typedef struct response_t response_t;
struct response_t {
+ chunk_t chunk;
chunk_t tbs;
identification_t *responder_id_name;
chunk_t responder_id_key;
{
DESTROY_IF(this->responder_id_name);
DESTROY_IF(this->responder_cert);
+ free(this->chunk.ptr);
+ free(this);
}
/**
* Creates a response_t object
*/
-static response_t* response_create(void)
+static response_t* response_create_from_chunk(chunk_t chunk)
{
response_t *this = malloc_thing(response_t);
+ this->chunk = chunk;
this->tbs = chunk_empty;
this->responder_id_name = NULL;
this->responder_id_key = chunk_empty;
return this;
}
-
-
/* single response container */
typedef struct single_response single_response_t;
/**
* parse an ocsp response and return the result as a response_t struct
*/
-static response_status ocsp_parse_response(chunk_t blob, response_t *res)
+static response_status ocsp_parse_response(response_t *res)
{
asn1_ctx_t ctx;
chunk_t object;
response_status rStatus = STATUS_INTERNALERROR;
u_int ocspResponseType = OID_UNKNOWN;
- asn1_init(&ctx, blob, 0, FALSE, FALSE);
+ asn1_init(&ctx, res->chunk, 0, FALSE, FALSE);
while (objectID < OCSP_RESPONSE_ROOF)
{
DBG1("ocsp signer certificate %s", ugh);
return FALSE;
}
- DBG2("ocsp signer certificate is valid");
-
public_key = ocsp_cert->get_public_key(ocsp_cert);
return public_key->verify_emsa_pkcs1_signature(public_key, res->tbs, res->signature) == SUCCESS;
/**
* verify and process ocsp response and update the ocsp cache
*/
-void ocsp_process_response(private_ocsp_t *this, chunk_t blob, credential_store_t *credentials)
+static void ocsp_process_response(private_ocsp_t *this, response_t *res, credential_store_t *credentials)
{
x509_t *ocsp_cert = NULL;
- response_t *res = response_create();
/* parse the ocsp response without looking at the single responses yet */
- response_status status = ocsp_parse_response(blob, res);
+ response_status status = ocsp_parse_response(res);
if (status != STATUS_SUCCESSFUL)
{
DBG1("error in ocsp response");
- goto err;
+ return;
}
/* check if there was a nonce in the request */
if (res->nonce.ptr != NULL && !chunk_equals(res->nonce, this->nonce))
{
DBG1("invalid nonce in ocsp response");
- goto err;
+ return;
}
/* check if we received a trusted responder certificate */
if (ocsp_cert == NULL)
{
DBG1("no ocsp signer certificate found");
- goto err;
+ return;
}
}
if (!ocsp_valid_response(res, ocsp_cert))
{
DBG1("ocsp response signature is invalid");
- goto err;
+ return;
}
DBG2("ocsp response signature is valid");
{
if (!extract_object(responsesObjects, &objectID, &object, &level, &ctx))
{
- goto err;
+ return;
}
if (objectID == RESPONSES_SINGLE_RESPONSE)
{
objectID++;
}
}
-err:
- res->destroy(res);
}
/**
static void fetch(private_ocsp_t *this, certinfo_t *certinfo, credential_store_t *credentials)
{
chunk_t request;
- chunk_t response;
- bool fetched = FALSE;
+ response_t *response = NULL;
if (this->uris->get_count(this->uris) == 0)
{
fetcher_t *fetcher;
char uri_string[BUF_LEN];
chunk_t uri_chunk = uri->get_encoding(uri);
+ chunk_t response_chunk;
snprintf(uri_string, BUF_LEN, "%.*s", uri_chunk.len, uri_chunk.ptr);
fetcher = fetcher_create(uri_string);
- response = fetcher->post(fetcher, "application/ocsp-request", request);
+ response_chunk = fetcher->post(fetcher, "application/ocsp-request", request);
fetcher->destroy(fetcher);
- if (response.ptr != NULL)
+ if (response_chunk.ptr != NULL)
{
- fetched = TRUE;
+ response = response_create_from_chunk(response_chunk);
break;
}
}
}
free(request.ptr);
- if (!fetched)
+ if (response == NULL)
{
return;
}
- DBG3("ocsp response: %B", &response);
+ DBG3("ocsp response: %B", &response->chunk);
ocsp_process_response(this, response, credentials);
- free(response.ptr);
+ response->destroy(response);
}
/**
projects / thirdparty / strongswan.git / commitdiff
