/**
 * Parse OCSP certificate ID
 *
 * Rejects a certID whose hashAlgorithm is not the digest the request
 * was built with, then requires everything after the algorithm
 * identifier to be byte-identical to the request's certID tail.
 *
 * @v ocsp		OCSP check
 * @v raw		ASN.1 cursor
 * @ret rc		Return status code
 */
static int ocsp_parse_cert_id ( struct ocsp_check *ocsp,
				const struct asn1_cursor *raw ) {
	struct asn1_algorithm *algo;
	struct asn1_cursor certid = *raw;
	int rc;

	/* Enter the certID SEQUENCE and parse its hashAlgorithm */
	asn1_enter ( &certid, ASN1_SEQUENCE );
	rc = asn1_digest_algorithm ( &certid, &algo );
	if ( rc != 0 ) {
		DBGC ( ocsp, "OCSP %p \"%s\" certID unknown algorithm: %s\n",
		       ocsp, x509_name ( ocsp->cert ), strerror ( rc ) );
		return rc;
	}

	/* Only the digest used to build the request can identify the
	 * certificate we asked about; any other algorithm is treated
	 * as a mismatch rather than recomputed.
	 */
	if ( algo->digest != &ocsp_digest_algorithm ) {
		DBGC ( ocsp, "OCSP %p \"%s\" certID wrong algorithm %s\n",
		       ocsp, x509_name ( ocsp->cert ), algo->digest->name );
		return -EACCES_CERT_MISMATCH;
	}

	/* Skip past the algorithm identifier and compare what remains
	 * with the tail recorded when the request was constructed.
	 * Both sides are hexdumped on mismatch (debug builds only).
	 */
	asn1_skip ( &certid, ASN1_SEQUENCE );
	if ( asn1_compare ( &certid, &ocsp->request.cert_id_tail ) != 0 ) {
		DBGC ( ocsp, "OCSP %p \"%s\" certID mismatch:\n",
		       ocsp, x509_name ( ocsp->cert ) );
		DBGC_HDA ( ocsp, 0, ocsp->request.cert_id_tail.data,
			   ocsp->request.cert_id_tail.len );
		DBGC_HDA ( ocsp, 0, certid.data, certid.len );
		return -EACCES_CERT_MISMATCH;
	}

	return 0;
}
/**
 * Compare responder's certificate name
 *
 * @v ocsp		OCSP check
 * @v cert		Certificate
 * @ret difference	Difference as returned by memcmp()
 */
static int ocsp_compare_responder_name ( struct ocsp_check *ocsp,
					 struct x509_certificate *cert ) {
	/* The responder ID from the response is matched against the
	 * certificate's raw subject name; zero means they are identical.
	 */
	return asn1_compare ( &ocsp->response.responder.id,
			      &cert->subject.raw );
}
/**
 * Parse OCSP response type
 *
 * Only the "basic" response type is accepted; any other OID is
 * refused with -ENOTSUP_RESPONSE_TYPE.
 *
 * @v ocsp		OCSP check
 * @v raw		ASN.1 cursor
 * @ret rc		Return status code
 */
static int ocsp_parse_response_type ( struct ocsp_check *ocsp,
				      const struct asn1_cursor *raw ) {
	struct asn1_cursor type = *raw;

	/* Descend into the responseType OID */
	asn1_enter ( &type, ASN1_OID );

	/* Exact match against the "basic" response type OID */
	if ( asn1_compare ( &oid_basic_response_type_cursor, &type ) == 0 ) {
		return 0;
	}

	/* Unsupported response type: log the offending OID (debug only) */
	DBGC ( ocsp, "OCSP %p \"%s\" response type not supported:\n",
	       ocsp, x509_name ( ocsp->cert ) );
	DBGC_HDA ( ocsp, 0, type.data, type.len );
	return -ENOTSUP_RESPONSE_TYPE;
}
/**
 * Parse OCSP certificate ID
 *
 * Requires the whole certID object in the response to be identical
 * to the certID that was sent in the request.
 *
 * @v ocsp		OCSP check
 * @v raw		ASN.1 cursor
 * @ret rc		Return status code
 */
static int ocsp_parse_cert_id ( struct ocsp_check *ocsp,
				const struct asn1_cursor *raw ) {
	struct asn1_cursor certid = *raw;
	const struct asn1_cursor *expected = &ocsp->request.cert_id;

	/* Shrink the cursor to fit the certID object, then compare it
	 * byte-for-byte with the request's copy.
	 */
	asn1_shrink_any ( &certid );
	if ( asn1_compare ( &certid, expected ) == 0 ) {
		return 0;
	}

	/* Mismatch: dump both sides (debug builds only) and reject */
	DBGC ( ocsp, "OCSP %p \"%s\" certID mismatch:\n",
	       ocsp, x509_name ( ocsp->cert ) );
	DBGC_HDA ( ocsp, 0, expected->data, expected->len );
	DBGC_HDA ( ocsp, 0, certid.data, certid.len );
	return -EACCES_CERT_MISMATCH;
}