[ocsp] Centralise test for whether or not an OCSP check is required

Signed-off-by: Michael Brown <mcb30@ipxe.org>

src/crypto/x509.c

@@ -40,6 +40,7 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
 #include <ipxe/socket.h>
 #include <ipxe/in.h>
 #include <ipxe/image.h>
+#include <ipxe/ocsp.h>
 #include <ipxe/x509.h>
 #include <config/crypto.h>
 
@@ -1362,8 +1363,7 @@ int x509_validate ( struct x509_certificate *cert,
 	}
 
 	/* Fail if OCSP is required */
-	if ( cert->extensions.auth_info.ocsp.uri.len &&
+	if ( ocsp_required ( cert ) ) {
-	     ( ! cert->extensions.auth_info.ocsp.good ) ) {
 		DBGC ( cert, "X509 %p \"%s\" requires an OCSP check\n",
 		       cert, x509_name ( cert ) );
 		return -EACCES_OCSP_REQUIRED;

src/include/ipxe/ocsp.h

@@ -111,6 +111,21 @@ ocsp_put ( struct ocsp_check *ocsp ) {
 	ref_put ( &ocsp->refcnt );
 }
 
+/**
+ * Check if X.509 certificate requires an OCSP check
+ *
+ * @v cert		X.509 certificate
+ * @ret ocsp_required	An OCSP check is required
+ */
+static inline int ocsp_required ( struct x509_certificate *cert ) {
+
+	/* An OCSP check is required if an OCSP URI exists but the
+	 * OCSP status is not (yet) good.
+	 */
+	return ( cert->extensions.auth_info.ocsp.uri.len &&
+		 ( ! cert->extensions.auth_info.ocsp.good ) );
+}
+
 extern int ocsp_check ( struct x509_certificate *cert,
 			struct x509_certificate *issuer,
 			struct ocsp_check **ocsp );

src/net/validator.c

@@ -488,8 +488,7 @@ static void validator_step ( struct validator *validator ) {
 		/* The issuer is valid, but this certificate is not
 		 * yet valid.  If OCSP is applicable, start it.
 		 */
-		if ( cert->extensions.auth_info.ocsp.uri.len &&
+		if ( ocsp_required ( cert ) ) {
-		     ( ! cert->extensions.auth_info.ocsp.good ) ) {
 			/* Start OCSP */
 			if ( ( rc = validator_start_ocsp ( validator, cert,
 							   issuer ) ) != 0 ) {