Parse certificates in in OCSP

Populate the function x509_ocsp_get_certs() to parse the OPTIONAL list of certificates in the BasicOCSPResponse ASN.1 structure of the OCSP response: certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL x509_ocsp_get_certs() only parses the SEQUENCE OF (the EXPLICIT tag is parsed by the caller) and delegates the actual parsing of the certificate to the x509_crt.c module. NOTE: The parsing of certificates in x509_ocsp.c is currently very inefficient in terms of space as x509_ocsp.c and x509_crt.c both make an internal copy of the buffer passed to them. This will be optimised in the future.
2026-04-05 20:15:36 +02:00 · 2017-08-25 12:55:28 +01:00
parent b565031a2b
commit 98f7bb911f
1 changed files with 58 additions and 1 deletions
--- a/library/x509_ocsp.c
+++ b/library/x509_ocsp.c
@@ -785,7 +785,64 @@ static int x509_ocsp_get_sig_alg( mbedtls_x509_ocsp_response *resp,
 static int x509_ocsp_get_certs( unsigned char **p, const unsigned char *end,
                                mbedtls_x509_crt *certs )
 {
-    return( 0 );
+    int ret;
+    size_t len;
+    unsigned char *cert_p;
+
+    /*
+     * certs            SEQUENCE OF Certificate
+     *
+     * Note: the standard allows an OCSPResponse that has no certs
+     */
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
+                    MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+    {
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
+    }
+
+    end = *p + len;
+
+    while( *p < end )
+    {
+        /*
+         * mbedtls_x509_crt_parse_der() takes a buffer and length instead of
+         * begining and end (such as the asn1 functions). To make this work
+         * we need to parse the SEQUENCE of each Certificate and manually
+         * compute the length
+         */
+        cert_p = *p;
+
+        if( ( ret = mbedtls_asn1_get_tag( &cert_p, end, &len,
+                    MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+        {
+            return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
+        }
+
+        /*
+         * Add the size of the tag and the length octets to the total buffer
+         * length
+         */
+        len += cert_p - *p;
+
+        /*
+         * Parse Certificate and populate cur
+         *
+         * TODO: This is massively innefficient in terms of space because
+         * internally mbedtls_x509_crt_parse_der will allocate a buffer for
+         * the raw certificates, but mbedtls_x509_ocsp_response already has
+         * another buffer.
+         */
+        if( ( ret = mbedtls_x509_crt_parse_der( certs, *p, len ) ) != 0 )
+            return( ret );
+
+        *p = *p + len;
+    }
+
+    if( *p != end )
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
+    return( ret );
 }

 static int x509_ocsp_get_response( mbedtls_x509_ocsp_response *resp,