ocsp: gnutls_ocsp_resp_verify_direct will skip additional checks for certificates...
authorNikos Mavrogiannopoulos <nmav@gnutls.org>
Wed, 23 Mar 2016 22:00:53 +0000 (23:00 +0100)
committerNikos Mavrogiannopoulos <nmav@gnutls.org>
Wed, 23 Mar 2016 22:01:37 +0000 (23:01 +0100)
This eliminates an issue where ocsptool rejected OCSP responses signed
by the same CA that signed the certificate. Reported by Thomas Klute.

lib/x509/ocsp.c

index 8049e24e913612418c163a3c888fd4f6adf136ca..7e762bbfef3be2f35ba838d7590f96d4cc9e05ec 100644 (file)
@@ -2086,7 +2086,9 @@ gnutls_ocsp_resp_verify_direct(gnutls_ocsp_resp_t resp,
        signercert = find_signercert(resp);
        if (!signercert) {
                signercert = issuer;
-       } else {                /* response contains a signer. Verify him */
+       } else if (!_gnutls_check_if_same_cert(signercert, issuer)) {
+
+               /* response contains a signer. Verify him */
 
                unsigned int vtmp;