diff options
| author | Michael Brown <mcb30@ipxe.org> | 2020-12-08 14:39:33 +0000 |
|---|---|---|
| committer | Michael Brown <mcb30@ipxe.org> | 2020-12-08 15:04:28 +0000 |
| commit | 6e92d6213d20329d8b84431f00d8cbe7d63bb379 (patch) | |
| tree | 330cacc0a8b25b8e3902d567e5f8f782be2ecaab | |
| parent | be47c2c72cd3cdecc146eca5a200d454643bcf06 (diff) | |
| download | ipxe-6e92d6213d20329d8b84431f00d8cbe7d63bb379.tar.gz | |
[ocsp] Remove dummy OCSP certificate root
OCSP currently calls x509_validate() with an empty root certificate
list, on the basis that the OCSP signer certificate (if existent) must
be signed directly by the issuer certificate.
Using an empty root certificate list is not required to achieve this
goal, since x509_validate() already accepts an explicit issuer
certificate parameter. The explicit empty root certificate list
merely prevents the signer certificate from being evaluated as a
potential trusted root certificate.
Remove the dummy OCSP root certificate list and use the default root
certificate list when calling x509_validate().
Signed-off-by: Michael Brown <mcb30@ipxe.org>
| -rw-r--r-- | src/crypto/ocsp.c | 16 |
1 files changed, 2 insertions, 14 deletions
diff --git a/src/crypto/ocsp.c b/src/crypto/ocsp.c index 51dc939e8..998a0ce2c 100644 --- a/src/crypto/ocsp.c +++ b/src/crypto/ocsp.c @@ -833,18 +833,6 @@ int ocsp_response ( struct ocsp_check *ocsp, const void *data, size_t len ) { } /** - * OCSP dummy root certificate store - * - * OCSP validation uses no root certificates, since it takes place - * only when there already exists a validated issuer certificate. - */ -static struct x509_root ocsp_root = { - .digest = &ocsp_digest_algorithm, - .count = 0, - .fingerprints = NULL, -}; - -/** * Check OCSP response signature * * @v ocsp OCSP check @@ -927,7 +915,7 @@ int ocsp_validate ( struct ocsp_check *ocsp, time_t time ) { */ x509_invalidate ( signer ); if ( ( rc = x509_validate ( signer, ocsp->issuer, time, - &ocsp_root ) ) != 0 ) { + NULL ) ) != 0 ) { DBGC ( ocsp, "OCSP %p \"%s\" could not validate ", ocsp, x509_name ( ocsp->cert ) ); DBGC ( ocsp, "signer \"%s\": %s\n", @@ -973,7 +961,7 @@ int ocsp_validate ( struct ocsp_check *ocsp, time_t time ) { /* Validate certificate against issuer */ if ( ( rc = x509_validate ( ocsp->cert, ocsp->issuer, time, - &ocsp_root ) ) != 0 ) { + NULL ) ) != 0 ) { DBGC ( ocsp, "OCSP %p \"%s\" could not validate certificate: " "%s\n", ocsp, x509_name ( ocsp->cert ), strerror ( rc )); return rc; |