diff --git a/lib/hx509/revoke.c b/lib/hx509/revoke.c
index 5a834d447..5d4042c7e 100644
--- a/lib/hx509/revoke.c
+++ b/lib/hx509/revoke.c
@@ -572,10 +572,10 @@ hx509_revoke_verify(hx509_context context,
 continue;
 }
- for (i = 0; i < ocsp->ocsp.tbsResponseData.responses.len; i++) {
+ for (j = 0; j < ocsp->ocsp.tbsResponseData.responses.len; j++) {
 heim_octet_string os;
- ret = der_heim_integer_cmp(&ocsp->ocsp.tbsResponseData.responses.val[i].certID.serialNumber,
+ ret = der_heim_integer_cmp(&ocsp->ocsp.tbsResponseData.responses.val[j].certID.serialNumber,
 &c->tbsCertificate.serialNumber);
 if (ret != 0) continue;
@@ -594,13 +594,13 @@ hx509_revoke_verify(hx509_context context,
 ret = _hx509_verify_signature(context, NULL,
- &ocsp->ocsp.tbsResponseData.responses.val[i].certID.hashAlgorithm,
+ &ocsp->ocsp.tbsResponseData.responses.val[j].certID.hashAlgorithm,
 &os,
- &ocsp->ocsp.tbsResponseData.responses.val[i].certID.issuerKeyHash);
+ &ocsp->ocsp.tbsResponseData.responses.val[j].certID.issuerKeyHash);
 if (ret != 0) continue;
- switch (ocsp->ocsp.tbsResponseData.responses.val[i].certStatus.element) {
+ switch (ocsp->ocsp.tbsResponseData.responses.val[j].certStatus.element) {
 case choice_OCSPCertStatus_good: break;
 case choice_OCSPCertStatus_revoked:
@@ -609,13 +609,13 @@ hx509_revoke_verify(hx509_context context,
 }
 /* don't allow the update to be in the future */
- if (ocsp->ocsp.tbsResponseData.responses.val[i].thisUpdate >
+ if (ocsp->ocsp.tbsResponseData.responses.val[j].thisUpdate >
 now + context->ocsp_time_diff) continue;
 /* don't allow the next updte to be in the past */
- if (ocsp->ocsp.tbsResponseData.responses.val[i].nextUpdate) {
- if (*ocsp->ocsp.tbsResponseData.responses.val[i].nextUpdate < now)
+ if (ocsp->ocsp.tbsResponseData.responses.val[j].nextUpdate) {
+ if (*ocsp->ocsp.tbsResponseData.responses.val[j].nextUpdate < now)
 continue;
 } else /* Should force a refetch, but can we ? */;
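Review bot: The conversion of the loop body from `i` to `j` cannot be confirmed complete from this diff: by the hunk headers, old lines 582–593 lie inside the `for (j ...)` body between the first and second hunk and are not touched. If any statement there still indexes `responses.val[i]`, it would test a different response entry than the one whose serial number matched at `val[j]`. It could also read past `responses.len`, assuming `i` is the index of an enclosing loop, as the `continue; }` context above the loop suggests. Please confirm that stretch has no remaining `val[i]`, and that `j` is already declared in `hx509_revoke_verify`, since no hunk adds a declaration. The function starts and ends outside the hunk.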
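Review bot: The full path `ocsp->ocsp.tbsResponseData.responses.val[j]` is still spelled out at every use in the second hunk (`hashAlgorithm`, `issuerKeyHash`, `certStatus`) and seven times on the new side across the three hunks. That repetition is what makes a stray index easy to miss in review. Taking the address once at the top of the loop body, for example `resp = &ocsp->ocsp.tbsResponseData.responses.val[j];` with `resp` declared as a pointer to the element type of `responses.val`, leaves a single index expression to audit. The later uses then read `resp->certID.hashAlgorithm`, `resp->certStatus.element`, and so on. The loop body starts before and continues after this hunk.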
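Review bot: In the third hunk the freshness checks on the matched entry are looser than they look. When `nextUpdate` is absent, the `else /* Should force a refetch, but can we ? */;` branch is an empty statement, so the only time bound on the response is that `thisUpdate` is not in the future, and a stored "good" response without `nextUpdate` is accepted regardless of age. This predates the commit, but the lines are touched here, so it is worth bounding the age in that branch, for example by skipping the entry when `thisUpdate` is older than a configured maximum (the policy value is not visible on this page). The `nextUpdate` comparison also uses bare `now` while the `thisUpdate` comparison allows `context->ocsp_time_diff`; a short comment should say whether that asymmetry is intended. The comment typo "updte" could be corrected at the same time, and the loop body continues past the end of this hunk.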