summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/ts
diff options
context:
space:
mode:
authorcvs2svn <admin@example.com>2014-02-27 21:04:58 +0000
committercvs2svn <admin@example.com>2014-02-27 21:04:58 +0000
commit726818f36b5221c023cd04c4b90bdbc08e94cd96 (patch)
treecf8221f3aa5bf5a578ddf1ecf5677ad08c04d342 /src/lib/libcrypto/ts
parent3b6d92e82b1421b811bcdec7f7fdfb31eeef18de (diff)
downloadopenbsd-OPENBSD_5_5_BASE.tar.gz
openbsd-OPENBSD_5_5_BASE.tar.bz2
openbsd-OPENBSD_5_5_BASE.zip
This commit was manufactured by cvs2git to create tag 'OPENBSD_5_5_BASE'.OPENBSD_5_5_BASE
Diffstat (limited to 'src/lib/libcrypto/ts')
-rw-r--r--src/lib/libcrypto/ts/ts.h858
-rw-r--r--src/lib/libcrypto/ts/ts_asn1.c322
-rw-r--r--src/lib/libcrypto/ts/ts_conf.c507
-rw-r--r--src/lib/libcrypto/ts/ts_err.c179
-rw-r--r--src/lib/libcrypto/ts/ts_lib.c145
-rw-r--r--src/lib/libcrypto/ts/ts_req_print.c102
-rw-r--r--src/lib/libcrypto/ts/ts_req_utils.c234
-rw-r--r--src/lib/libcrypto/ts/ts_rsp_print.c287
-rw-r--r--src/lib/libcrypto/ts/ts_rsp_sign.c1020
-rw-r--r--src/lib/libcrypto/ts/ts_rsp_utils.c409
-rw-r--r--src/lib/libcrypto/ts/ts_rsp_verify.c730
-rw-r--r--src/lib/libcrypto/ts/ts_verify_ctx.c159
12 files changed, 0 insertions, 4952 deletions
diff --git a/src/lib/libcrypto/ts/ts.h b/src/lib/libcrypto/ts/ts.h
deleted file mode 100644
index c2448e3c3b..0000000000
--- a/src/lib/libcrypto/ts/ts.h
+++ /dev/null
@@ -1,858 +0,0 @@
1/* crypto/ts/ts.h */
2/* Written by Zoltan Glozik (zglozik@opentsa.org) for the OpenSSL
3 * project 2002, 2003, 2004.
4 */
5/* ====================================================================
6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#ifndef HEADER_TS_H
60#define HEADER_TS_H
61
62#include <openssl/opensslconf.h>
63#include <openssl/symhacks.h>
64#ifndef OPENSSL_NO_BUFFER
65#include <openssl/buffer.h>
66#endif
67#ifndef OPENSSL_NO_EVP
68#include <openssl/evp.h>
69#endif
70#ifndef OPENSSL_NO_BIO
71#include <openssl/bio.h>
72#endif
73#include <openssl/stack.h>
74#include <openssl/asn1.h>
75#include <openssl/safestack.h>
76
77#ifndef OPENSSL_NO_RSA
78#include <openssl/rsa.h>
79#endif
80
81#ifndef OPENSSL_NO_DSA
82#include <openssl/dsa.h>
83#endif
84
85#ifndef OPENSSL_NO_DH
86#include <openssl/dh.h>
87#endif
88
89#ifdef __cplusplus
90extern "C" {
91#endif
92
93#ifdef WIN32
94/* Under Win32 this is defined in wincrypt.h */
95#undef X509_NAME
96#endif
97
98#include <openssl/x509.h>
99#include <openssl/x509v3.h>
100
101/*
102MessageImprint ::= SEQUENCE {
103 hashAlgorithm AlgorithmIdentifier,
104 hashedMessage OCTET STRING }
105*/
106
107typedef struct TS_msg_imprint_st
108 {
109 X509_ALGOR *hash_algo;
110 ASN1_OCTET_STRING *hashed_msg;
111 } TS_MSG_IMPRINT;
112
113/*
114TimeStampReq ::= SEQUENCE {
115 version INTEGER { v1(1) },
116 messageImprint MessageImprint,
117 --a hash algorithm OID and the hash value of the data to be
118 --time-stamped
119 reqPolicy TSAPolicyId OPTIONAL,
120 nonce INTEGER OPTIONAL,
121 certReq BOOLEAN DEFAULT FALSE,
122 extensions [0] IMPLICIT Extensions OPTIONAL }
123*/
124
125typedef struct TS_req_st
126 {
127 ASN1_INTEGER *version;
128 TS_MSG_IMPRINT *msg_imprint;
129 ASN1_OBJECT *policy_id; /* OPTIONAL */
130 ASN1_INTEGER *nonce; /* OPTIONAL */
131 ASN1_BOOLEAN cert_req; /* DEFAULT FALSE */
132 STACK_OF(X509_EXTENSION) *extensions; /* [0] OPTIONAL */
133 } TS_REQ;
134
135/*
136Accuracy ::= SEQUENCE {
137 seconds INTEGER OPTIONAL,
138 millis [0] INTEGER (1..999) OPTIONAL,
139 micros [1] INTEGER (1..999) OPTIONAL }
140*/
141
142typedef struct TS_accuracy_st
143 {
144 ASN1_INTEGER *seconds;
145 ASN1_INTEGER *millis;
146 ASN1_INTEGER *micros;
147 } TS_ACCURACY;
148
149/*
150TSTInfo ::= SEQUENCE {
151 version INTEGER { v1(1) },
152 policy TSAPolicyId,
153 messageImprint MessageImprint,
154 -- MUST have the same value as the similar field in
155 -- TimeStampReq
156 serialNumber INTEGER,
157 -- Time-Stamping users MUST be ready to accommodate integers
158 -- up to 160 bits.
159 genTime GeneralizedTime,
160 accuracy Accuracy OPTIONAL,
161 ordering BOOLEAN DEFAULT FALSE,
162 nonce INTEGER OPTIONAL,
163 -- MUST be present if the similar field was present
164 -- in TimeStampReq. In that case it MUST have the same value.
165 tsa [0] GeneralName OPTIONAL,
166 extensions [1] IMPLICIT Extensions OPTIONAL }
167*/
168
169typedef struct TS_tst_info_st
170 {
171 ASN1_INTEGER *version;
172 ASN1_OBJECT *policy_id;
173 TS_MSG_IMPRINT *msg_imprint;
174 ASN1_INTEGER *serial;
175 ASN1_GENERALIZEDTIME *time;
176 TS_ACCURACY *accuracy;
177 ASN1_BOOLEAN ordering;
178 ASN1_INTEGER *nonce;
179 GENERAL_NAME *tsa;
180 STACK_OF(X509_EXTENSION) *extensions;
181 } TS_TST_INFO;
182
183/*
184PKIStatusInfo ::= SEQUENCE {
185 status PKIStatus,
186 statusString PKIFreeText OPTIONAL,
187 failInfo PKIFailureInfo OPTIONAL }
188
189From RFC 1510 - section 3.1.1:
190PKIFreeText ::= SEQUENCE SIZE (1..MAX) OF UTF8String
191 -- text encoded as UTF-8 String (note: each UTF8String SHOULD
192 -- include an RFC 1766 language tag to indicate the language
193 -- of the contained text)
194*/
195
196/* Possible values for status. See ts_resp_print.c && ts_resp_verify.c. */
197
198#define TS_STATUS_GRANTED 0
199#define TS_STATUS_GRANTED_WITH_MODS 1
200#define TS_STATUS_REJECTION 2
201#define TS_STATUS_WAITING 3
202#define TS_STATUS_REVOCATION_WARNING 4
203#define TS_STATUS_REVOCATION_NOTIFICATION 5
204
205/* Possible values for failure_info. See ts_resp_print.c && ts_resp_verify.c */
206
207#define TS_INFO_BAD_ALG 0
208#define TS_INFO_BAD_REQUEST 2
209#define TS_INFO_BAD_DATA_FORMAT 5
210#define TS_INFO_TIME_NOT_AVAILABLE 14
211#define TS_INFO_UNACCEPTED_POLICY 15
212#define TS_INFO_UNACCEPTED_EXTENSION 16
213#define TS_INFO_ADD_INFO_NOT_AVAILABLE 17
214#define TS_INFO_SYSTEM_FAILURE 25
215
216typedef struct TS_status_info_st
217 {
218 ASN1_INTEGER *status;
219 STACK_OF(ASN1_UTF8STRING) *text;
220 ASN1_BIT_STRING *failure_info;
221 } TS_STATUS_INFO;
222
223DECLARE_STACK_OF(ASN1_UTF8STRING)
224DECLARE_ASN1_SET_OF(ASN1_UTF8STRING)
225
226/*
227TimeStampResp ::= SEQUENCE {
228 status PKIStatusInfo,
229 timeStampToken TimeStampToken OPTIONAL }
230*/
231
232typedef struct TS_resp_st
233 {
234 TS_STATUS_INFO *status_info;
235 PKCS7 *token;
236 TS_TST_INFO *tst_info;
237 } TS_RESP;
238
239/* The structure below would belong to the ESS component. */
240
241/*
242IssuerSerial ::= SEQUENCE {
243 issuer GeneralNames,
244 serialNumber CertificateSerialNumber
245 }
246*/
247
248typedef struct ESS_issuer_serial
249 {
250 STACK_OF(GENERAL_NAME) *issuer;
251 ASN1_INTEGER *serial;
252 } ESS_ISSUER_SERIAL;
253
254/*
255ESSCertID ::= SEQUENCE {
256 certHash Hash,
257 issuerSerial IssuerSerial OPTIONAL
258}
259*/
260
261typedef struct ESS_cert_id
262 {
263 ASN1_OCTET_STRING *hash; /* Always SHA-1 digest. */
264 ESS_ISSUER_SERIAL *issuer_serial;
265 } ESS_CERT_ID;
266
267DECLARE_STACK_OF(ESS_CERT_ID)
268DECLARE_ASN1_SET_OF(ESS_CERT_ID)
269
270/*
271SigningCertificate ::= SEQUENCE {
272 certs SEQUENCE OF ESSCertID,
273 policies SEQUENCE OF PolicyInformation OPTIONAL
274}
275*/
276
277typedef struct ESS_signing_cert
278 {
279 STACK_OF(ESS_CERT_ID) *cert_ids;
280 STACK_OF(POLICYINFO) *policy_info;
281 } ESS_SIGNING_CERT;
282
283
284TS_REQ *TS_REQ_new(void);
285void TS_REQ_free(TS_REQ *a);
286int i2d_TS_REQ(const TS_REQ *a, unsigned char **pp);
287TS_REQ *d2i_TS_REQ(TS_REQ **a, const unsigned char **pp, long length);
288
289TS_REQ *TS_REQ_dup(TS_REQ *a);
290
291TS_REQ *d2i_TS_REQ_fp(FILE *fp, TS_REQ **a);
292int i2d_TS_REQ_fp(FILE *fp, TS_REQ *a);
293TS_REQ *d2i_TS_REQ_bio(BIO *fp, TS_REQ **a);
294int i2d_TS_REQ_bio(BIO *fp, TS_REQ *a);
295
296TS_MSG_IMPRINT *TS_MSG_IMPRINT_new(void);
297void TS_MSG_IMPRINT_free(TS_MSG_IMPRINT *a);
298int i2d_TS_MSG_IMPRINT(const TS_MSG_IMPRINT *a, unsigned char **pp);
299TS_MSG_IMPRINT *d2i_TS_MSG_IMPRINT(TS_MSG_IMPRINT **a,
300 const unsigned char **pp, long length);
301
302TS_MSG_IMPRINT *TS_MSG_IMPRINT_dup(TS_MSG_IMPRINT *a);
303
304TS_MSG_IMPRINT *d2i_TS_MSG_IMPRINT_fp(FILE *fp, TS_MSG_IMPRINT **a);
305int i2d_TS_MSG_IMPRINT_fp(FILE *fp, TS_MSG_IMPRINT *a);
306TS_MSG_IMPRINT *d2i_TS_MSG_IMPRINT_bio(BIO *fp, TS_MSG_IMPRINT **a);
307int i2d_TS_MSG_IMPRINT_bio(BIO *fp, TS_MSG_IMPRINT *a);
308
309TS_RESP *TS_RESP_new(void);
310void TS_RESP_free(TS_RESP *a);
311int i2d_TS_RESP(const TS_RESP *a, unsigned char **pp);
312TS_RESP *d2i_TS_RESP(TS_RESP **a, const unsigned char **pp, long length);
313TS_TST_INFO *PKCS7_to_TS_TST_INFO(PKCS7 *token);
314TS_RESP *TS_RESP_dup(TS_RESP *a);
315
316TS_RESP *d2i_TS_RESP_fp(FILE *fp, TS_RESP **a);
317int i2d_TS_RESP_fp(FILE *fp, TS_RESP *a);
318TS_RESP *d2i_TS_RESP_bio(BIO *fp, TS_RESP **a);
319int i2d_TS_RESP_bio(BIO *fp, TS_RESP *a);
320
321TS_STATUS_INFO *TS_STATUS_INFO_new(void);
322void TS_STATUS_INFO_free(TS_STATUS_INFO *a);
323int i2d_TS_STATUS_INFO(const TS_STATUS_INFO *a, unsigned char **pp);
324TS_STATUS_INFO *d2i_TS_STATUS_INFO(TS_STATUS_INFO **a,
325 const unsigned char **pp, long length);
326TS_STATUS_INFO *TS_STATUS_INFO_dup(TS_STATUS_INFO *a);
327
328TS_TST_INFO *TS_TST_INFO_new(void);
329void TS_TST_INFO_free(TS_TST_INFO *a);
330int i2d_TS_TST_INFO(const TS_TST_INFO *a, unsigned char **pp);
331TS_TST_INFO *d2i_TS_TST_INFO(TS_TST_INFO **a, const unsigned char **pp,
332 long length);
333TS_TST_INFO *TS_TST_INFO_dup(TS_TST_INFO *a);
334
335TS_TST_INFO *d2i_TS_TST_INFO_fp(FILE *fp, TS_TST_INFO **a);
336int i2d_TS_TST_INFO_fp(FILE *fp, TS_TST_INFO *a);
337TS_TST_INFO *d2i_TS_TST_INFO_bio(BIO *fp, TS_TST_INFO **a);
338int i2d_TS_TST_INFO_bio(BIO *fp, TS_TST_INFO *a);
339
340TS_ACCURACY *TS_ACCURACY_new(void);
341void TS_ACCURACY_free(TS_ACCURACY *a);
342int i2d_TS_ACCURACY(const TS_ACCURACY *a, unsigned char **pp);
343TS_ACCURACY *d2i_TS_ACCURACY(TS_ACCURACY **a, const unsigned char **pp,
344 long length);
345TS_ACCURACY *TS_ACCURACY_dup(TS_ACCURACY *a);
346
347ESS_ISSUER_SERIAL *ESS_ISSUER_SERIAL_new(void);
348void ESS_ISSUER_SERIAL_free(ESS_ISSUER_SERIAL *a);
349int i2d_ESS_ISSUER_SERIAL(const ESS_ISSUER_SERIAL *a,
350 unsigned char **pp);
351ESS_ISSUER_SERIAL *d2i_ESS_ISSUER_SERIAL(ESS_ISSUER_SERIAL **a,
352 const unsigned char **pp, long length);
353ESS_ISSUER_SERIAL *ESS_ISSUER_SERIAL_dup(ESS_ISSUER_SERIAL *a);
354
355ESS_CERT_ID *ESS_CERT_ID_new(void);
356void ESS_CERT_ID_free(ESS_CERT_ID *a);
357int i2d_ESS_CERT_ID(const ESS_CERT_ID *a, unsigned char **pp);
358ESS_CERT_ID *d2i_ESS_CERT_ID(ESS_CERT_ID **a, const unsigned char **pp,
359 long length);
360ESS_CERT_ID *ESS_CERT_ID_dup(ESS_CERT_ID *a);
361
362ESS_SIGNING_CERT *ESS_SIGNING_CERT_new(void);
363void ESS_SIGNING_CERT_free(ESS_SIGNING_CERT *a);
364int i2d_ESS_SIGNING_CERT(const ESS_SIGNING_CERT *a,
365 unsigned char **pp);
366ESS_SIGNING_CERT *d2i_ESS_SIGNING_CERT(ESS_SIGNING_CERT **a,
367 const unsigned char **pp, long length);
368ESS_SIGNING_CERT *ESS_SIGNING_CERT_dup(ESS_SIGNING_CERT *a);
369
370void ERR_load_TS_strings(void);
371
372int TS_REQ_set_version(TS_REQ *a, long version);
373long TS_REQ_get_version(const TS_REQ *a);
374
375int TS_REQ_set_msg_imprint(TS_REQ *a, TS_MSG_IMPRINT *msg_imprint);
376TS_MSG_IMPRINT *TS_REQ_get_msg_imprint(TS_REQ *a);
377
378int TS_MSG_IMPRINT_set_algo(TS_MSG_IMPRINT *a, X509_ALGOR *alg);
379X509_ALGOR *TS_MSG_IMPRINT_get_algo(TS_MSG_IMPRINT *a);
380
381int TS_MSG_IMPRINT_set_msg(TS_MSG_IMPRINT *a, unsigned char *d, int len);
382ASN1_OCTET_STRING *TS_MSG_IMPRINT_get_msg(TS_MSG_IMPRINT *a);
383
384int TS_REQ_set_policy_id(TS_REQ *a, ASN1_OBJECT *policy);
385ASN1_OBJECT *TS_REQ_get_policy_id(TS_REQ *a);
386
387int TS_REQ_set_nonce(TS_REQ *a, const ASN1_INTEGER *nonce);
388const ASN1_INTEGER *TS_REQ_get_nonce(const TS_REQ *a);
389
390int TS_REQ_set_cert_req(TS_REQ *a, int cert_req);
391int TS_REQ_get_cert_req(const TS_REQ *a);
392
393STACK_OF(X509_EXTENSION) *TS_REQ_get_exts(TS_REQ *a);
394void TS_REQ_ext_free(TS_REQ *a);
395int TS_REQ_get_ext_count(TS_REQ *a);
396int TS_REQ_get_ext_by_NID(TS_REQ *a, int nid, int lastpos);
397int TS_REQ_get_ext_by_OBJ(TS_REQ *a, ASN1_OBJECT *obj, int lastpos);
398int TS_REQ_get_ext_by_critical(TS_REQ *a, int crit, int lastpos);
399X509_EXTENSION *TS_REQ_get_ext(TS_REQ *a, int loc);
400X509_EXTENSION *TS_REQ_delete_ext(TS_REQ *a, int loc);
401int TS_REQ_add_ext(TS_REQ *a, X509_EXTENSION *ex, int loc);
402void *TS_REQ_get_ext_d2i(TS_REQ *a, int nid, int *crit, int *idx);
403
404/* Function declarations for TS_REQ defined in ts/ts_req_print.c */
405
406int TS_REQ_print_bio(BIO *bio, TS_REQ *a);
407
408/* Function declarations for TS_RESP defined in ts/ts_resp_utils.c */
409
410int TS_RESP_set_status_info(TS_RESP *a, TS_STATUS_INFO *info);
411TS_STATUS_INFO *TS_RESP_get_status_info(TS_RESP *a);
412
413/* Caller loses ownership of PKCS7 and TS_TST_INFO objects. */
414void TS_RESP_set_tst_info(TS_RESP *a, PKCS7 *p7, TS_TST_INFO *tst_info);
415PKCS7 *TS_RESP_get_token(TS_RESP *a);
416TS_TST_INFO *TS_RESP_get_tst_info(TS_RESP *a);
417
418int TS_TST_INFO_set_version(TS_TST_INFO *a, long version);
419long TS_TST_INFO_get_version(const TS_TST_INFO *a);
420
421int TS_TST_INFO_set_policy_id(TS_TST_INFO *a, ASN1_OBJECT *policy_id);
422ASN1_OBJECT *TS_TST_INFO_get_policy_id(TS_TST_INFO *a);
423
424int TS_TST_INFO_set_msg_imprint(TS_TST_INFO *a, TS_MSG_IMPRINT *msg_imprint);
425TS_MSG_IMPRINT *TS_TST_INFO_get_msg_imprint(TS_TST_INFO *a);
426
427int TS_TST_INFO_set_serial(TS_TST_INFO *a, const ASN1_INTEGER *serial);
428const ASN1_INTEGER *TS_TST_INFO_get_serial(const TS_TST_INFO *a);
429
430int TS_TST_INFO_set_time(TS_TST_INFO *a, const ASN1_GENERALIZEDTIME *gtime);
431const ASN1_GENERALIZEDTIME *TS_TST_INFO_get_time(const TS_TST_INFO *a);
432
433int TS_TST_INFO_set_accuracy(TS_TST_INFO *a, TS_ACCURACY *accuracy);
434TS_ACCURACY *TS_TST_INFO_get_accuracy(TS_TST_INFO *a);
435
436int TS_ACCURACY_set_seconds(TS_ACCURACY *a, const ASN1_INTEGER *seconds);
437const ASN1_INTEGER *TS_ACCURACY_get_seconds(const TS_ACCURACY *a);
438
439int TS_ACCURACY_set_millis(TS_ACCURACY *a, const ASN1_INTEGER *millis);
440const ASN1_INTEGER *TS_ACCURACY_get_millis(const TS_ACCURACY *a);
441
442int TS_ACCURACY_set_micros(TS_ACCURACY *a, const ASN1_INTEGER *micros);
443const ASN1_INTEGER *TS_ACCURACY_get_micros(const TS_ACCURACY *a);
444
445int TS_TST_INFO_set_ordering(TS_TST_INFO *a, int ordering);
446int TS_TST_INFO_get_ordering(const TS_TST_INFO *a);
447
448int TS_TST_INFO_set_nonce(TS_TST_INFO *a, const ASN1_INTEGER *nonce);
449const ASN1_INTEGER *TS_TST_INFO_get_nonce(const TS_TST_INFO *a);
450
451int TS_TST_INFO_set_tsa(TS_TST_INFO *a, GENERAL_NAME *tsa);
452GENERAL_NAME *TS_TST_INFO_get_tsa(TS_TST_INFO *a);
453
454STACK_OF(X509_EXTENSION) *TS_TST_INFO_get_exts(TS_TST_INFO *a);
455void TS_TST_INFO_ext_free(TS_TST_INFO *a);
456int TS_TST_INFO_get_ext_count(TS_TST_INFO *a);
457int TS_TST_INFO_get_ext_by_NID(TS_TST_INFO *a, int nid, int lastpos);
458int TS_TST_INFO_get_ext_by_OBJ(TS_TST_INFO *a, ASN1_OBJECT *obj, int lastpos);
459int TS_TST_INFO_get_ext_by_critical(TS_TST_INFO *a, int crit, int lastpos);
460X509_EXTENSION *TS_TST_INFO_get_ext(TS_TST_INFO *a, int loc);
461X509_EXTENSION *TS_TST_INFO_delete_ext(TS_TST_INFO *a, int loc);
462int TS_TST_INFO_add_ext(TS_TST_INFO *a, X509_EXTENSION *ex, int loc);
463void *TS_TST_INFO_get_ext_d2i(TS_TST_INFO *a, int nid, int *crit, int *idx);
464
465/* Declarations related to response generation, defined in ts/ts_resp_sign.c. */
466
467/* Optional flags for response generation. */
468
469/* Don't include the TSA name in response. */
470#define TS_TSA_NAME 0x01
471
472/* Set ordering to true in response. */
473#define TS_ORDERING 0x02
474
475/*
476 * Include the signer certificate and the other specified certificates in
477 * the ESS signing certificate attribute beside the PKCS7 signed data.
478 * Only the signer certificates is included by default.
479 */
480#define TS_ESS_CERT_ID_CHAIN 0x04
481
482/* Forward declaration. */
483struct TS_resp_ctx;
484
485/* This must return a unique number less than 160 bits long. */
486typedef ASN1_INTEGER *(*TS_serial_cb)(struct TS_resp_ctx *, void *);
487
488/* This must return the seconds and microseconds since Jan 1, 1970 in
489 the sec and usec variables allocated by the caller.
490 Return non-zero for success and zero for failure. */
491typedef int (*TS_time_cb)(struct TS_resp_ctx *, void *, long *sec, long *usec);
492
493/* This must process the given extension.
494 * It can modify the TS_TST_INFO object of the context.
495 * Return values: !0 (processed), 0 (error, it must set the
496 * status info/failure info of the response).
497 */
498typedef int (*TS_extension_cb)(struct TS_resp_ctx *, X509_EXTENSION *, void *);
499
500typedef struct TS_resp_ctx
501 {
502 X509 *signer_cert;
503 EVP_PKEY *signer_key;
504 STACK_OF(X509) *certs; /* Certs to include in signed data. */
505 STACK_OF(ASN1_OBJECT) *policies; /* Acceptable policies. */
506 ASN1_OBJECT *default_policy; /* It may appear in policies, too. */
507 STACK_OF(EVP_MD) *mds; /* Acceptable message digests. */
508 ASN1_INTEGER *seconds; /* accuracy, 0 means not specified. */
509 ASN1_INTEGER *millis; /* accuracy, 0 means not specified. */
510 ASN1_INTEGER *micros; /* accuracy, 0 means not specified. */
511 unsigned clock_precision_digits; /* fraction of seconds in
512 time stamp token. */
513 unsigned flags; /* Optional info, see values above. */
514
515 /* Callback functions. */
516 TS_serial_cb serial_cb;
517 void *serial_cb_data; /* User data for serial_cb. */
518
519 TS_time_cb time_cb;
520 void *time_cb_data; /* User data for time_cb. */
521
522 TS_extension_cb extension_cb;
523 void *extension_cb_data; /* User data for extension_cb. */
524
525 /* These members are used only while creating the response. */
526 TS_REQ *request;
527 TS_RESP *response;
528 TS_TST_INFO *tst_info;
529 } TS_RESP_CTX;
530
531DECLARE_STACK_OF(EVP_MD)
532DECLARE_ASN1_SET_OF(EVP_MD)
533
534/* Creates a response context that can be used for generating responses. */
535TS_RESP_CTX *TS_RESP_CTX_new(void);
536void TS_RESP_CTX_free(TS_RESP_CTX *ctx);
537
538/* This parameter must be set. */
539int TS_RESP_CTX_set_signer_cert(TS_RESP_CTX *ctx, X509 *signer);
540
541/* This parameter must be set. */
542int TS_RESP_CTX_set_signer_key(TS_RESP_CTX *ctx, EVP_PKEY *key);
543
544/* This parameter must be set. */
545int TS_RESP_CTX_set_def_policy(TS_RESP_CTX *ctx, ASN1_OBJECT *def_policy);
546
547/* No additional certs are included in the response by default. */
548int TS_RESP_CTX_set_certs(TS_RESP_CTX *ctx, STACK_OF(X509) *certs);
549
550/* Adds a new acceptable policy, only the default policy
551 is accepted by default. */
552int TS_RESP_CTX_add_policy(TS_RESP_CTX *ctx, ASN1_OBJECT *policy);
553
554/* Adds a new acceptable message digest. Note that no message digests
555 are accepted by default. The md argument is shared with the caller. */
556int TS_RESP_CTX_add_md(TS_RESP_CTX *ctx, const EVP_MD *md);
557
558/* Accuracy is not included by default. */
559int TS_RESP_CTX_set_accuracy(TS_RESP_CTX *ctx,
560 int secs, int millis, int micros);
561
562/* Clock precision digits, i.e. the number of decimal digits:
563 '0' means sec, '3' msec, '6' usec, and so on. Default is 0. */
564int TS_RESP_CTX_set_clock_precision_digits(TS_RESP_CTX *ctx,
565 unsigned clock_precision_digits);
566/* At most we accept usec precision. */
567#define TS_MAX_CLOCK_PRECISION_DIGITS 6
568
569/* No flags are set by default. */
570void TS_RESP_CTX_add_flags(TS_RESP_CTX *ctx, int flags);
571
572/* Default callback always returns a constant. */
573void TS_RESP_CTX_set_serial_cb(TS_RESP_CTX *ctx, TS_serial_cb cb, void *data);
574
575/* Default callback uses the gettimeofday() and gmtime() system calls. */
576void TS_RESP_CTX_set_time_cb(TS_RESP_CTX *ctx, TS_time_cb cb, void *data);
577
578/* Default callback rejects all extensions. The extension callback is called
579 * when the TS_TST_INFO object is already set up and not signed yet. */
580/* FIXME: extension handling is not tested yet. */
581void TS_RESP_CTX_set_extension_cb(TS_RESP_CTX *ctx,
582 TS_extension_cb cb, void *data);
583
584/* The following methods can be used in the callbacks. */
585int TS_RESP_CTX_set_status_info(TS_RESP_CTX *ctx,
586 int status, const char *text);
587
588/* Sets the status info only if it is still TS_STATUS_GRANTED. */
589int TS_RESP_CTX_set_status_info_cond(TS_RESP_CTX *ctx,
590 int status, const char *text);
591
592int TS_RESP_CTX_add_failure_info(TS_RESP_CTX *ctx, int failure);
593
594/* The get methods below can be used in the extension callback. */
595TS_REQ *TS_RESP_CTX_get_request(TS_RESP_CTX *ctx);
596
597TS_TST_INFO *TS_RESP_CTX_get_tst_info(TS_RESP_CTX *ctx);
598
599/*
600 * Creates the signed TS_TST_INFO and puts it in TS_RESP.
601 * In case of errors it sets the status info properly.
602 * Returns NULL only in case of memory allocation/fatal error.
603 */
604TS_RESP *TS_RESP_create_response(TS_RESP_CTX *ctx, BIO *req_bio);
605
606/*
607 * Declarations related to response verification,
608 * they are defined in ts/ts_resp_verify.c.
609 */
610
611int TS_RESP_verify_signature(PKCS7 *token, STACK_OF(X509) *certs,
612 X509_STORE *store, X509 **signer_out);
613
614/* Context structure for the generic verify method. */
615
616/* Verify the signer's certificate and the signature of the response. */
617#define TS_VFY_SIGNATURE (1u << 0)
618/* Verify the version number of the response. */
619#define TS_VFY_VERSION (1u << 1)
620/* Verify if the policy supplied by the user matches the policy of the TSA. */
621#define TS_VFY_POLICY (1u << 2)
622/* Verify the message imprint provided by the user. This flag should not be
623 specified with TS_VFY_DATA. */
624#define TS_VFY_IMPRINT (1u << 3)
625/* Verify the message imprint computed by the verify method from the user
626 provided data and the MD algorithm of the response. This flag should not be
627 specified with TS_VFY_IMPRINT. */
628#define TS_VFY_DATA (1u << 4)
629/* Verify the nonce value. */
630#define TS_VFY_NONCE (1u << 5)
631/* Verify if the TSA name field matches the signer certificate. */
632#define TS_VFY_SIGNER (1u << 6)
633/* Verify if the TSA name field equals to the user provided name. */
634#define TS_VFY_TSA_NAME (1u << 7)
635
636/* You can use the following convenience constants. */
637#define TS_VFY_ALL_IMPRINT (TS_VFY_SIGNATURE \
638 | TS_VFY_VERSION \
639 | TS_VFY_POLICY \
640 | TS_VFY_IMPRINT \
641 | TS_VFY_NONCE \
642 | TS_VFY_SIGNER \
643 | TS_VFY_TSA_NAME)
644#define TS_VFY_ALL_DATA (TS_VFY_SIGNATURE \
645 | TS_VFY_VERSION \
646 | TS_VFY_POLICY \
647 | TS_VFY_DATA \
648 | TS_VFY_NONCE \
649 | TS_VFY_SIGNER \
650 | TS_VFY_TSA_NAME)
651
652typedef struct TS_verify_ctx
653 {
654 /* Set this to the union of TS_VFY_... flags you want to carry out. */
655 unsigned flags;
656
657 /* Must be set only with TS_VFY_SIGNATURE. certs is optional. */
658 X509_STORE *store;
659 STACK_OF(X509) *certs;
660
661 /* Must be set only with TS_VFY_POLICY. */
662 ASN1_OBJECT *policy;
663
664 /* Must be set only with TS_VFY_IMPRINT. If md_alg is NULL,
665 the algorithm from the response is used. */
666 X509_ALGOR *md_alg;
667 unsigned char *imprint;
668 unsigned imprint_len;
669
670 /* Must be set only with TS_VFY_DATA. */
671 BIO *data;
672
673 /* Must be set only with TS_VFY_TSA_NAME. */
674 ASN1_INTEGER *nonce;
675
676 /* Must be set only with TS_VFY_TSA_NAME. */
677 GENERAL_NAME *tsa_name;
678 } TS_VERIFY_CTX;
679
680int TS_RESP_verify_response(TS_VERIFY_CTX *ctx, TS_RESP *response);
681int TS_RESP_verify_token(TS_VERIFY_CTX *ctx, PKCS7 *token);
682
683/*
684 * Declarations related to response verification context,
685 * they are defined in ts/ts_verify_ctx.c.
686 */
687
688/* Set all fields to zero. */
689TS_VERIFY_CTX *TS_VERIFY_CTX_new(void);
690void TS_VERIFY_CTX_init(TS_VERIFY_CTX *ctx);
691void TS_VERIFY_CTX_free(TS_VERIFY_CTX *ctx);
692void TS_VERIFY_CTX_cleanup(TS_VERIFY_CTX *ctx);
693
694/*
695 * If ctx is NULL, it allocates and returns a new object, otherwise
696 * it returns ctx. It initialises all the members as follows:
697 * flags = TS_VFY_ALL_IMPRINT & ~(TS_VFY_TSA_NAME | TS_VFY_SIGNATURE)
698 * certs = NULL
699 * store = NULL
700 * policy = policy from the request or NULL if absent (in this case
701 * TS_VFY_POLICY is cleared from flags as well)
702 * md_alg = MD algorithm from request
703 * imprint, imprint_len = imprint from request
704 * data = NULL
705 * nonce, nonce_len = nonce from the request or NULL if absent (in this case
706 * TS_VFY_NONCE is cleared from flags as well)
707 * tsa_name = NULL
708 * Important: after calling this method TS_VFY_SIGNATURE should be added!
709 */
710TS_VERIFY_CTX *TS_REQ_to_TS_VERIFY_CTX(TS_REQ *req, TS_VERIFY_CTX *ctx);
711
712/* Function declarations for TS_RESP defined in ts/ts_resp_print.c */
713
714int TS_RESP_print_bio(BIO *bio, TS_RESP *a);
715int TS_STATUS_INFO_print_bio(BIO *bio, TS_STATUS_INFO *a);
716int TS_TST_INFO_print_bio(BIO *bio, TS_TST_INFO *a);
717
718/* Common utility functions defined in ts/ts_lib.c */
719
720int TS_ASN1_INTEGER_print_bio(BIO *bio, const ASN1_INTEGER *num);
721int TS_OBJ_print_bio(BIO *bio, const ASN1_OBJECT *obj);
722int TS_ext_print_bio(BIO *bio, const STACK_OF(X509_EXTENSION) *extensions);
723int TS_X509_ALGOR_print_bio(BIO *bio, const X509_ALGOR *alg);
724int TS_MSG_IMPRINT_print_bio(BIO *bio, TS_MSG_IMPRINT *msg);
725
726/* Function declarations for handling configuration options,
727 defined in ts/ts_conf.c */
728
729X509 *TS_CONF_load_cert(const char *file);
730STACK_OF(X509) *TS_CONF_load_certs(const char *file);
731EVP_PKEY *TS_CONF_load_key(const char *file, const char *pass);
732const char *TS_CONF_get_tsa_section(CONF *conf, const char *section);
733int TS_CONF_set_serial(CONF *conf, const char *section, TS_serial_cb cb,
734 TS_RESP_CTX *ctx);
735int TS_CONF_set_crypto_device(CONF *conf, const char *section,
736 const char *device);
737int TS_CONF_set_default_engine(const char *name);
738int TS_CONF_set_signer_cert(CONF *conf, const char *section,
739 const char *cert, TS_RESP_CTX *ctx);
740int TS_CONF_set_certs(CONF *conf, const char *section, const char *certs,
741 TS_RESP_CTX *ctx);
742int TS_CONF_set_signer_key(CONF *conf, const char *section,
743 const char *key, const char *pass, TS_RESP_CTX *ctx);
744int TS_CONF_set_def_policy(CONF *conf, const char *section,
745 const char *policy, TS_RESP_CTX *ctx);
746int TS_CONF_set_policies(CONF *conf, const char *section, TS_RESP_CTX *ctx);
747int TS_CONF_set_digests(CONF *conf, const char *section, TS_RESP_CTX *ctx);
748int TS_CONF_set_accuracy(CONF *conf, const char *section, TS_RESP_CTX *ctx);
749int TS_CONF_set_clock_precision_digits(CONF *conf, const char *section,
750 TS_RESP_CTX *ctx);
751int TS_CONF_set_ordering(CONF *conf, const char *section, TS_RESP_CTX *ctx);
752int TS_CONF_set_tsa_name(CONF *conf, const char *section, TS_RESP_CTX *ctx);
753int TS_CONF_set_ess_cert_id_chain(CONF *conf, const char *section,
754 TS_RESP_CTX *ctx);
755
756/* -------------------------------------------------- */
757/* BEGIN ERROR CODES */
758/* The following lines are auto generated by the script mkerr.pl. Any changes
759 * made after this point may be overwritten when the script is next run.
760 */
761void ERR_load_TS_strings(void);
762
763/* Error codes for the TS functions. */
764
765/* Function codes. */
766#define TS_F_D2I_TS_RESP 147
767#define TS_F_DEF_SERIAL_CB 110
768#define TS_F_DEF_TIME_CB 111
769#define TS_F_ESS_ADD_SIGNING_CERT 112
770#define TS_F_ESS_CERT_ID_NEW_INIT 113
771#define TS_F_ESS_SIGNING_CERT_NEW_INIT 114
772#define TS_F_INT_TS_RESP_VERIFY_TOKEN 149
773#define TS_F_PKCS7_TO_TS_TST_INFO 148
774#define TS_F_TS_ACCURACY_SET_MICROS 115
775#define TS_F_TS_ACCURACY_SET_MILLIS 116
776#define TS_F_TS_ACCURACY_SET_SECONDS 117
777#define TS_F_TS_CHECK_IMPRINTS 100
778#define TS_F_TS_CHECK_NONCES 101
779#define TS_F_TS_CHECK_POLICY 102
780#define TS_F_TS_CHECK_SIGNING_CERTS 103
781#define TS_F_TS_CHECK_STATUS_INFO 104
782#define TS_F_TS_COMPUTE_IMPRINT 145
783#define TS_F_TS_CONF_SET_DEFAULT_ENGINE 146
784#define TS_F_TS_GET_STATUS_TEXT 105
785#define TS_F_TS_MSG_IMPRINT_SET_ALGO 118
786#define TS_F_TS_REQ_SET_MSG_IMPRINT 119
787#define TS_F_TS_REQ_SET_NONCE 120
788#define TS_F_TS_REQ_SET_POLICY_ID 121
789#define TS_F_TS_RESP_CREATE_RESPONSE 122
790#define TS_F_TS_RESP_CREATE_TST_INFO 123
791#define TS_F_TS_RESP_CTX_ADD_FAILURE_INFO 124
792#define TS_F_TS_RESP_CTX_ADD_MD 125
793#define TS_F_TS_RESP_CTX_ADD_POLICY 126
794#define TS_F_TS_RESP_CTX_NEW 127
795#define TS_F_TS_RESP_CTX_SET_ACCURACY 128
796#define TS_F_TS_RESP_CTX_SET_CERTS 129
797#define TS_F_TS_RESP_CTX_SET_DEF_POLICY 130
798#define TS_F_TS_RESP_CTX_SET_SIGNER_CERT 131
799#define TS_F_TS_RESP_CTX_SET_STATUS_INFO 132
800#define TS_F_TS_RESP_GET_POLICY 133
801#define TS_F_TS_RESP_SET_GENTIME_WITH_PRECISION 134
802#define TS_F_TS_RESP_SET_STATUS_INFO 135
803#define TS_F_TS_RESP_SET_TST_INFO 150
804#define TS_F_TS_RESP_SIGN 136
805#define TS_F_TS_RESP_VERIFY_SIGNATURE 106
806#define TS_F_TS_RESP_VERIFY_TOKEN 107
807#define TS_F_TS_TST_INFO_SET_ACCURACY 137
808#define TS_F_TS_TST_INFO_SET_MSG_IMPRINT 138
809#define TS_F_TS_TST_INFO_SET_NONCE 139
810#define TS_F_TS_TST_INFO_SET_POLICY_ID 140
811#define TS_F_TS_TST_INFO_SET_SERIAL 141
812#define TS_F_TS_TST_INFO_SET_TIME 142
813#define TS_F_TS_TST_INFO_SET_TSA 143
814#define TS_F_TS_VERIFY 108
815#define TS_F_TS_VERIFY_CERT 109
816#define TS_F_TS_VERIFY_CTX_NEW 144
817
818/* Reason codes. */
819#define TS_R_BAD_PKCS7_TYPE 132
820#define TS_R_BAD_TYPE 133
821#define TS_R_CERTIFICATE_VERIFY_ERROR 100
822#define TS_R_COULD_NOT_SET_ENGINE 127
823#define TS_R_COULD_NOT_SET_TIME 115
824#define TS_R_D2I_TS_RESP_INT_FAILED 128
825#define TS_R_DETACHED_CONTENT 134
826#define TS_R_ESS_ADD_SIGNING_CERT_ERROR 116
827#define TS_R_ESS_SIGNING_CERTIFICATE_ERROR 101
828#define TS_R_INVALID_NULL_POINTER 102
829#define TS_R_INVALID_SIGNER_CERTIFICATE_PURPOSE 117
830#define TS_R_MESSAGE_IMPRINT_MISMATCH 103
831#define TS_R_NONCE_MISMATCH 104
832#define TS_R_NONCE_NOT_RETURNED 105
833#define TS_R_NO_CONTENT 106
834#define TS_R_NO_TIME_STAMP_TOKEN 107
835#define TS_R_PKCS7_ADD_SIGNATURE_ERROR 118
836#define TS_R_PKCS7_ADD_SIGNED_ATTR_ERROR 119
837#define TS_R_PKCS7_TO_TS_TST_INFO_FAILED 129
838#define TS_R_POLICY_MISMATCH 108
839#define TS_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE 120
840#define TS_R_RESPONSE_SETUP_ERROR 121
841#define TS_R_SIGNATURE_FAILURE 109
842#define TS_R_THERE_MUST_BE_ONE_SIGNER 110
843#define TS_R_TIME_SYSCALL_ERROR 122
844#define TS_R_TOKEN_NOT_PRESENT 130
845#define TS_R_TOKEN_PRESENT 131
846#define TS_R_TSA_NAME_MISMATCH 111
847#define TS_R_TSA_UNTRUSTED 112
848#define TS_R_TST_INFO_SETUP_ERROR 123
849#define TS_R_TS_DATASIGN 124
850#define TS_R_UNACCEPTABLE_POLICY 125
851#define TS_R_UNSUPPORTED_MD_ALGORITHM 126
852#define TS_R_UNSUPPORTED_VERSION 113
853#define TS_R_WRONG_CONTENT_TYPE 114
854
855#ifdef __cplusplus
856}
857#endif
858#endif
diff --git a/src/lib/libcrypto/ts/ts_asn1.c b/src/lib/libcrypto/ts/ts_asn1.c
deleted file mode 100644
index 40b730c5e2..0000000000
--- a/src/lib/libcrypto/ts/ts_asn1.c
+++ /dev/null
@@ -1,322 +0,0 @@
1/* crypto/ts/ts_asn1.c */
2/* Written by Nils Larsch for the OpenSSL project 2004.
3 */
4/* ====================================================================
5 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 *
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 *
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in
16 * the documentation and/or other materials provided with the
17 * distribution.
18 *
19 * 3. All advertising materials mentioning features or use of this
20 * software must display the following acknowledgment:
21 * "This product includes software developed by the OpenSSL Project
22 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
23 *
24 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
25 * endorse or promote products derived from this software without
26 * prior written permission. For written permission, please contact
27 * licensing@OpenSSL.org.
28 *
29 * 5. Products derived from this software may not be called "OpenSSL"
30 * nor may "OpenSSL" appear in their names without prior written
31 * permission of the OpenSSL Project.
32 *
33 * 6. Redistributions of any form whatsoever must retain the following
34 * acknowledgment:
35 * "This product includes software developed by the OpenSSL Project
36 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
37 *
38 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
39 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
40 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
41 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
42 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
43 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
44 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
45 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
46 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
47 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
48 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
49 * OF THE POSSIBILITY OF SUCH DAMAGE.
50 * ====================================================================
51 *
52 * This product includes cryptographic software written by Eric Young
53 * (eay@cryptsoft.com). This product includes software written by Tim
54 * Hudson (tjh@cryptsoft.com).
55 *
56 */
57
58#include <openssl/ts.h>
59#include <openssl/err.h>
60#include <openssl/asn1t.h>
61
62ASN1_SEQUENCE(TS_MSG_IMPRINT) = {
63 ASN1_SIMPLE(TS_MSG_IMPRINT, hash_algo, X509_ALGOR),
64 ASN1_SIMPLE(TS_MSG_IMPRINT, hashed_msg, ASN1_OCTET_STRING)
65} ASN1_SEQUENCE_END(TS_MSG_IMPRINT)
66
67IMPLEMENT_ASN1_FUNCTIONS_const(TS_MSG_IMPRINT)
68IMPLEMENT_ASN1_DUP_FUNCTION(TS_MSG_IMPRINT)
69#ifndef OPENSSL_NO_BIO
70TS_MSG_IMPRINT *d2i_TS_MSG_IMPRINT_bio(BIO *bp, TS_MSG_IMPRINT **a)
71 {
72 return ASN1_d2i_bio_of(TS_MSG_IMPRINT, TS_MSG_IMPRINT_new, d2i_TS_MSG_IMPRINT, bp, a);
73 }
74
75int i2d_TS_MSG_IMPRINT_bio(BIO *bp, TS_MSG_IMPRINT *a)
76{
77 return ASN1_i2d_bio_of_const(TS_MSG_IMPRINT, i2d_TS_MSG_IMPRINT, bp, a);
78}
79#endif
80#ifndef OPENSSL_NO_FP_API
81TS_MSG_IMPRINT *d2i_TS_MSG_IMPRINT_fp(FILE *fp, TS_MSG_IMPRINT **a)
82 {
83 return ASN1_d2i_fp_of(TS_MSG_IMPRINT, TS_MSG_IMPRINT_new, d2i_TS_MSG_IMPRINT, fp, a);
84 }
85
86int i2d_TS_MSG_IMPRINT_fp(FILE *fp, TS_MSG_IMPRINT *a)
87 {
88 return ASN1_i2d_fp_of_const(TS_MSG_IMPRINT, i2d_TS_MSG_IMPRINT, fp, a);
89 }
90#endif
91
92ASN1_SEQUENCE(TS_REQ) = {
93 ASN1_SIMPLE(TS_REQ, version, ASN1_INTEGER),
94 ASN1_SIMPLE(TS_REQ, msg_imprint, TS_MSG_IMPRINT),
95 ASN1_OPT(TS_REQ, policy_id, ASN1_OBJECT),
96 ASN1_OPT(TS_REQ, nonce, ASN1_INTEGER),
97 ASN1_OPT(TS_REQ, cert_req, ASN1_FBOOLEAN),
98 ASN1_IMP_SEQUENCE_OF_OPT(TS_REQ, extensions, X509_EXTENSION, 0)
99} ASN1_SEQUENCE_END(TS_REQ)
100
101IMPLEMENT_ASN1_FUNCTIONS_const(TS_REQ)
102IMPLEMENT_ASN1_DUP_FUNCTION(TS_REQ)
103#ifndef OPENSSL_NO_BIO
104TS_REQ *d2i_TS_REQ_bio(BIO *bp, TS_REQ **a)
105 {
106 return ASN1_d2i_bio_of(TS_REQ, TS_REQ_new, d2i_TS_REQ, bp, a);
107 }
108
109int i2d_TS_REQ_bio(BIO *bp, TS_REQ *a)
110 {
111 return ASN1_i2d_bio_of_const(TS_REQ, i2d_TS_REQ, bp, a);
112 }
113#endif
114#ifndef OPENSSL_NO_FP_API
115TS_REQ *d2i_TS_REQ_fp(FILE *fp, TS_REQ **a)
116 {
117 return ASN1_d2i_fp_of(TS_REQ, TS_REQ_new, d2i_TS_REQ, fp, a);
118 }
119
120int i2d_TS_REQ_fp(FILE *fp, TS_REQ *a)
121 {
122 return ASN1_i2d_fp_of_const(TS_REQ, i2d_TS_REQ, fp, a);
123 }
124#endif
125
126ASN1_SEQUENCE(TS_ACCURACY) = {
127 ASN1_OPT(TS_ACCURACY, seconds, ASN1_INTEGER),
128 ASN1_IMP_OPT(TS_ACCURACY, millis, ASN1_INTEGER, 0),
129 ASN1_IMP_OPT(TS_ACCURACY, micros, ASN1_INTEGER, 1)
130} ASN1_SEQUENCE_END(TS_ACCURACY)
131
132IMPLEMENT_ASN1_FUNCTIONS_const(TS_ACCURACY)
133IMPLEMENT_ASN1_DUP_FUNCTION(TS_ACCURACY)
134
135ASN1_SEQUENCE(TS_TST_INFO) = {
136 ASN1_SIMPLE(TS_TST_INFO, version, ASN1_INTEGER),
137 ASN1_SIMPLE(TS_TST_INFO, policy_id, ASN1_OBJECT),
138 ASN1_SIMPLE(TS_TST_INFO, msg_imprint, TS_MSG_IMPRINT),
139 ASN1_SIMPLE(TS_TST_INFO, serial, ASN1_INTEGER),
140 ASN1_SIMPLE(TS_TST_INFO, time, ASN1_GENERALIZEDTIME),
141 ASN1_OPT(TS_TST_INFO, accuracy, TS_ACCURACY),
142 ASN1_OPT(TS_TST_INFO, ordering, ASN1_FBOOLEAN),
143 ASN1_OPT(TS_TST_INFO, nonce, ASN1_INTEGER),
144 ASN1_EXP_OPT(TS_TST_INFO, tsa, GENERAL_NAME, 0),
145 ASN1_IMP_SEQUENCE_OF_OPT(TS_TST_INFO, extensions, X509_EXTENSION, 1)
146} ASN1_SEQUENCE_END(TS_TST_INFO)
147
148IMPLEMENT_ASN1_FUNCTIONS_const(TS_TST_INFO)
149IMPLEMENT_ASN1_DUP_FUNCTION(TS_TST_INFO)
150#ifndef OPENSSL_NO_BIO
151TS_TST_INFO *d2i_TS_TST_INFO_bio(BIO *bp, TS_TST_INFO **a)
152 {
153 return ASN1_d2i_bio_of(TS_TST_INFO, TS_TST_INFO_new, d2i_TS_TST_INFO, bp, a);
154 }
155
156int i2d_TS_TST_INFO_bio(BIO *bp, TS_TST_INFO *a)
157 {
158 return ASN1_i2d_bio_of_const(TS_TST_INFO, i2d_TS_TST_INFO, bp, a);
159 }
160#endif
161#ifndef OPENSSL_NO_FP_API
162TS_TST_INFO *d2i_TS_TST_INFO_fp(FILE *fp, TS_TST_INFO **a)
163 {
164 return ASN1_d2i_fp_of(TS_TST_INFO, TS_TST_INFO_new, d2i_TS_TST_INFO, fp, a);
165 }
166
167int i2d_TS_TST_INFO_fp(FILE *fp, TS_TST_INFO *a)
168 {
169 return ASN1_i2d_fp_of_const(TS_TST_INFO, i2d_TS_TST_INFO, fp, a);
170 }
171#endif
172
173ASN1_SEQUENCE(TS_STATUS_INFO) = {
174 ASN1_SIMPLE(TS_STATUS_INFO, status, ASN1_INTEGER),
175 ASN1_SEQUENCE_OF_OPT(TS_STATUS_INFO, text, ASN1_UTF8STRING),
176 ASN1_OPT(TS_STATUS_INFO, failure_info, ASN1_BIT_STRING)
177} ASN1_SEQUENCE_END(TS_STATUS_INFO)
178
179IMPLEMENT_ASN1_FUNCTIONS_const(TS_STATUS_INFO)
180IMPLEMENT_ASN1_DUP_FUNCTION(TS_STATUS_INFO)
181
182static int ts_resp_set_tst_info(TS_RESP *a)
183{
184 long status;
185
186 status = ASN1_INTEGER_get(a->status_info->status);
187
188 if (a->token) {
189 if (status != 0 && status != 1) {
190 TSerr(TS_F_TS_RESP_SET_TST_INFO, TS_R_TOKEN_PRESENT);
191 return 0;
192 }
193 if (a->tst_info != NULL)
194 TS_TST_INFO_free(a->tst_info);
195 a->tst_info = PKCS7_to_TS_TST_INFO(a->token);
196 if (!a->tst_info) {
197 TSerr(TS_F_TS_RESP_SET_TST_INFO, TS_R_PKCS7_TO_TS_TST_INFO_FAILED);
198 return 0;
199 }
200 } else if (status == 0 || status == 1) {
201 TSerr(TS_F_TS_RESP_SET_TST_INFO, TS_R_TOKEN_NOT_PRESENT);
202 return 0;
203 }
204
205 return 1;
206}
207
208static int ts_resp_cb(int op, ASN1_VALUE **pval, const ASN1_ITEM *it,
209 void *exarg)
210{
211 TS_RESP *ts_resp = (TS_RESP *)*pval;
212 if (op == ASN1_OP_NEW_POST) {
213 ts_resp->tst_info = NULL;
214 } else if (op == ASN1_OP_FREE_POST) {
215 if (ts_resp->tst_info != NULL)
216 TS_TST_INFO_free(ts_resp->tst_info);
217 } else if (op == ASN1_OP_D2I_POST) {
218 if (ts_resp_set_tst_info(ts_resp) == 0)
219 return 0;
220 }
221 return 1;
222}
223
224ASN1_SEQUENCE_cb(TS_RESP, ts_resp_cb) = {
225 ASN1_SIMPLE(TS_RESP, status_info, TS_STATUS_INFO),
226 ASN1_OPT(TS_RESP, token, PKCS7),
227} ASN1_SEQUENCE_END_cb(TS_RESP, TS_RESP)
228
229IMPLEMENT_ASN1_FUNCTIONS_const(TS_RESP)
230IMPLEMENT_ASN1_DUP_FUNCTION(TS_RESP)
231#ifndef OPENSSL_NO_BIO
232TS_RESP *d2i_TS_RESP_bio(BIO *bp, TS_RESP **a)
233 {
234 return ASN1_d2i_bio_of(TS_RESP, TS_RESP_new, d2i_TS_RESP, bp, a);
235 }
236
237int i2d_TS_RESP_bio(BIO *bp, TS_RESP *a)
238 {
239 return ASN1_i2d_bio_of_const(TS_RESP, i2d_TS_RESP, bp, a);
240 }
241#endif
242#ifndef OPENSSL_NO_FP_API
243TS_RESP *d2i_TS_RESP_fp(FILE *fp, TS_RESP **a)
244 {
245 return ASN1_d2i_fp_of(TS_RESP, TS_RESP_new, d2i_TS_RESP, fp, a);
246 }
247
248int i2d_TS_RESP_fp(FILE *fp, TS_RESP *a)
249 {
250 return ASN1_i2d_fp_of_const(TS_RESP, i2d_TS_RESP, fp, a);
251 }
252#endif
253
254ASN1_SEQUENCE(ESS_ISSUER_SERIAL) = {
255 ASN1_SEQUENCE_OF(ESS_ISSUER_SERIAL, issuer, GENERAL_NAME),
256 ASN1_SIMPLE(ESS_ISSUER_SERIAL, serial, ASN1_INTEGER)
257} ASN1_SEQUENCE_END(ESS_ISSUER_SERIAL)
258
259IMPLEMENT_ASN1_FUNCTIONS_const(ESS_ISSUER_SERIAL)
260IMPLEMENT_ASN1_DUP_FUNCTION(ESS_ISSUER_SERIAL)
261
262ASN1_SEQUENCE(ESS_CERT_ID) = {
263 ASN1_SIMPLE(ESS_CERT_ID, hash, ASN1_OCTET_STRING),
264 ASN1_OPT(ESS_CERT_ID, issuer_serial, ESS_ISSUER_SERIAL)
265} ASN1_SEQUENCE_END(ESS_CERT_ID)
266
267IMPLEMENT_ASN1_FUNCTIONS_const(ESS_CERT_ID)
268IMPLEMENT_ASN1_DUP_FUNCTION(ESS_CERT_ID)
269
270ASN1_SEQUENCE(ESS_SIGNING_CERT) = {
271 ASN1_SEQUENCE_OF(ESS_SIGNING_CERT, cert_ids, ESS_CERT_ID),
272 ASN1_SEQUENCE_OF_OPT(ESS_SIGNING_CERT, policy_info, POLICYINFO)
273} ASN1_SEQUENCE_END(ESS_SIGNING_CERT)
274
275IMPLEMENT_ASN1_FUNCTIONS_const(ESS_SIGNING_CERT)
276IMPLEMENT_ASN1_DUP_FUNCTION(ESS_SIGNING_CERT)
277
278/* Getting encapsulated TS_TST_INFO object from PKCS7. */
279TS_TST_INFO *PKCS7_to_TS_TST_INFO(PKCS7 *token)
280{
281 PKCS7_SIGNED *pkcs7_signed;
282 PKCS7 *enveloped;
283 ASN1_TYPE *tst_info_wrapper;
284 ASN1_OCTET_STRING *tst_info_der;
285 const unsigned char *p;
286
287 if (!PKCS7_type_is_signed(token))
288 {
289 TSerr(TS_F_PKCS7_TO_TS_TST_INFO, TS_R_BAD_PKCS7_TYPE);
290 return NULL;
291 }
292
293 /* Content must be present. */
294 if (PKCS7_get_detached(token))
295 {
296 TSerr(TS_F_PKCS7_TO_TS_TST_INFO, TS_R_DETACHED_CONTENT);
297 return NULL;
298 }
299
300 /* We have a signed data with content. */
301 pkcs7_signed = token->d.sign;
302 enveloped = pkcs7_signed->contents;
303 if (OBJ_obj2nid(enveloped->type) != NID_id_smime_ct_TSTInfo)
304 {
305 TSerr(TS_F_PKCS7_TO_TS_TST_INFO, TS_R_BAD_PKCS7_TYPE);
306 return NULL;
307 }
308
309 /* We have a DER encoded TST_INFO as the signed data. */
310 tst_info_wrapper = enveloped->d.other;
311 if (tst_info_wrapper->type != V_ASN1_OCTET_STRING)
312 {
313 TSerr(TS_F_PKCS7_TO_TS_TST_INFO, TS_R_BAD_TYPE);
314 return NULL;
315 }
316
317 /* We have the correct ASN1_OCTET_STRING type. */
318 tst_info_der = tst_info_wrapper->value.octet_string;
319 /* At last, decode the TST_INFO. */
320 p = tst_info_der->data;
321 return d2i_TS_TST_INFO(NULL, &p, tst_info_der->length);
322}
diff --git a/src/lib/libcrypto/ts/ts_conf.c b/src/lib/libcrypto/ts/ts_conf.c
deleted file mode 100644
index c39be76f28..0000000000
--- a/src/lib/libcrypto/ts/ts_conf.c
+++ /dev/null
@@ -1,507 +0,0 @@
1/* crypto/ts/ts_conf.c */
2/* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
3 * project 2002.
4 */
5/* ====================================================================
6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <string.h>
60
61#include <openssl/crypto.h>
62#include "cryptlib.h"
63#include <openssl/pem.h>
64#ifndef OPENSSL_NO_ENGINE
65#include <openssl/engine.h>
66#endif
67#include <openssl/ts.h>
68
69/* Macro definitions for the configuration file. */
70
71#define BASE_SECTION "tsa"
72#define ENV_DEFAULT_TSA "default_tsa"
73#define ENV_SERIAL "serial"
74#define ENV_CRYPTO_DEVICE "crypto_device"
75#define ENV_SIGNER_CERT "signer_cert"
76#define ENV_CERTS "certs"
77#define ENV_SIGNER_KEY "signer_key"
78#define ENV_DEFAULT_POLICY "default_policy"
79#define ENV_OTHER_POLICIES "other_policies"
80#define ENV_DIGESTS "digests"
81#define ENV_ACCURACY "accuracy"
82#define ENV_ORDERING "ordering"
83#define ENV_TSA_NAME "tsa_name"
84#define ENV_ESS_CERT_ID_CHAIN "ess_cert_id_chain"
85#define ENV_VALUE_SECS "secs"
86#define ENV_VALUE_MILLISECS "millisecs"
87#define ENV_VALUE_MICROSECS "microsecs"
88#define ENV_CLOCK_PRECISION_DIGITS "clock_precision_digits"
89#define ENV_VALUE_YES "yes"
90#define ENV_VALUE_NO "no"
91
92/* Function definitions for certificate and key loading. */
93
94X509 *TS_CONF_load_cert(const char *file)
95 {
96 BIO *cert = NULL;
97 X509 *x = NULL;
98
99 if ((cert = BIO_new_file(file, "r")) == NULL) goto end;
100 x = PEM_read_bio_X509_AUX(cert, NULL, NULL, NULL);
101end:
102 if (x == NULL)
103 fprintf(stderr, "unable to load certificate: %s\n", file);
104 BIO_free(cert);
105 return x;
106 }
107
108STACK_OF(X509) *TS_CONF_load_certs(const char *file)
109 {
110 BIO *certs = NULL;
111 STACK_OF(X509) *othercerts = NULL;
112 STACK_OF(X509_INFO) *allcerts = NULL;
113 int i;
114
115 if (!(certs = BIO_new_file(file, "r"))) goto end;
116
117 if (!(othercerts = sk_X509_new_null())) goto end;
118 allcerts = PEM_X509_INFO_read_bio(certs, NULL, NULL, NULL);
119 for(i = 0; i < sk_X509_INFO_num(allcerts); i++)
120 {
121 X509_INFO *xi = sk_X509_INFO_value(allcerts, i);
122 if (xi->x509)
123 {
124 sk_X509_push(othercerts, xi->x509);
125 xi->x509 = NULL;
126 }
127 }
128end:
129 if (othercerts == NULL)
130 fprintf(stderr, "unable to load certificates: %s\n", file);
131 sk_X509_INFO_pop_free(allcerts, X509_INFO_free);
132 BIO_free(certs);
133 return othercerts;
134 }
135
136EVP_PKEY *TS_CONF_load_key(const char *file, const char *pass)
137 {
138 BIO *key = NULL;
139 EVP_PKEY *pkey = NULL;
140
141 if (!(key = BIO_new_file(file, "r"))) goto end;
142 pkey = PEM_read_bio_PrivateKey(key, NULL, NULL, (char *) pass);
143 end:
144 if (pkey == NULL)
145 fprintf(stderr, "unable to load private key: %s\n", file);
146 BIO_free(key);
147 return pkey;
148 }
149
150/* Function definitions for handling configuration options. */
151
152static void TS_CONF_lookup_fail(const char *name, const char *tag)
153 {
154 fprintf(stderr, "variable lookup failed for %s::%s\n", name, tag);
155 }
156
157static void TS_CONF_invalid(const char *name, const char *tag)
158 {
159 fprintf(stderr, "invalid variable value for %s::%s\n", name, tag);
160 }
161
162const char *TS_CONF_get_tsa_section(CONF *conf, const char *section)
163 {
164 if (!section)
165 {
166 section = NCONF_get_string(conf, BASE_SECTION, ENV_DEFAULT_TSA);
167 if (!section)
168 TS_CONF_lookup_fail(BASE_SECTION, ENV_DEFAULT_TSA);
169 }
170 return section;
171 }
172
173int TS_CONF_set_serial(CONF *conf, const char *section, TS_serial_cb cb,
174 TS_RESP_CTX *ctx)
175 {
176 int ret = 0;
177 char *serial = NCONF_get_string(conf, section, ENV_SERIAL);
178 if (!serial)
179 {
180 TS_CONF_lookup_fail(section, ENV_SERIAL);
181 goto err;
182 }
183 TS_RESP_CTX_set_serial_cb(ctx, cb, serial);
184
185 ret = 1;
186 err:
187 return ret;
188 }
189
190#ifndef OPENSSL_NO_ENGINE
191
192int TS_CONF_set_crypto_device(CONF *conf, const char *section,
193 const char *device)
194 {
195 int ret = 0;
196
197 if (!device)
198 device = NCONF_get_string(conf, section,
199 ENV_CRYPTO_DEVICE);
200
201 if (device && !TS_CONF_set_default_engine(device))
202 {
203 TS_CONF_invalid(section, ENV_CRYPTO_DEVICE);
204 goto err;
205 }
206 ret = 1;
207 err:
208 return ret;
209 }
210
211int TS_CONF_set_default_engine(const char *name)
212 {
213 ENGINE *e = NULL;
214 int ret = 0;
215
216 /* Leave the default if builtin specified. */
217 if (strcmp(name, "builtin") == 0) return 1;
218
219 if (!(e = ENGINE_by_id(name))) goto err;
220 /* Enable the use of the NCipher HSM for forked children. */
221 if (strcmp(name, "chil") == 0)
222 ENGINE_ctrl(e, ENGINE_CTRL_CHIL_SET_FORKCHECK, 1, 0, 0);
223 /* All the operations are going to be carried out by the engine. */
224 if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) goto err;
225 ret = 1;
226 err:
227 if (!ret)
228 {
229 TSerr(TS_F_TS_CONF_SET_DEFAULT_ENGINE,
230 TS_R_COULD_NOT_SET_ENGINE);
231 ERR_add_error_data(2, "engine:", name);
232 }
233 if (e) ENGINE_free(e);
234 return ret;
235 }
236
237#endif
238
239int TS_CONF_set_signer_cert(CONF *conf, const char *section,
240 const char *cert, TS_RESP_CTX *ctx)
241 {
242 int ret = 0;
243 X509 *cert_obj = NULL;
244 if (!cert)
245 cert = NCONF_get_string(conf, section, ENV_SIGNER_CERT);
246 if (!cert)
247 {
248 TS_CONF_lookup_fail(section, ENV_SIGNER_CERT);
249 goto err;
250 }
251 if (!(cert_obj = TS_CONF_load_cert(cert)))
252 goto err;
253 if (!TS_RESP_CTX_set_signer_cert(ctx, cert_obj))
254 goto err;
255
256 ret = 1;
257 err:
258 X509_free(cert_obj);
259 return ret;
260 }
261
262int TS_CONF_set_certs(CONF *conf, const char *section, const char *certs,
263 TS_RESP_CTX *ctx)
264 {
265 int ret = 0;
266 STACK_OF(X509) *certs_obj = NULL;
267 if (!certs)
268 certs = NCONF_get_string(conf, section, ENV_CERTS);
269 /* Certificate chain is optional. */
270 if (!certs) goto end;
271 if (!(certs_obj = TS_CONF_load_certs(certs))) goto err;
272 if (!TS_RESP_CTX_set_certs(ctx, certs_obj)) goto err;
273 end:
274 ret = 1;
275 err:
276 sk_X509_pop_free(certs_obj, X509_free);
277 return ret;
278 }
279
280int TS_CONF_set_signer_key(CONF *conf, const char *section,
281 const char *key, const char *pass,
282 TS_RESP_CTX *ctx)
283 {
284 int ret = 0;
285 EVP_PKEY *key_obj = NULL;
286 if (!key)
287 key = NCONF_get_string(conf, section, ENV_SIGNER_KEY);
288 if (!key)
289 {
290 TS_CONF_lookup_fail(section, ENV_SIGNER_KEY);
291 goto err;
292 }
293 if (!(key_obj = TS_CONF_load_key(key, pass))) goto err;
294 if (!TS_RESP_CTX_set_signer_key(ctx, key_obj)) goto err;
295
296 ret = 1;
297 err:
298 EVP_PKEY_free(key_obj);
299 return ret;
300 }
301
302int TS_CONF_set_def_policy(CONF *conf, const char *section,
303 const char *policy, TS_RESP_CTX *ctx)
304 {
305 int ret = 0;
306 ASN1_OBJECT *policy_obj = NULL;
307 if (!policy)
308 policy = NCONF_get_string(conf, section,
309 ENV_DEFAULT_POLICY);
310 if (!policy)
311 {
312 TS_CONF_lookup_fail(section, ENV_DEFAULT_POLICY);
313 goto err;
314 }
315 if (!(policy_obj = OBJ_txt2obj(policy, 0)))
316 {
317 TS_CONF_invalid(section, ENV_DEFAULT_POLICY);
318 goto err;
319 }
320 if (!TS_RESP_CTX_set_def_policy(ctx, policy_obj))
321 goto err;
322
323 ret = 1;
324 err:
325 ASN1_OBJECT_free(policy_obj);
326 return ret;
327 }
328
329int TS_CONF_set_policies(CONF *conf, const char *section,
330 TS_RESP_CTX *ctx)
331 {
332 int ret = 0;
333 int i;
334 STACK_OF(CONF_VALUE) *list = NULL;
335 char *policies = NCONF_get_string(conf, section,
336 ENV_OTHER_POLICIES);
337 /* If no other policy is specified, that's fine. */
338 if (policies && !(list = X509V3_parse_list(policies)))
339 {
340 TS_CONF_invalid(section, ENV_OTHER_POLICIES);
341 goto err;
342 }
343 for (i = 0; i < sk_CONF_VALUE_num(list); ++i)
344 {
345 CONF_VALUE *val = sk_CONF_VALUE_value(list, i);
346 const char *extval = val->value ? val->value : val->name;
347 ASN1_OBJECT *objtmp;
348 if (!(objtmp = OBJ_txt2obj(extval, 0)))
349 {
350 TS_CONF_invalid(section, ENV_OTHER_POLICIES);
351 goto err;
352 }
353 if (!TS_RESP_CTX_add_policy(ctx, objtmp))
354 goto err;
355 ASN1_OBJECT_free(objtmp);
356 }
357
358 ret = 1;
359 err:
360 sk_CONF_VALUE_pop_free(list, X509V3_conf_free);
361 return ret;
362 }
363
364int TS_CONF_set_digests(CONF *conf, const char *section,
365 TS_RESP_CTX *ctx)
366 {
367 int ret = 0;
368 int i;
369 STACK_OF(CONF_VALUE) *list = NULL;
370 char *digests = NCONF_get_string(conf, section, ENV_DIGESTS);
371 if (!digests)
372 {
373 TS_CONF_lookup_fail(section, ENV_DIGESTS);
374 goto err;
375 }
376 if (!(list = X509V3_parse_list(digests)))
377 {
378 TS_CONF_invalid(section, ENV_DIGESTS);
379 goto err;
380 }
381 if (sk_CONF_VALUE_num(list) == 0)
382 {
383 TS_CONF_invalid(section, ENV_DIGESTS);
384 goto err;
385 }
386 for (i = 0; i < sk_CONF_VALUE_num(list); ++i)
387 {
388 CONF_VALUE *val = sk_CONF_VALUE_value(list, i);
389 const char *extval = val->value ? val->value : val->name;
390 const EVP_MD *md;
391 if (!(md = EVP_get_digestbyname(extval)))
392 {
393 TS_CONF_invalid(section, ENV_DIGESTS);
394 goto err;
395 }
396 if (!TS_RESP_CTX_add_md(ctx, md))
397 goto err;
398 }
399
400 ret = 1;
401 err:
402 sk_CONF_VALUE_pop_free(list, X509V3_conf_free);
403 return ret;
404 }
405
406int TS_CONF_set_accuracy(CONF *conf, const char *section, TS_RESP_CTX *ctx)
407 {
408 int ret = 0;
409 int i;
410 int secs = 0, millis = 0, micros = 0;
411 STACK_OF(CONF_VALUE) *list = NULL;
412 char *accuracy = NCONF_get_string(conf, section, ENV_ACCURACY);
413
414 if (accuracy && !(list = X509V3_parse_list(accuracy)))
415 {
416 TS_CONF_invalid(section, ENV_ACCURACY);
417 goto err;
418 }
419 for (i = 0; i < sk_CONF_VALUE_num(list); ++i)
420 {
421 CONF_VALUE *val = sk_CONF_VALUE_value(list, i);
422 if (strcmp(val->name, ENV_VALUE_SECS) == 0)
423 {
424 if (val->value) secs = atoi(val->value);
425 }
426 else if (strcmp(val->name, ENV_VALUE_MILLISECS) == 0)
427 {
428 if (val->value) millis = atoi(val->value);
429 }
430 else if (strcmp(val->name, ENV_VALUE_MICROSECS) == 0)
431 {
432 if (val->value) micros = atoi(val->value);
433 }
434 else
435 {
436 TS_CONF_invalid(section, ENV_ACCURACY);
437 goto err;
438 }
439 }
440 if (!TS_RESP_CTX_set_accuracy(ctx, secs, millis, micros))
441 goto err;
442
443 ret = 1;
444 err:
445 sk_CONF_VALUE_pop_free(list, X509V3_conf_free);
446 return ret;
447 }
448
449int TS_CONF_set_clock_precision_digits(CONF *conf, const char *section,
450 TS_RESP_CTX *ctx)
451 {
452 int ret = 0;
453 long digits = 0;
454
455 /* If not specified, set the default value to 0, i.e. sec precision */
456 if (!NCONF_get_number_e(conf, section, ENV_CLOCK_PRECISION_DIGITS,
457 &digits))
458 digits = 0;
459 if (digits < 0 || digits > TS_MAX_CLOCK_PRECISION_DIGITS)
460 {
461 TS_CONF_invalid(section, ENV_CLOCK_PRECISION_DIGITS);
462 goto err;
463 }
464
465 if (!TS_RESP_CTX_set_clock_precision_digits(ctx, digits))
466 goto err;
467
468 return 1;
469 err:
470 return ret;
471 }
472
473static int TS_CONF_add_flag(CONF *conf, const char *section, const char *field,
474 int flag, TS_RESP_CTX *ctx)
475 {
476 /* Default is false. */
477 const char *value = NCONF_get_string(conf, section, field);
478 if (value)
479 {
480 if (strcmp(value, ENV_VALUE_YES) == 0)
481 TS_RESP_CTX_add_flags(ctx, flag);
482 else if (strcmp(value, ENV_VALUE_NO) != 0)
483 {
484 TS_CONF_invalid(section, field);
485 return 0;
486 }
487 }
488
489 return 1;
490 }
491
492int TS_CONF_set_ordering(CONF *conf, const char *section, TS_RESP_CTX *ctx)
493 {
494 return TS_CONF_add_flag(conf, section, ENV_ORDERING, TS_ORDERING, ctx);
495 }
496
497int TS_CONF_set_tsa_name(CONF *conf, const char *section, TS_RESP_CTX *ctx)
498 {
499 return TS_CONF_add_flag(conf, section, ENV_TSA_NAME, TS_TSA_NAME, ctx);
500 }
501
502int TS_CONF_set_ess_cert_id_chain(CONF *conf, const char *section,
503 TS_RESP_CTX *ctx)
504 {
505 return TS_CONF_add_flag(conf, section, ENV_ESS_CERT_ID_CHAIN,
506 TS_ESS_CERT_ID_CHAIN, ctx);
507 }
diff --git a/src/lib/libcrypto/ts/ts_err.c b/src/lib/libcrypto/ts/ts_err.c
deleted file mode 100644
index a08b0ffa23..0000000000
--- a/src/lib/libcrypto/ts/ts_err.c
+++ /dev/null
@@ -1,179 +0,0 @@
1/* crypto/ts/ts_err.c */
2/* ====================================================================
3 * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 *
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in
14 * the documentation and/or other materials provided with the
15 * distribution.
16 *
17 * 3. All advertising materials mentioning features or use of this
18 * software must display the following acknowledgment:
19 * "This product includes software developed by the OpenSSL Project
20 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
21 *
22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23 * endorse or promote products derived from this software without
24 * prior written permission. For written permission, please contact
25 * openssl-core@OpenSSL.org.
26 *
27 * 5. Products derived from this software may not be called "OpenSSL"
28 * nor may "OpenSSL" appear in their names without prior written
29 * permission of the OpenSSL Project.
30 *
31 * 6. Redistributions of any form whatsoever must retain the following
32 * acknowledgment:
33 * "This product includes software developed by the OpenSSL Project
34 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
35 *
36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47 * OF THE POSSIBILITY OF SUCH DAMAGE.
48 * ====================================================================
49 *
50 * This product includes cryptographic software written by Eric Young
51 * (eay@cryptsoft.com). This product includes software written by Tim
52 * Hudson (tjh@cryptsoft.com).
53 *
54 */
55
56/* NOTE: this file was auto generated by the mkerr.pl script: any changes
57 * made to it will be overwritten when the script next updates this file,
58 * only reason strings will be preserved.
59 */
60
61#include <stdio.h>
62#include <openssl/err.h>
63#include <openssl/ts.h>
64
65/* BEGIN ERROR CODES */
66#ifndef OPENSSL_NO_ERR
67
68#define ERR_FUNC(func) ERR_PACK(ERR_LIB_TS,func,0)
69#define ERR_REASON(reason) ERR_PACK(ERR_LIB_TS,0,reason)
70
71static ERR_STRING_DATA TS_str_functs[]=
72 {
73{ERR_FUNC(TS_F_D2I_TS_RESP), "d2i_TS_RESP"},
74{ERR_FUNC(TS_F_DEF_SERIAL_CB), "DEF_SERIAL_CB"},
75{ERR_FUNC(TS_F_DEF_TIME_CB), "DEF_TIME_CB"},
76{ERR_FUNC(TS_F_ESS_ADD_SIGNING_CERT), "ESS_ADD_SIGNING_CERT"},
77{ERR_FUNC(TS_F_ESS_CERT_ID_NEW_INIT), "ESS_CERT_ID_NEW_INIT"},
78{ERR_FUNC(TS_F_ESS_SIGNING_CERT_NEW_INIT), "ESS_SIGNING_CERT_NEW_INIT"},
79{ERR_FUNC(TS_F_INT_TS_RESP_VERIFY_TOKEN), "INT_TS_RESP_VERIFY_TOKEN"},
80{ERR_FUNC(TS_F_PKCS7_TO_TS_TST_INFO), "PKCS7_to_TS_TST_INFO"},
81{ERR_FUNC(TS_F_TS_ACCURACY_SET_MICROS), "TS_ACCURACY_set_micros"},
82{ERR_FUNC(TS_F_TS_ACCURACY_SET_MILLIS), "TS_ACCURACY_set_millis"},
83{ERR_FUNC(TS_F_TS_ACCURACY_SET_SECONDS), "TS_ACCURACY_set_seconds"},
84{ERR_FUNC(TS_F_TS_CHECK_IMPRINTS), "TS_CHECK_IMPRINTS"},
85{ERR_FUNC(TS_F_TS_CHECK_NONCES), "TS_CHECK_NONCES"},
86{ERR_FUNC(TS_F_TS_CHECK_POLICY), "TS_CHECK_POLICY"},
87{ERR_FUNC(TS_F_TS_CHECK_SIGNING_CERTS), "TS_CHECK_SIGNING_CERTS"},
88{ERR_FUNC(TS_F_TS_CHECK_STATUS_INFO), "TS_CHECK_STATUS_INFO"},
89{ERR_FUNC(TS_F_TS_COMPUTE_IMPRINT), "TS_COMPUTE_IMPRINT"},
90{ERR_FUNC(TS_F_TS_CONF_SET_DEFAULT_ENGINE), "TS_CONF_set_default_engine"},
91{ERR_FUNC(TS_F_TS_GET_STATUS_TEXT), "TS_GET_STATUS_TEXT"},
92{ERR_FUNC(TS_F_TS_MSG_IMPRINT_SET_ALGO), "TS_MSG_IMPRINT_set_algo"},
93{ERR_FUNC(TS_F_TS_REQ_SET_MSG_IMPRINT), "TS_REQ_set_msg_imprint"},
94{ERR_FUNC(TS_F_TS_REQ_SET_NONCE), "TS_REQ_set_nonce"},
95{ERR_FUNC(TS_F_TS_REQ_SET_POLICY_ID), "TS_REQ_set_policy_id"},
96{ERR_FUNC(TS_F_TS_RESP_CREATE_RESPONSE), "TS_RESP_create_response"},
97{ERR_FUNC(TS_F_TS_RESP_CREATE_TST_INFO), "TS_RESP_CREATE_TST_INFO"},
98{ERR_FUNC(TS_F_TS_RESP_CTX_ADD_FAILURE_INFO), "TS_RESP_CTX_add_failure_info"},
99{ERR_FUNC(TS_F_TS_RESP_CTX_ADD_MD), "TS_RESP_CTX_add_md"},
100{ERR_FUNC(TS_F_TS_RESP_CTX_ADD_POLICY), "TS_RESP_CTX_add_policy"},
101{ERR_FUNC(TS_F_TS_RESP_CTX_NEW), "TS_RESP_CTX_new"},
102{ERR_FUNC(TS_F_TS_RESP_CTX_SET_ACCURACY), "TS_RESP_CTX_set_accuracy"},
103{ERR_FUNC(TS_F_TS_RESP_CTX_SET_CERTS), "TS_RESP_CTX_set_certs"},
104{ERR_FUNC(TS_F_TS_RESP_CTX_SET_DEF_POLICY), "TS_RESP_CTX_set_def_policy"},
105{ERR_FUNC(TS_F_TS_RESP_CTX_SET_SIGNER_CERT), "TS_RESP_CTX_set_signer_cert"},
106{ERR_FUNC(TS_F_TS_RESP_CTX_SET_STATUS_INFO), "TS_RESP_CTX_set_status_info"},
107{ERR_FUNC(TS_F_TS_RESP_GET_POLICY), "TS_RESP_GET_POLICY"},
108{ERR_FUNC(TS_F_TS_RESP_SET_GENTIME_WITH_PRECISION), "TS_RESP_SET_GENTIME_WITH_PRECISION"},
109{ERR_FUNC(TS_F_TS_RESP_SET_STATUS_INFO), "TS_RESP_set_status_info"},
110{ERR_FUNC(TS_F_TS_RESP_SET_TST_INFO), "TS_RESP_set_tst_info"},
111{ERR_FUNC(TS_F_TS_RESP_SIGN), "TS_RESP_SIGN"},
112{ERR_FUNC(TS_F_TS_RESP_VERIFY_SIGNATURE), "TS_RESP_verify_signature"},
113{ERR_FUNC(TS_F_TS_RESP_VERIFY_TOKEN), "TS_RESP_verify_token"},
114{ERR_FUNC(TS_F_TS_TST_INFO_SET_ACCURACY), "TS_TST_INFO_set_accuracy"},
115{ERR_FUNC(TS_F_TS_TST_INFO_SET_MSG_IMPRINT), "TS_TST_INFO_set_msg_imprint"},
116{ERR_FUNC(TS_F_TS_TST_INFO_SET_NONCE), "TS_TST_INFO_set_nonce"},
117{ERR_FUNC(TS_F_TS_TST_INFO_SET_POLICY_ID), "TS_TST_INFO_set_policy_id"},
118{ERR_FUNC(TS_F_TS_TST_INFO_SET_SERIAL), "TS_TST_INFO_set_serial"},
119{ERR_FUNC(TS_F_TS_TST_INFO_SET_TIME), "TS_TST_INFO_set_time"},
120{ERR_FUNC(TS_F_TS_TST_INFO_SET_TSA), "TS_TST_INFO_set_tsa"},
121{ERR_FUNC(TS_F_TS_VERIFY), "TS_VERIFY"},
122{ERR_FUNC(TS_F_TS_VERIFY_CERT), "TS_VERIFY_CERT"},
123{ERR_FUNC(TS_F_TS_VERIFY_CTX_NEW), "TS_VERIFY_CTX_new"},
124{0,NULL}
125 };
126
127static ERR_STRING_DATA TS_str_reasons[]=
128 {
129{ERR_REASON(TS_R_BAD_PKCS7_TYPE) ,"bad pkcs7 type"},
130{ERR_REASON(TS_R_BAD_TYPE) ,"bad type"},
131{ERR_REASON(TS_R_CERTIFICATE_VERIFY_ERROR),"certificate verify error"},
132{ERR_REASON(TS_R_COULD_NOT_SET_ENGINE) ,"could not set engine"},
133{ERR_REASON(TS_R_COULD_NOT_SET_TIME) ,"could not set time"},
134{ERR_REASON(TS_R_D2I_TS_RESP_INT_FAILED) ,"d2i ts resp int failed"},
135{ERR_REASON(TS_R_DETACHED_CONTENT) ,"detached content"},
136{ERR_REASON(TS_R_ESS_ADD_SIGNING_CERT_ERROR),"ess add signing cert error"},
137{ERR_REASON(TS_R_ESS_SIGNING_CERTIFICATE_ERROR),"ess signing certificate error"},
138{ERR_REASON(TS_R_INVALID_NULL_POINTER) ,"invalid null pointer"},
139{ERR_REASON(TS_R_INVALID_SIGNER_CERTIFICATE_PURPOSE),"invalid signer certificate purpose"},
140{ERR_REASON(TS_R_MESSAGE_IMPRINT_MISMATCH),"message imprint mismatch"},
141{ERR_REASON(TS_R_NONCE_MISMATCH) ,"nonce mismatch"},
142{ERR_REASON(TS_R_NONCE_NOT_RETURNED) ,"nonce not returned"},
143{ERR_REASON(TS_R_NO_CONTENT) ,"no content"},
144{ERR_REASON(TS_R_NO_TIME_STAMP_TOKEN) ,"no time stamp token"},
145{ERR_REASON(TS_R_PKCS7_ADD_SIGNATURE_ERROR),"pkcs7 add signature error"},
146{ERR_REASON(TS_R_PKCS7_ADD_SIGNED_ATTR_ERROR),"pkcs7 add signed attr error"},
147{ERR_REASON(TS_R_PKCS7_TO_TS_TST_INFO_FAILED),"pkcs7 to ts tst info failed"},
148{ERR_REASON(TS_R_POLICY_MISMATCH) ,"policy mismatch"},
149{ERR_REASON(TS_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE),"private key does not match certificate"},
150{ERR_REASON(TS_R_RESPONSE_SETUP_ERROR) ,"response setup error"},
151{ERR_REASON(TS_R_SIGNATURE_FAILURE) ,"signature failure"},
152{ERR_REASON(TS_R_THERE_MUST_BE_ONE_SIGNER),"there must be one signer"},
153{ERR_REASON(TS_R_TIME_SYSCALL_ERROR) ,"time syscall error"},
154{ERR_REASON(TS_R_TOKEN_NOT_PRESENT) ,"token not present"},
155{ERR_REASON(TS_R_TOKEN_PRESENT) ,"token present"},
156{ERR_REASON(TS_R_TSA_NAME_MISMATCH) ,"tsa name mismatch"},
157{ERR_REASON(TS_R_TSA_UNTRUSTED) ,"tsa untrusted"},
158{ERR_REASON(TS_R_TST_INFO_SETUP_ERROR) ,"tst info setup error"},
159{ERR_REASON(TS_R_TS_DATASIGN) ,"ts datasign"},
160{ERR_REASON(TS_R_UNACCEPTABLE_POLICY) ,"unacceptable policy"},
161{ERR_REASON(TS_R_UNSUPPORTED_MD_ALGORITHM),"unsupported md algorithm"},
162{ERR_REASON(TS_R_UNSUPPORTED_VERSION) ,"unsupported version"},
163{ERR_REASON(TS_R_WRONG_CONTENT_TYPE) ,"wrong content type"},
164{0,NULL}
165 };
166
167#endif
168
169void ERR_load_TS_strings(void)
170 {
171#ifndef OPENSSL_NO_ERR
172
173 if (ERR_func_error_string(TS_str_functs[0].error) == NULL)
174 {
175 ERR_load_strings(0,TS_str_functs);
176 ERR_load_strings(0,TS_str_reasons);
177 }
178#endif
179 }
diff --git a/src/lib/libcrypto/ts/ts_lib.c b/src/lib/libcrypto/ts/ts_lib.c
deleted file mode 100644
index e8608dbf71..0000000000
--- a/src/lib/libcrypto/ts/ts_lib.c
+++ /dev/null
@@ -1,145 +0,0 @@
1/* crypto/ts/ts_lib.c */
2/* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
3 * project 2002.
4 */
5/* ====================================================================
6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/objects.h>
62#include <openssl/bn.h>
63#include <openssl/x509v3.h>
64#include "ts.h"
65
66/* Local function declarations. */
67
68/* Function definitions. */
69
70int TS_ASN1_INTEGER_print_bio(BIO *bio, const ASN1_INTEGER *num)
71 {
72 BIGNUM num_bn;
73 int result = 0;
74 char *hex;
75
76 BN_init(&num_bn);
77 ASN1_INTEGER_to_BN(num, &num_bn);
78 if ((hex = BN_bn2hex(&num_bn)))
79 {
80 result = BIO_write(bio, "0x", 2) > 0;
81 result = result && BIO_write(bio, hex, strlen(hex)) > 0;
82 OPENSSL_free(hex);
83 }
84 BN_free(&num_bn);
85
86 return result;
87 }
88
89int TS_OBJ_print_bio(BIO *bio, const ASN1_OBJECT *obj)
90 {
91 char obj_txt[128];
92
93 int len = OBJ_obj2txt(obj_txt, sizeof(obj_txt), obj, 0);
94 BIO_write(bio, obj_txt, len);
95 BIO_write(bio, "\n", 1);
96
97 return 1;
98 }
99
100int TS_ext_print_bio(BIO *bio, const STACK_OF(X509_EXTENSION) *extensions)
101 {
102 int i, critical, n;
103 X509_EXTENSION *ex;
104 ASN1_OBJECT *obj;
105
106 BIO_printf(bio, "Extensions:\n");
107 n = X509v3_get_ext_count(extensions);
108 for (i = 0; i < n; i++)
109 {
110 ex = X509v3_get_ext(extensions, i);
111 obj = X509_EXTENSION_get_object(ex);
112 i2a_ASN1_OBJECT(bio, obj);
113 critical = X509_EXTENSION_get_critical(ex);
114 BIO_printf(bio, ": %s\n", critical ? "critical" : "");
115 if (!X509V3_EXT_print(bio, ex, 0, 4))
116 {
117 BIO_printf(bio, "%4s", "");
118 M_ASN1_OCTET_STRING_print(bio, ex->value);
119 }
120 BIO_write(bio, "\n", 1);
121 }
122
123 return 1;
124 }
125
126int TS_X509_ALGOR_print_bio(BIO *bio, const X509_ALGOR *alg)
127 {
128 int i = OBJ_obj2nid(alg->algorithm);
129 return BIO_printf(bio, "Hash Algorithm: %s\n",
130 (i == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(i));
131 }
132
133int TS_MSG_IMPRINT_print_bio(BIO *bio, TS_MSG_IMPRINT *a)
134 {
135 const ASN1_OCTET_STRING *msg;
136
137 TS_X509_ALGOR_print_bio(bio, TS_MSG_IMPRINT_get_algo(a));
138
139 BIO_printf(bio, "Message data:\n");
140 msg = TS_MSG_IMPRINT_get_msg(a);
141 BIO_dump_indent(bio, (const char *)M_ASN1_STRING_data(msg),
142 M_ASN1_STRING_length(msg), 4);
143
144 return 1;
145 }
diff --git a/src/lib/libcrypto/ts/ts_req_print.c b/src/lib/libcrypto/ts/ts_req_print.c
deleted file mode 100644
index eba12c3824..0000000000
--- a/src/lib/libcrypto/ts/ts_req_print.c
+++ /dev/null
@@ -1,102 +0,0 @@
1/* crypto/ts/ts_req_print.c */
2/* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
3 * project 2002.
4 */
5/* ====================================================================
6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/objects.h>
62#include <openssl/bn.h>
63#include <openssl/x509v3.h>
64#include <openssl/ts.h>
65
66/* Function definitions. */
67
68int TS_REQ_print_bio(BIO *bio, TS_REQ *a)
69 {
70 int v;
71 ASN1_OBJECT *policy_id;
72 const ASN1_INTEGER *nonce;
73
74 if (a == NULL) return 0;
75
76 v = TS_REQ_get_version(a);
77 BIO_printf(bio, "Version: %d\n", v);
78
79 TS_MSG_IMPRINT_print_bio(bio, TS_REQ_get_msg_imprint(a));
80
81 BIO_printf(bio, "Policy OID: ");
82 policy_id = TS_REQ_get_policy_id(a);
83 if (policy_id == NULL)
84 BIO_printf(bio, "unspecified\n");
85 else
86 TS_OBJ_print_bio(bio, policy_id);
87
88 BIO_printf(bio, "Nonce: ");
89 nonce = TS_REQ_get_nonce(a);
90 if (nonce == NULL)
91 BIO_printf(bio, "unspecified");
92 else
93 TS_ASN1_INTEGER_print_bio(bio, nonce);
94 BIO_write(bio, "\n", 1);
95
96 BIO_printf(bio, "Certificate required: %s\n",
97 TS_REQ_get_cert_req(a) ? "yes" : "no");
98
99 TS_ext_print_bio(bio, TS_REQ_get_exts(a));
100
101 return 1;
102 }
diff --git a/src/lib/libcrypto/ts/ts_req_utils.c b/src/lib/libcrypto/ts/ts_req_utils.c
deleted file mode 100644
index 43280c1587..0000000000
--- a/src/lib/libcrypto/ts/ts_req_utils.c
+++ /dev/null
@@ -1,234 +0,0 @@
1/* crypto/ts/ts_req_utils.c */
2/* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
3 * project 2002.
4 */
5/* ====================================================================
6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/objects.h>
62#include <openssl/x509v3.h>
63#include <openssl/ts.h>
64
65int TS_REQ_set_version(TS_REQ *a, long version)
66 {
67 return ASN1_INTEGER_set(a->version, version);
68 }
69
70long TS_REQ_get_version(const TS_REQ *a)
71 {
72 return ASN1_INTEGER_get(a->version);
73 }
74
75int TS_REQ_set_msg_imprint(TS_REQ *a, TS_MSG_IMPRINT *msg_imprint)
76 {
77 TS_MSG_IMPRINT *new_msg_imprint;
78
79 if (a->msg_imprint == msg_imprint)
80 return 1;
81 new_msg_imprint = TS_MSG_IMPRINT_dup(msg_imprint);
82 if (new_msg_imprint == NULL)
83 {
84 TSerr(TS_F_TS_REQ_SET_MSG_IMPRINT, ERR_R_MALLOC_FAILURE);
85 return 0;
86 }
87 TS_MSG_IMPRINT_free(a->msg_imprint);
88 a->msg_imprint = new_msg_imprint;
89 return 1;
90 }
91
92TS_MSG_IMPRINT *TS_REQ_get_msg_imprint(TS_REQ *a)
93 {
94 return a->msg_imprint;
95 }
96
97int TS_MSG_IMPRINT_set_algo(TS_MSG_IMPRINT *a, X509_ALGOR *alg)
98 {
99 X509_ALGOR *new_alg;
100
101 if (a->hash_algo == alg)
102 return 1;
103 new_alg = X509_ALGOR_dup(alg);
104 if (new_alg == NULL)
105 {
106 TSerr(TS_F_TS_MSG_IMPRINT_SET_ALGO, ERR_R_MALLOC_FAILURE);
107 return 0;
108 }
109 X509_ALGOR_free(a->hash_algo);
110 a->hash_algo = new_alg;
111 return 1;
112 }
113
114X509_ALGOR *TS_MSG_IMPRINT_get_algo(TS_MSG_IMPRINT *a)
115 {
116 return a->hash_algo;
117 }
118
119int TS_MSG_IMPRINT_set_msg(TS_MSG_IMPRINT *a, unsigned char *d, int len)
120 {
121 return ASN1_OCTET_STRING_set(a->hashed_msg, d, len);
122 }
123
124ASN1_OCTET_STRING *TS_MSG_IMPRINT_get_msg(TS_MSG_IMPRINT *a)
125 {
126 return a->hashed_msg;
127 }
128
129int TS_REQ_set_policy_id(TS_REQ *a, ASN1_OBJECT *policy)
130 {
131 ASN1_OBJECT *new_policy;
132
133 if (a->policy_id == policy)
134 return 1;
135 new_policy = OBJ_dup(policy);
136 if (new_policy == NULL)
137 {
138 TSerr(TS_F_TS_REQ_SET_POLICY_ID, ERR_R_MALLOC_FAILURE);
139 return 0;
140 }
141 ASN1_OBJECT_free(a->policy_id);
142 a->policy_id = new_policy;
143 return 1;
144 }
145
146ASN1_OBJECT *TS_REQ_get_policy_id(TS_REQ *a)
147 {
148 return a->policy_id;
149 }
150
151int TS_REQ_set_nonce(TS_REQ *a, const ASN1_INTEGER *nonce)
152 {
153 ASN1_INTEGER *new_nonce;
154
155 if (a->nonce == nonce)
156 return 1;
157 new_nonce = ASN1_INTEGER_dup(nonce);
158 if (new_nonce == NULL)
159 {
160 TSerr(TS_F_TS_REQ_SET_NONCE, ERR_R_MALLOC_FAILURE);
161 return 0;
162 }
163 ASN1_INTEGER_free(a->nonce);
164 a->nonce = new_nonce;
165 return 1;
166 }
167
168const ASN1_INTEGER *TS_REQ_get_nonce(const TS_REQ *a)
169 {
170 return a->nonce;
171 }
172
173int TS_REQ_set_cert_req(TS_REQ *a, int cert_req)
174 {
175 a->cert_req = cert_req ? 0xFF : 0x00;
176 return 1;
177 }
178
179int TS_REQ_get_cert_req(const TS_REQ *a)
180 {
181 return a->cert_req ? 1 : 0;
182 }
183
184STACK_OF(X509_EXTENSION) *TS_REQ_get_exts(TS_REQ *a)
185 {
186 return a->extensions;
187 }
188
189void TS_REQ_ext_free(TS_REQ *a)
190 {
191 if (!a) return;
192 sk_X509_EXTENSION_pop_free(a->extensions, X509_EXTENSION_free);
193 a->extensions = NULL;
194 }
195
196int TS_REQ_get_ext_count(TS_REQ *a)
197 {
198 return X509v3_get_ext_count(a->extensions);
199 }
200
201int TS_REQ_get_ext_by_NID(TS_REQ *a, int nid, int lastpos)
202 {
203 return X509v3_get_ext_by_NID(a->extensions, nid, lastpos);
204 }
205
206int TS_REQ_get_ext_by_OBJ(TS_REQ *a, ASN1_OBJECT *obj, int lastpos)
207 {
208 return X509v3_get_ext_by_OBJ(a->extensions, obj, lastpos);
209 }
210
211int TS_REQ_get_ext_by_critical(TS_REQ *a, int crit, int lastpos)
212 {
213 return X509v3_get_ext_by_critical(a->extensions, crit, lastpos);
214 }
215
216X509_EXTENSION *TS_REQ_get_ext(TS_REQ *a, int loc)
217 {
218 return X509v3_get_ext(a->extensions,loc);
219 }
220
221X509_EXTENSION *TS_REQ_delete_ext(TS_REQ *a, int loc)
222 {
223 return X509v3_delete_ext(a->extensions,loc);
224 }
225
226int TS_REQ_add_ext(TS_REQ *a, X509_EXTENSION *ex, int loc)
227 {
228 return X509v3_add_ext(&a->extensions,ex,loc) != NULL;
229 }
230
231void *TS_REQ_get_ext_d2i(TS_REQ *a, int nid, int *crit, int *idx)
232 {
233 return X509V3_get_d2i(a->extensions, nid, crit, idx);
234 }
diff --git a/src/lib/libcrypto/ts/ts_rsp_print.c b/src/lib/libcrypto/ts/ts_rsp_print.c
deleted file mode 100644
index 21062517ba..0000000000
--- a/src/lib/libcrypto/ts/ts_rsp_print.c
+++ /dev/null
@@ -1,287 +0,0 @@
1/* crypto/ts/ts_resp_print.c */
2/* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
3 * project 2002.
4 */
5/* ====================================================================
6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/objects.h>
62#include <openssl/bn.h>
63#include <openssl/x509v3.h>
64#include "ts.h"
65
66struct status_map_st
67 {
68 int bit;
69 const char *text;
70 };
71
72/* Local function declarations. */
73
74static int TS_status_map_print(BIO *bio, struct status_map_st *a,
75 ASN1_BIT_STRING *v);
76static int TS_ACCURACY_print_bio(BIO *bio, const TS_ACCURACY *accuracy);
77
78/* Function definitions. */
79
80int TS_RESP_print_bio(BIO *bio, TS_RESP *a)
81 {
82 TS_TST_INFO *tst_info;
83
84 BIO_printf(bio, "Status info:\n");
85 TS_STATUS_INFO_print_bio(bio, TS_RESP_get_status_info(a));
86
87 BIO_printf(bio, "\nTST info:\n");
88 tst_info = TS_RESP_get_tst_info(a);
89 if (tst_info != NULL)
90 TS_TST_INFO_print_bio(bio, TS_RESP_get_tst_info(a));
91 else
92 BIO_printf(bio, "Not included.\n");
93
94 return 1;
95 }
96
97int TS_STATUS_INFO_print_bio(BIO *bio, TS_STATUS_INFO *a)
98 {
99 static const char *status_map[] =
100 {
101 "Granted.",
102 "Granted with modifications.",
103 "Rejected.",
104 "Waiting.",
105 "Revocation warning.",
106 "Revoked."
107 };
108 static struct status_map_st failure_map[] =
109 {
110 { TS_INFO_BAD_ALG,
111 "unrecognized or unsupported algorithm identifier" },
112 { TS_INFO_BAD_REQUEST,
113 "transaction not permitted or supported" },
114 { TS_INFO_BAD_DATA_FORMAT,
115 "the data submitted has the wrong format" },
116 { TS_INFO_TIME_NOT_AVAILABLE,
117 "the TSA's time source is not available" },
118 { TS_INFO_UNACCEPTED_POLICY,
119 "the requested TSA policy is not supported by the TSA" },
120 { TS_INFO_UNACCEPTED_EXTENSION,
121 "the requested extension is not supported by the TSA" },
122 { TS_INFO_ADD_INFO_NOT_AVAILABLE,
123 "the additional information requested could not be understood "
124 "or is not available" },
125 { TS_INFO_SYSTEM_FAILURE,
126 "the request cannot be handled due to system failure" },
127 { -1, NULL }
128 };
129 long status;
130 int i, lines = 0;
131
132 /* Printing status code. */
133 BIO_printf(bio, "Status: ");
134 status = ASN1_INTEGER_get(a->status);
135 if (0 <= status && status < (long)(sizeof(status_map)/sizeof(status_map[0])))
136 BIO_printf(bio, "%s\n", status_map[status]);
137 else
138 BIO_printf(bio, "out of bounds\n");
139
140 /* Printing status description. */
141 BIO_printf(bio, "Status description: ");
142 for (i = 0; i < sk_ASN1_UTF8STRING_num(a->text); ++i)
143 {
144 if (i > 0)
145 BIO_puts(bio, "\t");
146 ASN1_STRING_print_ex(bio, sk_ASN1_UTF8STRING_value(a->text, i),
147 0);
148 BIO_puts(bio, "\n");
149 }
150 if (i == 0)
151 BIO_printf(bio, "unspecified\n");
152
153 /* Printing failure information. */
154 BIO_printf(bio, "Failure info: ");
155 if (a->failure_info != NULL)
156 lines = TS_status_map_print(bio, failure_map,
157 a->failure_info);
158 if (lines == 0)
159 BIO_printf(bio, "unspecified");
160 BIO_printf(bio, "\n");
161
162 return 1;
163 }
164
165static int TS_status_map_print(BIO *bio, struct status_map_st *a,
166 ASN1_BIT_STRING *v)
167 {
168 int lines = 0;
169
170 for (; a->bit >= 0; ++a)
171 {
172 if (ASN1_BIT_STRING_get_bit(v, a->bit))
173 {
174 if (++lines > 1)
175 BIO_printf(bio, ", ");
176 BIO_printf(bio, "%s", a->text);
177 }
178 }
179
180 return lines;
181 }
182
183int TS_TST_INFO_print_bio(BIO *bio, TS_TST_INFO *a)
184 {
185 int v;
186 ASN1_OBJECT *policy_id;
187 const ASN1_INTEGER *serial;
188 const ASN1_GENERALIZEDTIME *gtime;
189 TS_ACCURACY *accuracy;
190 const ASN1_INTEGER *nonce;
191 GENERAL_NAME *tsa_name;
192
193 if (a == NULL) return 0;
194
195 /* Print version. */
196 v = TS_TST_INFO_get_version(a);
197 BIO_printf(bio, "Version: %d\n", v);
198
199 /* Print policy id. */
200 BIO_printf(bio, "Policy OID: ");
201 policy_id = TS_TST_INFO_get_policy_id(a);
202 TS_OBJ_print_bio(bio, policy_id);
203
204 /* Print message imprint. */
205 TS_MSG_IMPRINT_print_bio(bio, TS_TST_INFO_get_msg_imprint(a));
206
207 /* Print serial number. */
208 BIO_printf(bio, "Serial number: ");
209 serial = TS_TST_INFO_get_serial(a);
210 if (serial == NULL)
211 BIO_printf(bio, "unspecified");
212 else
213 TS_ASN1_INTEGER_print_bio(bio, serial);
214 BIO_write(bio, "\n", 1);
215
216 /* Print time stamp. */
217 BIO_printf(bio, "Time stamp: ");
218 gtime = TS_TST_INFO_get_time(a);
219 ASN1_GENERALIZEDTIME_print(bio, gtime);
220 BIO_write(bio, "\n", 1);
221
222 /* Print accuracy. */
223 BIO_printf(bio, "Accuracy: ");
224 accuracy = TS_TST_INFO_get_accuracy(a);
225 if (accuracy == NULL)
226 BIO_printf(bio, "unspecified");
227 else
228 TS_ACCURACY_print_bio(bio, accuracy);
229 BIO_write(bio, "\n", 1);
230
231 /* Print ordering. */
232 BIO_printf(bio, "Ordering: %s\n",
233 TS_TST_INFO_get_ordering(a) ? "yes" : "no");
234
235 /* Print nonce. */
236 BIO_printf(bio, "Nonce: ");
237 nonce = TS_TST_INFO_get_nonce(a);
238 if (nonce == NULL)
239 BIO_printf(bio, "unspecified");
240 else
241 TS_ASN1_INTEGER_print_bio(bio, nonce);
242 BIO_write(bio, "\n", 1);
243
244 /* Print TSA name. */
245 BIO_printf(bio, "TSA: ");
246 tsa_name = TS_TST_INFO_get_tsa(a);
247 if (tsa_name == NULL)
248 BIO_printf(bio, "unspecified");
249 else
250 {
251 STACK_OF(CONF_VALUE) *nval;
252 if ((nval = i2v_GENERAL_NAME(NULL, tsa_name, NULL)))
253 X509V3_EXT_val_prn(bio, nval, 0, 0);
254 sk_CONF_VALUE_pop_free(nval, X509V3_conf_free);
255 }
256 BIO_write(bio, "\n", 1);
257
258 /* Print extensions. */
259 TS_ext_print_bio(bio, TS_TST_INFO_get_exts(a));
260
261 return 1;
262 }
263
264static int TS_ACCURACY_print_bio(BIO *bio, const TS_ACCURACY *accuracy)
265 {
266 const ASN1_INTEGER *seconds = TS_ACCURACY_get_seconds(accuracy);
267 const ASN1_INTEGER *millis = TS_ACCURACY_get_millis(accuracy);
268 const ASN1_INTEGER *micros = TS_ACCURACY_get_micros(accuracy);
269
270 if (seconds != NULL)
271 TS_ASN1_INTEGER_print_bio(bio, seconds);
272 else
273 BIO_printf(bio, "unspecified");
274 BIO_printf(bio, " seconds, ");
275 if (millis != NULL)
276 TS_ASN1_INTEGER_print_bio(bio, millis);
277 else
278 BIO_printf(bio, "unspecified");
279 BIO_printf(bio, " millis, ");
280 if (micros != NULL)
281 TS_ASN1_INTEGER_print_bio(bio, micros);
282 else
283 BIO_printf(bio, "unspecified");
284 BIO_printf(bio, " micros");
285
286 return 1;
287 }
diff --git a/src/lib/libcrypto/ts/ts_rsp_sign.c b/src/lib/libcrypto/ts/ts_rsp_sign.c
deleted file mode 100644
index b0f023c9d2..0000000000
--- a/src/lib/libcrypto/ts/ts_rsp_sign.c
+++ /dev/null
@@ -1,1020 +0,0 @@
1/* crypto/ts/ts_resp_sign.c */
2/* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
3 * project 2002.
4 */
5/* ====================================================================
6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include "cryptlib.h"
60
61#if defined(OPENSSL_SYS_UNIX)
62#include <sys/time.h>
63#endif
64
65#include <openssl/objects.h>
66#include <openssl/ts.h>
67#include <openssl/pkcs7.h>
68
69/* Private function declarations. */
70
71static ASN1_INTEGER *def_serial_cb(struct TS_resp_ctx *, void *);
72static int def_time_cb(struct TS_resp_ctx *, void *, long *sec, long *usec);
73static int def_extension_cb(struct TS_resp_ctx *, X509_EXTENSION *, void *);
74
75static void TS_RESP_CTX_init(TS_RESP_CTX *ctx);
76static void TS_RESP_CTX_cleanup(TS_RESP_CTX *ctx);
77static int TS_RESP_check_request(TS_RESP_CTX *ctx);
78static ASN1_OBJECT *TS_RESP_get_policy(TS_RESP_CTX *ctx);
79static TS_TST_INFO *TS_RESP_create_tst_info(TS_RESP_CTX *ctx,
80 ASN1_OBJECT *policy);
81static int TS_RESP_process_extensions(TS_RESP_CTX *ctx);
82static int TS_RESP_sign(TS_RESP_CTX *ctx);
83
84static ESS_SIGNING_CERT *ESS_SIGNING_CERT_new_init(X509 *signcert,
85 STACK_OF(X509) *certs);
86static ESS_CERT_ID *ESS_CERT_ID_new_init(X509 *cert, int issuer_needed);
87static int TS_TST_INFO_content_new(PKCS7 *p7);
88static int ESS_add_signing_cert(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT *sc);
89
90static ASN1_GENERALIZEDTIME *TS_RESP_set_genTime_with_precision(
91 ASN1_GENERALIZEDTIME *, long, long, unsigned);
92
93/* Default callbacks for response generation. */
94
95static ASN1_INTEGER *def_serial_cb(struct TS_resp_ctx *ctx, void *data)
96 {
97 ASN1_INTEGER *serial = ASN1_INTEGER_new();
98 if (!serial) goto err;
99 if (!ASN1_INTEGER_set(serial, 1)) goto err;
100 return serial;
101 err:
102 TSerr(TS_F_DEF_SERIAL_CB, ERR_R_MALLOC_FAILURE);
103 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION,
104 "Error during serial number generation.");
105 return NULL;
106 }
107
108#if defined(OPENSSL_SYS_UNIX)
109
110/* Use the gettimeofday function call. */
111static int def_time_cb(struct TS_resp_ctx *ctx, void *data,
112 long *sec, long *usec)
113 {
114 struct timeval tv;
115 if (gettimeofday(&tv, NULL) != 0)
116 {
117 TSerr(TS_F_DEF_TIME_CB, TS_R_TIME_SYSCALL_ERROR);
118 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION,
119 "Time is not available.");
120 TS_RESP_CTX_add_failure_info(ctx, TS_INFO_TIME_NOT_AVAILABLE);
121 return 0;
122 }
123 /* Return time to caller. */
124 *sec = tv.tv_sec;
125 *usec = tv.tv_usec;
126
127 return 1;
128 }
129
130#else
131
132/* Use the time function call that provides only seconds precision. */
133static int def_time_cb(struct TS_resp_ctx *ctx, void *data,
134 long *sec, long *usec)
135 {
136 time_t t;
137 if (time(&t) == (time_t) -1)
138 {
139 TSerr(TS_F_DEF_TIME_CB, TS_R_TIME_SYSCALL_ERROR);
140 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION,
141 "Time is not available.");
142 TS_RESP_CTX_add_failure_info(ctx, TS_INFO_TIME_NOT_AVAILABLE);
143 return 0;
144 }
145 /* Return time to caller, only second precision. */
146 *sec = (long) t;
147 *usec = 0;
148
149 return 1;
150 }
151
152#endif
153
154static int def_extension_cb(struct TS_resp_ctx *ctx, X509_EXTENSION *ext,
155 void *data)
156 {
157 /* No extensions are processed here. */
158 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION,
159 "Unsupported extension.");
160 TS_RESP_CTX_add_failure_info(ctx, TS_INFO_UNACCEPTED_EXTENSION);
161 return 0;
162 }
163
164/* TS_RESP_CTX management functions. */
165
166TS_RESP_CTX *TS_RESP_CTX_new()
167 {
168 TS_RESP_CTX *ctx;
169
170 if (!(ctx = (TS_RESP_CTX *) OPENSSL_malloc(sizeof(TS_RESP_CTX))))
171 {
172 TSerr(TS_F_TS_RESP_CTX_NEW, ERR_R_MALLOC_FAILURE);
173 return NULL;
174 }
175 memset(ctx, 0, sizeof(TS_RESP_CTX));
176
177 /* Setting default callbacks. */
178 ctx->serial_cb = def_serial_cb;
179 ctx->time_cb = def_time_cb;
180 ctx->extension_cb = def_extension_cb;
181
182 return ctx;
183 }
184
185void TS_RESP_CTX_free(TS_RESP_CTX *ctx)
186 {
187 if (!ctx) return;
188
189 X509_free(ctx->signer_cert);
190 EVP_PKEY_free(ctx->signer_key);
191 sk_X509_pop_free(ctx->certs, X509_free);
192 sk_ASN1_OBJECT_pop_free(ctx->policies, ASN1_OBJECT_free);
193 ASN1_OBJECT_free(ctx->default_policy);
194 sk_EVP_MD_free(ctx->mds); /* No EVP_MD_free method exists. */
195 ASN1_INTEGER_free(ctx->seconds);
196 ASN1_INTEGER_free(ctx->millis);
197 ASN1_INTEGER_free(ctx->micros);
198 OPENSSL_free(ctx);
199 }
200
201int TS_RESP_CTX_set_signer_cert(TS_RESP_CTX *ctx, X509 *signer)
202 {
203 if (X509_check_purpose(signer, X509_PURPOSE_TIMESTAMP_SIGN, 0) != 1)
204 {
205 TSerr(TS_F_TS_RESP_CTX_SET_SIGNER_CERT,
206 TS_R_INVALID_SIGNER_CERTIFICATE_PURPOSE);
207 return 0;
208 }
209 if (ctx->signer_cert) X509_free(ctx->signer_cert);
210 ctx->signer_cert = signer;
211 CRYPTO_add(&ctx->signer_cert->references, +1, CRYPTO_LOCK_X509);
212 return 1;
213 }
214
215int TS_RESP_CTX_set_signer_key(TS_RESP_CTX *ctx, EVP_PKEY *key)
216 {
217 if (ctx->signer_key) EVP_PKEY_free(ctx->signer_key);
218 ctx->signer_key = key;
219 CRYPTO_add(&ctx->signer_key->references, +1, CRYPTO_LOCK_EVP_PKEY);
220
221 return 1;
222 }
223
224int TS_RESP_CTX_set_def_policy(TS_RESP_CTX *ctx, ASN1_OBJECT *def_policy)
225 {
226 if (ctx->default_policy) ASN1_OBJECT_free(ctx->default_policy);
227 if (!(ctx->default_policy = OBJ_dup(def_policy))) goto err;
228 return 1;
229 err:
230 TSerr(TS_F_TS_RESP_CTX_SET_DEF_POLICY, ERR_R_MALLOC_FAILURE);
231 return 0;
232 }
233
234int TS_RESP_CTX_set_certs(TS_RESP_CTX *ctx, STACK_OF(X509) *certs)
235 {
236 int i;
237
238 if (ctx->certs)
239 {
240 sk_X509_pop_free(ctx->certs, X509_free);
241 ctx->certs = NULL;
242 }
243 if (!certs) return 1;
244 if (!(ctx->certs = sk_X509_dup(certs)))
245 {
246 TSerr(TS_F_TS_RESP_CTX_SET_CERTS, ERR_R_MALLOC_FAILURE);
247 return 0;
248 }
249 for (i = 0; i < sk_X509_num(ctx->certs); ++i)
250 {
251 X509 *cert = sk_X509_value(ctx->certs, i);
252 CRYPTO_add(&cert->references, +1, CRYPTO_LOCK_X509);
253 }
254
255 return 1;
256 }
257
258int TS_RESP_CTX_add_policy(TS_RESP_CTX *ctx, ASN1_OBJECT *policy)
259 {
260 ASN1_OBJECT *copy = NULL;
261
262 /* Create new policy stack if necessary. */
263 if (!ctx->policies && !(ctx->policies = sk_ASN1_OBJECT_new_null()))
264 goto err;
265 if (!(copy = OBJ_dup(policy))) goto err;
266 if (!sk_ASN1_OBJECT_push(ctx->policies, copy)) goto err;
267
268 return 1;
269 err:
270 TSerr(TS_F_TS_RESP_CTX_ADD_POLICY, ERR_R_MALLOC_FAILURE);
271 ASN1_OBJECT_free(copy);
272 return 0;
273 }
274
275int TS_RESP_CTX_add_md(TS_RESP_CTX *ctx, const EVP_MD *md)
276 {
277 /* Create new md stack if necessary. */
278 if (!ctx->mds && !(ctx->mds = sk_EVP_MD_new_null()))
279 goto err;
280 /* Add the shared md, no copy needed. */
281 if (!sk_EVP_MD_push(ctx->mds, (EVP_MD *)md)) goto err;
282
283 return 1;
284 err:
285 TSerr(TS_F_TS_RESP_CTX_ADD_MD, ERR_R_MALLOC_FAILURE);
286 return 0;
287 }
288
289#define TS_RESP_CTX_accuracy_free(ctx) \
290 ASN1_INTEGER_free(ctx->seconds); \
291 ctx->seconds = NULL; \
292 ASN1_INTEGER_free(ctx->millis); \
293 ctx->millis = NULL; \
294 ASN1_INTEGER_free(ctx->micros); \
295 ctx->micros = NULL;
296
297int TS_RESP_CTX_set_accuracy(TS_RESP_CTX *ctx,
298 int secs, int millis, int micros)
299 {
300
301 TS_RESP_CTX_accuracy_free(ctx);
302 if (secs && (!(ctx->seconds = ASN1_INTEGER_new())
303 || !ASN1_INTEGER_set(ctx->seconds, secs)))
304 goto err;
305 if (millis && (!(ctx->millis = ASN1_INTEGER_new())
306 || !ASN1_INTEGER_set(ctx->millis, millis)))
307 goto err;
308 if (micros && (!(ctx->micros = ASN1_INTEGER_new())
309 || !ASN1_INTEGER_set(ctx->micros, micros)))
310 goto err;
311
312 return 1;
313 err:
314 TS_RESP_CTX_accuracy_free(ctx);
315 TSerr(TS_F_TS_RESP_CTX_SET_ACCURACY, ERR_R_MALLOC_FAILURE);
316 return 0;
317 }
318
319void TS_RESP_CTX_add_flags(TS_RESP_CTX *ctx, int flags)
320 {
321 ctx->flags |= flags;
322 }
323
324void TS_RESP_CTX_set_serial_cb(TS_RESP_CTX *ctx, TS_serial_cb cb, void *data)
325 {
326 ctx->serial_cb = cb;
327 ctx->serial_cb_data = data;
328 }
329
330void TS_RESP_CTX_set_time_cb(TS_RESP_CTX *ctx, TS_time_cb cb, void *data)
331 {
332 ctx->time_cb = cb;
333 ctx->time_cb_data = data;
334 }
335
336void TS_RESP_CTX_set_extension_cb(TS_RESP_CTX *ctx,
337 TS_extension_cb cb, void *data)
338 {
339 ctx->extension_cb = cb;
340 ctx->extension_cb_data = data;
341 }
342
343int TS_RESP_CTX_set_status_info(TS_RESP_CTX *ctx,
344 int status, const char *text)
345 {
346 TS_STATUS_INFO *si = NULL;
347 ASN1_UTF8STRING *utf8_text = NULL;
348 int ret = 0;
349
350 if (!(si = TS_STATUS_INFO_new())) goto err;
351 if (!ASN1_INTEGER_set(si->status, status)) goto err;
352 if (text)
353 {
354 if (!(utf8_text = ASN1_UTF8STRING_new())
355 || !ASN1_STRING_set(utf8_text, text, strlen(text)))
356 goto err;
357 if (!si->text && !(si->text = sk_ASN1_UTF8STRING_new_null()))
358 goto err;
359 if (!sk_ASN1_UTF8STRING_push(si->text, utf8_text)) goto err;
360 utf8_text = NULL; /* Ownership is lost. */
361 }
362 if (!TS_RESP_set_status_info(ctx->response, si)) goto err;
363 ret = 1;
364 err:
365 if (!ret)
366 TSerr(TS_F_TS_RESP_CTX_SET_STATUS_INFO, ERR_R_MALLOC_FAILURE);
367 TS_STATUS_INFO_free(si);
368 ASN1_UTF8STRING_free(utf8_text);
369 return ret;
370 }
371
372int TS_RESP_CTX_set_status_info_cond(TS_RESP_CTX *ctx,
373 int status, const char *text)
374 {
375 int ret = 1;
376 TS_STATUS_INFO *si = TS_RESP_get_status_info(ctx->response);
377
378 if (ASN1_INTEGER_get(si->status) == TS_STATUS_GRANTED)
379 {
380 /* Status has not been set, set it now. */
381 ret = TS_RESP_CTX_set_status_info(ctx, status, text);
382 }
383 return ret;
384 }
385
386int TS_RESP_CTX_add_failure_info(TS_RESP_CTX *ctx, int failure)
387 {
388 TS_STATUS_INFO *si = TS_RESP_get_status_info(ctx->response);
389 if (!si->failure_info && !(si->failure_info = ASN1_BIT_STRING_new()))
390 goto err;
391 if (!ASN1_BIT_STRING_set_bit(si->failure_info, failure, 1))
392 goto err;
393 return 1;
394 err:
395 TSerr(TS_F_TS_RESP_CTX_ADD_FAILURE_INFO, ERR_R_MALLOC_FAILURE);
396 return 0;
397 }
398
399TS_REQ *TS_RESP_CTX_get_request(TS_RESP_CTX *ctx)
400 {
401 return ctx->request;
402 }
403
404TS_TST_INFO *TS_RESP_CTX_get_tst_info(TS_RESP_CTX *ctx)
405 {
406 return ctx->tst_info;
407 }
408
409int TS_RESP_CTX_set_clock_precision_digits(TS_RESP_CTX *ctx, unsigned precision)
410 {
411 if (precision > TS_MAX_CLOCK_PRECISION_DIGITS)
412 return 0;
413 ctx->clock_precision_digits = precision;
414 return 1;
415 }
416
417/* Main entry method of the response generation. */
418TS_RESP *TS_RESP_create_response(TS_RESP_CTX *ctx, BIO *req_bio)
419 {
420 ASN1_OBJECT *policy;
421 TS_RESP *response;
422 int result = 0;
423
424 TS_RESP_CTX_init(ctx);
425
426 /* Creating the response object. */
427 if (!(ctx->response = TS_RESP_new()))
428 {
429 TSerr(TS_F_TS_RESP_CREATE_RESPONSE, ERR_R_MALLOC_FAILURE);
430 goto end;
431 }
432
433 /* Parsing DER request. */
434 if (!(ctx->request = d2i_TS_REQ_bio(req_bio, NULL)))
435 {
436 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION,
437 "Bad request format or "
438 "system error.");
439 TS_RESP_CTX_add_failure_info(ctx, TS_INFO_BAD_DATA_FORMAT);
440 goto end;
441 }
442
443 /* Setting default status info. */
444 if (!TS_RESP_CTX_set_status_info(ctx, TS_STATUS_GRANTED, NULL))
445 goto end;
446
447 /* Checking the request format. */
448 if (!TS_RESP_check_request(ctx)) goto end;
449
450 /* Checking acceptable policies. */
451 if (!(policy = TS_RESP_get_policy(ctx))) goto end;
452
453 /* Creating the TS_TST_INFO object. */
454 if (!(ctx->tst_info = TS_RESP_create_tst_info(ctx, policy)))
455 goto end;
456
457 /* Processing extensions. */
458 if (!TS_RESP_process_extensions(ctx)) goto end;
459
460 /* Generating the signature. */
461 if (!TS_RESP_sign(ctx)) goto end;
462
463 /* Everything was successful. */
464 result = 1;
465 end:
466 if (!result)
467 {
468 TSerr(TS_F_TS_RESP_CREATE_RESPONSE, TS_R_RESPONSE_SETUP_ERROR);
469 if (ctx->response != NULL)
470 {
471 if (TS_RESP_CTX_set_status_info_cond(ctx,
472 TS_STATUS_REJECTION, "Error during response "
473 "generation.") == 0)
474 {
475 TS_RESP_free(ctx->response);
476 ctx->response = NULL;
477 }
478 }
479 }
480 response = ctx->response;
481 ctx->response = NULL; /* Ownership will be returned to caller. */
482 TS_RESP_CTX_cleanup(ctx);
483 return response;
484 }
485
486/* Initializes the variable part of the context. */
487static void TS_RESP_CTX_init(TS_RESP_CTX *ctx)
488 {
489 ctx->request = NULL;
490 ctx->response = NULL;
491 ctx->tst_info = NULL;
492 }
493
494/* Cleans up the variable part of the context. */
495static void TS_RESP_CTX_cleanup(TS_RESP_CTX *ctx)
496 {
497 TS_REQ_free(ctx->request);
498 ctx->request = NULL;
499 TS_RESP_free(ctx->response);
500 ctx->response = NULL;
501 TS_TST_INFO_free(ctx->tst_info);
502 ctx->tst_info = NULL;
503 }
504
505/* Checks the format and content of the request. */
506static int TS_RESP_check_request(TS_RESP_CTX *ctx)
507 {
508 TS_REQ *request = ctx->request;
509 TS_MSG_IMPRINT *msg_imprint;
510 X509_ALGOR *md_alg;
511 int md_alg_id;
512 const ASN1_OCTET_STRING *digest;
513 EVP_MD *md = NULL;
514 int i;
515
516 /* Checking request version. */
517 if (TS_REQ_get_version(request) != 1)
518 {
519 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION,
520 "Bad request version.");
521 TS_RESP_CTX_add_failure_info(ctx, TS_INFO_BAD_REQUEST);
522 return 0;
523 }
524
525 /* Checking message digest algorithm. */
526 msg_imprint = TS_REQ_get_msg_imprint(request);
527 md_alg = TS_MSG_IMPRINT_get_algo(msg_imprint);
528 md_alg_id = OBJ_obj2nid(md_alg->algorithm);
529 for (i = 0; !md && i < sk_EVP_MD_num(ctx->mds); ++i)
530 {
531 EVP_MD *current_md = sk_EVP_MD_value(ctx->mds, i);
532 if (md_alg_id == EVP_MD_type(current_md))
533 md = current_md;
534 }
535 if (!md)
536 {
537 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION,
538 "Message digest algorithm is "
539 "not supported.");
540 TS_RESP_CTX_add_failure_info(ctx, TS_INFO_BAD_ALG);
541 return 0;
542 }
543
544 /* No message digest takes parameter. */
545 if (md_alg->parameter
546 && ASN1_TYPE_get(md_alg->parameter) != V_ASN1_NULL)
547 {
548 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION,
549 "Superfluous message digest "
550 "parameter.");
551 TS_RESP_CTX_add_failure_info(ctx, TS_INFO_BAD_ALG);
552 return 0;
553 }
554 /* Checking message digest size. */
555 digest = TS_MSG_IMPRINT_get_msg(msg_imprint);
556 if (digest->length != EVP_MD_size(md))
557 {
558 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION,
559 "Bad message digest.");
560 TS_RESP_CTX_add_failure_info(ctx, TS_INFO_BAD_DATA_FORMAT);
561 return 0;
562 }
563
564 return 1;
565 }
566
567/* Returns the TSA policy based on the requested and acceptable policies. */
568static ASN1_OBJECT *TS_RESP_get_policy(TS_RESP_CTX *ctx)
569 {
570 ASN1_OBJECT *requested = TS_REQ_get_policy_id(ctx->request);
571 ASN1_OBJECT *policy = NULL;
572 int i;
573
574 if (ctx->default_policy == NULL)
575 {
576 TSerr(TS_F_TS_RESP_GET_POLICY, TS_R_INVALID_NULL_POINTER);
577 return NULL;
578 }
579 /* Return the default policy if none is requested or the default is
580 requested. */
581 if (!requested || !OBJ_cmp(requested, ctx->default_policy))
582 policy = ctx->default_policy;
583
584 /* Check if the policy is acceptable. */
585 for (i = 0; !policy && i < sk_ASN1_OBJECT_num(ctx->policies); ++i)
586 {
587 ASN1_OBJECT *current = sk_ASN1_OBJECT_value(ctx->policies, i);
588 if (!OBJ_cmp(requested, current))
589 policy = current;
590 }
591 if (!policy)
592 {
593 TSerr(TS_F_TS_RESP_GET_POLICY, TS_R_UNACCEPTABLE_POLICY);
594 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION,
595 "Requested policy is not "
596 "supported.");
597 TS_RESP_CTX_add_failure_info(ctx, TS_INFO_UNACCEPTED_POLICY);
598 }
599 return policy;
600 }
601
602/* Creates the TS_TST_INFO object based on the settings of the context. */
603static TS_TST_INFO *TS_RESP_create_tst_info(TS_RESP_CTX *ctx,
604 ASN1_OBJECT *policy)
605 {
606 int result = 0;
607 TS_TST_INFO *tst_info = NULL;
608 ASN1_INTEGER *serial = NULL;
609 ASN1_GENERALIZEDTIME *asn1_time = NULL;
610 long sec, usec;
611 TS_ACCURACY *accuracy = NULL;
612 const ASN1_INTEGER *nonce;
613 GENERAL_NAME *tsa_name = NULL;
614
615 if (!(tst_info = TS_TST_INFO_new())) goto end;
616 if (!TS_TST_INFO_set_version(tst_info, 1)) goto end;
617 if (!TS_TST_INFO_set_policy_id(tst_info, policy)) goto end;
618 if (!TS_TST_INFO_set_msg_imprint(tst_info, ctx->request->msg_imprint))
619 goto end;
620 if (!(serial = (*ctx->serial_cb)(ctx, ctx->serial_cb_data))
621 || !TS_TST_INFO_set_serial(tst_info, serial))
622 goto end;
623 if (!(*ctx->time_cb)(ctx, ctx->time_cb_data, &sec, &usec)
624 || !(asn1_time = TS_RESP_set_genTime_with_precision(NULL,
625 sec, usec,
626 ctx->clock_precision_digits))
627 || !TS_TST_INFO_set_time(tst_info, asn1_time))
628 goto end;
629
630 /* Setting accuracy if needed. */
631 if ((ctx->seconds || ctx->millis || ctx->micros)
632 && !(accuracy = TS_ACCURACY_new()))
633 goto end;
634
635 if (ctx->seconds && !TS_ACCURACY_set_seconds(accuracy, ctx->seconds))
636 goto end;
637 if (ctx->millis && !TS_ACCURACY_set_millis(accuracy, ctx->millis))
638 goto end;
639 if (ctx->micros && !TS_ACCURACY_set_micros(accuracy, ctx->micros))
640 goto end;
641 if (accuracy && !TS_TST_INFO_set_accuracy(tst_info, accuracy))
642 goto end;
643
644 /* Setting ordering. */
645 if ((ctx->flags & TS_ORDERING)
646 && !TS_TST_INFO_set_ordering(tst_info, 1))
647 goto end;
648
649 /* Setting nonce if needed. */
650 if ((nonce = TS_REQ_get_nonce(ctx->request)) != NULL
651 && !TS_TST_INFO_set_nonce(tst_info, nonce))
652 goto end;
653
654 /* Setting TSA name to subject of signer certificate. */
655 if (ctx->flags & TS_TSA_NAME)
656 {
657 if (!(tsa_name = GENERAL_NAME_new())) goto end;
658 tsa_name->type = GEN_DIRNAME;
659 tsa_name->d.dirn =
660 X509_NAME_dup(ctx->signer_cert->cert_info->subject);
661 if (!tsa_name->d.dirn) goto end;
662 if (!TS_TST_INFO_set_tsa(tst_info, tsa_name)) goto end;
663 }
664
665 result = 1;
666 end:
667 if (!result)
668 {
669 TS_TST_INFO_free(tst_info);
670 tst_info = NULL;
671 TSerr(TS_F_TS_RESP_CREATE_TST_INFO, TS_R_TST_INFO_SETUP_ERROR);
672 TS_RESP_CTX_set_status_info_cond(ctx, TS_STATUS_REJECTION,
673 "Error during TSTInfo "
674 "generation.");
675 }
676 GENERAL_NAME_free(tsa_name);
677 TS_ACCURACY_free(accuracy);
678 ASN1_GENERALIZEDTIME_free(asn1_time);
679 ASN1_INTEGER_free(serial);
680
681 return tst_info;
682 }
683
684/* Processing the extensions of the request. */
685static int TS_RESP_process_extensions(TS_RESP_CTX *ctx)
686 {
687 STACK_OF(X509_EXTENSION) *exts = TS_REQ_get_exts(ctx->request);
688 int i;
689 int ok = 1;
690
691 for (i = 0; ok && i < sk_X509_EXTENSION_num(exts); ++i)
692 {
693 X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, i);
694 /* XXXXX The last argument was previously
695 (void *)ctx->extension_cb, but ISO C doesn't permit
696 converting a function pointer to void *. For lack of
697 better information, I'm placing a NULL there instead.
698 The callback can pick its own address out from the ctx
699 anyway...
700 */
701 ok = (*ctx->extension_cb)(ctx, ext, NULL);
702 }
703
704 return ok;
705 }
706
707/* Functions for signing the TS_TST_INFO structure of the context. */
708static int TS_RESP_sign(TS_RESP_CTX *ctx)
709 {
710 int ret = 0;
711 PKCS7 *p7 = NULL;
712 PKCS7_SIGNER_INFO *si;
713 STACK_OF(X509) *certs; /* Certificates to include in sc. */
714 ESS_SIGNING_CERT *sc = NULL;
715 ASN1_OBJECT *oid;
716 BIO *p7bio = NULL;
717 int i;
718
719 /* Check if signcert and pkey match. */
720 if (!X509_check_private_key(ctx->signer_cert, ctx->signer_key)) {
721 TSerr(TS_F_TS_RESP_SIGN,
722 TS_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
723 goto err;
724 }
725
726 /* Create a new PKCS7 signed object. */
727 if (!(p7 = PKCS7_new())) {
728 TSerr(TS_F_TS_RESP_SIGN, ERR_R_MALLOC_FAILURE);
729 goto err;
730 }
731 if (!PKCS7_set_type(p7, NID_pkcs7_signed)) goto err;
732
733 /* Force SignedData version to be 3 instead of the default 1. */
734 if (!ASN1_INTEGER_set(p7->d.sign->version, 3)) goto err;
735
736 /* Add signer certificate and optional certificate chain. */
737 if (TS_REQ_get_cert_req(ctx->request))
738 {
739 PKCS7_add_certificate(p7, ctx->signer_cert);
740 if (ctx->certs)
741 {
742 for(i = 0; i < sk_X509_num(ctx->certs); ++i)
743 {
744 X509 *cert = sk_X509_value(ctx->certs, i);
745 PKCS7_add_certificate(p7, cert);
746 }
747 }
748 }
749
750 /* Add a new signer info. */
751 if (!(si = PKCS7_add_signature(p7, ctx->signer_cert,
752 ctx->signer_key, EVP_sha1())))
753 {
754 TSerr(TS_F_TS_RESP_SIGN, TS_R_PKCS7_ADD_SIGNATURE_ERROR);
755 goto err;
756 }
757
758 /* Add content type signed attribute to the signer info. */
759 oid = OBJ_nid2obj(NID_id_smime_ct_TSTInfo);
760 if (!PKCS7_add_signed_attribute(si, NID_pkcs9_contentType,
761 V_ASN1_OBJECT, oid))
762 {
763 TSerr(TS_F_TS_RESP_SIGN, TS_R_PKCS7_ADD_SIGNED_ATTR_ERROR);
764 goto err;
765 }
766
767 /* Create the ESS SigningCertificate attribute which contains
768 the signer certificate id and optionally the certificate chain. */
769 certs = ctx->flags & TS_ESS_CERT_ID_CHAIN ? ctx->certs : NULL;
770 if (!(sc = ESS_SIGNING_CERT_new_init(ctx->signer_cert, certs)))
771 goto err;
772
773 /* Add SigningCertificate signed attribute to the signer info. */
774 if (!ESS_add_signing_cert(si, sc))
775 {
776 TSerr(TS_F_TS_RESP_SIGN, TS_R_ESS_ADD_SIGNING_CERT_ERROR);
777 goto err;
778 }
779
780 /* Add a new empty NID_id_smime_ct_TSTInfo encapsulated content. */
781 if (!TS_TST_INFO_content_new(p7)) goto err;
782
783 /* Add the DER encoded tst_info to the PKCS7 structure. */
784 if (!(p7bio = PKCS7_dataInit(p7, NULL))) {
785 TSerr(TS_F_TS_RESP_SIGN, ERR_R_MALLOC_FAILURE);
786 goto err;
787 }
788
789 /* Convert tst_info to DER. */
790 if (!i2d_TS_TST_INFO_bio(p7bio, ctx->tst_info))
791 {
792 TSerr(TS_F_TS_RESP_SIGN, TS_R_TS_DATASIGN);
793 goto err;
794 }
795
796 /* Create the signature and add it to the signer info. */
797 if (!PKCS7_dataFinal(p7, p7bio))
798 {
799 TSerr(TS_F_TS_RESP_SIGN, TS_R_TS_DATASIGN);
800 goto err;
801 }
802
803 /* Set new PKCS7 and TST_INFO objects. */
804 TS_RESP_set_tst_info(ctx->response, p7, ctx->tst_info);
805 p7 = NULL; /* Ownership is lost. */
806 ctx->tst_info = NULL; /* Ownership is lost. */
807
808 ret = 1;
809 err:
810 if (!ret)
811 TS_RESP_CTX_set_status_info_cond(ctx, TS_STATUS_REJECTION,
812 "Error during signature "
813 "generation.");
814 BIO_free_all(p7bio);
815 ESS_SIGNING_CERT_free(sc);
816 PKCS7_free(p7);
817 return ret;
818 }
819
820static ESS_SIGNING_CERT *ESS_SIGNING_CERT_new_init(X509 *signcert,
821 STACK_OF(X509) *certs)
822 {
823 ESS_CERT_ID *cid;
824 ESS_SIGNING_CERT *sc = NULL;
825 int i;
826
827 /* Creating the ESS_CERT_ID stack. */
828 if (!(sc = ESS_SIGNING_CERT_new())) goto err;
829 if (!sc->cert_ids && !(sc->cert_ids = sk_ESS_CERT_ID_new_null()))
830 goto err;
831
832 /* Adding the signing certificate id. */
833 if (!(cid = ESS_CERT_ID_new_init(signcert, 0))
834 || !sk_ESS_CERT_ID_push(sc->cert_ids, cid))
835 goto err;
836 /* Adding the certificate chain ids. */
837 for (i = 0; i < sk_X509_num(certs); ++i)
838 {
839 X509 *cert = sk_X509_value(certs, i);
840 if (!(cid = ESS_CERT_ID_new_init(cert, 1))
841 || !sk_ESS_CERT_ID_push(sc->cert_ids, cid))
842 goto err;
843 }
844
845 return sc;
846err:
847 ESS_SIGNING_CERT_free(sc);
848 TSerr(TS_F_ESS_SIGNING_CERT_NEW_INIT, ERR_R_MALLOC_FAILURE);
849 return NULL;
850 }
851
852static ESS_CERT_ID *ESS_CERT_ID_new_init(X509 *cert, int issuer_needed)
853 {
854 ESS_CERT_ID *cid = NULL;
855 GENERAL_NAME *name = NULL;
856
857 /* Recompute SHA1 hash of certificate if necessary (side effect). */
858 X509_check_purpose(cert, -1, 0);
859
860 if (!(cid = ESS_CERT_ID_new())) goto err;
861 if (!ASN1_OCTET_STRING_set(cid->hash, cert->sha1_hash,
862 sizeof(cert->sha1_hash)))
863 goto err;
864
865 /* Setting the issuer/serial if requested. */
866 if (issuer_needed)
867 {
868 /* Creating issuer/serial structure. */
869 if (!cid->issuer_serial
870 && !(cid->issuer_serial = ESS_ISSUER_SERIAL_new()))
871 goto err;
872 /* Creating general name from the certificate issuer. */
873 if (!(name = GENERAL_NAME_new())) goto err;
874 name->type = GEN_DIRNAME;
875 if (!(name->d.dirn = X509_NAME_dup(cert->cert_info->issuer)))
876 goto err;
877 if (!sk_GENERAL_NAME_push(cid->issuer_serial->issuer, name))
878 goto err;
879 name = NULL; /* Ownership is lost. */
880 /* Setting the serial number. */
881 ASN1_INTEGER_free(cid->issuer_serial->serial);
882 if (!(cid->issuer_serial->serial =
883 ASN1_INTEGER_dup(cert->cert_info->serialNumber)))
884 goto err;
885 }
886
887 return cid;
888err:
889 GENERAL_NAME_free(name);
890 ESS_CERT_ID_free(cid);
891 TSerr(TS_F_ESS_CERT_ID_NEW_INIT, ERR_R_MALLOC_FAILURE);
892 return NULL;
893 }
894
895static int TS_TST_INFO_content_new(PKCS7 *p7)
896 {
897 PKCS7 *ret = NULL;
898 ASN1_OCTET_STRING *octet_string = NULL;
899
900 /* Create new encapsulated NID_id_smime_ct_TSTInfo content. */
901 if (!(ret = PKCS7_new())) goto err;
902 if (!(ret->d.other = ASN1_TYPE_new())) goto err;
903 ret->type = OBJ_nid2obj(NID_id_smime_ct_TSTInfo);
904 if (!(octet_string = ASN1_OCTET_STRING_new())) goto err;
905 ASN1_TYPE_set(ret->d.other, V_ASN1_OCTET_STRING, octet_string);
906 octet_string = NULL;
907
908 /* Add encapsulated content to signed PKCS7 structure. */
909 if (!PKCS7_set_content(p7, ret)) goto err;
910
911 return 1;
912 err:
913 ASN1_OCTET_STRING_free(octet_string);
914 PKCS7_free(ret);
915 return 0;
916 }
917
918static int ESS_add_signing_cert(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT *sc)
919 {
920 ASN1_STRING *seq = NULL;
921 unsigned char *p, *pp = NULL;
922 int len;
923
924 len = i2d_ESS_SIGNING_CERT(sc, NULL);
925 if (!(pp = (unsigned char *) OPENSSL_malloc(len)))
926 {
927 TSerr(TS_F_ESS_ADD_SIGNING_CERT, ERR_R_MALLOC_FAILURE);
928 goto err;
929 }
930 p = pp;
931 i2d_ESS_SIGNING_CERT(sc, &p);
932 if (!(seq = ASN1_STRING_new()) || !ASN1_STRING_set(seq, pp, len))
933 {
934 TSerr(TS_F_ESS_ADD_SIGNING_CERT, ERR_R_MALLOC_FAILURE);
935 goto err;
936 }
937 OPENSSL_free(pp); pp = NULL;
938 return PKCS7_add_signed_attribute(si,
939 NID_id_smime_aa_signingCertificate,
940 V_ASN1_SEQUENCE, seq);
941 err:
942 ASN1_STRING_free(seq);
943 OPENSSL_free(pp);
944
945 return 0;
946 }
947
948
949static ASN1_GENERALIZEDTIME *
950TS_RESP_set_genTime_with_precision(ASN1_GENERALIZEDTIME *asn1_time,
951 long sec, long usec, unsigned precision)
952 {
953 time_t time_sec = (time_t) sec;
954 struct tm *tm = NULL;
955 char genTime_str[17 + TS_MAX_CLOCK_PRECISION_DIGITS];
956 char *p = genTime_str;
957 char *p_end = genTime_str + sizeof(genTime_str);
958
959 if (precision > TS_MAX_CLOCK_PRECISION_DIGITS)
960 goto err;
961
962
963 if (!(tm = gmtime(&time_sec)))
964 goto err;
965
966 /*
967 * Put "genTime_str" in GeneralizedTime format. We work around the
968 * restrictions imposed by rfc3280 (i.e. "GeneralizedTime values MUST
969 * NOT include fractional seconds") and OpenSSL related functions to
970 * meet the rfc3161 requirement: "GeneralizedTime syntax can include
971 * fraction-of-second details".
972 */
973 p += BIO_snprintf(p, p_end - p,
974 "%04d%02d%02d%02d%02d%02d",
975 tm->tm_year + 1900, tm->tm_mon + 1, tm->tm_mday,
976 tm->tm_hour, tm->tm_min, tm->tm_sec);
977 if (precision > 0)
978 {
979 /* Add fraction of seconds (leave space for dot and null). */
980 BIO_snprintf(p, 2 + precision, ".%ld", usec);
981 /* We cannot use the snprintf return value,
982 because it might have been truncated. */
983 p += strlen(p);
984
985 /* To make things a bit harder, X.690 | ISO/IEC 8825-1 provides
986 the following restrictions for a DER-encoding, which OpenSSL
987 (specifically ASN1_GENERALIZEDTIME_check() function) doesn't
988 support:
989 "The encoding MUST terminate with a "Z" (which means "Zulu"
990 time). The decimal point element, if present, MUST be the
991 point option ".". The fractional-seconds elements,
992 if present, MUST omit all trailing 0's;
993 if the elements correspond to 0, they MUST be wholly
994 omitted, and the decimal point element also MUST be
995 omitted." */
996 /* Remove trailing zeros. The dot guarantees the exit
997 condition of this loop even if all the digits are zero. */
998 while (*--p == '0')
999 /* empty */;
1000 /* p points to either the dot or the last non-zero digit. */
1001 if (*p != '.') ++p;
1002 }
1003 /* Add the trailing Z and the terminating null. */
1004 *p++ = 'Z';
1005 *p++ = '\0';
1006
1007 /* Now call OpenSSL to check and set our genTime value */
1008 if (!asn1_time && !(asn1_time = M_ASN1_GENERALIZEDTIME_new()))
1009 goto err;
1010 if (!ASN1_GENERALIZEDTIME_set_string(asn1_time, genTime_str))
1011 {
1012 ASN1_GENERALIZEDTIME_free(asn1_time);
1013 goto err;
1014 }
1015
1016 return asn1_time;
1017 err:
1018 TSerr(TS_F_TS_RESP_SET_GENTIME_WITH_PRECISION, TS_R_COULD_NOT_SET_TIME);
1019 return NULL;
1020 }
diff --git a/src/lib/libcrypto/ts/ts_rsp_utils.c b/src/lib/libcrypto/ts/ts_rsp_utils.c
deleted file mode 100644
index 401c1fdc51..0000000000
--- a/src/lib/libcrypto/ts/ts_rsp_utils.c
+++ /dev/null
@@ -1,409 +0,0 @@
1/* crypto/ts/ts_resp_utils.c */
2/* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
3 * project 2002.
4 */
5/* ====================================================================
6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/objects.h>
62#include <openssl/ts.h>
63#include <openssl/pkcs7.h>
64
65/* Function definitions. */
66
67int TS_RESP_set_status_info(TS_RESP *a, TS_STATUS_INFO *status_info)
68 {
69 TS_STATUS_INFO *new_status_info;
70
71 if (a->status_info == status_info)
72 return 1;
73 new_status_info = TS_STATUS_INFO_dup(status_info);
74 if (new_status_info == NULL)
75 {
76 TSerr(TS_F_TS_RESP_SET_STATUS_INFO, ERR_R_MALLOC_FAILURE);
77 return 0;
78 }
79 TS_STATUS_INFO_free(a->status_info);
80 a->status_info = new_status_info;
81
82 return 1;
83 }
84
85TS_STATUS_INFO *TS_RESP_get_status_info(TS_RESP *a)
86 {
87 return a->status_info;
88 }
89
90/* Caller loses ownership of PKCS7 and TS_TST_INFO objects. */
91void TS_RESP_set_tst_info(TS_RESP *a, PKCS7 *p7, TS_TST_INFO *tst_info)
92 {
93 /* Set new PKCS7 and TST_INFO objects. */
94 PKCS7_free(a->token);
95 a->token = p7;
96 TS_TST_INFO_free(a->tst_info);
97 a->tst_info = tst_info;
98 }
99
100PKCS7 *TS_RESP_get_token(TS_RESP *a)
101 {
102 return a->token;
103 }
104
105TS_TST_INFO *TS_RESP_get_tst_info(TS_RESP *a)
106 {
107 return a->tst_info;
108 }
109
110int TS_TST_INFO_set_version(TS_TST_INFO *a, long version)
111 {
112 return ASN1_INTEGER_set(a->version, version);
113 }
114
115long TS_TST_INFO_get_version(const TS_TST_INFO *a)
116 {
117 return ASN1_INTEGER_get(a->version);
118 }
119
120int TS_TST_INFO_set_policy_id(TS_TST_INFO *a, ASN1_OBJECT *policy)
121 {
122 ASN1_OBJECT *new_policy;
123
124 if (a->policy_id == policy)
125 return 1;
126 new_policy = OBJ_dup(policy);
127 if (new_policy == NULL)
128 {
129 TSerr(TS_F_TS_TST_INFO_SET_POLICY_ID, ERR_R_MALLOC_FAILURE);
130 return 0;
131 }
132 ASN1_OBJECT_free(a->policy_id);
133 a->policy_id = new_policy;
134 return 1;
135 }
136
137ASN1_OBJECT *TS_TST_INFO_get_policy_id(TS_TST_INFO *a)
138 {
139 return a->policy_id;
140 }
141
142int TS_TST_INFO_set_msg_imprint(TS_TST_INFO *a, TS_MSG_IMPRINT *msg_imprint)
143 {
144 TS_MSG_IMPRINT *new_msg_imprint;
145
146 if (a->msg_imprint == msg_imprint)
147 return 1;
148 new_msg_imprint = TS_MSG_IMPRINT_dup(msg_imprint);
149 if (new_msg_imprint == NULL)
150 {
151 TSerr(TS_F_TS_TST_INFO_SET_MSG_IMPRINT, ERR_R_MALLOC_FAILURE);
152 return 0;
153 }
154 TS_MSG_IMPRINT_free(a->msg_imprint);
155 a->msg_imprint = new_msg_imprint;
156 return 1;
157 }
158
159TS_MSG_IMPRINT *TS_TST_INFO_get_msg_imprint(TS_TST_INFO *a)
160 {
161 return a->msg_imprint;
162 }
163
164int TS_TST_INFO_set_serial(TS_TST_INFO *a, const ASN1_INTEGER *serial)
165 {
166 ASN1_INTEGER *new_serial;
167
168 if (a->serial == serial)
169 return 1;
170 new_serial = ASN1_INTEGER_dup(serial);
171 if (new_serial == NULL)
172 {
173 TSerr(TS_F_TS_TST_INFO_SET_SERIAL, ERR_R_MALLOC_FAILURE);
174 return 0;
175 }
176 ASN1_INTEGER_free(a->serial);
177 a->serial = new_serial;
178 return 1;
179 }
180
181const ASN1_INTEGER *TS_TST_INFO_get_serial(const TS_TST_INFO *a)
182 {
183 return a->serial;
184 }
185
186int TS_TST_INFO_set_time(TS_TST_INFO *a, const ASN1_GENERALIZEDTIME *gtime)
187 {
188 ASN1_GENERALIZEDTIME *new_time;
189
190 if (a->time == gtime)
191 return 1;
192 new_time = M_ASN1_GENERALIZEDTIME_dup(gtime);
193 if (new_time == NULL)
194 {
195 TSerr(TS_F_TS_TST_INFO_SET_TIME, ERR_R_MALLOC_FAILURE);
196 return 0;
197 }
198 ASN1_GENERALIZEDTIME_free(a->time);
199 a->time = new_time;
200 return 1;
201 }
202
203const ASN1_GENERALIZEDTIME *TS_TST_INFO_get_time(const TS_TST_INFO *a)
204 {
205 return a->time;
206 }
207
208int TS_TST_INFO_set_accuracy(TS_TST_INFO *a, TS_ACCURACY *accuracy)
209 {
210 TS_ACCURACY *new_accuracy;
211
212 if (a->accuracy == accuracy)
213 return 1;
214 new_accuracy = TS_ACCURACY_dup(accuracy);
215 if (new_accuracy == NULL)
216 {
217 TSerr(TS_F_TS_TST_INFO_SET_ACCURACY, ERR_R_MALLOC_FAILURE);
218 return 0;
219 }
220 TS_ACCURACY_free(a->accuracy);
221 a->accuracy = new_accuracy;
222 return 1;
223 }
224
225TS_ACCURACY *TS_TST_INFO_get_accuracy(TS_TST_INFO *a)
226 {
227 return a->accuracy;
228 }
229
230int TS_ACCURACY_set_seconds(TS_ACCURACY *a, const ASN1_INTEGER *seconds)
231 {
232 ASN1_INTEGER *new_seconds;
233
234 if (a->seconds == seconds)
235 return 1;
236 new_seconds = ASN1_INTEGER_dup(seconds);
237 if (new_seconds == NULL)
238 {
239 TSerr(TS_F_TS_ACCURACY_SET_SECONDS, ERR_R_MALLOC_FAILURE);
240 return 0;
241 }
242 ASN1_INTEGER_free(a->seconds);
243 a->seconds = new_seconds;
244 return 1;
245 }
246
247const ASN1_INTEGER *TS_ACCURACY_get_seconds(const TS_ACCURACY *a)
248 {
249 return a->seconds;
250 }
251
252int TS_ACCURACY_set_millis(TS_ACCURACY *a, const ASN1_INTEGER *millis)
253 {
254 ASN1_INTEGER *new_millis = NULL;
255
256 if (a->millis == millis)
257 return 1;
258 if (millis != NULL)
259 {
260 new_millis = ASN1_INTEGER_dup(millis);
261 if (new_millis == NULL)
262 {
263 TSerr(TS_F_TS_ACCURACY_SET_MILLIS,
264 ERR_R_MALLOC_FAILURE);
265 return 0;
266 }
267 }
268 ASN1_INTEGER_free(a->millis);
269 a->millis = new_millis;
270 return 1;
271 }
272
273const ASN1_INTEGER *TS_ACCURACY_get_millis(const TS_ACCURACY *a)
274 {
275 return a->millis;
276 }
277
278int TS_ACCURACY_set_micros(TS_ACCURACY *a, const ASN1_INTEGER *micros)
279 {
280 ASN1_INTEGER *new_micros = NULL;
281
282 if (a->micros == micros)
283 return 1;
284 if (micros != NULL)
285 {
286 new_micros = ASN1_INTEGER_dup(micros);
287 if (new_micros == NULL)
288 {
289 TSerr(TS_F_TS_ACCURACY_SET_MICROS,
290 ERR_R_MALLOC_FAILURE);
291 return 0;
292 }
293 }
294 ASN1_INTEGER_free(a->micros);
295 a->micros = new_micros;
296 return 1;
297 }
298
299const ASN1_INTEGER *TS_ACCURACY_get_micros(const TS_ACCURACY *a)
300 {
301 return a->micros;
302 }
303
304int TS_TST_INFO_set_ordering(TS_TST_INFO *a, int ordering)
305 {
306 a->ordering = ordering ? 0xFF : 0x00;
307 return 1;
308 }
309
310int TS_TST_INFO_get_ordering(const TS_TST_INFO *a)
311 {
312 return a->ordering ? 1 : 0;
313 }
314
315int TS_TST_INFO_set_nonce(TS_TST_INFO *a, const ASN1_INTEGER *nonce)
316 {
317 ASN1_INTEGER *new_nonce;
318
319 if (a->nonce == nonce)
320 return 1;
321 new_nonce = ASN1_INTEGER_dup(nonce);
322 if (new_nonce == NULL)
323 {
324 TSerr(TS_F_TS_TST_INFO_SET_NONCE, ERR_R_MALLOC_FAILURE);
325 return 0;
326 }
327 ASN1_INTEGER_free(a->nonce);
328 a->nonce = new_nonce;
329 return 1;
330 }
331
332const ASN1_INTEGER *TS_TST_INFO_get_nonce(const TS_TST_INFO *a)
333 {
334 return a->nonce;
335 }
336
337int TS_TST_INFO_set_tsa(TS_TST_INFO *a, GENERAL_NAME *tsa)
338 {
339 GENERAL_NAME *new_tsa;
340
341 if (a->tsa == tsa)
342 return 1;
343 new_tsa = GENERAL_NAME_dup(tsa);
344 if (new_tsa == NULL)
345 {
346 TSerr(TS_F_TS_TST_INFO_SET_TSA, ERR_R_MALLOC_FAILURE);
347 return 0;
348 }
349 GENERAL_NAME_free(a->tsa);
350 a->tsa = new_tsa;
351 return 1;
352 }
353
354GENERAL_NAME *TS_TST_INFO_get_tsa(TS_TST_INFO *a)
355 {
356 return a->tsa;
357 }
358
359STACK_OF(X509_EXTENSION) *TS_TST_INFO_get_exts(TS_TST_INFO *a)
360 {
361 return a->extensions;
362 }
363
364void TS_TST_INFO_ext_free(TS_TST_INFO *a)
365 {
366 if (!a) return;
367 sk_X509_EXTENSION_pop_free(a->extensions, X509_EXTENSION_free);
368 a->extensions = NULL;
369 }
370
371int TS_TST_INFO_get_ext_count(TS_TST_INFO *a)
372 {
373 return X509v3_get_ext_count(a->extensions);
374 }
375
376int TS_TST_INFO_get_ext_by_NID(TS_TST_INFO *a, int nid, int lastpos)
377 {
378 return X509v3_get_ext_by_NID(a->extensions, nid, lastpos);
379 }
380
381int TS_TST_INFO_get_ext_by_OBJ(TS_TST_INFO *a, ASN1_OBJECT *obj, int lastpos)
382 {
383 return X509v3_get_ext_by_OBJ(a->extensions, obj, lastpos);
384 }
385
386int TS_TST_INFO_get_ext_by_critical(TS_TST_INFO *a, int crit, int lastpos)
387 {
388 return X509v3_get_ext_by_critical(a->extensions, crit, lastpos);
389 }
390
391X509_EXTENSION *TS_TST_INFO_get_ext(TS_TST_INFO *a, int loc)
392 {
393 return X509v3_get_ext(a->extensions,loc);
394 }
395
396X509_EXTENSION *TS_TST_INFO_delete_ext(TS_TST_INFO *a, int loc)
397 {
398 return X509v3_delete_ext(a->extensions,loc);
399 }
400
401int TS_TST_INFO_add_ext(TS_TST_INFO *a, X509_EXTENSION *ex, int loc)
402 {
403 return X509v3_add_ext(&a->extensions,ex,loc) != NULL;
404 }
405
406void *TS_TST_INFO_get_ext_d2i(TS_TST_INFO *a, int nid, int *crit, int *idx)
407 {
408 return X509V3_get_d2i(a->extensions, nid, crit, idx);
409 }
diff --git a/src/lib/libcrypto/ts/ts_rsp_verify.c b/src/lib/libcrypto/ts/ts_rsp_verify.c
deleted file mode 100644
index a003207428..0000000000
--- a/src/lib/libcrypto/ts/ts_rsp_verify.c
+++ /dev/null
@@ -1,730 +0,0 @@
1/* crypto/ts/ts_resp_verify.c */
2/* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
3 * project 2002.
4 */
5/* ====================================================================
6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include "cryptlib.h"
61#include <openssl/objects.h>
62#include <openssl/ts.h>
63#include <openssl/pkcs7.h>
64
65/* Private function declarations. */
66
67static int TS_verify_cert(X509_STORE *store, STACK_OF(X509) *untrusted,
68 X509 *signer, STACK_OF(X509) **chain);
69static int TS_check_signing_certs(PKCS7_SIGNER_INFO *si, STACK_OF(X509) *chain);
70static ESS_SIGNING_CERT *ESS_get_signing_cert(PKCS7_SIGNER_INFO *si);
71static int TS_find_cert(STACK_OF(ESS_CERT_ID) *cert_ids, X509 *cert);
72static int TS_issuer_serial_cmp(ESS_ISSUER_SERIAL *is, X509_CINF *cinfo);
73static int int_TS_RESP_verify_token(TS_VERIFY_CTX *ctx,
74 PKCS7 *token, TS_TST_INFO *tst_info);
75static int TS_check_status_info(TS_RESP *response);
76static char *TS_get_status_text(STACK_OF(ASN1_UTF8STRING) *text);
77static int TS_check_policy(ASN1_OBJECT *req_oid, TS_TST_INFO *tst_info);
78static int TS_compute_imprint(BIO *data, TS_TST_INFO *tst_info,
79 X509_ALGOR **md_alg,
80 unsigned char **imprint, unsigned *imprint_len);
81static int TS_check_imprints(X509_ALGOR *algor_a,
82 unsigned char *imprint_a, unsigned len_a,
83 TS_TST_INFO *tst_info);
84static int TS_check_nonces(const ASN1_INTEGER *a, TS_TST_INFO *tst_info);
85static int TS_check_signer_name(GENERAL_NAME *tsa_name, X509 *signer);
86static int TS_find_name(STACK_OF(GENERAL_NAME) *gen_names, GENERAL_NAME *name);
87
88/*
89 * Local mapping between response codes and descriptions.
90 * Don't forget to change TS_STATUS_BUF_SIZE when modifying
91 * the elements of this array.
92 */
93static const char *TS_status_text[] =
94 { "granted",
95 "grantedWithMods",
96 "rejection",
97 "waiting",
98 "revocationWarning",
99 "revocationNotification" };
100
101#define TS_STATUS_TEXT_SIZE (sizeof(TS_status_text)/sizeof(*TS_status_text))
102
103/*
104 * This must be greater or equal to the sum of the strings in TS_status_text
105 * plus the number of its elements.
106 */
107#define TS_STATUS_BUF_SIZE 256
108
109static struct
110 {
111 int code;
112 const char *text;
113 } TS_failure_info[] =
114 { { TS_INFO_BAD_ALG, "badAlg" },
115 { TS_INFO_BAD_REQUEST, "badRequest" },
116 { TS_INFO_BAD_DATA_FORMAT, "badDataFormat" },
117 { TS_INFO_TIME_NOT_AVAILABLE, "timeNotAvailable" },
118 { TS_INFO_UNACCEPTED_POLICY, "unacceptedPolicy" },
119 { TS_INFO_UNACCEPTED_EXTENSION, "unacceptedExtension" },
120 { TS_INFO_ADD_INFO_NOT_AVAILABLE, "addInfoNotAvailable" },
121 { TS_INFO_SYSTEM_FAILURE, "systemFailure" } };
122
123#define TS_FAILURE_INFO_SIZE (sizeof(TS_failure_info) / \
124 sizeof(*TS_failure_info))
125
126/* Functions for verifying a signed TS_TST_INFO structure. */
127
128/*
129 * This function carries out the following tasks:
130 * - Checks if there is one and only one signer.
131 * - Search for the signing certificate in 'certs' and in the response.
132 * - Check the extended key usage and key usage fields of the signer
133 * certificate (done by the path validation).
134 * - Build and validate the certificate path.
135 * - Check if the certificate path meets the requirements of the
136 * SigningCertificate ESS signed attribute.
137 * - Verify the signature value.
138 * - Returns the signer certificate in 'signer', if 'signer' is not NULL.
139 */
140int TS_RESP_verify_signature(PKCS7 *token, STACK_OF(X509) *certs,
141 X509_STORE *store, X509 **signer_out)
142 {
143 STACK_OF(PKCS7_SIGNER_INFO) *sinfos = NULL;
144 PKCS7_SIGNER_INFO *si;
145 STACK_OF(X509) *signers = NULL;
146 X509 *signer;
147 STACK_OF(X509) *chain = NULL;
148 char buf[4096];
149 int i, j = 0, ret = 0;
150 BIO *p7bio = NULL;
151
152 /* Some sanity checks first. */
153 if (!token)
154 {
155 TSerr(TS_F_TS_RESP_VERIFY_SIGNATURE, TS_R_INVALID_NULL_POINTER);
156 goto err;
157 }
158
159 /* Check for the correct content type */
160 if(!PKCS7_type_is_signed(token))
161 {
162 TSerr(TS_F_TS_RESP_VERIFY_SIGNATURE, TS_R_WRONG_CONTENT_TYPE);
163 goto err;
164 }
165
166 /* Check if there is one and only one signer. */
167 sinfos = PKCS7_get_signer_info(token);
168 if (!sinfos || sk_PKCS7_SIGNER_INFO_num(sinfos) != 1)
169 {
170 TSerr(TS_F_TS_RESP_VERIFY_SIGNATURE,
171 TS_R_THERE_MUST_BE_ONE_SIGNER);
172 goto err;
173 }
174 si = sk_PKCS7_SIGNER_INFO_value(sinfos, 0);
175
176 /* Check for no content: no data to verify signature. */
177 if (PKCS7_get_detached(token))
178 {
179 TSerr(TS_F_TS_RESP_VERIFY_SIGNATURE, TS_R_NO_CONTENT);
180 goto err;
181 }
182
183 /* Get hold of the signer certificate, search only internal
184 certificates if it was requested. */
185 signers = PKCS7_get0_signers(token, certs, 0);
186 if (!signers || sk_X509_num(signers) != 1) goto err;
187 signer = sk_X509_value(signers, 0);
188
189 /* Now verify the certificate. */
190 if (!TS_verify_cert(store, certs, signer, &chain)) goto err;
191
192 /* Check if the signer certificate is consistent with the
193 ESS extension. */
194 if (!TS_check_signing_certs(si, chain)) goto err;
195
196 /* Creating the message digest. */
197 p7bio = PKCS7_dataInit(token, NULL);
198
199 /* We now have to 'read' from p7bio to calculate digests etc. */
200 while ((i = BIO_read(p7bio,buf,sizeof(buf))) > 0);
201
202 /* Verifying the signature. */
203 j = PKCS7_signatureVerify(p7bio, token, si, signer);
204 if (j <= 0)
205 {
206 TSerr(TS_F_TS_RESP_VERIFY_SIGNATURE, TS_R_SIGNATURE_FAILURE);
207 goto err;
208 }
209
210 /* Return the signer certificate if needed. */
211 if (signer_out)
212 {
213 *signer_out = signer;
214 CRYPTO_add(&signer->references, 1, CRYPTO_LOCK_X509);
215 }
216
217 ret = 1;
218
219 err:
220 BIO_free_all(p7bio);
221 sk_X509_pop_free(chain, X509_free);
222 sk_X509_free(signers);
223
224 return ret;
225 }
226
227/*
228 * The certificate chain is returned in chain. Caller is responsible for
229 * freeing the vector.
230 */
231static int TS_verify_cert(X509_STORE *store, STACK_OF(X509) *untrusted,
232 X509 *signer, STACK_OF(X509) **chain)
233 {
234 X509_STORE_CTX cert_ctx;
235 int i;
236 int ret = 1;
237
238 /* chain is an out argument. */
239 *chain = NULL;
240 X509_STORE_CTX_init(&cert_ctx, store, signer, untrusted);
241 X509_STORE_CTX_set_purpose(&cert_ctx, X509_PURPOSE_TIMESTAMP_SIGN);
242 i = X509_verify_cert(&cert_ctx);
243 if (i <= 0)
244 {
245 int j = X509_STORE_CTX_get_error(&cert_ctx);
246 TSerr(TS_F_TS_VERIFY_CERT, TS_R_CERTIFICATE_VERIFY_ERROR);
247 ERR_add_error_data(2, "Verify error:",
248 X509_verify_cert_error_string(j));
249 ret = 0;
250 }
251 else
252 {
253 /* Get a copy of the certificate chain. */
254 *chain = X509_STORE_CTX_get1_chain(&cert_ctx);
255 }
256
257 X509_STORE_CTX_cleanup(&cert_ctx);
258
259 return ret;
260 }
261
262static int TS_check_signing_certs(PKCS7_SIGNER_INFO *si, STACK_OF(X509) *chain)
263 {
264 ESS_SIGNING_CERT *ss = ESS_get_signing_cert(si);
265 STACK_OF(ESS_CERT_ID) *cert_ids = NULL;
266 X509 *cert;
267 int i = 0;
268 int ret = 0;
269
270 if (!ss) goto err;
271 cert_ids = ss->cert_ids;
272 /* The signer certificate must be the first in cert_ids. */
273 cert = sk_X509_value(chain, 0);
274 if (TS_find_cert(cert_ids, cert) != 0) goto err;
275
276 /* Check the other certificates of the chain if there are more
277 than one certificate ids in cert_ids. */
278 if (sk_ESS_CERT_ID_num(cert_ids) > 1)
279 {
280 /* All the certificates of the chain must be in cert_ids. */
281 for (i = 1; i < sk_X509_num(chain); ++i)
282 {
283 cert = sk_X509_value(chain, i);
284 if (TS_find_cert(cert_ids, cert) < 0) goto err;
285 }
286 }
287 ret = 1;
288 err:
289 if (!ret)
290 TSerr(TS_F_TS_CHECK_SIGNING_CERTS,
291 TS_R_ESS_SIGNING_CERTIFICATE_ERROR);
292 ESS_SIGNING_CERT_free(ss);
293 return ret;
294 }
295
296static ESS_SIGNING_CERT *ESS_get_signing_cert(PKCS7_SIGNER_INFO *si)
297 {
298 ASN1_TYPE *attr;
299 const unsigned char *p;
300 attr = PKCS7_get_signed_attribute(si,
301 NID_id_smime_aa_signingCertificate);
302 if (!attr) return NULL;
303 p = attr->value.sequence->data;
304 return d2i_ESS_SIGNING_CERT(NULL, &p, attr->value.sequence->length);
305 }
306
307/* Returns < 0 if certificate is not found, certificate index otherwise. */
308static int TS_find_cert(STACK_OF(ESS_CERT_ID) *cert_ids, X509 *cert)
309 {
310 int i;
311
312 if (!cert_ids || !cert) return -1;
313
314 /* Recompute SHA1 hash of certificate if necessary (side effect). */
315 X509_check_purpose(cert, -1, 0);
316
317 /* Look for cert in the cert_ids vector. */
318 for (i = 0; i < sk_ESS_CERT_ID_num(cert_ids); ++i)
319 {
320 ESS_CERT_ID *cid = sk_ESS_CERT_ID_value(cert_ids, i);
321
322 /* Check the SHA-1 hash first. */
323 if (cid->hash->length == sizeof(cert->sha1_hash)
324 && !memcmp(cid->hash->data, cert->sha1_hash,
325 sizeof(cert->sha1_hash)))
326 {
327 /* Check the issuer/serial as well if specified. */
328 ESS_ISSUER_SERIAL *is = cid->issuer_serial;
329 if (!is || !TS_issuer_serial_cmp(is, cert->cert_info))
330 return i;
331 }
332 }
333
334 return -1;
335 }
336
337static int TS_issuer_serial_cmp(ESS_ISSUER_SERIAL *is, X509_CINF *cinfo)
338 {
339 GENERAL_NAME *issuer;
340
341 if (!is || !cinfo || sk_GENERAL_NAME_num(is->issuer) != 1) return -1;
342
343 /* Check the issuer first. It must be a directory name. */
344 issuer = sk_GENERAL_NAME_value(is->issuer, 0);
345 if (issuer->type != GEN_DIRNAME
346 || X509_NAME_cmp(issuer->d.dirn, cinfo->issuer))
347 return -1;
348
349 /* Check the serial number, too. */
350 if (ASN1_INTEGER_cmp(is->serial, cinfo->serialNumber))
351 return -1;
352
353 return 0;
354 }
355
356/*
357 * Verifies whether 'response' contains a valid response with regards
358 * to the settings of the context:
359 * - Gives an error message if the TS_TST_INFO is not present.
360 * - Calls _TS_RESP_verify_token to verify the token content.
361 */
362int TS_RESP_verify_response(TS_VERIFY_CTX *ctx, TS_RESP *response)
363 {
364 PKCS7 *token = TS_RESP_get_token(response);
365 TS_TST_INFO *tst_info = TS_RESP_get_tst_info(response);
366 int ret = 0;
367
368 /* Check if we have a successful TS_TST_INFO object in place. */
369 if (!TS_check_status_info(response)) goto err;
370
371 /* Check the contents of the time stamp token. */
372 if (!int_TS_RESP_verify_token(ctx, token, tst_info))
373 goto err;
374
375 ret = 1;
376 err:
377 return ret;
378 }
379
380/*
381 * Tries to extract a TS_TST_INFO structure from the PKCS7 token and
382 * calls the internal int_TS_RESP_verify_token function for verifying it.
383 */
384int TS_RESP_verify_token(TS_VERIFY_CTX *ctx, PKCS7 *token)
385 {
386 TS_TST_INFO *tst_info = PKCS7_to_TS_TST_INFO(token);
387 int ret = 0;
388 if (tst_info)
389 {
390 ret = int_TS_RESP_verify_token(ctx, token, tst_info);
391 TS_TST_INFO_free(tst_info);
392 }
393 return ret;
394 }
395
396/*
397 * Verifies whether the 'token' contains a valid time stamp token
398 * with regards to the settings of the context. Only those checks are
399 * carried out that are specified in the context:
400 * - Verifies the signature of the TS_TST_INFO.
401 * - Checks the version number of the response.
402 * - Check if the requested and returned policies math.
403 * - Check if the message imprints are the same.
404 * - Check if the nonces are the same.
405 * - Check if the TSA name matches the signer.
406 * - Check if the TSA name is the expected TSA.
407 */
408static int int_TS_RESP_verify_token(TS_VERIFY_CTX *ctx,
409 PKCS7 *token, TS_TST_INFO *tst_info)
410 {
411 X509 *signer = NULL;
412 GENERAL_NAME *tsa_name = TS_TST_INFO_get_tsa(tst_info);
413 X509_ALGOR *md_alg = NULL;
414 unsigned char *imprint = NULL;
415 unsigned imprint_len = 0;
416 int ret = 0;
417
418 /* Verify the signature. */
419 if ((ctx->flags & TS_VFY_SIGNATURE)
420 && !TS_RESP_verify_signature(token, ctx->certs, ctx->store,
421 &signer))
422 goto err;
423
424 /* Check version number of response. */
425 if ((ctx->flags & TS_VFY_VERSION)
426 && TS_TST_INFO_get_version(tst_info) != 1)
427 {
428 TSerr(TS_F_INT_TS_RESP_VERIFY_TOKEN, TS_R_UNSUPPORTED_VERSION);
429 goto err;
430 }
431
432 /* Check policies. */
433 if ((ctx->flags & TS_VFY_POLICY)
434 && !TS_check_policy(ctx->policy, tst_info))
435 goto err;
436
437 /* Check message imprints. */
438 if ((ctx->flags & TS_VFY_IMPRINT)
439 && !TS_check_imprints(ctx->md_alg, ctx->imprint, ctx->imprint_len,
440 tst_info))
441 goto err;
442
443 /* Compute and check message imprints. */
444 if ((ctx->flags & TS_VFY_DATA)
445 && (!TS_compute_imprint(ctx->data, tst_info,
446 &md_alg, &imprint, &imprint_len)
447 || !TS_check_imprints(md_alg, imprint, imprint_len, tst_info)))
448 goto err;
449
450 /* Check nonces. */
451 if ((ctx->flags & TS_VFY_NONCE)
452 && !TS_check_nonces(ctx->nonce, tst_info))
453 goto err;
454
455 /* Check whether TSA name and signer certificate match. */
456 if ((ctx->flags & TS_VFY_SIGNER)
457 && tsa_name && !TS_check_signer_name(tsa_name, signer))
458 {
459 TSerr(TS_F_INT_TS_RESP_VERIFY_TOKEN, TS_R_TSA_NAME_MISMATCH);
460 goto err;
461 }
462
463 /* Check whether the TSA is the expected one. */
464 if ((ctx->flags & TS_VFY_TSA_NAME)
465 && !TS_check_signer_name(ctx->tsa_name, signer))
466 {
467 TSerr(TS_F_INT_TS_RESP_VERIFY_TOKEN, TS_R_TSA_UNTRUSTED);
468 goto err;
469 }
470
471 ret = 1;
472 err:
473 X509_free(signer);
474 X509_ALGOR_free(md_alg);
475 OPENSSL_free(imprint);
476 return ret;
477 }
478
479static int TS_check_status_info(TS_RESP *response)
480 {
481 TS_STATUS_INFO *info = TS_RESP_get_status_info(response);
482 long status = ASN1_INTEGER_get(info->status);
483 const char *status_text = NULL;
484 char *embedded_status_text = NULL;
485 char failure_text[TS_STATUS_BUF_SIZE] = "";
486
487 /* Check if everything went fine. */
488 if (status == 0 || status == 1) return 1;
489
490 /* There was an error, get the description in status_text. */
491 if (0 <= status && status < (long)TS_STATUS_TEXT_SIZE)
492 status_text = TS_status_text[status];
493 else
494 status_text = "unknown code";
495
496 /* Set the embedded_status_text to the returned description. */
497 if (sk_ASN1_UTF8STRING_num(info->text) > 0
498 && !(embedded_status_text = TS_get_status_text(info->text)))
499 return 0;
500
501 /* Filling in failure_text with the failure information. */
502 if (info->failure_info)
503 {
504 int i;
505 int first = 1;
506 for (i = 0; i < (int)TS_FAILURE_INFO_SIZE; ++i)
507 {
508 if (ASN1_BIT_STRING_get_bit(info->failure_info,
509 TS_failure_info[i].code))
510 {
511 if (!first)
512 strlcat(failure_text, ",",
513 TS_STATUS_BUF_SIZE);
514 else
515 first = 0;
516 strlcat(failure_text, TS_failure_info[i].text,
517 TS_STATUS_BUF_SIZE);
518 }
519 }
520 }
521 if (failure_text[0] == '\0')
522 strlcpy(failure_text, "unspecified", TS_STATUS_BUF_SIZE);
523
524 /* Making up the error string. */
525 TSerr(TS_F_TS_CHECK_STATUS_INFO, TS_R_NO_TIME_STAMP_TOKEN);
526 ERR_add_error_data(6,
527 "status code: ", status_text,
528 ", status text: ", embedded_status_text ?
529 embedded_status_text : "unspecified",
530 ", failure codes: ", failure_text);
531 OPENSSL_free(embedded_status_text);
532
533 return 0;
534 }
535
536static char *TS_get_status_text(STACK_OF(ASN1_UTF8STRING) *text)
537 {
538 int i;
539 unsigned int length = 0;
540 char *result = NULL;
541 char *p;
542
543 /* Determine length first. */
544 for (i = 0; i < sk_ASN1_UTF8STRING_num(text); ++i)
545 {
546 ASN1_UTF8STRING *current = sk_ASN1_UTF8STRING_value(text, i);
547 length += ASN1_STRING_length(current);
548 length += 1; /* separator character */
549 }
550 /* Allocate memory (closing '\0' included). */
551 if (!(result = OPENSSL_malloc(length)))
552 {
553 TSerr(TS_F_TS_GET_STATUS_TEXT, ERR_R_MALLOC_FAILURE);
554 return NULL;
555 }
556 /* Concatenate the descriptions. */
557 for (i = 0, p = result; i < sk_ASN1_UTF8STRING_num(text); ++i)
558 {
559 ASN1_UTF8STRING *current = sk_ASN1_UTF8STRING_value(text, i);
560 length = ASN1_STRING_length(current);
561 if (i > 0) *p++ = '/';
562 strncpy(p, (const char *)ASN1_STRING_data(current), length);
563 p += length;
564 }
565 /* We do have space for this, too. */
566 *p = '\0';
567
568 return result;
569 }
570
571static int TS_check_policy(ASN1_OBJECT *req_oid, TS_TST_INFO *tst_info)
572 {
573 ASN1_OBJECT *resp_oid = TS_TST_INFO_get_policy_id(tst_info);
574
575 if (OBJ_cmp(req_oid, resp_oid) != 0)
576 {
577 TSerr(TS_F_TS_CHECK_POLICY, TS_R_POLICY_MISMATCH);
578 return 0;
579 }
580
581 return 1;
582 }
583
584static int TS_compute_imprint(BIO *data, TS_TST_INFO *tst_info,
585 X509_ALGOR **md_alg,
586 unsigned char **imprint, unsigned *imprint_len)
587 {
588 TS_MSG_IMPRINT *msg_imprint = TS_TST_INFO_get_msg_imprint(tst_info);
589 X509_ALGOR *md_alg_resp = TS_MSG_IMPRINT_get_algo(msg_imprint);
590 const EVP_MD *md;
591 EVP_MD_CTX md_ctx;
592 unsigned char buffer[4096];
593 int length;
594
595 *md_alg = NULL;
596 *imprint = NULL;
597
598 /* Return the MD algorithm of the response. */
599 if (!(*md_alg = X509_ALGOR_dup(md_alg_resp))) goto err;
600
601 /* Getting the MD object. */
602 if (!(md = EVP_get_digestbyobj((*md_alg)->algorithm)))
603 {
604 TSerr(TS_F_TS_COMPUTE_IMPRINT, TS_R_UNSUPPORTED_MD_ALGORITHM);
605 goto err;
606 }
607
608 /* Compute message digest. */
609 length = EVP_MD_size(md);
610 if (length < 0)
611 goto err;
612 *imprint_len = length;
613 if (!(*imprint = OPENSSL_malloc(*imprint_len)))
614 {
615 TSerr(TS_F_TS_COMPUTE_IMPRINT, ERR_R_MALLOC_FAILURE);
616 goto err;
617 }
618
619 if (!EVP_DigestInit(&md_ctx, md))
620 goto err;
621 while ((length = BIO_read(data, buffer, sizeof(buffer))) > 0)
622 {
623 if (!EVP_DigestUpdate(&md_ctx, buffer, length))
624 goto err;
625 }
626 if (!EVP_DigestFinal(&md_ctx, *imprint, NULL))
627 goto err;
628
629 return 1;
630 err:
631 X509_ALGOR_free(*md_alg);
632 OPENSSL_free(*imprint);
633 *imprint_len = 0;
634 return 0;
635 }
636
637static int TS_check_imprints(X509_ALGOR *algor_a,
638 unsigned char *imprint_a, unsigned len_a,
639 TS_TST_INFO *tst_info)
640 {
641 TS_MSG_IMPRINT *b = TS_TST_INFO_get_msg_imprint(tst_info);
642 X509_ALGOR *algor_b = TS_MSG_IMPRINT_get_algo(b);
643 int ret = 0;
644
645 /* algor_a is optional. */
646 if (algor_a)
647 {
648 /* Compare algorithm OIDs. */
649 if (OBJ_cmp(algor_a->algorithm, algor_b->algorithm)) goto err;
650
651 /* The parameter must be NULL in both. */
652 if ((algor_a->parameter
653 && ASN1_TYPE_get(algor_a->parameter) != V_ASN1_NULL)
654 || (algor_b->parameter
655 && ASN1_TYPE_get(algor_b->parameter) != V_ASN1_NULL))
656 goto err;
657 }
658
659 /* Compare octet strings. */
660 ret = len_a == (unsigned) ASN1_STRING_length(b->hashed_msg) &&
661 memcmp(imprint_a, ASN1_STRING_data(b->hashed_msg), len_a) == 0;
662 err:
663 if (!ret)
664 TSerr(TS_F_TS_CHECK_IMPRINTS, TS_R_MESSAGE_IMPRINT_MISMATCH);
665 return ret;
666 }
667
668static int TS_check_nonces(const ASN1_INTEGER *a, TS_TST_INFO *tst_info)
669 {
670 const ASN1_INTEGER *b = TS_TST_INFO_get_nonce(tst_info);
671
672 /* Error if nonce is missing. */
673 if (!b)
674 {
675 TSerr(TS_F_TS_CHECK_NONCES, TS_R_NONCE_NOT_RETURNED);
676 return 0;
677 }
678
679 /* No error if a nonce is returned without being requested. */
680 if (ASN1_INTEGER_cmp(a, b) != 0)
681 {
682 TSerr(TS_F_TS_CHECK_NONCES, TS_R_NONCE_MISMATCH);
683 return 0;
684 }
685
686 return 1;
687 }
688
689/* Check if the specified TSA name matches either the subject
690 or one of the subject alternative names of the TSA certificate. */
691static int TS_check_signer_name(GENERAL_NAME *tsa_name, X509 *signer)
692 {
693 STACK_OF(GENERAL_NAME) *gen_names = NULL;
694 int idx = -1;
695 int found = 0;
696
697 /* Check the subject name first. */
698 if (tsa_name->type == GEN_DIRNAME
699 && X509_name_cmp(tsa_name->d.dirn, signer->cert_info->subject) == 0)
700 return 1;
701
702 /* Check all the alternative names. */
703 gen_names = X509_get_ext_d2i(signer, NID_subject_alt_name,
704 NULL, &idx);
705 while (gen_names != NULL
706 && !(found = TS_find_name(gen_names, tsa_name) >= 0))
707 {
708 /* Get the next subject alternative name,
709 although there should be no more than one. */
710 GENERAL_NAMES_free(gen_names);
711 gen_names = X509_get_ext_d2i(signer, NID_subject_alt_name,
712 NULL, &idx);
713 }
714 if (gen_names) GENERAL_NAMES_free(gen_names);
715
716 return found;
717 }
718
719/* Returns 1 if name is in gen_names, 0 otherwise. */
720static int TS_find_name(STACK_OF(GENERAL_NAME) *gen_names, GENERAL_NAME *name)
721 {
722 int i, found;
723 for (i = 0, found = 0; !found && i < sk_GENERAL_NAME_num(gen_names);
724 ++i)
725 {
726 GENERAL_NAME *current = sk_GENERAL_NAME_value(gen_names, i);
727 found = GENERAL_NAME_cmp(current, name) == 0;
728 }
729 return found ? i - 1 : -1;
730 }
diff --git a/src/lib/libcrypto/ts/ts_verify_ctx.c b/src/lib/libcrypto/ts/ts_verify_ctx.c
deleted file mode 100644
index 609b7735d4..0000000000
--- a/src/lib/libcrypto/ts/ts_verify_ctx.c
+++ /dev/null
@@ -1,159 +0,0 @@
1/* crypto/ts/ts_verify_ctx.c */
2/* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
3 * project 2003.
4 */
5/* ====================================================================
6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include "cryptlib.h"
60#include <openssl/objects.h>
61#include <openssl/ts.h>
62
63TS_VERIFY_CTX *TS_VERIFY_CTX_new(void)
64 {
65 TS_VERIFY_CTX *ctx =
66 (TS_VERIFY_CTX *) OPENSSL_malloc(sizeof(TS_VERIFY_CTX));
67 if (ctx)
68 memset(ctx, 0, sizeof(TS_VERIFY_CTX));
69 else
70 TSerr(TS_F_TS_VERIFY_CTX_NEW, ERR_R_MALLOC_FAILURE);
71 return ctx;
72 }
73
74void TS_VERIFY_CTX_init(TS_VERIFY_CTX *ctx)
75 {
76 OPENSSL_assert(ctx != NULL);
77 memset(ctx, 0, sizeof(TS_VERIFY_CTX));
78 }
79
80void TS_VERIFY_CTX_free(TS_VERIFY_CTX *ctx)
81 {
82 if (!ctx) return;
83
84 TS_VERIFY_CTX_cleanup(ctx);
85 OPENSSL_free(ctx);
86 }
87
88void TS_VERIFY_CTX_cleanup(TS_VERIFY_CTX *ctx)
89 {
90 if (!ctx) return;
91
92 X509_STORE_free(ctx->store);
93 sk_X509_pop_free(ctx->certs, X509_free);
94
95 ASN1_OBJECT_free(ctx->policy);
96
97 X509_ALGOR_free(ctx->md_alg);
98 OPENSSL_free(ctx->imprint);
99
100 BIO_free_all(ctx->data);
101
102 ASN1_INTEGER_free(ctx->nonce);
103
104 GENERAL_NAME_free(ctx->tsa_name);
105
106 TS_VERIFY_CTX_init(ctx);
107 }
108
109TS_VERIFY_CTX *TS_REQ_to_TS_VERIFY_CTX(TS_REQ *req, TS_VERIFY_CTX *ctx)
110 {
111 TS_VERIFY_CTX *ret = ctx;
112 ASN1_OBJECT *policy;
113 TS_MSG_IMPRINT *imprint;
114 X509_ALGOR *md_alg;
115 ASN1_OCTET_STRING *msg;
116 const ASN1_INTEGER *nonce;
117
118 OPENSSL_assert(req != NULL);
119 if (ret)
120 TS_VERIFY_CTX_cleanup(ret);
121 else
122 if (!(ret = TS_VERIFY_CTX_new())) return NULL;
123
124 /* Setting flags. */
125 ret->flags = TS_VFY_ALL_IMPRINT & ~(TS_VFY_TSA_NAME | TS_VFY_SIGNATURE);
126
127 /* Setting policy. */
128 if ((policy = TS_REQ_get_policy_id(req)) != NULL)
129 {
130 if (!(ret->policy = OBJ_dup(policy))) goto err;
131 }
132 else
133 ret->flags &= ~TS_VFY_POLICY;
134
135 /* Setting md_alg, imprint and imprint_len. */
136 imprint = TS_REQ_get_msg_imprint(req);
137 md_alg = TS_MSG_IMPRINT_get_algo(imprint);
138 if (!(ret->md_alg = X509_ALGOR_dup(md_alg))) goto err;
139 msg = TS_MSG_IMPRINT_get_msg(imprint);
140 ret->imprint_len = ASN1_STRING_length(msg);
141 if (!(ret->imprint = OPENSSL_malloc(ret->imprint_len))) goto err;
142 memcpy(ret->imprint, ASN1_STRING_data(msg), ret->imprint_len);
143
144 /* Setting nonce. */
145 if ((nonce = TS_REQ_get_nonce(req)) != NULL)
146 {
147 if (!(ret->nonce = ASN1_INTEGER_dup(nonce))) goto err;
148 }
149 else
150 ret->flags &= ~TS_VFY_NONCE;
151
152 return ret;
153 err:
154 if (ctx)
155 TS_VERIFY_CTX_cleanup(ctx);
156 else
157 TS_VERIFY_CTX_free(ret);
158 return NULL;
159 }
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-19 20:14:01 +0000