From 6e92d6213d20329d8b84431f00d8cbe7d63bb379 Mon Sep 17 00:00:00 2001 From: Michael Brown Date: Tue, 8 Dec 2020 14:39:33 +0000 Subject: [PATCH] [ocsp] Remove dummy OCSP certificate root OCSP currently calls x509_validate() with an empty root certificate list, on the basis that the OCSP signer certificate (if existent) must be signed directly by the issuer certificate. Using an empty root certificate list is not required to achieve this goal, since x509_validate() already accepts an explicit issuer certificate parameter. The explicit empty root certificate list merely prevents the signer certificate from being evaluated as a potential trusted root certificate. Remove the dummy OCSP root certificate list and use the default root certificate list when calling x509_validate(). Signed-off-by: Michael Brown --- src/crypto/ocsp.c | 16 ++-------------- 1 file changed, 2 insertions(+), 14 deletions(-) diff --git a/src/crypto/ocsp.c b/src/crypto/ocsp.c index 51dc939e8..998a0ce2c 100644 --- a/src/crypto/ocsp.c +++ b/src/crypto/ocsp.c @@ -832,18 +832,6 @@ int ocsp_response ( struct ocsp_check *ocsp, const void *data, size_t len ) { return 0; } -/** - * OCSP dummy root certificate store - * - * OCSP validation uses no root certificates, since it takes place - * only when there already exists a validated issuer certificate. - */ -static struct x509_root ocsp_root = { - .digest = &ocsp_digest_algorithm, - .count = 0, - .fingerprints = NULL, -}; - /** * Check OCSP response signature * @@ -927,7 +915,7 @@ int ocsp_validate ( struct ocsp_check *ocsp, time_t time ) { */ x509_invalidate ( signer ); if ( ( rc = x509_validate ( signer, ocsp->issuer, time, - &ocsp_root ) ) != 0 ) { + NULL ) ) != 0 ) { DBGC ( ocsp, "OCSP %p \"%s\" could not validate ", ocsp, x509_name ( ocsp->cert ) ); DBGC ( ocsp, "signer \"%s\": %s\n", @@ -973,7 +961,7 @@ int ocsp_validate ( struct ocsp_check *ocsp, time_t time ) { /* Validate certificate against issuer */ if ( ( rc = x509_validate ( ocsp->cert, ocsp->issuer, time, - &ocsp_root ) ) != 0 ) { + NULL ) ) != 0 ) { DBGC ( ocsp, "OCSP %p \"%s\" could not validate certificate: " "%s\n", ocsp, x509_name ( ocsp->cert ), strerror ( rc )); return rc;