From 7fa1f41f7d3522349399fe1d1523a644b59f59de Mon Sep 17 00:00:00 2001
From: Michael Brown <mcb30@ipxe.org>
Date: Tue, 22 May 2012 00:53:44 +0100
Subject: [PATCH] [crypto] Require OCSP check if certificate provides an OCSP
 URI

Signed-off-by: Michael Brown <mcb30@ipxe.org>
---
 src/crypto/x509.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/src/crypto/x509.c b/src/crypto/x509.c
index 2180173b0..1a27eb24c 100644
--- a/src/crypto/x509.c
+++ b/src/crypto/x509.c
@@ -98,6 +98,10 @@ FILE_LICENCE ( GPL2_OR_LATER );
 	__einfo_error ( EINFO_EACCES_EMPTY )
 #define EINFO_EACCES_EMPTY \
 	__einfo_uniqify ( EINFO_EACCES, 0x08, "Empty certificate chain" )
+#define EACCES_OCSP_REQUIRED \
+	__einfo_error ( EINFO_EACCES_OCSP_REQUIRED )
+#define EINFO_EACCES_OCSP_REQUIRED \
+	__einfo_uniqify ( EINFO_EACCES, 0x09, "OCSP check required" )
 
 /** Certificate cache */
 static LIST_HEAD ( x509_cache );
@@ -1343,6 +1347,14 @@ int x509_validate ( struct x509_certificate *cert,
 		return -EACCES_PATH_LEN;
 	}
 
+	/* Fail if OCSP is required */
+	if ( cert->extensions.auth_info.ocsp.uri &&
+	     ( ! cert->extensions.auth_info.ocsp.good ) ) {
+		DBGC ( cert, "X509 %p \"%s\" requires an OCSP check\n",
+		       cert, cert->subject.name );
+		return -EACCES_OCSP_REQUIRED;
+	}
+
 	/* Calculate effective path length */
 	cert->path_remaining = ( issuer->path_remaining - 1 );
 	max_path_remaining = ( cert->extensions.basic.path_len + 1 );