From 946ea95e6f3ac2a9dad38d8f64eeee2956279a47 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Sun, 30 Sep 2012 16:22:33 +0200
Subject: The OCSP response file is now set on the credentials and other additions.

Changed OCSP function prototypes for almost all status_request functions to move the response file and callback to the certificate credentials structure. Added gnutls_ocsp_resp_check_crt() to check whether a response corresponds to a given certificate.
---
 src/ocsptool-common.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

(limited to 'src/ocsptool-common.c')

diff --git a/src/ocsptool-common.c b/src/ocsptool-common.c
index 1c441b3824..33f78948ab 100644
--- a/src/ocsptool-common.c
+++ b/src/ocsptool-common.c
@@ -311,7 +311,8 @@ print_ocsp_verify_res (unsigned int output)
  * -1: dunno
  */
 int
-check_ocsp_response (gnutls_x509_crt_t issuer,
+check_ocsp_response (gnutls_x509_crt_t cert,
+                     gnutls_x509_crt_t issuer,
                      gnutls_datum_t *data)
 {
   gnutls_ocsp_resp_t resp;
@@ -328,6 +329,14 @@ check_ocsp_response (gnutls_x509_crt_t issuer,
   ret = gnutls_ocsp_resp_import (resp, data);
   if (ret < 0)
     error (EXIT_FAILURE, 0, "importing response: %s", gnutls_strerror (ret));
+
+  ret = gnutls_ocsp_resp_check_crt(resp, cert);
+  if (ret < 0)
+    {
+      printf ("*** Got OCSP response on an unrelated certificate (ignoring)\n");
+      ret = -1;
+      goto cleanup;
+    }
 
   ret = gnutls_ocsp_resp_verify_direct( resp, issuer, &status, 0);
   if (ret < 0)
-- 
cgit v1.2.1
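Review bot: The new mismatch branch in the second hunk returns -1 ("dunno") for a response that does not cover `cert`, but the header comment above the signature (its tail `* -1: dunno` is visible in the first hunk) is not updated for the new parameter or this new outcome; it should gain a line such as `* cert: certificate the response must cover; a response for an unrelated certificate yields -1 (dunno)` so callers know a mismatch is not treated as a verification failure. The added call also departs from the file's GNU spacing used on the line just above (`gnutls_ocsp_resp_import (resp, data)`); `ret = gnutls_ocsp_resp_check_crt (resp, cert);` would match. The diagnostic is written with printf to stdout while the neighbouring failures go through error(); if scripts are expected to separate verdicts from diagnostics, consider sending this one to stderr as well. The function body continues past the hunk, so the `cleanup` label the new goto targets is not visible here.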