
[ocsp] Centralise test for whether or not an OCSP check is required

Signed-off-by: Michael Brown <mcb30@ipxe.org>
tags/v1.20.1
Michael Brown 6 years ago
parent
commit
a0021a30dd
3 changed files with 18 additions and 4 deletions
  1. 2
    2
      src/crypto/x509.c
  2. 15
    0
      src/include/ipxe/ocsp.h
  3. 1
    2
      src/net/validator.c

+ 2
- 2
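--- a/src/crypto/x509.c
+++ b/src/crypto/x509.c
@@ -40,6 +40,7 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
 #include <ipxe/socket.h>
 #include <ipxe/in.h>
 #include <ipxe/image.h>
+#include <ipxe/ocsp.h>
 #include <ipxe/x509.h>
 #include <config/crypto.h>
 
@@ -1362,8 +1363,7 @@ int x509_validate ( struct x509_certificate *cert,
 	}
 
 	/* Fail if OCSP is required */
-	if ( cert->extensions.auth_info.ocsp.uri.len &&
-	     ( ! cert->extensions.auth_info.ocsp.good ) ) {
+	if ( ocsp_required ( cert ) ) {
 		DBGC ( cert, "X509 %p \"%s\" requires an OCSP check\n",
 		       cert, x509_name ( cert ) );
 		return -EACCES_OCSP_REQUIRED;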

+ 15
- 0
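--- a/src/include/ipxe/ocsp.h
+++ b/src/include/ipxe/ocsp.h
@@ -111,6 +111,21 @@ ocsp_put ( struct ocsp_check *ocsp ) {
 	ref_put ( &ocsp->refcnt );
 }
 
+/**
+ * Check if X.509 certificate requires an OCSP check
+ *
+ * @v cert		X.509 certificate
+ * @ret ocsp_required	An OCSP check is required
+ */
+static inline int ocsp_required ( struct x509_certificate *cert ) {
+
+	/* An OCSP check is required if an OCSP URI exists but the
+	 * OCSP status is not (yet) good.
+	 */
+	return ( cert->extensions.auth_info.ocsp.uri.len &&
+		 ( ! cert->extensions.auth_info.ocsp.good ) );
+}
+
 extern int ocsp_check ( struct x509_certificate *cert,
 			struct x509_certificate *issuer,
 			struct ocsp_check **ocsp );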
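Review bot: `ocsp_required` only reads through `cert`, so the parameter should be `const struct x509_certificate *cert`; the non-const pointers passed by the x509.c and validator.c callers convert implicitly, so nothing else changes. Because the inline body dereferences `cert->extensions.auth_info.ocsp`, this definition needs the complete `struct x509_certificate`, whereas the `ocsp_check` prototype below it would be satisfied by a forward declaration; the x509.c hunk now includes `<ipxe/ocsp.h>` ahead of `<ipxe/x509.h>`, so this presumably compiles only because ocsp.h itself pulls in x509.h, which is outside the hunk and worth confirming. Suggested signature: `static inline int ocsp_required ( const struct x509_certificate *cert ) {`.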

+ 1
- 2
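--- a/src/net/validator.c
+++ b/src/net/validator.c
@@ -488,8 +488,7 @@ static void validator_step ( struct validator *validator ) {
 		/* The issuer is valid, but this certificate is not
 		 * yet valid.  If OCSP is applicable, start it.
 		 */
-		if ( cert->extensions.auth_info.ocsp.uri.len &&
-		     ( ! cert->extensions.auth_info.ocsp.good ) ) {
+		if ( ocsp_required ( cert ) ) {
 			/* Start OCSP */
 			if ( ( rc = validator_start_ocsp ( validator, cert,
 							   issuer ) ) != 0 ) {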
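Review bot: The comment above the new condition still reads `If OCSP is applicable, start it.`, while the test is now the centralised `ocsp_required` predicate (OCSP URI present and status not yet good); using the same term in both places avoids a reader wondering whether "applicable" and "required" differ, e.g. ` * yet valid.  If an OCSP check is required, start it.`. validator_step begins and continues outside this hunk, so the surrounding `rc` handling is not visible here.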
