From: Nikos Mavrogiannopoulos
Date: Fri, 14 Nov 2014 16:22:07 +0000 (+0100)
Subject: ocsp: fix DN decoding in gnutls_ocsp_resp_get_responder_raw_id
X-Git-Tag: gnutls_3_4_0~609
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1015ceae20d2d19c8264fb3798ab7dc1ff63ae43;p=thirdparty%2Fgnutls.git
ocsp: fix DN decoding in gnutls_ocsp_resp_get_responder_raw_id
---
diff --git a/lib/x509/ocsp.c b/lib/x509/ocsp.c
index abb73fa9fc..c15f388569 100644
--- a/lib/x509/ocsp.c
+++ b/lib/x509/ocsp.c
@@ -1172,10 +1172,49 @@ gnutls_ocsp_resp_get_responder_raw_id(gnutls_ocsp_resp_t resp,
 	if (type == GNUTLS_OCSP_RESP_ID_KEY)
 		ret = _gnutls_x509_read_value(resp->basicresp, "tbsResponseData.responderID.byKey", raw);
-	else
-		ret = _gnutls_x509_read_value(resp->basicresp, "tbsResponseData.responderID.byName", raw);
+	else {
+		gnutls_datum_t tmp;
+
+		/* simply reading a CHOICE of CHOICE value doesn't work in libtasn1 */
+		ret = _gnutls_x509_get_raw_field2(resp->basicresp, &resp->der,
+						  "tbsResponseData.responderID.byName",
+						  &tmp);
+		if (ret >= 0) {
+			int real;
+			/* skip the tag */
+			if (tmp.size < 2) {
+				gnutls_assert();
+				ret = GNUTLS_E_ASN1_GENERIC_ERROR;
+				goto fail;
+			}
+
+			tmp.data++;
+			tmp.size--;
+
+			ret = asn1_get_length_der(tmp.data, tmp.size, &real);
+			if (ret < 0) {
+				gnutls_assert();
+				ret = GNUTLS_E_ASN1_GENERIC_ERROR;
+				goto fail;
+			}
+
+			if (tmp.size < (unsigned)real) {
+				gnutls_assert();
+				ret = GNUTLS_E_ASN1_GENERIC_ERROR;
+				goto fail;
+			}
+
+			tmp.data+=real;
+			tmp.size-=real;
+
+			ret = _gnutls_set_datum(raw, tmp.data, tmp.size);
+		}
+	}
+
 	if (ret == GNUTLS_E_ASN1_ELEMENT_NOT_FOUND || ret == GNUTLS_E_ASN1_VALUE_NOT_FOUND)
 		return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
+
+ fail:
 	return ret;
 }
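Review bot: The content length that asn1_get_length_der returns in `ret` is never checked against what is actually left in `tmp`; only the number of length octets in `real` is validated, and after `tmp.data+=real; tmp.size-=real;` the whole remainder goes to `_gnutls_set_datum`. A raw field whose declared length is shorter than the bytes that follow would therefore hand back trailing bytes as part of the DN, and one whose declared length exceeds the remaining bytes passes as long as at least `real` bytes remain. Tightening the existing bounds check to `if (tmp.size < (unsigned)real || (unsigned long)ret != tmp.size - (unsigned)real) {` rejects both shapes before the datum is copied out. Separately, `ret` is an `int` receiving the `long` that libtasn1 declares for asn1_get_length_der, which is only harmless here because the value is compared and then overwritten by the `_gnutls_set_datum` result. gnutls_ocsp_resp_get_responder_raw_id's signature and the earlier part of its body lie before the hunk, so the new `goto fail` paths rely solely on the `fail:` label this hunk adds.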
@@ -1821,7 +1860,6 @@ static gnutls_x509_crt_t find_signercert(gnutls_ocsp_resp_t resp)
 	if (rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
 		gnutls_assert();
 		rc = gnutls_ocsp_resp_get_responder_raw_id(resp, GNUTLS_OCSP_RESP_ID_KEY, &keyid);
-	}
 	if (rc != GNUTLS_E_SUCCESS) {
 		gnutls_assert();