This fixes some certs revocation check failures I encountered.
For the first patch (constructor tag in CRYPT_AsnDecodeOCSPSignatureInfoCertEncoded) see [1], p. 4.2.1:

```
BasicOCSPResponse ::= SEQUENCE {
   tbsResponseData      ResponseData,
   signatureAlgorithm   AlgorithmIdentifier,
   signature            BIT STRING,
   certs            [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
```

Mind the [0], which is that constructor tag which is handled elsewhere when processing the OCSP response but not here. Without that, decoding any response with certs present is failing.
I am attaching the test for the second patch separately, mostly because it is hard to make it reliable: it inherently depends on the OCSP responder. Note that the test with the existing cert which I am replacing does not actually test what it is supposed to. The OCSP response fails with code '6' received from the server (unauthorized request; reproducible from a browser querying the same URL and parsing the response with openssl). On Windows with CERT_VERIFY_REV_SERVER_OCSP_FLAG (which we currently don't support) the revocation check fails as well; the test succeeds both on Windows and Wine by falling back to the CRL check, which is also defined in the certificate. I screwed in some support for CERT_VERIFY_REV_SERVER_OCSP_FLAG in the test patch, otherwise the revocation check will succeed even with OCSP not working without patch 2 (the same way as the existing test).
For the second patch itself, InternetCombineUrlW() doesn't work in an obvious way one could expect. If the base URL contains a local path (e.g., http://ocsp.pki.goog/gts1c3 like in the separate test's cert), InternetCombineUrlW will strip off the local part and append the relative URL to the base URL, which is http://ocsp.pki.goog, resulting in error 404 from the HTTP request. We already escape the added relative part, so I guess we can just concat that.
1. https://www.ietf.org/rfc/rfc2560.txt
UPDATE: here is the test patch: [0001-do-not-commit-cryptnet-Test-OCSP-URL-with-local-path.patch](/uploads/3aa81a331c50c6fb87ba32e641fc5184/0001-do-not-commit-cryptnet-Test-OCSP-URL-with-local-path.patch)
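
The `[0] EXPLICIT` wrapper discussed for the first patch, as an added example that is not part of the original merge request or of Wine's code: a minimal DER walker that counts the entries of the `certs` field and fails when the context tag is not unwrapped first. The names `der_header`, `count_certs` and `sample_certs` are hypothetical, and the sample bytes are constructed placeholders, not real certificates.

```c
#include <stddef.h>
#include <stdio.h>

#define TAG_SEQUENCE  0x30 /* universal, constructed SEQUENCE */
#define TAG_CTX0_CONS 0xA0 /* context-specific [0], constructed (EXPLICIT wrapper) */

/* Constructed sample: certs [0] EXPLICIT SEQUENCE OF with two stub "certificates",
 * each an outer SEQUENCE holding only a NULL (assumption, for illustration). */
static const unsigned char sample_certs[] = {
    0xA0, 0x0A,                                          /* [0] EXPLICIT, 10 bytes */
    0x30, 0x08,                                          /* SEQUENCE OF, 8 bytes   */
    0x30, 0x02, 0x05, 0x00, 0x30, 0x02, 0x05, 0x00 };    /* two stub entries       */

/* Read one TLV header; returns its size, or 0 if malformed or truncated. */
static size_t der_header(const unsigned char *p, size_t n, unsigned char *tag, size_t *len)
{
    size_t i, nlen = 0;
    if (n < 2) return 0;
    *tag = p[0];
    *len = p[1];
    if (p[1] & 0x80) { /* long form: low 7 bits give the number of length bytes */
        nlen = p[1] & 0x7f;
        if (!nlen || nlen > sizeof(size_t) || n - 2 < nlen) return 0;
        for (*len = 0, i = 0; i < nlen; i++) *len = (*len << 8) | p[2 + i];
    }
    if (*len > n - 2 - nlen) return 0; /* content must fit in the buffer */
    return 2 + nlen;
}

/* Count SEQUENCE OF entries; unwraps [0] EXPLICIT first when explicit0 is set.
 * Returns -1 on an unexpected tag or malformed input. */
int count_certs(const unsigned char *p, size_t n, int explicit0)
{
    unsigned char tag; size_t len, hdr; int count = 0;
    if (explicit0) {
        if (!(hdr = der_header(p, n, &tag, &len)) || tag != TAG_CTX0_CONS) return -1;
        p += hdr; n = len;
    }
    if (!(hdr = der_header(p, n, &tag, &len)) || tag != TAG_SEQUENCE) return -1;
    p += hdr; n = len;
    while (n) { /* each Certificate is itself a SEQUENCE */
        if (!(hdr = der_header(p, n, &tag, &len)) || tag != TAG_SEQUENCE) return -1;
        p += hdr + len; n -= hdr + len; count++;
    }
    return count;
}

int main(void)
{
    printf("with [0] unwrapped: %d, treated as bare SEQUENCE: %d\n",
           count_certs(sample_certs, sizeof(sample_certs), 1),
           count_certs(sample_certs, sizeof(sample_certs), 0));
    return 0;
}
```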