updated x509 plugin to public key/x509 API changes
authorMartin Willi <martin@strongswan.org>
Mon, 24 Aug 2009 12:11:44 +0000 (14:11 +0200)
committerMartin Willi <martin@strongswan.org>
Wed, 26 Aug 2009 09:23:52 +0000 (11:23 +0200)
src/libstrongswan/plugins/x509/x509_ac.c
src/libstrongswan/plugins/x509/x509_cert.c
src/libstrongswan/plugins/x509/x509_crl.c
src/libstrongswan/plugins/x509/x509_ocsp_request.c
src/libstrongswan/plugins/x509/x509_ocsp_response.c

index f8052ee..ab88c23 100644 (file)
@@ -31,8 +31,8 @@
 #include <credentials/certificates/x509.h>
 #include <credentials/keys/private_key.h>
 
-extern identification_t* x509_parse_authorityKeyIdentifier(chunk_t blob,
-                                                        int level0, chunk_t *authKeySerialNumber);
+extern chunk_t x509_parse_authorityKeyIdentifier(chunk_t blob,
+                                                                       int level0, chunk_t *authKeySerialNumber);
 
 typedef struct private_x509_ac_t private_x509_ac_t;
 
@@ -40,7 +40,7 @@ typedef struct private_x509_ac_t private_x509_ac_t;
  * private data of x509_ac_t object
  */
 struct private_x509_ac_t {
-
+       
        /**
         * public functions
         */
@@ -50,32 +50,32 @@ struct private_x509_ac_t {
         * X.509 attribute certificate encoding in ASN.1 DER format
         */
        chunk_t encoding;
-
+       
        /**
         * X.509 attribute certificate body over which signature is computed
         */
        chunk_t certificateInfo;
-
+       
        /**
         * Version of the X.509 attribute certificate
         */
        u_int version;
-
+       
        /**
         * Serial number of the X.509 attribute certificate
         */
        chunk_t serialNumber;
-
+       
        /**
         * ID representing the issuer of the holder certificate
         */
        identification_t *holderIssuer;
-
+       
        /**
         * Serial number of the holder certificate
         */
        chunk_t holderSerial;
-
+       
        /**
         * ID representing the holder
         */
@@ -85,67 +85,67 @@ struct private_x509_ac_t {
         * ID representing the attribute certificate issuer
         */
        identification_t *issuerName;
-
+       
        /**
         * Start time of certificate validity
         */
        time_t notBefore;
-
+       
        /**
         * End time of certificate validity
         */
        time_t notAfter;
-
+       
        /**
         * List of charging attributes
         */
        linked_list_t *charging;
-
+       
        /**
         * List of groub attributes
         */
        linked_list_t *groups;
-
+       
        /**
         * Authority Key Identifier
         */
-       identification_t *authKeyIdentifier;
-
+       chunk_t authKeyIdentifier;
+       
        /**
         * Authority Key Serial Number
         */
        chunk_t authKeySerialNumber;
-
+       
        /**
         * No revocation information available
         */
        bool noRevAvail;
-
+       
        /**
         * Signature algorithm
         */
        int algorithm;
-
+       
        /**
         * Signature
         */
        chunk_t signature;
-
-    /**
-     * Holder certificate
-     */
+       
+       /**
+        * Holder certificate
+        */
        certificate_t *holderCert;
-
-    /**
-     * Signer certificate
-     */
+       
+       /**
+        * Signer certificate
+        */
        certificate_t *signerCert;
-
-   /**
-    * Signer private key;
-    */
+       
+       /**
+       * Signer private key;
+       */
        private_key_t *signerKey;
-
+       
        /**
         * reference count
         */
@@ -458,7 +458,7 @@ static bool parse_certificate(private_x509_ac_t *this)
                                                break;
                                        case OID_AUTHORITY_KEY_ID:
                                                this->authKeyIdentifier = x509_parse_authorityKeyIdentifier(object,
-                                                                                                       level, &this->authKeySerialNumber);
+                                                                                                       level, &this->authKeySerialNumber);
                                                break;
                                        case OID_TARGET_INFORMATION:
                                                DBG2("  need to parse targetInformation");
@@ -567,29 +567,28 @@ static chunk_t build_attributes(private_x509_ac_t *this)
  */
 static chunk_t build_authorityKeyIdentifier(private_x509_ac_t *this)
 {
-       chunk_t keyIdentifier;
+       chunk_t keyIdentifier = chunk_empty;
        chunk_t authorityCertIssuer;
        chunk_t authorityCertSerialNumber;
-       x509_t *x509 = (x509_t*)this->signerCert;
-       identification_t *issuer = this->signerCert->get_issuer(this->signerCert);
-       public_key_t *public = this->signerCert->get_public_key(this->signerCert);
-
+       identification_t *issuer;
+       public_key_t *public;
+       x509_t *x509;
+       
+       x509 = (x509_t*)this->signerCert;
+       issuer = this->signerCert->get_issuer(this->signerCert);
+       public = this->signerCert->get_public_key(this->signerCert);
        if (public)
        {
-               identification_t *keyid = public->get_id(public, ID_PUBKEY_SHA1);
-
-               this->authKeyIdentifier = keyid = keyid->clone(keyid);
-               keyIdentifier = keyid->get_encoding(keyid);             
+               if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &keyIdentifier))
+               {
+                       this->authKeyIdentifier = chunk_clone(keyIdentifier);
+               }
                public->destroy(public);
        }
-       else
-       {
-               keyIdentifier = chunk_empty;
-       }
        authorityCertIssuer = build_directoryName(ASN1_CONTEXT_C_1,
-                                                               issuer->get_encoding(issuer));
+                                                                                       issuer->get_encoding(issuer));
        authorityCertSerialNumber = asn1_simple_object(ASN1_CONTEXT_S_2,
-                                                                       x509->get_serial(x509));
+                                                                                       x509->get_serial(x509));
        return asn1_wrap(ASN1_SEQUENCE, "cm",
                                ASN1_authorityKeyIdentifier_oid,
                                asn1_wrap(ASN1_OCTET_STRING, "m",
@@ -675,7 +674,7 @@ static identification_t* get_holderIssuer(private_x509_ac_t *this)
 /**
  * Implementation of ac_t.get_authKeyIdentifier.
  */
-static identification_t* get_authKeyIdentifier(private_x509_ac_t *this)
+static chunk_t get_authKeyIdentifier(private_x509_ac_t *this)
 {
        return this->authKeyIdentifier;
 }
@@ -709,7 +708,7 @@ static identification_t* get_issuer(private_x509_ac_t *this)
  */
 static id_match_t has_subject(private_x509_ac_t *this, identification_t *subject)
 {
-       return ID_MATCH_NONE;   
+       return ID_MATCH_NONE;
 }
 
 /**
@@ -717,24 +716,12 @@ static id_match_t has_subject(private_x509_ac_t *this, identification_t *subject
  */
 static id_match_t has_issuer(private_x509_ac_t *this, identification_t *issuer)
 {
-       id_match_t match;
-
-       if (issuer->get_type(issuer) == ID_PUBKEY_SHA1)
+       if (issuer->get_type(issuer) == ID_KEY_ID && this->authKeyIdentifier.ptr &&
+               chunk_equals(this->authKeyIdentifier, issuer->get_encoding(issuer)))
        {
-               if (this->authKeyIdentifier)
-               {
-                       match = issuer->matches(issuer, this->authKeyIdentifier);
-               }
-               else
-               {
-                       match = ID_MATCH_NONE;
-               }
-       }
-       else
-       {
-               match = this->issuerName->matches(this->issuerName, issuer);
+               return ID_MATCH_PERFECT;
        }
-       return match;
+       return this->issuerName->matches(this->issuerName, issuer);
 }
 
 /**
@@ -756,32 +743,33 @@ static bool issued_by(private_x509_ac_t *this, certificate_t *issuer)
        {
                return FALSE;
        }
-
+       
        /* get the public key of the issuer */
        key = issuer->get_public_key(issuer);
-
+       
        /* compare keyIdentifiers if available, otherwise use DNs */
-       if (this->authKeyIdentifier && key)
+       if (this->authKeyIdentifier.ptr && key)
        {
-               identification_t *subjectKeyIdentifier = key->get_id(key, ID_PUBKEY_SHA1);
-
-               if (!subjectKeyIdentifier->equals(subjectKeyIdentifier,
-                                                                                 this->authKeyIdentifier))
+               chunk_t fingerprint;
+               
+               if (!key->get_fingerprint(key, KEY_ID_PUBKEY_SHA1, &fingerprint) ||
+                       !chunk_equals(fingerprint, this->authKeyIdentifier))
                {
                        return FALSE;
                }
        }
        else 
        {
-               if (!this->issuerName->equals(this->issuerName, issuer->get_subject(issuer)))
+               if (!this->issuerName->equals(this->issuerName,
+                                                                         issuer->get_subject(issuer)))
                {
                        return FALSE;
                }
        }
-
+       
        /* determine signature scheme */
        scheme = signature_scheme_from_oid(this->algorithm);
-
+       
        if (scheme == SIGN_UNKNOWN || key == NULL)
        {
                return FALSE;
@@ -894,7 +882,6 @@ static void destroy(private_x509_ac_t *this)
                DESTROY_IF(this->holderIssuer);
                DESTROY_IF(this->entityName);
                DESTROY_IF(this->issuerName);
-               DESTROY_IF(this->authKeyIdentifier);
                DESTROY_IF(this->holderCert);
                DESTROY_IF(this->signerCert);
                DESTROY_IF(this->signerKey);
@@ -902,6 +889,7 @@ static void destroy(private_x509_ac_t *this)
                ietfAttr_list_destroy(this->charging);
                ietfAttr_list_destroy(this->groups);
                free(this->serialNumber.ptr);
+               free(this->authKeyIdentifier.ptr);
                free(this->encoding.ptr);
                free(this);
        }
@@ -918,7 +906,7 @@ static private_x509_ac_t *create_empty(void)
        this->public.interface.get_serial = (chunk_t (*)(ac_t*))get_serial;
        this->public.interface.get_holderSerial = (chunk_t (*)(ac_t*))get_holderSerial;
        this->public.interface.get_holderIssuer = (identification_t* (*)(ac_t*))get_holderIssuer;
-       this->public.interface.get_authKeyIdentifier = (identification_t* (*)(ac_t*))get_authKeyIdentifier;
+       this->public.interface.get_authKeyIdentifier = (chunk_t(*)(ac_t*))get_authKeyIdentifier;
        this->public.interface.certificate.get_type = (certificate_type_t (*)(certificate_t *this))get_type;
        this->public.interface.certificate.get_subject = (identification_t* (*)(certificate_t *this))get_subject;
        this->public.interface.certificate.get_issuer = (identification_t* (*)(certificate_t *this))get_issuer;
@@ -937,10 +925,10 @@ static private_x509_ac_t *create_empty(void)
        this->encoding = chunk_empty;
        this->serialNumber = chunk_empty;
        this->holderSerial = chunk_empty;
+       this->authKeyIdentifier = chunk_empty;
        this->holderIssuer = NULL;
        this->entityName = NULL;
        this->issuerName = NULL;
-       this->authKeyIdentifier = NULL;
        this->holderCert = NULL;
        this->signerCert = NULL;
        this->signerKey = NULL;
@@ -984,9 +972,9 @@ struct private_builder_t {
 static private_x509_ac_t* build(private_builder_t *this)
 {
        private_x509_ac_t *ac = this->ac;
-
+       
        free(this);
-
+       
        /* synthesis if encoding does not exist */
        if (ac && ac->encoding.ptr == NULL)
        {
index 32627eb..81a2b33 100644 (file)
@@ -138,7 +138,7 @@ struct private_x509_cert_t {
        /**
         * Authority Key Identifier
         */
-       identification_t *authKeyIdentifier;
+       chunk_t authKeyIdentifier;
        
        /**
         * Authority Key Serial Number
@@ -421,13 +421,13 @@ static const asn1Object_t authKeyIdentifierObjects[] = {
 /**
  * Extracts an authoritykeyIdentifier
  */
-identification_t* x509_parse_authorityKeyIdentifier(chunk_t blob, int level0,
+chunk_t x509_parse_authorityKeyIdentifier(chunk_t blob, int level0,
                                                                                                chunk_t *authKeySerialNumber)
 {
        asn1_parser_t *parser;
        chunk_t object;
        int objectID;
-       identification_t *authKeyIdentifier = NULL;
+       chunk_t authKeyIdentifier = chunk_empty;
        
        *authKeySerialNumber = chunk_empty;
        
@@ -439,8 +439,7 @@ identification_t* x509_parse_authorityKeyIdentifier(chunk_t blob, int level0,
                switch (objectID) 
                {
                        case AUTH_KEY_ID_KEY_ID:
-                               authKeyIdentifier = identification_create_from_encoding(
-                                                                                               ID_PUBKEY_SHA1, object); 
+                               authKeyIdentifier = chunk_clone(object);
                                break;
                        case AUTH_KEY_ID_CERT_ISSUER:
                                /* TODO: x509_parse_generalNames(object, level+1, TRUE); */
@@ -847,10 +846,12 @@ static id_match_t has_subject(private_x509_cert_t *this, identification_t *subje
        enumerator_t *enumerator;
        id_match_t match, best;
        
-       if (this->encoding_hash.ptr && subject->get_type(subject) == ID_CERT_DER_SHA1 &&
-               chunk_equals(this->encoding_hash, subject->get_encoding(subject)))
+       if (this->encoding_hash.ptr && subject->get_type(subject) == ID_KEY_ID)
        {
-               return ID_MATCH_PERFECT;
+               if (chunk_equals(this->encoding_hash, subject->get_encoding(subject)))
+               {
+                       return ID_MATCH_PERFECT;
+               }
        }
        
        best = this->subject->matches(this->subject, subject);
@@ -860,11 +861,11 @@ static id_match_t has_subject(private_x509_cert_t *this, identification_t *subje
                match = current->matches(current, subject);
                if (match > best)
                {
-                       best = match;   
+                       best = match;
                }
        }
        enumerator->destroy(enumerator);
-       return best;    
+       return best;
 }
 
 /**
@@ -1040,7 +1041,7 @@ static chunk_t get_serial(private_x509_cert_t *this)
 /**
  * Implementation of x509_t.get_authKeyIdentifier.
  */
-static identification_t *get_authKeyIdentifier(private_x509_cert_t *this)
+static chunk_t get_authKeyIdentifier(private_x509_cert_t *this)
 {
        return this->authKeyIdentifier;
 }
@@ -1083,7 +1084,7 @@ static void destroy(private_x509_cert_t *this)
                DESTROY_IF(this->issuer);
                DESTROY_IF(this->subject);
                DESTROY_IF(this->public_key);
-               DESTROY_IF(this->authKeyIdentifier);
+               chunk_free(&this->authKeyIdentifier);
                chunk_free(&this->encoding);
                chunk_free(&this->encoding_hash);
                if (!this->parsed)
@@ -1118,7 +1119,7 @@ static private_x509_cert_t* create_empty(void)
        this->public.interface.interface.destroy = (void (*)(certificate_t*))destroy;
        this->public.interface.get_flags = (x509_flag_t (*)(x509_t*))get_flags;
        this->public.interface.get_serial = (chunk_t (*)(x509_t*))get_serial;
-       this->public.interface.get_authKeyIdentifier = (identification_t* (*)(x509_t*))get_authKeyIdentifier;
+       this->public.interface.get_authKeyIdentifier = (chunk_t (*)(x509_t*))get_authKeyIdentifier;
        this->public.interface.create_subjectAltName_enumerator = (enumerator_t* (*)(x509_t*))create_subjectAltName_enumerator;
        this->public.interface.create_crl_uri_enumerator = (enumerator_t* (*)(x509_t*))create_crl_uri_enumerator;
        this->public.interface.create_ocsp_uri_enumerator = (enumerator_t* (*)(x509_t*))create_ocsp_uri_enumerator;
@@ -1137,7 +1138,7 @@ static private_x509_cert_t* create_empty(void)
        this->crl_uris = linked_list_create();
        this->ocsp_uris = linked_list_create();
        this->subjectKeyID = chunk_empty;
-       this->authKeyIdentifier = NULL;
+       this->authKeyIdentifier = chunk_empty;
        this->authKeySerialNumber = chunk_empty;
        this->algorithm = 0;
        this->signature = chunk_empty;
@@ -1253,10 +1254,14 @@ static bool generate(private_builder_t *this)
        switch (this->cert->public_key->get_type(this->cert->public_key))
        {
                case KEY_RSA:
-                       key = this->cert->public_key->get_encoding(this->cert->public_key);
+                       if (!this->cert->public_key->get_encoding(this->cert->public_key,
+                                                                                                         KEY_PUB_ASN1_DER, &key))
+                       {
+                               return FALSE;
+                       }
                        key_info = asn1_wrap(ASN1_SEQUENCE, "cm",
-                                                       asn1_algorithmIdentifier(OID_RSA_ENCRYPTION), 
-                                                       asn1_bitstring("m", key));      
+                                                       asn1_algorithmIdentifier(OID_RSA_ENCRYPTION),
+                                                       asn1_bitstring("m", key));
                        break;
                default:
                        return FALSE;
index 93203ba..e3d054c 100644 (file)
@@ -101,7 +101,7 @@ struct private_x509_crl_t {
        /**
         * Authority Key Identifier
         */
-       identification_t *authKeyIdentifier;
+       chunk_t authKeyIdentifier;
 
        /**
         * Authority Key Serial Number
@@ -127,7 +127,7 @@ struct private_x509_crl_t {
 /**
  * from x509_cert
  */
-extern identification_t* x509_parse_authorityKeyIdentifier(
+extern chunk_t x509_parse_authorityKeyIdentifier(
                                                                chunk_t blob, int level0, 
                                                                chunk_t *authKeySerialNumber);
 
@@ -337,10 +337,11 @@ static chunk_t get_serial(private_x509_crl_t *this)
 /**
  * Implementation of crl_t.get_authKeyIdentifier.
  */
-static identification_t* get_authKeyIdentifier(private_x509_crl_t *this)
+static chunk_t get_authKeyIdentifier(private_x509_crl_t *this)
 {
        return this->authKeyIdentifier;
 }
+
 /**
  * Implementation of crl_t.create_enumerator.
  */
@@ -372,24 +373,12 @@ static identification_t* get_issuer(private_x509_crl_t *this)
  */
 static id_match_t has_issuer(private_x509_crl_t *this, identification_t *issuer)
 {
-       id_match_t match;
-
-       if (issuer->get_type(issuer) == ID_PUBKEY_SHA1)
-       {
-               if (this->authKeyIdentifier)
-               {
-                       match = issuer->matches(issuer, this->authKeyIdentifier);
-               }
-               else
-               {
-                       match = ID_MATCH_NONE;
-               }
-       }
-       else
+       if (issuer->get_type(issuer) == ID_KEY_ID && this->authKeyIdentifier.ptr &&
+               chunk_equals(this->authKeyIdentifier, issuer->get_encoding(issuer)))
        {
-               match = this->issuer->matches(this->issuer, issuer);
+               return ID_MATCH_PERFECT;
        }
-       return match;
+       return this->issuer->matches(this->issuer, issuer);
 }
 
 /**
@@ -416,12 +405,12 @@ static bool issued_by(private_x509_crl_t *this, certificate_t *issuer)
        key = issuer->get_public_key(issuer);
 
        /* compare keyIdentifiers if available, otherwise use DNs */
-       if (this->authKeyIdentifier && key)
+       if (this->authKeyIdentifier.ptr && key)
        {
-               identification_t *subjectKeyIdentifier = key->get_id(key, ID_PUBKEY_SHA1);
-
-               if (!subjectKeyIdentifier->equals(subjectKeyIdentifier,
-                                                                                 this->authKeyIdentifier))
+               chunk_t fingerprint;
+               
+               if (!key->get_fingerprint(key, KEY_ID_PUBKEY_SHA1, &fingerprint) ||
+                       !chunk_equals(fingerprint, this->authKeyIdentifier))
                {
                        return FALSE;
                }
@@ -433,10 +422,10 @@ static bool issued_by(private_x509_crl_t *this, certificate_t *issuer)
                        return FALSE;
                }
        }
-
+       
        /* determine signature scheme */
        scheme = signature_scheme_from_oid(this->algorithm);
-
+       
        if (scheme == SIGN_UNKNOWN || key == NULL)
        {
                return FALSE;
@@ -562,7 +551,7 @@ static void destroy(private_x509_crl_t *this)
        {
                this->revoked->destroy_function(this->revoked, free);
                DESTROY_IF(this->issuer);
-               DESTROY_IF(this->authKeyIdentifier);
+               free(this->authKeyIdentifier.ptr);
                free(this->encoding.ptr);
                free(this);
        }
@@ -576,7 +565,7 @@ static private_x509_crl_t* create_empty(void)
        private_x509_crl_t *this = malloc_thing(private_x509_crl_t);
        
        this->public.crl.get_serial = (chunk_t (*)(crl_t*))get_serial;
-       this->public.crl.get_authKeyIdentifier = (identification_t* (*)(crl_t*))get_authKeyIdentifier;
+       this->public.crl.get_authKeyIdentifier = (chunk_t (*)(crl_t*))get_authKeyIdentifier;
        this->public.crl.create_enumerator = (enumerator_t* (*)(crl_t*))create_enumerator;
        this->public.crl.certificate.get_type = (certificate_type_t (*)(certificate_t *this))get_type;
        this->public.crl.certificate.get_subject = (identification_t* (*)(certificate_t *this))get_issuer;
@@ -597,7 +586,7 @@ static private_x509_crl_t* create_empty(void)
        this->issuer = NULL;
        this->crlNumber = chunk_empty;
        this->revoked = linked_list_create();
-       this->authKeyIdentifier = NULL;
+       this->authKeyIdentifier = chunk_empty;
        this->authKeySerialNumber = chunk_empty;
        this->ref = 1;
        
index 4020d8d..5892e2b 100644 (file)
@@ -159,23 +159,21 @@ static chunk_t build_requestList(private_x509_ocsp_request_t *this)
                hasher_t *hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
                if (hasher)
                {
-                       identification_t *keyid = public->get_id(public, ID_PUBKEY_SHA1);       
-                       if (keyid)
+                       if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1,
+                                                                               &issuerKeyHash))
                        {
                                enumerator_t *enumerator;
-                       
-                               issuerKeyHash = keyid->get_encoding(keyid);
-               
+                               
                                issuer = cert->get_subject(cert);
                                hasher->allocate_hash(hasher, issuer->get_encoding(issuer),
                                                                          &issuerNameHash);
                                hasher->destroy(hasher);
-       
+                               
                                enumerator = this->candidates->create_enumerator(this->candidates);
                                while (enumerator->enumerate(enumerator, &x509))
                                {
                                        chunk_t request, serialNumber;
-                       
+                                       
                                        serialNumber = x509->get_serial(x509);
                                        request = build_Request(this, issuerNameHash, issuerKeyHash,
                                                                                        serialNumber);
index 1b31872..caaae6a 100644 (file)
@@ -173,7 +173,8 @@ static cert_validation_t get_status(private_x509_ocsp_response_t *this,
        {
                hasher_t *hasher;
                identification_t *id;
-               chunk_t hash;
+               key_encoding_type_t type;
+               chunk_t hash, fingerprint;
                
                /* check serial first, is cheaper */
                if (!chunk_equals(subject->get_serial(subject), response->serialNumber))
@@ -191,15 +192,16 @@ static cert_validation_t get_status(private_x509_ocsp_response_t *this,
                                continue;
                        }
                        switch (response->hashAlgorithm)
-                       {       /* TODO: generic mapper function */
+                       {
                                case OID_SHA1:
-                                       id = public->get_id(public, ID_PUBKEY_SHA1);
+                                       type = KEY_ID_PUBKEY_SHA1;
                                        break;
                                default:
                                        public->destroy(public);
                                        continue;
                        }
-                       if (!chunk_equals(response->issuerKeyHash, id->get_encoding(id)))
+                       if (!public->get_fingerprint(public, type, &fingerprint) ||
+                               !chunk_equals(response->issuerKeyHash, fingerprint))
                        {
                                public->destroy(public);
                                continue;
@@ -525,7 +527,7 @@ static bool parse_basicOCSPResponse(private_x509_ocsp_response_t *this,
                                break;
                        case BASIC_RESPONSE_ID_BY_KEY:
                                this->responderId = identification_create_from_encoding(
-                                                                                                       ID_PUBKEY_INFO_SHA1, object);
+                                                                                                       ID_KEY_ID, object);
                                DBG2("  '%Y'", this->responderId);
                                break;
                        case BASIC_RESPONSE_PRODUCED_AT:
@@ -694,30 +696,28 @@ static bool issued_by(private_x509_ocsp_response_t *this, certificate_t *issuer)
        {
                return FALSE;
        }
-       if (this->responderId->get_type(this->responderId) == ID_DER_ASN1_DN)
+       if (this->responderId->get_type(this->responderId) == ID_KEY_ID)
        {
-               if (!this->responderId->equals(this->responderId,
-                                                                          issuer->get_subject(issuer)))
+               chunk_t fingerprint;
+               
+               key = issuer->get_public_key(issuer);
+               if (!key ||
+                       !key->get_fingerprint(key, KEY_ID_PUBKEY_SHA1, &fingerprint) ||
+                       !chunk_equals(fingerprint,
+                                                 this->responderId->get_encoding(this->responderId)))
                {
+                       DESTROY_IF(key);
                        return FALSE;
                }
+               key->destroy(key);
        }
-       else
+       else 
        {
-               bool equal;
-               public_key_t *public = issuer->get_public_key(issuer);
-
-               if (public == NULL)
+               if (!this->responderId->equals(this->responderId,
+                                                                          issuer->get_subject(issuer)))
                {
                        return FALSE;
                }
-               equal = this->responderId->equals(this->responderId,
-                                                                                 public->get_id(public, ID_PUBKEY_SHA1));
-               public->destroy(public);
-               if (!equal)
-               {
-                               return FALSE;
-               }
        }
        if (!(x509->get_flags(x509) & X509_OCSP_SIGNER) &&
                !(x509->get_flags(x509) & X509_CA))