From cd0e4d5297882b88b17e52ba7bc042764771e352 Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Fri, 22 Nov 2019 16:36:20 +0100
Subject: [PATCH] x509: Correctly parse nonce in OCSP response

Fixes: d7dc677ee572 ("x509: Correctly encode nonce in OCSP request")
---
 src/libstrongswan/plugins/x509/x509_ocsp_response.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_response.c b/src/libstrongswan/plugins/x509/x509_ocsp_response.c
index 75eb9d779..f3ade37e4 100644
--- a/src/libstrongswan/plugins/x509/x509_ocsp_response.c
+++ b/src/libstrongswan/plugins/x509/x509_ocsp_response.c
@@ -577,7 +577,9 @@ static bool parse_basicOCSPResponse(private_x509_ocsp_response_t *this,
 DBG2(DBG_ASN, " %s", critical ? "TRUE" : "FALSE");
 break;
 case BASIC_RESPONSE_EXT_VALUE:
- if (extn_oid == OID_NONCE)
+ if (extn_oid == OID_NONCE &&
+ asn1_parse_simple_object(&object, ASN1_OCTET_STRING,
+ parser->get_level(parser)+1, "nonce"))
 {
 this->nonce = object;
 }
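Review bot: In the `BASIC_RESPONSE_EXT_VALUE` case, a nonce whose extension value does not unwrap as an `ASN1_OCTET_STRING` is dropped silently: `this->nonce` stays unset and parsing continues. To the code that later compares it with the request nonce (outside this hunk), a malformed nonce therefore presumably looks the same as a missing one. Since the nonce is the replay-protection field, the failure should at least be visible, for example `else if (extn_oid == OID_NONCE) { DBG1(DBG_ASN, "invalid nonce in OCSP response"); }`. Whether the response should also be rejected depends on the error path of `parse_basicOCSPResponse`, whose body starts and ends outside the hunk. A one-line comment above the condition would also help, such as `/* nonce extnValue wraps an OCTET STRING, unwrap it before storing */`, so the extra parse step is not mistaken for redundant.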