eliminated TIMETOA_BUF definition
[strongswan.git] / src / pluto / ocsp.c
index b706dc9..ef270cd 100644 (file)
 #include "fetch.h"
 #include "ocsp.h"
 
-#define NONCE_LENGTH           16
+#define NONCE_LENGTH            16
 
 static const char *const cert_status_names[] = {
-    "good",
-    "revoked",
-    "unknown",
-    "undefined"
+       "good",
+       "revoked",
+       "unknown",
+       "undefined"
 };
 
 
 static const char *const response_status_names[] = {
-    "successful",
-    "malformed request",
-    "internal error",
-    "try later",
-    "status #4",
-    "signature required",
-    "unauthorized"
+       "successful",
+       "malformed request",
+       "internal error",
+       "try later",
+       "status #4",
+       "signature required",
+       "unauthorized"
 };
 
 /* response container */
 typedef struct response response_t;
 
 struct response {
-    chunk_t  tbs;
-    chunk_t  responder_id_name;
-    chunk_t  responder_id_key;
-    time_t   produced_at;
-    chunk_t  responses;
-    chunk_t  nonce;
-    int      algorithm;
-    chunk_t  signature;
+       chunk_t  tbs;
+       chunk_t  responder_id_name;
+       chunk_t  responder_id_key;
+       time_t   produced_at;
+       chunk_t  responses;
+       chunk_t  nonce;
+       int      algorithm;
+       chunk_t  signature;
 };
 
 const response_t empty_response = {
-    { NULL, 0 }   ,    /* tbs */
-    { NULL, 0 }   ,    /* responder_id_name */
-    { NULL, 0 }   ,    /* responder_id_key */
-    UNDEFINED_TIME,    /* produced_at */
-    { NULL, 0 }   ,    /* single_response */
-    { NULL, 0 }   ,    /* nonce */
-    OID_UNKNOWN   ,    /* signature_algorithm */
-    { NULL, 0 }                /* signature */
+       { NULL, 0 }   ,     /* tbs */
+       { NULL, 0 }   ,     /* responder_id_name */
+       { NULL, 0 }   ,     /* responder_id_key */
+       UNDEFINED_TIME,     /* produced_at */
+       { NULL, 0 }   ,     /* single_response */
+       { NULL, 0 }   ,     /* nonce */
+       OID_UNKNOWN   ,     /* signature_algorithm */
+       { NULL, 0 }         /* signature */
 };
 
 /* single response container */
 typedef struct single_response single_response_t;
 
 struct single_response {
-    single_response_t *next;
-    int               hash_algorithm;
-    chunk_t           issuer_name_hash;
-    chunk_t           issuer_key_hash;
-    chunk_t           serialNumber;
-    cert_status_t     status;
-    time_t            revocationTime;
-    crl_reason_t      revocationReason;
-    time_t            thisUpdate;
-    time_t            nextUpdate;
+       single_response_t *next;
+       int               hash_algorithm;
+       chunk_t           issuer_name_hash;
+       chunk_t           issuer_key_hash;
+       chunk_t           serialNumber;
+       cert_status_t     status;
+       time_t            revocationTime;
+       crl_reason_t      revocationReason;
+       time_t            thisUpdate;
+       time_t            nextUpdate;
 };
 
 const single_response_t empty_single_response = {
-      NULL            ,        /* *next */
-    OID_UNKNOWN       ,        /* hash_algorithm */
-    { NULL, 0 }       ,        /* issuer_name_hash */
-    { NULL, 0 }       ,        /* issuer_key_hash */
-    { NULL, 0 }       ,        /* serial_number */
-    CERT_UNDEFINED    ,        /* status */
-    UNDEFINED_TIME    ,        /* revocationTime */
-    REASON_UNSPECIFIED,        /* revocationReason */
-    UNDEFINED_TIME    ,        /* this_update */
-    UNDEFINED_TIME     /* next_update */
+         NULL            , /* *next */
+       OID_UNKNOWN       , /* hash_algorithm */
+       { NULL, 0 }       , /* issuer_name_hash */
+       { NULL, 0 }       , /* issuer_key_hash */
+       { NULL, 0 }       , /* serial_number */
+       CERT_UNDEFINED    , /* status */
+       UNDEFINED_TIME    , /* revocationTime */
+       REASON_UNSPECIFIED, /* revocationReason */
+       UNDEFINED_TIME    , /* this_update */
+       UNDEFINED_TIME      /* next_update */
 };
 
 
 /* list of single requests */
 typedef struct request_list request_list_t;
 struct request_list {
-    chunk_t request;
-    request_list_t *next;
+       chunk_t request;
+       request_list_t *next;
 };
 
 /* some OCSP specific prefabricated ASN.1 constants */
 
 static u_char ASN1_nonce_oid_str[] = {
-    0x06, 0x09, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x02
+       0x06, 0x09, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x02
 };
 
 static const chunk_t ASN1_nonce_oid = chunk_from_buf(ASN1_nonce_oid_str);
 
 static u_char ASN1_response_oid_str[] = {
-    0x06, 0x09, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x04
+       0x06, 0x09, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x04
 };
 
 static const chunk_t ASN1_response_oid = chunk_from_buf(ASN1_response_oid_str);
 
 static u_char ASN1_response_content_str[] = {
-    0x04, 0x0D,
-         0x30, 0x0B,
-               0x06, 0x09, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x01
+       0x04, 0x0D,
+                 0x30, 0x0B,
+                               0x06, 0x09, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x01
 };
 
 static const chunk_t ASN1_response_content = chunk_from_buf(ASN1_response_content_str);
@@ -172,16 +172,16 @@ static const asn1Object_t ocspResponseObjects[] = {
   { 1,   "end opt",                     ASN1_EOC,          ASN1_END  }  /*  6 */
 };
 
-#define OCSP_RESPONSE_STATUS   1
-#define OCSP_RESPONSE_TYPE     4
-#define OCSP_RESPONSE          5
-#define OCSP_RESPONSE_ROOF     7
+#define OCSP_RESPONSE_STATUS    1
+#define OCSP_RESPONSE_TYPE      4
+#define OCSP_RESPONSE           5
+#define OCSP_RESPONSE_ROOF      7
 
 static const asn1Object_t basicResponseObjects[] = {
   { 0, "BasicOCSPResponse",             ASN1_SEQUENCE,        ASN1_NONE }, /*  0 */
   { 1,   "tbsResponseData",             ASN1_SEQUENCE,        ASN1_OBJ  }, /*  1 */
   { 2,     "versionContext",            ASN1_CONTEXT_C_0,     ASN1_NONE |
-                                                             ASN1_DEF  }, /*  2 */
+                                                                                                                         ASN1_DEF  }, /*  2 */
   { 3,       "version",                 ASN1_INTEGER,         ASN1_BODY }, /*  3 */
   { 2,     "responderIdContext",        ASN1_CONTEXT_C_1,     ASN1_OPT  }, /*  4 */
   { 3,       "responderIdByName",       ASN1_SEQUENCE,        ASN1_OBJ  }, /*  5 */
@@ -196,7 +196,7 @@ static const asn1Object_t basicResponseObjects[] = {
   { 4,         "extension",             ASN1_SEQUENCE,        ASN1_NONE }, /* 14 */
   { 5,           "extnID",              ASN1_OID,             ASN1_BODY }, /* 15 */
   { 5,           "critical",            ASN1_BOOLEAN,         ASN1_BODY |
-                                                             ASN1_DEF  }, /* 16 */
+                                                                                                                         ASN1_DEF  }, /* 16 */
   { 5,           "extnValue",           ASN1_OCTET_STRING,    ASN1_BODY }, /* 17 */
   { 4,         "end loop",              ASN1_EOC,             ASN1_END  }, /* 18 */
   { 2,     "end opt",                   ASN1_EOC,             ASN1_END  }, /* 19 */
@@ -205,23 +205,23 @@ static const asn1Object_t basicResponseObjects[] = {
   { 1,   "certsContext",                ASN1_CONTEXT_C_0,     ASN1_OPT  }, /* 22 */
   { 2,     "certs",                     ASN1_SEQUENCE,        ASN1_LOOP }, /* 23 */
   { 3,       "certificate",             ASN1_SEQUENCE,        ASN1_OBJ  }, /* 24 */
-  { 2,     "end loop",                  ASN1_EOC,            ASN1_END  }, /* 25 */
+  { 2,     "end loop",                  ASN1_EOC,             ASN1_END  }, /* 25 */
   { 1,   "end opt",                     ASN1_EOC,             ASN1_END  }  /* 26 */
 };
 
-#define BASIC_RESPONSE_TBS_DATA                 1
-#define BASIC_RESPONSE_VERSION          3
-#define BASIC_RESPONSE_ID_BY_NAME       5
-#define BASIC_RESPONSE_ID_BY_KEY        8
-#define BASIC_RESPONSE_PRODUCED_AT     10
-#define BASIC_RESPONSE_RESPONSES       11
-#define BASIC_RESPONSE_EXT_ID          15
-#define BASIC_RESPONSE_CRITICAL                16
-#define BASIC_RESPONSE_EXT_VALUE       17
-#define BASIC_RESPONSE_ALGORITHM       20
-#define BASIC_RESPONSE_SIGNATURE       21
-#define BASIC_RESPONSE_CERTIFICATE     24
-#define BASIC_RESPONSE_ROOF            27
+#define BASIC_RESPONSE_TBS_DATA          1
+#define BASIC_RESPONSE_VERSION           3
+#define BASIC_RESPONSE_ID_BY_NAME        5
+#define BASIC_RESPONSE_ID_BY_KEY         8
+#define BASIC_RESPONSE_PRODUCED_AT      10
+#define BASIC_RESPONSE_RESPONSES        11
+#define BASIC_RESPONSE_EXT_ID           15
+#define BASIC_RESPONSE_CRITICAL         16
+#define BASIC_RESPONSE_EXT_VALUE        17
+#define BASIC_RESPONSE_ALGORITHM        20
+#define BASIC_RESPONSE_SIGNATURE        21
+#define BASIC_RESPONSE_CERTIFICATE      24
+#define BASIC_RESPONSE_ROOF             27
 
 static const asn1Object_t responsesObjects[] = {
   { 0, "responses",                   ASN1_SEQUENCE,          ASN1_LOOP }, /*  0 */
@@ -229,8 +229,8 @@ static const asn1Object_t responsesObjects[] = {
   { 0, "end loop",                    ASN1_EOC,               ASN1_END  }  /*  2 */
 };
 
-#define RESPONSES_SINGLE_RESPONSE       1
-#define RESPONSES_ROOF                  3
+#define RESPONSES_SINGLE_RESPONSE        1
+#define RESPONSES_ROOF                   3
 
 static const asn1Object_t singleResponseObjects[] = {
   { 0, "singleResponse",            ASN1_SEQUENCE,          ASN1_BODY }, /*  0 */
@@ -258,27 +258,27 @@ static const asn1Object_t singleResponseObjects[] = {
   { 3,       "extension",           ASN1_SEQUENCE,          ASN1_NONE }, /* 22 */
   { 4,         "extnID",            ASN1_OID,               ASN1_BODY }, /* 23 */
   { 4,         "critical",          ASN1_BOOLEAN,           ASN1_BODY |
-                                                           ASN1_DEF  }, /* 24 */
+                                                                                                                       ASN1_DEF  }, /* 24 */
   { 4,         "extnValue",         ASN1_OCTET_STRING,      ASN1_BODY }, /* 25 */
   { 2,     "end loop",              ASN1_EOC,               ASN1_END  }, /* 26 */
   { 1,   "end opt",                 ASN1_EOC,               ASN1_END  }  /* 27 */
 };
 
-#define SINGLE_RESPONSE_ALGORITHM                       2
-#define SINGLE_RESPONSE_ISSUER_NAME_HASH                3
-#define SINGLE_RESPONSE_ISSUER_KEY_HASH                         4
-#define SINGLE_RESPONSE_SERIAL_NUMBER                   5
-#define SINGLE_RESPONSE_CERT_STATUS_GOOD                6
-#define SINGLE_RESPONSE_CERT_STATUS_REVOKED             8
-#define SINGLE_RESPONSE_CERT_STATUS_REVOCATION_TIME     9
-#define SINGLE_RESPONSE_CERT_STATUS_CRL_REASON         11
-#define SINGLE_RESPONSE_CERT_STATUS_UNKNOWN            14
-#define SINGLE_RESPONSE_THIS_UPDATE                    16
-#define SINGLE_RESPONSE_NEXT_UPDATE                    18
-#define SINGLE_RESPONSE_EXT_ID                         23
-#define SINGLE_RESPONSE_CRITICAL                       24
-#define SINGLE_RESPONSE_EXT_VALUE                      25
-#define SINGLE_RESPONSE_ROOF                           28
+#define SINGLE_RESPONSE_ALGORITHM                        2
+#define SINGLE_RESPONSE_ISSUER_NAME_HASH                 3
+#define SINGLE_RESPONSE_ISSUER_KEY_HASH                  4
+#define SINGLE_RESPONSE_SERIAL_NUMBER                    5
+#define SINGLE_RESPONSE_CERT_STATUS_GOOD                 6
+#define SINGLE_RESPONSE_CERT_STATUS_REVOKED              8
+#define SINGLE_RESPONSE_CERT_STATUS_REVOCATION_TIME      9
+#define SINGLE_RESPONSE_CERT_STATUS_CRL_REASON          11
+#define SINGLE_RESPONSE_CERT_STATUS_UNKNOWN             14
+#define SINGLE_RESPONSE_THIS_UPDATE                     16
+#define SINGLE_RESPONSE_NEXT_UPDATE                     18
+#define SINGLE_RESPONSE_EXT_ID                          23
+#define SINGLE_RESPONSE_CRITICAL                        24
+#define SINGLE_RESPONSE_EXT_VALUE                       25
+#define SINGLE_RESPONSE_ROOF                            28
 
 /* build an ocsp location from certificate information
  * without unsharing its contents
@@ -286,48 +286,48 @@ static const asn1Object_t singleResponseObjects[] = {
 static bool
 build_ocsp_location(const x509cert_t *cert, ocsp_location_t *location)
 {
-    static u_char digest[SHA1_DIGEST_SIZE];  /* temporary storage */
+       static u_char digest[SHA1_DIGEST_SIZE];  /* temporary storage */
 
-    location->uri = cert->accessLocation;
+       location->uri = cert->accessLocation;
 
-    if (location->uri.ptr == NULL)
-    {
-       ca_info_t *ca = get_ca_info(cert->issuer, cert->authKeySerialNumber
-               , cert->authKeyID);
-       if (ca != NULL && ca->ocspuri != NULL)
+       if (location->uri.ptr == NULL)
        {
-           location->uri = chunk_create(ca->ocspuri, strlen(ca->ocspuri));
-       }
-       else
-       {   /* abort if no ocsp location uri is defined */
-           return FALSE;
+               ca_info_t *ca = get_ca_info(cert->issuer, cert->authKeySerialNumber
+                               , cert->authKeyID);
+               if (ca != NULL && ca->ocspuri != NULL)
+               {
+                       location->uri = chunk_create(ca->ocspuri, strlen(ca->ocspuri));
+               }
+               else
+               {   /* abort if no ocsp location uri is defined */
+                       return FALSE;
+               }
        }
-    }
-    
-    location->authNameID = chunk_create(digest, SHA1_DIGEST_SIZE);
-    compute_digest(cert->issuer, OID_SHA1, &location->authNameID);
-
-    location->next = NULL;
-    location->issuer = cert->issuer;
-    location->authKeyID = cert->authKeyID;
-    location->authKeySerialNumber = cert->authKeySerialNumber;
-    
-    if (cert->authKeyID.ptr == NULL) 
-    {
-       x509cert_t *authcert = get_authcert(cert->issuer
-               , cert->authKeySerialNumber, cert->authKeyID, AUTH_CA);
-
-       if (authcert != NULL)
+       
+       location->authNameID = chunk_create(digest, SHA1_DIGEST_SIZE);
+       compute_digest(cert->issuer, OID_SHA1, &location->authNameID);
+
+       location->next = NULL;
+       location->issuer = cert->issuer;
+       location->authKeyID = cert->authKeyID;
+       location->authKeySerialNumber = cert->authKeySerialNumber;
+       
+       if (cert->authKeyID.ptr == NULL) 
        {
-           location->authKeyID = authcert->subjectKeyID;
-           location->authKeySerialNumber = authcert->serialNumber;
+               x509cert_t *authcert = get_authcert(cert->issuer
+                               , cert->authKeySerialNumber, cert->authKeyID, AUTH_CA);
+
+               if (authcert != NULL)
+               {
+                       location->authKeyID = authcert->subjectKeyID;
+                       location->authKeySerialNumber = authcert->serialNumber;
+               }
        }
-    }
 
-    location->nonce = chunk_empty;
-    location->certinfo = NULL;
+       location->nonce = chunk_empty;
+       location->certinfo = NULL;
 
-    return TRUE;
+       return TRUE;
 }
 
 /*
@@ -336,11 +336,11 @@ build_ocsp_location(const x509cert_t *cert, ocsp_location_t *location)
 static bool
 same_ocsp_location(const ocsp_location_t *a, const ocsp_location_t *b)
 {
-    return ((a->authKeyID.ptr != NULL)
-               ? same_keyid(a->authKeyID, b->authKeyID)
-               : (same_dn(a->issuer, b->issuer)
-                   && same_serial(a->authKeySerialNumber, b->authKeySerialNumber)))
-           && chunk_equals(a->uri, b->uri);
+       return ((a->authKeyID.ptr != NULL)
+                               ? same_keyid(a->authKeyID, b->authKeyID)
+                               : (same_dn(a->issuer, b->issuer)
+                                       && same_serial(a->authKeySerialNumber, b->authKeySerialNumber)))
+                       && chunk_equals(a->uri, b->uri);
 }
 
 /*
@@ -350,53 +350,53 @@ ocsp_location_t*
 get_ocsp_location(const ocsp_location_t * loc, ocsp_location_t *chain)
 {
 
-    while (chain != NULL)
-    {
-       if (same_ocsp_location(loc, chain))
-           return chain;
-       chain = chain->next;
-    }
-    return NULL;
+       while (chain != NULL)
+       {
+               if (same_ocsp_location(loc, chain))
+                       return chain;
+               chain = chain->next;
+       }
+       return NULL;
 }
+
 /* retrieves the status of a cert from the ocsp cache
  * returns CERT_UNDEFINED if no status is found
  */
 static cert_status_t
 get_ocsp_status(const ocsp_location_t *loc, chunk_t serialNumber
-    ,time_t *nextUpdate, time_t *revocationTime, crl_reason_t *revocationReason)
+       ,time_t *nextUpdate, time_t *revocationTime, crl_reason_t *revocationReason)
 {
-    ocsp_certinfo_t *certinfo, **certinfop;
-    int cmp = -1;
-
-    /* find location */
-    ocsp_location_t *location = get_ocsp_location(loc, ocsp_cache);
+       ocsp_certinfo_t *certinfo, **certinfop;
+       int cmp = -1;
 
-    if (location == NULL)
-       return CERT_UNDEFINED;
+       /* find location */
+       ocsp_location_t *location = get_ocsp_location(loc, ocsp_cache);
 
-    /* traverse list of certinfos in increasing order */
-    certinfop = &location->certinfo;
-    certinfo = *certinfop;
+       if (location == NULL)
+               return CERT_UNDEFINED;
 
-    while (certinfo != NULL)
-    {
-       cmp = chunk_compare(serialNumber, certinfo->serialNumber);
-       if (cmp <= 0)
-           break;
-       certinfop = &certinfo->next;
+       /* traverse list of certinfos in increasing order */
+       certinfop = &location->certinfo;
        certinfo = *certinfop;
-    }
 
-    if (cmp == 0)
-    {
-       *nextUpdate = certinfo->nextUpdate;
-       *revocationTime = certinfo->revocationTime;
-       *revocationReason = certinfo->revocationReason;
-       return certinfo->status;
-    }
+       while (certinfo != NULL)
+       {
+               cmp = chunk_compare(serialNumber, certinfo->serialNumber);
+               if (cmp <= 0)
+                       break;
+               certinfop = &certinfo->next;
+               certinfo = *certinfop;
+       }
+
+       if (cmp == 0)
+       {
+               *nextUpdate = certinfo->nextUpdate;
+               *revocationTime = certinfo->revocationTime;
+               *revocationReason = certinfo->revocationReason;
+               return certinfo->status;
+       }
 
-    return CERT_UNDEFINED;
+       return CERT_UNDEFINED;
 }
 
 /*
@@ -406,32 +406,32 @@ cert_status_t
 verify_by_ocsp(const x509cert_t *cert, time_t *until
 , time_t *revocationDate, crl_reason_t *revocationReason)
 {
-    cert_status_t status;
-    ocsp_location_t location;
-    time_t nextUpdate = 0;
-
-    *revocationDate = UNDEFINED_TIME;
-    *revocationReason = REASON_UNSPECIFIED;
-    
-    /* is an ocsp location defined? */
-    if (!build_ocsp_location(cert, &location))
-       return CERT_UNDEFINED;
+       cert_status_t status;
+       ocsp_location_t location;
+       time_t nextUpdate = 0;
+
+       *revocationDate = UNDEFINED_TIME;
+       *revocationReason = REASON_UNSPECIFIED;
+       
+       /* is an ocsp location defined? */
+       if (!build_ocsp_location(cert, &location))
+               return CERT_UNDEFINED;
 
-    lock_ocsp_cache("verify_by_ocsp");
-    status = get_ocsp_status(&location, cert->serialNumber, &nextUpdate
-       , revocationDate, revocationReason);
-    unlock_ocsp_cache("verify_by_ocsp");
-
-    if (status == CERT_UNDEFINED || nextUpdate < time(NULL))
-    {
-       plog("ocsp status is stale or not in cache");
-       add_ocsp_fetch_request(&location, cert->serialNumber);
-
-       /* inititate fetching of ocsp status */
-       wake_fetch_thread("verify_by_ocsp");
-    }
-    *until = nextUpdate;
-    return status;
+       lock_ocsp_cache("verify_by_ocsp");
+       status = get_ocsp_status(&location, cert->serialNumber, &nextUpdate
+               , revocationDate, revocationReason);
+       unlock_ocsp_cache("verify_by_ocsp");
+
+       if (status == CERT_UNDEFINED || nextUpdate < time(NULL))
+       {
+               plog("ocsp status is stale or not in cache");
+               add_ocsp_fetch_request(&location, cert->serialNumber);
+
+               /* inititate fetching of ocsp status */
+               wake_fetch_thread("verify_by_ocsp");
+       }
+       *until = nextUpdate;
+       return status;
 }
 
 /*
@@ -440,49 +440,49 @@ verify_by_ocsp(const x509cert_t *cert, time_t *until
 void
 check_ocsp(void)
 {
-    ocsp_location_t *location;
+       ocsp_location_t *location;
 
-    lock_ocsp_cache("check_ocsp");
-    location = ocsp_cache;
-    
-    while (location != NULL)
-    {
-       char buf[BUF_LEN];
-       bool first = TRUE;
-       ocsp_certinfo_t *certinfo = location->certinfo;
-
-       while (certinfo != NULL)
+       lock_ocsp_cache("check_ocsp");
+       location = ocsp_cache;
+       
+       while (location != NULL)
        {
-           if (!certinfo->once)
-           {
-               time_t time_left = certinfo->nextUpdate - time(NULL);
+               char buf[BUF_LEN];
+               bool first = TRUE;
+               ocsp_certinfo_t *certinfo = location->certinfo;
 
-               DBG(DBG_CONTROL,
-                   if (first)
-                   {
-                       dntoa(buf, BUF_LEN, location->issuer);
-                       DBG_log("issuer: '%s'", buf);
-                       if (location->authKeyID.ptr != NULL)
+               while (certinfo != NULL)
+               {
+                       if (!certinfo->once)
                        {
-                           datatot(location->authKeyID.ptr, location->authKeyID.len
-                               , ':', buf, BUF_LEN);
-                           DBG_log("authkey: %s", buf);
+                               time_t time_left = certinfo->nextUpdate - time(NULL);
+
+                               DBG(DBG_CONTROL,
+                                       if (first)
+                                       {
+                                               dntoa(buf, BUF_LEN, location->issuer);
+                                               DBG_log("issuer: '%s'", buf);
+                                               if (location->authKeyID.ptr != NULL)
+                                               {
+                                                       datatot(location->authKeyID.ptr, location->authKeyID.len
+                                                               , ':', buf, BUF_LEN);
+                                                       DBG_log("authkey: %s", buf);
+                                               }
+                                               first = FALSE;
+                                       }
+                                       datatot(certinfo->serialNumber.ptr, certinfo->serialNumber.len
+                                               , ':', buf, BUF_LEN);
+                                       DBG_log("serial: %s, %ld seconds left", buf, time_left)
+                               )
+
+                               if (time_left < 2*crl_check_interval)
+                                       add_ocsp_fetch_request(location, certinfo->serialNumber);
                        }
-                       first = FALSE;
-                   }
-                   datatot(certinfo->serialNumber.ptr, certinfo->serialNumber.len
-                       , ':', buf, BUF_LEN);
-                   DBG_log("serial: %s, %ld seconds left", buf, time_left)
-               )
-
-               if (time_left < 2*crl_check_interval)
-                   add_ocsp_fetch_request(location, certinfo->serialNumber);
-           }
-           certinfo = certinfo->next;
+                       certinfo = certinfo->next;
+               }
+               location = location->next;
        }
-       location = location->next;
-    }
-    unlock_ocsp_cache("check_ocsp");
+       unlock_ocsp_cache("check_ocsp");
 }
 
 /*
@@ -491,8 +491,8 @@ check_ocsp(void)
 static void
 free_certinfo(ocsp_certinfo_t *certinfo)
 {
-    free(certinfo->serialNumber.ptr);
-    free(certinfo);
+       free(certinfo->serialNumber.ptr);
+       free(certinfo);
 }
 
 /*
@@ -501,14 +501,14 @@ free_certinfo(ocsp_certinfo_t *certinfo)
 static void
 free_certinfos(ocsp_certinfo_t *chain)
 {
-    ocsp_certinfo_t *certinfo;
+       ocsp_certinfo_t *certinfo;
 
-    while (chain != NULL)
-    {
-       certinfo = chain;
-       chain = chain->next;
-       free_certinfo(certinfo);
-    }
+       while (chain != NULL)
+       {
+               certinfo = chain;
+               chain = chain->next;
+               free_certinfo(certinfo);
+       }
 }
 
 /*
@@ -517,13 +517,13 @@ free_certinfos(ocsp_certinfo_t *chain)
 static void
 free_ocsp_location(ocsp_location_t* location)
 {
-    free(location->issuer.ptr);
-    free(location->authNameID.ptr);
-    free(location->authKeyID.ptr);
-    free(location->authKeySerialNumber.ptr);
-    free(location->uri.ptr);
-    free_certinfos(location->certinfo);
-    free(location);
+       free(location->issuer.ptr);
+       free(location->authNameID.ptr);
+       free(location->authKeyID.ptr);
+       free(location->authKeySerialNumber.ptr);
+       free(location->uri.ptr);
+       free_certinfos(location->certinfo);
+       free(location);
 }
 
 /*
@@ -532,12 +532,12 @@ free_ocsp_location(ocsp_location_t* location)
 void
 free_ocsp_locations(ocsp_location_t **chain)
 {
-    while (*chain != NULL)
-    {
-       ocsp_location_t *location = *chain;
-       *chain = location->next;
-       free_ocsp_location(location);
-    }
+       while (*chain != NULL)
+       {
+               ocsp_location_t *location = *chain;
+               *chain = location->next;
+               free_ocsp_location(location);
+       }
 }
 
 /*
@@ -546,9 +546,9 @@ free_ocsp_locations(ocsp_location_t **chain)
 void
 free_ocsp_cache(void)
 {
-    lock_ocsp_cache("free_ocsp_cache");
-    free_ocsp_locations(&ocsp_cache);
-    unlock_ocsp_cache("free_ocsp_cache");
+       lock_ocsp_cache("free_ocsp_cache");
+       free_ocsp_locations(&ocsp_cache);
+       unlock_ocsp_cache("free_ocsp_cache");
 }
 
 /*
@@ -557,8 +557,8 @@ free_ocsp_cache(void)
 void
 free_ocsp(void)
 {
-    free(ocsp_default_uri.ptr);
-    free_ocsp_cache();
+       free(ocsp_default_uri.ptr);
+       free_ocsp_cache();
 }
 
 /*
@@ -568,80 +568,80 @@ void
 list_ocsp_locations(ocsp_location_t *location, bool requests, bool utc
 , bool strict)
 {
-    bool first = TRUE;
-
-    while (location != NULL)
-    {
-       ocsp_certinfo_t *certinfo = location->certinfo;
+       bool first = TRUE;
 
-       if (certinfo != NULL)
+       while (location != NULL)
        {
-           u_char buf[BUF_LEN];
-
-           if (first)
-           {
-               whack_log(RC_COMMENT, " ");
-               whack_log(RC_COMMENT, "List of OCSP %s:", requests?
-                   "fetch requests":"responses");
-               first = FALSE;
-            }
-           whack_log(RC_COMMENT, " ");
-           if (location->issuer.ptr != NULL)
-           {
-               dntoa(buf, BUF_LEN, location->issuer);
-               whack_log(RC_COMMENT, "       issuer:  '%s'", buf);
-           }
-           whack_log(RC_COMMENT, "       uri:     '%.*s'", (int)location->uri.len
-               , location->uri.ptr);
-           if (location->authNameID.ptr != NULL)
-           {
-               datatot(location->authNameID.ptr, location->authNameID.len, ':'
-                   , buf, BUF_LEN);
-               whack_log(RC_COMMENT, "       authname: %s", buf);
-           }
-           if (location->authKeyID.ptr != NULL)
-           {
-               datatot(location->authKeyID.ptr, location->authKeyID.len, ':'
-                   , buf, BUF_LEN);
-               whack_log(RC_COMMENT, "       authkey:  %s", buf);
-           }
-           if (location->authKeySerialNumber.ptr != NULL)
-           {
-               datatot(location->authKeySerialNumber.ptr
-                   , location->authKeySerialNumber.len, ':', buf, BUF_LEN);
-               whack_log(RC_COMMENT, "       aserial:  %s", buf);
-           }
-           while (certinfo != NULL)
-           {
-               char thisUpdate[TIMETOA_BUF];
-
-               strcpy(thisUpdate, timetoa(&certinfo->thisUpdate, utc));
-
-               if (requests)
-               {
-                   whack_log(RC_COMMENT, "%s, trials: %d", thisUpdate
-                       , certinfo->trials);
-               }
-               else if (certinfo->once)
-               {
-                   whack_log(RC_COMMENT, "%s, onetime use%s", thisUpdate
-                       , (certinfo->nextUpdate < time(NULL))? " (expired)": "");
-               }
-               else
+               ocsp_certinfo_t *certinfo = location->certinfo;
+
+               if (certinfo != NULL)
                {
-                   whack_log(RC_COMMENT, "%s, until %s %s", thisUpdate
-                       , timetoa(&certinfo->nextUpdate, utc)
-                       , check_expiry(certinfo->nextUpdate, OCSP_WARNING_INTERVAL, strict));
+                       u_char buf[BUF_LEN];
+
+                       if (first)
+                       {
+                               whack_log(RC_COMMENT, " ");
+                               whack_log(RC_COMMENT, "List of OCSP %s:", requests?
+                                       "fetch requests":"responses");
+                               first = FALSE;
+                       }
+                       whack_log(RC_COMMENT, " ");
+                       if (location->issuer.ptr != NULL)
+                       {
+                               dntoa(buf, BUF_LEN, location->issuer);
+                               whack_log(RC_COMMENT, "       issuer:  '%s'", buf);
+                       }
+                       whack_log(RC_COMMENT, "       uri:     '%.*s'", (int)location->uri.len
+                               , location->uri.ptr);
+                       if (location->authNameID.ptr != NULL)
+                       {
+                               datatot(location->authNameID.ptr, location->authNameID.len, ':'
+                                       , buf, BUF_LEN);
+                               whack_log(RC_COMMENT, "       authname: %s", buf);
+                       }
+                       if (location->authKeyID.ptr != NULL)
+                       {
+                               datatot(location->authKeyID.ptr, location->authKeyID.len, ':'
+                                       , buf, BUF_LEN);
+                               whack_log(RC_COMMENT, "       authkey:  %s", buf);
+                       }
+                       if (location->authKeySerialNumber.ptr != NULL)
+                       {
+                               datatot(location->authKeySerialNumber.ptr
+                                       , location->authKeySerialNumber.len, ':', buf, BUF_LEN);
+                               whack_log(RC_COMMENT, "       aserial:  %s", buf);
+                       }
+                       while (certinfo != NULL)
+                       {
+                               char thisUpdate[BUF_LEN];
+
+                               snprintf(thisUpdate, BUF_LEN, "%T", &certinfo->thisUpdate, utc);
+
+                               if (requests)
+                               {
+                                       whack_log(RC_COMMENT, "%s, trials: %d", thisUpdate
+                                               , certinfo->trials);
+                               }
+                               else if (certinfo->once)
+                               {
+                                       whack_log(RC_COMMENT, "%s, onetime use%s", thisUpdate
+                                               , (certinfo->nextUpdate < time(NULL))? " (expired)": "");
+                               }
+                               else
+                               {
+                                       whack_log(RC_COMMENT, "%s, until %T %s", thisUpdate
+                                               , &certinfo->nextUpdate, utc
+                                               , check_expiry(certinfo->nextUpdate, OCSP_WARNING_INTERVAL, strict));
+                               }
+                               datatot(certinfo->serialNumber.ptr, certinfo->serialNumber.len, ':'
+                                       , buf, BUF_LEN);
+                               whack_log(RC_COMMENT, "       serial:   %s, %s", buf
+                                       , cert_status_names[certinfo->status]);
+                               certinfo = certinfo->next;
+                       }
                }
-               datatot(certinfo->serialNumber.ptr, certinfo->serialNumber.len, ':'
-                   , buf, BUF_LEN);
-               whack_log(RC_COMMENT, "       serial:   %s, %s", buf
-                   , cert_status_names[certinfo->status]);
-               certinfo = certinfo->next;
-           }
+               location = location->next;
        }
-       location = location->next;
-    }
 }
 
 /*
@@ -650,121 +650,121 @@ list_ocsp_locations(ocsp_location_t *location, bool requests, bool utc
 void
 list_ocsp_cache(bool utc, bool strict)
 {
-    lock_ocsp_cache("list_ocsp_cache");
-    list_ocsp_locations(ocsp_cache, FALSE, utc, strict);
-    unlock_ocsp_cache("list_ocsp_cache");
+       lock_ocsp_cache("list_ocsp_cache");
+       list_ocsp_locations(ocsp_cache, FALSE, utc, strict);
+       unlock_ocsp_cache("list_ocsp_cache");
 }
 
 static bool
 get_ocsp_requestor_cert(ocsp_location_t *location)
 {
-    x509cert_t *cert = NULL;
-
-    /* initialize temporary static storage */
-    ocsp_requestor_cert = NULL;
-    ocsp_requestor_sc   = NULL;
-    ocsp_requestor_pri  = NULL;
+       x509cert_t *cert = NULL;
 
-    for (;;)
-    {
-       char buf[BUF_LEN];
+       /* initialize temporary static storage */
+       ocsp_requestor_cert = NULL;
+       ocsp_requestor_sc   = NULL;
+       ocsp_requestor_pri  = NULL;
 
-       /* looking for a certificate from the same issuer */
-       cert = get_x509cert(location->issuer, location->authKeySerialNumber
-                   ,location->authKeyID, cert);
-       if (cert == NULL)
-           break;
-
-       DBG(DBG_CONTROL,
-           dntoa(buf, BUF_LEN, cert->subject);
-           DBG_log("candidate: '%s'", buf);
-       )
-
-       if (cert->smartcard)
+       for (;;)
        {
-           /* look for a matching private key on a smartcard */
-           smartcard_t *sc = scx_get(cert);
+               char buf[BUF_LEN];
+
+               /* looking for a certificate from the same issuer */
+               cert = get_x509cert(location->issuer, location->authKeySerialNumber
+                                       ,location->authKeyID, cert);
+               if (cert == NULL)
+                       break;
 
-           if (sc != NULL)
-           {
                DBG(DBG_CONTROL,
-                   DBG_log("matching smartcard found")
+                       dntoa(buf, BUF_LEN, cert->subject);
+                       DBG_log("candidate: '%s'", buf);
                )
-               if (sc->valid)
+
+               if (cert->smartcard)
                {
-                   ocsp_requestor_cert = cert;
-                   ocsp_requestor_sc = sc;
-                   return TRUE;
+                       /* look for a matching private key on a smartcard */
+                       smartcard_t *sc = scx_get(cert);
+
+                       if (sc != NULL)
+                       {
+                               DBG(DBG_CONTROL,
+                                       DBG_log("matching smartcard found")
+                               )
+                               if (sc->valid)
+                               {
+                                       ocsp_requestor_cert = cert;
+                                       ocsp_requestor_sc = sc;
+                                       return TRUE;
+                               }
+                               plog("unable to sign ocsp request without PIN");
+                       }
                }
-               plog("unable to sign ocsp request without PIN");
-           }
-       }
-       else
-       {
-           /* look for a matching private key in the chained list */
-           const struct RSA_private_key *pri = get_x509_private_key(cert);
+               else
+               {
+                       /* look for a matching private key in the chained list */
+                       const struct RSA_private_key *pri = get_x509_private_key(cert);
 
-           if (pri != NULL)
-           {
-               DBG(DBG_CONTROL,
-                   DBG_log("matching private key found")
-               )
-               ocsp_requestor_cert = cert;
-               ocsp_requestor_pri = pri;
-               return TRUE;
-           }
+                       if (pri != NULL)
+                       {
+                               DBG(DBG_CONTROL,
+                                       DBG_log("matching private key found")
+                               )
+                               ocsp_requestor_cert = cert;
+                               ocsp_requestor_pri = pri;
+                               return TRUE;
+                       }
+               }
        }
-    }
-    return FALSE;
+       return FALSE;
 }
 
 static chunk_t
 generate_signature(chunk_t digest, smartcard_t *sc
-    , const RSA_private_key_t *pri)
+       , const RSA_private_key_t *pri)
 {
-    chunk_t sigdata;
-    u_char *pos;
-    size_t siglen = 0;
+       chunk_t sigdata;
+       u_char *pos;
+       size_t siglen = 0;
 
-    if (sc != NULL)
-    {
-       /* RSA signature is done on smartcard */
-
-       if (!scx_establish_context(sc) || !scx_login(sc))
+       if (sc != NULL)
        {
-           scx_release_context(sc);
-           return chunk_empty;
-       }
+               /* RSA signature is done on smartcard */
+
+               if (!scx_establish_context(sc) || !scx_login(sc))
+               {
+                       scx_release_context(sc);
+                       return chunk_empty;
+               }
 
-       siglen = scx_get_keylength(sc);
+               siglen = scx_get_keylength(sc);
 
-       if (siglen == 0)
-       {
-           plog("failed to get keylength from smartcard");
-           scx_release_context(sc);
-           return chunk_empty;
-       }
+               if (siglen == 0)
+               {
+                       plog("failed to get keylength from smartcard");
+                       scx_release_context(sc);
+                       return chunk_empty;
+               }
 
-       DBG(DBG_CONTROL | DBG_CRYPT,
-           DBG_log("signing hash with RSA key from smartcard (slot: %d, id: %s)"
-               , (int)sc->slot, sc->id)
-       )
+               DBG(DBG_CONTROL | DBG_CRYPT,
+                       DBG_log("signing hash with RSA key from smartcard (slot: %d, id: %s)"
+                               , (int)sc->slot, sc->id)
+               )
 
-       pos = build_asn1_object(&sigdata, ASN1_BIT_STRING, 1 + siglen);
-       *pos++ = 0x00;
-       scx_sign_hash(sc, digest.ptr, digest.len, pos, siglen);
-       if (!pkcs11_keep_state)
-           scx_release_context(sc);
-    }
-    else
-    {
-       /* RSA signature is done in software */
-       siglen = pri->pub.k;
-       pos = build_asn1_object(&sigdata, ASN1_BIT_STRING, 1 + siglen);
-       *pos++ = 0x00;
-       sign_hash(pri, digest.ptr, digest.len, pos, siglen);
-    }
-    return sigdata;
+               pos = build_asn1_object(&sigdata, ASN1_BIT_STRING, 1 + siglen);
+               *pos++ = 0x00;
+               scx_sign_hash(sc, digest.ptr, digest.len, pos, siglen);
+               if (!pkcs11_keep_state)
+                       scx_release_context(sc);
+       }
+       else
+       {
+               /* RSA signature is done in software */
+               siglen = pri->pub.k;
+               pos = build_asn1_object(&sigdata, ASN1_BIT_STRING, 1 + siglen);
+               *pos++ = 0x00;
+               sign_hash(pri, digest.ptr, digest.len, pos, siglen);
+       }
+       return sigdata;
 }
 
 /*
@@ -775,47 +775,47 @@ generate_signature(chunk_t digest, smartcard_t *sc
 static chunk_t
 build_signature(chunk_t tbsRequest)
 {
-    chunk_t sigdata, certs;
-    chunk_t digest_info;
-
-    u_char digest_buf[MAX_DIGEST_LEN];
-    chunk_t digest_raw = { digest_buf, MAX_DIGEST_LEN };
-
-    if (!compute_digest(tbsRequest, OID_SHA1, &digest_raw))
-       return chunk_empty;
-
-    /* according to PKCS#1 v2.1 digest must be packaged into
-     * an ASN.1 structure for encryption
-     */
-    digest_info = asn1_wrap(ASN1_SEQUENCE, "cm"
-       , ASN1_sha1_id
-       , asn1_simple_object(ASN1_OCTET_STRING, digest_raw));
-
-    /* generate the RSA signature */
-    sigdata = generate_signature(digest_info
-       , ocsp_requestor_sc
-       , ocsp_requestor_pri);
-    free(digest_info.ptr);
-
-    /* has the RSA signature generation been successful? */
-    if (sigdata.ptr == NULL)
-       return chunk_empty;
-
-    /* include our certificate */
-    certs = asn1_wrap(ASN1_CONTEXT_C_0, "m"
-               , asn1_simple_object(ASN1_SEQUENCE
-                   , ocsp_requestor_cert->certificate
-                 )
-           );
-
-    /* build signature comprising algorithm, signature and cert */
-    return asn1_wrap(ASN1_CONTEXT_C_0, "m"
-               , asn1_wrap(ASN1_SEQUENCE, "cmm"
-                   , ASN1_sha1WithRSA_id
-                   , sigdata
-                   , certs
-                 )
-          );
+       chunk_t sigdata, certs;
+       chunk_t digest_info;
+
+       u_char digest_buf[MAX_DIGEST_LEN];
+       chunk_t digest_raw = { digest_buf, MAX_DIGEST_LEN };
+
+       if (!compute_digest(tbsRequest, OID_SHA1, &digest_raw))
+               return chunk_empty;
+
+       /* according to PKCS#1 v2.1 digest must be packaged into
+        * an ASN.1 structure for encryption
+        */
+       digest_info = asn1_wrap(ASN1_SEQUENCE, "cm"
+               , ASN1_sha1_id
+               , asn1_simple_object(ASN1_OCTET_STRING, digest_raw));
+
+       /* generate the RSA signature */
+       sigdata = generate_signature(digest_info
+               , ocsp_requestor_sc
+               , ocsp_requestor_pri);
+       free(digest_info.ptr);
+
+       /* has the RSA signature generation been successful? */
+       if (sigdata.ptr == NULL)
+               return chunk_empty;
+
+       /* include our certificate */
+       certs = asn1_wrap(ASN1_CONTEXT_C_0, "m"
+                               , asn1_simple_object(ASN1_SEQUENCE
+                                       , ocsp_requestor_cert->certificate
+                                 )
+                       );
+
+       /* build signature comprising algorithm, signature and cert */
+       return asn1_wrap(ASN1_CONTEXT_C_0, "m"
+                               , asn1_wrap(ASN1_SEQUENCE, "cmm"
+                                       , ASN1_sha1WithRSA_id
+                                       , sigdata
+                                       , certs
+                                 )
+                  );
 }
 
 /* build request (into requestList)
@@ -824,13 +824,13 @@ build_signature(chunk_t tbsRequest)
 static chunk_t
 build_request(ocsp_location_t *location, ocsp_certinfo_t *certinfo)
 {
-    chunk_t reqCert = asn1_wrap(ASN1_SEQUENCE, "cmmm"
-               , ASN1_sha1_id
-               , asn1_simple_object(ASN1_OCTET_STRING, location->authNameID)
-               , asn1_simple_object(ASN1_OCTET_STRING, location->authKeyID)
-               , asn1_simple_object(ASN1_INTEGER, certinfo->serialNumber));
+       chunk_t reqCert = asn1_wrap(ASN1_SEQUENCE, "cmmm"
+                               , ASN1_sha1_id
+                               , asn1_simple_object(ASN1_OCTET_STRING, location->authNameID)
+                               , asn1_simple_object(ASN1_OCTET_STRING, location->authKeyID)
+                               , asn1_simple_object(ASN1_INTEGER, certinfo->serialNumber));
 
-    return asn1_wrap(ASN1_SEQUENCE, "m", reqCert);
+       return asn1_wrap(ASN1_SEQUENCE, "m", reqCert);
 }
 
 /*
@@ -839,43 +839,43 @@ build_request(ocsp_location_t *location, ocsp_certinfo_t *certinfo)
 static chunk_t
 build_request_list(ocsp_location_t *location)
 {
-    chunk_t requestList;
-    request_list_t *reqs = NULL;
-    ocsp_certinfo_t *certinfo = location->certinfo;
-    u_char *pos;
-
-    size_t datalen = 0;
-
-    /* build content */
-    while (certinfo != NULL)
-    {
-       /* build request for every certificate in list
-        * and store them in a chained list
-        */
-       request_list_t *req = malloc_thing(request_list_t);
+       chunk_t requestList;
+       request_list_t *reqs = NULL;
+       ocsp_certinfo_t *certinfo = location->certinfo;
+       u_char *pos;
 
-       req->request = build_request(location, certinfo);
-       req->next = reqs;
-       reqs = req;
+       size_t datalen = 0;
 
-       datalen += req->request.len;
-       certinfo = certinfo->next;
-    }
+       /* build content */
+       while (certinfo != NULL)
+       {
+               /* build request for every certificate in list
+                * and store them in a chained list
+                */
+               request_list_t *req = malloc_thing(request_list_t);
 
-    pos = build_asn1_object(&requestList, ASN1_SEQUENCE
-           , datalen);
+               req->request = build_request(location, certinfo);
+               req->next = reqs;
+               reqs = req;
 
-    /* copy all in chained list, free list afterwards */
-    while (reqs != NULL)
-    {
-       request_list_t *req = reqs;
+               datalen += req->request.len;
+               certinfo = certinfo->next;
+       }
 
-       mv_chunk(&pos, req->request);
-       reqs = reqs->next;
-       free(req);
-    }
+       pos = build_asn1_object(&requestList, ASN1_SEQUENCE
+                       , datalen);
+
+       /* copy all in chained list, free list afterwards */
+       while (reqs != NULL)
+       {
+               request_list_t *req = reqs;
+
+               mv_chunk(&pos, req->request);
+               reqs = reqs->next;
+               free(req);
+       }
 
-    return requestList;
+       return requestList;
 }
 
 /*
@@ -884,9 +884,9 @@ build_request_list(ocsp_location_t *location)
 static chunk_t
 build_requestor_name(void)
 {
-    return asn1_wrap(ASN1_CONTEXT_C_1, "m"
-               , asn1_simple_object(ASN1_CONTEXT_C_4
-                   , ocsp_requestor_cert->subject));
+       return asn1_wrap(ASN1_CONTEXT_C_1, "m"
+                               , asn1_simple_object(ASN1_CONTEXT_C_4
+                                       , ocsp_requestor_cert->subject));
 }
 
 /*
@@ -895,14 +895,14 @@ build_requestor_name(void)
 static chunk_t
 build_nonce_extension(ocsp_location_t *location)
 {
-    /* generate a random nonce */
-    location->nonce.ptr = malloc(NONCE_LENGTH),
-    location->nonce.len = NONCE_LENGTH;
-    get_rnd_bytes(location->nonce.ptr, NONCE_LENGTH);
-
-    return asn1_wrap(ASN1_SEQUENCE, "cm"
-               , ASN1_nonce_oid
-               , asn1_simple_object(ASN1_OCTET_STRING, location->nonce));
+       /* generate a random nonce */
+       location->nonce.ptr = malloc(NONCE_LENGTH),
+       location->nonce.len = NONCE_LENGTH;
+       get_rnd_bytes(location->nonce.ptr, NONCE_LENGTH);
+
+       return asn1_wrap(ASN1_SEQUENCE, "cm"
+                               , ASN1_nonce_oid
+                               , asn1_simple_object(ASN1_OCTET_STRING, location->nonce));
 }
 
 /*
@@ -911,15 +911,15 @@ build_nonce_extension(ocsp_location_t *location)
 static chunk_t
 build_request_ext(ocsp_location_t *location)
 {
-    return asn1_wrap(ASN1_CONTEXT_C_2, "m"
-               , asn1_wrap(ASN1_SEQUENCE, "mm"
-                   , build_nonce_extension(location)
-                   , asn1_wrap(ASN1_SEQUENCE, "cc"
-                       , ASN1_response_oid
-                       , ASN1_response_content
-                     )
-                 )
-           );
+       return asn1_wrap(ASN1_CONTEXT_C_2, "m"
+                               , asn1_wrap(ASN1_SEQUENCE, "mm"
+                                       , build_nonce_extension(location)
+                                       , asn1_wrap(ASN1_SEQUENCE, "cc"
+                                               , ASN1_response_oid
+                                               , ASN1_response_content
+                                         )
+                                 )
+                       );
 }
 
 /*
@@ -928,13 +928,13 @@ build_request_ext(ocsp_location_t *location)
 static chunk_t
 build_tbs_request(ocsp_location_t *location, bool has_requestor_cert)
 {
-    /* version is skipped since the default is ok */
-    return asn1_wrap(ASN1_SEQUENCE, "mmm"
-               , (has_requestor_cert)
-                       ? build_requestor_name()
-                       : chunk_empty
-               , build_request_list(location)
-               , build_request_ext(location));
+       /* version is skipped since the default is ok */
+       return asn1_wrap(ASN1_SEQUENCE, "mmm"
+                               , (has_requestor_cert)
+                                               ? build_requestor_name()
+                                               : chunk_empty
+                               , build_request_list(location)
+                               , build_request_ext(location));
 }
 
 /* assembles an ocsp request to given location
@@ -943,38 +943,38 @@ build_tbs_request(ocsp_location_t *location, bool has_requestor_cert)
 chunk_t
 build_ocsp_request(ocsp_location_t *location)
 {
-    bool has_requestor_cert;
-    chunk_t tbsRequest, signature;
-    char buf[BUF_LEN];
-
-    DBG(DBG_CONTROL,
-       DBG_log("assembling ocsp request");
-       dntoa(buf, BUF_LEN, location->issuer);
-       DBG_log("issuer: '%s'", buf);
-       if (location->authKeyID.ptr != NULL)
-       {
-           datatot(location->authKeyID.ptr, location->authKeyID.len, ':'
-               , buf, BUF_LEN);
-           DBG_log("authkey: %s", buf);
-       }
-    )
-    lock_certs_and_keys("build_ocsp_request");
+       bool has_requestor_cert;
+       chunk_t tbsRequest, signature;
+       char buf[BUF_LEN];
+
+       DBG(DBG_CONTROL,
+               DBG_log("assembling ocsp request");
+               dntoa(buf, BUF_LEN, location->issuer);
+               DBG_log("issuer: '%s'", buf);
+               if (location->authKeyID.ptr != NULL)
+               {
+                       datatot(location->authKeyID.ptr, location->authKeyID.len, ':'
+                               , buf, BUF_LEN);
+                       DBG_log("authkey: %s", buf);
+               }
+       )
+       lock_certs_and_keys("build_ocsp_request");
 
-    /* looks for requestor cert and matching private key */
-    has_requestor_cert = get_ocsp_requestor_cert(location);
+       /* looks for requestor cert and matching private key */
+       has_requestor_cert = get_ocsp_requestor_cert(location);
 
-    /* build content */
-    tbsRequest = build_tbs_request(location, has_requestor_cert);
+       /* build content */
+       tbsRequest = build_tbs_request(location, has_requestor_cert);
 
-    /* sign tbsReuqest */
-    signature = (has_requestor_cert)? build_signature(tbsRequest)
-                                   : chunk_empty;
+       /* sign tbsReuqest */
+       signature = (has_requestor_cert)? build_signature(tbsRequest)
+                                                                       : chunk_empty;
 
-    unlock_certs_and_keys("build_ocsp_request");
+       unlock_certs_and_keys("build_ocsp_request");
 
-    return asn1_wrap(ASN1_SEQUENCE, "mm"
-               , tbsRequest
-               , signature);
+       return asn1_wrap(ASN1_SEQUENCE, "mm"
+                               , tbsRequest
+                               , signature);
 }
 
 /*
@@ -983,107 +983,107 @@ build_ocsp_request(ocsp_location_t *location)
 static bool
 valid_ocsp_response(response_t *res)
 {
-    int pathlen;
-    x509cert_t *authcert;
-
-    lock_authcert_list("valid_ocsp_response");
-
-    authcert = get_authcert(res->responder_id_name, chunk_empty
-                   , res->responder_id_key, AUTH_OCSP | AUTH_CA);
-
-    if (authcert == NULL)
-    {
-       plog("no matching ocsp signer cert found");
-       unlock_authcert_list("valid_ocsp_response");
-       return FALSE;
-    }
-    DBG(DBG_CONTROL,
-       DBG_log("ocsp signer cert found")
-    )
-
-    if (!check_signature(res->tbs, res->signature, res->algorithm
-                      , res->algorithm, authcert))
-    {
-       plog("signature of ocsp response is invalid");
-       unlock_authcert_list("valid_ocsp_response");
-       return FALSE;
-    }
-    DBG(DBG_CONTROL,
-       DBG_log("signature of ocsp response is valid")
-    )
-
-
-    for (pathlen = 0; pathlen < MAX_CA_PATH_LEN; pathlen++)
-    {
-       u_char buf[BUF_LEN];
-       err_t ugh = NULL;
-       time_t until;
-
-       x509cert_t *cert = authcert;
-
-       DBG(DBG_CONTROL,
-           dntoa(buf, BUF_LEN, cert->subject);
-           DBG_log("subject: '%s'",buf);
-           dntoa(buf, BUF_LEN, cert->issuer);
-           DBG_log("issuer:  '%s'",buf);
-           if (cert->authKeyID.ptr != NULL)
-           {
-               datatot(cert->authKeyID.ptr, cert->authKeyID.len, ':'
-                   , buf, BUF_LEN);
-               DBG_log("authkey:  %s", buf);
-           }
-       )
+       int pathlen;
+       x509cert_t *authcert;
 
-       ugh = check_validity(authcert, &until);
+       lock_authcert_list("valid_ocsp_response");
 
-       if (ugh != NULL)
-       {
-           plog("%s", ugh);
-           unlock_authcert_list("valid_ocsp_response");
-           return FALSE;
-        }
-       
-       DBG(DBG_CONTROL,
-           DBG_log("certificate is valid")
-       )
-       
-       authcert = get_authcert(cert->issuer, cert->authKeySerialNumber
-           , cert->authKeyID, AUTH_CA);
+       authcert = get_authcert(res->responder_id_name, chunk_empty
+                                       , res->responder_id_key, AUTH_OCSP | AUTH_CA);
 
        if (authcert == NULL)
        {
-           plog("issuer cacert not found");
-           unlock_authcert_list("valid_ocsp_response");
-           return FALSE;
+               plog("no matching ocsp signer cert found");
+               unlock_authcert_list("valid_ocsp_response");
+               return FALSE;
        }
        DBG(DBG_CONTROL,
-           DBG_log("issuer cacert found")
+               DBG_log("ocsp signer cert found")
        )
 
-       if (!check_signature(cert->tbsCertificate, cert->signature
-                          , cert->algorithm, cert->algorithm, authcert))
+       if (!check_signature(res->tbs, res->signature, res->algorithm
+                                          , res->algorithm, authcert))
        {
-           plog("certificate signature is invalid");
-           unlock_authcert_list("valid_ocsp_response");
-           return FALSE;
+               plog("signature of ocsp response is invalid");
+               unlock_authcert_list("valid_ocsp_response");
+               return FALSE;
        }
        DBG(DBG_CONTROL,
-           DBG_log("certificate signature is valid")
+               DBG_log("signature of ocsp response is valid")
        )
 
-       /* check if cert is self-signed */
-       if (same_dn(cert->issuer, cert->subject))
+
+       for (pathlen = 0; pathlen < MAX_CA_PATH_LEN; pathlen++)
        {
-           DBG(DBG_CONTROL,
-               DBG_log("reached self-signed root ca")
-           )
-           unlock_authcert_list("valid_ocsp_response");
-           return TRUE;
+               u_char buf[BUF_LEN];
+               err_t ugh = NULL;
+               time_t until;
+
+               x509cert_t *cert = authcert;
+
+               DBG(DBG_CONTROL,
+                       dntoa(buf, BUF_LEN, cert->subject);
+                       DBG_log("subject: '%s'",buf);
+                       dntoa(buf, BUF_LEN, cert->issuer);
+                       DBG_log("issuer:  '%s'",buf);
+                       if (cert->authKeyID.ptr != NULL)
+                       {
+                               datatot(cert->authKeyID.ptr, cert->authKeyID.len, ':'
+                                       , buf, BUF_LEN);
+                               DBG_log("authkey:  %s", buf);
+                       }
+               )
+
+               ugh = check_validity(authcert, &until);
+
+               if (ugh != NULL)
+               {
+                       plog("%s", ugh);
+                       unlock_authcert_list("valid_ocsp_response");
+                       return FALSE;
+               }
+               
+               DBG(DBG_CONTROL,
+                       DBG_log("certificate is valid")
+               )
+               
+               authcert = get_authcert(cert->issuer, cert->authKeySerialNumber
+                       , cert->authKeyID, AUTH_CA);
+
+               if (authcert == NULL)
+               {
+                       plog("issuer cacert not found");
+                       unlock_authcert_list("valid_ocsp_response");
+                       return FALSE;
+               }
+               DBG(DBG_CONTROL,
+                       DBG_log("issuer cacert found")
+               )
+
+               if (!check_signature(cert->tbsCertificate, cert->signature
+                                                  , cert->algorithm, cert->algorithm, authcert))
+               {
+                       plog("certificate signature is invalid");
+                       unlock_authcert_list("valid_ocsp_response");
+                       return FALSE;
+               }
+               DBG(DBG_CONTROL,
+                       DBG_log("certificate signature is valid")
+               )
+
+               /* check if cert is self-signed */
+               if (same_dn(cert->issuer, cert->subject))
+               {
+                       DBG(DBG_CONTROL,
+                               DBG_log("reached self-signed root ca")
+                       )
+                       unlock_authcert_list("valid_ocsp_response");
+                       return TRUE;
+               }
        }
-    }
-    plog("maximum ca path length of %d levels exceeded", MAX_CA_PATH_LEN);
-    unlock_authcert_list("valid_ocsp_response");
-    return FALSE;
+       plog("maximum ca path length of %d levels exceeded", MAX_CA_PATH_LEN);
+       unlock_authcert_list("valid_ocsp_response");
+       return FALSE;
 }
 
 /*
@@ -1092,95 +1092,95 @@ valid_ocsp_response(response_t *res)
 static bool
 parse_basic_ocsp_response(chunk_t blob, int level0, response_t *res)
 {
-    asn1_ctx_t ctx;
-    bool critical;
-    chunk_t object;
-    u_int level, version;
-    u_char buf[BUF_LEN];
-    int objectID = 0;
-    int extn_oid = OID_UNKNOWN;
-
-    asn1_init(&ctx, blob, level0, FALSE, DBG_RAW);
-
-    while (objectID < BASIC_RESPONSE_ROOF)
-    {
-       if (!extract_object(basicResponseObjects, &objectID, &object, &level, &ctx))
-           return FALSE;
-       
-       switch (objectID)
+       asn1_ctx_t ctx;
+       bool critical;
+       chunk_t object;
+       u_int level, version;
+       u_char buf[BUF_LEN];
+       int objectID = 0;
+       int extn_oid = OID_UNKNOWN;
+
+       asn1_init(&ctx, blob, level0, FALSE, DBG_RAW);
+
+       while (objectID < BASIC_RESPONSE_ROOF)
        {
-       case BASIC_RESPONSE_TBS_DATA:
-           res->tbs = object;
-           break;
-       case BASIC_RESPONSE_VERSION:
-           version = (object.len)? (1 + (u_int)*object.ptr) : 1;
-           if (version != OCSP_BASIC_RESPONSE_VERSION)
-           {
-               plog("wrong ocsp basic response version (version= %i)",  version);
-               return FALSE;
-           }
-           break;
-       case BASIC_RESPONSE_ID_BY_NAME:
-           res->responder_id_name = object;
-           DBG(DBG_PARSING,
-               dntoa(buf, BUF_LEN, object);
-               DBG_log("  '%s'",buf)
-           )
-           break;
-       case BASIC_RESPONSE_ID_BY_KEY:
-           res->responder_id_key = object;
-           break;
-       case BASIC_RESPONSE_PRODUCED_AT:
-           res->produced_at = asn1totime(&object, ASN1_GENERALIZEDTIME);
-           break;
-       case BASIC_RESPONSE_RESPONSES:
-           res->responses = object;
-           break;
-       case BASIC_RESPONSE_EXT_ID:
-           extn_oid = asn1_known_oid(object);
-           break;
-       case BASIC_RESPONSE_CRITICAL:
-           critical = object.len && *object.ptr;
-           DBG(DBG_PARSING,
-               DBG_log("  %s",(critical)?"TRUE":"FALSE");
-           )
-           break;
-       case BASIC_RESPONSE_EXT_VALUE:
-           if (extn_oid == OID_NONCE)
-               res->nonce = object;
-           break;
-       case BASIC_RESPONSE_ALGORITHM:
-           res->algorithm = parse_algorithmIdentifier(object, level+1, NULL);
-           break;
-       case BASIC_RESPONSE_SIGNATURE:
-           res->signature = object;
-           break;
-       case BASIC_RESPONSE_CERTIFICATE:
-           {
-               chunk_t blob = chunk_clone(object);
-               x509cert_t *cert = malloc_thing(x509cert_t);
-
-               *cert = empty_x509cert;
-
-               if (parse_x509cert(blob, level+1, cert)
-               && cert->isOcspSigner
-               && trust_authcert_candidate(cert, NULL))
+               if (!extract_object(basicResponseObjects, &objectID, &object, &level, &ctx))
+                       return FALSE;
+               
+               switch (objectID)
                {
-                   add_authcert(cert, AUTH_OCSP);
-               }
-               else
-               {
-                   DBG(DBG_CONTROL | DBG_PARSING,
-                       DBG_log("embedded ocsp certificate rejected")
-                   )
-                   free_x509cert(cert);
+               case BASIC_RESPONSE_TBS_DATA:
+                       res->tbs = object;
+                       break;
+               case BASIC_RESPONSE_VERSION:
+                       version = (object.len)? (1 + (u_int)*object.ptr) : 1;
+                       if (version != OCSP_BASIC_RESPONSE_VERSION)
+                       {
+                               plog("wrong ocsp basic response version (version= %i)",  version);
+                               return FALSE;
+                       }
+                       break;
+               case BASIC_RESPONSE_ID_BY_NAME:
+                       res->responder_id_name = object;
+                       DBG(DBG_PARSING,
+                               dntoa(buf, BUF_LEN, object);
+                               DBG_log("  '%s'",buf)
+                       )
+                       break;
+               case BASIC_RESPONSE_ID_BY_KEY:
+                       res->responder_id_key = object;
+                       break;
+               case BASIC_RESPONSE_PRODUCED_AT:
+                       res->produced_at = asn1totime(&object, ASN1_GENERALIZEDTIME);
+                       break;
+               case BASIC_RESPONSE_RESPONSES:
+                       res->responses = object;
+                       break;
+               case BASIC_RESPONSE_EXT_ID:
+                       extn_oid = asn1_known_oid(object);
+                       break;
+               case BASIC_RESPONSE_CRITICAL:
+                       critical = object.len && *object.ptr;
+                       DBG(DBG_PARSING,
+                               DBG_log("  %s",(critical)?"TRUE":"FALSE");
+                       )
+                       break;
+               case BASIC_RESPONSE_EXT_VALUE:
+                       if (extn_oid == OID_NONCE)
+                               res->nonce = object;
+                       break;
+               case BASIC_RESPONSE_ALGORITHM:
+                       res->algorithm = parse_algorithmIdentifier(object, level+1, NULL);
+                       break;
+               case BASIC_RESPONSE_SIGNATURE:
+                       res->signature = object;
+                       break;
+               case BASIC_RESPONSE_CERTIFICATE:
+                       {
+                               chunk_t blob = chunk_clone(object);
+                               x509cert_t *cert = malloc_thing(x509cert_t);
+
+                               *cert = empty_x509cert;
+
+                               if (parse_x509cert(blob, level+1, cert)
+                               && cert->isOcspSigner
+                               && trust_authcert_candidate(cert, NULL))
+                               {
+                                       add_authcert(cert, AUTH_OCSP);
+                               }
+                               else
+                               {
+                                       DBG(DBG_CONTROL | DBG_PARSING,
+                                               DBG_log("embedded ocsp certificate rejected")
+                                       )
+                                       free_x509cert(cert);
+                               }
+                       }
+                       break;
                }
-           }
-           break;
+               objectID++;
        }
-       objectID++;
-    }
-    return TRUE;
+       return TRUE;
 }
 
 
@@ -1190,63 +1190,63 @@ parse_basic_ocsp_response(chunk_t blob, int level0, response_t *res)
 static response_status
 parse_ocsp_response(chunk_t blob, response_t * res)
 {
-    asn1_ctx_t ctx;
-    chunk_t object;
-    u_int level;
-    int objectID = 0;
-    int ocspResponseType = OID_UNKNOWN;
-    response_status rStatus = STATUS_INTERNALERROR;
-
-    asn1_init(&ctx, blob, 0, FALSE, DBG_RAW);
-
-    while (objectID < OCSP_RESPONSE_ROOF)
-    {
-       if (!extract_object(ocspResponseObjects, &objectID, &object, &level, &ctx))
-           return STATUS_INTERNALERROR;
-
-       switch (objectID) {
-       case OCSP_RESPONSE_STATUS:
-           rStatus = (response_status) *object.ptr;
-
-           switch (rStatus)
-           {
-           case STATUS_SUCCESSFUL:
-               break;
-           case STATUS_MALFORMEDREQUEST:
-           case STATUS_INTERNALERROR:
-           case STATUS_TRYLATER:
-           case STATUS_SIGREQUIRED:
-           case STATUS_UNAUTHORIZED:
-               plog("ocsp response: server said '%s'"
-                   , response_status_names[rStatus]);
-               return rStatus;
-           default:
-               return STATUS_INTERNALERROR;
-           }
-           break;
-       case OCSP_RESPONSE_TYPE:
-           ocspResponseType = asn1_known_oid(object);
-           break;
-       case OCSP_RESPONSE:
-           {
-               switch (ocspResponseType) {
-               case OID_BASIC:
-                   if (!parse_basic_ocsp_response(object, level+1, res))
+       asn1_ctx_t ctx;
+       chunk_t object;
+       u_int level;
+       int objectID = 0;
+       int ocspResponseType = OID_UNKNOWN;
+       response_status rStatus = STATUS_INTERNALERROR;
+
+       asn1_init(&ctx, blob, 0, FALSE, DBG_RAW);
+
+       while (objectID < OCSP_RESPONSE_ROOF)
+       {
+               if (!extract_object(ocspResponseObjects, &objectID, &object, &level, &ctx))
                        return STATUS_INTERNALERROR;
-                   break;
-               default:
-                   DBG(DBG_CONTROL,
-                       DBG_log("ocsp response is not of type BASIC");
-                       DBG_dump_chunk("ocsp response OID: ", object);
-                   )
-                   return STATUS_INTERNALERROR;
+
+               switch (objectID) {
+               case OCSP_RESPONSE_STATUS:
+                       rStatus = (response_status) *object.ptr;
+
+                       switch (rStatus)
+                       {
+                       case STATUS_SUCCESSFUL:
+                               break;
+                       case STATUS_MALFORMEDREQUEST:
+                       case STATUS_INTERNALERROR:
+                       case STATUS_TRYLATER:
+                       case STATUS_SIGREQUIRED:
+                       case STATUS_UNAUTHORIZED:
+                               plog("ocsp response: server said '%s'"
+                                       , response_status_names[rStatus]);
+                               return rStatus;
+                       default:
+                               return STATUS_INTERNALERROR;
+                       }
+                       break;
+               case OCSP_RESPONSE_TYPE:
+                       ocspResponseType = asn1_known_oid(object);
+                       break;
+               case OCSP_RESPONSE:
+                       {
+                               switch (ocspResponseType) {
+                               case OID_BASIC:
+                                       if (!parse_basic_ocsp_response(object, level+1, res))
+                                               return STATUS_INTERNALERROR;
+                                       break;
+                               default:
+                                       DBG(DBG_CONTROL,
+                                               DBG_log("ocsp response is not of type BASIC");
+                                               DBG_dump_chunk("ocsp response OID: ", object);
+                                       )
+                                       return STATUS_INTERNALERROR;
+                               }
+                       }
+                       break;
                }
-           }
-           break;
+               objectID++;
        }
-       objectID++;
-    }
-    return rStatus;
+       return rStatus;
 }
 
 /*
@@ -1255,69 +1255,69 @@ parse_ocsp_response(chunk_t blob, response_t * res)
 static bool
 parse_ocsp_single_response(chunk_t blob, int level0, single_response_t *sres)
 {
-    u_int level, extn_oid;
-    asn1_ctx_t ctx;
-    bool critical;
-    chunk_t object;
-    int objectID = 0;
-
-    asn1_init(&ctx, blob, level0, FALSE, DBG_RAW);
+       u_int level, extn_oid;
+       asn1_ctx_t ctx;
+       bool critical;
+       chunk_t object;
+       int objectID = 0;
 
-    while (objectID < SINGLE_RESPONSE_ROOF)
-    {
-       if (!extract_object(singleResponseObjects, &objectID, &object, &level, &ctx))
-           return FALSE;
+       asn1_init(&ctx, blob, level0, FALSE, DBG_RAW);
 
-       switch (objectID)
+       while (objectID < SINGLE_RESPONSE_ROOF)
        {
-       case SINGLE_RESPONSE_ALGORITHM:
-           sres->hash_algorithm = parse_algorithmIdentifier(object, level+1, NULL);
-           break;
-       case SINGLE_RESPONSE_ISSUER_NAME_HASH:
-           sres->issuer_name_hash = object;
-           break;
-       case SINGLE_RESPONSE_ISSUER_KEY_HASH:
-           sres->issuer_key_hash = object;
-           break;
-       case SINGLE_RESPONSE_SERIAL_NUMBER:
-           sres->serialNumber = object;
-           break;
-       case SINGLE_RESPONSE_CERT_STATUS_GOOD:
-           sres->status = CERT_GOOD;
-           break;
-       case SINGLE_RESPONSE_CERT_STATUS_REVOKED:
-           sres->status = CERT_REVOKED;
-           break;
-       case SINGLE_RESPONSE_CERT_STATUS_REVOCATION_TIME:
-           sres->revocationTime = asn1totime(&object, ASN1_GENERALIZEDTIME);
-           break;
-       case SINGLE_RESPONSE_CERT_STATUS_CRL_REASON:
-           sres->revocationReason = (object.len == 1)
-               ? *object.ptr : REASON_UNSPECIFIED;
-           break;
-       case SINGLE_RESPONSE_CERT_STATUS_UNKNOWN:
-           sres->status = CERT_UNKNOWN;
-           break;
-       case SINGLE_RESPONSE_THIS_UPDATE:
-           sres->thisUpdate = asn1totime(&object, ASN1_GENERALIZEDTIME);
-           break;
-       case SINGLE_RESPONSE_NEXT_UPDATE:
-           sres->nextUpdate = asn1totime(&object, ASN1_GENERALIZEDTIME);
-           break;
-       case SINGLE_RESPONSE_EXT_ID:
-           extn_oid = asn1_known_oid(object);
-           break;
-       case SINGLE_RESPONSE_CRITICAL:
-           critical = object.len && *object.ptr;
-           DBG(DBG_PARSING,
-               DBG_log("  %s",(critical)?"TRUE":"FALSE");
-           )
-       case SINGLE_RESPONSE_EXT_VALUE:
-           break;
+               if (!extract_object(singleResponseObjects, &objectID, &object, &level, &ctx))
+                       return FALSE;
+
+               switch (objectID)
+               {
+               case SINGLE_RESPONSE_ALGORITHM:
+                       sres->hash_algorithm = parse_algorithmIdentifier(object, level+1, NULL);
+                       break;
+               case SINGLE_RESPONSE_ISSUER_NAME_HASH:
+                       sres->issuer_name_hash = object;
+                       break;
+               case SINGLE_RESPONSE_ISSUER_KEY_HASH:
+                       sres->issuer_key_hash = object;
+                       break;
+               case SINGLE_RESPONSE_SERIAL_NUMBER:
+                       sres->serialNumber = object;
+                       break;
+               case SINGLE_RESPONSE_CERT_STATUS_GOOD:
+                       sres->status = CERT_GOOD;
+                       break;
+               case SINGLE_RESPONSE_CERT_STATUS_REVOKED:
+                       sres->status = CERT_REVOKED;
+                       break;
+               case SINGLE_RESPONSE_CERT_STATUS_REVOCATION_TIME:
+                       sres->revocationTime = asn1totime(&object, ASN1_GENERALIZEDTIME);
+                       break;
+               case SINGLE_RESPONSE_CERT_STATUS_CRL_REASON:
+                       sres->revocationReason = (object.len == 1)
+                               ? *object.ptr : REASON_UNSPECIFIED;
+                       break;
+               case SINGLE_RESPONSE_CERT_STATUS_UNKNOWN:
+                       sres->status = CERT_UNKNOWN;
+                       break;
+               case SINGLE_RESPONSE_THIS_UPDATE:
+                       sres->thisUpdate = asn1totime(&object, ASN1_GENERALIZEDTIME);
+                       break;
+               case SINGLE_RESPONSE_NEXT_UPDATE:
+                       sres->nextUpdate = asn1totime(&object, ASN1_GENERALIZEDTIME);
+                       break;
+               case SINGLE_RESPONSE_EXT_ID:
+                       extn_oid = asn1_known_oid(object);
+                       break;
+               case SINGLE_RESPONSE_CRITICAL:
+                       critical = object.len && *object.ptr;
+                       DBG(DBG_PARSING,
+                               DBG_log("  %s",(critical)?"TRUE":"FALSE");
+                       )
+               case SINGLE_RESPONSE_EXT_VALUE:
+                       break;
+               }
+               objectID++;
        }
-       objectID++;
-    }
-    return TRUE;
+       return TRUE;
 }
 
 /*
@@ -1326,25 +1326,25 @@ parse_ocsp_single_response(chunk_t blob, int level0, single_response_t *sres)
 ocsp_location_t*
 add_ocsp_location(const ocsp_location_t *loc, ocsp_location_t **chain)
 {
-    ocsp_location_t *location = malloc_thing(ocsp_location_t);
+       ocsp_location_t *location = malloc_thing(ocsp_location_t);
 
-    /* unshare location fields */
-    location->issuer = chunk_clone(loc->issuer);
-    location->authNameID = chunk_clone(loc->authNameID);
-    location->authKeyID = chunk_clone(loc->authKeyID);
-    location->authKeySerialNumber = chunk_clone(loc->authKeySerialNumber);
-    location->uri = chunk_clone(loc->uri);
-    location->certinfo = NULL;
+       /* unshare location fields */
+       location->issuer = chunk_clone(loc->issuer);
+       location->authNameID = chunk_clone(loc->authNameID);
+       location->authKeyID = chunk_clone(loc->authKeyID);
+       location->authKeySerialNumber = chunk_clone(loc->authKeySerialNumber);
+       location->uri = chunk_clone(loc->uri);
+       location->certinfo = NULL;
 
-    /* insert new ocsp location in front of chain */
-    location->next = *chain;
-    *chain = location;
+       /* insert new ocsp location in front of chain */
+       location->next = *chain;
+       *chain = location;
 
-    DBG(DBG_CONTROL,
-       DBG_log("new ocsp location added")
-    )
+       DBG(DBG_CONTROL,
+               DBG_log("new ocsp location added")
+       )
 
-    return location;
+       return location;
 }
 
 /*
@@ -1352,76 +1352,76 @@ add_ocsp_location(const ocsp_location_t *loc, ocsp_location_t **chain)
  */
 void
 add_certinfo(ocsp_location_t *loc, ocsp_certinfo_t *info, ocsp_location_t **chain
-    , bool request)
+       , bool request)
 {
-    ocsp_location_t *location;
-    ocsp_certinfo_t *certinfo, **certinfop;
-    char buf[BUF_LEN];
-    time_t now;
-    int cmp = -1;
-
-    location = get_ocsp_location(loc, *chain);
-    if (location == NULL)
-       location = add_ocsp_location(loc, chain);
-
-    /* traverse list of certinfos in increasing order */
-    certinfop = &location->certinfo;
-    certinfo = *certinfop;
-
-    while (certinfo != NULL)
-    {
-       cmp = chunk_compare(info->serialNumber, certinfo->serialNumber);
-       if (cmp <= 0)
-           break;
-       certinfop = &certinfo->next;
+       ocsp_location_t *location;
+       ocsp_certinfo_t *certinfo, **certinfop;
+       char buf[BUF_LEN];
+       time_t now;
+       int cmp = -1;
+
+       location = get_ocsp_location(loc, *chain);
+       if (location == NULL)
+               location = add_ocsp_location(loc, chain);
+
+       /* traverse list of certinfos in increasing order */
+       certinfop = &location->certinfo;
        certinfo = *certinfop;
-    }
-
-    if (cmp != 0)
-    {
-       /* add a new certinfo entry */
-       ocsp_certinfo_t *cnew = malloc_thing(ocsp_certinfo_t);
-
-       cnew->serialNumber = chunk_clone(info->serialNumber);
-       cnew->next = certinfo;
-       *certinfop = cnew;
-       certinfo = cnew;
-    }
-       
-    DBG(DBG_CONTROL,
-       datatot(info->serialNumber.ptr, info->serialNumber.len, ':'
-           , buf, BUF_LEN);
-       DBG_log("ocsp %s for serial %s %s"
-           , request?"fetch request":"certinfo"
-           , buf
-           , (cmp == 0)? (request?"already exists":"updated"):"added")
-    )
-
-    time(&now);
-   
-    if (request)
-    {
-       certinfo->status = CERT_UNDEFINED;
-       
+
+       while (certinfo != NULL)
+       {
+               cmp = chunk_compare(info->serialNumber, certinfo->serialNumber);
+               if (cmp <= 0)
+                       break;
+               certinfop = &certinfo->next;
+               certinfo = *certinfop;
+       }
+
        if (cmp != 0)
-           certinfo->thisUpdate = now;
-
-       certinfo->nextUpdate = UNDEFINED_TIME;
-    }
-    else
-    {
-       certinfo->status = info->status;
-       certinfo->revocationTime = info->revocationTime;
-       certinfo->revocationReason = info->revocationReason;
-       
-       certinfo->thisUpdate = (info->thisUpdate != UNDEFINED_TIME)?
-           info->thisUpdate : now;
+       {
+               /* add a new certinfo entry */
+               ocsp_certinfo_t *cnew = malloc_thing(ocsp_certinfo_t);
+
+               cnew->serialNumber = chunk_clone(info->serialNumber);
+               cnew->next = certinfo;
+               *certinfop = cnew;
+               certinfo = cnew;
+       }
+               
+       DBG(DBG_CONTROL,
+               datatot(info->serialNumber.ptr, info->serialNumber.len, ':'
+                       , buf, BUF_LEN);
+               DBG_log("ocsp %s for serial %s %s"
+                       , request?"fetch request":"certinfo"
+                       , buf
+                       , (cmp == 0)? (request?"already exists":"updated"):"added")
+       )
+
+       time(&now);
+
+       if (request)
+       {
+               certinfo->status = CERT_UNDEFINED;
+               
+               if (cmp != 0)
+                       certinfo->thisUpdate = now;
+
+               certinfo->nextUpdate = UNDEFINED_TIME;
+       }
+       else
+       {
+               certinfo->status = info->status;
+               certinfo->revocationTime = info->revocationTime;
+               certinfo->revocationReason = info->revocationReason;
+               
+               certinfo->thisUpdate = (info->thisUpdate != UNDEFINED_TIME)?
+                       info->thisUpdate : now;
 
-       certinfo->once = (info->nextUpdate == UNDEFINED_TIME);
+               certinfo->once = (info->nextUpdate == UNDEFINED_TIME);
 
-       certinfo->nextUpdate = (certinfo->once)?
-           (now + OCSP_DEFAULT_VALID_TIME) : info->nextUpdate;
-    }
+               certinfo->nextUpdate = (certinfo->once)?
+                       (now + OCSP_DEFAULT_VALID_TIME) : info->nextUpdate;
+       }
 }
 
 /*
@@ -1430,57 +1430,57 @@ add_certinfo(ocsp_location_t *loc, ocsp_certinfo_t *info, ocsp_location_t **chai
 static void
 process_single_response(ocsp_location_t *location, single_response_t *sres)
 {
-    ocsp_certinfo_t *certinfo, **certinfop;
-    int cmp = -1;
-
-    if (sres->hash_algorithm != OID_SHA1)
-    {
-       plog("only SHA-1 hash supported in OCSP single response");
-       return;
-    }
-    if (!(chunk_equals(sres->issuer_name_hash, location->authNameID)
-    &&   chunk_equals(sres->issuer_key_hash, location->authKeyID)))
-    {
-       plog("ocsp single response has wrong issuer");
-       return;
-    }
-    
-    /* traverse list of certinfos in increasing order */
-    certinfop = &location->certinfo;
-    certinfo = *certinfop;
-
-    while (certinfo != NULL)
-    {
-       cmp = chunk_compare(sres->serialNumber, certinfo->serialNumber);
-       if (cmp <= 0)
-           break;
-       certinfop = &certinfo->next;
+       ocsp_certinfo_t *certinfo, **certinfop;
+       int cmp = -1;
+
+       if (sres->hash_algorithm != OID_SHA1)
+       {
+               plog("only SHA-1 hash supported in OCSP single response");
+               return;
+       }
+       if (!(chunk_equals(sres->issuer_name_hash, location->authNameID)
+       &&   chunk_equals(sres->issuer_key_hash, location->authKeyID)))
+       {
+               plog("ocsp single response has wrong issuer");
+               return;
+       }
+       
+       /* traverse list of certinfos in increasing order */
+       certinfop = &location->certinfo;
        certinfo = *certinfop;
-    }
-
-    if (cmp != 0)
-    {
-       plog("received unrequested cert status from ocsp server");
-       return;
-    }
-
-    /* unlink cert from ocsp fetch request list */
-    *certinfop = certinfo->next;
-    
-    /* update certinfo using the single response information */
-    certinfo->thisUpdate = sres->thisUpdate;
-    certinfo->nextUpdate = sres->nextUpdate;
-    certinfo->status = sres->status;
-    certinfo->revocationTime = sres->revocationTime;
-    certinfo->revocationReason = sres->revocationReason;
-    
-    /* add or update certinfo in ocsp cache */
-    lock_ocsp_cache("process_single_response");
-    add_certinfo(location, certinfo, &ocsp_cache, FALSE);
-    unlock_ocsp_cache("process_single_response");
-
-    /* free certinfo unlinked from ocsp fetch request list */
-    free_certinfo(certinfo);
+
+       while (certinfo != NULL)
+       {
+               cmp = chunk_compare(sres->serialNumber, certinfo->serialNumber);
+               if (cmp <= 0)
+                       break;
+               certinfop = &certinfo->next;
+               certinfo = *certinfop;
+       }
+
+       if (cmp != 0)
+       {
+               plog("received unrequested cert status from ocsp server");
+               return;
+       }
+
+       /* unlink cert from ocsp fetch request list */
+       *certinfop = certinfo->next;
+       
+       /* update certinfo using the single response information */
+       certinfo->thisUpdate = sres->thisUpdate;
+       certinfo->nextUpdate = sres->nextUpdate;
+       certinfo->status = sres->status;
+       certinfo->revocationTime = sres->revocationTime;
+       certinfo->revocationReason = sres->revocationReason;
+       
+       /* add or update certinfo in ocsp cache */
+       lock_ocsp_cache("process_single_response");
+       add_certinfo(location, certinfo, &ocsp_cache, FALSE);
+       unlock_ocsp_cache("process_single_response");
+
+       /* free certinfo unlinked from ocsp fetch request list */
+       free_certinfo(certinfo);
 
 }
 
@@ -1490,61 +1490,61 @@ process_single_response(ocsp_location_t *location, single_response_t *sres)
 void
 parse_ocsp(ocsp_location_t *location, chunk_t blob)
 {
-    response_t res = empty_response;
-
-    /* parse the ocsp response without looking at the single responses yet */
-    response_status status = parse_ocsp_response(blob, &res);
-
-    if (status != STATUS_SUCCESSFUL)
-    {
-       plog("error in ocsp response");
-       return;
-    }
-    /* check if there was a nonce in the request */
-    if (location->nonce.ptr != NULL && res.nonce.ptr == NULL)
-    {
-       plog("ocsp response contains no nonce, replay attack possible");
-    }
-    /* check if the nonce is identical */
-    if (res.nonce.ptr != NULL && !chunk_equals(res.nonce, location->nonce))
-    {
-       plog("invalid nonce in ocsp response");
-       return;
-    }
-    /* check if the response is signed by a trusted key */
-    if (!valid_ocsp_response(&res))
-    {
-       plog("invalid ocsp response");
-       return;
-    }
-    DBG(DBG_CONTROL,
-       DBG_log("valid ocsp response")
-    )
-
-    /* now parse the single responses one at a time */
-    {
-       u_int level;
-       asn1_ctx_t ctx;
-       chunk_t object;
-       int objectID = 0;
+       response_t res = empty_response;
 
-       asn1_init(&ctx, res.responses, 0, FALSE, DBG_RAW);
+       /* parse the ocsp response without looking at the single responses yet */
+       response_status status = parse_ocsp_response(blob, &res);
 
-       while (objectID < RESPONSES_ROOF)
+       if (status != STATUS_SUCCESSFUL)
+       {
+               plog("error in ocsp response");
+               return;
+       }
+       /* check if there was a nonce in the request */
+       if (location->nonce.ptr != NULL && res.nonce.ptr == NULL)
+       {
+               plog("ocsp response contains no nonce, replay attack possible");
+       }
+       /* check if the nonce is identical */
+       if (res.nonce.ptr != NULL && !chunk_equals(res.nonce, location->nonce))
+       {
+               plog("invalid nonce in ocsp response");
+               return;
+       }
+       /* check if the response is signed by a trusted key */
+       if (!valid_ocsp_response(&res))
        {
-           if (!extract_object(responsesObjects, &objectID, &object, &level, &ctx))
+               plog("invalid ocsp response");
                return;
-           
-           if (objectID == RESPONSES_SINGLE_RESPONSE)
-           {
-               single_response_t sres = empty_single_response;
+       }
+       DBG(DBG_CONTROL,
+               DBG_log("valid ocsp response")
+       )
+
+       /* now parse the single responses one at a time */
+       {
+               u_int level;
+               asn1_ctx_t ctx;
+               chunk_t object;
+               int objectID = 0;
 
-               if (parse_ocsp_single_response(object, level+1, &sres))
+               asn1_init(&ctx, res.responses, 0, FALSE, DBG_RAW);
+
+               while (objectID < RESPONSES_ROOF)
                {
-                   process_single_response(location, &sres);
+                       if (!extract_object(responsesObjects, &objectID, &object, &level, &ctx))
+                               return;
+                       
+                       if (objectID == RESPONSES_SINGLE_RESPONSE)
+                       {
+                               single_response_t sres = empty_single_response;
+
+                               if (parse_ocsp_single_response(object, level+1, &sres))
+                               {
+                                       process_single_response(location, &sres);
+                               }
+                       }
+                       objectID++;
                }
-           }
-           objectID++;
        }
-    }
 }