[ipxe-devel] [ipxe/ipxe] [crypto/OCSP] parse response certID for validation (#90)

Thilo Fromm notifications at github.com
Fri Feb 15 17:07:44 UTC 2019


The certID part of the OCSP response is defined as an ASN.1
sequence:

CertID ::= SEQUENCE {
 hashAlgorithm           AlgorithmIdentifier,
 issuerNameHash          OCTET STRING, -- Hash of issuer's DN
 issuerKeyHash           OCTET STRING, -- Hash of issuer's public key
 serialNumber            CertificateSerialNumber }

(see https://tools.ietf.org/html/rfc6960#appendix-B.1)

This patch implements parsing of all certID fields of incoming OCSP
responses as well as validation of the field values against the
respective request field values.

This improves the previous implementation which used memcmp() to
compare the certID memory (raw bits) of request and response.
As ASN.1 semantics are ignored by memcmp(), bitwise different but
semantically identical certIDs were rejected by the previous
implementation. This caused e.g. boot failures of OS images
downloaded via HTTPS.

Signed-off-by: Thilo Fromm <thilo at kinvolk.io>
You can view, comment on, or merge this pull request online at:

  https://github.com/ipxe/ipxe/pull/90

-- Commit Summary --

  * [crypto/OCSP] parse response certID for validation

-- File Changes --

    M src/crypto/ocsp.c (94)

-- Patch Links --

https://github.com/ipxe/ipxe/pull/90.patch
https://github.com/ipxe/ipxe/pull/90.diff

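The message above contrasts a memcmp() of the raw certID bytes with a field-by-field comparison after ASN.1 parsing. The following is an added example written for this page; it is not iPXE code and not the patch from the pull request. It walks the DER TLVs of a CertID, then compares the two certIDs by value: the hash algorithm OID, both OCTET STRING hashes and the INTEGER serial number, tolerating two encoding differences that memcmp() cannot: AlgorithmIdentifier parameters given as an explicit NULL (05 00) in one encoding and omitted in the other, and redundant leading sign bytes on the serial number. The sample certIDs are constructed for the example (SHA-1 OID 1.3.14.3.2.26, made-up 20-byte hashes, serial 0x010203); the function names certid_parse(), certid_equal() and certid_same() are the example's own, not the project's.

```c
/* Added example, not iPXE code: parse an OCSP CertID and compare two of
 * them by field value instead of with memcmp() over the raw encoding. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

struct der_tlv { uint8_t tag; const uint8_t *val; size_t len; };

struct certid {
    struct der_tlv hash_oid;          /* OID inside AlgorithmIdentifier */
    struct der_tlv issuer_name_hash;  /* OCTET STRING */
    struct der_tlv issuer_key_hash;   /* OCTET STRING */
    struct der_tlv serial;            /* INTEGER, compared by value */
};

/* Read one TLV at p; return bytes consumed, or 0 on truncated/malformed input */
static size_t der_read(const uint8_t *p, size_t avail, struct der_tlv *out) {
    size_t hdr = 2, len;
    if (avail < 2) return 0;
    out->tag = p[0];
    if (p[1] < 0x80) {
        len = p[1];                                  /* short form */
    } else {
        size_t n = p[1] & 0x7f;                      /* long form: n length bytes */
        if (n == 0 || n > sizeof(size_t) || avail < 2 + n) return 0;
        len = 0;
        for (size_t i = 0; i < n; i++) len = (len << 8) | p[2 + i];
        hdr += n;
    }
    if (avail - hdr < len) return 0;                 /* value runs past the buffer */
    out->val = p + hdr;
    out->len = len;
    return hdr + len;
}

/* Read one TLV and require a specific tag */
static size_t der_expect(const uint8_t *p, size_t avail, uint8_t tag, struct der_tlv *out) {
    size_t n = der_read(p, avail, out);
    return (n && out->tag == tag) ? n : 0;
}

/* CertID ::= SEQUENCE { AlgorithmIdentifier, OCTET STRING, OCTET STRING, INTEGER }
 * AlgorithmIdentifier ::= SEQUENCE { OID, parameters ANY OPTIONAL }
 * Returns 0 on success, -1 on malformed input (including trailing bytes). */
int certid_parse(const uint8_t *der, size_t len, struct certid *id) {
    struct der_tlv seq, alg, params;
    size_t n, off = 0;
    if (!der_expect(der, len, 0x30, &seq)) return -1;
    if (!(n = der_expect(seq.val, seq.len, 0x30, &alg))) return -1;
    off += n;
    if (!(n = der_expect(alg.val, alg.len, 0x06, &id->hash_oid))) return -1;
    if (n < alg.len) {   /* parameters present: accept only an explicit NULL */
        if (!der_expect(alg.val + n, alg.len - n, 0x05, &params)) return -1;
        if (params.len != 0 || n + 2 != alg.len) return -1;
    }
    if (!(n = der_expect(seq.val + off, seq.len - off, 0x04, &id->issuer_name_hash))) return -1;
    off += n;
    if (!(n = der_expect(seq.val + off, seq.len - off, 0x04, &id->issuer_key_hash))) return -1;
    off += n;
    if (!(n = der_expect(seq.val + off, seq.len - off, 0x02, &id->serial))) return -1;
    off += n;
    return (off == seq.len) ? 0 : -1;
}

/* Drop redundant sign-extension bytes so a non-minimal INTEGER compares by value */
static void int_canon(const struct der_tlv *t, const uint8_t **v, size_t *n) {
    *v = t->val;
    *n = t->len;
    while (*n > 1) {
        int redundant_zero = ((*v)[0] == 0x00) && !((*v)[1] & 0x80);
        int redundant_ff   = ((*v)[0] == 0xff) &&  ((*v)[1] & 0x80);
        if (!redundant_zero && !redundant_ff) break;
        (*v)++; (*n)--;
    }
}

static int tlv_equal(const struct der_tlv *a, const struct der_tlv *b) {
    return a->len == b->len && memcmp(a->val, b->val, a->len) == 0;
}

/* Field-wise comparison: 1 if both certIDs identify the same certificate */
int certid_equal(const struct certid *a, const struct certid *b) {
    const uint8_t *sa, *sb; size_t na, nb;
    int_canon(&a->serial, &sa, &na);
    int_canon(&b->serial, &sb, &nb);
    return tlv_equal(&a->hash_oid, &b->hash_oid)
        && tlv_equal(&a->issuer_name_hash, &b->issuer_name_hash)
        && tlv_equal(&a->issuer_key_hash, &b->issuer_key_hash)
        && na == nb && memcmp(sa, sb, na) == 0;
}

/* Parse both encodings and compare: 1 match, 0 mismatch, -1 malformed */
int certid_same(const uint8_t *a, size_t alen, const uint8_t *b, size_t blen) {
    struct certid ia, ib;
    if (certid_parse(a, alen, &ia) || certid_parse(b, blen, &ib)) return -1;
    return certid_equal(&ia, &ib);
}

/* The raw comparison the message describes as the previous behaviour */
int certid_same_raw(const uint8_t *a, size_t alen, const uint8_t *b, size_t blen) {
    return alen == blen && memcmp(a, b, alen) == 0;
}

/* Constructed sample data (not captured from a real responder). */
#define NAME_HASH 0xa1,0xa2,0xa3,0xa4,0xa5,0xa6,0xa7,0xa8,0xa9,0xaa,0xab,0xac,0xad,0xae,0xaf,0xb0,0xb1,0xb2,0xb3,0xb4
#define KEY_HASH  0xc1,0xc2,0xc3,0xc4,0xc5,0xc6,0xc7,0xc8,0xc9,0xca,0xcb,0xcc,0xcd,0xce,0xcf,0xd0,0xd1,0xd2,0xd3,0xd4
/* Request: sha1 with explicit NULL parameters, minimal serial 01 02 03 */
static const uint8_t request_certid[] = {
    0x30, 0x3c,
      0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00,
      0x04, 0x14, NAME_HASH,
      0x04, 0x14, KEY_HASH,
      0x02, 0x03, 0x01, 0x02, 0x03,
};
/* Response: same certificate, parameters omitted, serial with a leading 0x00 */
static const uint8_t response_certid[] = {
    0x30, 0x3b,
      0x30, 0x07, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a,
      0x04, 0x14, NAME_HASH,
      0x04, 0x14, KEY_HASH,
      0x02, 0x04, 0x00, 0x01, 0x02, 0x03,
};
/* A different certificate: serial 01 02 04 */
static const uint8_t other_certid[] = {
    0x30, 0x3a,
      0x30, 0x07, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a,
      0x04, 0x14, NAME_HASH,
      0x04, 0x14, KEY_HASH,
      0x02, 0x03, 0x01, 0x02, 0x04,
};

int main(void) {
    printf("memcmp():     %d\n", certid_same_raw(request_certid, sizeof request_certid,
                                                 response_certid, sizeof response_certid));
    printf("field-wise:   %d\n", certid_same(request_certid, sizeof request_certid,
                                             response_certid, sizeof response_certid));
    printf("other serial: %d\n", certid_same(request_certid, sizeof request_certid,
                                             other_certid, sizeof other_certid));
    return 0;
}
```

The parser rejects trailing bytes inside the outer SEQUENCE and any AlgorithmIdentifier parameters other than an explicit NULL, so the tolerance is limited to the two encoding variants named above; anything else is treated as malformed rather than silently matched. In the sample data the raw comparison reports a mismatch while the field-wise comparison reports a match, which is the failure mode the message describes.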