[ocsp] Centralise test for whether or not an OCSP check is required

Signed-off-by: Michael Brown <mcb30@ipxe.org>
2025-12-20 03:55:46 +03:00 · 2018-03-18 22:21:49 +02:00
parent ae93064496
commit a0021a30dd
3 changed files with 18 additions and 4 deletions
--- a/src/include/ipxe/ocsp.h
+++ b/src/include/ipxe/ocsp.h
@@ -111,6 +111,21 @@ ocsp_put ( struct ocsp_check *ocsp ) {
 	ref_put ( &ocsp->refcnt );
 }

+/**
+ * Check if X.509 certificate requires an OCSP check
+ *
+ * @v cert		X.509 certificate
+ * @ret ocsp_required	An OCSP check is required
+ */
+static inline int ocsp_required ( struct x509_certificate *cert ) {
+
+	/* An OCSP check is required if an OCSP URI exists but the
+	 * OCSP status is not (yet) good.
+	 */
+	return ( cert->extensions.auth_info.ocsp.uri.len &&
+		 ( ! cert->extensions.auth_info.ocsp.good ) );
+}
+
 extern int ocsp_check ( struct x509_certificate *cert,
 			struct x509_certificate *issuer,
 			struct ocsp_check **ocsp );