Fix an OCSP response decoding bug, we were not decoding KeyID properly.

Also prioritize checking the status code before the dates, as otherwise an attacker could substitue a valid but expired response which marked the cert as revoked and we would still just return OCSP_EXPIRED. Obviously they can still play this game with an old (valid) OCSP response, but no point making it easy.
author: lloyd <[email protected]> 2014-04-05 13:13:17 +0000
committer: lloyd <[email protected]> 2014-04-05 13:13:17 +0000
commit: aa3af43218106e184398f667f82110bb069abf8a (patch)
tree: cc602bc3e58a7b8fb364b3f31d373234c12459fb /doc
parent: c286fc7584039edc117f2f25c1fca1d1903b79d3 (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/doc/relnotes/1_11_9.rst b/doc/relnotes/1_11_9.rst
index 604c0d60e..8d9f17666 100644
--- a/doc/relnotes/1_11_9.rst
+++ b/doc/relnotes/1_11_9.rst
@@ -1,6 +1,10 @@
 Version 1.11.9, Not Yet Released
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
+ * Fixed a bug in OCSP response decoding which would cause an error
+   when attempting to decode responses from some widely used
+   responders.
+
  * An implementation of HMAC_DRBG RNG from NIST SP800-90A has been
    added. Like the X9.31 PRNG implementation, it uses another
    underlying RNG for seeding material.
author	lloyd <[email protected]>	2014-04-05 13:13:17 +0000
committer	lloyd <[email protected]>	2014-04-05 13:13:17 +0000
commit	aa3af43218106e184398f667f82110bb069abf8a (patch)
tree	cc602bc3e58a7b8fb364b3f31d373234c12459fb /doc
parent	c286fc7584039edc117f2f25c1fca1d1903b79d3 (diff)