]> git.ipfire.org Git - thirdparty/ipxe.git/commit
projects / thirdparty / ipxe.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: be47c2c) | patch
[ocsp] Remove dummy OCSP certificate root
authorMichael Brown <mcb30@ipxe.org>
Tue, 8 Dec 2020 14:39:33 +0000 (14:39 +0000)
committerMichael Brown <mcb30@ipxe.org>
Tue, 8 Dec 2020 15:04:28 +0000 (15:04 +0000)
commit6e92d6213d20329d8b84431f00d8cbe7d63bb379
tree330cacc0a8b25b8e3902d567e5f8f782be2ecaabtree | snapshot
parentbe47c2c72cd3cdecc146eca5a200d454643bcf06commit | diff
[ocsp] Remove dummy OCSP certificate root

OCSP currently calls x509_validate() with an empty root certificate
list, on the basis that the OCSP signer certificate (if existent) must
be signed directly by the issuer certificate.

Using an empty root certificate list is not required to achieve this
goal, since x509_validate() already accepts an explicit issuer
certificate parameter.  The explicit empty root certificate list
merely prevents the signer certificate from being evaluated as a
potential trusted root certificate.

Remove the dummy OCSP root certificate list and use the default root
certificate list when calling x509_validate().

Signed-off-by: Michael Brown <mcb30@ipxe.org>
src/crypto/ocsp.c diff | blob | blame | history
Mirror of https://github.com/ipxe/ipxe.git