mirror of
https://github.com/ipxe/ipxe
synced 2026-01-23 12:38:58 +03:00
5cbdc41778
We currently compare the entirety of the KeyHash object (including the ASN.1 tag and length byte) against the raw SHA-1 hash of the certificate's public key. This causes OCSP validation to fail for any responses which identify the responder by key hash rather than by name, and hence prevents the use of X.509 certificates where any certificate in the chain has an OCSP responder which chooses to identify itself via its key hash. Fix by adding the missing asn1_enter() required to enter the ASN.1 octet string containing the key hash. Also add a corresponding test case including an OCSP response where the responder is identified by key hash, to ensure that this functionality cannot be broken in future. Debugged-by: Brian Rak <brak@gameservers.com> Signed-off-by: Michael Brown <mcb30@ipxe.org>
iPXE README File Quick start guide: cd src make For any more detailed instructions, see http://ipxe.org