Diffstat (limited to 'src/pluto')
-rw-r--r--src/pluto/crl.c8
-rw-r--r--src/pluto/ipsec_doi.c22
-rw-r--r--src/pluto/ocsp.c18
-rw-r--r--src/pluto/pkcs7.c5
4 files changed, 32 insertions, 21 deletions
diff --git a/src/pluto/crl.c b/src/pluto/crl.c
index e6a64bf4f..c8fb107d5 100644
--- a/src/pluto/crl.c
+++ b/src/pluto/crl.c
@@ -202,9 +202,11 @@ bool insert_crl(x509crl_t *x509crl, char *crl_uri, bool cache_crl)
snprintf(buf, sizeof(buf), "%s/%s.crl", CRL_PATH, hex);
free(hex.ptr);
- encoding = cert_crl->get_encoding(cert_crl);
- chunk_write(encoding, buf, "crl", 022, TRUE);
- free(encoding.ptr);
+ if (cert_crl->get_encoding(cert_crl, CERT_ASN1_DER, &encoding))
+ {
+ chunk_write(encoding, buf, "crl", 022, TRUE);
+ free(encoding.ptr);
+ }
}
/* is the fetched crl valid? */
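Review bot: When `get_encoding()` returns false in insert_crl, the CRL is silently not written to the cache directory, so an operator has no way to tell why the cached file is missing or stale. An `else` branch with a diagnostic would make this visible, for example `else { plog("  encoding of crl failed, crl not cached"); }`, assuming the `plog` helper used elsewhere in pluto is available in this file. The result of `chunk_write()` is also still ignored, so a failed write is equally invisible. insert_crl starts and ends outside this hunk.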
diff --git a/src/pluto/ipsec_doi.c b/src/pluto/ipsec_doi.c
index f2a5de780..4a6a7c872 100644
--- a/src/pluto/ipsec_doi.c
+++ b/src/pluto/ipsec_doi.c
@@ -3645,7 +3645,7 @@ stf_status main_inR2_outI3(struct msg_digest *md)
}
if (send_cert)
{
- bool success;
+ bool success = FALSE;
chunk_t cert_encoding;
pb_stream cert_pbs;
@@ -3657,9 +3657,12 @@ stf_status main_inR2_outI3(struct msg_digest *md)
{
return STF_INTERNAL_ERROR;
}
- cert_encoding = mycert->cert->get_encoding(mycert->cert);
- success = out_chunk(cert_encoding, &cert_pbs, "CERT");
- free(cert_encoding.ptr);
+ if (mycert->cert->get_encoding(mycert->cert, CERT_ASN1_DER,
+ &cert_encoding))
+ {
+ success = out_chunk(cert_encoding, &cert_pbs, "CERT");
+ free(cert_encoding.ptr);
+ }
if (!success)
{
return STF_INTERNAL_ERROR;
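Review bot: A failed certificate encoding and a failed `out_chunk()` now both end in the same `if (!success)` return, so the new failure mode in main_inR2_outI3 cannot be told apart from a packet-buffer problem when a Main Mode exchange aborts. Logging in an `else` branch of the new `if`, for example `else { plog("  encoding of own certificate failed"); }`, would keep the cause diagnosable; whether the caller already logs something for STF_INTERNAL_ERROR is not visible here. The same applies to the identical block in main_inI3_outR3_tail two hunks below. Since the two blocks are now six identical lines each, a small static helper taking `mycert` and `&cert_pbs` would remove the duplication. Both functions continue outside the hunks.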
@@ -4086,7 +4089,7 @@ main_inI3_outR3_tail(struct msg_digest *md
}
if (send_cert)
{
- bool success;
+ bool success = FALSE;
chunk_t cert_encoding;
pb_stream cert_pbs;
struct isakmp_cert cert_hd;
@@ -4098,9 +4101,12 @@ main_inI3_outR3_tail(struct msg_digest *md
{
return STF_INTERNAL_ERROR;
}
- cert_encoding = mycert->cert->get_encoding(mycert->cert);
- success = out_chunk(cert_encoding, &cert_pbs, "CERT");
- free(cert_encoding.ptr);
+ if (mycert->cert->get_encoding(mycert->cert, CERT_ASN1_DER,
+ &cert_encoding))
+ {
+ success = out_chunk(cert_encoding, &cert_pbs, "CERT");
+ free(cert_encoding.ptr);
+ }
if (!success)
{
return STF_INTERNAL_ERROR;
diff --git a/src/pluto/ocsp.c b/src/pluto/ocsp.c
index b1f558ebf..8a351be6d 100644
--- a/src/pluto/ocsp.c
+++ b/src/pluto/ocsp.c
@@ -621,7 +621,7 @@ void list_ocsp_locations(ocsp_location_t *location, bool requests,
}
else
{
- whack_log(RC_COMMENT, " serial: %#B, %s, until %T %s",
+ whack_log(RC_COMMENT, " serial: %#B, %s, until %T %s",
&certinfo->serialNumber,
cert_status_names[certinfo->status],
&certinfo->nextUpdate, utc,
@@ -767,7 +767,7 @@ static chunk_t sc_build_sha1_signature(chunk_t tbs, smartcard_t *sc)
*/
static chunk_t build_signature(chunk_t tbsRequest)
{
- chunk_t sigdata, cert, certs;
+ chunk_t sigdata, cert, certs = chunk_empty;
if (ocsp_requestor_sc)
{
@@ -786,10 +786,12 @@ static chunk_t build_signature(chunk_t tbsRequest)
}
/* include our certificate */
- cert = ocsp_requestor_cert->cert->get_encoding(ocsp_requestor_cert->cert);
- certs = asn1_wrap(ASN1_CONTEXT_C_0, "m",
- asn1_wrap(ASN1_SEQUENCE, "m", cert));
-
+ if (ocsp_requestor_cert->cert->get_encoding(ocsp_requestor_cert->cert,
+ CERT_ASN1_DER, &cert))
+ {
+ certs = asn1_wrap(ASN1_CONTEXT_C_0, "m",
+ asn1_wrap(ASN1_SEQUENCE, "m", cert));
+ }
/* build signature comprising algorithm, signature and cert */
return asn1_wrap(ASN1_CONTEXT_C_0, "m"
, asn1_wrap(ASN1_SEQUENCE, "mmm"
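Review bot: If `get_encoding()` fails in build_signature, `certs` stays `chunk_empty` and the signed OCSP request is still built and returned, just without the requestor certificate, and nothing is logged. A responder that needs that certificate to verify the request signature would presumably reject it, and the local side gives no hint why. At minimum add `else { plog("  encoding of OCSP requestor certificate failed"); }`; if the callers treat an empty chunk as failure (not visible here), releasing `sigdata` and returning `chunk_empty` would be the stricter choice. The function body starts before and continues past this hunk.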
@@ -1013,7 +1015,7 @@ static bool valid_ocsp_response(response_t *res)
{
plog("certificate is invalid (valid from %T to %T)",
&not_before, FALSE, &not_after, FALSE);
-
+
unlock_authcert_list("valid_ocsp_response");
return FALSE;
}
@@ -1154,7 +1156,7 @@ static bool parse_basic_ocsp_response(chunk_t blob, int level0, response_t *res)
break;
}
x509 = (x509_t*)cert->cert;
-
+
if ((x509->get_flags(x509) & X509_OCSP_SIGNER) &&
trust_authcert_candidate(cert, NULL))
{
diff --git a/src/pluto/pkcs7.c b/src/pluto/pkcs7.c
index b24ef1a8c..c0fd041a7 100644
--- a/src/pluto/pkcs7.c
+++ b/src/pluto/pkcs7.c
@@ -591,7 +591,7 @@ chunk_t pkcs7_build_signedData(chunk_t data, chunk_t attributes,
contentInfo_t pkcs7Data, signedData;
chunk_t authenticatedAttributes = chunk_empty;
chunk_t encryptedDigest = chunk_empty;
- chunk_t signerInfo, cInfo, signature;
+ chunk_t signerInfo, cInfo, signature, encoding = chunk_empty;;
signature_scheme_t scheme = signature_scheme_from_oid(digest_alg);
if (attributes.ptr)
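Review bot: The added declaration ends in a doubled semicolon, `encoding = chunk_empty;;`. The extra `;` is an empty statement sitting between two declarations, which pedantic C89 builds flag as a declaration after a statement. It should read `chunk_t signerInfo, cInfo, signature, encoding = chunk_empty;`.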
@@ -622,12 +622,13 @@ chunk_t pkcs7_build_signedData(chunk_t data, chunk_t attributes,
pkcs7Data.content = (data.ptr == NULL)? chunk_empty
: asn1_simple_object(ASN1_OCTET_STRING, data);
+ cert->get_encoding(cert, CERT_ASN1_DER, &encoding);
signedData.type = OID_PKCS7_SIGNED_DATA;
signedData.content = asn1_wrap(ASN1_SEQUENCE, "cmmmm"
, ASN1_INTEGER_1
, asn1_wrap(ASN1_SET, "m", asn1_algorithmIdentifier(digest_alg))
, pkcs7_build_contentInfo(&pkcs7Data)
- , asn1_wrap(ASN1_CONTEXT_C_0, "m", cert->get_encoding(cert))
+ , asn1_wrap(ASN1_CONTEXT_C_0, "m", encoding)
, asn1_wrap(ASN1_SET, "m", signerInfo));
cInfo = pkcs7_build_contentInfo(&signedData);
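Review bot: The return value of `cert->get_encoding(cert, CERT_ASN1_DER, &encoding)` is ignored here, unlike at the other call sites changed in this commit. On failure `encoding` stays `chunk_empty`, and pkcs7_build_signedData goes on to emit a signedData structure whose certificates field is empty, so the recipient gets a signature without the signer certificate and no error is reported. The call should be checked, `if (!cert->get_encoding(cert, CERT_ASN1_DER, &encoding))`, and the function should log and return `chunk_empty` after releasing what it has already allocated (`signerInfo` and `pkcs7Data.content`, as far as this hunk shows). The function starts before this hunk and its cleanup paths are outside it, so the exact set of chunks to free needs confirming against the full body.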