Parse CertID in OCSP response

Populate the function x509_ocsp_get_cert_id() that parses the following ASN.1 structure: CertID ::= SEQUENCE { hashAlgorithm AlgorithmIdentifier, issuerNameHash OCTET STRING, -- Hash of issuer's DN issuerKeyHash OCTET STRING, -- Hash of issuer's public key serialNumber CertificateSerialNumber } x509_ocsp_get_cert_id() parses the top-level SEQUENCE component and calls the following helpers for the actual contents of the CertID: * mbedtls_x509_get_md_alg(): Parses the hashAlgorithm * x509_ocsp_get_octet_string(): Parses the OCTET STRINGs issuerNameHash and issuerKeyHash, but does not actually check that the length or hashes are actually correct or correspond to the expected length given the hashAlgorithm * mbedtls_x509_get_serial: Parses the serialNumber
2026-04-06 04:25:43 +02:00 · 2017-08-25 11:58:05 +01:00
parent 45289f4ca6
commit cc4b2aa957
1 changed files with 77 additions and 0 deletions
--- a/library/x509_ocsp.c
+++ b/library/x509_ocsp.c
@@ -251,10 +251,87 @@ static int x509_ocsp_get_generalized_time( unsigned char **p,
    return( 0 );
 }

+static int x509_ocsp_get_octet_string( unsigned char **p,
+                                       const unsigned char *end,
+                                       mbedtls_x509_buf *buf )
+{
+    int ret;
+    size_t len;
+
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
+                                      MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
+    {
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
+    }
+
+    buf->len = len;
+    buf->tag = MBEDTLS_ASN1_OCTET_STRING;
+    buf->p = *p;
+
+    *p = *p + len;
+
+    return( 0 );
+}
+
 static int x509_ocsp_get_cert_id( unsigned char **p,
                                  const unsigned char *end,
                            mbedtls_x509_ocsp_single_response *single_resp )
 {
+    int ret;
+    size_t len;
+
+    /*
+     * CertID ::= SEQUENCE {
+     *  hashAlgorithm       AlgorithmIdentifier,
+     *  issuesNameHash      OCTET STRING,
+     *  issuerKeyHash       OCTET STRING,
+     *  serialNumber        CertificateSerialNumber }
+     */
+    if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
+                MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
+    {
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
+    }
+
+    end = *p + len;
+
+    /* Parse hashAlgorithm */
+    if( ( ret = mbedtls_x509_get_alg_null( p, end,
+                                           &single_resp->md_oid ) ) != 0 )
+    {
+        return( ret );
+    }
+    else if( ( ret = mbedtls_oid_get_md_alg( &single_resp->md_oid,
+                                             &single_resp->md_alg ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    /* Parse issuerNameHash */
+    if( ( ret = x509_ocsp_get_octet_string( p, end,
+                                    &single_resp->issuer_name_hash ) ) != 0 )
+    {
+        return( 0 );
+    }
+
+    /* Parse issuerKeyHash */
+    if( ( ret = x509_ocsp_get_octet_string( p, end,
+                                    &single_resp->issues_key_hash ) ) != 0 )
+    {
+        return( 0 );
+    }
+
+    /* Parse serialNumber */
+    if( ( ret = mbedtls_x509_get_serial( p, end,
+                                         &single_resp->serial ) ) != 0 )
+    {
+        return( ret );
+    }
+
+    if( *p != end )
+        return( MBEDTLS_ERR_X509_INVALID_FORMAT +
+                MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
+
    return( 0 );
 }