/*
 * TLSv1 client - OCSP
 * Copyright (c) 2015, Jouni Malinen <j@w1.fi>
 *
 * This software may be distributed under the terms of the BSD license.
 * See README for more details.
 */

#include "includes.h"

#include "common.h"
#include "crypto/tls.h"
#include "crypto/sha1.h"
#include "asn1.h"
#include "x509v3.h"
#include "tlsv1_common.h"
#include "tlsv1_record.h"
#include "tlsv1_client.h"
#include "tlsv1_client_i.h"


/* RFC 6960, 4.2.1: OCSPResponseStatus ::= ENUMERATED */
enum ocsp_response_status {
	OCSP_RESP_STATUS_SUCCESSFUL = 0,
	OCSP_RESP_STATUS_MALFORMED_REQ = 1,
	OCSP_RESP_STATUS_INT_ERROR = 2,
	OCSP_RESP_STATUS_TRY_LATER = 3,
	/* 4 not used */
	OCSP_RESP_STATUS_SIG_REQUIRED = 5,
	OCSP_RESP_STATUS_UNAUTHORIZED = 6,
};


static int is_oid_basic_ocsp_resp(struct asn1_oid *oid)
{
	return oid->len == 10 &&
		oid->oid[0] == 1 /* iso */ &&
		oid->oid[1] == 3 /* identified-organization */ &&
		oid->oid[2] == 6 /* dod */ &&
		oid->oid[3] == 1 /* internet */ &&
		oid->oid[4] == 5 /* security */ &&
		oid->oid[5] == 5 /* mechanisms */ &&
		oid->oid[6] == 7 /* id-pkix */ &&
		oid->oid[7] == 48 /* id-ad */ &&
		oid->oid[8] == 1 /* id-pkix-ocsp */ &&
		oid->oid[9] == 1 /* id-pkix-ocsp-basic */;
}


static int ocsp_responder_id_match(struct x509_certificate *signer,
				   struct x509_name *name, const u8 *key_hash)
{
	if (key_hash) {
		u8 hash[SHA1_MAC_LEN];
		const u8 *addr[1] = { signer->public_key };
		size_t len[1] = { signer->public_key_len };

		if (sha1_vector(1, addr, len, hash) < 0)
			return 0;
		return os_memcmp(hash, key_hash, SHA1_MAC_LEN) == 0;
	}

	return x509_name_compare(&signer->subject, name) == 0;
}


static unsigned int ocsp_hash_data(struct asn1_oid *alg, const u8 *data,
				   size_t data_len, u8 *hash)
{
	const u8 *addr[1] = { data };
	size_t len[1] = { data_len };
	char buf[100];

	if (x509_sha1_oid(alg)) {
		if (sha1_vector(1, addr, len, hash) < 0)
			return 0;
		wpa_hexdump(MSG_MSGDUMP, "OCSP: Hash (SHA1)", hash, 20);
		return 20;
	}

	if (x509_sha256_oid(alg)) {
		if (sha256_vector(1, addr, len, hash) < 0)
			return 0;
		wpa_hexdump(MSG_MSGDUMP, "OCSP: Hash (SHA256)", hash, 32);
		return 32;
	}

	if (x509_sha384_oid(alg)) {
		if (sha384_vector(1, addr, len, hash) < 0)
			return 0;
		wpa_hexdump(MSG_MSGDUMP, "OCSP: Hash (SHA384)", hash, 48);
		return 48;
	}

	if (x509_sha512_oid(alg)) {
		if (sha512_vector(1, addr, len, hash) < 0)
			return 0;
		wpa_hexdump(MSG_MSGDUMP, "OCSP: Hash (SHA512)", hash, 64);
		return 64;
	}


	asn1_oid_to_str(alg, buf, sizeof(buf));
	wpa_printf(MSG_DEBUG, "OCSP: Could not calculate hash with alg %s",
		   buf);
	return 0;
}


static int tls_process_ocsp_single_response(struct tlsv1_client *conn,
					    struct x509_certificate *cert,
					    struct x509_certificate *issuer,
					    const u8 *resp, size_t len,
					    enum tls_ocsp_result *res)
{
	struct asn1_hdr hdr;
	const u8 *pos, *end;
	struct x509_algorithm_identifier alg;
	const u8 *name_hash, *key_hash;
	size_t name_hash_len, key_hash_len;
	const u8 *serial_number;
	size_t serial_number_len;
	u8 hash[64];
	unsigned int hash_len;
	unsigned int cert_status;
	os_time_t update;
	struct os_time now;

	wpa_hexdump(MSG_MSGDUMP, "OCSP: SingleResponse", resp, len);

	/*
	 * SingleResponse ::= SEQUENCE {
	 *    certID                       CertID,
	 *    certStatus                   CertStatus,
	 *    thisUpdate                   GeneralizedTime,
	 *    nextUpdate         [0]       EXPLICIT GeneralizedTime OPTIONAL,
	 *    singleExtensions   [1]       EXPLICIT Extensions OPTIONAL }
	 */

	/* CertID ::= SEQUENCE */
	if (asn1_get_next(resp, len, &hdr) < 0 ||
	    hdr.class != ASN1_CLASS_UNIVERSAL ||
	    hdr.tag != ASN1_TAG_SEQUENCE) {
		wpa_printf(MSG_DEBUG,
			   "OCSP: Expected SEQUENCE (CertID) - found class %d tag 0x%x",
			   hdr.class, hdr.tag);
		return -1;
	}
	pos = hdr.payload;
	end = hdr.payload + hdr.length;

	/*
	 * CertID ::= SEQUENCE {
	 *    hashAlgorithm           AlgorithmIdentifier,
	 *    issuerNameHash          OCTET STRING,
	 *    issuerKeyHash           OCTET STRING,
	 *    serialNumber            CertificateSerialNumber }
	 */

	/* hashAlgorithm  AlgorithmIdentifier */
	if (x509_parse_algorithm_identifier(pos, end - pos, &alg, &pos))
		return -1;

	/* issuerNameHash  OCTET STRING */
	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
	    hdr.class != ASN1_CLASS_UNIVERSAL ||
	    hdr.tag != ASN1_TAG_OCTETSTRING) {
		wpa_printf(MSG_DEBUG,
			   "OCSP: Expected OCTET STRING (issuerNameHash) - found class %d tag 0x%x",
			   hdr.class, hdr.tag);
		return -1;
	}
	name_hash = hdr.payload;
	name_hash_len = hdr.length;
	wpa_hexdump(MSG_DEBUG, "OCSP: issuerNameHash",
		    name_hash, name_hash_len);
	pos = hdr.payload + hdr.length;

	wpa_hexdump(MSG_DEBUG, "OCSP: Issuer subject DN",
		    issuer->subject_dn, issuer->subject_dn_len);
	hash_len = ocsp_hash_data(&alg.oid, issuer->subject_dn,
				  issuer->subject_dn_len, hash);
	if (hash_len == 0 || name_hash_len != hash_len ||
	    os_memcmp(name_hash, hash, hash_len) != 0) {
		wpa_printf(MSG_DEBUG, "OCSP: issuerNameHash mismatch");
		wpa_hexdump(MSG_DEBUG, "OCSP: Calculated issuerNameHash",
			    hash, hash_len);
		return -1;
	}

	/* issuerKeyHash  OCTET STRING */
	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
	    hdr.class != ASN1_CLASS_UNIVERSAL ||
	    hdr.tag != ASN1_TAG_OCTETSTRING) {
		wpa_printf(MSG_DEBUG,
			   "OCSP: Expected OCTET STRING (issuerKeyHash) - found class %d tag 0x%x",
			   hdr.class, hdr.tag);
		return -1;
	}
	key_hash = hdr.payload;
	key_hash_len = hdr.length;
	wpa_hexdump(MSG_DEBUG, "OCSP: issuerKeyHash", key_hash, key_hash_len);
	pos = hdr.payload + hdr.length;

	hash_len = ocsp_hash_data(&alg.oid, issuer->public_key,
				  issuer->public_key_len, hash);
	if (hash_len == 0 || key_hash_len != hash_len ||
	    os_memcmp(key_hash, hash, hash_len) != 0) {
		wpa_printf(MSG_DEBUG, "OCSP: issuerKeyHash mismatch");
		wpa_hexdump(MSG_DEBUG, "OCSP: Calculated issuerKeyHash",
			    hash, hash_len);
		return -1;
	}

	/* serialNumber CertificateSerialNumber ::= INTEGER */
	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
	    hdr.class != ASN1_CLASS_UNIVERSAL ||
	    hdr.tag != ASN1_TAG_INTEGER ||
	    hdr.length < 1 || hdr.length > X509_MAX_SERIAL_NUM_LEN) {
		wpa_printf(MSG_DEBUG, "OCSP: No INTEGER tag found for serialNumber; class=%d tag=0x%x length=%u",
			   hdr.class, hdr.tag, hdr.length);
		return -1;
	}
	serial_number = hdr.payload;
	serial_number_len = hdr.length;
	while (serial_number_len > 0 && serial_number[0] == 0) {
		serial_number++;
		serial_number_len--;
	}
	wpa_hexdump(MSG_MSGDUMP, "OCSP: serialNumber", serial_number,
		    serial_number_len);

	if (serial_number_len != cert->serial_number_len ||
	    os_memcmp(serial_number, cert->serial_number,
		      serial_number_len) != 0) {
		wpa_printf(MSG_DEBUG, "OCSP: serialNumber mismatch");
		return -1;
	}

	pos = end;
	end = resp + len;

	/* certStatus CertStatus ::= CHOICE */
	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
	    hdr.class != ASN1_CLASS_CONTEXT_SPECIFIC) {
		wpa_printf(MSG_DEBUG,
			   "OCSP: Expected CHOICE (CertStatus) - found class %d tag 0x%x",
			   hdr.class, hdr.tag);
		return -1;
	}
	cert_status = hdr.tag;
	wpa_printf(MSG_DEBUG, "OCSP: certStatus=%u", cert_status);
	wpa_hexdump(MSG_DEBUG, "OCSP: CertStatus additional data",
		    hdr.payload, hdr.length);
	pos = hdr.payload + hdr.length;

	os_get_time(&now);
	/* thisUpdate  GeneralizedTime */
	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
	    hdr.class != ASN1_CLASS_UNIVERSAL ||
	    hdr.tag != ASN1_TAG_GENERALIZEDTIME ||
	    x509_parse_time(hdr.payload, hdr.length, hdr.tag, &update) < 0) {
		wpa_printf(MSG_DEBUG, "OCSP: Failed to parse thisUpdate");
		return -1;
	}
	wpa_printf(MSG_DEBUG, "OCSP: thisUpdate %lu", (unsigned long) update);
	pos = hdr.payload + hdr.length;
	if ((unsigned long) now.sec < (unsigned long) update) {
		wpa_printf(MSG_DEBUG,
			   "OCSP: thisUpdate time in the future (response not yet valid)");
		return -1;
	}

	/* nextUpdate  [0]  EXPLICIT GeneralizedTime OPTIONAL */
	if (pos < end) {
		if (asn1_get_next(pos, end - pos, &hdr) < 0)
			return -1;
		if (hdr.class == ASN1_CLASS_CONTEXT_SPECIFIC && hdr.tag == 0) {
			const u8 *next = hdr.payload + hdr.length;

			if (asn1_get_next(hdr.payload, hdr.length, &hdr) < 0 ||
			    hdr.class != ASN1_CLASS_UNIVERSAL ||
			    hdr.tag != ASN1_TAG_GENERALIZEDTIME ||
			    x509_parse_time(hdr.payload, hdr.length, hdr.tag,
					    &update) < 0) {
				wpa_printf(MSG_DEBUG,
					   "OCSP: Failed to parse nextUpdate");
				return -1;
			}
			wpa_printf(MSG_DEBUG, "OCSP: nextUpdate %lu",
				   (unsigned long) update);
			pos = next;
			if ((unsigned long) now.sec > (unsigned long) update) {
				wpa_printf(MSG_DEBUG, "OCSP: nextUpdate time in the past (response has expired)");
				return -1;
			}
		}
	}

	/* singleExtensions  [1]  EXPLICIT Extensions OPTIONAL */
	if (pos < end) {
		wpa_hexdump(MSG_MSGDUMP, "OCSP: singleExtensions",
			    pos, end - pos);
		/* Ignore for now */
	}

	if (cert_status == 0 /* good */)
		*res = TLS_OCSP_GOOD;
	else if (cert_status == 1 /* revoked */)
		*res = TLS_OCSP_REVOKED;
	else
		return -1;
	return 0;
}


static enum tls_ocsp_result
tls_process_ocsp_responses(struct tlsv1_client *conn,
			   struct x509_certificate *cert,
			   struct x509_certificate *issuer, const u8 *resp,
			   size_t len)
{
	struct asn1_hdr hdr;
	const u8 *pos, *end;
	enum tls_ocsp_result res;

	pos = resp;
	end = resp + len;
	while (pos < end) {
		/* SingleResponse ::= SEQUENCE */
		if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
		    hdr.class != ASN1_CLASS_UNIVERSAL ||
		    hdr.tag != ASN1_TAG_SEQUENCE) {
			wpa_printf(MSG_DEBUG,
				   "OCSP: Expected SEQUENCE (SingleResponse) - found class %d tag 0x%x",
				   hdr.class, hdr.tag);
			return TLS_OCSP_INVALID;
		}
		if (tls_process_ocsp_single_response(conn, cert, issuer,
						     hdr.payload, hdr.length,
						     &res) == 0)
			return res;
		pos = hdr.payload + hdr.length;
	}

	wpa_printf(MSG_DEBUG,
		   "OCSP: Did not find a response matching the server certificate");
	return TLS_OCSP_NO_RESPONSE;
}


static enum tls_ocsp_result
tls_process_basic_ocsp_response(struct tlsv1_client *conn,
				struct x509_certificate *srv_cert,
				const u8 *resp, size_t len)
{
	struct asn1_hdr hdr;
	const u8 *pos, *end;
	const u8 *resp_data, *sign_value, *key_hash = NULL, *responses;
	const u8 *resp_data_signed;
	size_t resp_data_len, sign_value_len, responses_len;
	size_t resp_data_signed_len;
	struct x509_algorithm_identifier alg;
	struct x509_certificate *certs = NULL, *last_cert = NULL;
	struct x509_certificate *issuer, *signer;
	struct x509_name name; /* used if key_hash == NULL */
	char buf[100];
	os_time_t produced_at;
	enum tls_ocsp_result res;

	wpa_hexdump(MSG_MSGDUMP, "OCSP: BasicOCSPResponse", resp, len);

	os_memset(&name, 0, sizeof(name));

	/*
	 * RFC 6960, 4.2.1:
	 * BasicOCSPResponse       ::= SEQUENCE {
	 *    tbsResponseData      ResponseData,
	 *    signatureAlgorithm   AlgorithmIdentifier,
	 *    signature            BIT STRING,
	 *    certs            [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
	 */

	if (asn1_get_next(resp, len, &hdr) < 0 ||
	    hdr.class != ASN1_CLASS_UNIVERSAL ||
	    hdr.tag != ASN1_TAG_SEQUENCE) {
		wpa_printf(MSG_DEBUG,
			   "OCSP: Expected SEQUENCE (BasicOCSPResponse) - found class %d tag 0x%x",
			   hdr.class, hdr.tag);
		return TLS_OCSP_INVALID;
	}
	pos = hdr.payload;
	end = hdr.payload + hdr.length;

	/* ResponseData ::= SEQUENCE */
	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
	    hdr.class != ASN1_CLASS_UNIVERSAL ||
	    hdr.tag != ASN1_TAG_SEQUENCE) {
		wpa_printf(MSG_DEBUG,
			   "OCSP: Expected SEQUENCE (ResponseData) - found class %d tag 0x%x",
			   hdr.class, hdr.tag);
		return TLS_OCSP_INVALID;
	}
	resp_data = hdr.payload;
	resp_data_len = hdr.length;
	resp_data_signed = pos;
	pos = hdr.payload + hdr.length;
	resp_data_signed_len = pos - resp_data_signed;

	/* signatureAlgorithm  AlgorithmIdentifier */
	if (x509_parse_algorithm_identifier(pos, end - pos, &alg, &pos))
		return TLS_OCSP_INVALID;

	/* signature  BIT STRING */
	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
	    hdr.class != ASN1_CLASS_UNIVERSAL ||
	    hdr.tag != ASN1_TAG_BITSTRING) {
		wpa_printf(MSG_DEBUG,
			   "OCSP: Expected BITSTRING (signature) - found class %d tag 0x%x",
			   hdr.class, hdr.tag);
		return TLS_OCSP_INVALID;
	}
	if (hdr.length < 1)
		return TLS_OCSP_INVALID;
	pos = hdr.payload;
	if (*pos) {
		wpa_printf(MSG_DEBUG, "OCSP: BITSTRING - %d unused bits", *pos);
		/* PKCS #1 v1.5 10.2.1:
		 * It is an error if the length in bits of the signature S is
		 * not a multiple of eight.
		 */
		return TLS_OCSP_INVALID;
	}
	sign_value = pos + 1;
	sign_value_len = hdr.length - 1;
	pos += hdr.length;
	wpa_hexdump(MSG_MSGDUMP, "OCSP: signature", sign_value, sign_value_len);

	/* certs  [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL */
	if (pos < end) {
		if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
		    hdr.class != ASN1_CLASS_CONTEXT_SPECIFIC ||
		    hdr.tag != 0) {
			wpa_printf(MSG_DEBUG,
				   "OCSP: Expected [0] EXPLICIT (certs) - found class %d tag 0x%x",
				   hdr.class, hdr.tag);
			return TLS_OCSP_INVALID;
		}
		wpa_hexdump(MSG_MSGDUMP, "OCSP: certs",
			    hdr.payload, hdr.length);
		pos = hdr.payload;
		end = hdr.payload + hdr.length;
		while (pos < end) {
			struct x509_certificate *cert;

			if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
			    hdr.class != ASN1_CLASS_UNIVERSAL ||
			    hdr.tag != ASN1_TAG_SEQUENCE) {
				wpa_printf(MSG_DEBUG,
					   "OCSP: Expected SEQUENCE (Certificate) - found class %d tag 0x%x",
					   hdr.class, hdr.tag);
				goto fail;
			}

			cert = x509_certificate_parse(hdr.payload, hdr.length);
			if (!cert)
				goto fail;
			if (last_cert) {
				last_cert->next = cert;
				last_cert = cert;
			} else {
				last_cert = certs = cert;
			}
			pos = hdr.payload + hdr.length;
		}
	}

	/*
	 * ResponseData ::= SEQUENCE {
	 *    version              [0] EXPLICIT Version DEFAULT v1,
	 *    responderID              ResponderID,
	 *    producedAt               GeneralizedTime,
	 *    responses                SEQUENCE OF SingleResponse,
	 *    responseExtensions   [1] EXPLICIT Extensions OPTIONAL }
	 */
	pos = resp_data;
	end = resp_data + resp_data_len;
	wpa_hexdump(MSG_MSGDUMP, "OCSP: ResponseData", pos, end - pos);

	/*
	 * version [0] EXPLICIT Version DEFAULT v1
	 * Version ::= INTEGER { v1(0) }
	 */
	if (asn1_get_next(pos, end - pos, &hdr) < 0 &&
	    hdr.class == ASN1_CLASS_CONTEXT_SPECIFIC &&
	    hdr.tag == 0) {
		if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
		    hdr.class != ASN1_CLASS_UNIVERSAL ||
		    hdr.tag != ASN1_TAG_INTEGER ||
		    hdr.length != 1) {
			wpa_printf(MSG_DEBUG,
				   "OCSP: No INTEGER (len=1) tag found for version field - found class %d tag 0x%x length %d",
				   hdr.class, hdr.tag, hdr.length);
			goto fail;
		}
		wpa_printf(MSG_DEBUG, "OCSP: ResponseData version %u",
			   hdr.payload[0]);
		if (hdr.payload[0] != 0) {
			wpa_printf(MSG_DEBUG,
				   "OCSP: Unsupported ResponseData version %u",
				   hdr.payload[0]);
			goto no_resp;
		}
		pos = hdr.payload + hdr.length;
	} else {
		wpa_printf(MSG_DEBUG,
			   "OCSP: Default ResponseData version (v1)");
	}

	/*
	 * ResponderID ::= CHOICE {
	 *    byName              [1] Name,
	 *    byKey               [2] KeyHash }
	 */
	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
	    hdr.class != ASN1_CLASS_CONTEXT_SPECIFIC) {
		wpa_printf(MSG_DEBUG,
			   "OCSP: Expected CHOICE (ResponderID) - found class %d tag 0x%x",
			   hdr.class, hdr.tag);
		goto fail;
	}

	if (hdr.tag == 1) {
		/* Name */
		if (x509_parse_name(hdr.payload, hdr.length, &name, &pos) < 0)
			goto fail;
		x509_name_string(&name, buf, sizeof(buf));
		wpa_printf(MSG_DEBUG, "OCSP: ResponderID byName Name: %s", buf);
	} else if (hdr.tag == 2) {
		/* KeyHash ::= OCTET STRING */
		if (asn1_get_next(hdr.payload, hdr.length, &hdr) < 0 ||
		    hdr.class != ASN1_CLASS_UNIVERSAL ||
		    hdr.tag != ASN1_TAG_OCTETSTRING) {
			wpa_printf(MSG_DEBUG,
				   "OCSP: Expected OCTET STRING (KeyHash) - found class %d tag 0x%x",
				   hdr.class, hdr.tag);
			goto fail;
		}
		key_hash = hdr.payload;
		wpa_hexdump(MSG_DEBUG, "OCSP: ResponderID byKey KeyHash",
			    key_hash, hdr.length);
		if (hdr.length != SHA1_MAC_LEN) {
			wpa_printf(MSG_DEBUG,
				   "OCSP: Unexpected byKey KeyHash length %u - expected %u for SHA-1",
				   hdr.length, SHA1_MAC_LEN);
			goto fail;
		}
		pos = hdr.payload + hdr.length;
	} else {
		wpa_printf(MSG_DEBUG, "OCSP: Unexpected ResponderID CHOICE %u",
			   hdr.tag);
		goto fail;
	}

	/* producedAt  GeneralizedTime */
	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
	    hdr.class != ASN1_CLASS_UNIVERSAL ||
	    hdr.tag != ASN1_TAG_GENERALIZEDTIME ||
	    x509_parse_time(hdr.payload, hdr.length, hdr.tag,
			    &produced_at) < 0) {
		wpa_printf(MSG_DEBUG, "OCSP: Failed to parse producedAt");
		goto fail;
	}
	wpa_printf(MSG_DEBUG, "OCSP: producedAt %lu",
		   (unsigned long) produced_at);
	pos = hdr.payload + hdr.length;

	/* responses  SEQUENCE OF SingleResponse */
	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
	    hdr.class != ASN1_CLASS_UNIVERSAL ||
	    hdr.tag != ASN1_TAG_SEQUENCE) {
		wpa_printf(MSG_DEBUG,
			   "OCSP: Expected SEQUENCE (responses) - found class %d tag 0x%x",
			   hdr.class, hdr.tag);
		goto fail;
	}
	responses = hdr.payload;
	responses_len = hdr.length;
	wpa_hexdump(MSG_MSGDUMP, "OCSP: responses", responses, responses_len);
	pos = hdr.payload + hdr.length;

	if (pos < end) {
		/* responseExtensions  [1] EXPLICIT Extensions OPTIONAL */
		wpa_hexdump(MSG_MSGDUMP, "OCSP: responseExtensions",
			    pos, end - pos);
		/* Ignore for now. */
	}

	if (!srv_cert) {
		wpa_printf(MSG_DEBUG,
			   "OCSP: Server certificate not known - cannot check OCSP response");
		goto no_resp;
	}

	if (srv_cert->next) {
		/* Issuer has already been verified in the chain */
		issuer = srv_cert->next;
	} else {
		/* Find issuer from the set of trusted certificates */
		for (issuer = conn->cred ? conn->cred->trusted_certs : NULL;
		     issuer; issuer = issuer->next) {
			if (x509_name_compare(&srv_cert->issuer,
					      &issuer->subject) == 0)
				break;
		}
	}
	if (!issuer) {
		wpa_printf(MSG_DEBUG,
			   "OCSP: Server certificate issuer not known - cannot check OCSP response");
		goto no_resp;
	}

	if (ocsp_responder_id_match(issuer, &name, key_hash)) {
		wpa_printf(MSG_DEBUG,
			   "OCSP: Server certificate issuer certificate matches ResponderID");
		signer = issuer;
	} else {
		for (signer = certs; signer; signer = signer->next) {
			if (!ocsp_responder_id_match(signer, &name, key_hash) ||
			    x509_name_compare(&srv_cert->issuer,
					      &issuer->subject) != 0 ||
			    !(signer->ext_key_usage &
			      X509_EXT_KEY_USAGE_OCSP) ||
			    x509_certificate_check_signature(issuer, signer) <
			    0)
				continue;
			wpa_printf(MSG_DEBUG,
				   "OCSP: An extra certificate from the response matches ResponderID and is trusted as an OCSP signer");
			break;
		}
		if (!signer) {
			wpa_printf(MSG_DEBUG,
				   "OCSP: Could not find OCSP signer certificate");
			goto no_resp;
		}
	}

	x509_free_name(&name);
	os_memset(&name, 0, sizeof(name));
	x509_certificate_chain_free(certs);
	certs = NULL;

	if (x509_check_signature(signer, &alg, sign_value, sign_value_len,
				 resp_data_signed, resp_data_signed_len) < 0) {
		    wpa_printf(MSG_DEBUG, "OCSP: Invalid signature");
		    return TLS_OCSP_INVALID;
	}

	res = tls_process_ocsp_responses(conn, srv_cert, issuer,
					 responses, responses_len);
	if (res == TLS_OCSP_REVOKED)
		srv_cert->ocsp_revoked = 1;
	else if (res == TLS_OCSP_GOOD)
		srv_cert->ocsp_good = 1;
	return res;

no_resp:
	x509_free_name(&name);
	x509_certificate_chain_free(certs);
	return TLS_OCSP_NO_RESPONSE;

fail:
	x509_free_name(&name);
	x509_certificate_chain_free(certs);
	return TLS_OCSP_INVALID;
}


enum tls_ocsp_result tls_process_ocsp_response(struct tlsv1_client *conn,
					       const u8 *resp, size_t len)
{
	struct asn1_hdr hdr;
	const u8 *pos, *end;
	u8 resp_status;
	struct asn1_oid oid;
	char obuf[80];
	struct x509_certificate *cert;
	enum tls_ocsp_result res = TLS_OCSP_NO_RESPONSE;
	enum tls_ocsp_result res_first = res;

	wpa_hexdump(MSG_MSGDUMP, "TLSv1: OCSPResponse", resp, len);

	/*
	 * RFC 6960, 4.2.1:
	 * OCSPResponse ::= SEQUENCE {
	 *    responseStatus  OCSPResponseStatus,
	 *    responseBytes   [0] EXPLICIT ResponseBytes OPTIONAL }
	 */

	if (asn1_get_next(resp, len, &hdr) < 0 ||
	    hdr.class != ASN1_CLASS_UNIVERSAL ||
	    hdr.tag != ASN1_TAG_SEQUENCE) {
		wpa_printf(MSG_DEBUG,
			   "OCSP: Expected SEQUENCE (OCSPResponse) - found class %d tag 0x%x",
			   hdr.class, hdr.tag);
		return TLS_OCSP_INVALID;
	}
	pos = hdr.payload;
	end = hdr.payload + hdr.length;

	/* OCSPResponseStatus ::= ENUMERATED */
	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
	    hdr.class != ASN1_CLASS_UNIVERSAL ||
	    hdr.tag != ASN1_TAG_ENUMERATED ||
	    hdr.length != 1) {
		wpa_printf(MSG_DEBUG,
			   "OCSP: Expected ENUMERATED (responseStatus) - found class %d tag 0x%x length %u",
			   hdr.class, hdr.tag, hdr.length);
		return TLS_OCSP_INVALID;
	}
	resp_status = hdr.payload[0];
	wpa_printf(MSG_DEBUG, "OCSP: responseStatus %u", resp_status);
	pos = hdr.payload + hdr.length;
	if (resp_status != OCSP_RESP_STATUS_SUCCESSFUL) {
		wpa_printf(MSG_DEBUG, "OCSP: No stapling result");
		return TLS_OCSP_NO_RESPONSE;
	}

	/* responseBytes   [0] EXPLICIT ResponseBytes OPTIONAL */
	if (pos == end)
		return TLS_OCSP_NO_RESPONSE;

	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
	    hdr.class != ASN1_CLASS_CONTEXT_SPECIFIC ||
	    hdr.tag != 0) {
		wpa_printf(MSG_DEBUG,
			   "OCSP: Expected [0] EXPLICIT (responseBytes) - found class %d tag 0x%x",
			   hdr.class, hdr.tag);
		return TLS_OCSP_INVALID;
	}

	/*
	 * ResponseBytes ::= SEQUENCE {
	 *     responseType   OBJECT IDENTIFIER,
	 *     response       OCTET STRING }
	 */

	if (asn1_get_next(hdr.payload, hdr.length, &hdr) < 0 ||
	    hdr.class != ASN1_CLASS_UNIVERSAL ||
	    hdr.tag != ASN1_TAG_SEQUENCE) {
		wpa_printf(MSG_DEBUG,
			   "OCSP: Expected SEQUENCE (ResponseBytes) - found class %d tag 0x%x",
			   hdr.class, hdr.tag);
		return TLS_OCSP_INVALID;
	}
	pos = hdr.payload;
	end = hdr.payload + hdr.length;

	/* responseType   OBJECT IDENTIFIER */
	if (asn1_get_oid(pos, end - pos, &oid, &pos)) {
		wpa_printf(MSG_DEBUG,
			   "OCSP: Failed to parse OID (responseType)");
		return TLS_OCSP_INVALID;
	}
	asn1_oid_to_str(&oid, obuf, sizeof(obuf));
	wpa_printf(MSG_DEBUG, "OCSP: responseType %s", obuf);
	if (!is_oid_basic_ocsp_resp(&oid)) {
		wpa_printf(MSG_DEBUG, "OCSP: Ignore unsupported response type");
		return TLS_OCSP_NO_RESPONSE;
	}

	/* response       OCTET STRING */
	if (asn1_get_next(pos, end - pos, &hdr) < 0 ||
	    hdr.class != ASN1_CLASS_UNIVERSAL ||
	    hdr.tag != ASN1_TAG_OCTETSTRING) {
		wpa_printf(MSG_DEBUG,
			   "OCSP: Expected OCTET STRING (response) - found class %d tag 0x%x",
			   hdr.class, hdr.tag);
		return TLS_OCSP_INVALID;
	}

	cert = conn->server_cert;
	while (cert) {
		if (!cert->ocsp_good && !cert->ocsp_revoked) {
			char sbuf[128];

			x509_name_string(&cert->subject, sbuf, sizeof(sbuf));
			wpa_printf(MSG_DEBUG,
				   "OCSP: Trying to find certificate status for %s",
				   sbuf);

			res = tls_process_basic_ocsp_response(conn, cert,
							      hdr.payload,
							      hdr.length);
			if (cert == conn->server_cert)
				res_first = res;
		}
		if (res == TLS_OCSP_REVOKED || cert->issuer_trusted)
			break;
		cert = cert->next;
	}
	return res == TLS_OCSP_REVOKED ? res : res_first;
}