Merge pull request #4211 from SparkiDev/ocsp_no_check

OCSP: improve handling of OCSP no check extension
2025-07-30 02:37:28 +02:00 · 2021-07-16 16:06:41 +07:00
parent e0292fdc94
commit 21ea34282a
2 changed files with 9 additions and 4 deletions
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@ -10212,9 +10212,13 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm)
            }

        #ifdef HAVE_OCSP
-            /* trust for the lifetime of the responder's cert*/
-            if (cert->ocspNoCheckSet && verify == VERIFY_OCSP)
-                verify = NO_VERIFY;
+            if (verify == VERIFY_OCSP_CERT) {
+                /* trust for the lifetime of the responder's cert*/
+                if (cert->ocspNoCheckSet)
+                    verify = VERIFY;
+                else
+                    verify = VERIFY_OCSP;
+            }
        #endif
            /* advance past extensions */
            cert->srcIdx = cert->sigIndex;
@ -17957,7 +17961,7 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,

        /* Don't verify if we don't have access to Cert Manager. */
        ret = ParseCertRelative(&cert, CERT_TYPE,
-                                noVerify ? NO_VERIFY : VERIFY_OCSP, cm);
+                                noVerify ? NO_VERIFY : VERIFY_OCSP_CERT, cm);
        if (ret < 0) {
            WOLFSSL_MSG("\tOCSP Responder certificate parsing failed");
            FreeDecodedCert(&cert);
--- a/wolfssl/wolfcrypt/asn.h
+++ b/wolfssl/wolfcrypt/asn.h
@ -595,6 +595,7 @@ enum VerifyType {
    VERIFY_OCSP = 3,
    VERIFY_NAME = 4,
    VERIFY_SKIP_DATE = 5,
+    VERIFY_OCSP_CERT = 6,
 };

 #ifdef WOLFSSL_CERT_EXT