@@ -153,9 +153,10 @@ bool OCSP::compareResponderCert(const X509Cert &cert) const
153153 if (hash)
154154 {
155155 std::array<unsigned char ,SHA_DIGEST_LENGTH > sha1{};
156- ASN1_BIT_STRING *key = X509_get0_pubkey_bitstr (cert.handle ());
157- SHA1 (key->data , size_t (key->length ), sha1.data ());
158- if (!equal (sha1.cbegin (), sha1.cend (), hash->data , std::next (hash->data , hash->length )))
156+ auto *key = X509_get0_pubkey_bitstr (cert.handle ());
157+ SHA1 (ASN1_STRING_get0_data (key), size_t (ASN1_STRING_length (key)), sha1.data ());
158+ const unsigned char *data = ASN1_STRING_get0_data (hash);
159+ if (!equal (sha1.cbegin (), sha1.cend (), data, std::next (data, ASN1_STRING_length (hash))))
159160 return false ;
160161 }
161162 else if (X509_NAME_cmp (X509_get_subject_name (cert.handle ()), name) != 0 )
@@ -277,12 +278,13 @@ vector<unsigned char> OCSP::nonce() const
277278 int resp_idx = OCSP_BASICRESP_get_ext_by_NID (basic.get (), NID_id_pkix_OCSP_Nonce, -1 );
278279 if (resp_idx < 0 )
279280 return nonce;
280- X509_EXTENSION *ext = OCSP_BASICRESP_get_ext (basic.get (), resp_idx);
281+ auto *ext = OCSP_BASICRESP_get_ext (basic.get (), resp_idx);
281282 if (!ext)
282283 return nonce;
283284
284- ASN1_OCTET_STRING *value = X509_EXTENSION_get_data (ext);
285- nonce.assign (value->data , std::next (value->data , value->length ));
285+ auto *value = X509_EXTENSION_get_data (ext);
286+ const unsigned char *data = ASN1_STRING_get0_data (value);
287+ nonce.assign (data, std::next (data, ASN1_STRING_length (value)));
286288 // OpenSSL OCSP created messages NID_id_pkix_OCSP_Nonce field is DER encoded twice, not a problem with java impl
287289 // XXX: UglyHackTM check if nonceAsn1 contains ASN1_OCTET_STRING
288290 // XXX: if first 2 bytes seem to be beginning of DER ASN1_OCTET_STRING then remove them
0 commit comments