From a3578c6643620d11748240ef0556027b562787fa Mon Sep 17 00:00:00 2001
From: David Garske
Date: Wed, 21 Jun 2017 10:52:11 -0700
Subject: [PATCH] Adds `WOLFSSL_NO_OCSP_EXTKEYUSE_OCSP_SIGN` option to provide backwards compatibility option for OCSP checking.

---
 wolfcrypt/src/asn.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 75f993a41..64eb76b20 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -36,10 +36,13 @@ ASN Options:
  * WOLFSSL_CERT_GEN: Cert generation. Saves extra certificate info in GetName.
  * WOLFSSL_NO_OCSP_OPTIONAL_CERTS: Skip optional OCSP certs (responder issuer
     must still be trusted)
- * WOLFSSL_NO_TRUSTED_CERTS_VERIFY: Workaround for sitatuon where entire cert
+ * WOLFSSL_NO_TRUSTED_CERTS_VERIFY: Workaround for situation where entire cert
     chain is not loaded. This only matches on subject and public key and does
     not perform a PKI validation, so it is not a secure solution.
     Only enabled for OCSP.
+ * WOLFSSL_NO_OCSP_EXTKEYUSE_OCSP_SIGN: Can be defined for backwards
+    compatibility to disable matching of OCSP signing authority for the
+    certificate in question.
 */
 
 #ifndef NO_ASN
@@ -10767,6 +10770,7 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
         return ret;
     }
 
+#ifndef WOLFSSL_NO_OCSP_EXTKEYUSE_OCSP_SIGN
     if ((cert.extExtKeyUsage & EXTKEYUSE_OCSP_SIGN) == 0) {
         if (XMEMCMP(cert.subjectHash, resp->issuerHash, KEYID_SIZE) == 0) {
@@ -10779,6 +10783,7 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
             return BAD_OCSP_RESPONDER;
         }
     }
+#endif
 
     /* ConfirmSignature is blocking here */
     ret = ConfirmSignature(&cert.sigCtx,
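Review bot: The new WOLFSSL_NO_OCSP_EXTKEYUSE_OCSP_SIGN entry in the ASN Options comment says what the option disables but, unlike the neighbouring WOLFSSL_NO_TRUSTED_CERTS_VERIFY entry, does not tell the reader that defining it weakens validation. As far as the guarded lines in the second and third hunks show, the disabled block rejects a responder certificate that neither carries the OCSP-signing extended key usage nor has a subjectHash equal to the response's issuerHash, so the option removes the authorized-responder check rather than a cosmetic match. Suggest appending a line in the same style as the entry above it: `    This skips the authorized-responder check and is not a secure default;`
`    define it only for legacy responders.`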
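Review bot: The `#ifndef WOLFSSL_NO_OCSP_EXTKEYUSE_OCSP_SIGN` added in DecodeBasicOcspResponse carries no comment at the site, so a reader of the function (whose body starts and ends outside these hunks, with the guarded block spanning the second and third hunks) has to go back to the file header to learn why a responder check can be compiled out. Suggest annotating the guard so the security intent is visible where the code is: `#ifndef WOLFSSL_NO_OCSP_EXTKEYUSE_OCSP_SIGN /* RFC 6960 4.2.2.2: signer must be the issuer or an OCSP-signing delegate */` and, on the matching line in the third hunk, `#endif /* WOLFSSL_NO_OCSP_EXTKEYUSE_OCSP_SIGN */`. Note that with the option defined the only remaining gate before accepting the response appears to be ConfirmSignature on the embedded certificate, which is worth stating in the option's documentation as well.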