For OCSP, when decoding X.509 Auth Info Access record, find the first

OCSP responder, rather than only looking at the first item.
2014-02-03 14:39:41 -08:00 · 2014-02-03 14:39:41 -08:00 · 2758f40a09
commit 2758f40a09
parent 909b9258d6
2 changed files with 20 additions and 23 deletions
--- a/ctaocrypt/src/asn.c
+++ b/ctaocrypt/src/asn.c
@ -3081,6 +3081,7 @@ static void DecodeAuthInfo(byte* input, int sz, DecodedCert* cert)
 {
    word32 idx = 0;
    int length = 0;
+    byte b;
    word32 oid;

    CYASSL_ENTER("DecodeAuthInfo");
@ -3088,35 +3089,26 @@ static void DecodeAuthInfo(byte* input, int sz, DecodedCert* cert)
    /* Unwrap the list of AIAs */
    if (GetSequence(input, &idx, &length, sz) < 0) return;

-    /* Unwrap a single AIA */
-    if (GetSequence(input, &idx, &length, sz) < 0) return;
+    while (idx < (word32)sz) {
+        /* Unwrap a single AIA */
+        if (GetSequence(input, &idx, &length, sz) < 0) return;

-    oid = 0;
-    if (GetObjectId(input, &idx, &oid, sz) < 0) return;
+        oid = 0;
+        if (GetObjectId(input, &idx, &oid, sz) < 0) return;

-    /* Only supporting URIs right now. */
-    if (input[idx] == (ASN_CONTEXT_SPECIFIC | GENERALNAME_URI))
-    {
-        idx++;
+        /* Only supporting URIs right now. */
+        b = input[idx++];
        if (GetLength(input, &idx, &length, sz) < 0) return;

-        cert->extAuthInfoSz = length;
-        cert->extAuthInfo = input + idx;
+        if (b == (ASN_CONTEXT_SPECIFIC | GENERALNAME_URI) &&
+            oid == AIA_OCSP_OID)
+        {
+            cert->extAuthInfoSz = length;
+            cert->extAuthInfo = input + idx;
+            break;
+        }
        idx += length;
    }
-    else
-    {
-        /* Skip anything else. */
-        idx++;
-        if (GetLength(input, &idx, &length, sz) < 0) return;
-        idx += length;
-    }
-
-    if (idx < (word32)sz)
-    {
-        CYASSL_MSG("\tThere are more Authority Information Access records, "
-                   "but we only use first one.");
-    }

    return;
 }
--- a/cyassl/ctaocrypt/asn.h
+++ b/cyassl/ctaocrypt/asn.h
@ -227,6 +227,11 @@ enum SepHardwareName_Sum {
    HW_NAME_OID     = 79   /* 1.3.6.1.5.5.7.8.4 from RFC 4108*/
 };

+enum AuthInfo_Sum {
+    AIA_OCSP_OID      = 116, /* 1.3.6.1.5.5.7.48.1 */
+    AIA_CA_ISSUER_OID = 117  /* 1.3.6.1.5.5.7.48.2 */
+};
+

 enum VerifyType {
    NO_VERIFY = 0,