if (err)
goto leave;
- /* Write OID and and nonce. */
+ /* Write OID and nonce. */
err = ksba_oid_from_str (oidstr_ocsp_nonce, &buf, &buflen);
if (err)
goto leave;
unsigned char *p;
const unsigned char *der;
size_t derlen;
+ struct tag_info ti;
ksba_writer_t w1 = NULL;
ksba_writer_t w2 = NULL;
ksba_writer_t w3 = NULL;
err = ksba_writer_write (w1, der, derlen);
if (err)
goto leave;
- xfree (ri->serialno);
- ri->serialno = xtrymalloc (derlen);
- if (!ri->serialno)
- {
- err = gpg_error_from_syserror ();
- goto leave;
- }
- memcpy (ri->serialno, der, derlen);
- ri->serialnolen = derlen;
+ /* Store the integer value. */
+ {
+ const unsigned char *tmpder = der;
+ size_t tmpderlen = derlen;
+ err = parse_integer (&tmpder, &tmpderlen, &ti);
+ if (err)
+ goto leave;
+ xfree (ri->serialno);
+ ri->serialno = xtrymalloc (tmpderlen);
+ if (!ri->serialno)
+ {
+ err = gpg_error_from_syserror ();
+ goto leave;
+ }
+ memcpy (ri->serialno, tmpder, tmpderlen);
+ ri->serialnolen = tmpderlen;
+ }
/* Now write it out as a sequence to the outer certID object. */
p = ksba_writer_snatch_mem (w1, &derlen);
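Review bot: The new block copies `tmpderlen` bytes from `tmpder` after `parse_integer` has consumed the tag/length header, yet the `struct tag_info ti` it fills is never read here; if parse_integer follows the usual libksba TL-parse pattern (not visible in this hunk), `tmpderlen` is the remaining buffer length rather than the INTEGER's content length, so any trailing bytes after the INTEGER in `der` would end up inside `ri->serialno` and `ri->serialnolen`. Using the parsed length is both safer and what `ti` was declared for: `ri->serialno = xtrymalloc (ti.length);` / `memcpy (ri->serialno, tmpder, ti.length);` / `ri->serialnolen = ti.length;`. If parse_integer does not already guarantee `ti.length <= tmpderlen`, add that bound check before the copy and fail with a BAD_BER-style error. A one-line comment such as `/* Keep only the INTEGER's content octets, not the DER header. */` would make the intent clear to the next reader. The enclosing function begins and ends outside this hunk.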
if (ocsp->noncelen != ti.length
|| memcmp (ocsp->nonce, data, ti.length))
ocsp->bad_nonce = 1;
- else
- ocsp->good_nonce = 1;
}
ex = xtrymalloc (sizeof *ex + strlen (oid) + ti.length);
if (!ex)
assert (n <= *datalen);
*data += n;
*datalen -= n;
- /* fprintf (stderr, "algorithmIdentifier is `%s'\n", oid); */
+ /* gpgrt_log_debug ("algorithmIdentifier is `%s'\n", oid); */
look_for_request = !strcmp (oid, oidstr_sha1);
xfree (oid);
for (request_item = ocsp->requestlist;
request_item; request_item = request_item->next)
if (!memcmp (request_item->issuer_name_hash, name_hash, 20)
- && !memcmp (request_item->issuer_key_hash, key_hash, 20)
- && request_item->serialnolen == serialnolen
+ && !memcmp (request_item->issuer_key_hash, key_hash, 20)
+ && request_item->serialnolen == serialnolen
&& !memcmp (request_item->serialno, serialno, serialnolen))
- break; /* Got it. */
+ break; /* Got it. */
}
err = parse_asntime_into_isotime (data, datalen, this_update);
if (err)
return err;
-/* fprintf (stderr, "thisUpdate=%s\n", this_update); */
if (request_item)
- _ksba_copy_time (request_item->this_update, this_update);
+ _ksba_copy_time (request_item->this_update, this_update);
/* nextUpdate is optional. */
if (*data >= endptr)
err = parse_asntime_into_isotime (data, datalen, next_update);
if (err)
return err;
-/* fprintf (stderr, "nextUpdate=%s\n", next_update); */
if (request_item)
_ksba_copy_time (request_item->next_update, next_update);
}
ocsp->received_certs = NULL;
ocsp->hash_length = 0;
ocsp->bad_nonce = 0;
- ocsp->good_nonce = 0;
xfree (ocsp->responder_id.name);
ocsp->responder_id.name = NULL;
xfree (ocsp->responder_id.keyid);
/* FIXME: find duplicates in the request list and set them to the
same status. */
- if (*response_status == KSBA_OCSP_RSPSTATUS_SUCCESS)
- if (ocsp->bad_nonce || (ocsp->noncelen && !ocsp->good_nonce))
- *response_status = KSBA_OCSP_RSPSTATUS_REPLAYED;
+ /* We used to assume that the server needs to return a nonce, but
+ * that is not true (see for example RFC-8954). Thus we do not
+ * check the former good_nonce flag anymore. */
+ if (*response_status == KSBA_OCSP_RSPSTATUS_SUCCESS
+ && ocsp->bad_nonce)
+ *response_status = KSBA_OCSP_RSPSTATUS_REPLAYED;
return err;
}
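Review bot: With the `good_nonce` tracking removed, a successful response that omits the nonce extension is now reported as plain KSBA_OCSP_RSPSTATUS_SUCCESS with no signal to the caller that replay protection did not apply, whereas a mismatching nonce still yields REPLAYED. Accepting a nonce-less response is permitted by RFC 8954, but that RFC leaves the decision to client policy precisely because such a response can be a replay of an earlier, still-valid one; the application must then fall back to thisUpdate/nextUpdate freshness checks, and the comment should say so rather than only explaining why the old check was dropped, e.g. `/* A response without a nonce is accepted (RFC 8954, Section 2.1); callers wanting replay protection must enforce freshness via thisUpdate/nextUpdate or require a nonce by local policy. */`. If the library's public API does not already expose whether the nonce was actually verified, consider keeping a flag set on the match path (the `else` branch removed in the nonce-parsing hunk above) so that policy can be enforced by the caller instead of being silently relaxed for everyone. Whether the `good_nonce` struct field itself still exists cannot be determined from this diff.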