[ocsp] Handle OCSP responses that don't provide certificates

Certificate authorities are not required to send the certificate used to sign the OCSP response if the response is signed by the original issuer. Modified-by: Michael Brown <mcb30@ipxe.org> Signed-off-by: Michael Brown <mcb30@ipxe.org>
author: Alexander Chernyakhovsky <achernya@google.com> 2013-10-15 16:03:11 -0400
committer: Michael Brown <mcb30@ipxe.org> 2014-03-25 16:30:43 +0000
commit: 151e4d9bfaaaa520d5eb3547d676e6b209d2bd45 (patch)
tree: 3ad25c89bd78c4314ce26dccf4db9cce6ab3647b /src/crypto/ocsp.c
parent: e845b7da9b8203a9f1f1b2ca9ae6306d6d8168be (diff)
download: ipxe-151e4d9bfaaaa520d5eb3547d676e6b209d2bd45.tar.gz
1 files changed, 7 insertions, 2 deletions
diff --git a/src/crypto/ocsp.c b/src/crypto/ocsp.c
index 9c5668885..27c0080cb 100644
--- a/src/crypto/ocsp.c
+++ b/src/crypto/ocsp.c
@@ -867,12 +867,17 @@ static int ocsp_check_signature ( struct ocsp_check *ocsp,
  */
 int ocsp_validate ( struct ocsp_check *ocsp, time_t time ) {
 	struct ocsp_response *response = &ocsp->response;
-	struct x509_certificate *signer = response->signer;
+	struct x509_certificate *signer;
 	int rc;
 
 	/* Sanity checks */
 	assert ( response->data != NULL );
-	assert ( signer != NULL );
+
+	/* The response may include a signer certificate; if this is
+	 * not present then the response must have been signed
+	 * directly by the issuer.
+	 */
+	signer = ( response->signer ? response->signer : ocsp->issuer );
 
 	/* Validate signer, if applicable.  If the signer is not the
 	 * issuer, then it must be signed directly by the issuer.
author	Alexander Chernyakhovsky <achernya@google.com>	2013-10-15 16:03:11 -0400
committer	Michael Brown <mcb30@ipxe.org>	2014-03-25 16:30:43 +0000
commit	151e4d9bfaaaa520d5eb3547d676e6b209d2bd45 (patch)
tree	3ad25c89bd78c4314ce26dccf4db9cce6ab3647b /src/crypto/ocsp.c
parent	e845b7da9b8203a9f1f1b2ca9ae6306d6d8168be (diff)
download	ipxe-151e4d9bfaaaa520d5eb3547d676e6b209d2bd45.tar.gz