@@ -2753,24 +2753,32 @@ int wc_OcspResponder_WriteResponse(OcspResponder* responder,
27532753 /* Find the certificate status */
27542754 certStatus = FindCertStatus (ca , req .serial , req .serialSz );
27552755 if (certStatus == NULL ) {
2756- WOLFSSL_MSG ("No status configured for requested certificate" );
2757- ret = OCSP_CERT_UNKNOWN ;
2758- goto out ;
2756+ /* RFC 6960: 'unknown' is a per-certificate status inside a successful
2757+ * OCSPResponse, not an error response. Generate a successful response
2758+ * with CERT_UNKNOWN so clients can distinguish it from UNAUTHORIZED. */
2759+ OcspResponderCertStatus unknownStatus ;
2760+ WOLFSSL_MSG ("No status for requested certificate, responding unknown" );
2761+ if (req .serialSz > EXTERNAL_SERIAL_SIZE ) {
2762+ ret = BUFFER_E ;
2763+ goto out ;
2764+ }
2765+ XMEMSET (& unknownStatus , 0 , sizeof (unknownStatus ));
2766+ XMEMCPY (unknownStatus .serial , req .serial , req .serialSz );
2767+ unknownStatus .serialSz = req .serialSz ;
2768+ unknownStatus .status = CERT_UNKNOWN ;
2769+ ret = OcspResponse_WriteResponse (responder , response , responseSz , ca ,
2770+ & unknownStatus , & req );
27592771 }
2760-
2761- WOLFSSL_MSG ("Found CA and certificate status" );
2762-
2763- ret = OcspResponse_WriteResponse (responder , response , responseSz , ca ,
2764- certStatus , & req );
2765- if (ret != 0 ) {
2766- WOLFSSL_MSG ("Failed to write OCSP response" );
2767- goto out ;
2772+ else {
2773+ WOLFSSL_MSG ("Found CA and certificate status" );
2774+ ret = OcspResponse_WriteResponse (responder , response , responseSz , ca ,
2775+ certStatus , & req );
27682776 }
27692777
2770- ret = 0 ;
27712778out :
27722779 if (reqInited )
27732780 FreeOcspRequest (& req );
2781+ WOLFSSL_LEAVE ("wc_OcspResponder_WriteResponse" , ret );
27742782 return ret ;
27752783}
27762784
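Review bot: The new length guard before the XMEMCPY at lines 2761–2766 compares `req.serialSz` against the free-standing constant `EXTERNAL_SERIAL_SIZE` rather than the actual capacity of `unknownStatus.serial`, so the check and the destination can silently drift apart if the struct's serial field is ever resized; it also does not reject a negative `serialSz`, which would be converted to a huge size in the copy if the parser does not already rule that out (I cannot see the parse path from here). Tying the bound to the destination keeps the check self-evidently correct: `if (req.serialSz < 0 || (size_t)req.serialSz > sizeof(unknownStatus.serial)) {`. The "Failed to write OCSP response" log that the old code emitted on a non-zero return from OcspResponse_WriteResponse is dropped in both new branches; if it was useful for responder-side diagnostics, a single `if (ret != 0) WOLFSSL_MSG("Failed to write OCSP response");` after the if/else restores it. The start of wc_OcspResponder_WriteResponse lies outside the hunk.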