aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorMartin Willi <martin@strongswan.org>2009-08-24 14:11:44 +0200
committerMartin Willi <martin@strongswan.org>2009-08-26 11:23:52 +0200
commit6b6ece636c9160ab0f01c88df68dfa4e1e54a7ab (patch)
treed497a71d1bc890aa91478d5ff60c822f88665df8 /src
parenta5e3153a36524c1689573cd04adc2125f879412f (diff)
downloadstrongswan-6b6ece636c9160ab0f01c88df68dfa4e1e54a7ab.tar.bz2
strongswan-6b6ece636c9160ab0f01c88df68dfa4e1e54a7ab.tar.xz
updated x509 plugin to public key/x509 API changes
Diffstat (limited to 'src')
-rw-r--r--src/libstrongswan/plugins/x509/x509_ac.c150
-rw-r--r--src/libstrongswan/plugins/x509/x509_cert.c39
-rw-r--r--src/libstrongswan/plugins/x509/x509_crl.c47
-rw-r--r--src/libstrongswan/plugins/x509/x509_ocsp_request.c12
-rw-r--r--src/libstrongswan/plugins/x509/x509_ocsp_response.c40
5 files changed, 134 insertions, 154 deletions
diff --git a/src/libstrongswan/plugins/x509/x509_ac.c b/src/libstrongswan/plugins/x509/x509_ac.c
index f8052eedb..ab88c23e6 100644
--- a/src/libstrongswan/plugins/x509/x509_ac.c
+++ b/src/libstrongswan/plugins/x509/x509_ac.c
@@ -31,8 +31,8 @@
#include <credentials/certificates/x509.h>
#include <credentials/keys/private_key.h>
-extern identification_t* x509_parse_authorityKeyIdentifier(chunk_t blob,
- int level0, chunk_t *authKeySerialNumber);
+extern chunk_t x509_parse_authorityKeyIdentifier(chunk_t blob,
+ int level0, chunk_t *authKeySerialNumber);
typedef struct private_x509_ac_t private_x509_ac_t;
@@ -40,7 +40,7 @@ typedef struct private_x509_ac_t private_x509_ac_t;
* private data of x509_ac_t object
*/
struct private_x509_ac_t {
-
+
/**
* public functions
*/
@@ -50,32 +50,32 @@ struct private_x509_ac_t {
* X.509 attribute certificate encoding in ASN.1 DER format
*/
chunk_t encoding;
-
+
/**
* X.509 attribute certificate body over which signature is computed
*/
chunk_t certificateInfo;
-
+
/**
* Version of the X.509 attribute certificate
*/
u_int version;
-
+
/**
* Serial number of the X.509 attribute certificate
*/
chunk_t serialNumber;
-
+
/**
* ID representing the issuer of the holder certificate
*/
identification_t *holderIssuer;
-
+
/**
* Serial number of the holder certificate
*/
chunk_t holderSerial;
-
+
/**
* ID representing the holder
*/
@@ -85,67 +85,67 @@ struct private_x509_ac_t {
* ID representing the attribute certificate issuer
*/
identification_t *issuerName;
-
+
/**
* Start time of certificate validity
*/
time_t notBefore;
-
+
/**
* End time of certificate validity
*/
time_t notAfter;
-
+
/**
* List of charging attributes
*/
linked_list_t *charging;
-
+
/**
* List of groub attributes
*/
linked_list_t *groups;
-
+
/**
* Authority Key Identifier
*/
- identification_t *authKeyIdentifier;
-
+ chunk_t authKeyIdentifier;
+
/**
* Authority Key Serial Number
*/
chunk_t authKeySerialNumber;
-
+
/**
* No revocation information available
*/
bool noRevAvail;
-
+
/**
* Signature algorithm
*/
int algorithm;
-
+
/**
* Signature
*/
chunk_t signature;
-
- /**
- * Holder certificate
- */
+
+ /**
+ * Holder certificate
+ */
certificate_t *holderCert;
-
- /**
- * Signer certificate
- */
+
+ /**
+ * Signer certificate
+ */
certificate_t *signerCert;
-
- /**
- * Signer private key;
- */
+
+ /**
+ * Signer private key;
+ */
private_key_t *signerKey;
-
+
/**
* reference count
*/
@@ -458,7 +458,7 @@ static bool parse_certificate(private_x509_ac_t *this)
break;
case OID_AUTHORITY_KEY_ID:
this->authKeyIdentifier = x509_parse_authorityKeyIdentifier(object,
- level, &this->authKeySerialNumber);
+ level, &this->authKeySerialNumber);
break;
case OID_TARGET_INFORMATION:
DBG2(" need to parse targetInformation");
@@ -567,29 +567,28 @@ static chunk_t build_attributes(private_x509_ac_t *this)
*/
static chunk_t build_authorityKeyIdentifier(private_x509_ac_t *this)
{
- chunk_t keyIdentifier;
+ chunk_t keyIdentifier = chunk_empty;
chunk_t authorityCertIssuer;
chunk_t authorityCertSerialNumber;
- x509_t *x509 = (x509_t*)this->signerCert;
- identification_t *issuer = this->signerCert->get_issuer(this->signerCert);
- public_key_t *public = this->signerCert->get_public_key(this->signerCert);
-
+ identification_t *issuer;
+ public_key_t *public;
+ x509_t *x509;
+
+ x509 = (x509_t*)this->signerCert;
+ issuer = this->signerCert->get_issuer(this->signerCert);
+ public = this->signerCert->get_public_key(this->signerCert);
if (public)
{
- identification_t *keyid = public->get_id(public, ID_PUBKEY_SHA1);
-
- this->authKeyIdentifier = keyid = keyid->clone(keyid);
- keyIdentifier = keyid->get_encoding(keyid);
+ if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &keyIdentifier))
+ {
+ this->authKeyIdentifier = chunk_clone(keyIdentifier);
+ }
public->destroy(public);
}
- else
- {
- keyIdentifier = chunk_empty;
- }
authorityCertIssuer = build_directoryName(ASN1_CONTEXT_C_1,
- issuer->get_encoding(issuer));
+ issuer->get_encoding(issuer));
authorityCertSerialNumber = asn1_simple_object(ASN1_CONTEXT_S_2,
- x509->get_serial(x509));
+ x509->get_serial(x509));
return asn1_wrap(ASN1_SEQUENCE, "cm",
ASN1_authorityKeyIdentifier_oid,
asn1_wrap(ASN1_OCTET_STRING, "m",
@@ -675,7 +674,7 @@ static identification_t* get_holderIssuer(private_x509_ac_t *this)
/**
* Implementation of ac_t.get_authKeyIdentifier.
*/
-static identification_t* get_authKeyIdentifier(private_x509_ac_t *this)
+static chunk_t get_authKeyIdentifier(private_x509_ac_t *this)
{
return this->authKeyIdentifier;
}
@@ -709,7 +708,7 @@ static identification_t* get_issuer(private_x509_ac_t *this)
*/
static id_match_t has_subject(private_x509_ac_t *this, identification_t *subject)
{
- return ID_MATCH_NONE;
+ return ID_MATCH_NONE;
}
/**
@@ -717,24 +716,12 @@ static id_match_t has_subject(private_x509_ac_t *this, identification_t *subject
*/
static id_match_t has_issuer(private_x509_ac_t *this, identification_t *issuer)
{
- id_match_t match;
-
- if (issuer->get_type(issuer) == ID_PUBKEY_SHA1)
+ if (issuer->get_type(issuer) == ID_KEY_ID && this->authKeyIdentifier.ptr &&
+ chunk_equals(this->authKeyIdentifier, issuer->get_encoding(issuer)))
{
- if (this->authKeyIdentifier)
- {
- match = issuer->matches(issuer, this->authKeyIdentifier);
- }
- else
- {
- match = ID_MATCH_NONE;
- }
- }
- else
- {
- match = this->issuerName->matches(this->issuerName, issuer);
+ return ID_MATCH_PERFECT;
}
- return match;
+ return this->issuerName->matches(this->issuerName, issuer);
}
/**
@@ -756,32 +743,33 @@ static bool issued_by(private_x509_ac_t *this, certificate_t *issuer)
{
return FALSE;
}
-
+
/* get the public key of the issuer */
key = issuer->get_public_key(issuer);
-
+
/* compare keyIdentifiers if available, otherwise use DNs */
- if (this->authKeyIdentifier && key)
+ if (this->authKeyIdentifier.ptr && key)
{
- identification_t *subjectKeyIdentifier = key->get_id(key, ID_PUBKEY_SHA1);
-
- if (!subjectKeyIdentifier->equals(subjectKeyIdentifier,
- this->authKeyIdentifier))
+ chunk_t fingerprint;
+
+ if (!key->get_fingerprint(key, KEY_ID_PUBKEY_SHA1, &fingerprint) ||
+ !chunk_equals(fingerprint, this->authKeyIdentifier))
{
return FALSE;
}
}
else
{
- if (!this->issuerName->equals(this->issuerName, issuer->get_subject(issuer)))
+ if (!this->issuerName->equals(this->issuerName,
+ issuer->get_subject(issuer)))
{
return FALSE;
}
}
-
+
/* determine signature scheme */
scheme = signature_scheme_from_oid(this->algorithm);
-
+
if (scheme == SIGN_UNKNOWN || key == NULL)
{
return FALSE;
@@ -894,7 +882,6 @@ static void destroy(private_x509_ac_t *this)
DESTROY_IF(this->holderIssuer);
DESTROY_IF(this->entityName);
DESTROY_IF(this->issuerName);
- DESTROY_IF(this->authKeyIdentifier);
DESTROY_IF(this->holderCert);
DESTROY_IF(this->signerCert);
DESTROY_IF(this->signerKey);
@@ -902,6 +889,7 @@ static void destroy(private_x509_ac_t *this)
ietfAttr_list_destroy(this->charging);
ietfAttr_list_destroy(this->groups);
free(this->serialNumber.ptr);
+ free(this->authKeyIdentifier.ptr);
free(this->encoding.ptr);
free(this);
}
@@ -918,7 +906,7 @@ static private_x509_ac_t *create_empty(void)
this->public.interface.get_serial = (chunk_t (*)(ac_t*))get_serial;
this->public.interface.get_holderSerial = (chunk_t (*)(ac_t*))get_holderSerial;
this->public.interface.get_holderIssuer = (identification_t* (*)(ac_t*))get_holderIssuer;
- this->public.interface.get_authKeyIdentifier = (identification_t* (*)(ac_t*))get_authKeyIdentifier;
+ this->public.interface.get_authKeyIdentifier = (chunk_t(*)(ac_t*))get_authKeyIdentifier;
this->public.interface.certificate.get_type = (certificate_type_t (*)(certificate_t *this))get_type;
this->public.interface.certificate.get_subject = (identification_t* (*)(certificate_t *this))get_subject;
this->public.interface.certificate.get_issuer = (identification_t* (*)(certificate_t *this))get_issuer;
@@ -937,10 +925,10 @@ static private_x509_ac_t *create_empty(void)
this->encoding = chunk_empty;
this->serialNumber = chunk_empty;
this->holderSerial = chunk_empty;
+ this->authKeyIdentifier = chunk_empty;
this->holderIssuer = NULL;
this->entityName = NULL;
this->issuerName = NULL;
- this->authKeyIdentifier = NULL;
this->holderCert = NULL;
this->signerCert = NULL;
this->signerKey = NULL;
@@ -984,9 +972,9 @@ struct private_builder_t {
static private_x509_ac_t* build(private_builder_t *this)
{
private_x509_ac_t *ac = this->ac;
-
+
free(this);
-
+
/* synthesis if encoding does not exist */
if (ac && ac->encoding.ptr == NULL)
{
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index 32627ebef..81a2b33a2 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -138,7 +138,7 @@ struct private_x509_cert_t {
/**
* Authority Key Identifier
*/
- identification_t *authKeyIdentifier;
+ chunk_t authKeyIdentifier;
/**
* Authority Key Serial Number
@@ -421,13 +421,13 @@ static const asn1Object_t authKeyIdentifierObjects[] = {
/**
* Extracts an authoritykeyIdentifier
*/
-identification_t* x509_parse_authorityKeyIdentifier(chunk_t blob, int level0,
+chunk_t x509_parse_authorityKeyIdentifier(chunk_t blob, int level0,
chunk_t *authKeySerialNumber)
{
asn1_parser_t *parser;
chunk_t object;
int objectID;
- identification_t *authKeyIdentifier = NULL;
+ chunk_t authKeyIdentifier = chunk_empty;
*authKeySerialNumber = chunk_empty;
@@ -439,8 +439,7 @@ identification_t* x509_parse_authorityKeyIdentifier(chunk_t blob, int level0,
switch (objectID)
{
case AUTH_KEY_ID_KEY_ID:
- authKeyIdentifier = identification_create_from_encoding(
- ID_PUBKEY_SHA1, object);
+ authKeyIdentifier = chunk_clone(object);
break;
case AUTH_KEY_ID_CERT_ISSUER:
/* TODO: x509_parse_generalNames(object, level+1, TRUE); */
@@ -847,10 +846,12 @@ static id_match_t has_subject(private_x509_cert_t *this, identification_t *subje
enumerator_t *enumerator;
id_match_t match, best;
- if (this->encoding_hash.ptr && subject->get_type(subject) == ID_CERT_DER_SHA1 &&
- chunk_equals(this->encoding_hash, subject->get_encoding(subject)))
+ if (this->encoding_hash.ptr && subject->get_type(subject) == ID_KEY_ID)
{
- return ID_MATCH_PERFECT;
+ if (chunk_equals(this->encoding_hash, subject->get_encoding(subject)))
+ {
+ return ID_MATCH_PERFECT;
+ }
}
best = this->subject->matches(this->subject, subject);
@@ -860,11 +861,11 @@ static id_match_t has_subject(private_x509_cert_t *this, identification_t *subje
match = current->matches(current, subject);
if (match > best)
{
- best = match;
+ best = match;
}
}
enumerator->destroy(enumerator);
- return best;
+ return best;
}
/**
@@ -1040,7 +1041,7 @@ static chunk_t get_serial(private_x509_cert_t *this)
/**
* Implementation of x509_t.get_authKeyIdentifier.
*/
-static identification_t *get_authKeyIdentifier(private_x509_cert_t *this)
+static chunk_t get_authKeyIdentifier(private_x509_cert_t *this)
{
return this->authKeyIdentifier;
}
@@ -1083,7 +1084,7 @@ static void destroy(private_x509_cert_t *this)
DESTROY_IF(this->issuer);
DESTROY_IF(this->subject);
DESTROY_IF(this->public_key);
- DESTROY_IF(this->authKeyIdentifier);
+ chunk_free(&this->authKeyIdentifier);
chunk_free(&this->encoding);
chunk_free(&this->encoding_hash);
if (!this->parsed)
@@ -1118,7 +1119,7 @@ static private_x509_cert_t* create_empty(void)
this->public.interface.interface.destroy = (void (*)(certificate_t*))destroy;
this->public.interface.get_flags = (x509_flag_t (*)(x509_t*))get_flags;
this->public.interface.get_serial = (chunk_t (*)(x509_t*))get_serial;
- this->public.interface.get_authKeyIdentifier = (identification_t* (*)(x509_t*))get_authKeyIdentifier;
+ this->public.interface.get_authKeyIdentifier = (chunk_t (*)(x509_t*))get_authKeyIdentifier;
this->public.interface.create_subjectAltName_enumerator = (enumerator_t* (*)(x509_t*))create_subjectAltName_enumerator;
this->public.interface.create_crl_uri_enumerator = (enumerator_t* (*)(x509_t*))create_crl_uri_enumerator;
this->public.interface.create_ocsp_uri_enumerator = (enumerator_t* (*)(x509_t*))create_ocsp_uri_enumerator;
@@ -1137,7 +1138,7 @@ static private_x509_cert_t* create_empty(void)
this->crl_uris = linked_list_create();
this->ocsp_uris = linked_list_create();
this->subjectKeyID = chunk_empty;
- this->authKeyIdentifier = NULL;
+ this->authKeyIdentifier = chunk_empty;
this->authKeySerialNumber = chunk_empty;
this->algorithm = 0;
this->signature = chunk_empty;
@@ -1253,10 +1254,14 @@ static bool generate(private_builder_t *this)
switch (this->cert->public_key->get_type(this->cert->public_key))
{
case KEY_RSA:
- key = this->cert->public_key->get_encoding(this->cert->public_key);
+ if (!this->cert->public_key->get_encoding(this->cert->public_key,
+ KEY_PUB_ASN1_DER, &key))
+ {
+ return FALSE;
+ }
key_info = asn1_wrap(ASN1_SEQUENCE, "cm",
- asn1_algorithmIdentifier(OID_RSA_ENCRYPTION),
- asn1_bitstring("m", key));
+ asn1_algorithmIdentifier(OID_RSA_ENCRYPTION),
+ asn1_bitstring("m", key));
break;
default:
return FALSE;
diff --git a/src/libstrongswan/plugins/x509/x509_crl.c b/src/libstrongswan/plugins/x509/x509_crl.c
index 93203bafe..e3d054c1c 100644
--- a/src/libstrongswan/plugins/x509/x509_crl.c
+++ b/src/libstrongswan/plugins/x509/x509_crl.c
@@ -101,7 +101,7 @@ struct private_x509_crl_t {
/**
* Authority Key Identifier
*/
- identification_t *authKeyIdentifier;
+ chunk_t authKeyIdentifier;
/**
* Authority Key Serial Number
@@ -127,7 +127,7 @@ struct private_x509_crl_t {
/**
* from x509_cert
*/
-extern identification_t* x509_parse_authorityKeyIdentifier(
+extern chunk_t x509_parse_authorityKeyIdentifier(
chunk_t blob, int level0,
chunk_t *authKeySerialNumber);
@@ -337,10 +337,11 @@ static chunk_t get_serial(private_x509_crl_t *this)
/**
* Implementation of crl_t.get_authKeyIdentifier.
*/
-static identification_t* get_authKeyIdentifier(private_x509_crl_t *this)
+static chunk_t get_authKeyIdentifier(private_x509_crl_t *this)
{
return this->authKeyIdentifier;
}
+
/**
* Implementation of crl_t.create_enumerator.
*/
@@ -372,24 +373,12 @@ static identification_t* get_issuer(private_x509_crl_t *this)
*/
static id_match_t has_issuer(private_x509_crl_t *this, identification_t *issuer)
{
- id_match_t match;
-
- if (issuer->get_type(issuer) == ID_PUBKEY_SHA1)
- {
- if (this->authKeyIdentifier)
- {
- match = issuer->matches(issuer, this->authKeyIdentifier);
- }
- else
- {
- match = ID_MATCH_NONE;
- }
- }
- else
+ if (issuer->get_type(issuer) == ID_KEY_ID && this->authKeyIdentifier.ptr &&
+ chunk_equals(this->authKeyIdentifier, issuer->get_encoding(issuer)))
{
- match = this->issuer->matches(this->issuer, issuer);
+ return ID_MATCH_PERFECT;
}
- return match;
+ return this->issuer->matches(this->issuer, issuer);
}
/**
@@ -416,12 +405,12 @@ static bool issued_by(private_x509_crl_t *this, certificate_t *issuer)
key = issuer->get_public_key(issuer);
/* compare keyIdentifiers if available, otherwise use DNs */
- if (this->authKeyIdentifier && key)
+ if (this->authKeyIdentifier.ptr && key)
{
- identification_t *subjectKeyIdentifier = key->get_id(key, ID_PUBKEY_SHA1);
-
- if (!subjectKeyIdentifier->equals(subjectKeyIdentifier,
- this->authKeyIdentifier))
+ chunk_t fingerprint;
+
+ if (!key->get_fingerprint(key, KEY_ID_PUBKEY_SHA1, &fingerprint) ||
+ !chunk_equals(fingerprint, this->authKeyIdentifier))
{
return FALSE;
}
@@ -433,10 +422,10 @@ static bool issued_by(private_x509_crl_t *this, certificate_t *issuer)
return FALSE;
}
}
-
+
/* determine signature scheme */
scheme = signature_scheme_from_oid(this->algorithm);
-
+
if (scheme == SIGN_UNKNOWN || key == NULL)
{
return FALSE;
@@ -562,7 +551,7 @@ static void destroy(private_x509_crl_t *this)
{
this->revoked->destroy_function(this->revoked, free);
DESTROY_IF(this->issuer);
- DESTROY_IF(this->authKeyIdentifier);
+ free(this->authKeyIdentifier.ptr);
free(this->encoding.ptr);
free(this);
}
@@ -576,7 +565,7 @@ static private_x509_crl_t* create_empty(void)
private_x509_crl_t *this = malloc_thing(private_x509_crl_t);
this->public.crl.get_serial = (chunk_t (*)(crl_t*))get_serial;
- this->public.crl.get_authKeyIdentifier = (identification_t* (*)(crl_t*))get_authKeyIdentifier;
+ this->public.crl.get_authKeyIdentifier = (chunk_t (*)(crl_t*))get_authKeyIdentifier;
this->public.crl.create_enumerator = (enumerator_t* (*)(crl_t*))create_enumerator;
this->public.crl.certificate.get_type = (certificate_type_t (*)(certificate_t *this))get_type;
this->public.crl.certificate.get_subject = (identification_t* (*)(certificate_t *this))get_issuer;
@@ -597,7 +586,7 @@ static private_x509_crl_t* create_empty(void)
this->issuer = NULL;
this->crlNumber = chunk_empty;
this->revoked = linked_list_create();
- this->authKeyIdentifier = NULL;
+ this->authKeyIdentifier = chunk_empty;
this->authKeySerialNumber = chunk_empty;
this->ref = 1;
diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_request.c b/src/libstrongswan/plugins/x509/x509_ocsp_request.c
index 4020d8d95..5892e2baf 100644
--- a/src/libstrongswan/plugins/x509/x509_ocsp_request.c
+++ b/src/libstrongswan/plugins/x509/x509_ocsp_request.c
@@ -159,23 +159,21 @@ static chunk_t build_requestList(private_x509_ocsp_request_t *this)
hasher_t *hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
if (hasher)
{
- identification_t *keyid = public->get_id(public, ID_PUBKEY_SHA1);
- if (keyid)
+ if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1,
+ &issuerKeyHash))
{
enumerator_t *enumerator;
-
- issuerKeyHash = keyid->get_encoding(keyid);
-
+
issuer = cert->get_subject(cert);
hasher->allocate_hash(hasher, issuer->get_encoding(issuer),
&issuerNameHash);
hasher->destroy(hasher);
-
+
enumerator = this->candidates->create_enumerator(this->candidates);
while (enumerator->enumerate(enumerator, &x509))
{
chunk_t request, serialNumber;
-
+
serialNumber = x509->get_serial(x509);
request = build_Request(this, issuerNameHash, issuerKeyHash,
serialNumber);
diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_response.c b/src/libstrongswan/plugins/x509/x509_ocsp_response.c
index 1b3187258..caaae6aa4 100644
--- a/src/libstrongswan/plugins/x509/x509_ocsp_response.c
+++ b/src/libstrongswan/plugins/x509/x509_ocsp_response.c
@@ -173,7 +173,8 @@ static cert_validation_t get_status(private_x509_ocsp_response_t *this,
{
hasher_t *hasher;
identification_t *id;
- chunk_t hash;
+ key_encoding_type_t type;
+ chunk_t hash, fingerprint;
/* check serial first, is cheaper */
if (!chunk_equals(subject->get_serial(subject), response->serialNumber))
@@ -191,15 +192,16 @@ static cert_validation_t get_status(private_x509_ocsp_response_t *this,
continue;
}
switch (response->hashAlgorithm)
- { /* TODO: generic mapper function */
+ {
case OID_SHA1:
- id = public->get_id(public, ID_PUBKEY_SHA1);
+ type = KEY_ID_PUBKEY_SHA1;
break;
default:
public->destroy(public);
continue;
}
- if (!chunk_equals(response->issuerKeyHash, id->get_encoding(id)))
+ if (!public->get_fingerprint(public, type, &fingerprint) ||
+ !chunk_equals(response->issuerKeyHash, fingerprint))
{
public->destroy(public);
continue;
@@ -525,7 +527,7 @@ static bool parse_basicOCSPResponse(private_x509_ocsp_response_t *this,
break;
case BASIC_RESPONSE_ID_BY_KEY:
this->responderId = identification_create_from_encoding(
- ID_PUBKEY_INFO_SHA1, object);
+ ID_KEY_ID, object);
DBG2(" '%Y'", this->responderId);
break;
case BASIC_RESPONSE_PRODUCED_AT:
@@ -694,30 +696,28 @@ static bool issued_by(private_x509_ocsp_response_t *this, certificate_t *issuer)
{
return FALSE;
}
- if (this->responderId->get_type(this->responderId) == ID_DER_ASN1_DN)
+ if (this->responderId->get_type(this->responderId) == ID_KEY_ID)
{
- if (!this->responderId->equals(this->responderId,
- issuer->get_subject(issuer)))
+ chunk_t fingerprint;
+
+ key = issuer->get_public_key(issuer);
+ if (!key ||
+ !key->get_fingerprint(key, KEY_ID_PUBKEY_SHA1, &fingerprint) ||
+ !chunk_equals(fingerprint,
+ this->responderId->get_encoding(this->responderId)))
{
+ DESTROY_IF(key);
return FALSE;
}
+ key->destroy(key);
}
- else
+ else
{
- bool equal;
- public_key_t *public = issuer->get_public_key(issuer);
-
- if (public == NULL)
+ if (!this->responderId->equals(this->responderId,
+ issuer->get_subject(issuer)))
{
return FALSE;
}
- equal = this->responderId->equals(this->responderId,
- public->get_id(public, ID_PUBKEY_SHA1));
- public->destroy(public);
- if (!equal)
- {
- return FALSE;
- }
}
if (!(x509->get_flags(x509) & X509_OCSP_SIGNER) &&
!(x509->get_flags(x509) & X509_CA))