// RFC 6960 section 4.2.2.2: The OCSP responder must either be the issuer of // the cert or it must be a delegated OCSP response signing cert directly // issued by the issuer. If the OCSP responder is a delegated OCSP response // signer, then its certificate is (probably) embedded within the OCSP // response and we'll need to verify that it is a valid certificate that chains // *directly* to issuerCert. static Result VerifySignature(Context& context, ResponderIDType responderIDType, Input responderID, const DERArray& certs, const SignedDataWithSignature& signedResponseData) { bool match; Result rv = MatchResponderID(context.trustDomain, responderIDType, responderID, context.certID.issuer, context.certID.issuerSubjectPublicKeyInfo, match); if (rv != Success) { return rv; } if (match) { return VerifyOCSPSignedData(context.trustDomain, signedResponseData, context.certID.issuerSubjectPublicKeyInfo); } size_t numCerts = certs.GetLength(); for (size_t i = 0; i < numCerts; ++i) { BackCert cert(*certs.GetDER(i), EndEntityOrCA::MustBeEndEntity, nullptr); rv = cert.Init(); if (rv != Success) { return rv; } rv = MatchResponderID(context.trustDomain, responderIDType, responderID, cert.GetSubject(), cert.GetSubjectPublicKeyInfo(), match); if (rv != Success) { if (IsFatalError(rv)) { return rv; } continue; } if (match) { rv = CheckOCSPResponseSignerCert(context.trustDomain, cert, context.certID.issuer, context.certID.issuerSubjectPublicKeyInfo, context.time); if (rv != Success) { if (IsFatalError(rv)) { return rv; } continue; } return VerifyOCSPSignedData(context.trustDomain, signedResponseData, cert.GetSubjectPublicKeyInfo()); } } return Result::ERROR_OCSP_INVALID_SIGNING_CERT; }
// Pushes iLength bytes of plaintext into the TLS session via SSL_write.
//
// Returns TRUE when the data was accepted, or when SSL_write reported a
// condition that IsFatalError() does not classify as fatal (the caller is
// expected to retry later). Returns FALSE only on a fatal SSL error.
//
// NOTE(review): the all-or-nothing expectation on the write is enforced with
// a debug-only ASSERT. In a release build a short write (0 < bytes < iLength)
// would still be reported as success; this is only safe if
// SSL_MODE_ENABLE_PARTIAL_WRITE is not enabled on m_ssl — confirm where the
// session mode is configured.
BOOL CSSLSession::WriteSendChannel(const BYTE* pData, int iLength)
{
	ASSERT(IsReady());
	ASSERT(pData && iLength > 0);

	const int written = SSL_write(m_ssl, pData, iLength);

	if(written > 0)
	{
		// Contract: either everything is written or SSL_write fails.
		ASSERT(written == iLength);
		return TRUE;
	}

	// Non-positive result: only a fatal error turns into a failure.
	return IsFatalError(written) ? FALSE : TRUE;
}
// Pulls decrypted application data out of the TLS session into m_bufRecv.
//
// On a successful read m_bufRecv.len is set to the number of bytes received;
// on a non-fatal condition (nothing available yet) it is set to 0. On a fatal
// SSL error the function returns FALSE and m_bufRecv.len is left untouched,
// so callers must rely on the return value rather than the buffer length in
// that case.
//
// As a side effect, once the handshake has completed (SSL_is_init_finished)
// a session still in SSL_HSS_PROC is advanced to SSL_HSS_SUCC.
BOOL CSSLSession::ReadRecvChannel()
{
	const int received = SSL_read(m_ssl, m_bufRecv.buf, m_pitRecv->Capacity());

	BOOL isOK = TRUE;

	if(received > 0)
		m_bufRecv.len = received;
	else if(IsFatalError(received))
		isOK = FALSE;            // length deliberately not modified here
	else
		m_bufRecv.len = 0;       // nothing delivered this pass; not an error

	// Only promote the handshake state when the read itself did not fail.
	if(isOK)
	{
		if(m_enStatus == SSL_HSS_PROC && SSL_is_init_finished(m_ssl))
			m_enStatus = SSL_HSS_SUCC;
	}

	return isOK;
}