder includes the extraneous certificates before the relevant certificate. Fix by using the responder ID to identify the relevant certificate. Reported-by: Christian Stroehmeier <stroemi@mail.uni-paderborn.de> Signed-off-by: Michael Brown <mcb30@ipxe.org>
Diffstat (limited to 'src/include/ipxe/ocsp.h')
-rw-r--r--src/include/ipxe/ocsp.h19
1 files changed, 19 insertions, 0 deletions
diff --git a/src/include/ipxe/ocsp.h b/src/include/ipxe/ocsp.h
index fe825fd0..387e28f8 100644
--- a/src/include/ipxe/ocsp.h
+++ b/src/include/ipxe/ocsp.h
@@ -28,6 +28,8 @@ FILE_LICENCE ( GPL2_OR_LATER );
#define OCSP_STATUS_SIG_REQUIRED 0x05
#define OCSP_STATUS_UNAUTHORIZED 0x06
+struct ocsp_check;
+
/** An OCSP request */
struct ocsp_request {
/** Request builder */
@@ -36,12 +38,29 @@ struct ocsp_request {
struct asn1_cursor cert_id;
};
+/** An OCSP responder */
+struct ocsp_responder {
+ /**
+ * Check if certificate is the responder's certificate
+ *
+ * @v ocsp OCSP check
+ * @v cert Certificate
+ * @ret difference Difference as returned by memcmp()
+ */
+ int ( * compare ) ( struct ocsp_check *ocsp,
+ struct x509_certificate *cert );
+ /** Responder ID */
+ struct asn1_cursor id;
+};
+
/** An OCSP response */
struct ocsp_response {
/** Raw response */
void *data;
/** Raw tbsResponseData */
struct asn1_cursor tbs;
+ /** Responder */
+ struct ocsp_responder responder;
/** Time at which status is known to be correct */
time_t this_update;
/** Time at which newer status information will be available */