<p>Implements parsing of the hashAlgorithm  certID field of incoming OCSP<br>
responses as well as validation of the field value against the respective<br>
request field hashAlgorithm. The remaining fields of the response certID<br>
are validated against the request via memcpy().</p>
<p>The certID part of the OCSP response is defined as an ASN.1 sequence:</p>
<p>CertID ::= SEQUENCE {<br>
hashAlgorithm           AlgorithmIdentifier,<br>
issuerNameHash          OCTET STRING, -- Hash of issuer's DN<br>
issuerKeyHash           OCTET STRING, -- Hash of issuer's public key<br>
serialNumber            CertificateSerialNumber }</p>
<p>(see <a rel="nofollow" href="https://tools.ietf.org/html/rfc6960#appendix-B.1">https://tools.ietf.org/html/rfc6960#appendix-B.1</a> )</p>
<p>Parsing hashAlgorithm improves the previous implementation which<br>
used memcmp() to compare the certID memory (raw bits) of request and<br>
response. As ASN.1 semantics are ignored by memcmp(), bitwise different<br>
but semantically identical certIDs were rejected by the previous<br>
implementation. This caused e.g. boot failures of OS images downloaded<br>
via HTTPS.</p>

<hr>

<h4>You can view, comment on, or merge this pull request online at:</h4>
<p>  <a href='https://github.com/ipxe/ipxe/pull/91'>https://github.com/ipxe/ipxe/pull/91</a></p>

<h4>Commit Summary</h4>
<ul>
  <li>parse response certID hashAlgorithm</li>
</ul>

<h4>File Changes</h4>
<ul>
  <li>
    <strong>M</strong>
    <a href="https://github.com/ipxe/ipxe/pull/91/files#diff-0">src/crypto/ocsp.c</a>
    (39)
  </li>
</ul>

<h4>Patch Links:</h4>
<ul>
  <li><a href='https://github.com/ipxe/ipxe/pull/91.patch'>https://github.com/ipxe/ipxe/pull/91.patch</a></li>
  <li><a href='https://github.com/ipxe/ipxe/pull/91.diff'>https://github.com/ipxe/ipxe/pull/91.diff</a></li>
</ul>

<p style="font-size:small;-webkit-text-size-adjust:none;color:#666;">—<br />You are receiving this because you are subscribed to this thread.<br />Reply to this email directly, <a href="https://github.com/ipxe/ipxe/pull/91">view it on GitHub</a>, or <a href="https://github.com/notifications/unsubscribe-auth/AArTVNF2NceqkgLOHkTGfOYyyVYbLyQOks5vQbxWgaJpZM4bOMJO">mute the thread</a>.<img src="https://github.com/notifications/beacon/AArTVCZaLMwvfoWDaY_0ALfbn7NtBCHZks5vQbxWgaJpZM4bOMJO.gif" height="1" width="1" alt="" /></p>
<script type="application/json" data-scope="inboxmarkup">{"api_version":"1.0","publisher":{"api_key":"05dde50f1d1a384dd78767c55493e4bb","name":"GitHub"},"entity":{"external_key":"github/ipxe/ipxe","title":"ipxe/ipxe","subtitle":"GitHub repository","main_image_url":"https://github.githubassets.com/images/email/message_cards/header.png","avatar_image_url":"https://github.githubassets.com/images/email/message_cards/avatar.png","action":{"name":"Open in GitHub","url":"https://github.com/ipxe/ipxe"}},"updates":{"snippets":[{"icon":"DESCRIPTION","message":"parse response certID hashAlgorithm (#91)"}],"action":{"name":"View Pull Request","url":"https://github.com/ipxe/ipxe/pull/91"}}}</script>
<script type="application/ld+json">[
{
"@context": "http://schema.org",
"@type": "EmailMessage",
"potentialAction": {
"@type": "ViewAction",
"target": "https://github.com/ipxe/ipxe/pull/91",
"url": "https://github.com/ipxe/ipxe/pull/91",
"name": "View Pull Request"
},
"description": "View this Pull Request on GitHub",
"publisher": {
"@type": "Organization",
"name": "GitHub",
"url": "https://github.com"
}
}
]</script>