[libksba PATCH] Encode OCSP nonce value as an octet string (RFC 6960)

Tomáš Trnka tomastrnka at gmx.com
Sun Jul 3 21:27:31 CEST 2016 

* src/ocsp.c (ksba_ocsp_set_nonce): Stop removing the sign bit.
 (write_request_extensions): Encode nonce as octet string.
 (parse_response_extensions): Decode nonce as octet string.

Signed-off-by: Tomáš Trnka <tomastrnka at gmx.com>
--
The type of nonce value was not specified back in RFC 2560, but RFC
6960 has clarified the situation by requiring an octet string. This
is also what OpenSSL does since 0.9.7d. Doing the same improves
interoperability with some responders (and Wireshark packet dissectors).
---
 src/ocsp.c | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/src/ocsp.c b/src/ocsp.c
index 56d2b55..4b26f8d 100644
--- a/src/ocsp.c
+++ b/src/ocsp.c
@@ -401,10 +401,6 @@ ksba_ocsp_set_nonce (ksba_ocsp_t ocsp, unsigned char *nonce, size_t noncelen)
   if (noncelen)
     {
       memcpy (ocsp->nonce, nonce, noncelen);
-      /* Reset the high bit.  We do this to make sure that we have a
-         positive integer and thus we don't need to prepend a leading
-         zero which would be needed then. */
-      ocsp->nonce[0] &= 0x7f;
     }
   ocsp->noncelen = noncelen;
   return noncelen;
@@ -492,7 +488,7 @@ write_request_extensions (ksba_ocsp_t ocsp, ksba_writer_t wout)
     err = _ksba_ber_write_tl (w1, TYPE_OCTET_STRING, CLASS_UNIVERSAL, 0,
                               2+ocsp->noncelen);
   if (!err)
-    err = _ksba_ber_write_tl (w1, TYPE_INTEGER, CLASS_UNIVERSAL, 0,
+    err = _ksba_ber_write_tl (w1, TYPE_OCTET_STRING, CLASS_UNIVERSAL, 0,
                               ocsp->noncelen);
   if (!err)
     err = ksba_writer_write (w1, ocsp->nonce, ocsp->noncelen);
@@ -907,7 +903,7 @@ parse_response_extensions (ksba_ocsp_t ocsp,
         goto leave;
       if (!strcmp (oid, oidstr_ocsp_nonce))
         {
-          err = parse_integer (&data, &datalen, &ti);
+          err = parse_octet_string (&data, &datalen, &ti);
           if (err)
             goto leave;
           if (ocsp->noncelen != ti.length
-- 
2.7.4

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2214 bytes
Desc: not available
URL: </pipermail/attachments/20160703/dfaf02d2/attachment.bin>

More information about the Gnupg-devel mailing list