replaced gnutls_ocsp_resp_get_responder_by_key with gnutls_ocsp_resp_get_responder_raw_id

In addition reverted gnutls_ocsp_resp_get_responder() to the old
buggy behavior of returning 0 if the element was missing.

diff --git a/lib/includes/gnutls/ocsp.h b/lib/includes/gnutls/ocsp.h
index 1a9679c08bacbfa9735a5c830ad6e36ec6a3f386..1a96ce8a2978898158bb309337b2a4e578fe92b2 100644 (file)
--- a/lib/includes/gnutls/ocsp.h
+++ b/lib/includes/gnutls/ocsp.h
@@ -211,9 +211,15 @@ int gnutls_ocsp_resp_get_response(gnutls_ocsp_resp_t resp,
 int gnutls_ocsp_resp_get_version(gnutls_ocsp_resp_t resp);
 int gnutls_ocsp_resp_get_responder(gnutls_ocsp_resp_t resp,
                                   gnutls_datum_t * dn);
+
+/* the raw key ID of the responder */
+#define GNUTLS_OCSP_RESP_ID_KEY 1
+/* the raw DN of the responder */
+#define GNUTLS_OCSP_RESP_ID_DN 2
 int
-gnutls_ocsp_resp_get_responder_by_key(gnutls_ocsp_resp_t resp,
-                                     gnutls_datum_t * id);
+gnutls_ocsp_resp_get_responder_raw_id(gnutls_ocsp_resp_t resp,
+                                     unsigned type,
+                                     gnutls_datum_t * raw);
 
 time_t gnutls_ocsp_resp_get_produced(gnutls_ocsp_resp_t resp);
 int gnutls_ocsp_resp_get_single(gnutls_ocsp_resp_t resp,

diff --git a/lib/libgnutls.map b/lib/libgnutls.map
index 340832c32a5b62bf28edb44af43f613096729da2..cad05281ba6b69abf599e03a63bbf19df5680935 100644 (file)
--- a/lib/libgnutls.map
+++ b/lib/libgnutls.map
@@ -1062,7 +1062,7 @@ GNUTLS_3_1_0 {
        gnutls_memcmp;
        gnutls_pkcs12_bag_set_privkey;
        gnutls_x509_privkey_set_pin_function;
-       gnutls_ocsp_resp_get_responder_by_key;
+       gnutls_ocsp_resp_get_responder_raw_id;
 } GNUTLS_3_0_0;
 
 GNUTLS_FIPS140 {

diff --git a/lib/x509/ocsp.c b/lib/x509/ocsp.c
index 5a5b60267bdde343fdb576f12de90086542ef8b9..aa494ab1460b3ca9be8f2c9683698add1f8de131 100644 (file)
--- a/lib/x509/ocsp.c
+++ b/lib/x509/ocsp.c
@@ -1115,7 +1115,7 @@ int gnutls_ocsp_resp_get_version(gnutls_ocsp_resp_t resp)
  * will be ASCII or UTF-8 encoded, depending on the certificate data.
  *
  * If the responder ID is not a name but a hash, this function
- * will return %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE.
+ * will return zero and the @dn elements will be set to %NULL.
  *
  * The caller needs to deallocate memory by calling gnutls_free() on
  * @dn->data.
@@ -1142,6 +1142,8 @@ gnutls_ocsp_resp_get_responder(gnutls_ocsp_resp_t resp,
            (resp->basicresp, "tbsResponseData.responderID.byName",
             NULL, &l);
        if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER) {
+               if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
+                       return 0; /* for backwards compatibility */
                gnutls_assert();
                return ret;
        }
@@ -1168,9 +1170,10 @@ gnutls_ocsp_resp_get_responder(gnutls_ocsp_resp_t resp,
 /**
  * gnutls_ocsp_resp_get_responder_by_key:
  * @resp: should contain a #gnutls_ocsp_resp_t structure
- * @id: newly allocated buffer with ID
+ * @type: should be %GNUTLS_OCSP_RESP_ID_KEY or %GNUTLS_OCSP_RESP_ID_DN
+ * @raw: newly allocated buffer with the raw ID
  *
- * This function will extract the key ID of the Basic OCSP Response in
+ * This function will extract the raw key (or DN) ID of the Basic OCSP Response in
  * the provided buffer. If the responder ID is not a key ID then
  * this function will return %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE.
  *
@@ -1181,18 +1184,22 @@ gnutls_ocsp_resp_get_responder(gnutls_ocsp_resp_t resp,
  *   negative error code is returned.
  **/
 int
-gnutls_ocsp_resp_get_responder_by_key(gnutls_ocsp_resp_t resp,
-                                     gnutls_datum_t * id)
+gnutls_ocsp_resp_get_responder_raw_id(gnutls_ocsp_resp_t resp,
+                                     unsigned type,
+                                     gnutls_datum_t * raw)
 {
        int ret;
 
-       if (resp == NULL || id == NULL) {
+       if (resp == NULL || raw == NULL) {
                gnutls_assert();
                return GNUTLS_E_INVALID_REQUEST;
        }
 
-       ret = _gnutls_x509_read_value(resp->basicresp, "tbsResponseData.responderID.byKey", id);
-       if (ret == GNUTLS_E_ASN1_ELEMENT_NOT_FOUND)
+       if (type == GNUTLS_OCSP_RESP_ID_KEY)
+               ret = _gnutls_x509_read_value(resp->basicresp, "tbsResponseData.responderID.byKey", raw);
+       else
+               ret = _gnutls_x509_read_value(resp->basicresp, "tbsResponseData.responderID.byName", raw);
+       if (ret == GNUTLS_E_ASN1_ELEMENT_NOT_FOUND || ret == GNUTLS_E_ASN1_VALUE_NOT_FOUND)
                return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
        return ret;
 }

diff --git a/lib/x509/ocsp_output.c b/lib/x509/ocsp_output.c
index ed96e8e777109cecde17666590aa53582224d197..294ebb142bad473d503588209eb647e176775534 100644 (file)
--- a/lib/x509/ocsp_output.c
+++ b/lib/x509/ocsp_output.c
@@ -285,9 +285,9 @@ print_resp(gnutls_buffer_st * str, gnutls_ocsp_resp_t resp,
                gnutls_datum_t dn;
 
                ret = gnutls_ocsp_resp_get_responder(resp, &dn);
-               if (ret < 0) {
-                       if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
-                               ret = gnutls_ocsp_resp_get_responder_by_key(resp, &dn);
+               if (ret < 0 || dn.data == NULL) {
+                       if (dn.data == 0) {
+                               ret = gnutls_ocsp_resp_get_responder_raw_id(resp, GNUTLS_OCSP_RESP_ID_KEY, &dn);
 
                                if (ret >= 0) {
                                        addf(str, _("\tResponder Key ID: "));

diff --git a/tests/ocsp.c b/tests/ocsp.c
index 30afae2b5ef4d5fb2b86a3b918357762fd4a9e40..b8a5e8da8b236e5a450c04652b4b7fcae426e22c 100644 (file)
--- a/tests/ocsp.c
+++ b/tests/ocsp.c
@@ -645,11 +645,17 @@ static void ocsp_invalid_calls(void)
        }
 
        rc = gnutls_ocsp_resp_get_responder(resp, &dat);
-       if (rc != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
+       if (rc != 0 && dat.data != NULL) {
                fail("gnutls_ocsp_resp_get_responder %d\n", rc);
                exit(1);
        }
 
+       rc = gnutls_ocsp_resp_get_responder_raw_id(resp, GNUTLS_OCSP_RESP_ID_KEY, &dat);
+       if (rc != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
+               fail("gnutls_ocsp_resp_get_responder_raw_id %s\n", gnutls_strerror(rc));
+               exit(1);
+       }
+
        gnutls_free(dat.data);
 
        gnutls_ocsp_req_deinit(req);