Remove CheckOcspResponderChain and related references. Function is not compliant with RFC 6960, 4.2.2.2.

Author: rlm2002

.wolfssl_known_macro_extras

@@ -843,7 +843,6 @@ WOLFSSL_NO_KCAPI_SHA224
 WOLFSSL_NO_KTRI_ORACLE_WARNING
 WOLFSSL_NO_LMS_SHAKE256_256
 WOLFSSL_NO_OCSP_DATE_CHECK
-WOLFSSL_NO_OCSP_ISSUER_CHAIN_CHECK
 WOLFSSL_NO_OCSP_OPTIONAL_CERTS
 WOLFSSL_NO_RSA_KEY_CHECK
 WOLFSSL_NO_SERVER_GROUPS_EXT

src/ocsp.c

@@ -21,15 +21,6 @@
 
 #include <wolfssl/wolfcrypt/libwolfssl_sources.h>
 
-  /* Name change compatibility layer no longer needs to be included here */
-
-/*
- * WOLFSSL_NO_OCSP_ISSUER_CHAIN_CHECK:
- *     Disable looking for an authorized responder in the verification path of
- *     the issuer. This will make the authorized responder only look at the
- *     OCSP response signer and direct issuer.
- */
-
 /*
  * OCSP responder missing features:
  * - Support for multiple requests and responses in a single OCSP exchange
@@ -590,73 +581,6 @@ int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest,
     return ret;
 }
 
-#ifndef WOLFSSL_NO_OCSP_ISSUER_CHAIN_CHECK
-static int CheckOcspResponderChain(OcspEntry* single, byte* issuerNameHash,
-        byte* issuerKeyHash, void* vp, Signer* pendingCAs) {
-    /* Attempt to build a chain up to cert's issuer */
-    WOLFSSL_CERT_MANAGER* cm = (WOLFSSL_CERT_MANAGER*)vp;
-    Signer* ca = NULL;
-    Signer* prev = NULL;
-    int passed = 0;
-
-    /*
-     *       Relation between certs:
-     *                 CA
-     *        /                 \
-     *  intermediate(s)   cert in OCSP response
-     *        |           with OCSP key usage ext
-     *  issuer of cert
-     *  in OCSP request
-     */
-
-    if (issuerKeyHash == NULL)
-        return 0;
-
-    /* Select CertID issuer by key hash so a same-DN / different-key trust
-     * anchor cannot hijack the starting point. */
-    ca = GetCAByKeyHash(cm, single->issuerKeyHash);
-    if (ca != NULL && XMEMCMP(ca->subjectNameHash, single->issuerHash,
-            OCSP_DIGEST_SIZE) != 0) {
-        ca = NULL;
-    }
-#if defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
-    if (ca == NULL && pendingCAs != NULL) {
-        ca = findSignerByKeyHash(pendingCAs, single->issuerKeyHash);
-        if (ca != NULL && XMEMCMP(ca->subjectNameHash, single->issuerHash,
-                OCSP_DIGEST_SIZE) != 0) {
-            ca = NULL;
-        }
-    }
-#else
-    (void)pendingCAs;
-#endif
-    for (; ca != NULL && ca != prev;
-            prev = ca) {
-        Signer* parent = GetCAByName(cm, ca->issuerNameHash);
-#if defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
-        if (parent == NULL && pendingCAs != NULL) {
-            parent = findSignerByName(pendingCAs, ca->issuerNameHash);
-        }
-#endif
-        if (parent == NULL || parent == ca)
-            break;
-
-        if (XMEMCMP(parent->subjectNameHash, issuerNameHash,
-                    OCSP_DIGEST_SIZE) == 0 &&
-            XMEMCMP(parent->subjectKeyHash, issuerKeyHash,
-                    KEYID_SIZE) == 0) {
-            WOLFSSL_MSG("\tOCSP Response signed by authorized "
-                    "responder delegated by issuer "
-                    "(found in chain)");
-            passed = 1;
-            break;
-        }
-        ca = parent;
-    }
-    return passed;
-}
-#endif
-
 /* Enforce https://www.rfc-editor.org/rfc/rfc6960#section-4.2.2.2. Both halves
  * of CertID (issuerNameHash and issuerKeyHash) must match; name-only matching
  * would authorize a same-DN / different-key CA. issuerKeyHash may be NULL when
@@ -702,12 +626,6 @@ int CheckOcspResponder(OcspResponse *bs, byte* subjectNameHash,
                             "delegated by issuer");
                 passed = 1;
             }
-#ifndef WOLFSSL_NO_OCSP_ISSUER_CHAIN_CHECK
-            else if (vp != NULL) {
-                passed = CheckOcspResponderChain(single, issuerNameHash,
-                        issuerKeyHash, vp, bs->pendingCAs);
-            }
-#endif
         }
 
         if (!passed) {