Diffstat (limited to 'src/crypto/ocsp.c')
| -rw-r--r-- | src/crypto/ocsp.c | 38 |
1 files changed, 13 insertions, 25 deletions
diff --git a/src/crypto/ocsp.c b/src/crypto/ocsp.c
index cc957b40c..5d6acb605 100644
--- a/src/crypto/ocsp.c
+++ b/src/crypto/ocsp.c
@@ -18,6 +18,7 @@
 */
 FILE_LICENCE ( GPL2_OR_LATER );
+FILE_SECBOOT ( PERMITTED );
 #include <stdint.h>
 #include <stdlib.h>
@@ -158,8 +159,8 @@ static int ocsp_request ( struct ocsp_check *ocsp ) {
 digest_final ( digest, digest_ctx, name_digest );
 digest_init ( digest, digest_ctx );
 digest_update ( digest, digest_ctx,
- ocsp->issuer->subject.public_key.raw_bits.data,
- ocsp->issuer->subject.public_key.raw_bits.len );
+ ocsp->issuer->subject.public_key.value.data,
+ ocsp->issuer->subject.public_key.value.len );
 digest_final ( digest, digest_ctx, pubkey_digest );
 /* Construct request */
@@ -422,8 +423,8 @@ static int ocsp_compare_responder_key_hash ( struct ocsp_check *ocsp,
 /* Generate SHA1 hash of certificate's public key */
 digest_init ( &sha1_algorithm, ctx );
 digest_update ( &sha1_algorithm, ctx,
- cert->subject.public_key.raw_bits.data,
- cert->subject.public_key.raw_bits.len );
+ cert->subject.public_key.value.data,
+ cert->subject.public_key.value.len );
 digest_final ( &sha1_algorithm, ctx, digest );
 /* Compare responder key hash with hash of certificate's public key */
@@ -701,7 +702,7 @@ static int ocsp_parse_basic_response ( struct ocsp_check *ocsp,
 const struct asn1_cursor *raw ) {
 struct ocsp_response *response = &ocsp->response;
 struct asn1_algorithm **algorithm = &response->algorithm;
- struct asn1_bit_string *signature = &response->signature;
+ struct asn1_cursor *signature = &response->signature;
 struct asn1_cursor cursor;
 int rc;
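Review bot: In the `@@ -422` hunk the responder KeyHash is now computed over `cert->subject.public_key.value`, while `ocsp_check_signature` later in this file is handed `subject.public_key.raw`; nothing at either site says why the two differ, and the next reader is likely to "fix" one to match the other. A one-line comment above `digest_init ( &sha1_algorithm, ctx )` such as `/* RFC 6960 KeyHash: SHA-1 over the subjectPublicKey BIT STRING contents only, not the whole SubjectPublicKeyInfo */` would pin it down, assuming `.value` is indeed the inner bit-string contents, which is worth confirming against the x509 header. The same applies to the `@@ -158` hunk, where the request's issuerKeyHash is built the same way. The comment could also record that SHA-1 here is protocol-mandated for an identifier rather than relied on for collision resistance, so it is not flagged again.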
@@ -726,7 +727,8 @@ static int ocsp_parse_basic_response ( struct ocsp_check *ocsp,
 asn1_skip_any ( &cursor );
 /* Parse signature */
- if ( ( rc = asn1_integral_bit_string ( &cursor, signature ) ) != 0 ) {
+ memcpy ( signature, &cursor, sizeof ( *signature ) );
+ if ( ( rc = asn1_enter_bits ( signature, NULL ) ) != 0 ) {
 DBGC ( ocsp, "OCSP %p \"%s\" cannot parse signature: %s\n",
 ocsp, x509_name ( ocsp->cert ), strerror ( rc ) );
 return rc;
@@ -844,10 +846,9 @@ static int ocsp_check_signature ( struct ocsp_check *ocsp,
 struct ocsp_response *response = &ocsp->response;
 struct digest_algorithm *digest = response->algorithm->digest;
 struct pubkey_algorithm *pubkey = response->algorithm->pubkey;
- struct x509_public_key *public_key = &signer->subject.public_key;
+ struct asn1_cursor *key = &signer->subject.public_key.raw;
 uint8_t digest_ctx[ digest->ctxsize ];
 uint8_t digest_out[ digest->digestsize ];
- uint8_t pubkey_ctx[ pubkey->ctxsize ];
 int rc;
 /* Generate digest */
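Review bot: `asn1_enter_bits ( signature, NULL )` replaces `asn1_integral_bit_string`, whose name made the whole-octet requirement explicit; whether a NULL unused-bits pointer still rejects a BIT STRING with a non-zero unused-bits count is not visible from this hunk and should be confirmed, since otherwise a malformed signature with trailing padding bits would now reach `pubkey_verify()` instead of being rejected here. If NULL does mean "must be integral", a comment on that line, `/* NULL: reject any unused (padding) bits in the signature */`, would record the intent. The `memcpy` of the cursor before entering the bit string mirrors the old code's non-advancing read of `cursor`, so the control flow below is unchanged. The enclosing function `ocsp_parse_basic_response` begins outside this hunk.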
@@ -856,30 +857,17 @@ static int ocsp_check_signature ( struct ocsp_check *ocsp,
 response->tbs.len );
 digest_final ( digest, digest_ctx, digest_out );
- /* Initialise public-key algorithm */
- if ( ( rc = pubkey_init ( pubkey, pubkey_ctx, public_key->raw.data,
- public_key->raw.len ) ) != 0 ) {
- DBGC ( ocsp, "OCSP %p \"%s\" could not initialise public key: "
- "%s\n", ocsp, x509_name ( ocsp->cert ), strerror ( rc ));
- goto err_init;
- }
-
 /* Verify digest */
- if ( ( rc = pubkey_verify ( pubkey, pubkey_ctx, digest, digest_out,
- response->signature.data,
- response->signature.len ) ) != 0 ) {
+ if ( ( rc = pubkey_verify ( pubkey, key, digest, digest_out,
+ &response->signature ) ) != 0 ) {
 DBGC ( ocsp, "OCSP %p \"%s\" signature verification failed: "
 "%s\n", ocsp, x509_name ( ocsp->cert ), strerror ( rc ));
- goto err_verify;
+ return rc;
 }
 DBGC2 ( ocsp, "OCSP %p \"%s\" signature is correct\n",
 ocsp, x509_name ( ocsp->cert ) );
-
- err_verify:
- pubkey_final ( pubkey, pubkey_ctx );
- err_init:
- return rc;
+ return 0;
 }
 /**
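Review bot: `key` in the `@@ -844` hunk is bound to `signer->subject.public_key.raw` without a comment, while the hashing sites earlier in this change moved to `.value`; a comment on that declaration such as `/* Whole SubjectPublicKeyInfo: verification needs the key's algorithm and parameters, not just the key bits */` (presumed, confirm against what `pubkey_verify()` expects) would stop the two fields from being confused. The removal of the `pubkey_init`/`pubkey_final` pair and the `goto` ladder is sound as far as this hunk shows, since `rc` is only read inside the failing branch and the success path now returns a literal 0. One thing the new path drops is the distinct "could not initialise public key" diagnostic, so an unsupported or malformed signer key now surfaces only as "signature verification failed"; if `pubkey_verify()` returns a distinguishable error for that case the existing DBGC already prints it, otherwise this loss of diagnosability is worth a line in the commit message. The function `ocsp_check_signature` starts in the `@@ -844` hunk, outside this one.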
