authorJack Lloyd <[email protected]>2016-11-21 21:17:59 -0500
committerJack Lloyd <[email protected]>2016-11-23 08:31:08 -0500
commit54ea7886c6099a2fde17b4c1261c6e2f2b9469f1 (patch)
tree042b8af408a0e7ea7ebc393ee8ac42043117c34c /src
parent2e9e19a4403a12168527601e96bf29af1024ae0f (diff)
Consult the response for matching certs also, fixes Symantec OCSP
Diffstat (limited to 'src')
-rw-r--r--src/lib/x509/ocsp.cpp22
1 files changed, 20 insertions, 2 deletions
diff --git a/src/lib/x509/ocsp.cpp b/src/lib/x509/ocsp.cpp
index af7126580..fd82393e7 100644
--- a/src/lib/x509/ocsp.cpp
+++ b/src/lib/x509/ocsp.cpp
@@ -189,8 +189,9 @@ Certificate_Status_Code Response::check_signature(const std::vector<Certificate_
}
}
- if(!signing_cert)
+ if(!signing_cert && ee_cert_path.size() > 1)
{
+ // End entity cert is not allowed to sign their own OCSP request :)
for(size_t i = 1; i < ee_cert_path.size(); ++i)
{
// Check all CA certificates in the (assumed validated) EE cert path
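Review bot: The comment added at the top of this block names the wrong object: what the end-entity certificate must not sign is the OCSP response, not a request, so `// End entity cert is not allowed to sign its own OCSP response` would read correctly. The new `ee_cert_path.size() > 1` guard is also redundant with the loop that follows, which starts at i = 1 and simply does not execute for a path of length 0 or 1, so it can be dropped unless it is kept purely to document intent. The same comment-accuracy problem recurs in the next hunk, where `// Check all CA certificates in the (assumed validated) EE cert path` is copied verbatim above the new loop over m_certs, although those certificates are the ones carried inside the OCSP response itself rather than the validated path; a comment such as `// Fall back to the certificates embedded in the response; nothing here has validated them yet` would state what that branch actually does. Whether a signer picked from m_certs is subsequently checked for issuance by the issuing CA and for the OCSP-signing extended key usage cannot be seen in these hunks, so that check belongs wherever check_signature continues, which starts before this hunk and runs past the end of the visible diff.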
@@ -208,7 +209,24 @@ Certificate_Status_Code Response::check_signature(const std::vector<Certificate_
}
}
- // TODO: this ignores m_certs
+ if(!signing_cert && m_certs.size() > 0)
+ {
+ for(size_t i = 0; i < m_certs.size(); ++i)
+ {
+ // Check all CA certificates in the (assumed validated) EE cert path
+ if(!m_signer_name.empty() && m_certs[i].subject_dn() == m_signer_name)
+ {
+ signing_cert = std::make_shared<const X509_Certificate>(m_certs[i]);
+ break;
+ }
+
+ if(m_key_hash.size() > 0 && m_certs[i].subject_public_key_bitstring_sha1() == m_key_hash)
+ {
+ signing_cert = std::make_shared<const X509_Certificate>(m_certs[i]);
+ break;
+ }
+ }
+ }
if(!signing_cert)
return Certificate_Status_Code::OCSP_ISSUER_NOT_FOUND;