| field | value | |
|---|---|---|
| author | Michael Brown | 2019-03-10 18:58:56 +0100 |
| committer | Michael Brown | 2019-03-10 19:13:52 +0100 |
| commit | b6ffe28a21c53a0946d95751c905d9e0b6c3b630 | |
| tree | 80aa2fb6f075f3133c67b7bb9a97f967b5ff3c78 | /src/include |
| parent | [tcp] Display "connecting" status until connection is established | |
| download | ipxe-b6ffe28a21c53a0946d95751c905d9e0b6c3b630.tar.gz, ipxe-b6ffe28a21c53a0946d95751c905d9e0b6c3b630.tar.xz, ipxe-b6ffe28a21c53a0946d95751c905d9e0b6c3b630.zip | |
[ocsp] Accept response certID with missing hashAlgorithm parameters
One of the design goals of ASN.1 DER is to provide a canonical
serialization of a data structure, thereby allowing for equality of
values to be tested by simply comparing the serialized bytes.
Some OCSP servers will modify the request certID to omit the optional
(and null) "parameters" portion of the hashAlgorithm. This is
arguably legal but breaks the ability to perform a straightforward
bitwise comparison on the entire certID field between request and
response.
Fix by comparing the OID-identified hashAlgorithm separately from the
remaining certID fields.
Originally-fixed-by: Thilo Fromm <Thilo@kinvolk.io>
Signed-off-by: Michael Brown <mcb30@ipxe.org>
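The comparison the commit message describes, as an added C example that is not iPXE code: a CertID is parsed just far enough to pull out the hashAlgorithm OID and the raw bytes of the fields that follow it (issuerNameHash, issuerKeyHash, serialNumber, per the RFC 6960 CertID layout), the OID contents are compared on their own, and the remaining bytes are compared bitwise. The request is built with the NULL parameters and the response without them, so a plain memcmp over the whole structure fails while the split comparison succeeds. All sample bytes are constructed, and the names der_cur, der_next, certid_split, certid_equal and build_certid are this example's own.

```c
/* Added example, not iPXE code: compare two OCSP CertIDs tolerating an
 * AlgorithmIdentifier with or without the optional NULL parameters.
 * Names (der_cur, der_next, certid_split, certid_equal, build_certid)
 * are this example's own; sample bytes are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct der_cur { const uint8_t *p; size_t len; };

/* Parse one DER TLV at *cur: set *tag and *val (the contents), advance
 * *cur past it. Short and definite long-form lengths are supported;
 * indefinite length (0x80) is rejected as non-DER. */
static int der_next(struct der_cur *cur, uint8_t *tag, struct der_cur *val) {
    const uint8_t *p = cur->p;
    size_t rem = cur->len, len, n, i;
    if (rem < 2) return -1;
    *tag = p[0];
    len = p[1];
    p += 2; rem -= 2;
    if (len & 0x80) {
        n = len & 0x7f;
        if (n == 0 || n > sizeof(size_t) || rem < n) return -1;
        for (len = 0, i = 0; i < n; i++) len = (len << 8) | p[i];
        p += n; rem -= n;
    }
    if (len > rem) return -1;
    val->p = p; val->len = len;
    cur->p = p + len; cur->len = rem - len;
    return 0;
}

/* CertID ::= SEQUENCE { hashAlgorithm AlgorithmIdentifier,
 *   issuerNameHash OCTET STRING, issuerKeyHash OCTET STRING,
 *   serialNumber INTEGER }  (RFC 6960)
 * Split into the hashAlgorithm OID contents and the "tail": the raw
 * bytes of the three fields that follow the AlgorithmIdentifier. */
static int certid_split(const uint8_t *der, size_t len,
                        struct der_cur *oid, struct der_cur *tail) {
    struct der_cur cur = { der, len }, seq, alg, params;
    uint8_t tag;
    if (der_next(&cur, &tag, &seq) || tag != 0x30 || cur.len) return -1;
    if (der_next(&seq, &tag, &alg) || tag != 0x30) return -1;
    if (der_next(&alg, &tag, oid) || tag != 0x06) return -1;
    /* parameters: accept absent or NULL, reject anything else */
    if (alg.len && (der_next(&alg, &tag, &params) || tag != 0x05 ||
                    params.len || alg.len)) return -1;
    *tail = seq;               /* seq now starts at issuerNameHash */
    return 0;
}

/* 1 if equivalent (same hash OID, identical remaining fields), else 0. */
int certid_equal(const uint8_t *a, size_t alen, const uint8_t *b, size_t blen) {
    struct der_cur aoid, atail, boid, btail;
    if (certid_split(a, alen, &aoid, &atail) ||
        certid_split(b, blen, &boid, &btail)) return 0;
    if (aoid.len != boid.len || memcmp(aoid.p, boid.p, aoid.len)) return 0;
    return (atail.len == btail.len && !memcmp(atail.p, btail.p, atail.len));
}

/* Constructed sample CertID: SHA-1 hashAlgorithm with or without the
 * NULL parameters, placeholder 20-byte hashes, one-byte serial. */
size_t build_certid(uint8_t *out, int with_null_params, uint8_t serial) {
    static const uint8_t sha1_oid[] = { 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a };
    uint8_t *p = out + 2;      /* outer SEQUENCE header filled in last */
    size_t i;
    *p++ = 0x30; *p++ = (uint8_t)(sizeof(sha1_oid) + (with_null_params ? 2 : 0));
    memcpy(p, sha1_oid, sizeof(sha1_oid)); p += sizeof(sha1_oid);
    if (with_null_params) { *p++ = 0x05; *p++ = 0x00; }
    *p++ = 0x04; *p++ = 20; for (i = 0; i < 20; i++) *p++ = (uint8_t)(0xa0 | (i & 0x0f));
    *p++ = 0x04; *p++ = 20; for (i = 0; i < 20; i++) *p++ = (uint8_t)(0xb0 | (i & 0x0f));
    *p++ = 0x02; *p++ = 1; *p++ = serial;
    out[0] = 0x30; out[1] = (uint8_t)(p - out - 2);
    return (size_t)(p - out);
}

/* Scenarios: request carries NULL params, response omits them. */
int naive_bytewise_match(void) {            /* whole-certID memcmp: 0 */
    uint8_t req[64], resp[64];
    size_t rl = build_certid(req, 1, 0x07), pl = build_certid(resp, 0, 0x07);
    return (rl == pl && !memcmp(req, resp, rl));
}
int split_match_same_cert(void) {            /* OID + tail compare: 1 */
    uint8_t req[64], resp[64];
    size_t rl = build_certid(req, 1, 0x07), pl = build_certid(resp, 0, 0x07);
    return certid_equal(req, rl, resp, pl);
}
int split_match_other_serial(void) {         /* different serial: 0 */
    uint8_t req[64], resp[64];
    size_t rl = build_certid(req, 1, 0x07), pl = build_certid(resp, 0, 0x08);
    return certid_equal(req, rl, resp, pl);
}

int main(void) {
    printf("bytewise %d, split %d, other serial %d\n", naive_bytewise_match(),
           split_match_same_cert(), split_match_other_serial());
    return 0;
}
```

The split keeps the tail comparison a plain length-plus-memcmp over DER bytes, so the canonical-encoding property still does the work for the three fields that responders leave untouched; only the AlgorithmIdentifier, where the NULL is the part responders drop, is reduced to its OID. Parameters that are neither absent nor NULL are rejected rather than ignored, since a responder rewriting them to something else is no longer a cosmetic re-encoding.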
Diffstat (limited to 'src/include')
| mode | file | lines |
|---|---|---|
| -rw-r--r-- | src/include/ipxe/ocsp.h | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/src/include/ipxe/ocsp.h b/src/include/ipxe/ocsp.h index be0bddc5..9eb70b2c 100644 --- a/src/include/ipxe/ocsp.h +++ b/src/include/ipxe/ocsp.h @@ -42,8 +42,8 @@ struct ocsp_check; struct ocsp_request { /** Request builder */ struct asn1_builder builder; - /** Certificate ID */ - struct asn1_cursor cert_id; + /** Certificate ID (excluding hashAlgorithm) */ + struct asn1_cursor cert_id_tail; }; /** An OCSP responder */ |
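Review bot: the new comment on `cert_id_tail` says only "(excluding hashAlgorithm)"; spell out what the cursor now covers and where the hash algorithm is checked instead, since this header no longer carries any field for it. Something like `/** Certificate ID tail (issuerNameHash, issuerKeyHash, serialNumber; hashAlgorithm is compared separately by OID) */` would let a reader of ocsp.h see that the cursor starts mid-SEQUENCE and that a whole-certID bitwise comparison is no longer the intended check. The rename from `cert_id` to `cert_id_tail` is header-only in this diffstat, so every user of `ocsp_request.cert_id` in ocsp.c has to change in the same commit; that cannot be confirmed from the lines shown here.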