wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-07-30 18:57:27 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #4211 from SparkiDev/ocsp_no_check

Browse Source 
OCSP: improve handling of OCSP no check extension
This commit is contained in:
JacobBarthelmeh
2021-07-16 16:06:41 +07:00
committed by Jacob Barthelmeh
parent e0292fdc94
commit 21ea34282a
2 changed files with 9 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
wolfcrypt/src/asn.c
View File

@ -10212,9 +10212,13 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm)
} }
#ifdef HAVE_OCSP #ifdef HAVE_OCSP
/* trust for the lifetime of the responder's cert*/ if (verify == VERIFY_OCSP_CERT) {
if (cert->ocspNoCheckSet && verify == VERIFY_OCSP) /* trust for the lifetime of the responder's cert*/
verify = NO_VERIFY; if (cert->ocspNoCheckSet)
verify = VERIFY;
else
verify = VERIFY_OCSP;
}
#endif #endif
/* advance past extensions */ /* advance past extensions */
cert->srcIdx = cert->sigIndex; cert->srcIdx = cert->sigIndex;
@ -17957,7 +17961,7 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
/* Don't verify if we don't have access to Cert Manager. */ /* Don't verify if we don't have access to Cert Manager. */
ret = ParseCertRelative(&cert, CERT_TYPE, ret = ParseCertRelative(&cert, CERT_TYPE,
noVerify ? NO_VERIFY : VERIFY_OCSP, cm); noVerify ? NO_VERIFY : VERIFY_OCSP_CERT, cm);
if (ret < 0) { if (ret < 0) {
WOLFSSL_MSG("\tOCSP Responder certificate parsing failed"); WOLFSSL_MSG("\tOCSP Responder certificate parsing failed");
FreeDecodedCert(&cert); FreeDecodedCert(&cert);

1
wolfssl/wolfcrypt/asn.h
View File

@ -595,6 +595,7 @@ enum VerifyType {
VERIFY_OCSP = 3, VERIFY_OCSP = 3,
VERIFY_NAME = 4, VERIFY_NAME = 4,
VERIFY_SKIP_DATE = 5, VERIFY_SKIP_DATE = 5,
VERIFY_OCSP_CERT = 6,
}; };
#ifdef WOLFSSL_CERT_EXT #ifdef WOLFSSL_CERT_EXT