[ipxe-devel] [ipxe/ipxe] parse response certID hashAlgorithm (#91)
Geert Stappers
notifications at github.com
Sat Feb 23 22:10:30 UTC 2019
Implements parsing of the hashAlgorithm certID field of incoming OCSP
responses as well as validation of the field value against the respective
request field hashAlgorithm. The remaining fields of the response certID
are validated against the request via memcpy().
The certID part of the OCSP response is defined as an ASN.1 sequence:
CertID ::= SEQUENCE {
hashAlgorithm AlgorithmIdentifier,
issuerNameHash OCTET STRING, -- Hash of issuer's DN
issuerKeyHash OCTET STRING, -- Hash of issuer's public key
serialNumber CertificateSerialNumber }
(see https://tools.ietf.org/html/rfc6960#appendix-B.1 )
Parsing hashAlgorithm improves the previous implementation which
used memcmp() to compare the certID memory (raw bits) of request and
response. As ASN.1 semantics are ignored by memcmp(), bitwise different
but semantically identical certIDs were rejected by the previous
implementation. This caused e.g. boot failures of OS images downloaded
via HTTPS.
You can view, comment on, or merge this pull request online at:
https://github.com/ipxe/ipxe/pull/91
-- Commit Summary --
* parse response certID hashAlgorithm
-- File Changes --
M src/crypto/ocsp.c (39)
-- Patch Links --
https://github.com/ipxe/ipxe/pull/91.patch
https://github.com/ipxe/ipxe/pull/91.diff
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/ipxe/ipxe/pull/91
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ipxe.org/pipermail/ipxe-devel/attachments/20190223/874e57d0/attachment.htm>
More information about the ipxe-devel
mailing list