<p>The certID part of the OCSP response is defined as an ASN.1<br>
sequence:</p>
<p>CertID ::= SEQUENCE {<br>
hashAlgorithm           AlgorithmIdentifier,<br>
issuerNameHash          OCTET STRING, -- Hash of issuer's DN<br>
issuerKeyHash           OCTET STRING, -- Hash of issuer's public key<br>
serialNumber            CertificateSerialNumber }</p>
<p>(see <a rel="nofollow" href="https://tools.ietf.org/html/rfc6960#appendix-B.1">https://tools.ietf.org/html/rfc6960#appendix-B.1</a> )</p>
<p>This patch implements parsing of all certID fields of incoming OCSP<br>
responses as well as validation of the field values against the<br>
respective request field values.</p>
<p>This improves the previous implementation which used memcmp() to<br>
compare the certID memory (raw bits) of request and response.<br>
As ASN.1 semantics are ignored by memcmp(), bitwise different but<br>
semantically identical certIDs were rejected by the previous<br>
implementation. This caused e.g. boot failures of OS images<br>
downloaded via HTTPS.</p>
<p>Signed-off-by: Thilo Fromm <a href="mailto:thilo@kinvolk.io">thilo@kinvolk.io</a></p>

<hr>

<h4>You can view, comment on, or merge this pull request online at:</h4>
<p>  <a href='https://github.com/ipxe/ipxe/pull/90'>https://github.com/ipxe/ipxe/pull/90</a></p>

<h4>Commit Summary</h4>
<ul>
  <li>[crypto/OCSP] parse response certID for validation</li>
</ul>

<h4>File Changes</h4>
<ul>
  <li>
    <strong>M</strong>
    <a href="https://github.com/ipxe/ipxe/pull/90/files#diff-0">src/crypto/ocsp.c</a>
    (94)
  </li>
</ul>

<h4>Patch Links:</h4>
<ul>
  <li><a href='https://github.com/ipxe/ipxe/pull/90.patch'>https://github.com/ipxe/ipxe/pull/90.patch</a></li>
  <li><a href='https://github.com/ipxe/ipxe/pull/90.diff'>https://github.com/ipxe/ipxe/pull/90.diff</a></li>
</ul>

<p style="font-size:small;-webkit-text-size-adjust:none;color:#666;">—<br />You are receiving this because you are subscribed to this thread.<br />Reply to this email directly, <a href="https://github.com/ipxe/ipxe/pull/90">view it on GitHub</a>, or <a href="https://github.com/notifications/unsubscribe-auth/AArTVPmleYBToabHpub8y1066m13PAS8ks5vNulggaJpZM4a-EdD">mute the thread</a>.<img src="https://github.com/notifications/beacon/AArTVIuyxUZBdfsgfmIOFOLYSM0kriuAks5vNulggaJpZM4a-EdD.gif" height="1" width="1" alt="" /></p>
<script type="application/json" data-scope="inboxmarkup">{"api_version":"1.0","publisher":{"api_key":"05dde50f1d1a384dd78767c55493e4bb","name":"GitHub"},"entity":{"external_key":"github/ipxe/ipxe","title":"ipxe/ipxe","subtitle":"GitHub repository","main_image_url":"https://github.githubassets.com/images/email/message_cards/header.png","avatar_image_url":"https://github.githubassets.com/images/email/message_cards/avatar.png","action":{"name":"Open in GitHub","url":"https://github.com/ipxe/ipxe"}},"updates":{"snippets":[{"icon":"DESCRIPTION","message":"[crypto/OCSP] parse response certID for validation (#90)"}],"action":{"name":"View Pull Request","url":"https://github.com/ipxe/ipxe/pull/90"}}}</script>
<script type="application/ld+json">[
{
"@context": "http://schema.org",
"@type": "EmailMessage",
"potentialAction": {
"@type": "ViewAction",
"target": "https://github.com/ipxe/ipxe/pull/90",
"url": "https://github.com/ipxe/ipxe/pull/90",
"name": "View Pull Request"
},
"description": "View this Pull Request on GitHub",
"publisher": {
"@type": "Organization",
"name": "GitHub",
"url": "https://github.com"
}
}
]</script>