diff options
author | Jack Lloyd <[email protected]> | 2016-11-21 21:17:59 -0500 |
---|---|---|
committer | Jack Lloyd <[email protected]> | 2016-11-23 08:31:08 -0500 |
commit | 54ea7886c6099a2fde17b4c1261c6e2f2b9469f1 (patch) | |
tree | 042b8af408a0e7ea7ebc393ee8ac42043117c34c /src | |
parent | 2e9e19a4403a12168527601e96bf29af1024ae0f (diff) |
Consult the response for matching certs also, fixes Symantec OCSP
Diffstat (limited to 'src')
-rw-r--r-- | src/lib/x509/ocsp.cpp | 22 |
1 files changed, 20 insertions, 2 deletions
diff --git a/src/lib/x509/ocsp.cpp b/src/lib/x509/ocsp.cpp index af7126580..fd82393e7 100644 --- a/src/lib/x509/ocsp.cpp +++ b/src/lib/x509/ocsp.cpp @@ -189,8 +189,9 @@ Certificate_Status_Code Response::check_signature(const std::vector<Certificate_ } } - if(!signing_cert) + if(!signing_cert && ee_cert_path.size() > 1) { + // End entity cert is not allowed to sign their own OCSP request :) for(size_t i = 1; i < ee_cert_path.size(); ++i) { // Check all CA certificates in the (assumed validated) EE cert path @@ -208,7 +209,24 @@ Certificate_Status_Code Response::check_signature(const std::vector<Certificate_ } } - // TODO: this ignores m_certs + if(!signing_cert && m_certs.size() > 0) + { + for(size_t i = 0; i < m_certs.size(); ++i) + { + // Check all CA certificates in the (assumed validated) EE cert path + if(!m_signer_name.empty() && m_certs[i].subject_dn() == m_signer_name) + { + signing_cert = std::make_shared<const X509_Certificate>(m_certs[i]); + break; + } + + if(m_key_hash.size() > 0 && m_certs[i].subject_public_key_bitstring_sha1() == m_key_hash) + { + signing_cert = std::make_shared<const X509_Certificate>(m_certs[i]); + break; + } + } + } if(!signing_cert) return Certificate_Status_Code::OCSP_ISSUER_NOT_FOUND; |