From d1ad2152315eb8b25c431e389cc0ae20b86d13d7 Mon Sep 17 00:00:00 2001 From: Jarrod Johnson Date: Fri, 14 Mar 2014 13:57:31 -0400 Subject: [PATCH] Handle OCSP responses that don't provide certificates From 9f2bbf20533a6c006820c5b03be6f3a93e8b3e99 Mon Sep 17 00:00:00 2001 From: Alexander Chernyakhovsky Date: Tue, 15 Oct 2013 16:03:11 -0400 Subject: [PATCH 4/4] Handle OCSP responses that don't provide certificates Certificate authorities are not required to send the certificate used to sign the OCSP response under some scenarios, namely in the case when the certificate is the same as the one that did the original issue. The iPXE code previously assumed that such cases did not exist, and valid OCSP responses were dropped. Change these semantics by attempting to validate with the original issuer if no specific signing certificate was provided. --- src/crypto/ocsp.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) --- src/crypto/ocsp.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/src/crypto/ocsp.c b/src/crypto/ocsp.c index 20287c0b..7f9a2a7b 100644 --- a/src/crypto/ocsp.c +++ b/src/crypto/ocsp.c @@ -872,7 +872,14 @@ int ocsp_validate ( struct ocsp_check *ocsp, time_t time ) { /* Sanity checks */ assert ( response->data != NULL ); - assert ( signer != NULL ); + /* If the signer is NULL, then we did not receive any + * supplementary certificates. Assume it's the issuer, and + * move on with life. If it doesn't validate, then the OCSP + * response is invalid anyway. + */ + if ( signer == NULL ) { + signer = ocsp->issuer; + } /* Validate signer, if applicable. If the signer is not the * issuer, then it must be signed directly by the issuer.