use the original DER/BER data when verifying an OCSP response
authorNikos Mavrogiannopoulos <nmav@redhat.com>
Fri, 14 Nov 2014 15:17:58 +0000 (16:17 +0100)
committerNikos Mavrogiannopoulos <nmav@redhat.com>
Fri, 14 Nov 2014 15:19:11 +0000 (16:19 +0100)
lib/x509/ocsp.c

index 2b19f45e13c32944b0b920c68e82bd90482f171e..abb73fa9fc1d45aacaa11b97644463482e6d86ef 100644 (file)
@@ -41,6 +41,7 @@ typedef struct gnutls_ocsp_resp_int {
        ASN1_TYPE resp;
        gnutls_datum_t response_type_oid;
        ASN1_TYPE basicresp;
+       gnutls_datum_t der;
 } gnutls_ocsp_resp_int;
 
 #define MAX_TIME 64
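Review bot: The new `der` member at `gnutls_datum_t der;` owns a heap buffer once `gnutls_ocsp_resp_import` fills it (later hunk), but this commit shows no matching release in `gnutls_ocsp_resp_deinit`, so unless that function is updated outside this diff every imported response now leaks its raw bytes. Please confirm deinit does `gnutls_free(resp->der.data);` and that the member starts zeroed on init. The field also deserves a comment stating why it exists, since keeping the original bytes is the whole point of the change: `/* raw responseBytes.response as received; the signature is verified over these bytes, not a re-encoding */`.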
@@ -266,8 +267,6 @@ gnutls_ocsp_resp_import(gnutls_ocsp_resp_t resp,
        if (resp->response_type_oid.size == sizeof(OCSP_BASIC)
            && memcmp(resp->response_type_oid.data, OCSP_BASIC,
                      resp->response_type_oid.size) == 0) {
-               gnutls_datum_t d;
-
                if (resp->basicresp) {
                        asn1_delete_structure(&resp->basicresp);
 
@@ -282,16 +281,15 @@ gnutls_ocsp_resp_import(gnutls_ocsp_resp_t resp,
 
                ret =
                    _gnutls_x509_read_value(resp->resp,
-                                           "responseBytes.response", &d);
+                                           "responseBytes.response", &resp->der);
                if (ret < 0) {
                        gnutls_assert();
                        return ret;
                }
 
                ret =
-                   asn1_der_decoding(&resp->basicresp, d.data, d.size,
+                   asn1_der_decoding(&resp->basicresp, resp->der.data, resp->der.size,
                                      NULL);
-               gnutls_free(d.data);
                if (ret != ASN1_SUCCESS) {
                        gnutls_assert();
                        return _gnutls_asn2err(ret);
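Review bot: At `_gnutls_x509_read_value(resp->resp, "responseBytes.response", &resp->der)` any buffer from a previous import into the same object is overwritten and leaked; the preceding `if (resp->basicresp) asn1_delete_structure(...)` shows re-import of an existing response object is anticipated, so this is a reachable leak. Release the old datum first: `gnutls_free(resp->der.data); resp->der.data = NULL; resp->der.size = 0;`. Note also that on the `asn1_der_decoding` failure path the buffer now stays owned by `resp` instead of being freed as the removed `gnutls_free(d.data)` did, which is only correct if deinit frees `resp->der` (not visible in this diff). A one-line comment above the read explaining that the bytes are retained for signature verification would help the next reader understand why the free was dropped.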
@@ -1864,7 +1862,6 @@ static gnutls_x509_crt_t find_signercert(gnutls_ocsp_resp_t resp)
 
                        if ((20 == keyid.size) &&
                                memcmp(keyid.data, digest, 20) == 0) {
-                               gnutls_assert();
                                signercert = certs[i];
                                goto quit;
                        }
@@ -1913,7 +1910,7 @@ _ocsp_resp_verify_direct(gnutls_ocsp_resp_t resp,
        }
        sigalg = rc;
 
-       rc = _gnutls_x509_get_raw_field(resp->basicresp, "tbsResponseData", &data);
+       rc = _gnutls_x509_get_raw_field2(resp->basicresp, &resp->der, "tbsResponseData", &data);
        if (rc != GNUTLS_E_SUCCESS) {
                gnutls_assert();
                goto done;
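Review bot: After `_gnutls_x509_get_raw_field2(resp->basicresp, &resp->der, "tbsResponseData", &data)` the `data` datum appears to reference memory inside `resp->der` rather than own a copy, which is why the later hunk drops `gnutls_free(data.data)`; that ownership change is silent and any future code that frees `data.data` at `done:` would double free. Document it at the call site: `/* data is a view into resp->der; it is not owned and must not be freed */`. If `_gnutls_x509_get_raw_field2` does not itself reject an empty datum, consider guarding with `if (resp->der.data == NULL) { gnutls_assert(); rc = GNUTLS_E_INVALID_REQUEST; goto done; }` before the call, since `resp->der` is only populated when the response type is id-pkix-ocsp-basic. `_ocsp_resp_verify_direct` begins and ends outside this hunk.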
@@ -1950,7 +1947,6 @@ _ocsp_resp_verify_direct(gnutls_ocsp_resp_t resp,
        rc = GNUTLS_E_SUCCESS;
 
       done:
-       gnutls_free(data.data);
        gnutls_free(sig.data);
        gnutls_pubkey_deinit(pubkey);