authorSimon Rettberg2026-01-28 12:53:53 +0100
committerSimon Rettberg2026-01-28 12:53:53 +0100
commit8e82785c584dc13e20f9229decb95bd17bbe9cd1 (patch)
treea8b359e59196be5b2e3862bed189107f4bc9975f /src/crypto/ocsp.c
parentMerge branch 'master' into openslx (diff)
parent[prefix] Make unlzma.S compatible with 386 class CPUs (diff)
Merge branch 'master' into openslxopenslx
Diffstat (limited to 'src/crypto/ocsp.c')
-rw-r--r--src/crypto/ocsp.c38
1 files changed, 13 insertions, 25 deletions
diff --git a/src/crypto/ocsp.c b/src/crypto/ocsp.c
index cc957b40c..5d6acb605 100644
--- a/src/crypto/ocsp.c
+++ b/src/crypto/ocsp.c
@@ -18,6 +18,7 @@
*/
FILE_LICENCE ( GPL2_OR_LATER );
+FILE_SECBOOT ( PERMITTED );
#include <stdint.h>
#include <stdlib.h>
@@ -158,8 +159,8 @@ static int ocsp_request ( struct ocsp_check *ocsp ) {
digest_final ( digest, digest_ctx, name_digest );
digest_init ( digest, digest_ctx );
digest_update ( digest, digest_ctx,
- ocsp->issuer->subject.public_key.raw_bits.data,
- ocsp->issuer->subject.public_key.raw_bits.len );
+ ocsp->issuer->subject.public_key.value.data,
+ ocsp->issuer->subject.public_key.value.len );
digest_final ( digest, digest_ctx, pubkey_digest );
/* Construct request */
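Review bot: The digest_update on the new lines hashes `ocsp->issuer->subject.public_key.value` where the old code hashed `raw_bits`, and the same substitution is made in the ocsp_compare_responder_key_hash hunk below; both hashes have to be taken over exactly the bytes the responder uses for issuerKeyHash (RFC 6960 4.1.1: the subjectPublicKey BIT STRING contents, excluding tag, length and the unused-bits octet), so it is worth confirming that `value` denotes those same bytes that `raw_bits` did, since a mismatch would make every request's CertID fail to match and every responder-key comparison fail. Neither call site says which bytes are being hashed or why; a comment above the digest_update such as `/* issuerKeyHash: hash of the subjectPublicKey BIT STRING contents (RFC 6960 4.1.1) */` would make the contract explicit at both places. ocsp_request starts and ends outside the hunk.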
@@ -422,8 +423,8 @@ static int ocsp_compare_responder_key_hash ( struct ocsp_check *ocsp,
/* Generate SHA1 hash of certificate's public key */
digest_init ( &sha1_algorithm, ctx );
digest_update ( &sha1_algorithm, ctx,
- cert->subject.public_key.raw_bits.data,
- cert->subject.public_key.raw_bits.len );
+ cert->subject.public_key.value.data,
+ cert->subject.public_key.value.len );
digest_final ( &sha1_algorithm, ctx, digest );
/* Compare responder key hash with hash of certificate's public key */
@@ -701,7 +702,7 @@ static int ocsp_parse_basic_response ( struct ocsp_check *ocsp,
const struct asn1_cursor *raw ) {
struct ocsp_response *response = &ocsp->response;
struct asn1_algorithm **algorithm = &response->algorithm;
- struct asn1_bit_string *signature = &response->signature;
+ struct asn1_cursor *signature = &response->signature;
struct asn1_cursor cursor;
int rc;
@@ -726,7 +727,8 @@ static int ocsp_parse_basic_response ( struct ocsp_check *ocsp,
asn1_skip_any ( &cursor );
/* Parse signature */
- if ( ( rc = asn1_integral_bit_string ( &cursor, signature ) ) != 0 ) {
+ memcpy ( signature, &cursor, sizeof ( *signature ) );
+ if ( ( rc = asn1_enter_bits ( signature, NULL ) ) != 0 ) {
DBGC ( ocsp, "OCSP %p \"%s\" cannot parse signature: %s\n",
ocsp, x509_name ( ocsp->cert ), strerror ( rc ) );
return rc;
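Review bot: Replacing asn1_integral_bit_string with `asn1_enter_bits ( signature, NULL )` removes the explicit "integral" requirement from this call site, so whether a signature BIT STRING carrying a non-zero unused-bits octet is still rejected now depends on what asn1_enter_bits does when its second argument is NULL, and that contract is not visible in this diff. A signature with trailing unused bits is malformed and should not reach pubkey_verify, so this should be confirmed against the helper. If NULL means "enforce zero unused bits", a one-line comment would make the intent self-evident, e.g. `/* NULL: signature must be an integral bit string (no unused bits) */`; if it instead means the count is simply discarded, the parse needs an explicit unused-bits check before the cursor is accepted. ocsp_parse_basic_response begins and ends outside the hunk.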
@@ -844,10 +846,9 @@ static int ocsp_check_signature ( struct ocsp_check *ocsp,
struct ocsp_response *response = &ocsp->response;
struct digest_algorithm *digest = response->algorithm->digest;
struct pubkey_algorithm *pubkey = response->algorithm->pubkey;
- struct x509_public_key *public_key = &signer->subject.public_key;
+ struct asn1_cursor *key = &signer->subject.public_key.raw;
uint8_t digest_ctx[ digest->ctxsize ];
uint8_t digest_out[ digest->digestsize ];
- uint8_t pubkey_ctx[ pubkey->ctxsize ];
int rc;
/* Generate digest */
@@ -856,30 +857,17 @@ static int ocsp_check_signature ( struct ocsp_check *ocsp,
response->tbs.len );
digest_final ( digest, digest_ctx, digest_out );
- /* Initialise public-key algorithm */
- if ( ( rc = pubkey_init ( pubkey, pubkey_ctx, public_key->raw.data,
- public_key->raw.len ) ) != 0 ) {
- DBGC ( ocsp, "OCSP %p \"%s\" could not initialise public key: "
- "%s\n", ocsp, x509_name ( ocsp->cert ), strerror ( rc ));
- goto err_init;
- }
-
/* Verify digest */
- if ( ( rc = pubkey_verify ( pubkey, pubkey_ctx, digest, digest_out,
- response->signature.data,
- response->signature.len ) ) != 0 ) {
+ if ( ( rc = pubkey_verify ( pubkey, key, digest, digest_out,
+ &response->signature ) ) != 0 ) {
DBGC ( ocsp, "OCSP %p \"%s\" signature verification failed: "
"%s\n", ocsp, x509_name ( ocsp->cert ), strerror ( rc ));
- goto err_verify;
+ return rc;
}
DBGC2 ( ocsp, "OCSP %p \"%s\" signature is correct\n",
ocsp, x509_name ( ocsp->cert ) );
-
- err_verify:
- pubkey_final ( pubkey, pubkey_ctx );
- err_init:
- return rc;
+ return 0;
}
/**