Browse Source

[ocsp] Handle OCSP responses that don't provide certificates

Certificate authorities are not required to send the certificate used
to sign the OCSP response if the response is signed by the original
issuer.

Modified-by: Michael Brown <mcb30@ipxe.org>
Signed-off-by: Michael Brown <mcb30@ipxe.org>
tags/v1.20.1
Alexander Chernyakhovsky 10 years ago
parent
commit
151e4d9bfa
1 changed files with 7 additions and 2 deletions
  1. 7
    2
      src/crypto/ocsp.c

+ 7
- 2
src/crypto/ocsp.c View File

@@ -867,12 +867,17 @@ static int ocsp_check_signature ( struct ocsp_check *ocsp,
867 867
  */
868 868
 int ocsp_validate ( struct ocsp_check *ocsp, time_t time ) {
869 869
 	struct ocsp_response *response = &ocsp->response;
870
-	struct x509_certificate *signer = response->signer;
870
+	struct x509_certificate *signer;
871 871
 	int rc;
872 872
 
873 873
 	/* Sanity checks */
874 874
 	assert ( response->data != NULL );
875
-	assert ( signer != NULL );
875
+
876
+	/* The response may include a signer certificate; if this is
877
+	 * not present then the response must have been signed
878
+	 * directly by the issuer.
879
+	 */
880
+	signer = ( response->signer ? response->signer : ocsp->issuer );
876 881
 
877 882
 	/* Validate signer, if applicable.  If the signer is not the
878 883
 	 * issuer, then it must be signed directly by the issuer.

Loading…
Cancel
Save