robin.thoni/ipxe - git rthoni.com

目錄樹: b6ffe28a21

作者	SHA1	備註	提交日期
Michael Brown	b6ffe28a21	[ocsp] Accept response certID with missing hashAlgorithm parameters One of the design goals of ASN.1 DER is to provide a canonical serialization of a data structure, thereby allowing for equality of values to be tested by simply comparing the serialized bytes. Some OCSP servers will modify the request certID to omit the optional (and null) "parameters" portion of the hashAlgorithm. This is arguably legal but breaks the ability to perform a straightforward bitwise comparison on the entire certID field between request and response. Fix by comparing the OID-identified hashAlgorithm separately from the remaining certID fields. Originally-fixed-by: Thilo Fromm <Thilo@kinvolk.io> Signed-off-by: Michael Brown <mcb30@ipxe.org>	5 年之前
Michael Brown	9759860ec0	[ocsp] Allow OCSP checks to be disabled Some CAs provide non-functional OCSP servers, and some clients are forced to operate on networks without access to the OCSP servers. Allow the user to explicitly disable the use of OCSP checks by undefining OCSP_CHECK in config/crypto.h. Signed-off-by: Michael Brown <mcb30@ipxe.org>	6 年之前
Michael Brown	a0021a30dd	[ocsp] Centralise test for whether or not an OCSP check is required Signed-off-by: Michael Brown <mcb30@ipxe.org>	6 年之前
Michael Brown	b6ee89ffb5	[legal] Relicense files under GPL2_OR_LATER_OR_UBDL Relicense files for which I am the sole author (as identified by util/relicense.pl). Signed-off-by: Michael Brown <mcb30@ipxe.org>	9 年之前
Michael Brown	0036fdd5c5	[crypto] Accept OCSP responses containing multiple certificates RFC2560 mandates that a valid OCSP response will contain exactly one relevant certificate. However, some OCSP responders include extraneous certificates. iPXE currently assumes that the first certificate in the OCSP response is the relevant certificate; OCSP checks will therefore fail if the responder includes the extraneous certificates before the relevant certificate. Fix by using the responder ID to identify the relevant certificate. Reported-by: Christian Stroehmeier <stroemi@mail.uni-paderborn.de> Signed-off-by: Michael Brown <mcb30@ipxe.org>	11 年之前
Michael Brown	4010890a39	[crypto] Allow an error margin on X.509 certificate validity periods iPXE has no concept of the local time zone, mainly because there is no viable way to obtain time zone information in the absence of local state. This causes potential problems with newly-issued certificates and certificates that are about to expire. Avoid such problems by allowing an error margin of around 12 hours on certificate validity periods, similar to the error margin already allowed for OCSP response timestamps. Signed-off-by: Michael Brown <mcb30@ipxe.org>	12 年之前
Michael Brown	944e023def	[crypto] Construct OCSP check URI Signed-off-by: Michael Brown <mcb30@ipxe.org>	12 年之前
Michael Brown	39ac285a8a	[crypto] Add framework for OCSP Add support for constructing OCSP queries and parsing OCSP responses. (There is no support yet for actually issuing an OCSP query via an HTTP POST.) Signed-off-by: Michael Brown <mcb30@ipxe.org>	12 年之前

8 次程式碼提交 (b6ffe28a21c53a0946d95751c905d9e0b6c3b630)