OCSP: improve handling of OCSP no check extension

SparkiDev · SparkiDev · commit f93083be72a3 · 2021-07-16T12:19:39.000+10:00
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
@@ -10212,9 +10212,13 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm)
             }
 
         #ifdef HAVE_OCSP
-            /* trust for the lifetime of the responder's cert*/
-            if (cert->ocspNoCheckSet && verify == VERIFY_OCSP)
-                verify = NO_VERIFY;
+            if (verify == VERIFY_OCSP_CERT) {
+                /* trust for the lifetime of the responder's cert*/
+                if (cert->ocspNoCheckSet)
+                    verify = VERIFY;
+                else
+                    verify = VERIFY_OCSP;
+            }
         #endif
             /* advance past extensions */
             cert->srcIdx = cert->sigIndex;
@@ -17957,7 +17961,7 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
 
         /* Don't verify if we don't have access to Cert Manager. */
         ret = ParseCertRelative(&cert, CERT_TYPE,
-                                noVerify ? NO_VERIFY : VERIFY_OCSP, cm);
+                                noVerify ? NO_VERIFY : VERIFY_OCSP_CERT, cm);
         if (ret < 0) {
             WOLFSSL_MSG("\tOCSP Responder certificate parsing failed");
             FreeDecodedCert(&cert);
diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h
@@ -599,6 +599,7 @@ enum VerifyType {
     VERIFY_OCSP = 3,
     VERIFY_NAME = 4,
     VERIFY_SKIP_DATE = 5,
+    VERIFY_OCSP_CERT = 6,
 };
 
 #ifdef WOLFSSL_CERT_EXT
