authorNikos Mavrogiannopoulos <nmav@gnutls.org>2016-03-23 23:00:53 +0100
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2016-03-23 23:33:11 +0100
commit8e6bd7a1027e425748afb967f5f8cd0240f97677 (patch)
tree36dcefe6f7959c3d940a460dbcddacf0605eb5e1
parentb6d0c3d3fa3668cf91f236fcab1c5d99d211434b (diff)
downloadgnutls-8e6bd7a1027e425748afb967f5f8cd0240f97677.tar.gz
ocsp: gnutls_ocsp_resp_verify_direct will skip additional checks for certificates matching issuer
That eliminates an issue with ocsptool rejecting OCSP responses signed by the same CA that signed the certificate. Reported by Thomas Klute.
-rw-r--r--lib/x509/ocsp.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/lib/x509/ocsp.c b/lib/x509/ocsp.c
index 7686a4e8f3..6bebcb4a86 100644
--- a/lib/x509/ocsp.c
+++ b/lib/x509/ocsp.c
@@ -2086,7 +2086,9 @@ gnutls_ocsp_resp_verify_direct(gnutls_ocsp_resp_t resp,
signercert = find_signercert(resp);
if (!signercert) {
signercert = issuer;
- } else { /* response contains a signer. Verify him */
+ } else if (!_gnutls_check_if_same_cert(signercert, issuer)) {
+
+ /* response contains a signer. Verify him */
unsigned int vtmp;