summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/ts
diff options
context:
space:
mode:
authorcvs2svn <admin@example.com>2025-04-14 17:32:06 +0000
committercvs2svn <admin@example.com>2025-04-14 17:32:06 +0000
commiteb8dd9dca1228af0cd132f515509051ecfabf6f6 (patch)
treeedb6da6af7e865d488dc1a29309f1e1ec226e603 /src/lib/libcrypto/ts
parent247f0352e0ed72a4f476db9dc91f4d982bc83eb2 (diff)
downloadopenbsd-tb_20250414.tar.gz
openbsd-tb_20250414.tar.bz2
openbsd-tb_20250414.zip
This commit was manufactured by cvs2git to create tag 'tb_20250414'.tb_20250414
Diffstat (limited to 'src/lib/libcrypto/ts')
-rw-r--r--src/lib/libcrypto/ts/ts.h660
-rw-r--r--src/lib/libcrypto/ts/ts_asn1.c1077
-rw-r--r--src/lib/libcrypto/ts/ts_conf.c517
-rw-r--r--src/lib/libcrypto/ts/ts_err.c126
-rw-r--r--src/lib/libcrypto/ts/ts_lib.c163
-rw-r--r--src/lib/libcrypto/ts/ts_local.h316
-rw-r--r--src/lib/libcrypto/ts/ts_req_print.c105
-rw-r--r--src/lib/libcrypto/ts/ts_req_utils.c281
-rw-r--r--src/lib/libcrypto/ts/ts_rsp_print.c306
-rw-r--r--src/lib/libcrypto/ts/ts_rsp_sign.c982
-rw-r--r--src/lib/libcrypto/ts/ts_rsp_utils.c503
-rw-r--r--src/lib/libcrypto/ts/ts_rsp_verify.c847
-rw-r--r--src/lib/libcrypto/ts/ts_verify_ctx.c236
13 files changed, 0 insertions, 6119 deletions
diff --git a/src/lib/libcrypto/ts/ts.h b/src/lib/libcrypto/ts/ts.h
deleted file mode 100644
index c2b2a9ed3d..0000000000
--- a/src/lib/libcrypto/ts/ts.h
+++ /dev/null
@@ -1,660 +0,0 @@
1/* $OpenBSD: ts.h,v 1.24 2024/03/26 00:39:22 beck Exp $ */
2/* Written by Zoltan Glozik (zglozik@opentsa.org) for the OpenSSL
3 * project 2002, 2003, 2004.
4 */
5/* ====================================================================
6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#ifndef HEADER_TS_H
60#define HEADER_TS_H
61
62#include <openssl/opensslconf.h>
63
64#ifndef OPENSSL_NO_BUFFER
65#include <openssl/buffer.h>
66#endif
67#ifndef OPENSSL_NO_EVP
68#include <openssl/evp.h>
69#endif
70#ifndef OPENSSL_NO_BIO
71#include <openssl/bio.h>
72#endif
73#include <openssl/stack.h>
74#include <openssl/asn1.h>
75#include <openssl/safestack.h>
76
77#ifndef OPENSSL_NO_RSA
78#include <openssl/rsa.h>
79#endif
80
81#ifndef OPENSSL_NO_DSA
82#include <openssl/dsa.h>
83#endif
84
85#ifndef OPENSSL_NO_DH
86#include <openssl/dh.h>
87#endif
88
89#ifdef __cplusplus
90extern "C" {
91#endif
92
93#include <openssl/x509.h>
94#include <openssl/x509v3.h>
95
96typedef struct TS_msg_imprint_st TS_MSG_IMPRINT;
97typedef struct TS_req_st TS_REQ;
98typedef struct TS_accuracy_st TS_ACCURACY;
99typedef struct TS_tst_info_st TS_TST_INFO;
100
101/* Possible values for status. */
102#define TS_STATUS_GRANTED 0
103#define TS_STATUS_GRANTED_WITH_MODS 1
104#define TS_STATUS_REJECTION 2
105#define TS_STATUS_WAITING 3
106#define TS_STATUS_REVOCATION_WARNING 4
107#define TS_STATUS_REVOCATION_NOTIFICATION 5
108
109/* Possible values for failure_info. */
110#define TS_INFO_BAD_ALG 0
111#define TS_INFO_BAD_REQUEST 2
112#define TS_INFO_BAD_DATA_FORMAT 5
113#define TS_INFO_TIME_NOT_AVAILABLE 14
114#define TS_INFO_UNACCEPTED_POLICY 15
115#define TS_INFO_UNACCEPTED_EXTENSION 16
116#define TS_INFO_ADD_INFO_NOT_AVAILABLE 17
117#define TS_INFO_SYSTEM_FAILURE 25
118
119typedef struct TS_status_info_st TS_STATUS_INFO;
120
121DECLARE_STACK_OF(ASN1_UTF8STRING)
122
123typedef struct ESS_issuer_serial ESS_ISSUER_SERIAL;
124typedef struct ESS_cert_id ESS_CERT_ID;
125DECLARE_STACK_OF(ESS_CERT_ID)
126typedef struct ESS_signing_cert ESS_SIGNING_CERT;
127
128typedef struct ESS_cert_id_v2 ESS_CERT_ID_V2;
129DECLARE_STACK_OF(ESS_CERT_ID_V2)
130
131typedef struct ESS_signing_cert_v2 ESS_SIGNING_CERT_V2;
132
133typedef struct TS_resp_st TS_RESP;
134
135TS_REQ *TS_REQ_new(void);
136void TS_REQ_free(TS_REQ *a);
137int i2d_TS_REQ(const TS_REQ *a, unsigned char **pp);
138TS_REQ *d2i_TS_REQ(TS_REQ **a, const unsigned char **pp, long length);
139
140TS_REQ *TS_REQ_dup(TS_REQ *a);
141
142TS_REQ *d2i_TS_REQ_fp(FILE *fp, TS_REQ **a);
143int i2d_TS_REQ_fp(FILE *fp, TS_REQ *a);
144TS_REQ *d2i_TS_REQ_bio(BIO *fp, TS_REQ **a);
145int i2d_TS_REQ_bio(BIO *fp, TS_REQ *a);
146
147TS_MSG_IMPRINT *TS_MSG_IMPRINT_new(void);
148void TS_MSG_IMPRINT_free(TS_MSG_IMPRINT *a);
149int i2d_TS_MSG_IMPRINT(const TS_MSG_IMPRINT *a, unsigned char **pp);
150TS_MSG_IMPRINT *d2i_TS_MSG_IMPRINT(TS_MSG_IMPRINT **a,
151 const unsigned char **pp, long length);
152
153TS_MSG_IMPRINT *TS_MSG_IMPRINT_dup(TS_MSG_IMPRINT *a);
154
155TS_MSG_IMPRINT *d2i_TS_MSG_IMPRINT_fp(FILE *fp, TS_MSG_IMPRINT **a);
156int i2d_TS_MSG_IMPRINT_fp(FILE *fp, TS_MSG_IMPRINT *a);
157TS_MSG_IMPRINT *d2i_TS_MSG_IMPRINT_bio(BIO *fp, TS_MSG_IMPRINT **a);
158int i2d_TS_MSG_IMPRINT_bio(BIO *fp, TS_MSG_IMPRINT *a);
159
160TS_RESP *TS_RESP_new(void);
161void TS_RESP_free(TS_RESP *a);
162int i2d_TS_RESP(const TS_RESP *a, unsigned char **pp);
163TS_RESP *d2i_TS_RESP(TS_RESP **a, const unsigned char **pp, long length);
164TS_TST_INFO *PKCS7_to_TS_TST_INFO(PKCS7 *token);
165TS_RESP *TS_RESP_dup(TS_RESP *a);
166
167TS_RESP *d2i_TS_RESP_fp(FILE *fp, TS_RESP **a);
168int i2d_TS_RESP_fp(FILE *fp, TS_RESP *a);
169TS_RESP *d2i_TS_RESP_bio(BIO *fp, TS_RESP **a);
170int i2d_TS_RESP_bio(BIO *fp, TS_RESP *a);
171
172TS_STATUS_INFO *TS_STATUS_INFO_new(void);
173void TS_STATUS_INFO_free(TS_STATUS_INFO *a);
174int i2d_TS_STATUS_INFO(const TS_STATUS_INFO *a, unsigned char **pp);
175TS_STATUS_INFO *d2i_TS_STATUS_INFO(TS_STATUS_INFO **a,
176 const unsigned char **pp, long length);
177TS_STATUS_INFO *TS_STATUS_INFO_dup(TS_STATUS_INFO *a);
178
179TS_TST_INFO *TS_TST_INFO_new(void);
180void TS_TST_INFO_free(TS_TST_INFO *a);
181int i2d_TS_TST_INFO(const TS_TST_INFO *a, unsigned char **pp);
182TS_TST_INFO *d2i_TS_TST_INFO(TS_TST_INFO **a, const unsigned char **pp,
183 long length);
184TS_TST_INFO *TS_TST_INFO_dup(TS_TST_INFO *a);
185
186TS_TST_INFO *d2i_TS_TST_INFO_fp(FILE *fp, TS_TST_INFO **a);
187int i2d_TS_TST_INFO_fp(FILE *fp, TS_TST_INFO *a);
188TS_TST_INFO *d2i_TS_TST_INFO_bio(BIO *fp, TS_TST_INFO **a);
189int i2d_TS_TST_INFO_bio(BIO *fp, TS_TST_INFO *a);
190
191TS_ACCURACY *TS_ACCURACY_new(void);
192void TS_ACCURACY_free(TS_ACCURACY *a);
193int i2d_TS_ACCURACY(const TS_ACCURACY *a, unsigned char **pp);
194TS_ACCURACY *d2i_TS_ACCURACY(TS_ACCURACY **a, const unsigned char **pp,
195 long length);
196TS_ACCURACY *TS_ACCURACY_dup(TS_ACCURACY *a);
197
198ESS_ISSUER_SERIAL *ESS_ISSUER_SERIAL_new(void);
199void ESS_ISSUER_SERIAL_free(ESS_ISSUER_SERIAL *a);
200int i2d_ESS_ISSUER_SERIAL(const ESS_ISSUER_SERIAL *a,
201 unsigned char **pp);
202ESS_ISSUER_SERIAL *d2i_ESS_ISSUER_SERIAL(ESS_ISSUER_SERIAL **a,
203 const unsigned char **pp, long length);
204ESS_ISSUER_SERIAL *ESS_ISSUER_SERIAL_dup(ESS_ISSUER_SERIAL *a);
205
206ESS_CERT_ID *ESS_CERT_ID_new(void);
207void ESS_CERT_ID_free(ESS_CERT_ID *a);
208int i2d_ESS_CERT_ID(const ESS_CERT_ID *a, unsigned char **pp);
209ESS_CERT_ID *d2i_ESS_CERT_ID(ESS_CERT_ID **a, const unsigned char **pp,
210 long length);
211ESS_CERT_ID *ESS_CERT_ID_dup(ESS_CERT_ID *a);
212
213ESS_SIGNING_CERT *ESS_SIGNING_CERT_new(void);
214void ESS_SIGNING_CERT_free(ESS_SIGNING_CERT *a);
215int i2d_ESS_SIGNING_CERT(const ESS_SIGNING_CERT *a,
216 unsigned char **pp);
217ESS_SIGNING_CERT *d2i_ESS_SIGNING_CERT(ESS_SIGNING_CERT **a,
218 const unsigned char **pp, long length);
219ESS_SIGNING_CERT *ESS_SIGNING_CERT_dup(ESS_SIGNING_CERT *a);
220
221int TS_REQ_set_version(TS_REQ *a, long version);
222long TS_REQ_get_version(const TS_REQ *a);
223
224int TS_REQ_set_msg_imprint(TS_REQ *a, TS_MSG_IMPRINT *msg_imprint);
225TS_MSG_IMPRINT *TS_REQ_get_msg_imprint(TS_REQ *a);
226
227int TS_MSG_IMPRINT_set_algo(TS_MSG_IMPRINT *a, X509_ALGOR *alg);
228X509_ALGOR *TS_MSG_IMPRINT_get_algo(TS_MSG_IMPRINT *a);
229
230int TS_MSG_IMPRINT_set_msg(TS_MSG_IMPRINT *a, unsigned char *d, int len);
231ASN1_OCTET_STRING *TS_MSG_IMPRINT_get_msg(TS_MSG_IMPRINT *a);
232
233int TS_REQ_set_policy_id(TS_REQ *a, const ASN1_OBJECT *policy);
234ASN1_OBJECT *TS_REQ_get_policy_id(TS_REQ *a);
235
236int TS_REQ_set_nonce(TS_REQ *a, const ASN1_INTEGER *nonce);
237const ASN1_INTEGER *TS_REQ_get_nonce(const TS_REQ *a);
238
239int TS_REQ_set_cert_req(TS_REQ *a, int cert_req);
240int TS_REQ_get_cert_req(const TS_REQ *a);
241
242STACK_OF(X509_EXTENSION) *TS_REQ_get_exts(TS_REQ *a);
243void TS_REQ_ext_free(TS_REQ *a);
244int TS_REQ_get_ext_count(TS_REQ *a);
245int TS_REQ_get_ext_by_NID(TS_REQ *a, int nid, int lastpos);
246int TS_REQ_get_ext_by_OBJ(TS_REQ *a, const ASN1_OBJECT *obj, int lastpos);
247int TS_REQ_get_ext_by_critical(TS_REQ *a, int crit, int lastpos);
248X509_EXTENSION *TS_REQ_get_ext(TS_REQ *a, int loc);
249X509_EXTENSION *TS_REQ_delete_ext(TS_REQ *a, int loc);
250int TS_REQ_add_ext(TS_REQ *a, X509_EXTENSION *ex, int loc);
251void *TS_REQ_get_ext_d2i(TS_REQ *a, int nid, int *crit, int *idx);
252
253/* Function declarations for TS_REQ defined in ts/ts_req_print.c */
254
255int TS_REQ_print_bio(BIO *bio, TS_REQ *a);
256
257/* Function declarations for TS_RESP defined in ts/ts_rsp_utils.c */
258
259int TS_RESP_set_status_info(TS_RESP *a, TS_STATUS_INFO *info);
260TS_STATUS_INFO *TS_RESP_get_status_info(TS_RESP *a);
261
262const ASN1_UTF8STRING *TS_STATUS_INFO_get0_failure_info(const TS_STATUS_INFO *si);
263const STACK_OF(ASN1_UTF8STRING) *
264 TS_STATUS_INFO_get0_text(const TS_STATUS_INFO *si);
265const ASN1_INTEGER *TS_STATUS_INFO_get0_status(const TS_STATUS_INFO *si);
266int TS_STATUS_INFO_set_status(TS_STATUS_INFO *si, int i);
267
268/* Caller loses ownership of PKCS7 and TS_TST_INFO objects. */
269void TS_RESP_set_tst_info(TS_RESP *a, PKCS7 *p7, TS_TST_INFO *tst_info);
270PKCS7 *TS_RESP_get_token(TS_RESP *a);
271TS_TST_INFO *TS_RESP_get_tst_info(TS_RESP *a);
272
273int TS_TST_INFO_set_version(TS_TST_INFO *a, long version);
274long TS_TST_INFO_get_version(const TS_TST_INFO *a);
275
276int TS_TST_INFO_set_policy_id(TS_TST_INFO *a, ASN1_OBJECT *policy_id);
277ASN1_OBJECT *TS_TST_INFO_get_policy_id(TS_TST_INFO *a);
278
279int TS_TST_INFO_set_msg_imprint(TS_TST_INFO *a, TS_MSG_IMPRINT *msg_imprint);
280TS_MSG_IMPRINT *TS_TST_INFO_get_msg_imprint(TS_TST_INFO *a);
281
282int TS_TST_INFO_set_serial(TS_TST_INFO *a, const ASN1_INTEGER *serial);
283const ASN1_INTEGER *TS_TST_INFO_get_serial(const TS_TST_INFO *a);
284
285int TS_TST_INFO_set_time(TS_TST_INFO *a, const ASN1_GENERALIZEDTIME *gtime);
286const ASN1_GENERALIZEDTIME *TS_TST_INFO_get_time(const TS_TST_INFO *a);
287
288int TS_TST_INFO_set_accuracy(TS_TST_INFO *a, TS_ACCURACY *accuracy);
289TS_ACCURACY *TS_TST_INFO_get_accuracy(TS_TST_INFO *a);
290
291int TS_ACCURACY_set_seconds(TS_ACCURACY *a, const ASN1_INTEGER *seconds);
292const ASN1_INTEGER *TS_ACCURACY_get_seconds(const TS_ACCURACY *a);
293
294int TS_ACCURACY_set_millis(TS_ACCURACY *a, const ASN1_INTEGER *millis);
295const ASN1_INTEGER *TS_ACCURACY_get_millis(const TS_ACCURACY *a);
296
297int TS_ACCURACY_set_micros(TS_ACCURACY *a, const ASN1_INTEGER *micros);
298const ASN1_INTEGER *TS_ACCURACY_get_micros(const TS_ACCURACY *a);
299
300int TS_TST_INFO_set_ordering(TS_TST_INFO *a, int ordering);
301int TS_TST_INFO_get_ordering(const TS_TST_INFO *a);
302
303int TS_TST_INFO_set_nonce(TS_TST_INFO *a, const ASN1_INTEGER *nonce);
304const ASN1_INTEGER *TS_TST_INFO_get_nonce(const TS_TST_INFO *a);
305
306int TS_TST_INFO_set_tsa(TS_TST_INFO *a, GENERAL_NAME *tsa);
307GENERAL_NAME *TS_TST_INFO_get_tsa(TS_TST_INFO *a);
308
309STACK_OF(X509_EXTENSION) *TS_TST_INFO_get_exts(TS_TST_INFO *a);
310void TS_TST_INFO_ext_free(TS_TST_INFO *a);
311int TS_TST_INFO_get_ext_count(TS_TST_INFO *a);
312int TS_TST_INFO_get_ext_by_NID(TS_TST_INFO *a, int nid, int lastpos);
313int TS_TST_INFO_get_ext_by_OBJ(TS_TST_INFO *a, const ASN1_OBJECT *obj,
314 int lastpos);
315int TS_TST_INFO_get_ext_by_critical(TS_TST_INFO *a, int crit, int lastpos);
316X509_EXTENSION *TS_TST_INFO_get_ext(TS_TST_INFO *a, int loc);
317X509_EXTENSION *TS_TST_INFO_delete_ext(TS_TST_INFO *a, int loc);
318int TS_TST_INFO_add_ext(TS_TST_INFO *a, X509_EXTENSION *ex, int loc);
319void *TS_TST_INFO_get_ext_d2i(TS_TST_INFO *a, int nid, int *crit, int *idx);
320
321/* Declarations related to response generation, defined in ts/ts_rsp_sign.c. */
322
323/* Optional flags for response generation. */
324
325/* Don't include the TSA name in response. */
326#define TS_TSA_NAME 0x01
327
328/* Set ordering to true in response. */
329#define TS_ORDERING 0x02
330
331/*
332 * Include the signer certificate and the other specified certificates in
333 * the ESS signing certificate attribute beside the PKCS7 signed data.
334 * Only the signer certificates is included by default.
335 */
336#define TS_ESS_CERT_ID_CHAIN 0x04
337
338/* Forward declaration. */
339struct TS_resp_ctx;
340
341/* This must return a unique number less than 160 bits long. */
342typedef ASN1_INTEGER *(*TS_serial_cb)(struct TS_resp_ctx *, void *);
343
344/* This must return the seconds and microseconds since Jan 1, 1970 in
345 the sec and usec variables allocated by the caller.
346 Return non-zero for success and zero for failure. */
347typedef int (*TS_time_cb)(struct TS_resp_ctx *, void *, time_t *sec, long *usec);
348
349/* This must process the given extension.
350 * It can modify the TS_TST_INFO object of the context.
351 * Return values: !0 (processed), 0 (error, it must set the
352 * status info/failure info of the response).
353 */
354typedef int (*TS_extension_cb)(struct TS_resp_ctx *, X509_EXTENSION *, void *);
355
356typedef struct TS_resp_ctx TS_RESP_CTX;
357
358DECLARE_STACK_OF(EVP_MD)
359
360/* Creates a response context that can be used for generating responses. */
361TS_RESP_CTX *TS_RESP_CTX_new(void);
362void TS_RESP_CTX_free(TS_RESP_CTX *ctx);
363
364/* This parameter must be set. */
365int TS_RESP_CTX_set_signer_cert(TS_RESP_CTX *ctx, X509 *signer);
366
367/* This parameter must be set. */
368int TS_RESP_CTX_set_signer_key(TS_RESP_CTX *ctx, EVP_PKEY *key);
369
370/* This parameter must be set. */
371int TS_RESP_CTX_set_def_policy(TS_RESP_CTX *ctx, const ASN1_OBJECT *def_policy);
372
373/* No additional certs are included in the response by default. */
374int TS_RESP_CTX_set_certs(TS_RESP_CTX *ctx, STACK_OF(X509) *certs);
375
376/* Adds a new acceptable policy, only the default policy
377 is accepted by default. */
378int TS_RESP_CTX_add_policy(TS_RESP_CTX *ctx, const ASN1_OBJECT *policy);
379
380/* Adds a new acceptable message digest. Note that no message digests
381 are accepted by default. The md argument is shared with the caller. */
382int TS_RESP_CTX_add_md(TS_RESP_CTX *ctx, const EVP_MD *md);
383
384/* Accuracy is not included by default. */
385int TS_RESP_CTX_set_accuracy(TS_RESP_CTX *ctx,
386 int secs, int millis, int micros);
387
388/* Clock precision digits, i.e. the number of decimal digits:
389 '0' means sec, '3' msec, '6' usec, and so on. Default is 0. */
390int TS_RESP_CTX_set_clock_precision_digits(TS_RESP_CTX *ctx,
391 unsigned clock_precision_digits);
392/* At most we accept sec precision. */
393#define TS_MAX_CLOCK_PRECISION_DIGITS 0
394
395/* No flags are set by default. */
396void TS_RESP_CTX_add_flags(TS_RESP_CTX *ctx, int flags);
397
398/* Default callback always returns a constant. */
399void TS_RESP_CTX_set_serial_cb(TS_RESP_CTX *ctx, TS_serial_cb cb, void *data);
400
401/* Default callback uses gettimeofday() and gmtime(). */
402void TS_RESP_CTX_set_time_cb(TS_RESP_CTX *ctx, TS_time_cb cb, void *data);
403
404/* Default callback rejects all extensions. The extension callback is called
405 * when the TS_TST_INFO object is already set up and not signed yet. */
406/* FIXME: extension handling is not tested yet. */
407void TS_RESP_CTX_set_extension_cb(TS_RESP_CTX *ctx,
408 TS_extension_cb cb, void *data);
409
410/* The following methods can be used in the callbacks. */
411int TS_RESP_CTX_set_status_info(TS_RESP_CTX *ctx,
412 int status, const char *text);
413
414/* Sets the status info only if it is still TS_STATUS_GRANTED. */
415int TS_RESP_CTX_set_status_info_cond(TS_RESP_CTX *ctx,
416 int status, const char *text);
417
418int TS_RESP_CTX_add_failure_info(TS_RESP_CTX *ctx, int failure);
419
420/* The get methods below can be used in the extension callback. */
421TS_REQ *TS_RESP_CTX_get_request(TS_RESP_CTX *ctx);
422
423TS_TST_INFO *TS_RESP_CTX_get_tst_info(TS_RESP_CTX *ctx);
424
425/*
426 * Creates the signed TS_TST_INFO and puts it in TS_RESP.
427 * In case of errors it sets the status info properly.
428 * Returns NULL only in case of memory allocation/fatal error.
429 */
430TS_RESP *TS_RESP_create_response(TS_RESP_CTX *ctx, BIO *req_bio);
431
432/*
433 * Declarations related to response verification,
434 * they are defined in ts/ts_rsp_verify.c.
435 */
436
437int TS_RESP_verify_signature(PKCS7 *token, STACK_OF(X509) *certs,
438 X509_STORE *store, X509 **signer_out);
439
440/* Context structure for the generic verify method. */
441
442/* Verify the signer's certificate and the signature of the response. */
443#define TS_VFY_SIGNATURE (1u << 0)
444/* Verify the version number of the response. */
445#define TS_VFY_VERSION (1u << 1)
446/* Verify if the policy supplied by the user matches the policy of the TSA. */
447#define TS_VFY_POLICY (1u << 2)
448/* Verify the message imprint provided by the user. This flag should not be
449 specified with TS_VFY_DATA. */
450#define TS_VFY_IMPRINT (1u << 3)
451/* Verify the message imprint computed by the verify method from the user
452 provided data and the MD algorithm of the response. This flag should not be
453 specified with TS_VFY_IMPRINT. */
454#define TS_VFY_DATA (1u << 4)
455/* Verify the nonce value. */
456#define TS_VFY_NONCE (1u << 5)
457/* Verify if the TSA name field matches the signer certificate. */
458#define TS_VFY_SIGNER (1u << 6)
459/* Verify if the TSA name field equals to the user provided name. */
460#define TS_VFY_TSA_NAME (1u << 7)
461
462/* You can use the following convenience constants. */
463#define TS_VFY_ALL_IMPRINT (TS_VFY_SIGNATURE \
464 | TS_VFY_VERSION \
465 | TS_VFY_POLICY \
466 | TS_VFY_IMPRINT \
467 | TS_VFY_NONCE \
468 | TS_VFY_SIGNER \
469 | TS_VFY_TSA_NAME)
470#define TS_VFY_ALL_DATA (TS_VFY_SIGNATURE \
471 | TS_VFY_VERSION \
472 | TS_VFY_POLICY \
473 | TS_VFY_DATA \
474 | TS_VFY_NONCE \
475 | TS_VFY_SIGNER \
476 | TS_VFY_TSA_NAME)
477
478typedef struct TS_verify_ctx TS_VERIFY_CTX;
479
480int TS_RESP_verify_response(TS_VERIFY_CTX *ctx, TS_RESP *response);
481int TS_RESP_verify_token(TS_VERIFY_CTX *ctx, PKCS7 *token);
482
483/*
484 * Declarations related to response verification context,
485 * they are defined in ts/ts_verify_ctx.c.
486 */
487
488/* Set all fields to zero. */
489TS_VERIFY_CTX *TS_VERIFY_CTX_new(void);
490void TS_VERIFY_CTX_free(TS_VERIFY_CTX *ctx);
491void TS_VERIFY_CTX_cleanup(TS_VERIFY_CTX *ctx);
492
493int TS_VERIFY_CTX_add_flags(TS_VERIFY_CTX *ctx, int flags);
494int TS_VERIFY_CTX_set_flags(TS_VERIFY_CTX *ctx, int flags);
495BIO *TS_VERIFY_CTX_set_data(TS_VERIFY_CTX *ctx, BIO *bio);
496X509_STORE *TS_VERIFY_CTX_set_store(TS_VERIFY_CTX *ctx, X509_STORE *store);
497/* R$ special */
498#define TS_VERIFY_CTS_set_certs TS_VERIFY_CTX_set_certs
499STACK_OF(X509) *TS_VERIFY_CTX_set_certs(TS_VERIFY_CTX *ctx,
500 STACK_OF(X509) *certs);
501unsigned char *TS_VERIFY_CTX_set_imprint(TS_VERIFY_CTX *ctx,
502 unsigned char *imprint, long imprint_len);
503
504/*
505 * If ctx is NULL, it allocates and returns a new object, otherwise
506 * it returns ctx. It initialises all the members as follows:
507 * flags = TS_VFY_ALL_IMPRINT & ~(TS_VFY_TSA_NAME | TS_VFY_SIGNATURE)
508 * certs = NULL
509 * store = NULL
510 * policy = policy from the request or NULL if absent (in this case
511 * TS_VFY_POLICY is cleared from flags as well)
512 * md_alg = MD algorithm from request
513 * imprint, imprint_len = imprint from request
514 * data = NULL
515 * nonce, nonce_len = nonce from the request or NULL if absent (in this case
516 * TS_VFY_NONCE is cleared from flags as well)
517 * tsa_name = NULL
518 * Important: after calling this method TS_VFY_SIGNATURE should be added!
519 */
520TS_VERIFY_CTX *TS_REQ_to_TS_VERIFY_CTX(TS_REQ *req, TS_VERIFY_CTX *ctx);
521
522/* Function declarations for TS_RESP defined in ts/ts_rsp_print.c */
523
524int TS_RESP_print_bio(BIO *bio, TS_RESP *a);
525int TS_STATUS_INFO_print_bio(BIO *bio, TS_STATUS_INFO *a);
526int TS_TST_INFO_print_bio(BIO *bio, TS_TST_INFO *a);
527
528/* Common utility functions defined in ts/ts_lib.c */
529
530int TS_ASN1_INTEGER_print_bio(BIO *bio, const ASN1_INTEGER *num);
531int TS_OBJ_print_bio(BIO *bio, const ASN1_OBJECT *obj);
532int TS_ext_print_bio(BIO *bio, const STACK_OF(X509_EXTENSION) *extensions);
533int TS_X509_ALGOR_print_bio(BIO *bio, const X509_ALGOR *alg);
534int TS_MSG_IMPRINT_print_bio(BIO *bio, TS_MSG_IMPRINT *msg);
535
536/* Function declarations for handling configuration options,
537 defined in ts/ts_conf.c */
538
539X509 *TS_CONF_load_cert(const char *file);
540STACK_OF(X509) *TS_CONF_load_certs(const char *file);
541EVP_PKEY *TS_CONF_load_key(const char *file, const char *pass);
542const char *TS_CONF_get_tsa_section(CONF *conf, const char *section);
543int TS_CONF_set_serial(CONF *conf, const char *section, TS_serial_cb cb,
544 TS_RESP_CTX *ctx);
545int TS_CONF_set_signer_cert(CONF *conf, const char *section,
546 const char *cert, TS_RESP_CTX *ctx);
547int TS_CONF_set_certs(CONF *conf, const char *section, const char *certs,
548 TS_RESP_CTX *ctx);
549int TS_CONF_set_signer_key(CONF *conf, const char *section,
550 const char *key, const char *pass, TS_RESP_CTX *ctx);
551int TS_CONF_set_def_policy(CONF *conf, const char *section,
552 const char *policy, TS_RESP_CTX *ctx);
553int TS_CONF_set_policies(CONF *conf, const char *section, TS_RESP_CTX *ctx);
554int TS_CONF_set_digests(CONF *conf, const char *section, TS_RESP_CTX *ctx);
555int TS_CONF_set_accuracy(CONF *conf, const char *section, TS_RESP_CTX *ctx);
556int TS_CONF_set_clock_precision_digits(CONF *conf, const char *section,
557 TS_RESP_CTX *ctx);
558int TS_CONF_set_ordering(CONF *conf, const char *section, TS_RESP_CTX *ctx);
559int TS_CONF_set_tsa_name(CONF *conf, const char *section, TS_RESP_CTX *ctx);
560int TS_CONF_set_ess_cert_id_chain(CONF *conf, const char *section,
561 TS_RESP_CTX *ctx);
562
563void ERR_load_TS_strings(void);
564
565/* Error codes for the TS functions. */
566
567/* Function codes. */
568#define TS_F_D2I_TS_RESP 147
569#define TS_F_DEF_SERIAL_CB 110
570#define TS_F_DEF_TIME_CB 111
571#define TS_F_ESS_ADD_SIGNING_CERT 112
572#define TS_F_ESS_CERT_ID_NEW_INIT 113
573#define TS_F_ESS_SIGNING_CERT_NEW_INIT 114
574#define TS_F_INT_TS_RESP_VERIFY_TOKEN 149
575#define TS_F_PKCS7_TO_TS_TST_INFO 148
576#define TS_F_TS_ACCURACY_SET_MICROS 115
577#define TS_F_TS_ACCURACY_SET_MILLIS 116
578#define TS_F_TS_ACCURACY_SET_SECONDS 117
579#define TS_F_TS_CHECK_IMPRINTS 100
580#define TS_F_TS_CHECK_NONCES 101
581#define TS_F_TS_CHECK_POLICY 102
582#define TS_F_TS_CHECK_SIGNING_CERTS 103
583#define TS_F_TS_CHECK_STATUS_INFO 104
584#define TS_F_TS_COMPUTE_IMPRINT 145
585#define TS_F_TS_CONF_SET_DEFAULT_ENGINE 146
586#define TS_F_TS_GET_STATUS_TEXT 105
587#define TS_F_TS_MSG_IMPRINT_SET_ALGO 118
588#define TS_F_TS_REQ_SET_MSG_IMPRINT 119
589#define TS_F_TS_REQ_SET_NONCE 120
590#define TS_F_TS_REQ_SET_POLICY_ID 121
591#define TS_F_TS_RESP_CREATE_RESPONSE 122
592#define TS_F_TS_RESP_CREATE_TST_INFO 123
593#define TS_F_TS_RESP_CTX_ADD_FAILURE_INFO 124
594#define TS_F_TS_RESP_CTX_ADD_MD 125
595#define TS_F_TS_RESP_CTX_ADD_POLICY 126
596#define TS_F_TS_RESP_CTX_NEW 127
597#define TS_F_TS_RESP_CTX_SET_ACCURACY 128
598#define TS_F_TS_RESP_CTX_SET_CERTS 129
599#define TS_F_TS_RESP_CTX_SET_DEF_POLICY 130
600#define TS_F_TS_RESP_CTX_SET_SIGNER_CERT 131
601#define TS_F_TS_RESP_CTX_SET_STATUS_INFO 132
602#define TS_F_TS_RESP_GET_POLICY 133
603#define TS_F_TS_RESP_SET_GENTIME_WITH_PRECISION 134
604#define TS_F_TS_RESP_SET_STATUS_INFO 135
605#define TS_F_TS_RESP_SET_TST_INFO 150
606#define TS_F_TS_RESP_SIGN 136
607#define TS_F_TS_RESP_VERIFY_SIGNATURE 106
608#define TS_F_TS_RESP_VERIFY_TOKEN 107
609#define TS_F_TS_TST_INFO_SET_ACCURACY 137
610#define TS_F_TS_TST_INFO_SET_MSG_IMPRINT 138
611#define TS_F_TS_TST_INFO_SET_NONCE 139
612#define TS_F_TS_TST_INFO_SET_POLICY_ID 140
613#define TS_F_TS_TST_INFO_SET_SERIAL 141
614#define TS_F_TS_TST_INFO_SET_TIME 142
615#define TS_F_TS_TST_INFO_SET_TSA 143
616#define TS_F_TS_VERIFY 108
617#define TS_F_TS_VERIFY_CERT 109
618#define TS_F_TS_VERIFY_CTX_NEW 144
619
620/* Reason codes. */
621#define TS_R_BAD_PKCS7_TYPE 132
622#define TS_R_BAD_TYPE 133
623#define TS_R_CERTIFICATE_VERIFY_ERROR 100
624#define TS_R_COULD_NOT_SET_ENGINE 127
625#define TS_R_COULD_NOT_SET_TIME 115
626#define TS_R_D2I_TS_RESP_INT_FAILED 128
627#define TS_R_DETACHED_CONTENT 134
628#define TS_R_ESS_ADD_SIGNING_CERT_ERROR 116
629#define TS_R_ESS_SIGNING_CERTIFICATE_ERROR 101
630#define TS_R_INVALID_NULL_POINTER 102
631#define TS_R_INVALID_SIGNER_CERTIFICATE_PURPOSE 117
632#define TS_R_MESSAGE_IMPRINT_MISMATCH 103
633#define TS_R_NONCE_MISMATCH 104
634#define TS_R_NONCE_NOT_RETURNED 105
635#define TS_R_NO_CONTENT 106
636#define TS_R_NO_TIME_STAMP_TOKEN 107
637#define TS_R_PKCS7_ADD_SIGNATURE_ERROR 118
638#define TS_R_PKCS7_ADD_SIGNED_ATTR_ERROR 119
639#define TS_R_PKCS7_TO_TS_TST_INFO_FAILED 129
640#define TS_R_POLICY_MISMATCH 108
641#define TS_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE 120
642#define TS_R_RESPONSE_SETUP_ERROR 121
643#define TS_R_SIGNATURE_FAILURE 109
644#define TS_R_THERE_MUST_BE_ONE_SIGNER 110
645#define TS_R_TIME_SYSCALL_ERROR 122
646#define TS_R_TOKEN_NOT_PRESENT 130
647#define TS_R_TOKEN_PRESENT 131
648#define TS_R_TSA_NAME_MISMATCH 111
649#define TS_R_TSA_UNTRUSTED 112
650#define TS_R_TST_INFO_SETUP_ERROR 123
651#define TS_R_TS_DATASIGN 124
652#define TS_R_UNACCEPTABLE_POLICY 125
653#define TS_R_UNSUPPORTED_MD_ALGORITHM 126
654#define TS_R_UNSUPPORTED_VERSION 113
655#define TS_R_WRONG_CONTENT_TYPE 114
656
657#ifdef __cplusplus
658}
659#endif
660#endif
diff --git a/src/lib/libcrypto/ts/ts_asn1.c b/src/lib/libcrypto/ts/ts_asn1.c
deleted file mode 100644
index feb2da68f9..0000000000
--- a/src/lib/libcrypto/ts/ts_asn1.c
+++ /dev/null
@@ -1,1077 +0,0 @@
1/* $OpenBSD: ts_asn1.c,v 1.15 2024/04/15 15:52:46 tb Exp $ */
2/* Written by Nils Larsch for the OpenSSL project 2004.
3 */
4/* ====================================================================
5 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 *
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 *
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in
16 * the documentation and/or other materials provided with the
17 * distribution.
18 *
19 * 3. All advertising materials mentioning features or use of this
20 * software must display the following acknowledgment:
21 * "This product includes software developed by the OpenSSL Project
22 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
23 *
24 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
25 * endorse or promote products derived from this software without
26 * prior written permission. For written permission, please contact
27 * licensing@OpenSSL.org.
28 *
29 * 5. Products derived from this software may not be called "OpenSSL"
30 * nor may "OpenSSL" appear in their names without prior written
31 * permission of the OpenSSL Project.
32 *
33 * 6. Redistributions of any form whatsoever must retain the following
34 * acknowledgment:
35 * "This product includes software developed by the OpenSSL Project
36 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
37 *
38 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
39 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
40 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
41 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
42 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
43 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
44 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
45 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
46 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
47 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
48 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
49 * OF THE POSSIBILITY OF SUCH DAMAGE.
50 * ====================================================================
51 *
52 * This product includes cryptographic software written by Eric Young
53 * (eay@cryptsoft.com). This product includes software written by Tim
54 * Hudson (tjh@cryptsoft.com).
55 *
56 */
57
58#include <openssl/opensslconf.h>
59
60#include <openssl/ts.h>
61#include <openssl/err.h>
62#include <openssl/asn1t.h>
63
64#include "ts_local.h"
65
66static const ASN1_TEMPLATE TS_MSG_IMPRINT_seq_tt[] = {
67 {
68 .flags = 0,
69 .tag = 0,
70 .offset = offsetof(TS_MSG_IMPRINT, hash_algo),
71 .field_name = "hash_algo",
72 .item = &X509_ALGOR_it,
73 },
74 {
75 .flags = 0,
76 .tag = 0,
77 .offset = offsetof(TS_MSG_IMPRINT, hashed_msg),
78 .field_name = "hashed_msg",
79 .item = &ASN1_OCTET_STRING_it,
80 },
81};
82
83static const ASN1_ITEM TS_MSG_IMPRINT_it = {
84 .itype = ASN1_ITYPE_SEQUENCE,
85 .utype = V_ASN1_SEQUENCE,
86 .templates = TS_MSG_IMPRINT_seq_tt,
87 .tcount = sizeof(TS_MSG_IMPRINT_seq_tt) / sizeof(ASN1_TEMPLATE),
88 .funcs = NULL,
89 .size = sizeof(TS_MSG_IMPRINT),
90 .sname = "TS_MSG_IMPRINT",
91};
92
93
94TS_MSG_IMPRINT *
95d2i_TS_MSG_IMPRINT(TS_MSG_IMPRINT **a, const unsigned char **in, long len)
96{
97 return (TS_MSG_IMPRINT *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
98 &TS_MSG_IMPRINT_it);
99}
100LCRYPTO_ALIAS(d2i_TS_MSG_IMPRINT);
101
102int
103i2d_TS_MSG_IMPRINT(const TS_MSG_IMPRINT *a, unsigned char **out)
104{
105 return ASN1_item_i2d((ASN1_VALUE *)a, out, &TS_MSG_IMPRINT_it);
106}
107LCRYPTO_ALIAS(i2d_TS_MSG_IMPRINT);
108
109TS_MSG_IMPRINT *
110TS_MSG_IMPRINT_new(void)
111{
112 return (TS_MSG_IMPRINT *)ASN1_item_new(&TS_MSG_IMPRINT_it);
113}
114LCRYPTO_ALIAS(TS_MSG_IMPRINT_new);
115
116void
117TS_MSG_IMPRINT_free(TS_MSG_IMPRINT *a)
118{
119 ASN1_item_free((ASN1_VALUE *)a, &TS_MSG_IMPRINT_it);
120}
121LCRYPTO_ALIAS(TS_MSG_IMPRINT_free);
122
123TS_MSG_IMPRINT *
124TS_MSG_IMPRINT_dup(TS_MSG_IMPRINT *x)
125{
126 return ASN1_item_dup(&TS_MSG_IMPRINT_it, x);
127}
128LCRYPTO_ALIAS(TS_MSG_IMPRINT_dup);
129
130#ifndef OPENSSL_NO_BIO
131TS_MSG_IMPRINT *
132d2i_TS_MSG_IMPRINT_bio(BIO *bp, TS_MSG_IMPRINT **a)
133{
134 return ASN1_item_d2i_bio(&TS_MSG_IMPRINT_it, bp, a);
135}
136LCRYPTO_ALIAS(d2i_TS_MSG_IMPRINT_bio);
137
138int
139i2d_TS_MSG_IMPRINT_bio(BIO *bp, TS_MSG_IMPRINT *a)
140{
141 return ASN1_item_i2d_bio(&TS_MSG_IMPRINT_it, bp, a);
142}
143LCRYPTO_ALIAS(i2d_TS_MSG_IMPRINT_bio);
144#endif
145
146TS_MSG_IMPRINT *
147d2i_TS_MSG_IMPRINT_fp(FILE *fp, TS_MSG_IMPRINT **a)
148{
149 return ASN1_item_d2i_fp(&TS_MSG_IMPRINT_it, fp, a);
150}
151LCRYPTO_ALIAS(d2i_TS_MSG_IMPRINT_fp);
152
153int
154i2d_TS_MSG_IMPRINT_fp(FILE *fp, TS_MSG_IMPRINT *a)
155{
156 return ASN1_item_i2d_fp(&TS_MSG_IMPRINT_it, fp, a);
157}
158LCRYPTO_ALIAS(i2d_TS_MSG_IMPRINT_fp);
159
160static const ASN1_TEMPLATE TS_REQ_seq_tt[] = {
161 {
162 .flags = 0,
163 .tag = 0,
164 .offset = offsetof(TS_REQ, version),
165 .field_name = "version",
166 .item = &ASN1_INTEGER_it,
167 },
168 {
169 .flags = 0,
170 .tag = 0,
171 .offset = offsetof(TS_REQ, msg_imprint),
172 .field_name = "msg_imprint",
173 .item = &TS_MSG_IMPRINT_it,
174 },
175 {
176 .flags = ASN1_TFLG_OPTIONAL,
177 .tag = 0,
178 .offset = offsetof(TS_REQ, policy_id),
179 .field_name = "policy_id",
180 .item = &ASN1_OBJECT_it,
181 },
182 {
183 .flags = ASN1_TFLG_OPTIONAL,
184 .tag = 0,
185 .offset = offsetof(TS_REQ, nonce),
186 .field_name = "nonce",
187 .item = &ASN1_INTEGER_it,
188 },
189 {
190 .flags = ASN1_TFLG_OPTIONAL,
191 .tag = 0,
192 .offset = offsetof(TS_REQ, cert_req),
193 .field_name = "cert_req",
194 .item = &ASN1_FBOOLEAN_it,
195 },
196 {
197 .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL,
198 .tag = 0,
199 .offset = offsetof(TS_REQ, extensions),
200 .field_name = "extensions",
201 .item = &X509_EXTENSION_it,
202 },
203};
204
205static const ASN1_ITEM TS_REQ_it = {
206 .itype = ASN1_ITYPE_SEQUENCE,
207 .utype = V_ASN1_SEQUENCE,
208 .templates = TS_REQ_seq_tt,
209 .tcount = sizeof(TS_REQ_seq_tt) / sizeof(ASN1_TEMPLATE),
210 .funcs = NULL,
211 .size = sizeof(TS_REQ),
212 .sname = "TS_REQ",
213};
214
215
216TS_REQ *
217d2i_TS_REQ(TS_REQ **a, const unsigned char **in, long len)
218{
219 return (TS_REQ *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
220 &TS_REQ_it);
221}
222LCRYPTO_ALIAS(d2i_TS_REQ);
223
224int
225i2d_TS_REQ(const TS_REQ *a, unsigned char **out)
226{
227 return ASN1_item_i2d((ASN1_VALUE *)a, out, &TS_REQ_it);
228}
229LCRYPTO_ALIAS(i2d_TS_REQ);
230
231TS_REQ *
232TS_REQ_new(void)
233{
234 return (TS_REQ *)ASN1_item_new(&TS_REQ_it);
235}
236LCRYPTO_ALIAS(TS_REQ_new);
237
238void
239TS_REQ_free(TS_REQ *a)
240{
241 ASN1_item_free((ASN1_VALUE *)a, &TS_REQ_it);
242}
243LCRYPTO_ALIAS(TS_REQ_free);
244
245TS_REQ *
246TS_REQ_dup(TS_REQ *x)
247{
248 return ASN1_item_dup(&TS_REQ_it, x);
249}
250LCRYPTO_ALIAS(TS_REQ_dup);
251
252#ifndef OPENSSL_NO_BIO
253TS_REQ *
254d2i_TS_REQ_bio(BIO *bp, TS_REQ **a)
255{
256 return ASN1_item_d2i_bio(&TS_REQ_it, bp, a);
257}
258LCRYPTO_ALIAS(d2i_TS_REQ_bio);
259
260int
261i2d_TS_REQ_bio(BIO *bp, TS_REQ *a)
262{
263 return ASN1_item_i2d_bio(&TS_REQ_it, bp, a);
264}
265LCRYPTO_ALIAS(i2d_TS_REQ_bio);
266#endif
267
268TS_REQ *
269d2i_TS_REQ_fp(FILE *fp, TS_REQ **a)
270{
271 return ASN1_item_d2i_fp(&TS_REQ_it, fp, a);
272}
273LCRYPTO_ALIAS(d2i_TS_REQ_fp);
274
275int
276i2d_TS_REQ_fp(FILE *fp, TS_REQ *a)
277{
278 return ASN1_item_i2d_fp(&TS_REQ_it, fp, a);
279}
280LCRYPTO_ALIAS(i2d_TS_REQ_fp);
281
282static const ASN1_TEMPLATE TS_ACCURACY_seq_tt[] = {
283 {
284 .flags = ASN1_TFLG_OPTIONAL,
285 .tag = 0,
286 .offset = offsetof(TS_ACCURACY, seconds),
287 .field_name = "seconds",
288 .item = &ASN1_INTEGER_it,
289 },
290 {
291 .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
292 .tag = 0,
293 .offset = offsetof(TS_ACCURACY, millis),
294 .field_name = "millis",
295 .item = &ASN1_INTEGER_it,
296 },
297 {
298 .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
299 .tag = 1,
300 .offset = offsetof(TS_ACCURACY, micros),
301 .field_name = "micros",
302 .item = &ASN1_INTEGER_it,
303 },
304};
305
306static const ASN1_ITEM TS_ACCURACY_it = {
307 .itype = ASN1_ITYPE_SEQUENCE,
308 .utype = V_ASN1_SEQUENCE,
309 .templates = TS_ACCURACY_seq_tt,
310 .tcount = sizeof(TS_ACCURACY_seq_tt) / sizeof(ASN1_TEMPLATE),
311 .funcs = NULL,
312 .size = sizeof(TS_ACCURACY),
313 .sname = "TS_ACCURACY",
314};
315
316
317TS_ACCURACY *
318d2i_TS_ACCURACY(TS_ACCURACY **a, const unsigned char **in, long len)
319{
320 return (TS_ACCURACY *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
321 &TS_ACCURACY_it);
322}
323LCRYPTO_ALIAS(d2i_TS_ACCURACY);
324
325int
326i2d_TS_ACCURACY(const TS_ACCURACY *a, unsigned char **out)
327{
328 return ASN1_item_i2d((ASN1_VALUE *)a, out, &TS_ACCURACY_it);
329}
330LCRYPTO_ALIAS(i2d_TS_ACCURACY);
331
332TS_ACCURACY *
333TS_ACCURACY_new(void)
334{
335 return (TS_ACCURACY *)ASN1_item_new(&TS_ACCURACY_it);
336}
337LCRYPTO_ALIAS(TS_ACCURACY_new);
338
339void
340TS_ACCURACY_free(TS_ACCURACY *a)
341{
342 ASN1_item_free((ASN1_VALUE *)a, &TS_ACCURACY_it);
343}
344LCRYPTO_ALIAS(TS_ACCURACY_free);
345
346TS_ACCURACY *
347TS_ACCURACY_dup(TS_ACCURACY *x)
348{
349 return ASN1_item_dup(&TS_ACCURACY_it, x);
350}
351LCRYPTO_ALIAS(TS_ACCURACY_dup);
352
353static const ASN1_TEMPLATE TS_TST_INFO_seq_tt[] = {
354 {
355 .flags = 0,
356 .tag = 0,
357 .offset = offsetof(TS_TST_INFO, version),
358 .field_name = "version",
359 .item = &ASN1_INTEGER_it,
360 },
361 {
362 .flags = 0,
363 .tag = 0,
364 .offset = offsetof(TS_TST_INFO, policy_id),
365 .field_name = "policy_id",
366 .item = &ASN1_OBJECT_it,
367 },
368 {
369 .flags = 0,
370 .tag = 0,
371 .offset = offsetof(TS_TST_INFO, msg_imprint),
372 .field_name = "msg_imprint",
373 .item = &TS_MSG_IMPRINT_it,
374 },
375 {
376 .flags = 0,
377 .tag = 0,
378 .offset = offsetof(TS_TST_INFO, serial),
379 .field_name = "serial",
380 .item = &ASN1_INTEGER_it,
381 },
382 {
383 .flags = 0,
384 .tag = 0,
385 .offset = offsetof(TS_TST_INFO, time),
386 .field_name = "time",
387 .item = &ASN1_GENERALIZEDTIME_it,
388 },
389 {
390 .flags = ASN1_TFLG_OPTIONAL,
391 .tag = 0,
392 .offset = offsetof(TS_TST_INFO, accuracy),
393 .field_name = "accuracy",
394 .item = &TS_ACCURACY_it,
395 },
396 {
397 .flags = ASN1_TFLG_OPTIONAL,
398 .tag = 0,
399 .offset = offsetof(TS_TST_INFO, ordering),
400 .field_name = "ordering",
401 .item = &ASN1_FBOOLEAN_it,
402 },
403 {
404 .flags = ASN1_TFLG_OPTIONAL,
405 .tag = 0,
406 .offset = offsetof(TS_TST_INFO, nonce),
407 .field_name = "nonce",
408 .item = &ASN1_INTEGER_it,
409 },
410 {
411 .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
412 .tag = 0,
413 .offset = offsetof(TS_TST_INFO, tsa),
414 .field_name = "tsa",
415 .item = &GENERAL_NAME_it,
416 },
417 {
418 .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL,
419 .tag = 1,
420 .offset = offsetof(TS_TST_INFO, extensions),
421 .field_name = "extensions",
422 .item = &X509_EXTENSION_it,
423 },
424};
425
426static const ASN1_ITEM TS_TST_INFO_it = {
427 .itype = ASN1_ITYPE_SEQUENCE,
428 .utype = V_ASN1_SEQUENCE,
429 .templates = TS_TST_INFO_seq_tt,
430 .tcount = sizeof(TS_TST_INFO_seq_tt) / sizeof(ASN1_TEMPLATE),
431 .funcs = NULL,
432 .size = sizeof(TS_TST_INFO),
433 .sname = "TS_TST_INFO",
434};
435
436
437TS_TST_INFO *
438d2i_TS_TST_INFO(TS_TST_INFO **a, const unsigned char **in, long len)
439{
440 return (TS_TST_INFO *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
441 &TS_TST_INFO_it);
442}
443LCRYPTO_ALIAS(d2i_TS_TST_INFO);
444
445int
446i2d_TS_TST_INFO(const TS_TST_INFO *a, unsigned char **out)
447{
448 return ASN1_item_i2d((ASN1_VALUE *)a, out, &TS_TST_INFO_it);
449}
450LCRYPTO_ALIAS(i2d_TS_TST_INFO);
451
452TS_TST_INFO *
453TS_TST_INFO_new(void)
454{
455 return (TS_TST_INFO *)ASN1_item_new(&TS_TST_INFO_it);
456}
457LCRYPTO_ALIAS(TS_TST_INFO_new);
458
459void
460TS_TST_INFO_free(TS_TST_INFO *a)
461{
462 ASN1_item_free((ASN1_VALUE *)a, &TS_TST_INFO_it);
463}
464LCRYPTO_ALIAS(TS_TST_INFO_free);
465
466TS_TST_INFO *
467TS_TST_INFO_dup(TS_TST_INFO *x)
468{
469 return ASN1_item_dup(&TS_TST_INFO_it, x);
470}
471LCRYPTO_ALIAS(TS_TST_INFO_dup);
472
473#ifndef OPENSSL_NO_BIO
474TS_TST_INFO *
475d2i_TS_TST_INFO_bio(BIO *bp, TS_TST_INFO **a)
476{
477 return ASN1_item_d2i_bio(&TS_TST_INFO_it, bp, a);
478}
479LCRYPTO_ALIAS(d2i_TS_TST_INFO_bio);
480
481int
482i2d_TS_TST_INFO_bio(BIO *bp, TS_TST_INFO *a)
483{
484 return ASN1_item_i2d_bio(&TS_TST_INFO_it, bp, a);
485}
486LCRYPTO_ALIAS(i2d_TS_TST_INFO_bio);
487#endif
488
489TS_TST_INFO *
490d2i_TS_TST_INFO_fp(FILE *fp, TS_TST_INFO **a)
491{
492 return ASN1_item_d2i_fp(&TS_TST_INFO_it, fp, a);
493}
494LCRYPTO_ALIAS(d2i_TS_TST_INFO_fp);
495
496int
497i2d_TS_TST_INFO_fp(FILE *fp, TS_TST_INFO *a)
498{
499 return ASN1_item_i2d_fp(&TS_TST_INFO_it, fp, a);
500}
501LCRYPTO_ALIAS(i2d_TS_TST_INFO_fp);
502
503static const ASN1_TEMPLATE TS_STATUS_INFO_seq_tt[] = {
504 {
505 .flags = 0,
506 .tag = 0,
507 .offset = offsetof(TS_STATUS_INFO, status),
508 .field_name = "status",
509 .item = &ASN1_INTEGER_it,
510 },
511 {
512 .flags = ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL,
513 .tag = 0,
514 .offset = offsetof(TS_STATUS_INFO, text),
515 .field_name = "text",
516 .item = &ASN1_UTF8STRING_it,
517 },
518 {
519 .flags = ASN1_TFLG_OPTIONAL,
520 .tag = 0,
521 .offset = offsetof(TS_STATUS_INFO, failure_info),
522 .field_name = "failure_info",
523 .item = &ASN1_BIT_STRING_it,
524 },
525};
526
527static const ASN1_ITEM TS_STATUS_INFO_it = {
528 .itype = ASN1_ITYPE_SEQUENCE,
529 .utype = V_ASN1_SEQUENCE,
530 .templates = TS_STATUS_INFO_seq_tt,
531 .tcount = sizeof(TS_STATUS_INFO_seq_tt) / sizeof(ASN1_TEMPLATE),
532 .funcs = NULL,
533 .size = sizeof(TS_STATUS_INFO),
534 .sname = "TS_STATUS_INFO",
535};
536
537
538TS_STATUS_INFO *
539d2i_TS_STATUS_INFO(TS_STATUS_INFO **a, const unsigned char **in, long len)
540{
541 return (TS_STATUS_INFO *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
542 &TS_STATUS_INFO_it);
543}
544LCRYPTO_ALIAS(d2i_TS_STATUS_INFO);
545
546int
547i2d_TS_STATUS_INFO(const TS_STATUS_INFO *a, unsigned char **out)
548{
549 return ASN1_item_i2d((ASN1_VALUE *)a, out, &TS_STATUS_INFO_it);
550}
551LCRYPTO_ALIAS(i2d_TS_STATUS_INFO);
552
553TS_STATUS_INFO *
554TS_STATUS_INFO_new(void)
555{
556 return (TS_STATUS_INFO *)ASN1_item_new(&TS_STATUS_INFO_it);
557}
558LCRYPTO_ALIAS(TS_STATUS_INFO_new);
559
560void
561TS_STATUS_INFO_free(TS_STATUS_INFO *a)
562{
563 ASN1_item_free((ASN1_VALUE *)a, &TS_STATUS_INFO_it);
564}
565LCRYPTO_ALIAS(TS_STATUS_INFO_free);
566
567TS_STATUS_INFO *
568TS_STATUS_INFO_dup(TS_STATUS_INFO *x)
569{
570 return ASN1_item_dup(&TS_STATUS_INFO_it, x);
571}
572LCRYPTO_ALIAS(TS_STATUS_INFO_dup);
573
574static int
575ts_resp_set_tst_info(TS_RESP *a)
576{
577 long status;
578
579 status = ASN1_INTEGER_get(a->status_info->status);
580
581 if (a->token) {
582 if (status != 0 && status != 1) {
583 TSerror(TS_R_TOKEN_PRESENT);
584 return 0;
585 }
586 if (a->tst_info != NULL)
587 TS_TST_INFO_free(a->tst_info);
588 a->tst_info = PKCS7_to_TS_TST_INFO(a->token);
589 if (!a->tst_info) {
590 TSerror(TS_R_PKCS7_TO_TS_TST_INFO_FAILED);
591 return 0;
592 }
593 } else if (status == 0 || status == 1) {
594 TSerror(TS_R_TOKEN_NOT_PRESENT);
595 return 0;
596 }
597
598 return 1;
599}
600
601static int
602ts_resp_cb(int op, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg)
603{
604 TS_RESP *ts_resp = (TS_RESP *)*pval;
605
606 if (op == ASN1_OP_NEW_POST) {
607 ts_resp->tst_info = NULL;
608 } else if (op == ASN1_OP_FREE_POST) {
609 if (ts_resp->tst_info != NULL)
610 TS_TST_INFO_free(ts_resp->tst_info);
611 } else if (op == ASN1_OP_D2I_POST) {
612 if (ts_resp_set_tst_info(ts_resp) == 0)
613 return 0;
614 }
615 return 1;
616}
617
618static const ASN1_AUX TS_RESP_aux = {
619 .app_data = NULL,
620 .flags = 0,
621 .ref_offset = 0,
622 .ref_lock = 0,
623 .asn1_cb = ts_resp_cb,
624 .enc_offset = 0,
625};
626static const ASN1_TEMPLATE TS_RESP_seq_tt[] = {
627 {
628 .flags = 0,
629 .tag = 0,
630 .offset = offsetof(TS_RESP, status_info),
631 .field_name = "status_info",
632 .item = &TS_STATUS_INFO_it,
633 },
634 {
635 .flags = ASN1_TFLG_OPTIONAL,
636 .tag = 0,
637 .offset = offsetof(TS_RESP, token),
638 .field_name = "token",
639 .item = &PKCS7_it,
640 },
641};
642
643static const ASN1_ITEM TS_RESP_it = {
644 .itype = ASN1_ITYPE_SEQUENCE,
645 .utype = V_ASN1_SEQUENCE,
646 .templates = TS_RESP_seq_tt,
647 .tcount = sizeof(TS_RESP_seq_tt) / sizeof(ASN1_TEMPLATE),
648 .funcs = &TS_RESP_aux,
649 .size = sizeof(TS_RESP),
650 .sname = "TS_RESP",
651};
652
653
654TS_RESP *
655d2i_TS_RESP(TS_RESP **a, const unsigned char **in, long len)
656{
657 return (TS_RESP *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
658 &TS_RESP_it);
659}
660LCRYPTO_ALIAS(d2i_TS_RESP);
661
662int
663i2d_TS_RESP(const TS_RESP *a, unsigned char **out)
664{
665 return ASN1_item_i2d((ASN1_VALUE *)a, out, &TS_RESP_it);
666}
667LCRYPTO_ALIAS(i2d_TS_RESP);
668
669TS_RESP *
670TS_RESP_new(void)
671{
672 return (TS_RESP *)ASN1_item_new(&TS_RESP_it);
673}
674LCRYPTO_ALIAS(TS_RESP_new);
675
676void
677TS_RESP_free(TS_RESP *a)
678{
679 ASN1_item_free((ASN1_VALUE *)a, &TS_RESP_it);
680}
681LCRYPTO_ALIAS(TS_RESP_free);
682
683TS_RESP *
684TS_RESP_dup(TS_RESP *x)
685{
686 return ASN1_item_dup(&TS_RESP_it, x);
687}
688LCRYPTO_ALIAS(TS_RESP_dup);
689
690#ifndef OPENSSL_NO_BIO
691TS_RESP *
692d2i_TS_RESP_bio(BIO *bp, TS_RESP **a)
693{
694 return ASN1_item_d2i_bio(&TS_RESP_it, bp, a);
695}
696LCRYPTO_ALIAS(d2i_TS_RESP_bio);
697
698int
699i2d_TS_RESP_bio(BIO *bp, TS_RESP *a)
700{
701 return ASN1_item_i2d_bio(&TS_RESP_it, bp, a);
702}
703LCRYPTO_ALIAS(i2d_TS_RESP_bio);
704#endif
705
706TS_RESP *
707d2i_TS_RESP_fp(FILE *fp, TS_RESP **a)
708{
709 return ASN1_item_d2i_fp(&TS_RESP_it, fp, a);
710}
711LCRYPTO_ALIAS(d2i_TS_RESP_fp);
712
713int
714i2d_TS_RESP_fp(FILE *fp, TS_RESP *a)
715{
716 return ASN1_item_i2d_fp(&TS_RESP_it, fp, a);
717}
718LCRYPTO_ALIAS(i2d_TS_RESP_fp);
719
720static const ASN1_TEMPLATE ESS_ISSUER_SERIAL_seq_tt[] = {
721 {
722 .flags = ASN1_TFLG_SEQUENCE_OF,
723 .tag = 0,
724 .offset = offsetof(ESS_ISSUER_SERIAL, issuer),
725 .field_name = "issuer",
726 .item = &GENERAL_NAME_it,
727 },
728 {
729 .flags = 0,
730 .tag = 0,
731 .offset = offsetof(ESS_ISSUER_SERIAL, serial),
732 .field_name = "serial",
733 .item = &ASN1_INTEGER_it,
734 },
735};
736
737static const ASN1_ITEM ESS_ISSUER_SERIAL_it = {
738 .itype = ASN1_ITYPE_SEQUENCE,
739 .utype = V_ASN1_SEQUENCE,
740 .templates = ESS_ISSUER_SERIAL_seq_tt,
741 .tcount = sizeof(ESS_ISSUER_SERIAL_seq_tt) / sizeof(ASN1_TEMPLATE),
742 .funcs = NULL,
743 .size = sizeof(ESS_ISSUER_SERIAL),
744 .sname = "ESS_ISSUER_SERIAL",
745};
746
747
748ESS_ISSUER_SERIAL *
749d2i_ESS_ISSUER_SERIAL(ESS_ISSUER_SERIAL **a, const unsigned char **in, long len)
750{
751 return (ESS_ISSUER_SERIAL *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
752 &ESS_ISSUER_SERIAL_it);
753}
754LCRYPTO_ALIAS(d2i_ESS_ISSUER_SERIAL);
755
756int
757i2d_ESS_ISSUER_SERIAL(const ESS_ISSUER_SERIAL *a, unsigned char **out)
758{
759 return ASN1_item_i2d((ASN1_VALUE *)a, out, &ESS_ISSUER_SERIAL_it);
760}
761LCRYPTO_ALIAS(i2d_ESS_ISSUER_SERIAL);
762
763ESS_ISSUER_SERIAL *
764ESS_ISSUER_SERIAL_new(void)
765{
766 return (ESS_ISSUER_SERIAL *)ASN1_item_new(&ESS_ISSUER_SERIAL_it);
767}
768LCRYPTO_ALIAS(ESS_ISSUER_SERIAL_new);
769
770void
771ESS_ISSUER_SERIAL_free(ESS_ISSUER_SERIAL *a)
772{
773 ASN1_item_free((ASN1_VALUE *)a, &ESS_ISSUER_SERIAL_it);
774}
775LCRYPTO_ALIAS(ESS_ISSUER_SERIAL_free);
776
777ESS_ISSUER_SERIAL *
778ESS_ISSUER_SERIAL_dup(ESS_ISSUER_SERIAL *x)
779{
780 return ASN1_item_dup(&ESS_ISSUER_SERIAL_it, x);
781}
782LCRYPTO_ALIAS(ESS_ISSUER_SERIAL_dup);
783
784static const ASN1_TEMPLATE ESS_CERT_ID_seq_tt[] = {
785 {
786 .flags = 0,
787 .tag = 0,
788 .offset = offsetof(ESS_CERT_ID, hash),
789 .field_name = "hash",
790 .item = &ASN1_OCTET_STRING_it,
791 },
792 {
793 .flags = ASN1_TFLG_OPTIONAL,
794 .tag = 0,
795 .offset = offsetof(ESS_CERT_ID, issuer_serial),
796 .field_name = "issuer_serial",
797 .item = &ESS_ISSUER_SERIAL_it,
798 },
799};
800
801static const ASN1_ITEM ESS_CERT_ID_it = {
802 .itype = ASN1_ITYPE_SEQUENCE,
803 .utype = V_ASN1_SEQUENCE,
804 .templates = ESS_CERT_ID_seq_tt,
805 .tcount = sizeof(ESS_CERT_ID_seq_tt) / sizeof(ASN1_TEMPLATE),
806 .funcs = NULL,
807 .size = sizeof(ESS_CERT_ID),
808 .sname = "ESS_CERT_ID",
809};
810
811
812ESS_CERT_ID *
813d2i_ESS_CERT_ID(ESS_CERT_ID **a, const unsigned char **in, long len)
814{
815 return (ESS_CERT_ID *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
816 &ESS_CERT_ID_it);
817}
818LCRYPTO_ALIAS(d2i_ESS_CERT_ID);
819
820int
821i2d_ESS_CERT_ID(const ESS_CERT_ID *a, unsigned char **out)
822{
823 return ASN1_item_i2d((ASN1_VALUE *)a, out, &ESS_CERT_ID_it);
824}
825LCRYPTO_ALIAS(i2d_ESS_CERT_ID);
826
827ESS_CERT_ID *
828ESS_CERT_ID_new(void)
829{
830 return (ESS_CERT_ID *)ASN1_item_new(&ESS_CERT_ID_it);
831}
832LCRYPTO_ALIAS(ESS_CERT_ID_new);
833
834void
835ESS_CERT_ID_free(ESS_CERT_ID *a)
836{
837 ASN1_item_free((ASN1_VALUE *)a, &ESS_CERT_ID_it);
838}
839LCRYPTO_ALIAS(ESS_CERT_ID_free);
840
841ESS_CERT_ID *
842ESS_CERT_ID_dup(ESS_CERT_ID *x)
843{
844 return ASN1_item_dup(&ESS_CERT_ID_it, x);
845}
846LCRYPTO_ALIAS(ESS_CERT_ID_dup);
847
848static const ASN1_TEMPLATE ESS_SIGNING_CERT_seq_tt[] = {
849 {
850 .flags = ASN1_TFLG_SEQUENCE_OF,
851 .tag = 0,
852 .offset = offsetof(ESS_SIGNING_CERT, cert_ids),
853 .field_name = "cert_ids",
854 .item = &ESS_CERT_ID_it,
855 },
856 {
857 .flags = ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL,
858 .tag = 0,
859 .offset = offsetof(ESS_SIGNING_CERT, policy_info),
860 .field_name = "policy_info",
861 .item = &POLICYINFO_it,
862 },
863};
864
865static const ASN1_ITEM ESS_SIGNING_CERT_it = {
866 .itype = ASN1_ITYPE_SEQUENCE,
867 .utype = V_ASN1_SEQUENCE,
868 .templates = ESS_SIGNING_CERT_seq_tt,
869 .tcount = sizeof(ESS_SIGNING_CERT_seq_tt) / sizeof(ASN1_TEMPLATE),
870 .funcs = NULL,
871 .size = sizeof(ESS_SIGNING_CERT),
872 .sname = "ESS_SIGNING_CERT",
873};
874
875
876ESS_SIGNING_CERT *
877d2i_ESS_SIGNING_CERT(ESS_SIGNING_CERT **a, const unsigned char **in, long len)
878{
879 return (ESS_SIGNING_CERT *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
880 &ESS_SIGNING_CERT_it);
881}
882LCRYPTO_ALIAS(d2i_ESS_SIGNING_CERT);
883
884int
885i2d_ESS_SIGNING_CERT(const ESS_SIGNING_CERT *a, unsigned char **out)
886{
887 return ASN1_item_i2d((ASN1_VALUE *)a, out, &ESS_SIGNING_CERT_it);
888}
889LCRYPTO_ALIAS(i2d_ESS_SIGNING_CERT);
890
891ESS_SIGNING_CERT *
892ESS_SIGNING_CERT_new(void)
893{
894 return (ESS_SIGNING_CERT *)ASN1_item_new(&ESS_SIGNING_CERT_it);
895}
896LCRYPTO_ALIAS(ESS_SIGNING_CERT_new);
897
898void
899ESS_SIGNING_CERT_free(ESS_SIGNING_CERT *a)
900{
901 ASN1_item_free((ASN1_VALUE *)a, &ESS_SIGNING_CERT_it);
902}
903LCRYPTO_ALIAS(ESS_SIGNING_CERT_free);
904
905ESS_SIGNING_CERT *
906ESS_SIGNING_CERT_dup(ESS_SIGNING_CERT *x)
907{
908 return ASN1_item_dup(&ESS_SIGNING_CERT_it, x);
909}
910LCRYPTO_ALIAS(ESS_SIGNING_CERT_dup);
911
912static const ASN1_TEMPLATE ESS_CERT_ID_V2_seq_tt[] = {
913 {
914 .flags = ASN1_TFLG_OPTIONAL,
915 .tag = 0,
916 .offset = offsetof(ESS_CERT_ID_V2, hash_alg),
917 .field_name = "hash_alg",
918 .item = &X509_ALGOR_it,
919 },
920 {
921 .flags = 0,
922 .tag = 0,
923 .offset = offsetof(ESS_CERT_ID_V2, hash),
924 .field_name = "hash",
925 .item = &ASN1_OCTET_STRING_it,
926 },
927 {
928 .flags = ASN1_TFLG_OPTIONAL,
929 .tag = 0,
930 .offset = offsetof(ESS_CERT_ID_V2, issuer_serial),
931 .field_name = "issuer_serial",
932 .item = &ESS_ISSUER_SERIAL_it,
933 },
934};
935
936static const ASN1_ITEM ESS_CERT_ID_V2_it = {
937 .itype = ASN1_ITYPE_SEQUENCE,
938 .utype = V_ASN1_SEQUENCE,
939 .templates = ESS_CERT_ID_V2_seq_tt,
940 .tcount = sizeof(ESS_CERT_ID_V2_seq_tt) / sizeof(ASN1_TEMPLATE),
941 .funcs = NULL,
942 .size = sizeof(ESS_CERT_ID_V2),
943 .sname = "ESS_CERT_ID_V2",
944};
945
946ESS_CERT_ID_V2 *
947d2i_ESS_CERT_ID_V2(ESS_CERT_ID_V2 **a, const unsigned char **in, long len)
948{
949 return (ESS_CERT_ID_V2 *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
950 &ESS_CERT_ID_V2_it);
951}
952
953int
954i2d_ESS_CERT_ID_V2(const ESS_CERT_ID_V2 *a, unsigned char **out)
955{
956 return ASN1_item_i2d((ASN1_VALUE *)a, out, &ESS_CERT_ID_V2_it);
957}
958
959ESS_CERT_ID_V2 *
960ESS_CERT_ID_V2_new(void)
961{
962 return (ESS_CERT_ID_V2 *)ASN1_item_new(&ESS_CERT_ID_V2_it);
963}
964
965void
966ESS_CERT_ID_V2_free(ESS_CERT_ID_V2 *a)
967{
968 ASN1_item_free((ASN1_VALUE *)a, &ESS_CERT_ID_V2_it);
969}
970
971ESS_CERT_ID_V2 *
972ESS_CERT_ID_V2_dup(ESS_CERT_ID_V2 *x)
973{
974 return ASN1_item_dup(&ESS_CERT_ID_V2_it, x);
975}
976
977static const ASN1_TEMPLATE ESS_SIGNING_CERT_V2_seq_tt[] = {
978 {
979 .flags = ASN1_TFLG_SEQUENCE_OF,
980 .tag = 0,
981 .offset = offsetof(ESS_SIGNING_CERT_V2, cert_ids),
982 .field_name = "cert_ids",
983 .item = &ESS_CERT_ID_V2_it,
984 },
985 {
986 .flags = ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL,
987 .tag = 0,
988 .offset = offsetof(ESS_SIGNING_CERT_V2, policy_info),
989 .field_name = "policy_info",
990 .item = &POLICYINFO_it,
991 },
992};
993
994static const ASN1_ITEM ESS_SIGNING_CERT_V2_it = {
995 .itype = ASN1_ITYPE_SEQUENCE,
996 .utype = V_ASN1_SEQUENCE,
997 .templates = ESS_SIGNING_CERT_V2_seq_tt,
998 .tcount = sizeof(ESS_SIGNING_CERT_V2_seq_tt) / sizeof(ASN1_TEMPLATE),
999 .funcs = NULL,
1000 .size = sizeof(ESS_SIGNING_CERT_V2),
1001 .sname = "ESS_SIGNING_CERT_V2",
1002};
1003
1004ESS_SIGNING_CERT_V2 *
1005d2i_ESS_SIGNING_CERT_V2(ESS_SIGNING_CERT_V2 **a, const unsigned char **in, long len)
1006{
1007 return (ESS_SIGNING_CERT_V2 *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
1008 &ESS_SIGNING_CERT_V2_it);
1009}
1010
1011int
1012i2d_ESS_SIGNING_CERT_V2(const ESS_SIGNING_CERT_V2 *a, unsigned char **out)
1013{
1014 return ASN1_item_i2d((ASN1_VALUE *)a, out, &ESS_SIGNING_CERT_V2_it);
1015}
1016
1017ESS_SIGNING_CERT_V2 *
1018ESS_SIGNING_CERT_V2_new(void)
1019{
1020 return (ESS_SIGNING_CERT_V2 *)ASN1_item_new(&ESS_SIGNING_CERT_V2_it);
1021}
1022
1023void
1024ESS_SIGNING_CERT_V2_free(ESS_SIGNING_CERT_V2 *a)
1025{
1026 ASN1_item_free((ASN1_VALUE *)a, &ESS_SIGNING_CERT_V2_it);
1027}
1028
1029ESS_SIGNING_CERT_V2 *
1030ESS_SIGNING_CERT_V2_dup(ESS_SIGNING_CERT_V2 *x)
1031{
1032 return ASN1_item_dup(&ESS_SIGNING_CERT_V2_it, x);
1033}
1034
1035/* Getting encapsulated TS_TST_INFO object from PKCS7. */
1036TS_TST_INFO *
1037PKCS7_to_TS_TST_INFO(PKCS7 *token)
1038{
1039 PKCS7_SIGNED *pkcs7_signed;
1040 PKCS7 *enveloped;
1041 ASN1_TYPE *tst_info_wrapper;
1042 ASN1_OCTET_STRING *tst_info_der;
1043 const unsigned char *p;
1044
1045 if (!PKCS7_type_is_signed(token)) {
1046 TSerror(TS_R_BAD_PKCS7_TYPE);
1047 return NULL;
1048 }
1049
1050 /* Content must be present. */
1051 if (PKCS7_get_detached(token)) {
1052 TSerror(TS_R_DETACHED_CONTENT);
1053 return NULL;
1054 }
1055
1056 /* We have a signed data with content. */
1057 pkcs7_signed = token->d.sign;
1058 enveloped = pkcs7_signed->contents;
1059 if (OBJ_obj2nid(enveloped->type) != NID_id_smime_ct_TSTInfo) {
1060 TSerror(TS_R_BAD_PKCS7_TYPE);
1061 return NULL;
1062 }
1063
1064 /* We have a DER encoded TST_INFO as the signed data. */
1065 tst_info_wrapper = enveloped->d.other;
1066 if (tst_info_wrapper->type != V_ASN1_OCTET_STRING) {
1067 TSerror(TS_R_BAD_TYPE);
1068 return NULL;
1069 }
1070
1071 /* We have the correct ASN1_OCTET_STRING type. */
1072 tst_info_der = tst_info_wrapper->value.octet_string;
1073 /* At last, decode the TST_INFO. */
1074 p = tst_info_der->data;
1075 return d2i_TS_TST_INFO(NULL, &p, tst_info_der->length);
1076}
1077LCRYPTO_ALIAS(PKCS7_to_TS_TST_INFO);
diff --git a/src/lib/libcrypto/ts/ts_conf.c b/src/lib/libcrypto/ts/ts_conf.c
deleted file mode 100644
index bd499238f5..0000000000
--- a/src/lib/libcrypto/ts/ts_conf.c
+++ /dev/null
@@ -1,517 +0,0 @@
1/* $OpenBSD: ts_conf.c,v 1.15 2024/08/26 22:01:28 op Exp $ */
2/* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
3 * project 2002.
4 */
5/* ====================================================================
6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <limits.h>
60#include <stdlib.h>
61#include <string.h>
62
63#include <openssl/opensslconf.h>
64
65#include <openssl/crypto.h>
66#include <openssl/err.h>
67#include <openssl/pem.h>
68#include <openssl/ts.h>
69
70/* Macro definitions for the configuration file. */
71
72#define BASE_SECTION "tsa"
73#define ENV_DEFAULT_TSA "default_tsa"
74#define ENV_SERIAL "serial"
75#define ENV_CRYPTO_DEVICE "crypto_device"
76#define ENV_SIGNER_CERT "signer_cert"
77#define ENV_CERTS "certs"
78#define ENV_SIGNER_KEY "signer_key"
79#define ENV_DEFAULT_POLICY "default_policy"
80#define ENV_OTHER_POLICIES "other_policies"
81#define ENV_DIGESTS "digests"
82#define ENV_ACCURACY "accuracy"
83#define ENV_ORDERING "ordering"
84#define ENV_TSA_NAME "tsa_name"
85#define ENV_ESS_CERT_ID_CHAIN "ess_cert_id_chain"
86#define ENV_VALUE_SECS "secs"
87#define ENV_VALUE_MILLISECS "millisecs"
88#define ENV_VALUE_MICROSECS "microsecs"
89#define ENV_CLOCK_PRECISION_DIGITS "clock_precision_digits"
90#define ENV_VALUE_YES "yes"
91#define ENV_VALUE_NO "no"
92
93/* Function definitions for certificate and key loading. */
94
95X509 *
96TS_CONF_load_cert(const char *file)
97{
98 BIO *cert = NULL;
99 X509 *x = NULL;
100
101 if ((cert = BIO_new_file(file, "r")) == NULL)
102 goto end;
103 x = PEM_read_bio_X509_AUX(cert, NULL, NULL, NULL);
104
105end:
106 if (x == NULL)
107 fprintf(stderr, "unable to load certificate: %s\n", file);
108 BIO_free(cert);
109 return x;
110}
111LCRYPTO_ALIAS(TS_CONF_load_cert);
112
113STACK_OF(X509) *
114TS_CONF_load_certs(const char *file)
115{
116 BIO *certs = NULL;
117 STACK_OF(X509) *othercerts = NULL;
118 STACK_OF(X509_INFO) *allcerts = NULL;
119 int i;
120
121 if (!(certs = BIO_new_file(file, "r")))
122 goto end;
123
124 if (!(othercerts = sk_X509_new_null()))
125 goto end;
126 allcerts = PEM_X509_INFO_read_bio(certs, NULL, NULL, NULL);
127 for (i = 0; i < sk_X509_INFO_num(allcerts); i++) {
128 X509_INFO *xi = sk_X509_INFO_value(allcerts, i);
129 if (xi->x509) {
130 if (sk_X509_push(othercerts, xi->x509) == 0) {
131 sk_X509_pop_free(othercerts, X509_free);
132 othercerts = NULL;
133 goto end;
134 }
135 xi->x509 = NULL;
136 }
137 }
138
139end:
140 if (othercerts == NULL)
141 fprintf(stderr, "unable to load certificates: %s\n", file);
142 sk_X509_INFO_pop_free(allcerts, X509_INFO_free);
143 BIO_free(certs);
144 return othercerts;
145}
146LCRYPTO_ALIAS(TS_CONF_load_certs);
147
148EVP_PKEY *
149TS_CONF_load_key(const char *file, const char *pass)
150{
151 BIO *key = NULL;
152 EVP_PKEY *pkey = NULL;
153
154 if (!(key = BIO_new_file(file, "r")))
155 goto end;
156 pkey = PEM_read_bio_PrivateKey(key, NULL, NULL, (char *) pass);
157
158end:
159 if (pkey == NULL)
160 fprintf(stderr, "unable to load private key: %s\n", file);
161 BIO_free(key);
162 return pkey;
163}
164LCRYPTO_ALIAS(TS_CONF_load_key);
165
166/* Function definitions for handling configuration options. */
167
168static void
169TS_CONF_lookup_fail(const char *name, const char *tag)
170{
171 fprintf(stderr, "variable lookup failed for %s::%s\n", name, tag);
172}
173
174static void
175TS_CONF_invalid(const char *name, const char *tag)
176{
177 fprintf(stderr, "invalid variable value for %s::%s\n", name, tag);
178}
179
180const char *
181TS_CONF_get_tsa_section(CONF *conf, const char *section)
182{
183 if (!section) {
184 section = NCONF_get_string(conf, BASE_SECTION, ENV_DEFAULT_TSA);
185 if (!section)
186 TS_CONF_lookup_fail(BASE_SECTION, ENV_DEFAULT_TSA);
187 }
188 return section;
189}
190LCRYPTO_ALIAS(TS_CONF_get_tsa_section);
191
192int
193TS_CONF_set_serial(CONF *conf, const char *section, TS_serial_cb cb,
194 TS_RESP_CTX *ctx)
195{
196 int ret = 0;
197 char *serial = NCONF_get_string(conf, section, ENV_SERIAL);
198
199 if (!serial) {
200 TS_CONF_lookup_fail(section, ENV_SERIAL);
201 goto err;
202 }
203 TS_RESP_CTX_set_serial_cb(ctx, cb, serial);
204
205 ret = 1;
206
207err:
208 return ret;
209}
210LCRYPTO_ALIAS(TS_CONF_set_serial);
211
212int
213TS_CONF_set_signer_cert(CONF *conf, const char *section, const char *cert,
214 TS_RESP_CTX *ctx)
215{
216 int ret = 0;
217 X509 *cert_obj = NULL;
218
219 if (!cert)
220 cert = NCONF_get_string(conf, section, ENV_SIGNER_CERT);
221 if (!cert) {
222 TS_CONF_lookup_fail(section, ENV_SIGNER_CERT);
223 goto err;
224 }
225 if (!(cert_obj = TS_CONF_load_cert(cert)))
226 goto err;
227 if (!TS_RESP_CTX_set_signer_cert(ctx, cert_obj))
228 goto err;
229
230 ret = 1;
231
232err:
233 X509_free(cert_obj);
234 return ret;
235}
236LCRYPTO_ALIAS(TS_CONF_set_signer_cert);
237
238int
239TS_CONF_set_certs(CONF *conf, const char *section, const char *certs,
240 TS_RESP_CTX *ctx)
241{
242 int ret = 0;
243 STACK_OF(X509) *certs_obj = NULL;
244
245 if (!certs)
246 certs = NCONF_get_string(conf, section, ENV_CERTS);
247 /* Certificate chain is optional. */
248 if (!certs)
249 goto end;
250 if (!(certs_obj = TS_CONF_load_certs(certs)))
251 goto err;
252 if (!TS_RESP_CTX_set_certs(ctx, certs_obj))
253 goto err;
254
255end:
256 ret = 1;
257err:
258 sk_X509_pop_free(certs_obj, X509_free);
259 return ret;
260}
261LCRYPTO_ALIAS(TS_CONF_set_certs);
262
263int
264TS_CONF_set_signer_key(CONF *conf, const char *section, const char *key,
265 const char *pass, TS_RESP_CTX *ctx)
266{
267 int ret = 0;
268 EVP_PKEY *key_obj = NULL;
269
270 if (!key)
271 key = NCONF_get_string(conf, section, ENV_SIGNER_KEY);
272 if (!key) {
273 TS_CONF_lookup_fail(section, ENV_SIGNER_KEY);
274 goto err;
275 }
276 if (!(key_obj = TS_CONF_load_key(key, pass)))
277 goto err;
278 if (!TS_RESP_CTX_set_signer_key(ctx, key_obj))
279 goto err;
280
281 ret = 1;
282
283err:
284 EVP_PKEY_free(key_obj);
285 return ret;
286}
287LCRYPTO_ALIAS(TS_CONF_set_signer_key);
288
289int
290TS_CONF_set_def_policy(CONF *conf, const char *section, const char *policy,
291 TS_RESP_CTX *ctx)
292{
293 int ret = 0;
294 ASN1_OBJECT *policy_obj = NULL;
295
296 if (!policy)
297 policy = NCONF_get_string(conf, section, ENV_DEFAULT_POLICY);
298 if (!policy) {
299 TS_CONF_lookup_fail(section, ENV_DEFAULT_POLICY);
300 goto err;
301 }
302 if (!(policy_obj = OBJ_txt2obj(policy, 0))) {
303 TS_CONF_invalid(section, ENV_DEFAULT_POLICY);
304 goto err;
305 }
306 if (!TS_RESP_CTX_set_def_policy(ctx, policy_obj))
307 goto err;
308
309 ret = 1;
310
311err:
312 ASN1_OBJECT_free(policy_obj);
313 return ret;
314}
315LCRYPTO_ALIAS(TS_CONF_set_def_policy);
316
317int
318TS_CONF_set_policies(CONF *conf, const char *section, TS_RESP_CTX *ctx)
319{
320 int ret = 0;
321 int i;
322 STACK_OF(CONF_VALUE) *list = NULL;
323 char *policies = NCONF_get_string(conf, section, ENV_OTHER_POLICIES);
324
325 /* If no other policy is specified, that's fine. */
326 if (policies && !(list = X509V3_parse_list(policies))) {
327 TS_CONF_invalid(section, ENV_OTHER_POLICIES);
328 goto err;
329 }
330 for (i = 0; i < sk_CONF_VALUE_num(list); ++i) {
331 CONF_VALUE *val = sk_CONF_VALUE_value(list, i);
332 const char *extval = val->value ? val->value : val->name;
333 ASN1_OBJECT *objtmp;
334 if (!(objtmp = OBJ_txt2obj(extval, 0))) {
335 TS_CONF_invalid(section, ENV_OTHER_POLICIES);
336 goto err;
337 }
338 if (!TS_RESP_CTX_add_policy(ctx, objtmp))
339 goto err;
340 ASN1_OBJECT_free(objtmp);
341 }
342
343 ret = 1;
344
345err:
346 sk_CONF_VALUE_pop_free(list, X509V3_conf_free);
347 return ret;
348}
349LCRYPTO_ALIAS(TS_CONF_set_policies);
350
351int
352TS_CONF_set_digests(CONF *conf, const char *section, TS_RESP_CTX *ctx)
353{
354 int ret = 0;
355 int i;
356 STACK_OF(CONF_VALUE) *list = NULL;
357 char *digests = NCONF_get_string(conf, section, ENV_DIGESTS);
358
359 if (!digests) {
360 TS_CONF_lookup_fail(section, ENV_DIGESTS);
361 goto err;
362 }
363 if (!(list = X509V3_parse_list(digests))) {
364 TS_CONF_invalid(section, ENV_DIGESTS);
365 goto err;
366 }
367 if (sk_CONF_VALUE_num(list) == 0) {
368 TS_CONF_invalid(section, ENV_DIGESTS);
369 goto err;
370 }
371 for (i = 0; i < sk_CONF_VALUE_num(list); ++i) {
372 CONF_VALUE *val = sk_CONF_VALUE_value(list, i);
373 const char *extval = val->value ? val->value : val->name;
374 const EVP_MD *md;
375 if (!(md = EVP_get_digestbyname(extval))) {
376 TS_CONF_invalid(section, ENV_DIGESTS);
377 goto err;
378 }
379 if (!TS_RESP_CTX_add_md(ctx, md))
380 goto err;
381 }
382
383 ret = 1;
384
385err:
386 sk_CONF_VALUE_pop_free(list, X509V3_conf_free);
387 return ret;
388}
389LCRYPTO_ALIAS(TS_CONF_set_digests);
390
391int
392TS_CONF_set_accuracy(CONF *conf, const char *section, TS_RESP_CTX *ctx)
393{
394 int ret = 0;
395 int i;
396 int secs = 0, millis = 0, micros = 0;
397 STACK_OF(CONF_VALUE) *list = NULL;
398 char *accuracy = NCONF_get_string(conf, section, ENV_ACCURACY);
399 const char *errstr;
400
401 if (accuracy && !(list = X509V3_parse_list(accuracy))) {
402 TS_CONF_invalid(section, ENV_ACCURACY);
403 goto err;
404 }
405 for (i = 0; i < sk_CONF_VALUE_num(list); ++i) {
406 CONF_VALUE *val = sk_CONF_VALUE_value(list, i);
407 if (strcmp(val->name, ENV_VALUE_SECS) == 0) {
408 if (val->value) {
409 secs = strtonum(val->value, 0, INT_MAX,
410 &errstr);
411 if (errstr != NULL) {
412 TS_CONF_invalid(section,
413 ENV_VALUE_SECS);
414 goto err;
415 }
416 }
417 } else if (strcmp(val->name, ENV_VALUE_MILLISECS) == 0) {
418 if (val->value) {
419 millis = strtonum(val->value, 1, 999, &errstr);
420 if (errstr != NULL) {
421 TS_CONF_invalid(section,
422 ENV_VALUE_MILLISECS);
423 goto err;
424 }
425 }
426 } else if (strcmp(val->name, ENV_VALUE_MICROSECS) == 0) {
427 if (val->value) {
428 micros = strtonum(val->value, 1, 999, &errstr);
429 if (errstr != NULL) {
430 TS_CONF_invalid(section,
431 ENV_VALUE_MICROSECS);
432 goto err;
433 }
434 }
435 } else {
436 TS_CONF_invalid(section, ENV_ACCURACY);
437 goto err;
438 }
439 }
440 if (!TS_RESP_CTX_set_accuracy(ctx, secs, millis, micros))
441 goto err;
442
443 ret = 1;
444
445err:
446 sk_CONF_VALUE_pop_free(list, X509V3_conf_free);
447 return ret;
448}
449LCRYPTO_ALIAS(TS_CONF_set_accuracy);
450
451int
452TS_CONF_set_clock_precision_digits(CONF *conf, const char *section,
453 TS_RESP_CTX *ctx)
454{
455 int ret = 0;
456 long digits = 0;
457
458 /* If not specified, set the default value to 0, i.e. sec precision */
459 if (!NCONF_get_number_e(conf, section, ENV_CLOCK_PRECISION_DIGITS,
460 &digits))
461 digits = 0;
462 /* We only support second precision, so reject everything else */
463 if (digits != 0) {
464 TS_CONF_invalid(section, ENV_CLOCK_PRECISION_DIGITS);
465 goto err;
466 }
467
468 if (!TS_RESP_CTX_set_clock_precision_digits(ctx, digits))
469 goto err;
470
471 return 1;
472
473err:
474 return ret;
475}
476LCRYPTO_ALIAS(TS_CONF_set_clock_precision_digits);
477
478static int
479TS_CONF_add_flag(CONF *conf, const char *section, const char *field, int flag,
480 TS_RESP_CTX *ctx)
481{
482 /* Default is false. */
483 const char *value = NCONF_get_string(conf, section, field);
484
485 if (value) {
486 if (strcmp(value, ENV_VALUE_YES) == 0)
487 TS_RESP_CTX_add_flags(ctx, flag);
488 else if (strcmp(value, ENV_VALUE_NO) != 0) {
489 TS_CONF_invalid(section, field);
490 return 0;
491 }
492 }
493
494 return 1;
495}
496
497int
498TS_CONF_set_ordering(CONF *conf, const char *section, TS_RESP_CTX *ctx)
499{
500 return TS_CONF_add_flag(conf, section, ENV_ORDERING, TS_ORDERING, ctx);
501}
502LCRYPTO_ALIAS(TS_CONF_set_ordering);
503
504int
505TS_CONF_set_tsa_name(CONF *conf, const char *section, TS_RESP_CTX *ctx)
506{
507 return TS_CONF_add_flag(conf, section, ENV_TSA_NAME, TS_TSA_NAME, ctx);
508}
509LCRYPTO_ALIAS(TS_CONF_set_tsa_name);
510
511int
512TS_CONF_set_ess_cert_id_chain(CONF *conf, const char *section, TS_RESP_CTX *ctx)
513{
514 return TS_CONF_add_flag(conf, section, ENV_ESS_CERT_ID_CHAIN,
515 TS_ESS_CERT_ID_CHAIN, ctx);
516}
517LCRYPTO_ALIAS(TS_CONF_set_ess_cert_id_chain);
diff --git a/src/lib/libcrypto/ts/ts_err.c b/src/lib/libcrypto/ts/ts_err.c
deleted file mode 100644
index c0dcc73099..0000000000
--- a/src/lib/libcrypto/ts/ts_err.c
+++ /dev/null
@@ -1,126 +0,0 @@
1/* $OpenBSD: ts_err.c,v 1.8 2024/06/24 06:43:22 tb Exp $ */
2/* ====================================================================
3 * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 *
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in
14 * the documentation and/or other materials provided with the
15 * distribution.
16 *
17 * 3. All advertising materials mentioning features or use of this
18 * software must display the following acknowledgment:
19 * "This product includes software developed by the OpenSSL Project
20 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
21 *
22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23 * endorse or promote products derived from this software without
24 * prior written permission. For written permission, please contact
25 * openssl-core@OpenSSL.org.
26 *
27 * 5. Products derived from this software may not be called "OpenSSL"
28 * nor may "OpenSSL" appear in their names without prior written
29 * permission of the OpenSSL Project.
30 *
31 * 6. Redistributions of any form whatsoever must retain the following
32 * acknowledgment:
33 * "This product includes software developed by the OpenSSL Project
34 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
35 *
36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47 * OF THE POSSIBILITY OF SUCH DAMAGE.
48 * ====================================================================
49 *
50 * This product includes cryptographic software written by Eric Young
51 * (eay@cryptsoft.com). This product includes software written by Tim
52 * Hudson (tjh@cryptsoft.com).
53 *
54 */
55
56#include <stdio.h>
57
58#include <openssl/opensslconf.h>
59
60#include <openssl/err.h>
61#include <openssl/ts.h>
62
63#include "err_local.h"
64
65#ifndef OPENSSL_NO_ERR
66
67#define ERR_FUNC(func) ERR_PACK(ERR_LIB_TS,func,0)
68#define ERR_REASON(reason) ERR_PACK(ERR_LIB_TS,0,reason)
69
70static const ERR_STRING_DATA TS_str_functs[] = {
71 {ERR_FUNC(0xfff), "CRYPTO_internal"},
72 {0, NULL}
73};
74
75static const ERR_STRING_DATA TS_str_reasons[] = {
76 {ERR_REASON(TS_R_BAD_PKCS7_TYPE) , "bad pkcs7 type"},
77 {ERR_REASON(TS_R_BAD_TYPE) , "bad type"},
78 {ERR_REASON(TS_R_CERTIFICATE_VERIFY_ERROR), "certificate verify error"},
79 {ERR_REASON(TS_R_COULD_NOT_SET_ENGINE) , "could not set engine"},
80 {ERR_REASON(TS_R_COULD_NOT_SET_TIME) , "could not set time"},
81 {ERR_REASON(TS_R_D2I_TS_RESP_INT_FAILED) , "d2i ts resp int failed"},
82 {ERR_REASON(TS_R_DETACHED_CONTENT) , "detached content"},
83 {ERR_REASON(TS_R_ESS_ADD_SIGNING_CERT_ERROR), "ess add signing cert error"},
84 {ERR_REASON(TS_R_ESS_SIGNING_CERTIFICATE_ERROR), "ess signing certificate error"},
85 {ERR_REASON(TS_R_INVALID_NULL_POINTER) , "invalid null pointer"},
86 {ERR_REASON(TS_R_INVALID_SIGNER_CERTIFICATE_PURPOSE), "invalid signer certificate purpose"},
87 {ERR_REASON(TS_R_MESSAGE_IMPRINT_MISMATCH), "message imprint mismatch"},
88 {ERR_REASON(TS_R_NONCE_MISMATCH) , "nonce mismatch"},
89 {ERR_REASON(TS_R_NONCE_NOT_RETURNED) , "nonce not returned"},
90 {ERR_REASON(TS_R_NO_CONTENT) , "no content"},
91 {ERR_REASON(TS_R_NO_TIME_STAMP_TOKEN) , "no time stamp token"},
92 {ERR_REASON(TS_R_PKCS7_ADD_SIGNATURE_ERROR), "pkcs7 add signature error"},
93 {ERR_REASON(TS_R_PKCS7_ADD_SIGNED_ATTR_ERROR), "pkcs7 add signed attr error"},
94 {ERR_REASON(TS_R_PKCS7_TO_TS_TST_INFO_FAILED), "pkcs7 to ts tst info failed"},
95 {ERR_REASON(TS_R_POLICY_MISMATCH) , "policy mismatch"},
96 {ERR_REASON(TS_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE), "private key does not match certificate"},
97 {ERR_REASON(TS_R_RESPONSE_SETUP_ERROR) , "response setup error"},
98 {ERR_REASON(TS_R_SIGNATURE_FAILURE) , "signature failure"},
99 {ERR_REASON(TS_R_THERE_MUST_BE_ONE_SIGNER), "there must be one signer"},
100 {ERR_REASON(TS_R_TIME_SYSCALL_ERROR) , "time syscall error"},
101 {ERR_REASON(TS_R_TOKEN_NOT_PRESENT) , "token not present"},
102 {ERR_REASON(TS_R_TOKEN_PRESENT) , "token present"},
103 {ERR_REASON(TS_R_TSA_NAME_MISMATCH) , "tsa name mismatch"},
104 {ERR_REASON(TS_R_TSA_UNTRUSTED) , "tsa untrusted"},
105 {ERR_REASON(TS_R_TST_INFO_SETUP_ERROR) , "tst info setup error"},
106 {ERR_REASON(TS_R_TS_DATASIGN) , "ts datasign"},
107 {ERR_REASON(TS_R_UNACCEPTABLE_POLICY) , "unacceptable policy"},
108 {ERR_REASON(TS_R_UNSUPPORTED_MD_ALGORITHM), "unsupported md algorithm"},
109 {ERR_REASON(TS_R_UNSUPPORTED_VERSION) , "unsupported version"},
110 {ERR_REASON(TS_R_WRONG_CONTENT_TYPE) , "wrong content type"},
111 {0, NULL}
112};
113
114#endif
115
116void
117ERR_load_TS_strings(void)
118{
119#ifndef OPENSSL_NO_ERR
120 if (ERR_func_error_string(TS_str_functs[0].error) == NULL) {
121 ERR_load_const_strings(TS_str_functs);
122 ERR_load_const_strings(TS_str_reasons);
123 }
124#endif
125}
126LCRYPTO_ALIAS(ERR_load_TS_strings);
diff --git a/src/lib/libcrypto/ts/ts_lib.c b/src/lib/libcrypto/ts/ts_lib.c
deleted file mode 100644
index 7e40101752..0000000000
--- a/src/lib/libcrypto/ts/ts_lib.c
+++ /dev/null
@@ -1,163 +0,0 @@
1/* $OpenBSD: ts_lib.c,v 1.15 2025/01/07 14:22:19 tb Exp $ */
2/* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
3 * project 2002.
4 */
5/* ====================================================================
6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include <string.h>
61
62#include <openssl/bn.h>
63#include <openssl/objects.h>
64#include <openssl/ts.h>
65#include <openssl/x509v3.h>
66
67#include "bn_local.h"
68#include "x509_local.h"
69
70/* Local function declarations. */
71
72/* Function definitions. */
73
74int
75TS_ASN1_INTEGER_print_bio(BIO *bio, const ASN1_INTEGER *num)
76{
77 BIGNUM *bn = NULL;
78 char *hex = NULL;
79 int ret = 0;
80
81 /* XXX - OpenSSL decided to return -1 here for some stupid reason. */
82 if ((bn = ASN1_INTEGER_to_BN(num, NULL)) == NULL)
83 goto err;
84 if ((hex = BN_bn2hex(bn)) == NULL)
85 goto err;
86 if (BIO_printf(bio, "0x%s", hex) <= 0)
87 goto err;
88
89 ret = 1;
90
91 err:
92 BN_free(bn);
93 free(hex);
94
95 return ret;
96}
97LCRYPTO_ALIAS(TS_ASN1_INTEGER_print_bio);
98
99int
100TS_OBJ_print_bio(BIO *bio, const ASN1_OBJECT *obj)
101{
102 char obj_txt[128];
103
104 int len = OBJ_obj2txt(obj_txt, sizeof(obj_txt), obj, 0);
105 if (len >= sizeof(obj_txt))
106 len = sizeof(obj_txt) - 1;
107 BIO_write(bio, obj_txt, len);
108 BIO_write(bio, "\n", 1);
109 return 1;
110}
111LCRYPTO_ALIAS(TS_OBJ_print_bio);
112
113int
114TS_ext_print_bio(BIO *bio, const STACK_OF(X509_EXTENSION) *extensions)
115{
116 int i, critical, n;
117 X509_EXTENSION *ex;
118 ASN1_OBJECT *obj;
119
120 BIO_printf(bio, "Extensions:\n");
121 n = X509v3_get_ext_count(extensions);
122 for (i = 0; i < n; i++) {
123 ex = X509v3_get_ext(extensions, i);
124 obj = X509_EXTENSION_get_object(ex);
125 i2a_ASN1_OBJECT(bio, obj);
126 critical = X509_EXTENSION_get_critical(ex);
127 BIO_printf(bio, ": %s\n", critical ? "critical" : "");
128 if (!X509V3_EXT_print(bio, ex, 0, 4)) {
129 BIO_printf(bio, "%4s", "");
130 ASN1_STRING_print(bio, ex->value);
131 }
132 BIO_write(bio, "\n", 1);
133 }
134
135 return 1;
136}
137LCRYPTO_ALIAS(TS_ext_print_bio);
138
139int
140TS_X509_ALGOR_print_bio(BIO *bio, const X509_ALGOR *alg)
141{
142 int i = OBJ_obj2nid(alg->algorithm);
143
144 return BIO_printf(bio, "Hash Algorithm: %s\n",
145 (i == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(i));
146}
147LCRYPTO_ALIAS(TS_X509_ALGOR_print_bio);
148
149int
150TS_MSG_IMPRINT_print_bio(BIO *bio, TS_MSG_IMPRINT *a)
151{
152 ASN1_OCTET_STRING *msg;
153
154 TS_X509_ALGOR_print_bio(bio, TS_MSG_IMPRINT_get_algo(a));
155
156 BIO_printf(bio, "Message data:\n");
157 msg = TS_MSG_IMPRINT_get_msg(a);
158 BIO_dump_indent(bio, (const char *)ASN1_STRING_data(msg),
159 ASN1_STRING_length(msg), 4);
160
161 return 1;
162}
163LCRYPTO_ALIAS(TS_MSG_IMPRINT_print_bio);
diff --git a/src/lib/libcrypto/ts/ts_local.h b/src/lib/libcrypto/ts/ts_local.h
deleted file mode 100644
index 07c9861e02..0000000000
--- a/src/lib/libcrypto/ts/ts_local.h
+++ /dev/null
@@ -1,316 +0,0 @@
1/* $OpenBSD: ts_local.h,v 1.3 2022/11/26 17:23:18 tb Exp $ */
2/* Written by Zoltan Glozik (zglozik@opentsa.org) for the OpenSSL
3 * project 2002, 2003, 2004.
4 */
5/* ====================================================================
6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#ifndef HEADER_TS_LOCAL_H
60#define HEADER_TS_LOCAL_H
61
62__BEGIN_HIDDEN_DECLS
63
64/*
65 * MessageImprint ::= SEQUENCE {
66 * hashAlgorithm AlgorithmIdentifier,
67 * hashedMessage OCTET STRING }
68 */
69
70struct TS_msg_imprint_st {
71 X509_ALGOR *hash_algo;
72 ASN1_OCTET_STRING *hashed_msg;
73};
74
75/*
76 * TimeStampReq ::= SEQUENCE {
77 * version INTEGER { v1(1) },
78 * messageImprint MessageImprint,
79 * --a hash algorithm OID and the hash value of the data to be
80 * --time-stamped
81 * reqPolicy TSAPolicyId OPTIONAL,
82 * nonce INTEGER OPTIONAL,
83 * certReq BOOLEAN DEFAULT FALSE,
84 * extensions [0] IMPLICIT Extensions OPTIONAL }
85 */
86
87struct TS_req_st {
88 ASN1_INTEGER *version;
89 TS_MSG_IMPRINT *msg_imprint;
90 ASN1_OBJECT *policy_id; /* OPTIONAL */
91 ASN1_INTEGER *nonce; /* OPTIONAL */
92 ASN1_BOOLEAN cert_req; /* DEFAULT FALSE */
93 STACK_OF(X509_EXTENSION) *extensions; /* [0] OPTIONAL */
94};
95
96/*
97 * Accuracy ::= SEQUENCE {
98 * seconds INTEGER OPTIONAL,
99 * millis [0] INTEGER (1..999) OPTIONAL,
100 * micros [1] INTEGER (1..999) OPTIONAL }
101 */
102
103struct TS_accuracy_st {
104 ASN1_INTEGER *seconds;
105 ASN1_INTEGER *millis;
106 ASN1_INTEGER *micros;
107};
108
109/*
110 * TSTInfo ::= SEQUENCE {
111 * version INTEGER { v1(1) },
112 * policy TSAPolicyId,
113 * messageImprint MessageImprint,
114 * -- MUST have the same value as the similar field in
115 * -- TimeStampReq
116 * serialNumber INTEGER,
117 * -- Time-Stamping users MUST be ready to accommodate integers
118 * -- up to 160 bits.
119 * genTime GeneralizedTime,
120 * accuracy Accuracy OPTIONAL,
121 * ordering BOOLEAN DEFAULT FALSE,
122 * nonce INTEGER OPTIONAL,
123 * -- MUST be present if the similar field was present
124 * -- in TimeStampReq. In that case it MUST have the same value.
125 * tsa [0] GeneralName OPTIONAL,
126 * extensions [1] IMPLICIT Extensions OPTIONAL }
127 */
128
129struct TS_tst_info_st {
130 ASN1_INTEGER *version;
131 ASN1_OBJECT *policy_id;
132 TS_MSG_IMPRINT *msg_imprint;
133 ASN1_INTEGER *serial;
134 ASN1_GENERALIZEDTIME *time;
135 TS_ACCURACY *accuracy;
136 ASN1_BOOLEAN ordering;
137 ASN1_INTEGER *nonce;
138 GENERAL_NAME *tsa;
139 STACK_OF(X509_EXTENSION) *extensions;
140};
141
142/*
143 * PKIStatusInfo ::= SEQUENCE {
144 * status PKIStatus,
145 * statusString PKIFreeText OPTIONAL,
146 * failInfo PKIFailureInfo OPTIONAL }
147 *
148 * From RFC 1510 - section 3.1.1:
149 * PKIFreeText ::= SEQUENCE SIZE (1..MAX) OF UTF8String
150 * -- text encoded as UTF-8 String (note: each UTF8String SHOULD
151 * -- include an RFC 1766 language tag to indicate the language
152 * -- of the contained text)
153 */
154
155struct TS_status_info_st {
156 ASN1_INTEGER *status;
157 STACK_OF(ASN1_UTF8STRING) *text;
158 ASN1_BIT_STRING *failure_info;
159};
160
161/*
162 * TimeStampResp ::= SEQUENCE {
163 * status PKIStatusInfo,
164 * timeStampToken TimeStampToken OPTIONAL }
165 */
166
167struct TS_resp_st {
168 TS_STATUS_INFO *status_info;
169 PKCS7 *token;
170 TS_TST_INFO *tst_info;
171};
172
173/* The structure below would belong to the ESS component. */
174
175/*
176 * IssuerSerial ::= SEQUENCE {
177 * issuer GeneralNames,
178 * serialNumber CertificateSerialNumber
179 * }
180 */
181
182struct ESS_issuer_serial {
183 STACK_OF(GENERAL_NAME) *issuer;
184 ASN1_INTEGER *serial;
185};
186
187/*
188 * ESSCertID ::= SEQUENCE {
189 * certHash Hash,
190 * issuerSerial IssuerSerial OPTIONAL
191 * }
192 */
193
194struct ESS_cert_id {
195 ASN1_OCTET_STRING *hash; /* Always SHA-1 digest. */
196 ESS_ISSUER_SERIAL *issuer_serial;
197};
198
199/*
200 * SigningCertificate ::= SEQUENCE {
201 * certs SEQUENCE OF ESSCertID,
202 * policies SEQUENCE OF PolicyInformation OPTIONAL
203 * }
204 */
205
206struct ESS_signing_cert {
207 STACK_OF(ESS_CERT_ID) *cert_ids;
208 STACK_OF(POLICYINFO) *policy_info;
209};
210
211/*
212 * ESSCertIDv2 ::= SEQUENCE {
213 * hashAlgorithm AlgorithmIdentifier
214 * DEFAULT {algorithm id-sha256},
215 * certHash Hash,
216 * issuerSerial IssuerSerial OPTIONAL }
217 */
218
219struct ESS_cert_id_v2 {
220 X509_ALGOR *hash_alg; /* Default SHA-256. */
221 ASN1_OCTET_STRING *hash;
222 ESS_ISSUER_SERIAL *issuer_serial;
223};
224
225/*
226 * SigningCertificateV2 ::= SEQUENCE {
227 * certs SEQUENCE OF ESSCertIDv2,
228 * policies SEQUENCE OF PolicyInformation OPTIONAL }
229 */
230
231struct ESS_signing_cert_v2 {
232 STACK_OF(ESS_CERT_ID_V2) *cert_ids;
233 STACK_OF(POLICYINFO) *policy_info;
234};
235
236struct TS_resp_ctx {
237 X509 *signer_cert;
238 EVP_PKEY *signer_key;
239 STACK_OF(X509) *certs; /* Certs to include in signed data. */
240 STACK_OF(ASN1_OBJECT) *policies; /* Acceptable policies. */
241 ASN1_OBJECT *default_policy; /* It may appear in policies, too. */
242 STACK_OF(EVP_MD) *mds; /* Acceptable message digests. */
243 ASN1_INTEGER *seconds; /* accuracy, 0 means not specified. */
244 ASN1_INTEGER *millis; /* accuracy, 0 means not specified. */
245 ASN1_INTEGER *micros; /* accuracy, 0 means not specified. */
246 unsigned clock_precision_digits; /* fraction of seconds in
247 time stamp token. */
248 unsigned flags; /* Optional info, see values above. */
249
250 /* Callback functions. */
251 TS_serial_cb serial_cb;
252 void *serial_cb_data; /* User data for serial_cb. */
253
254 TS_time_cb time_cb;
255 void *time_cb_data; /* User data for time_cb. */
256
257 TS_extension_cb extension_cb;
258 void *extension_cb_data; /* User data for extension_cb. */
259
260 /* These members are used only while creating the response. */
261 TS_REQ *request;
262 TS_RESP *response;
263 TS_TST_INFO *tst_info;
264};
265
266/* Context structure for the generic verify method. */
267
268struct TS_verify_ctx {
269 /* Set this to the union of TS_VFY_... flags you want to carry out. */
270 unsigned flags;
271
272 /* Must be set only with TS_VFY_SIGNATURE. certs is optional. */
273 X509_STORE *store;
274 STACK_OF(X509) *certs;
275
276 /* Must be set only with TS_VFY_POLICY. */
277 ASN1_OBJECT *policy;
278
279 /* Must be set only with TS_VFY_IMPRINT. If md_alg is NULL,
280 the algorithm from the response is used. */
281 X509_ALGOR *md_alg;
282 unsigned char *imprint;
283 unsigned imprint_len;
284
285 /* Must be set only with TS_VFY_DATA. */
286 BIO *data;
287
288 /* Must be set only with TS_VFY_TSA_NAME. */
289 ASN1_INTEGER *nonce;
290
291 /* Must be set only with TS_VFY_TSA_NAME. */
292 GENERAL_NAME *tsa_name;
293};
294
295/*
296 * Public OpenSSL API that we do not currently want to expose.
297 */
298
299ESS_CERT_ID_V2 *ESS_CERT_ID_V2_new(void);
300void ESS_CERT_ID_V2_free(ESS_CERT_ID_V2 *a);
301int i2d_ESS_CERT_ID_V2(const ESS_CERT_ID_V2 *a, unsigned char **pp);
302ESS_CERT_ID_V2 *d2i_ESS_CERT_ID_V2(ESS_CERT_ID_V2 **a, const unsigned char **pp,
303 long length);
304ESS_CERT_ID_V2 *ESS_CERT_ID_V2_dup(ESS_CERT_ID_V2 *a);
305
306ESS_SIGNING_CERT_V2 *ESS_SIGNING_CERT_V2_new(void);
307void ESS_SIGNING_CERT_V2_free(ESS_SIGNING_CERT_V2 *a);
308int i2d_ESS_SIGNING_CERT_V2(const ESS_SIGNING_CERT_V2 *a,
309 unsigned char **pp);
310ESS_SIGNING_CERT_V2 *d2i_ESS_SIGNING_CERT_V2(ESS_SIGNING_CERT_V2 **a,
311 const unsigned char **pp, long length);
312ESS_SIGNING_CERT_V2 *ESS_SIGNING_CERT_V2_dup(ESS_SIGNING_CERT_V2 *a);
313
314__END_HIDDEN_DECLS
315
316#endif /* !HEADER_TS_LOCAL_H */
diff --git a/src/lib/libcrypto/ts/ts_req_print.c b/src/lib/libcrypto/ts/ts_req_print.c
deleted file mode 100644
index ddcdda97a3..0000000000
--- a/src/lib/libcrypto/ts/ts_req_print.c
+++ /dev/null
@@ -1,105 +0,0 @@
1/* $OpenBSD: ts_req_print.c,v 1.5 2023/07/07 07:25:21 beck Exp $ */
2/* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
3 * project 2002.
4 */
5/* ====================================================================
6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60
61#include <openssl/bn.h>
62#include <openssl/objects.h>
63#include <openssl/ts.h>
64#include <openssl/x509v3.h>
65
66/* Function definitions. */
67
68int
69TS_REQ_print_bio(BIO *bio, TS_REQ *a)
70{
71 int v;
72 ASN1_OBJECT *policy_id;
73 const ASN1_INTEGER *nonce;
74
75 if (a == NULL)
76 return 0;
77
78 v = TS_REQ_get_version(a);
79 BIO_printf(bio, "Version: %d\n", v);
80
81 TS_MSG_IMPRINT_print_bio(bio, TS_REQ_get_msg_imprint(a));
82
83 BIO_printf(bio, "Policy OID: ");
84 policy_id = TS_REQ_get_policy_id(a);
85 if (policy_id == NULL)
86 BIO_printf(bio, "unspecified\n");
87 else
88 TS_OBJ_print_bio(bio, policy_id);
89
90 BIO_printf(bio, "Nonce: ");
91 nonce = TS_REQ_get_nonce(a);
92 if (nonce == NULL)
93 BIO_printf(bio, "unspecified");
94 else
95 TS_ASN1_INTEGER_print_bio(bio, nonce);
96 BIO_write(bio, "\n", 1);
97
98 BIO_printf(bio, "Certificate required: %s\n",
99 TS_REQ_get_cert_req(a) ? "yes" : "no");
100
101 TS_ext_print_bio(bio, TS_REQ_get_exts(a));
102
103 return 1;
104}
105LCRYPTO_ALIAS(TS_REQ_print_bio);
diff --git a/src/lib/libcrypto/ts/ts_req_utils.c b/src/lib/libcrypto/ts/ts_req_utils.c
deleted file mode 100644
index d679418060..0000000000
--- a/src/lib/libcrypto/ts/ts_req_utils.c
+++ /dev/null
@@ -1,281 +0,0 @@
1/* $OpenBSD: ts_req_utils.c,v 1.9 2023/07/07 19:37:54 beck Exp $ */
2/* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
3 * project 2002.
4 */
5/* ====================================================================
6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60
61#include <openssl/err.h>
62#include <openssl/objects.h>
63#include <openssl/ts.h>
64#include <openssl/x509v3.h>
65
66#include "ts_local.h"
67
68int
69TS_REQ_set_version(TS_REQ *a, long version)
70{
71 return ASN1_INTEGER_set(a->version, version);
72}
73LCRYPTO_ALIAS(TS_REQ_set_version);
74
75long
76TS_REQ_get_version(const TS_REQ *a)
77{
78 return ASN1_INTEGER_get(a->version);
79}
80LCRYPTO_ALIAS(TS_REQ_get_version);
81
82int
83TS_REQ_set_msg_imprint(TS_REQ *a, TS_MSG_IMPRINT *msg_imprint)
84{
85 TS_MSG_IMPRINT *new_msg_imprint;
86
87 if (a->msg_imprint == msg_imprint)
88 return 1;
89 new_msg_imprint = TS_MSG_IMPRINT_dup(msg_imprint);
90 if (new_msg_imprint == NULL) {
91 TSerror(ERR_R_MALLOC_FAILURE);
92 return 0;
93 }
94 TS_MSG_IMPRINT_free(a->msg_imprint);
95 a->msg_imprint = new_msg_imprint;
96 return 1;
97}
98LCRYPTO_ALIAS(TS_REQ_set_msg_imprint);
99
100TS_MSG_IMPRINT *
101TS_REQ_get_msg_imprint(TS_REQ *a)
102{
103 return a->msg_imprint;
104}
105LCRYPTO_ALIAS(TS_REQ_get_msg_imprint);
106
107int
108TS_MSG_IMPRINT_set_algo(TS_MSG_IMPRINT *a, X509_ALGOR *alg)
109{
110 X509_ALGOR *new_alg;
111
112 if (a->hash_algo == alg)
113 return 1;
114 new_alg = X509_ALGOR_dup(alg);
115 if (new_alg == NULL) {
116 TSerror(ERR_R_MALLOC_FAILURE);
117 return 0;
118 }
119 X509_ALGOR_free(a->hash_algo);
120 a->hash_algo = new_alg;
121 return 1;
122}
123LCRYPTO_ALIAS(TS_MSG_IMPRINT_set_algo);
124
125X509_ALGOR *
126TS_MSG_IMPRINT_get_algo(TS_MSG_IMPRINT *a)
127{
128 return a->hash_algo;
129}
130LCRYPTO_ALIAS(TS_MSG_IMPRINT_get_algo);
131
132int
133TS_MSG_IMPRINT_set_msg(TS_MSG_IMPRINT *a, unsigned char *d, int len)
134{
135 return ASN1_OCTET_STRING_set(a->hashed_msg, d, len);
136}
137LCRYPTO_ALIAS(TS_MSG_IMPRINT_set_msg);
138
139ASN1_OCTET_STRING *
140TS_MSG_IMPRINT_get_msg(TS_MSG_IMPRINT *a)
141{
142 return a->hashed_msg;
143}
144LCRYPTO_ALIAS(TS_MSG_IMPRINT_get_msg);
145
146int
147TS_REQ_set_policy_id(TS_REQ *a, const ASN1_OBJECT *policy)
148{
149 ASN1_OBJECT *new_policy;
150
151 if (a->policy_id == policy)
152 return 1;
153 new_policy = OBJ_dup(policy);
154 if (new_policy == NULL) {
155 TSerror(ERR_R_MALLOC_FAILURE);
156 return 0;
157 }
158 ASN1_OBJECT_free(a->policy_id);
159 a->policy_id = new_policy;
160 return 1;
161}
162LCRYPTO_ALIAS(TS_REQ_set_policy_id);
163
164ASN1_OBJECT *
165TS_REQ_get_policy_id(TS_REQ *a)
166{
167 return a->policy_id;
168}
169LCRYPTO_ALIAS(TS_REQ_get_policy_id);
170
171int
172TS_REQ_set_nonce(TS_REQ *a, const ASN1_INTEGER *nonce)
173{
174 ASN1_INTEGER *new_nonce;
175
176 if (a->nonce == nonce)
177 return 1;
178 new_nonce = ASN1_INTEGER_dup(nonce);
179 if (new_nonce == NULL) {
180 TSerror(ERR_R_MALLOC_FAILURE);
181 return 0;
182 }
183 ASN1_INTEGER_free(a->nonce);
184 a->nonce = new_nonce;
185 return 1;
186}
187LCRYPTO_ALIAS(TS_REQ_set_nonce);
188
189const ASN1_INTEGER *
190TS_REQ_get_nonce(const TS_REQ *a)
191{
192 return a->nonce;
193}
194LCRYPTO_ALIAS(TS_REQ_get_nonce);
195
196int
197TS_REQ_set_cert_req(TS_REQ *a, int cert_req)
198{
199 a->cert_req = cert_req ? 0xFF : 0x00;
200 return 1;
201}
202LCRYPTO_ALIAS(TS_REQ_set_cert_req);
203
204int
205TS_REQ_get_cert_req(const TS_REQ *a)
206{
207 return a->cert_req ? 1 : 0;
208}
209LCRYPTO_ALIAS(TS_REQ_get_cert_req);
210
211STACK_OF(X509_EXTENSION) *TS_REQ_get_exts(TS_REQ *a)
212{
213 return a->extensions;
214}
215LCRYPTO_ALIAS(TS_REQ_get_exts);
216
217void
218TS_REQ_ext_free(TS_REQ *a)
219{
220 if (!a)
221 return;
222 sk_X509_EXTENSION_pop_free(a->extensions, X509_EXTENSION_free);
223 a->extensions = NULL;
224}
225LCRYPTO_ALIAS(TS_REQ_ext_free);
226
227int
228TS_REQ_get_ext_count(TS_REQ *a)
229{
230 return X509v3_get_ext_count(a->extensions);
231}
232LCRYPTO_ALIAS(TS_REQ_get_ext_count);
233
234int
235TS_REQ_get_ext_by_NID(TS_REQ *a, int nid, int lastpos)
236{
237 return X509v3_get_ext_by_NID(a->extensions, nid, lastpos);
238}
239LCRYPTO_ALIAS(TS_REQ_get_ext_by_NID);
240
241int
242TS_REQ_get_ext_by_OBJ(TS_REQ *a, const ASN1_OBJECT *obj, int lastpos)
243{
244 return X509v3_get_ext_by_OBJ(a->extensions, obj, lastpos);
245}
246LCRYPTO_ALIAS(TS_REQ_get_ext_by_OBJ);
247
248int
249TS_REQ_get_ext_by_critical(TS_REQ *a, int crit, int lastpos)
250{
251 return X509v3_get_ext_by_critical(a->extensions, crit, lastpos);
252}
253LCRYPTO_ALIAS(TS_REQ_get_ext_by_critical);
254
255X509_EXTENSION *
256TS_REQ_get_ext(TS_REQ *a, int loc)
257{
258 return X509v3_get_ext(a->extensions, loc);
259}
260LCRYPTO_ALIAS(TS_REQ_get_ext);
261
262X509_EXTENSION *
263TS_REQ_delete_ext(TS_REQ *a, int loc)
264{
265 return X509v3_delete_ext(a->extensions, loc);
266}
267LCRYPTO_ALIAS(TS_REQ_delete_ext);
268
269int
270TS_REQ_add_ext(TS_REQ *a, X509_EXTENSION *ex, int loc)
271{
272 return X509v3_add_ext(&a->extensions, ex, loc) != NULL;
273}
274LCRYPTO_ALIAS(TS_REQ_add_ext);
275
276void *
277TS_REQ_get_ext_d2i(TS_REQ *a, int nid, int *crit, int *idx)
278{
279 return X509V3_get_d2i(a->extensions, nid, crit, idx);
280}
281LCRYPTO_ALIAS(TS_REQ_get_ext_d2i);
diff --git a/src/lib/libcrypto/ts/ts_rsp_print.c b/src/lib/libcrypto/ts/ts_rsp_print.c
deleted file mode 100644
index c65d226686..0000000000
--- a/src/lib/libcrypto/ts/ts_rsp_print.c
+++ /dev/null
@@ -1,306 +0,0 @@
1/* $OpenBSD: ts_rsp_print.c,v 1.7 2023/07/07 07:25:21 beck Exp $ */
2/* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
3 * project 2002.
4 */
5/* ====================================================================
6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60
61#include <openssl/bn.h>
62#include <openssl/objects.h>
63#include <openssl/ts.h>
64#include <openssl/x509v3.h>
65
66#include "ts_local.h"
67
68struct status_map_st {
69 int bit;
70 const char *text;
71};
72
73/* Local function declarations. */
74
75static int TS_status_map_print(BIO *bio, struct status_map_st *a,
76 ASN1_BIT_STRING *v);
77static int TS_ACCURACY_print_bio(BIO *bio, const TS_ACCURACY *accuracy);
78
79/* Function definitions. */
80
81int
82TS_RESP_print_bio(BIO *bio, TS_RESP *a)
83{
84 TS_TST_INFO *tst_info;
85
86 BIO_printf(bio, "Status info:\n");
87 TS_STATUS_INFO_print_bio(bio, TS_RESP_get_status_info(a));
88
89 BIO_printf(bio, "\nTST info:\n");
90 tst_info = TS_RESP_get_tst_info(a);
91 if (tst_info != NULL)
92 TS_TST_INFO_print_bio(bio, TS_RESP_get_tst_info(a));
93 else
94 BIO_printf(bio, "Not included.\n");
95
96 return 1;
97}
98LCRYPTO_ALIAS(TS_RESP_print_bio);
99
100int
101TS_STATUS_INFO_print_bio(BIO *bio, TS_STATUS_INFO *a)
102{
103 static const char *status_map[] = {
104 "Granted.",
105 "Granted with modifications.",
106 "Rejected.",
107 "Waiting.",
108 "Revocation warning.",
109 "Revoked."
110 };
111 static struct status_map_st failure_map[] = {
112 {
113 TS_INFO_BAD_ALG,
114 "unrecognized or unsupported algorithm identifier"
115 },
116 {
117 TS_INFO_BAD_REQUEST,
118 "transaction not permitted or supported"
119 },
120 {
121 TS_INFO_BAD_DATA_FORMAT,
122 "the data submitted has the wrong format"
123 },
124 {
125 TS_INFO_TIME_NOT_AVAILABLE,
126 "the TSA's time source is not available"
127 },
128 {
129 TS_INFO_UNACCEPTED_POLICY,
130 "the requested TSA policy is not supported by the TSA"
131 },
132 {
133 TS_INFO_UNACCEPTED_EXTENSION,
134 "the requested extension is not supported by the TSA"
135 },
136 {
137 TS_INFO_ADD_INFO_NOT_AVAILABLE,
138 "the additional information requested could not be understood "
139 "or is not available"
140 },
141 {
142 TS_INFO_SYSTEM_FAILURE,
143 "the request cannot be handled due to system failure"
144 },
145 { -1, NULL }
146 };
147 long status;
148 int i, lines = 0;
149
150 /* Printing status code. */
151 BIO_printf(bio, "Status: ");
152 status = ASN1_INTEGER_get(a->status);
153 if (0 <= status &&
154 status < (long)(sizeof(status_map) / sizeof(status_map[0])))
155 BIO_printf(bio, "%s\n", status_map[status]);
156 else
157 BIO_printf(bio, "out of bounds\n");
158
159 /* Printing status description. */
160 BIO_printf(bio, "Status description: ");
161 for (i = 0; i < sk_ASN1_UTF8STRING_num(a->text); ++i) {
162 if (i > 0)
163 BIO_puts(bio, "\t");
164 ASN1_STRING_print_ex(bio, sk_ASN1_UTF8STRING_value(a->text, i),
165 0);
166 BIO_puts(bio, "\n");
167 }
168 if (i == 0)
169 BIO_printf(bio, "unspecified\n");
170
171 /* Printing failure information. */
172 BIO_printf(bio, "Failure info: ");
173 if (a->failure_info != NULL)
174 lines = TS_status_map_print(bio, failure_map, a->failure_info);
175 if (lines == 0)
176 BIO_printf(bio, "unspecified");
177 BIO_printf(bio, "\n");
178
179 return 1;
180}
181LCRYPTO_ALIAS(TS_STATUS_INFO_print_bio);
182
183static int
184TS_status_map_print(BIO *bio, struct status_map_st *a, ASN1_BIT_STRING *v)
185{
186 int lines = 0;
187
188 for (; a->bit >= 0; ++a) {
189 if (ASN1_BIT_STRING_get_bit(v, a->bit)) {
190 if (++lines > 1)
191 BIO_printf(bio, ", ");
192 BIO_printf(bio, "%s", a->text);
193 }
194 }
195
196 return lines;
197}
198
199int
200TS_TST_INFO_print_bio(BIO *bio, TS_TST_INFO *a)
201{
202 int v;
203 ASN1_OBJECT *policy_id;
204 const ASN1_INTEGER *serial;
205 const ASN1_GENERALIZEDTIME *gtime;
206 TS_ACCURACY *accuracy;
207 const ASN1_INTEGER *nonce;
208 GENERAL_NAME *tsa_name;
209
210 if (a == NULL)
211 return 0;
212
213 /* Print version. */
214 v = TS_TST_INFO_get_version(a);
215 BIO_printf(bio, "Version: %d\n", v);
216
217 /* Print policy id. */
218 BIO_printf(bio, "Policy OID: ");
219 policy_id = TS_TST_INFO_get_policy_id(a);
220 TS_OBJ_print_bio(bio, policy_id);
221
222 /* Print message imprint. */
223 TS_MSG_IMPRINT_print_bio(bio, TS_TST_INFO_get_msg_imprint(a));
224
225 /* Print serial number. */
226 BIO_printf(bio, "Serial number: ");
227 serial = TS_TST_INFO_get_serial(a);
228 if (serial == NULL)
229 BIO_printf(bio, "unspecified");
230 else
231 TS_ASN1_INTEGER_print_bio(bio, serial);
232 BIO_write(bio, "\n", 1);
233
234 /* Print time stamp. */
235 BIO_printf(bio, "Time stamp: ");
236 gtime = TS_TST_INFO_get_time(a);
237 ASN1_GENERALIZEDTIME_print(bio, gtime);
238 BIO_write(bio, "\n", 1);
239
240 /* Print accuracy. */
241 BIO_printf(bio, "Accuracy: ");
242 accuracy = TS_TST_INFO_get_accuracy(a);
243 if (accuracy == NULL)
244 BIO_printf(bio, "unspecified");
245 else
246 TS_ACCURACY_print_bio(bio, accuracy);
247 BIO_write(bio, "\n", 1);
248
249 /* Print ordering. */
250 BIO_printf(bio, "Ordering: %s\n",
251 TS_TST_INFO_get_ordering(a) ? "yes" : "no");
252
253 /* Print nonce. */
254 BIO_printf(bio, "Nonce: ");
255 nonce = TS_TST_INFO_get_nonce(a);
256 if (nonce == NULL)
257 BIO_printf(bio, "unspecified");
258 else
259 TS_ASN1_INTEGER_print_bio(bio, nonce);
260 BIO_write(bio, "\n", 1);
261
262 /* Print TSA name. */
263 BIO_printf(bio, "TSA: ");
264 tsa_name = TS_TST_INFO_get_tsa(a);
265 if (tsa_name == NULL)
266 BIO_printf(bio, "unspecified");
267 else {
268 STACK_OF(CONF_VALUE) *nval;
269 if ((nval = i2v_GENERAL_NAME(NULL, tsa_name, NULL)))
270 X509V3_EXT_val_prn(bio, nval, 0, 0);
271 sk_CONF_VALUE_pop_free(nval, X509V3_conf_free);
272 }
273 BIO_write(bio, "\n", 1);
274
275 /* Print extensions. */
276 TS_ext_print_bio(bio, TS_TST_INFO_get_exts(a));
277
278 return 1;
279}
280LCRYPTO_ALIAS(TS_TST_INFO_print_bio);
281
282static int
283TS_ACCURACY_print_bio(BIO *bio, const TS_ACCURACY *accuracy)
284{
285 const ASN1_INTEGER *seconds = TS_ACCURACY_get_seconds(accuracy);
286 const ASN1_INTEGER *millis = TS_ACCURACY_get_millis(accuracy);
287 const ASN1_INTEGER *micros = TS_ACCURACY_get_micros(accuracy);
288
289 if (seconds != NULL)
290 TS_ASN1_INTEGER_print_bio(bio, seconds);
291 else
292 BIO_printf(bio, "unspecified");
293 BIO_printf(bio, " seconds, ");
294 if (millis != NULL)
295 TS_ASN1_INTEGER_print_bio(bio, millis);
296 else
297 BIO_printf(bio, "unspecified");
298 BIO_printf(bio, " millis, ");
299 if (micros != NULL)
300 TS_ASN1_INTEGER_print_bio(bio, micros);
301 else
302 BIO_printf(bio, "unspecified");
303 BIO_printf(bio, " micros");
304
305 return 1;
306}
diff --git a/src/lib/libcrypto/ts/ts_rsp_sign.c b/src/lib/libcrypto/ts/ts_rsp_sign.c
deleted file mode 100644
index e3101340c5..0000000000
--- a/src/lib/libcrypto/ts/ts_rsp_sign.c
+++ /dev/null
@@ -1,982 +0,0 @@
1/* $OpenBSD: ts_rsp_sign.c,v 1.35 2024/03/26 00:39:22 beck Exp $ */
2/* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
3 * project 2002.
4 */
5/* ====================================================================
6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <sys/time.h>
60
61#include <string.h>
62
63#include <openssl/err.h>
64#include <openssl/objects.h>
65#include <openssl/pkcs7.h>
66#include <openssl/ts.h>
67
68#include "evp_local.h"
69#include "ts_local.h"
70#include "x509_local.h"
71
72/* Private function declarations. */
73
74static ASN1_INTEGER *def_serial_cb(struct TS_resp_ctx *, void *);
75static int def_time_cb(struct TS_resp_ctx *, void *, time_t *sec, long *usec);
76static int def_extension_cb(struct TS_resp_ctx *, X509_EXTENSION *, void *);
77
78static void TS_RESP_CTX_init(TS_RESP_CTX *ctx);
79static void TS_RESP_CTX_cleanup(TS_RESP_CTX *ctx);
80static int TS_RESP_check_request(TS_RESP_CTX *ctx);
81static ASN1_OBJECT *TS_RESP_get_policy(TS_RESP_CTX *ctx);
82static TS_TST_INFO *TS_RESP_create_tst_info(TS_RESP_CTX *ctx,
83 ASN1_OBJECT *policy);
84static int TS_RESP_process_extensions(TS_RESP_CTX *ctx);
85static int TS_RESP_sign(TS_RESP_CTX *ctx);
86
87static ESS_SIGNING_CERT *ESS_SIGNING_CERT_new_init(X509 *signcert,
88 STACK_OF(X509) *certs);
89static ESS_CERT_ID *ESS_CERT_ID_new_init(X509 *cert, int issuer_needed);
90static int TS_TST_INFO_content_new(PKCS7 *p7);
91static int ESS_add_signing_cert(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT *sc);
92
93/* Default callbacks for response generation. */
94
95static ASN1_INTEGER *
96def_serial_cb(struct TS_resp_ctx *ctx, void *data)
97{
98 ASN1_INTEGER *serial;
99
100 if ((serial = ASN1_INTEGER_new()) == NULL)
101 goto err;
102 if (!ASN1_INTEGER_set(serial, 1))
103 goto err;
104
105 return serial;
106
107 err:
108 ASN1_INTEGER_free(serial);
109 TSerror(ERR_R_MALLOC_FAILURE);
110 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION,
111 "Error during serial number generation.");
112
113 return NULL;
114}
115
116/* Use the gettimeofday function call. */
117static int
118def_time_cb(struct TS_resp_ctx *ctx, void *data, time_t *sec, long *usec)
119{
120 struct timeval tv;
121
122 if (gettimeofday(&tv, NULL) != 0) {
123 TSerror(TS_R_TIME_SYSCALL_ERROR);
124 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION,
125 "Time is not available.");
126 TS_RESP_CTX_add_failure_info(ctx, TS_INFO_TIME_NOT_AVAILABLE);
127 return 0;
128 }
129 /* Return time to caller. */
130 *sec = tv.tv_sec;
131 *usec = tv.tv_usec;
132
133 return 1;
134}
135
136static int
137def_extension_cb(struct TS_resp_ctx *ctx, X509_EXTENSION *ext, void *data)
138{
139 /* No extensions are processed here. */
140 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION,
141 "Unsupported extension.");
142 TS_RESP_CTX_add_failure_info(ctx, TS_INFO_UNACCEPTED_EXTENSION);
143 return 0;
144}
145
146void
147TS_RESP_CTX_set_time_cb(TS_RESP_CTX *ctx, TS_time_cb cb, void *data)
148{
149 ctx->time_cb = cb;
150 ctx->time_cb_data = data;
151}
152LCRYPTO_ALIAS(TS_RESP_CTX_set_time_cb);
153
154/* TS_RESP_CTX management functions. */
155
156TS_RESP_CTX *
157TS_RESP_CTX_new(void)
158{
159 TS_RESP_CTX *ctx;
160
161 if (!(ctx = calloc(1, sizeof(TS_RESP_CTX)))) {
162 TSerror(ERR_R_MALLOC_FAILURE);
163 return NULL;
164 }
165
166 /* Setting default callbacks. */
167 ctx->serial_cb = def_serial_cb;
168 ctx->time_cb = def_time_cb;
169 ctx->extension_cb = def_extension_cb;
170
171 return ctx;
172}
173LCRYPTO_ALIAS(TS_RESP_CTX_new);
174
175void
176TS_RESP_CTX_free(TS_RESP_CTX *ctx)
177{
178 if (!ctx)
179 return;
180
181 X509_free(ctx->signer_cert);
182 EVP_PKEY_free(ctx->signer_key);
183 sk_X509_pop_free(ctx->certs, X509_free);
184 sk_ASN1_OBJECT_pop_free(ctx->policies, ASN1_OBJECT_free);
185 ASN1_OBJECT_free(ctx->default_policy);
186 sk_EVP_MD_free(ctx->mds); /* No EVP_MD_free method exists. */
187 ASN1_INTEGER_free(ctx->seconds);
188 ASN1_INTEGER_free(ctx->millis);
189 ASN1_INTEGER_free(ctx->micros);
190 free(ctx);
191}
192LCRYPTO_ALIAS(TS_RESP_CTX_free);
193
194int
195TS_RESP_CTX_set_signer_cert(TS_RESP_CTX *ctx, X509 *signer)
196{
197 if (X509_check_purpose(signer, X509_PURPOSE_TIMESTAMP_SIGN, 0) != 1) {
198 TSerror(TS_R_INVALID_SIGNER_CERTIFICATE_PURPOSE);
199 return 0;
200 }
201 X509_free(ctx->signer_cert);
202 ctx->signer_cert = signer;
203 CRYPTO_add(&ctx->signer_cert->references, +1, CRYPTO_LOCK_X509);
204 return 1;
205}
206LCRYPTO_ALIAS(TS_RESP_CTX_set_signer_cert);
207
208int
209TS_RESP_CTX_set_signer_key(TS_RESP_CTX *ctx, EVP_PKEY *key)
210{
211 EVP_PKEY_free(ctx->signer_key);
212 ctx->signer_key = key;
213 CRYPTO_add(&ctx->signer_key->references, +1, CRYPTO_LOCK_EVP_PKEY);
214
215 return 1;
216}
217LCRYPTO_ALIAS(TS_RESP_CTX_set_signer_key);
218
219int
220TS_RESP_CTX_set_def_policy(TS_RESP_CTX *ctx, const ASN1_OBJECT *def_policy)
221{
222 if (ctx->default_policy)
223 ASN1_OBJECT_free(ctx->default_policy);
224 if (!(ctx->default_policy = OBJ_dup(def_policy)))
225 goto err;
226 return 1;
227
228err:
229 TSerror(ERR_R_MALLOC_FAILURE);
230 return 0;
231}
232LCRYPTO_ALIAS(TS_RESP_CTX_set_def_policy);
233
234int
235TS_RESP_CTX_set_certs(TS_RESP_CTX *ctx, STACK_OF(X509) *certs)
236{
237 int i;
238
239 if (ctx->certs) {
240 sk_X509_pop_free(ctx->certs, X509_free);
241 ctx->certs = NULL;
242 }
243 if (!certs)
244 return 1;
245 if (!(ctx->certs = sk_X509_dup(certs))) {
246 TSerror(ERR_R_MALLOC_FAILURE);
247 return 0;
248 }
249 for (i = 0; i < sk_X509_num(ctx->certs); ++i) {
250 X509 *cert = sk_X509_value(ctx->certs, i);
251 CRYPTO_add(&cert->references, +1, CRYPTO_LOCK_X509);
252 }
253
254 return 1;
255}
256LCRYPTO_ALIAS(TS_RESP_CTX_set_certs);
257
258int
259TS_RESP_CTX_add_policy(TS_RESP_CTX *ctx, const ASN1_OBJECT *policy)
260{
261 ASN1_OBJECT *copy = NULL;
262
263 /* Create new policy stack if necessary. */
264 if (!ctx->policies && !(ctx->policies = sk_ASN1_OBJECT_new_null()))
265 goto err;
266 if (!(copy = OBJ_dup(policy)))
267 goto err;
268 if (!sk_ASN1_OBJECT_push(ctx->policies, copy))
269 goto err;
270
271 return 1;
272
273err:
274 TSerror(ERR_R_MALLOC_FAILURE);
275 ASN1_OBJECT_free(copy);
276 return 0;
277}
278LCRYPTO_ALIAS(TS_RESP_CTX_add_policy);
279
280int
281TS_RESP_CTX_add_md(TS_RESP_CTX *ctx, const EVP_MD *md)
282{
283 /* Create new md stack if necessary. */
284 if (!ctx->mds && !(ctx->mds = sk_EVP_MD_new_null()))
285 goto err;
286 /* Add the shared md, no copy needed. */
287 if (!sk_EVP_MD_push(ctx->mds, (EVP_MD *)md))
288 goto err;
289
290 return 1;
291
292err:
293 TSerror(ERR_R_MALLOC_FAILURE);
294 return 0;
295}
296LCRYPTO_ALIAS(TS_RESP_CTX_add_md);
297
298#define TS_RESP_CTX_accuracy_free(ctx) \
299 ASN1_INTEGER_free(ctx->seconds); \
300 ctx->seconds = NULL; \
301 ASN1_INTEGER_free(ctx->millis); \
302 ctx->millis = NULL; \
303 ASN1_INTEGER_free(ctx->micros); \
304 ctx->micros = NULL;
305
306int
307TS_RESP_CTX_set_accuracy(TS_RESP_CTX *ctx, int secs, int millis, int micros)
308{
309 TS_RESP_CTX_accuracy_free(ctx);
310 if (secs && (!(ctx->seconds = ASN1_INTEGER_new()) ||
311 !ASN1_INTEGER_set(ctx->seconds, secs)))
312 goto err;
313 if (millis && (!(ctx->millis = ASN1_INTEGER_new()) ||
314 !ASN1_INTEGER_set(ctx->millis, millis)))
315 goto err;
316 if (micros && (!(ctx->micros = ASN1_INTEGER_new()) ||
317 !ASN1_INTEGER_set(ctx->micros, micros)))
318 goto err;
319
320 return 1;
321
322err:
323 TS_RESP_CTX_accuracy_free(ctx);
324 TSerror(ERR_R_MALLOC_FAILURE);
325 return 0;
326}
327LCRYPTO_ALIAS(TS_RESP_CTX_set_accuracy);
328
329void
330TS_RESP_CTX_add_flags(TS_RESP_CTX *ctx, int flags)
331{
332 ctx->flags |= flags;
333}
334LCRYPTO_ALIAS(TS_RESP_CTX_add_flags);
335
336void
337TS_RESP_CTX_set_serial_cb(TS_RESP_CTX *ctx, TS_serial_cb cb, void *data)
338{
339 ctx->serial_cb = cb;
340 ctx->serial_cb_data = data;
341}
342LCRYPTO_ALIAS(TS_RESP_CTX_set_serial_cb);
343
344void
345TS_RESP_CTX_set_extension_cb(TS_RESP_CTX *ctx, TS_extension_cb cb, void *data)
346{
347 ctx->extension_cb = cb;
348 ctx->extension_cb_data = data;
349}
350LCRYPTO_ALIAS(TS_RESP_CTX_set_extension_cb);
351
352int
353TS_RESP_CTX_set_status_info(TS_RESP_CTX *ctx, int status, const char *text)
354{
355 TS_STATUS_INFO *si = NULL;
356 ASN1_UTF8STRING *utf8_text = NULL;
357 int ret = 0;
358
359 if (!(si = TS_STATUS_INFO_new()))
360 goto err;
361 if (!ASN1_INTEGER_set(si->status, status))
362 goto err;
363 if (text) {
364 if (!(utf8_text = ASN1_UTF8STRING_new()) ||
365 !ASN1_STRING_set(utf8_text, text, strlen(text)))
366 goto err;
367 if (!si->text && !(si->text = sk_ASN1_UTF8STRING_new_null()))
368 goto err;
369 if (!sk_ASN1_UTF8STRING_push(si->text, utf8_text))
370 goto err;
371 utf8_text = NULL; /* Ownership is lost. */
372 }
373 if (!TS_RESP_set_status_info(ctx->response, si))
374 goto err;
375 ret = 1;
376
377err:
378 if (!ret)
379 TSerror(ERR_R_MALLOC_FAILURE);
380 TS_STATUS_INFO_free(si);
381 ASN1_UTF8STRING_free(utf8_text);
382 return ret;
383}
384LCRYPTO_ALIAS(TS_RESP_CTX_set_status_info);
385
386int
387TS_RESP_CTX_set_status_info_cond(TS_RESP_CTX *ctx, int status, const char *text)
388{
389 int ret = 1;
390 TS_STATUS_INFO *si = TS_RESP_get_status_info(ctx->response);
391
392 if (ASN1_INTEGER_get(si->status) == TS_STATUS_GRANTED) {
393 /* Status has not been set, set it now. */
394 ret = TS_RESP_CTX_set_status_info(ctx, status, text);
395 }
396 return ret;
397}
398LCRYPTO_ALIAS(TS_RESP_CTX_set_status_info_cond);
399
400int
401TS_RESP_CTX_add_failure_info(TS_RESP_CTX *ctx, int failure)
402{
403 TS_STATUS_INFO *si = TS_RESP_get_status_info(ctx->response);
404
405 if (!si->failure_info && !(si->failure_info = ASN1_BIT_STRING_new()))
406 goto err;
407 if (!ASN1_BIT_STRING_set_bit(si->failure_info, failure, 1))
408 goto err;
409 return 1;
410
411err:
412 TSerror(ERR_R_MALLOC_FAILURE);
413 return 0;
414}
415LCRYPTO_ALIAS(TS_RESP_CTX_add_failure_info);
416
417TS_REQ *
418TS_RESP_CTX_get_request(TS_RESP_CTX *ctx)
419{
420 return ctx->request;
421}
422LCRYPTO_ALIAS(TS_RESP_CTX_get_request);
423
424TS_TST_INFO *
425TS_RESP_CTX_get_tst_info(TS_RESP_CTX *ctx)
426{
427 return ctx->tst_info;
428}
429LCRYPTO_ALIAS(TS_RESP_CTX_get_tst_info);
430
431int
432TS_RESP_CTX_set_clock_precision_digits(TS_RESP_CTX *ctx, unsigned precision)
433{
434 if (precision > 0)
435 return 0;
436 ctx->clock_precision_digits = precision;
437 return 1;
438}
439LCRYPTO_ALIAS(TS_RESP_CTX_set_clock_precision_digits);
440
441/* Main entry method of the response generation. */
442TS_RESP *
443TS_RESP_create_response(TS_RESP_CTX *ctx, BIO *req_bio)
444{
445 ASN1_OBJECT *policy;
446 TS_RESP *response;
447 int result = 0;
448
449 TS_RESP_CTX_init(ctx);
450
451 /* Creating the response object. */
452 if (!(ctx->response = TS_RESP_new())) {
453 TSerror(ERR_R_MALLOC_FAILURE);
454 goto end;
455 }
456
457 /* Parsing DER request. */
458 if (!(ctx->request = d2i_TS_REQ_bio(req_bio, NULL))) {
459 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION,
460 "Bad request format or "
461 "system error.");
462 TS_RESP_CTX_add_failure_info(ctx, TS_INFO_BAD_DATA_FORMAT);
463 goto end;
464 }
465
466 /* Setting default status info. */
467 if (!TS_RESP_CTX_set_status_info(ctx, TS_STATUS_GRANTED, NULL))
468 goto end;
469
470 /* Checking the request format. */
471 if (!TS_RESP_check_request(ctx))
472 goto end;
473
474 /* Checking acceptable policies. */
475 if (!(policy = TS_RESP_get_policy(ctx)))
476 goto end;
477
478 /* Creating the TS_TST_INFO object. */
479 if (!(ctx->tst_info = TS_RESP_create_tst_info(ctx, policy)))
480 goto end;
481
482 /* Processing extensions. */
483 if (!TS_RESP_process_extensions(ctx))
484 goto end;
485
486 /* Generating the signature. */
487 if (!TS_RESP_sign(ctx))
488 goto end;
489
490 /* Everything was successful. */
491 result = 1;
492
493end:
494 if (!result) {
495 TSerror(TS_R_RESPONSE_SETUP_ERROR);
496 if (ctx->response != NULL) {
497 if (TS_RESP_CTX_set_status_info_cond(ctx,
498 TS_STATUS_REJECTION, "Error during response "
499 "generation.") == 0) {
500 TS_RESP_free(ctx->response);
501 ctx->response = NULL;
502 }
503 }
504 }
505 response = ctx->response;
506 ctx->response = NULL; /* Ownership will be returned to caller. */
507 TS_RESP_CTX_cleanup(ctx);
508 return response;
509}
510LCRYPTO_ALIAS(TS_RESP_create_response);
511
512/* Initializes the variable part of the context. */
513static void
514TS_RESP_CTX_init(TS_RESP_CTX *ctx)
515{
516 ctx->request = NULL;
517 ctx->response = NULL;
518 ctx->tst_info = NULL;
519}
520
521/* Cleans up the variable part of the context. */
522static void
523TS_RESP_CTX_cleanup(TS_RESP_CTX *ctx)
524{
525 TS_REQ_free(ctx->request);
526 ctx->request = NULL;
527 TS_RESP_free(ctx->response);
528 ctx->response = NULL;
529 TS_TST_INFO_free(ctx->tst_info);
530 ctx->tst_info = NULL;
531}
532
533/* Checks the format and content of the request. */
534static int
535TS_RESP_check_request(TS_RESP_CTX *ctx)
536{
537 TS_REQ *request = ctx->request;
538 TS_MSG_IMPRINT *msg_imprint;
539 X509_ALGOR *md_alg;
540 int md_alg_id;
541 const ASN1_OCTET_STRING *digest;
542 EVP_MD *md = NULL;
543 int i;
544
545 /* Checking request version. */
546 if (TS_REQ_get_version(request) != 1) {
547 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION,
548 "Bad request version.");
549 TS_RESP_CTX_add_failure_info(ctx, TS_INFO_BAD_REQUEST);
550 return 0;
551 }
552
553 /* Checking message digest algorithm. */
554 msg_imprint = TS_REQ_get_msg_imprint(request);
555 md_alg = TS_MSG_IMPRINT_get_algo(msg_imprint);
556 md_alg_id = OBJ_obj2nid(md_alg->algorithm);
557 for (i = 0; !md && i < sk_EVP_MD_num(ctx->mds); ++i) {
558 EVP_MD *current_md = sk_EVP_MD_value(ctx->mds, i);
559 if (md_alg_id == EVP_MD_type(current_md))
560 md = current_md;
561 }
562 if (!md) {
563 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION,
564 "Message digest algorithm is "
565 "not supported.");
566 TS_RESP_CTX_add_failure_info(ctx, TS_INFO_BAD_ALG);
567 return 0;
568 }
569
570 /* No message digest takes parameter. */
571 if (md_alg->parameter &&
572 ASN1_TYPE_get(md_alg->parameter) != V_ASN1_NULL) {
573 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION,
574 "Superfluous message digest "
575 "parameter.");
576 TS_RESP_CTX_add_failure_info(ctx, TS_INFO_BAD_ALG);
577 return 0;
578 }
579 /* Checking message digest size. */
580 digest = TS_MSG_IMPRINT_get_msg(msg_imprint);
581 if (digest->length != EVP_MD_size(md)) {
582 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION,
583 "Bad message digest.");
584 TS_RESP_CTX_add_failure_info(ctx, TS_INFO_BAD_DATA_FORMAT);
585 return 0;
586 }
587
588 return 1;
589}
590
591/* Returns the TSA policy based on the requested and acceptable policies. */
592static ASN1_OBJECT *
593TS_RESP_get_policy(TS_RESP_CTX *ctx)
594{
595 ASN1_OBJECT *requested = TS_REQ_get_policy_id(ctx->request);
596 ASN1_OBJECT *policy = NULL;
597 int i;
598
599 if (ctx->default_policy == NULL) {
600 TSerror(TS_R_INVALID_NULL_POINTER);
601 return NULL;
602 }
603 /* Return the default policy if none is requested or the default is
604 requested. */
605 if (!requested || !OBJ_cmp(requested, ctx->default_policy))
606 policy = ctx->default_policy;
607
608 /* Check if the policy is acceptable. */
609 for (i = 0; !policy && i < sk_ASN1_OBJECT_num(ctx->policies); ++i) {
610 ASN1_OBJECT *current = sk_ASN1_OBJECT_value(ctx->policies, i);
611 if (!OBJ_cmp(requested, current))
612 policy = current;
613 }
614 if (!policy) {
615 TSerror(TS_R_UNACCEPTABLE_POLICY);
616 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION,
617 "Requested policy is not "
618 "supported.");
619 TS_RESP_CTX_add_failure_info(ctx, TS_INFO_UNACCEPTED_POLICY);
620 }
621 return policy;
622}
623
624/* Creates the TS_TST_INFO object based on the settings of the context. */
625static TS_TST_INFO *
626TS_RESP_create_tst_info(TS_RESP_CTX *ctx, ASN1_OBJECT *policy)
627{
628 int result = 0;
629 TS_TST_INFO *tst_info = NULL;
630 ASN1_INTEGER *serial = NULL;
631 ASN1_GENERALIZEDTIME *asn1_time = NULL;
632 time_t sec;
633 long usec;
634 TS_ACCURACY *accuracy = NULL;
635 const ASN1_INTEGER *nonce;
636 GENERAL_NAME *tsa_name = NULL;
637
638 if (!(tst_info = TS_TST_INFO_new()))
639 goto end;
640 if (!TS_TST_INFO_set_version(tst_info, 1))
641 goto end;
642 if (!TS_TST_INFO_set_policy_id(tst_info, policy))
643 goto end;
644 if (!TS_TST_INFO_set_msg_imprint(tst_info, ctx->request->msg_imprint))
645 goto end;
646 if (!(serial = (*ctx->serial_cb)(ctx, ctx->serial_cb_data)) ||
647 !TS_TST_INFO_set_serial(tst_info, serial))
648 goto end;
649 if (!(*ctx->time_cb)(ctx, ctx->time_cb_data, &sec, &usec) ||
650 ((asn1_time = ASN1_GENERALIZEDTIME_set(NULL, sec)) == NULL) ||
651 !TS_TST_INFO_set_time(tst_info, asn1_time))
652 goto end;
653
654 /* Setting accuracy if needed. */
655 if ((ctx->seconds || ctx->millis || ctx->micros) &&
656 !(accuracy = TS_ACCURACY_new()))
657 goto end;
658
659 if (ctx->seconds && !TS_ACCURACY_set_seconds(accuracy, ctx->seconds))
660 goto end;
661 if (ctx->millis && !TS_ACCURACY_set_millis(accuracy, ctx->millis))
662 goto end;
663 if (ctx->micros && !TS_ACCURACY_set_micros(accuracy, ctx->micros))
664 goto end;
665 if (accuracy && !TS_TST_INFO_set_accuracy(tst_info, accuracy))
666 goto end;
667
668 /* Setting ordering. */
669 if ((ctx->flags & TS_ORDERING) &&
670 !TS_TST_INFO_set_ordering(tst_info, 1))
671 goto end;
672
673 /* Setting nonce if needed. */
674 if ((nonce = TS_REQ_get_nonce(ctx->request)) != NULL &&
675 !TS_TST_INFO_set_nonce(tst_info, nonce))
676 goto end;
677
678 /* Setting TSA name to subject of signer certificate. */
679 if (ctx->flags & TS_TSA_NAME) {
680 if (!(tsa_name = GENERAL_NAME_new()))
681 goto end;
682 tsa_name->type = GEN_DIRNAME;
683 tsa_name->d.dirn =
684 X509_NAME_dup(X509_get_subject_name(ctx->signer_cert));
685 if (!tsa_name->d.dirn)
686 goto end;
687 if (!TS_TST_INFO_set_tsa(tst_info, tsa_name))
688 goto end;
689 }
690
691 result = 1;
692
693end:
694 if (!result) {
695 TS_TST_INFO_free(tst_info);
696 tst_info = NULL;
697 TSerror(TS_R_TST_INFO_SETUP_ERROR);
698 TS_RESP_CTX_set_status_info_cond(ctx, TS_STATUS_REJECTION,
699 "Error during TSTInfo "
700 "generation.");
701 }
702 GENERAL_NAME_free(tsa_name);
703 TS_ACCURACY_free(accuracy);
704 ASN1_GENERALIZEDTIME_free(asn1_time);
705 ASN1_INTEGER_free(serial);
706
707 return tst_info;
708}
709
710/* Processing the extensions of the request. */
711static int
712TS_RESP_process_extensions(TS_RESP_CTX *ctx)
713{
714 STACK_OF(X509_EXTENSION) *exts = TS_REQ_get_exts(ctx->request);
715 int i;
716 int ok = 1;
717
718 for (i = 0; ok && i < sk_X509_EXTENSION_num(exts); ++i) {
719 X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, i);
720 /* XXXXX The last argument was previously
721 (void *)ctx->extension_cb, but ISO C doesn't permit
722 converting a function pointer to void *. For lack of
723 better information, I'm placing a NULL there instead.
724 The callback can pick its own address out from the ctx
725 anyway...
726 */
727 ok = (*ctx->extension_cb)(ctx, ext, NULL);
728 }
729
730 return ok;
731}
732
733/* Functions for signing the TS_TST_INFO structure of the context. */
734static int
735TS_RESP_sign(TS_RESP_CTX *ctx)
736{
737 int ret = 0;
738 PKCS7 *p7 = NULL;
739 PKCS7_SIGNER_INFO *si;
740 STACK_OF(X509) *certs; /* Certificates to include in sc. */
741 ESS_SIGNING_CERT *sc = NULL;
742 ASN1_OBJECT *oid;
743 BIO *p7bio = NULL;
744 int i;
745
746 /* Check if signcert and pkey match. */
747 if (!X509_check_private_key(ctx->signer_cert, ctx->signer_key)) {
748 TSerror(TS_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
749 goto err;
750 }
751
752 /* Create a new PKCS7 signed object. */
753 if (!(p7 = PKCS7_new())) {
754 TSerror(ERR_R_MALLOC_FAILURE);
755 goto err;
756 }
757 if (!PKCS7_set_type(p7, NID_pkcs7_signed))
758 goto err;
759
760 /* Force SignedData version to be 3 instead of the default 1. */
761 if (!ASN1_INTEGER_set(p7->d.sign->version, 3))
762 goto err;
763
764 /* Add signer certificate and optional certificate chain. */
765 if (TS_REQ_get_cert_req(ctx->request)) {
766 PKCS7_add_certificate(p7, ctx->signer_cert);
767 if (ctx->certs) {
768 for (i = 0; i < sk_X509_num(ctx->certs); ++i) {
769 X509 *cert = sk_X509_value(ctx->certs, i);
770 PKCS7_add_certificate(p7, cert);
771 }
772 }
773 }
774
775 /* Add a new signer info. */
776 if (!(si = PKCS7_add_signature(p7, ctx->signer_cert,
777 ctx->signer_key, EVP_sha1()))) {
778 TSerror(TS_R_PKCS7_ADD_SIGNATURE_ERROR);
779 goto err;
780 }
781
782 /* Add content type signed attribute to the signer info. */
783 oid = OBJ_nid2obj(NID_id_smime_ct_TSTInfo);
784 if (!PKCS7_add_signed_attribute(si, NID_pkcs9_contentType,
785 V_ASN1_OBJECT, oid)) {
786 TSerror(TS_R_PKCS7_ADD_SIGNED_ATTR_ERROR);
787 goto err;
788 }
789
790 /* Create the ESS SigningCertificate attribute which contains
791 the signer certificate id and optionally the certificate chain. */
792 certs = ctx->flags & TS_ESS_CERT_ID_CHAIN ? ctx->certs : NULL;
793 if (!(sc = ESS_SIGNING_CERT_new_init(ctx->signer_cert, certs)))
794 goto err;
795
796 /* Add SigningCertificate signed attribute to the signer info. */
797 if (!ESS_add_signing_cert(si, sc)) {
798 TSerror(TS_R_ESS_ADD_SIGNING_CERT_ERROR);
799 goto err;
800 }
801
802 /* Add a new empty NID_id_smime_ct_TSTInfo encapsulated content. */
803 if (!TS_TST_INFO_content_new(p7))
804 goto err;
805
806 /* Add the DER encoded tst_info to the PKCS7 structure. */
807 if (!(p7bio = PKCS7_dataInit(p7, NULL))) {
808 TSerror(ERR_R_MALLOC_FAILURE);
809 goto err;
810 }
811
812 /* Convert tst_info to DER. */
813 if (!i2d_TS_TST_INFO_bio(p7bio, ctx->tst_info)) {
814 TSerror(TS_R_TS_DATASIGN);
815 goto err;
816 }
817
818 /* Create the signature and add it to the signer info. */
819 if (!PKCS7_dataFinal(p7, p7bio)) {
820 TSerror(TS_R_TS_DATASIGN);
821 goto err;
822 }
823
824 /* Set new PKCS7 and TST_INFO objects. */
825 TS_RESP_set_tst_info(ctx->response, p7, ctx->tst_info);
826 p7 = NULL; /* Ownership is lost. */
827 ctx->tst_info = NULL; /* Ownership is lost. */
828
829 ret = 1;
830
831err:
832 if (!ret)
833 TS_RESP_CTX_set_status_info_cond(ctx, TS_STATUS_REJECTION,
834 "Error during signature "
835 "generation.");
836 BIO_free_all(p7bio);
837 ESS_SIGNING_CERT_free(sc);
838 PKCS7_free(p7);
839 return ret;
840}
841
842static ESS_SIGNING_CERT *
843ESS_SIGNING_CERT_new_init(X509 *signcert, STACK_OF(X509) *certs)
844{
845 ESS_CERT_ID *cid;
846 ESS_SIGNING_CERT *sc = NULL;
847 int i;
848
849 /* Creating the ESS_CERT_ID stack. */
850 if (!(sc = ESS_SIGNING_CERT_new()))
851 goto err;
852 if (!sc->cert_ids && !(sc->cert_ids = sk_ESS_CERT_ID_new_null()))
853 goto err;
854
855 /* Adding the signing certificate id. */
856 if (!(cid = ESS_CERT_ID_new_init(signcert, 0)) ||
857 !sk_ESS_CERT_ID_push(sc->cert_ids, cid))
858 goto err;
859 /* Adding the certificate chain ids. */
860 for (i = 0; i < sk_X509_num(certs); ++i) {
861 X509 *cert = sk_X509_value(certs, i);
862 if (!(cid = ESS_CERT_ID_new_init(cert, 1)) ||
863 !sk_ESS_CERT_ID_push(sc->cert_ids, cid))
864 goto err;
865 }
866
867 return sc;
868
869err:
870 ESS_SIGNING_CERT_free(sc);
871 TSerror(ERR_R_MALLOC_FAILURE);
872 return NULL;
873}
874
875static ESS_CERT_ID *
876ESS_CERT_ID_new_init(X509 *cert, int issuer_needed)
877{
878 ESS_CERT_ID *cid = NULL;
879 GENERAL_NAME *name = NULL;
880 unsigned char cert_hash[TS_HASH_LEN];
881
882 /* Recompute SHA1 hash of certificate if necessary (side effect). */
883 X509_check_purpose(cert, -1, 0);
884
885 if (!(cid = ESS_CERT_ID_new()))
886 goto err;
887
888 if (!X509_digest(cert, TS_HASH_EVP, cert_hash, NULL))
889 goto err;
890
891 if (!ASN1_OCTET_STRING_set(cid->hash, cert_hash, sizeof(cert_hash)))
892 goto err;
893
894 /* Setting the issuer/serial if requested. */
895 if (issuer_needed) {
896 /* Creating issuer/serial structure. */
897 if (!cid->issuer_serial &&
898 !(cid->issuer_serial = ESS_ISSUER_SERIAL_new()))
899 goto err;
900 /* Creating general name from the certificate issuer. */
901 if (!(name = GENERAL_NAME_new()))
902 goto err;
903 name->type = GEN_DIRNAME;
904 if ((name->d.dirn = X509_NAME_dup(X509_get_issuer_name(cert))) == NULL)
905 goto err;
906 if (!sk_GENERAL_NAME_push(cid->issuer_serial->issuer, name))
907 goto err;
908 name = NULL; /* Ownership is lost. */
909 /* Setting the serial number. */
910 ASN1_INTEGER_free(cid->issuer_serial->serial);
911 if (!(cid->issuer_serial->serial =
912 ASN1_INTEGER_dup(X509_get_serialNumber(cert))))
913 goto err;
914 }
915
916 return cid;
917
918err:
919 GENERAL_NAME_free(name);
920 ESS_CERT_ID_free(cid);
921 TSerror(ERR_R_MALLOC_FAILURE);
922 return NULL;
923}
924
925static int
926TS_TST_INFO_content_new(PKCS7 *p7)
927{
928 PKCS7 *ret = NULL;
929 ASN1_OCTET_STRING *octet_string = NULL;
930
931 /* Create new encapsulated NID_id_smime_ct_TSTInfo content. */
932 if (!(ret = PKCS7_new()))
933 goto err;
934 if (!(ret->d.other = ASN1_TYPE_new()))
935 goto err;
936 ret->type = OBJ_nid2obj(NID_id_smime_ct_TSTInfo);
937 if (!(octet_string = ASN1_OCTET_STRING_new()))
938 goto err;
939 ASN1_TYPE_set(ret->d.other, V_ASN1_OCTET_STRING, octet_string);
940 octet_string = NULL;
941
942 /* Add encapsulated content to signed PKCS7 structure. */
943 if (!PKCS7_set_content(p7, ret))
944 goto err;
945
946 return 1;
947
948err:
949 ASN1_OCTET_STRING_free(octet_string);
950 PKCS7_free(ret);
951 return 0;
952}
953
954static int
955ESS_add_signing_cert(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT *sc)
956{
957 ASN1_STRING *seq = NULL;
958 unsigned char *p, *pp = NULL;
959 int len;
960
961 len = i2d_ESS_SIGNING_CERT(sc, NULL);
962 if (!(pp = malloc(len))) {
963 TSerror(ERR_R_MALLOC_FAILURE);
964 goto err;
965 }
966 p = pp;
967 i2d_ESS_SIGNING_CERT(sc, &p);
968 if (!(seq = ASN1_STRING_new()) || !ASN1_STRING_set(seq, pp, len)) {
969 TSerror(ERR_R_MALLOC_FAILURE);
970 goto err;
971 }
972 free(pp);
973 pp = NULL;
974 return PKCS7_add_signed_attribute(si,
975 NID_id_smime_aa_signingCertificate, V_ASN1_SEQUENCE, seq);
976
977err:
978 ASN1_STRING_free(seq);
979 free(pp);
980
981 return 0;
982}
diff --git a/src/lib/libcrypto/ts/ts_rsp_utils.c b/src/lib/libcrypto/ts/ts_rsp_utils.c
deleted file mode 100644
index 34994adce8..0000000000
--- a/src/lib/libcrypto/ts/ts_rsp_utils.c
+++ /dev/null
@@ -1,503 +0,0 @@
1/* $OpenBSD: ts_rsp_utils.c,v 1.11 2023/07/07 19:37:54 beck Exp $ */
2/* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
3 * project 2002.
4 */
5/* ====================================================================
6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60
61#include <openssl/err.h>
62#include <openssl/objects.h>
63#include <openssl/pkcs7.h>
64#include <openssl/ts.h>
65
66#include "ts_local.h"
67
68/* Function definitions. */
69
70int
71TS_RESP_set_status_info(TS_RESP *a, TS_STATUS_INFO *status_info)
72{
73 TS_STATUS_INFO *new_status_info;
74
75 if (a->status_info == status_info)
76 return 1;
77 new_status_info = TS_STATUS_INFO_dup(status_info);
78 if (new_status_info == NULL) {
79 TSerror(ERR_R_MALLOC_FAILURE);
80 return 0;
81 }
82 TS_STATUS_INFO_free(a->status_info);
83 a->status_info = new_status_info;
84
85 return 1;
86}
87LCRYPTO_ALIAS(TS_RESP_set_status_info);
88
89TS_STATUS_INFO *
90TS_RESP_get_status_info(TS_RESP *a)
91{
92 return a->status_info;
93}
94LCRYPTO_ALIAS(TS_RESP_get_status_info);
95
96const ASN1_UTF8STRING *
97TS_STATUS_INFO_get0_failure_info(const TS_STATUS_INFO *si)
98{
99 return si->failure_info;
100}
101LCRYPTO_ALIAS(TS_STATUS_INFO_get0_failure_info);
102
103const STACK_OF(ASN1_UTF8STRING) *
104TS_STATUS_INFO_get0_text(const TS_STATUS_INFO *si)
105{
106 return si->text;
107}
108LCRYPTO_ALIAS(TS_STATUS_INFO_get0_text);
109
110const ASN1_INTEGER *
111TS_STATUS_INFO_get0_status(const TS_STATUS_INFO *si)
112{
113 return si->status;
114}
115LCRYPTO_ALIAS(TS_STATUS_INFO_get0_status);
116
117int
118TS_STATUS_INFO_set_status(TS_STATUS_INFO *si, int i)
119{
120 return ASN1_INTEGER_set(si->status, i);
121}
122LCRYPTO_ALIAS(TS_STATUS_INFO_set_status);
123
124/* Caller loses ownership of PKCS7 and TS_TST_INFO objects. */
125void
126TS_RESP_set_tst_info(TS_RESP *a, PKCS7 *p7, TS_TST_INFO *tst_info)
127{
128 /* Set new PKCS7 and TST_INFO objects. */
129 PKCS7_free(a->token);
130 a->token = p7;
131 TS_TST_INFO_free(a->tst_info);
132 a->tst_info = tst_info;
133}
134LCRYPTO_ALIAS(TS_RESP_set_tst_info);
135
136PKCS7 *
137TS_RESP_get_token(TS_RESP *a)
138{
139 return a->token;
140}
141LCRYPTO_ALIAS(TS_RESP_get_token);
142
143TS_TST_INFO *
144TS_RESP_get_tst_info(TS_RESP *a)
145{
146 return a->tst_info;
147}
148LCRYPTO_ALIAS(TS_RESP_get_tst_info);
149
150int
151TS_TST_INFO_set_version(TS_TST_INFO *a, long version)
152{
153 return ASN1_INTEGER_set(a->version, version);
154}
155LCRYPTO_ALIAS(TS_TST_INFO_set_version);
156
157long
158TS_TST_INFO_get_version(const TS_TST_INFO *a)
159{
160 return ASN1_INTEGER_get(a->version);
161}
162LCRYPTO_ALIAS(TS_TST_INFO_get_version);
163
164int
165TS_TST_INFO_set_policy_id(TS_TST_INFO *a, ASN1_OBJECT *policy)
166{
167 ASN1_OBJECT *new_policy;
168
169 if (a->policy_id == policy)
170 return 1;
171 new_policy = OBJ_dup(policy);
172 if (new_policy == NULL) {
173 TSerror(ERR_R_MALLOC_FAILURE);
174 return 0;
175 }
176 ASN1_OBJECT_free(a->policy_id);
177 a->policy_id = new_policy;
178 return 1;
179}
180LCRYPTO_ALIAS(TS_TST_INFO_set_policy_id);
181
182ASN1_OBJECT *
183TS_TST_INFO_get_policy_id(TS_TST_INFO *a)
184{
185 return a->policy_id;
186}
187LCRYPTO_ALIAS(TS_TST_INFO_get_policy_id);
188
189int
190TS_TST_INFO_set_msg_imprint(TS_TST_INFO *a, TS_MSG_IMPRINT *msg_imprint)
191{
192 TS_MSG_IMPRINT *new_msg_imprint;
193
194 if (a->msg_imprint == msg_imprint)
195 return 1;
196 new_msg_imprint = TS_MSG_IMPRINT_dup(msg_imprint);
197 if (new_msg_imprint == NULL) {
198 TSerror(ERR_R_MALLOC_FAILURE);
199 return 0;
200 }
201 TS_MSG_IMPRINT_free(a->msg_imprint);
202 a->msg_imprint = new_msg_imprint;
203 return 1;
204}
205LCRYPTO_ALIAS(TS_TST_INFO_set_msg_imprint);
206
207TS_MSG_IMPRINT *
208TS_TST_INFO_get_msg_imprint(TS_TST_INFO *a)
209{
210 return a->msg_imprint;
211}
212LCRYPTO_ALIAS(TS_TST_INFO_get_msg_imprint);
213
214int
215TS_TST_INFO_set_serial(TS_TST_INFO *a, const ASN1_INTEGER *serial)
216{
217 ASN1_INTEGER *new_serial;
218
219 if (a->serial == serial)
220 return 1;
221 new_serial = ASN1_INTEGER_dup(serial);
222 if (new_serial == NULL) {
223 TSerror(ERR_R_MALLOC_FAILURE);
224 return 0;
225 }
226 ASN1_INTEGER_free(a->serial);
227 a->serial = new_serial;
228 return 1;
229}
230LCRYPTO_ALIAS(TS_TST_INFO_set_serial);
231
232const ASN1_INTEGER *
233TS_TST_INFO_get_serial(const TS_TST_INFO *a)
234{
235 return a->serial;
236}
237LCRYPTO_ALIAS(TS_TST_INFO_get_serial);
238
239int
240TS_TST_INFO_set_time(TS_TST_INFO *a, const ASN1_GENERALIZEDTIME *gtime)
241{
242 ASN1_GENERALIZEDTIME *new_time;
243
244 if (a->time == gtime)
245 return 1;
246 new_time = ASN1_STRING_dup(gtime);
247 if (new_time == NULL) {
248 TSerror(ERR_R_MALLOC_FAILURE);
249 return 0;
250 }
251 ASN1_GENERALIZEDTIME_free(a->time);
252 a->time = new_time;
253 return 1;
254}
255LCRYPTO_ALIAS(TS_TST_INFO_set_time);
256
257const ASN1_GENERALIZEDTIME *
258TS_TST_INFO_get_time(const TS_TST_INFO *a)
259{
260 return a->time;
261}
262LCRYPTO_ALIAS(TS_TST_INFO_get_time);
263
264int
265TS_TST_INFO_set_accuracy(TS_TST_INFO *a, TS_ACCURACY *accuracy)
266{
267 TS_ACCURACY *new_accuracy;
268
269 if (a->accuracy == accuracy)
270 return 1;
271 new_accuracy = TS_ACCURACY_dup(accuracy);
272 if (new_accuracy == NULL) {
273 TSerror(ERR_R_MALLOC_FAILURE);
274 return 0;
275 }
276 TS_ACCURACY_free(a->accuracy);
277 a->accuracy = new_accuracy;
278 return 1;
279}
280LCRYPTO_ALIAS(TS_TST_INFO_set_accuracy);
281
282TS_ACCURACY *
283TS_TST_INFO_get_accuracy(TS_TST_INFO *a)
284{
285 return a->accuracy;
286}
287LCRYPTO_ALIAS(TS_TST_INFO_get_accuracy);
288
289int
290TS_ACCURACY_set_seconds(TS_ACCURACY *a, const ASN1_INTEGER *seconds)
291{
292 ASN1_INTEGER *new_seconds;
293
294 if (a->seconds == seconds)
295 return 1;
296 new_seconds = ASN1_INTEGER_dup(seconds);
297 if (new_seconds == NULL) {
298 TSerror(ERR_R_MALLOC_FAILURE);
299 return 0;
300 }
301 ASN1_INTEGER_free(a->seconds);
302 a->seconds = new_seconds;
303 return 1;
304}
305LCRYPTO_ALIAS(TS_ACCURACY_set_seconds);
306
307const ASN1_INTEGER *
308TS_ACCURACY_get_seconds(const TS_ACCURACY *a)
309{
310 return a->seconds;
311}
312LCRYPTO_ALIAS(TS_ACCURACY_get_seconds);
313
314int
315TS_ACCURACY_set_millis(TS_ACCURACY *a, const ASN1_INTEGER *millis)
316{
317 ASN1_INTEGER *new_millis = NULL;
318
319 if (a->millis == millis)
320 return 1;
321 if (millis != NULL) {
322 new_millis = ASN1_INTEGER_dup(millis);
323 if (new_millis == NULL) {
324 TSerror(ERR_R_MALLOC_FAILURE);
325 return 0;
326 }
327 }
328 ASN1_INTEGER_free(a->millis);
329 a->millis = new_millis;
330 return 1;
331}
332LCRYPTO_ALIAS(TS_ACCURACY_set_millis);
333
334const ASN1_INTEGER *
335TS_ACCURACY_get_millis(const TS_ACCURACY *a)
336{
337 return a->millis;
338}
339LCRYPTO_ALIAS(TS_ACCURACY_get_millis);
340
341int
342TS_ACCURACY_set_micros(TS_ACCURACY *a, const ASN1_INTEGER *micros)
343{
344 ASN1_INTEGER *new_micros = NULL;
345
346 if (a->micros == micros)
347 return 1;
348 if (micros != NULL) {
349 new_micros = ASN1_INTEGER_dup(micros);
350 if (new_micros == NULL) {
351 TSerror(ERR_R_MALLOC_FAILURE);
352 return 0;
353 }
354 }
355 ASN1_INTEGER_free(a->micros);
356 a->micros = new_micros;
357 return 1;
358}
359LCRYPTO_ALIAS(TS_ACCURACY_set_micros);
360
361const ASN1_INTEGER *
362TS_ACCURACY_get_micros(const TS_ACCURACY *a)
363{
364 return a->micros;
365}
366LCRYPTO_ALIAS(TS_ACCURACY_get_micros);
367
368int
369TS_TST_INFO_set_ordering(TS_TST_INFO *a, int ordering)
370{
371 a->ordering = ordering ? 0xFF : 0x00;
372 return 1;
373}
374LCRYPTO_ALIAS(TS_TST_INFO_set_ordering);
375
376int
377TS_TST_INFO_get_ordering(const TS_TST_INFO *a)
378{
379 return a->ordering ? 1 : 0;
380}
381LCRYPTO_ALIAS(TS_TST_INFO_get_ordering);
382
383int
384TS_TST_INFO_set_nonce(TS_TST_INFO *a, const ASN1_INTEGER *nonce)
385{
386 ASN1_INTEGER *new_nonce;
387
388 if (a->nonce == nonce)
389 return 1;
390 new_nonce = ASN1_INTEGER_dup(nonce);
391 if (new_nonce == NULL) {
392 TSerror(ERR_R_MALLOC_FAILURE);
393 return 0;
394 }
395 ASN1_INTEGER_free(a->nonce);
396 a->nonce = new_nonce;
397 return 1;
398}
399LCRYPTO_ALIAS(TS_TST_INFO_set_nonce);
400
401const ASN1_INTEGER *
402TS_TST_INFO_get_nonce(const TS_TST_INFO *a)
403{
404 return a->nonce;
405}
406LCRYPTO_ALIAS(TS_TST_INFO_get_nonce);
407
408int
409TS_TST_INFO_set_tsa(TS_TST_INFO *a, GENERAL_NAME *tsa)
410{
411 GENERAL_NAME *new_tsa;
412
413 if (a->tsa == tsa)
414 return 1;
415 new_tsa = GENERAL_NAME_dup(tsa);
416 if (new_tsa == NULL) {
417 TSerror(ERR_R_MALLOC_FAILURE);
418 return 0;
419 }
420 GENERAL_NAME_free(a->tsa);
421 a->tsa = new_tsa;
422 return 1;
423}
424LCRYPTO_ALIAS(TS_TST_INFO_set_tsa);
425
426GENERAL_NAME *
427TS_TST_INFO_get_tsa(TS_TST_INFO *a)
428{
429 return a->tsa;
430}
431LCRYPTO_ALIAS(TS_TST_INFO_get_tsa);
432
433STACK_OF(X509_EXTENSION) *TS_TST_INFO_get_exts(TS_TST_INFO *a)
434{
435 return a->extensions;
436}
437LCRYPTO_ALIAS(TS_TST_INFO_get_exts);
438
439void
440TS_TST_INFO_ext_free(TS_TST_INFO *a)
441{
442 if (!a)
443 return;
444 sk_X509_EXTENSION_pop_free(a->extensions, X509_EXTENSION_free);
445 a->extensions = NULL;
446}
447LCRYPTO_ALIAS(TS_TST_INFO_ext_free);
448
449int
450TS_TST_INFO_get_ext_count(TS_TST_INFO *a)
451{
452 return X509v3_get_ext_count(a->extensions);
453}
454LCRYPTO_ALIAS(TS_TST_INFO_get_ext_count);
455
456int
457TS_TST_INFO_get_ext_by_NID(TS_TST_INFO *a, int nid, int lastpos)
458{
459 return X509v3_get_ext_by_NID(a->extensions, nid, lastpos);
460}
461LCRYPTO_ALIAS(TS_TST_INFO_get_ext_by_NID);
462
463int
464TS_TST_INFO_get_ext_by_OBJ(TS_TST_INFO *a, const ASN1_OBJECT *obj, int lastpos)
465{
466 return X509v3_get_ext_by_OBJ(a->extensions, obj, lastpos);
467}
468LCRYPTO_ALIAS(TS_TST_INFO_get_ext_by_OBJ);
469
470int
471TS_TST_INFO_get_ext_by_critical(TS_TST_INFO *a, int crit, int lastpos)
472{
473 return X509v3_get_ext_by_critical(a->extensions, crit, lastpos);
474}
475LCRYPTO_ALIAS(TS_TST_INFO_get_ext_by_critical);
476
477X509_EXTENSION *
478TS_TST_INFO_get_ext(TS_TST_INFO *a, int loc)
479{
480 return X509v3_get_ext(a->extensions, loc);
481}
482LCRYPTO_ALIAS(TS_TST_INFO_get_ext);
483
484X509_EXTENSION *
485TS_TST_INFO_delete_ext(TS_TST_INFO *a, int loc)
486{
487 return X509v3_delete_ext(a->extensions, loc);
488}
489LCRYPTO_ALIAS(TS_TST_INFO_delete_ext);
490
491int
492TS_TST_INFO_add_ext(TS_TST_INFO *a, X509_EXTENSION *ex, int loc)
493{
494 return X509v3_add_ext(&a->extensions, ex, loc) != NULL;
495}
496LCRYPTO_ALIAS(TS_TST_INFO_add_ext);
497
498void *
499TS_TST_INFO_get_ext_d2i(TS_TST_INFO *a, int nid, int *crit, int *idx)
500{
501 return X509V3_get_d2i(a->extensions, nid, crit, idx);
502}
503LCRYPTO_ALIAS(TS_TST_INFO_get_ext_d2i);
diff --git a/src/lib/libcrypto/ts/ts_rsp_verify.c b/src/lib/libcrypto/ts/ts_rsp_verify.c
deleted file mode 100644
index 69236f68ab..0000000000
--- a/src/lib/libcrypto/ts/ts_rsp_verify.c
+++ /dev/null
@@ -1,847 +0,0 @@
1/* $OpenBSD: ts_rsp_verify.c,v 1.30 2023/07/07 07:25:21 beck Exp $ */
2/* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
3 * project 2002.
4 */
5/* ====================================================================
6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include <string.h>
61
62#include <openssl/err.h>
63#include <openssl/objects.h>
64#include <openssl/pkcs7.h>
65#include <openssl/ts.h>
66
67#include "evp_local.h"
68#include "ts_local.h"
69#include "x509_local.h"
70
71/* Private function declarations. */
72
73static int TS_verify_cert(X509_STORE *store, STACK_OF(X509) *untrusted,
74 X509 *signer, STACK_OF(X509) **chain);
75static int TS_check_signing_certs(PKCS7_SIGNER_INFO *si, STACK_OF(X509) *chain);
76static ESS_SIGNING_CERT *ESS_get_signing_cert(PKCS7_SIGNER_INFO *si);
77static int TS_find_cert(STACK_OF(ESS_CERT_ID) *cert_ids, X509 *cert);
78static ESS_SIGNING_CERT_V2 *ESS_get_signing_cert_v2(PKCS7_SIGNER_INFO *si);
79static int TS_find_cert_v2(STACK_OF(ESS_CERT_ID_V2) *cert_ids, X509 *cert);
80static int TS_issuer_serial_cmp(ESS_ISSUER_SERIAL *is, X509 *cert);
81static int int_TS_RESP_verify_token(TS_VERIFY_CTX *ctx,
82 PKCS7 *token, TS_TST_INFO *tst_info);
83static int TS_check_status_info(TS_RESP *response);
84static char *TS_get_status_text(STACK_OF(ASN1_UTF8STRING) *text);
85static int TS_check_policy(ASN1_OBJECT *req_oid, TS_TST_INFO *tst_info);
86static int TS_compute_imprint(BIO *data, TS_TST_INFO *tst_info,
87 X509_ALGOR **md_alg,
88 unsigned char **imprint, unsigned *imprint_len);
89static int TS_check_imprints(X509_ALGOR *algor_a,
90 unsigned char *imprint_a, unsigned len_a,
91 TS_TST_INFO *tst_info);
92static int TS_check_nonces(const ASN1_INTEGER *a, TS_TST_INFO *tst_info);
93static int TS_check_signer_name(GENERAL_NAME *tsa_name, X509 *signer);
94static int TS_find_name(STACK_OF(GENERAL_NAME) *gen_names, GENERAL_NAME *name);
95
96/*
97 * Local mapping between response codes and descriptions.
98 * Don't forget to change TS_STATUS_BUF_SIZE when modifying
99 * the elements of this array.
100 */
101static const char *TS_status_text[] = {
102 "granted",
103 "grantedWithMods",
104 "rejection",
105 "waiting",
106 "revocationWarning",
107 "revocationNotification"
108};
109
110#define TS_STATUS_TEXT_SIZE (sizeof(TS_status_text)/sizeof(*TS_status_text))
111
112/*
113 * This must be greater or equal to the sum of the strings in TS_status_text
114 * plus the number of its elements.
115 */
116#define TS_STATUS_BUF_SIZE 256
117
118static struct {
119 int code;
120 const char *text;
121} TS_failure_info[] = {
122 { TS_INFO_BAD_ALG, "badAlg" },
123 { TS_INFO_BAD_REQUEST, "badRequest" },
124 { TS_INFO_BAD_DATA_FORMAT, "badDataFormat" },
125 { TS_INFO_TIME_NOT_AVAILABLE, "timeNotAvailable" },
126 { TS_INFO_UNACCEPTED_POLICY, "unacceptedPolicy" },
127 { TS_INFO_UNACCEPTED_EXTENSION, "unacceptedExtension" },
128 { TS_INFO_ADD_INFO_NOT_AVAILABLE, "addInfoNotAvailable" },
129 { TS_INFO_SYSTEM_FAILURE, "systemFailure" }
130};
131
132#define TS_FAILURE_INFO_SIZE (sizeof(TS_failure_info) / \
133 sizeof(*TS_failure_info))
134
135/* Functions for verifying a signed TS_TST_INFO structure. */
136
137/*
138 * This function carries out the following tasks:
139 * - Checks if there is one and only one signer.
140 * - Search for the signing certificate in 'certs' and in the response.
141 * - Check the extended key usage and key usage fields of the signer
142 * certificate (done by the path validation).
143 * - Build and validate the certificate path.
144 * - Check if the certificate path meets the requirements of the
145 * SigningCertificate ESS signed attribute.
146 * - Verify the signature value.
147 * - Returns the signer certificate in 'signer', if 'signer' is not NULL.
148 */
149int
150TS_RESP_verify_signature(PKCS7 *token, STACK_OF(X509) *certs,
151 X509_STORE *store, X509 **signer_out)
152{
153 STACK_OF(PKCS7_SIGNER_INFO) *sinfos = NULL;
154 PKCS7_SIGNER_INFO *si;
155 STACK_OF(X509) *signers = NULL;
156 X509 *signer;
157 STACK_OF(X509) *chain = NULL;
158 char buf[4096];
159 int i, j = 0, ret = 0;
160 BIO *p7bio = NULL;
161
162 /* Some sanity checks first. */
163 if (!token) {
164 TSerror(TS_R_INVALID_NULL_POINTER);
165 goto err;
166 }
167
168 /* Check for the correct content type */
169 if (!PKCS7_type_is_signed(token)) {
170 TSerror(TS_R_WRONG_CONTENT_TYPE);
171 goto err;
172 }
173
174 /* Check if there is one and only one signer. */
175 sinfos = PKCS7_get_signer_info(token);
176 if (!sinfos || sk_PKCS7_SIGNER_INFO_num(sinfos) != 1) {
177 TSerror(TS_R_THERE_MUST_BE_ONE_SIGNER);
178 goto err;
179 }
180 si = sk_PKCS7_SIGNER_INFO_value(sinfos, 0);
181
182 /* Check for no content: no data to verify signature. */
183 if (PKCS7_get_detached(token)) {
184 TSerror(TS_R_NO_CONTENT);
185 goto err;
186 }
187
188 /* Get hold of the signer certificate, search only internal
189 certificates if it was requested. */
190 signers = PKCS7_get0_signers(token, certs, 0);
191 if (!signers || sk_X509_num(signers) != 1)
192 goto err;
193 signer = sk_X509_value(signers, 0);
194
195 /* Now verify the certificate. */
196 if (!TS_verify_cert(store, certs, signer, &chain))
197 goto err;
198
199 /* Check if the signer certificate is consistent with the
200 ESS extension. */
201 if (!TS_check_signing_certs(si, chain))
202 goto err;
203
204 /* Creating the message digest. */
205 p7bio = PKCS7_dataInit(token, NULL);
206
207 /* We now have to 'read' from p7bio to calculate digests etc. */
208 while ((i = BIO_read(p7bio, buf, sizeof(buf))) > 0)
209 ;
210
211 /* Verifying the signature. */
212 j = PKCS7_signatureVerify(p7bio, token, si, signer);
213 if (j <= 0) {
214 TSerror(TS_R_SIGNATURE_FAILURE);
215 goto err;
216 }
217
218 /* Return the signer certificate if needed. */
219 if (signer_out) {
220 *signer_out = signer;
221 CRYPTO_add(&signer->references, 1, CRYPTO_LOCK_X509);
222 }
223
224 ret = 1;
225
226err:
227 BIO_free_all(p7bio);
228 sk_X509_pop_free(chain, X509_free);
229 sk_X509_free(signers);
230
231 return ret;
232}
233LCRYPTO_ALIAS(TS_RESP_verify_signature);
234
235/*
236 * The certificate chain is returned in chain. Caller is responsible for
237 * freeing the vector.
238 */
239static int
240TS_verify_cert(X509_STORE *store, STACK_OF(X509) *untrusted, X509 *signer,
241 STACK_OF(X509) **chain)
242{
243 X509_STORE_CTX cert_ctx;
244 int i;
245 int ret = 0;
246
247 /* chain is an out argument. */
248 *chain = NULL;
249 if (X509_STORE_CTX_init(&cert_ctx, store, signer, untrusted) == 0) {
250 TSerror(ERR_R_X509_LIB);
251 goto err;
252 }
253 if (X509_STORE_CTX_set_purpose(&cert_ctx,
254 X509_PURPOSE_TIMESTAMP_SIGN) == 0)
255 goto err;
256 i = X509_verify_cert(&cert_ctx);
257 if (i <= 0) {
258 int j = X509_STORE_CTX_get_error(&cert_ctx);
259
260 TSerror(TS_R_CERTIFICATE_VERIFY_ERROR);
261 ERR_asprintf_error_data("Verify error:%s",
262 X509_verify_cert_error_string(j));
263 goto err;
264 } else {
265 /* Get a copy of the certificate chain. */
266 *chain = X509_STORE_CTX_get1_chain(&cert_ctx);
267 ret = 1;
268 }
269
270err:
271 X509_STORE_CTX_cleanup(&cert_ctx);
272
273 return ret;
274}
275
276static int
277TS_check_signing_certs(PKCS7_SIGNER_INFO *si, STACK_OF(X509) *chain)
278{
279 ESS_SIGNING_CERT *ss = NULL;
280 STACK_OF(ESS_CERT_ID) *cert_ids;
281 ESS_SIGNING_CERT_V2 *ssv2 = NULL;
282 STACK_OF(ESS_CERT_ID_V2) *cert_ids_v2;
283 X509 *cert;
284 int i = 0;
285 int ret = 0;
286
287 if ((ss = ESS_get_signing_cert(si)) != NULL) {
288 cert_ids = ss->cert_ids;
289 /* The signer certificate must be the first in cert_ids. */
290 cert = sk_X509_value(chain, 0);
291
292 if (TS_find_cert(cert_ids, cert) != 0)
293 goto err;
294
295 /*
296 * Check the other certificates of the chain if there are more
297 * than one certificate ids in cert_ids.
298 */
299 if (sk_ESS_CERT_ID_num(cert_ids) > 1) {
300 /* All the certificates of the chain must be in cert_ids. */
301 for (i = 1; i < sk_X509_num(chain); i++) {
302 cert = sk_X509_value(chain, i);
303
304 if (TS_find_cert(cert_ids, cert) < 0)
305 goto err;
306 }
307 }
308 }
309
310 if ((ssv2 = ESS_get_signing_cert_v2(si)) != NULL) {
311 cert_ids_v2 = ssv2->cert_ids;
312 /* The signer certificate must be the first in cert_ids_v2. */
313 cert = sk_X509_value(chain, 0);
314
315 if (TS_find_cert_v2(cert_ids_v2, cert) != 0)
316 goto err;
317
318 /*
319 * Check the other certificates of the chain if there are more
320 * than one certificate ids in cert_ids_v2.
321 */
322 if (sk_ESS_CERT_ID_V2_num(cert_ids_v2) > 1) {
323 /* All the certificates of the chain must be in cert_ids_v2. */
324 for (i = 1; i < sk_X509_num(chain); i++) {
325 cert = sk_X509_value(chain, i);
326
327 if (TS_find_cert_v2(cert_ids_v2, cert) < 0)
328 goto err;
329 }
330 }
331 }
332
333 ret = 1;
334
335err:
336 if (!ret)
337 TSerror(TS_R_ESS_SIGNING_CERTIFICATE_ERROR);
338 ESS_SIGNING_CERT_free(ss);
339 ESS_SIGNING_CERT_V2_free(ssv2);
340 return ret;
341}
342
343static ESS_SIGNING_CERT *
344ESS_get_signing_cert(PKCS7_SIGNER_INFO *si)
345{
346 ASN1_TYPE *attr;
347 const unsigned char *p;
348
349 attr = PKCS7_get_signed_attribute(si,
350 NID_id_smime_aa_signingCertificate);
351 if (!attr)
352 return NULL;
353 if (attr->type != V_ASN1_SEQUENCE)
354 return NULL;
355 p = attr->value.sequence->data;
356 return d2i_ESS_SIGNING_CERT(NULL, &p, attr->value.sequence->length);
357}
358
359static ESS_SIGNING_CERT_V2 *
360ESS_get_signing_cert_v2(PKCS7_SIGNER_INFO *si)
361{
362 ASN1_TYPE *attr;
363 const unsigned char *p;
364
365 attr = PKCS7_get_signed_attribute(si, NID_id_smime_aa_signingCertificateV2);
366 if (attr == NULL)
367 return NULL;
368 p = attr->value.sequence->data;
369 return d2i_ESS_SIGNING_CERT_V2(NULL, &p, attr->value.sequence->length);
370}
371
372/* Returns < 0 if certificate is not found, certificate index otherwise. */
373static int
374TS_find_cert(STACK_OF(ESS_CERT_ID) *cert_ids, X509 *cert)
375{
376 int i;
377 unsigned char cert_hash[TS_HASH_LEN];
378
379 if (!cert_ids || !cert)
380 return -1;
381
382 if (!X509_digest(cert, TS_HASH_EVP, cert_hash, NULL))
383 return -1;
384
385 /* Recompute SHA1 hash of certificate if necessary (side effect). */
386 if (X509_check_purpose(cert, -1, 0) == -1)
387 return -1;
388
389 /* Look for cert in the cert_ids vector. */
390 for (i = 0; i < sk_ESS_CERT_ID_num(cert_ids); ++i) {
391 ESS_CERT_ID *cid = sk_ESS_CERT_ID_value(cert_ids, i);
392
393 /* Check the SHA-1 hash first. */
394 if (cid->hash->length == TS_HASH_LEN && !memcmp(cid->hash->data,
395 cert_hash, TS_HASH_LEN)) {
396 /* Check the issuer/serial as well if specified. */
397 ESS_ISSUER_SERIAL *is = cid->issuer_serial;
398
399 if (is == NULL || TS_issuer_serial_cmp(is, cert) == 0)
400 return i;
401 }
402 }
403
404 return -1;
405}
406
407/* Returns < 0 if certificate is not found, certificate index otherwise. */
408static int
409TS_find_cert_v2(STACK_OF(ESS_CERT_ID_V2) *cert_ids, X509 *cert)
410{
411 int i;
412 unsigned char cert_digest[EVP_MAX_MD_SIZE];
413 unsigned int len;
414
415 /* Look for cert in the cert_ids vector. */
416 for (i = 0; i < sk_ESS_CERT_ID_V2_num(cert_ids); ++i) {
417 ESS_CERT_ID_V2 *cid = sk_ESS_CERT_ID_V2_value(cert_ids, i);
418 const EVP_MD *md = EVP_sha256();
419
420 if (cid->hash_alg != NULL)
421 md = EVP_get_digestbyobj(cid->hash_alg->algorithm);
422 if (md == NULL)
423 return -1;
424
425 if (!X509_digest(cert, md, cert_digest, &len))
426 return -1;
427
428 if ((unsigned int)cid->hash->length != len)
429 return -1;
430
431 if (memcmp(cid->hash->data, cert_digest, cid->hash->length) == 0) {
432 ESS_ISSUER_SERIAL *is = cid->issuer_serial;
433
434 if (is == NULL || TS_issuer_serial_cmp(is, cert) == 0)
435 return i;
436 }
437 }
438
439 return -1;
440}
441
442static int
443TS_issuer_serial_cmp(ESS_ISSUER_SERIAL *is, X509 *cert)
444{
445 GENERAL_NAME *issuer;
446
447 if (is == NULL || cert == NULL || sk_GENERAL_NAME_num(is->issuer) != 1)
448 return -1;
449
450 /* Check the issuer first. It must be a directory name. */
451 issuer = sk_GENERAL_NAME_value(is->issuer, 0);
452 if (issuer->type != GEN_DIRNAME ||
453 X509_NAME_cmp(issuer->d.dirn, X509_get_issuer_name(cert)))
454 return -1;
455
456 /* Check the serial number, too. */
457 if (ASN1_INTEGER_cmp(is->serial, X509_get_serialNumber(cert)))
458 return -1;
459
460 return 0;
461}
462
463/*
464 * Verifies whether 'response' contains a valid response with regards
465 * to the settings of the context:
466 * - Gives an error message if the TS_TST_INFO is not present.
467 * - Calls _TS_RESP_verify_token to verify the token content.
468 */
469int
470TS_RESP_verify_response(TS_VERIFY_CTX *ctx, TS_RESP *response)
471{
472 PKCS7 *token = TS_RESP_get_token(response);
473 TS_TST_INFO *tst_info = TS_RESP_get_tst_info(response);
474 int ret = 0;
475
476 /* Check if we have a successful TS_TST_INFO object in place. */
477 if (!TS_check_status_info(response))
478 goto err;
479
480 /* Check the contents of the time stamp token. */
481 if (!int_TS_RESP_verify_token(ctx, token, tst_info))
482 goto err;
483
484 ret = 1;
485
486err:
487 return ret;
488}
489LCRYPTO_ALIAS(TS_RESP_verify_response);
490
491/*
492 * Tries to extract a TS_TST_INFO structure from the PKCS7 token and
493 * calls the internal int_TS_RESP_verify_token function for verifying it.
494 */
495int
496TS_RESP_verify_token(TS_VERIFY_CTX *ctx, PKCS7 *token)
497{
498 TS_TST_INFO *tst_info = PKCS7_to_TS_TST_INFO(token);
499 int ret = 0;
500
501 if (tst_info) {
502 ret = int_TS_RESP_verify_token(ctx, token, tst_info);
503 TS_TST_INFO_free(tst_info);
504 }
505 return ret;
506}
507LCRYPTO_ALIAS(TS_RESP_verify_token);
508
509/*
510 * Verifies whether the 'token' contains a valid time stamp token
511 * with regards to the settings of the context. Only those checks are
512 * carried out that are specified in the context:
513 * - Verifies the signature of the TS_TST_INFO.
514 * - Checks the version number of the response.
515 * - Check if the requested and returned policies math.
516 * - Check if the message imprints are the same.
517 * - Check if the nonces are the same.
518 * - Check if the TSA name matches the signer.
519 * - Check if the TSA name is the expected TSA.
520 */
521static int
522int_TS_RESP_verify_token(TS_VERIFY_CTX *ctx, PKCS7 *token,
523 TS_TST_INFO *tst_info)
524{
525 X509 *signer = NULL;
526 GENERAL_NAME *tsa_name = TS_TST_INFO_get_tsa(tst_info);
527 X509_ALGOR *md_alg = NULL;
528 unsigned char *imprint = NULL;
529 unsigned imprint_len = 0;
530 int ret = 0;
531
532 /* Verify the signature. */
533 if ((ctx->flags & TS_VFY_SIGNATURE) &&
534 !TS_RESP_verify_signature(token, ctx->certs, ctx->store, &signer))
535 goto err;
536
537 /* Check version number of response. */
538 if ((ctx->flags & TS_VFY_VERSION) &&
539 TS_TST_INFO_get_version(tst_info) != 1) {
540 TSerror(TS_R_UNSUPPORTED_VERSION);
541 goto err;
542 }
543
544 /* Check policies. */
545 if ((ctx->flags & TS_VFY_POLICY) &&
546 !TS_check_policy(ctx->policy, tst_info))
547 goto err;
548
549 /* Check message imprints. */
550 if ((ctx->flags & TS_VFY_IMPRINT) &&
551 !TS_check_imprints(ctx->md_alg, ctx->imprint, ctx->imprint_len,
552 tst_info))
553 goto err;
554
555 /* Compute and check message imprints. */
556 if ((ctx->flags & TS_VFY_DATA) &&
557 (!TS_compute_imprint(ctx->data, tst_info,
558 &md_alg, &imprint, &imprint_len) ||
559 !TS_check_imprints(md_alg, imprint, imprint_len, tst_info)))
560 goto err;
561
562 /* Check nonces. */
563 if ((ctx->flags & TS_VFY_NONCE) &&
564 !TS_check_nonces(ctx->nonce, tst_info))
565 goto err;
566
567 /* Check whether TSA name and signer certificate match. */
568 if ((ctx->flags & TS_VFY_SIGNER) &&
569 tsa_name && !TS_check_signer_name(tsa_name, signer)) {
570 TSerror(TS_R_TSA_NAME_MISMATCH);
571 goto err;
572 }
573
574 /* Check whether the TSA is the expected one. */
575 if ((ctx->flags & TS_VFY_TSA_NAME) &&
576 !TS_check_signer_name(ctx->tsa_name, signer)) {
577 TSerror(TS_R_TSA_UNTRUSTED);
578 goto err;
579 }
580
581 ret = 1;
582
583err:
584 X509_free(signer);
585 X509_ALGOR_free(md_alg);
586 free(imprint);
587 return ret;
588}
589
590static int
591TS_check_status_info(TS_RESP *response)
592{
593 TS_STATUS_INFO *info = TS_RESP_get_status_info(response);
594 long status = ASN1_INTEGER_get(info->status);
595 const char *status_text = NULL;
596 char *embedded_status_text = NULL;
597 char failure_text[TS_STATUS_BUF_SIZE] = "";
598
599 /* Check if everything went fine. */
600 if (status == 0 || status == 1)
601 return 1;
602
603 /* There was an error, get the description in status_text. */
604 if (0 <= status && status < (long)TS_STATUS_TEXT_SIZE)
605 status_text = TS_status_text[status];
606 else
607 status_text = "unknown code";
608
609 /* Set the embedded_status_text to the returned description. */
610 if (sk_ASN1_UTF8STRING_num(info->text) > 0 &&
611 !(embedded_status_text = TS_get_status_text(info->text)))
612 return 0;
613
614 /* Filling in failure_text with the failure information. */
615 if (info->failure_info) {
616 int i;
617 int first = 1;
618 for (i = 0; i < (int)TS_FAILURE_INFO_SIZE; ++i) {
619 if (ASN1_BIT_STRING_get_bit(info->failure_info,
620 TS_failure_info[i].code)) {
621 if (!first)
622 strlcat(failure_text, ",",
623 TS_STATUS_BUF_SIZE);
624 else
625 first = 0;
626 strlcat(failure_text, TS_failure_info[i].text,
627 TS_STATUS_BUF_SIZE);
628 }
629 }
630 }
631 if (failure_text[0] == '\0')
632 strlcpy(failure_text, "unspecified", TS_STATUS_BUF_SIZE);
633
634 /* Making up the error string. */
635 TSerror(TS_R_NO_TIME_STAMP_TOKEN);
636 ERR_asprintf_error_data
637 ("status code: %s, status text: %s, failure codes: %s",
638 status_text,
639 embedded_status_text ? embedded_status_text : "unspecified",
640 failure_text);
641 free(embedded_status_text);
642
643 return 0;
644}
645
646static char *
647TS_get_status_text(STACK_OF(ASN1_UTF8STRING) *text)
648{
649 int i;
650 unsigned int length = 0;
651 char *result = NULL;
652
653 /* Determine length first. */
654 for (i = 0; i < sk_ASN1_UTF8STRING_num(text); ++i) {
655 ASN1_UTF8STRING *current = sk_ASN1_UTF8STRING_value(text, i);
656 length += ASN1_STRING_length(current);
657 length += 1; /* separator character */
658 }
659 /* Allocate memory (closing '\0' included). */
660 if (!(result = malloc(length))) {
661 TSerror(ERR_R_MALLOC_FAILURE);
662 return NULL;
663 }
664 /* Concatenate the descriptions. */
665 result[0] = '\0';
666 for (i = 0; i < sk_ASN1_UTF8STRING_num(text); ++i) {
667 ASN1_UTF8STRING *current = sk_ASN1_UTF8STRING_value(text, i);
668 if (i > 0)
669 strlcat(result, "/", length);
670 strlcat(result, (const char *)ASN1_STRING_data(current), length);
671 }
672 return result;
673}
674
675static int
676TS_check_policy(ASN1_OBJECT *req_oid, TS_TST_INFO *tst_info)
677{
678 ASN1_OBJECT *resp_oid = TS_TST_INFO_get_policy_id(tst_info);
679
680 if (OBJ_cmp(req_oid, resp_oid) != 0) {
681 TSerror(TS_R_POLICY_MISMATCH);
682 return 0;
683 }
684
685 return 1;
686}
687
688static int
689TS_compute_imprint(BIO *data, TS_TST_INFO *tst_info, X509_ALGOR **out_md_alg,
690 unsigned char **out_imprint, unsigned int *out_imprint_len)
691{
692 TS_MSG_IMPRINT *msg_imprint;
693 X509_ALGOR *md_alg_resp;
694 X509_ALGOR *md_alg = NULL;
695 unsigned char *imprint = NULL;
696 unsigned int imprint_len = 0;
697 const EVP_MD *md;
698 EVP_MD_CTX md_ctx;
699 unsigned char buffer[4096];
700 int length;
701
702 *out_md_alg = NULL;
703 *out_imprint = NULL;
704 *out_imprint_len = 0;
705
706 /* Retrieve the MD algorithm of the response. */
707 msg_imprint = TS_TST_INFO_get_msg_imprint(tst_info);
708 md_alg_resp = TS_MSG_IMPRINT_get_algo(msg_imprint);
709 if ((md_alg = X509_ALGOR_dup(md_alg_resp)) == NULL)
710 goto err;
711
712 /* Getting the MD object. */
713 if ((md = EVP_get_digestbyobj((md_alg)->algorithm)) == NULL) {
714 TSerror(TS_R_UNSUPPORTED_MD_ALGORITHM);
715 goto err;
716 }
717
718 /* Compute message digest. */
719 if ((length = EVP_MD_size(md)) < 0)
720 goto err;
721 imprint_len = length;
722 if ((imprint = malloc(imprint_len)) == NULL) {
723 TSerror(ERR_R_MALLOC_FAILURE);
724 goto err;
725 }
726
727 if (!EVP_DigestInit(&md_ctx, md))
728 goto err;
729 while ((length = BIO_read(data, buffer, sizeof(buffer))) > 0) {
730 if (!EVP_DigestUpdate(&md_ctx, buffer, length))
731 goto err;
732 }
733 if (!EVP_DigestFinal(&md_ctx, imprint, NULL))
734 goto err;
735
736 *out_md_alg = md_alg;
737 md_alg = NULL;
738 *out_imprint = imprint;
739 imprint = NULL;
740 *out_imprint_len = imprint_len;
741
742 return 1;
743
744err:
745 X509_ALGOR_free(md_alg);
746 free(imprint);
747 return 0;
748}
749
750static int
751TS_check_imprints(X509_ALGOR *algor_a, unsigned char *imprint_a, unsigned len_a,
752 TS_TST_INFO *tst_info)
753{
754 TS_MSG_IMPRINT *b = TS_TST_INFO_get_msg_imprint(tst_info);
755 X509_ALGOR *algor_b = TS_MSG_IMPRINT_get_algo(b);
756 int ret = 0;
757
758 /* algor_a is optional. */
759 if (algor_a) {
760 /* Compare algorithm OIDs. */
761 if (OBJ_cmp(algor_a->algorithm, algor_b->algorithm))
762 goto err;
763
764 /* The parameter must be NULL in both. */
765 if ((algor_a->parameter &&
766 ASN1_TYPE_get(algor_a->parameter) != V_ASN1_NULL) ||
767 (algor_b->parameter &&
768 ASN1_TYPE_get(algor_b->parameter) != V_ASN1_NULL))
769 goto err;
770 }
771
772 /* Compare octet strings. */
773 ret = len_a == (unsigned) ASN1_STRING_length(b->hashed_msg) &&
774 memcmp(imprint_a, ASN1_STRING_data(b->hashed_msg), len_a) == 0;
775
776err:
777 if (!ret)
778 TSerror(TS_R_MESSAGE_IMPRINT_MISMATCH);
779 return ret;
780}
781
782static int
783TS_check_nonces(const ASN1_INTEGER *a, TS_TST_INFO *tst_info)
784{
785 const ASN1_INTEGER *b = TS_TST_INFO_get_nonce(tst_info);
786
787 /* Error if nonce is missing. */
788 if (!b) {
789 TSerror(TS_R_NONCE_NOT_RETURNED);
790 return 0;
791 }
792
793 /* No error if a nonce is returned without being requested. */
794 if (ASN1_INTEGER_cmp(a, b) != 0) {
795 TSerror(TS_R_NONCE_MISMATCH);
796 return 0;
797 }
798
799 return 1;
800}
801
802/* Check if the specified TSA name matches either the subject
803 or one of the subject alternative names of the TSA certificate. */
804static int
805TS_check_signer_name(GENERAL_NAME *tsa_name, X509 *signer)
806{
807 STACK_OF(GENERAL_NAME) *gen_names = NULL;
808 int idx = -1;
809 int found = 0;
810
811 if (signer == NULL)
812 return 0;
813
814 /* Check the subject name first. */
815 if (tsa_name->type == GEN_DIRNAME &&
816 X509_name_cmp(tsa_name->d.dirn, X509_get_subject_name(signer)) == 0)
817 return 1;
818
819 /* Check all the alternative names. */
820 gen_names = X509_get_ext_d2i(signer, NID_subject_alt_name,
821 NULL, &idx);
822 while (gen_names != NULL &&
823 !(found = (TS_find_name(gen_names, tsa_name) >= 0))) {
824 /* Get the next subject alternative name,
825 although there should be no more than one. */
826 GENERAL_NAMES_free(gen_names);
827 gen_names = X509_get_ext_d2i(signer, NID_subject_alt_name,
828 NULL, &idx);
829 }
830 if (gen_names)
831 GENERAL_NAMES_free(gen_names);
832
833 return found;
834}
835
836/* Returns 1 if name is in gen_names, 0 otherwise. */
837static int
838TS_find_name(STACK_OF(GENERAL_NAME) *gen_names, GENERAL_NAME *name)
839{
840 int i, found;
841 for (i = 0, found = 0; !found && i < sk_GENERAL_NAME_num(gen_names);
842 ++i) {
843 GENERAL_NAME *current = sk_GENERAL_NAME_value(gen_names, i);
844 found = GENERAL_NAME_cmp(current, name) == 0;
845 }
846 return found ? i - 1 : -1;
847}
diff --git a/src/lib/libcrypto/ts/ts_verify_ctx.c b/src/lib/libcrypto/ts/ts_verify_ctx.c
deleted file mode 100644
index 5a2d95c680..0000000000
--- a/src/lib/libcrypto/ts/ts_verify_ctx.c
+++ /dev/null
@@ -1,236 +0,0 @@
1/* $OpenBSD: ts_verify_ctx.c,v 1.14 2023/07/07 07:25:21 beck Exp $ */
2/* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
3 * project 2003.
4 */
5/* ====================================================================
6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <string.h>
60
61#include <openssl/err.h>
62#include <openssl/objects.h>
63#include <openssl/ts.h>
64
65#include "ts_local.h"
66
67TS_VERIFY_CTX *
68TS_VERIFY_CTX_new(void)
69{
70 TS_VERIFY_CTX *ctx = calloc(1, sizeof(TS_VERIFY_CTX));
71
72 if (!ctx)
73 TSerror(ERR_R_MALLOC_FAILURE);
74
75 return ctx;
76}
77LCRYPTO_ALIAS(TS_VERIFY_CTX_new);
78
79void
80TS_VERIFY_CTX_free(TS_VERIFY_CTX *ctx)
81{
82 if (!ctx)
83 return;
84
85 TS_VERIFY_CTX_cleanup(ctx);
86 free(ctx);
87}
88LCRYPTO_ALIAS(TS_VERIFY_CTX_free);
89
90void
91TS_VERIFY_CTX_cleanup(TS_VERIFY_CTX *ctx)
92{
93 if (!ctx)
94 return;
95
96 X509_STORE_free(ctx->store);
97 sk_X509_pop_free(ctx->certs, X509_free);
98
99 ASN1_OBJECT_free(ctx->policy);
100
101 X509_ALGOR_free(ctx->md_alg);
102 free(ctx->imprint);
103
104 BIO_free_all(ctx->data);
105
106 ASN1_INTEGER_free(ctx->nonce);
107
108 GENERAL_NAME_free(ctx->tsa_name);
109
110 memset(ctx, 0, sizeof(*ctx));
111}
112LCRYPTO_ALIAS(TS_VERIFY_CTX_cleanup);
113
114/*
115 * XXX: The following accessors demonstrate the amount of care and thought that
116 * went into OpenSSL 1.1 API design and the review thereof: for whatever reason
117 * these functions return what was passed in. Correct memory management is left
118 * as an exercise for the reader... Unfortunately, careful consumers like
119 * openssl-ruby assume this behavior, so we're stuck with this insanity. The
120 * cherry on top is the TS_VERIFY_CTS_set_certs() [sic!] function that made it
121 * into the public API.
122 *
123 * Outstanding job, R$ and tjh, A+.
124 */
125
126int
127TS_VERIFY_CTX_add_flags(TS_VERIFY_CTX *ctx, int flags)
128{
129 ctx->flags |= flags;
130
131 return ctx->flags;
132}
133LCRYPTO_ALIAS(TS_VERIFY_CTX_add_flags);
134
135int
136TS_VERIFY_CTX_set_flags(TS_VERIFY_CTX *ctx, int flags)
137{
138 ctx->flags = flags;
139
140 return ctx->flags;
141}
142LCRYPTO_ALIAS(TS_VERIFY_CTX_set_flags);
143
144BIO *
145TS_VERIFY_CTX_set_data(TS_VERIFY_CTX *ctx, BIO *bio)
146{
147 ctx->data = bio;
148
149 return ctx->data;
150}
151LCRYPTO_ALIAS(TS_VERIFY_CTX_set_data);
152
153X509_STORE *
154TS_VERIFY_CTX_set_store(TS_VERIFY_CTX *ctx, X509_STORE *store)
155{
156 ctx->store = store;
157
158 return ctx->store;
159}
160LCRYPTO_ALIAS(TS_VERIFY_CTX_set_store);
161
162STACK_OF(X509) *
163TS_VERIFY_CTX_set_certs(TS_VERIFY_CTX *ctx, STACK_OF(X509) *certs)
164{
165 ctx->certs = certs;
166
167 return ctx->certs;
168}
169LCRYPTO_ALIAS(TS_VERIFY_CTX_set_certs);
170
171unsigned char *
172TS_VERIFY_CTX_set_imprint(TS_VERIFY_CTX *ctx, unsigned char *imprint,
173 long imprint_len)
174{
175 free(ctx->imprint);
176
177 ctx->imprint = imprint;
178 ctx->imprint_len = imprint_len;
179
180 return ctx->imprint;
181}
182LCRYPTO_ALIAS(TS_VERIFY_CTX_set_imprint);
183
184TS_VERIFY_CTX *
185TS_REQ_to_TS_VERIFY_CTX(TS_REQ *req, TS_VERIFY_CTX *ctx)
186{
187 TS_VERIFY_CTX *ret = ctx;
188 ASN1_OBJECT *policy;
189 TS_MSG_IMPRINT *imprint;
190 X509_ALGOR *md_alg;
191 ASN1_OCTET_STRING *msg;
192 const ASN1_INTEGER *nonce;
193
194 if (ret)
195 TS_VERIFY_CTX_cleanup(ret);
196 else if (!(ret = TS_VERIFY_CTX_new()))
197 return NULL;
198
199 /* Setting flags. */
200 ret->flags = TS_VFY_ALL_IMPRINT & ~(TS_VFY_TSA_NAME | TS_VFY_SIGNATURE);
201
202 /* Setting policy. */
203 if ((policy = TS_REQ_get_policy_id(req)) != NULL) {
204 if (!(ret->policy = OBJ_dup(policy)))
205 goto err;
206 } else
207 ret->flags &= ~TS_VFY_POLICY;
208
209 /* Setting md_alg, imprint and imprint_len. */
210 imprint = TS_REQ_get_msg_imprint(req);
211 md_alg = TS_MSG_IMPRINT_get_algo(imprint);
212 if (!(ret->md_alg = X509_ALGOR_dup(md_alg)))
213 goto err;
214 msg = TS_MSG_IMPRINT_get_msg(imprint);
215 ret->imprint_len = ASN1_STRING_length(msg);
216 if (!(ret->imprint = malloc(ret->imprint_len)))
217 goto err;
218 memcpy(ret->imprint, ASN1_STRING_data(msg), ret->imprint_len);
219
220 /* Setting nonce. */
221 if ((nonce = TS_REQ_get_nonce(req)) != NULL) {
222 if (!(ret->nonce = ASN1_INTEGER_dup(nonce)))
223 goto err;
224 } else
225 ret->flags &= ~TS_VFY_NONCE;
226
227 return ret;
228
229err:
230 if (ctx)
231 TS_VERIFY_CTX_cleanup(ctx);
232 else
233 TS_VERIFY_CTX_free(ret);
234 return NULL;
235}
236LCRYPTO_ALIAS(TS_REQ_to_TS_VERIFY_CTX);
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-05-06 22:50:34 +0000