diff --git a/src/ssl.c b/src/ssl.c index 9c655791d..75cc1c572 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -4237,6 +4237,10 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify) #endif XMEMCPY(signer->subjectNameHash, cert->subjectHash, SIGNER_DIGEST_SIZE); + #ifdef HAVE_OCSP + XMEMCPY(signer->subjectKeyHash, cert->subjectKeyHash, + KEYID_SIZE); + #endif signer->keyUsage = cert->extKeyUsageSet ? cert->extKeyUsage : 0xFFFF; signer->next = NULL; /* If Key Usage not set, all uses valid. */ diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 06b8aaf3d..39d4cc46f 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -4337,11 +4337,19 @@ static int GetKey(DecodedCert* cert) case RSAk: { int ret; - ret = CheckBitString(cert->source, &cert->srcIdx, NULL, + + ret = CheckBitString(cert->source, &cert->srcIdx, &length, cert->maxIdx, 1, NULL); if (ret != 0) return ret; + #ifdef HAVE_OCSP + ret = CalcHashId(cert->source + cert->srcIdx, length, + cert->subjectKeyHash); + if (ret != 0) + return ret; + #endif + return StoreRsaKey(cert); } @@ -4434,6 +4442,12 @@ static int GetKey(DecodedCert* cert) cert->maxIdx, 1, NULL); if (ret != 0) return ret; + #ifdef HAVE_OCSP + ret = CalcHashId(cert->source + cert->srcIdx, length, + cert->subjectKeyHash); + if (ret != 0) + return ret; + #endif } publicKey = (byte*)XMALLOC(pubLen, cert->heap, @@ -4463,6 +4477,13 @@ static int GetKey(DecodedCert* cert) if (ret != 0) return ret; + #ifdef HAVE_OCSP + ret = CalcHashId(cert->source + cert->srcIdx, length, + cert->subjectKeyHash); + if (ret != 0) + return ret; + #endif + publicKey = (byte*) XMALLOC(length, cert->heap, DYNAMIC_TYPE_PUBLIC_KEY); if (publicKey == NULL) @@ -8076,10 +8097,7 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm) #ifdef HAVE_OCSP /* Need the CA's public key hash for OCSP */ - ret = CalcHashId(cert->ca->publicKey, cert->ca->pubKeySize, - cert->issuerKeyHash); - if (ret != 0) - return ret; + XMEMCPY(cert->issuerKeyHash, cert->ca->subjectKeyHash, KEYID_SIZE); #endif /* HAVE_OCSP */ } } @@ -8139,21 +8157,7 @@ Signer* MakeSigner(void* heap) Signer* signer = (Signer*) XMALLOC(sizeof(Signer), heap, DYNAMIC_TYPE_SIGNER); if (signer) { - signer->pubKeySize = 0; - signer->keyOID = 0; - signer->publicKey = NULL; - signer->nameLen = 0; - signer->name = NULL; - #ifndef IGNORE_NAME_CONSTRAINTS - signer->permittedNames = NULL; - signer->excludedNames = NULL; - #endif /* IGNORE_NAME_CONSTRAINTS */ - signer->pathLengthSet = 0; - signer->pathLength = 0; - #ifdef WOLFSSL_SIGNER_DER_CERT - signer->derCert = NULL; - #endif - signer->next = NULL; + XMEMSET(signer, 0, sizeof(Signer)); } (void)heap; diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index a9eb70c76..34b14721a 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h @@ -696,6 +696,7 @@ struct DecodedCert { byte subjectHash[KEYID_SIZE]; /* hash of all Names */ byte issuerHash[KEYID_SIZE]; /* hash of all Names */ #ifdef HAVE_OCSP + byte subjectKeyHash[KEYID_SIZE]; /* hash of the public Key */ byte issuerKeyHash[KEYID_SIZE]; /* hash of the public Key */ #endif /* HAVE_OCSP */ const byte* signature; /* not owned, points into raw cert */ @@ -874,6 +875,9 @@ struct Signer { byte subjectKeyIdHash[SIGNER_DIGEST_SIZE]; /* sha hash of names in certificate */ #endif + #ifdef HAVE_OCSP + byte subjectKeyHash[KEYID_SIZE]; + #endif #ifdef WOLFSSL_SIGNER_DER_CERT DerBuffer* derCert; #endif