Browse Source

[crypto] Require OCSP check if certificate provides an OCSP URI

Signed-off-by: Michael Brown <mcb30@ipxe.org>
tags/v1.20.1
Michael Brown 12 years ago
parent
commit
7fa1f41f7d
1 changed files with 12 additions and 0 deletions
  1. 12
    0
      src/crypto/x509.c

+ 12
- 0
src/crypto/x509.c View File

@@ -98,6 +98,10 @@ FILE_LICENCE ( GPL2_OR_LATER );
98 98
 	__einfo_error ( EINFO_EACCES_EMPTY )
99 99
 #define EINFO_EACCES_EMPTY \
100 100
 	__einfo_uniqify ( EINFO_EACCES, 0x08, "Empty certificate chain" )
101
+#define EACCES_OCSP_REQUIRED \
102
+	__einfo_error ( EINFO_EACCES_OCSP_REQUIRED )
103
+#define EINFO_EACCES_OCSP_REQUIRED \
104
+	__einfo_uniqify ( EINFO_EACCES, 0x09, "OCSP check required" )
101 105
 
102 106
 /** Certificate cache */
103 107
 static LIST_HEAD ( x509_cache );
@@ -1343,6 +1347,14 @@ int x509_validate ( struct x509_certificate *cert,
1343 1347
 		return -EACCES_PATH_LEN;
1344 1348
 	}
1345 1349
 
1350
+	/* Fail if OCSP is required */
1351
+	if ( cert->extensions.auth_info.ocsp.uri &&
1352
+	     ( ! cert->extensions.auth_info.ocsp.good ) ) {
1353
+		DBGC ( cert, "X509 %p \"%s\" requires an OCSP check\n",
1354
+		       cert, cert->subject.name );
1355
+		return -EACCES_OCSP_REQUIRED;
1356
+	}
1357
+
1346 1358
 	/* Calculate effective path length */
1347 1359
 	cert->path_remaining = ( issuer->path_remaining - 1 );
1348 1360
 	max_path_remaining = ( cert->extensions.basic.path_len + 1 );

Loading…
Cancel
Save