summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/ocsp
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libcrypto/ocsp')
-rw-r--r--src/lib/libcrypto/ocsp/ocsp.h619
-rw-r--r--src/lib/libcrypto/ocsp/ocsp_asn.c182
-rw-r--r--src/lib/libcrypto/ocsp/ocsp_cl.c370
-rw-r--r--src/lib/libcrypto/ocsp/ocsp_err.c139
-rw-r--r--src/lib/libcrypto/ocsp/ocsp_ext.c528
-rw-r--r--src/lib/libcrypto/ocsp/ocsp_ht.c173
-rw-r--r--src/lib/libcrypto/ocsp/ocsp_lib.c261
-rw-r--r--src/lib/libcrypto/ocsp/ocsp_prn.c291
-rw-r--r--src/lib/libcrypto/ocsp/ocsp_srv.c264
-rw-r--r--src/lib/libcrypto/ocsp/ocsp_vfy.c444
10 files changed, 0 insertions, 3271 deletions
diff --git a/src/lib/libcrypto/ocsp/ocsp.h b/src/lib/libcrypto/ocsp/ocsp.h
deleted file mode 100644
index fab3c03182..0000000000
--- a/src/lib/libcrypto/ocsp/ocsp.h
+++ /dev/null
@@ -1,619 +0,0 @@
1/* ocsp.h */
2/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
3 * project. */
4
5/* History:
6 This file was transfered to Richard Levitte from CertCo by Kathy
7 Weinhold in mid-spring 2000 to be included in OpenSSL or released
8 as a patch kit. */
9
10/* ====================================================================
11 * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
12 *
13 * Redistribution and use in source and binary forms, with or without
14 * modification, are permitted provided that the following conditions
15 * are met:
16 *
17 * 1. Redistributions of source code must retain the above copyright
18 * notice, this list of conditions and the following disclaimer.
19 *
20 * 2. Redistributions in binary form must reproduce the above copyright
21 * notice, this list of conditions and the following disclaimer in
22 * the documentation and/or other materials provided with the
23 * distribution.
24 *
25 * 3. All advertising materials mentioning features or use of this
26 * software must display the following acknowledgment:
27 * "This product includes software developed by the OpenSSL Project
28 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
29 *
30 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
31 * endorse or promote products derived from this software without
32 * prior written permission. For written permission, please contact
33 * openssl-core@openssl.org.
34 *
35 * 5. Products derived from this software may not be called "OpenSSL"
36 * nor may "OpenSSL" appear in their names without prior written
37 * permission of the OpenSSL Project.
38 *
39 * 6. Redistributions of any form whatsoever must retain the following
40 * acknowledgment:
41 * "This product includes software developed by the OpenSSL Project
42 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
43 *
44 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
45 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
46 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
47 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
48 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
49 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
50 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
51 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
52 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
53 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
54 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
55 * OF THE POSSIBILITY OF SUCH DAMAGE.
56 * ====================================================================
57 *
58 * This product includes cryptographic software written by Eric Young
59 * (eay@cryptsoft.com). This product includes software written by Tim
60 * Hudson (tjh@cryptsoft.com).
61 *
62 */
63
64#ifndef HEADER_OCSP_H
65#define HEADER_OCSP_H
66
67#include <openssl/x509.h>
68#include <openssl/x509v3.h>
69#include <openssl/safestack.h>
70
71#ifdef __cplusplus
72extern "C" {
73#endif
74
75/* Various flags and values */
76
77#define OCSP_DEFAULT_NONCE_LENGTH 16
78
79#define OCSP_NOCERTS 0x1
80#define OCSP_NOINTERN 0x2
81#define OCSP_NOSIGS 0x4
82#define OCSP_NOCHAIN 0x8
83#define OCSP_NOVERIFY 0x10
84#define OCSP_NOEXPLICIT 0x20
85#define OCSP_NOCASIGN 0x40
86#define OCSP_NODELEGATED 0x80
87#define OCSP_NOCHECKS 0x100
88#define OCSP_TRUSTOTHER 0x200
89#define OCSP_RESPID_KEY 0x400
90#define OCSP_NOTIME 0x800
91
92/* CertID ::= SEQUENCE {
93 * hashAlgorithm AlgorithmIdentifier,
94 * issuerNameHash OCTET STRING, -- Hash of Issuer's DN
95 * issuerKeyHash OCTET STRING, -- Hash of Issuers public key (excluding the tag & length fields)
96 * serialNumber CertificateSerialNumber }
97 */
98typedef struct ocsp_cert_id_st
99 {
100 X509_ALGOR *hashAlgorithm;
101 ASN1_OCTET_STRING *issuerNameHash;
102 ASN1_OCTET_STRING *issuerKeyHash;
103 ASN1_INTEGER *serialNumber;
104 } OCSP_CERTID;
105
106DECLARE_STACK_OF(OCSP_CERTID)
107
108/* Request ::= SEQUENCE {
109 * reqCert CertID,
110 * singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL }
111 */
112typedef struct ocsp_one_request_st
113 {
114 OCSP_CERTID *reqCert;
115 STACK_OF(X509_EXTENSION) *singleRequestExtensions;
116 } OCSP_ONEREQ;
117
118DECLARE_STACK_OF(OCSP_ONEREQ)
119DECLARE_ASN1_SET_OF(OCSP_ONEREQ)
120
121
122/* TBSRequest ::= SEQUENCE {
123 * version [0] EXPLICIT Version DEFAULT v1,
124 * requestorName [1] EXPLICIT GeneralName OPTIONAL,
125 * requestList SEQUENCE OF Request,
126 * requestExtensions [2] EXPLICIT Extensions OPTIONAL }
127 */
128typedef struct ocsp_req_info_st
129 {
130 ASN1_INTEGER *version;
131 GENERAL_NAME *requestorName;
132 STACK_OF(OCSP_ONEREQ) *requestList;
133 STACK_OF(X509_EXTENSION) *requestExtensions;
134 } OCSP_REQINFO;
135
136/* Signature ::= SEQUENCE {
137 * signatureAlgorithm AlgorithmIdentifier,
138 * signature BIT STRING,
139 * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
140 */
141typedef struct ocsp_signature_st
142 {
143 X509_ALGOR *signatureAlgorithm;
144 ASN1_BIT_STRING *signature;
145 STACK_OF(X509) *certs;
146 } OCSP_SIGNATURE;
147
148/* OCSPRequest ::= SEQUENCE {
149 * tbsRequest TBSRequest,
150 * optionalSignature [0] EXPLICIT Signature OPTIONAL }
151 */
152typedef struct ocsp_request_st
153 {
154 OCSP_REQINFO *tbsRequest;
155 OCSP_SIGNATURE *optionalSignature; /* OPTIONAL */
156 } OCSP_REQUEST;
157
158/* OCSPResponseStatus ::= ENUMERATED {
159 * successful (0), --Response has valid confirmations
160 * malformedRequest (1), --Illegal confirmation request
161 * internalError (2), --Internal error in issuer
162 * tryLater (3), --Try again later
163 * --(4) is not used
164 * sigRequired (5), --Must sign the request
165 * unauthorized (6) --Request unauthorized
166 * }
167 */
168#define OCSP_RESPONSE_STATUS_SUCCESSFUL 0
169#define OCSP_RESPONSE_STATUS_MALFORMEDREQUEST 1
170#define OCSP_RESPONSE_STATUS_INTERNALERROR 2
171#define OCSP_RESPONSE_STATUS_TRYLATER 3
172#define OCSP_RESPONSE_STATUS_SIGREQUIRED 5
173#define OCSP_RESPONSE_STATUS_UNAUTHORIZED 6
174
175/* ResponseBytes ::= SEQUENCE {
176 * responseType OBJECT IDENTIFIER,
177 * response OCTET STRING }
178 */
179typedef struct ocsp_resp_bytes_st
180 {
181 ASN1_OBJECT *responseType;
182 ASN1_OCTET_STRING *response;
183 } OCSP_RESPBYTES;
184
185/* OCSPResponse ::= SEQUENCE {
186 * responseStatus OCSPResponseStatus,
187 * responseBytes [0] EXPLICIT ResponseBytes OPTIONAL }
188 */
189typedef struct ocsp_response_st
190 {
191 ASN1_ENUMERATED *responseStatus;
192 OCSP_RESPBYTES *responseBytes;
193 } OCSP_RESPONSE;
194
195/* ResponderID ::= CHOICE {
196 * byName [1] Name,
197 * byKey [2] KeyHash }
198 */
199#define V_OCSP_RESPID_NAME 0
200#define V_OCSP_RESPID_KEY 1
201typedef struct ocsp_responder_id_st
202 {
203 int type;
204 union {
205 X509_NAME* byName;
206 ASN1_OCTET_STRING *byKey;
207 } value;
208 } OCSP_RESPID;
209/* KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key
210 * --(excluding the tag and length fields)
211 */
212
213/* RevokedInfo ::= SEQUENCE {
214 * revocationTime GeneralizedTime,
215 * revocationReason [0] EXPLICIT CRLReason OPTIONAL }
216 */
217typedef struct ocsp_revoked_info_st
218 {
219 ASN1_GENERALIZEDTIME *revocationTime;
220 ASN1_ENUMERATED *revocationReason;
221 } OCSP_REVOKEDINFO;
222
223/* CertStatus ::= CHOICE {
224 * good [0] IMPLICIT NULL,
225 * revoked [1] IMPLICIT RevokedInfo,
226 * unknown [2] IMPLICIT UnknownInfo }
227 */
228#define V_OCSP_CERTSTATUS_GOOD 0
229#define V_OCSP_CERTSTATUS_REVOKED 1
230#define V_OCSP_CERTSTATUS_UNKNOWN 2
231typedef struct ocsp_cert_status_st
232 {
233 int type;
234 union {
235 ASN1_NULL *good;
236 OCSP_REVOKEDINFO *revoked;
237 ASN1_NULL *unknown;
238 } value;
239 } OCSP_CERTSTATUS;
240
241/* SingleResponse ::= SEQUENCE {
242 * certID CertID,
243 * certStatus CertStatus,
244 * thisUpdate GeneralizedTime,
245 * nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL,
246 * singleExtensions [1] EXPLICIT Extensions OPTIONAL }
247 */
248typedef struct ocsp_single_response_st
249 {
250 OCSP_CERTID *certId;
251 OCSP_CERTSTATUS *certStatus;
252 ASN1_GENERALIZEDTIME *thisUpdate;
253 ASN1_GENERALIZEDTIME *nextUpdate;
254 STACK_OF(X509_EXTENSION) *singleExtensions;
255 } OCSP_SINGLERESP;
256
257DECLARE_STACK_OF(OCSP_SINGLERESP)
258DECLARE_ASN1_SET_OF(OCSP_SINGLERESP)
259
260/* ResponseData ::= SEQUENCE {
261 * version [0] EXPLICIT Version DEFAULT v1,
262 * responderID ResponderID,
263 * producedAt GeneralizedTime,
264 * responses SEQUENCE OF SingleResponse,
265 * responseExtensions [1] EXPLICIT Extensions OPTIONAL }
266 */
267typedef struct ocsp_response_data_st
268 {
269 ASN1_INTEGER *version;
270 OCSP_RESPID *responderId;
271 ASN1_GENERALIZEDTIME *producedAt;
272 STACK_OF(OCSP_SINGLERESP) *responses;
273 STACK_OF(X509_EXTENSION) *responseExtensions;
274 } OCSP_RESPDATA;
275
276/* BasicOCSPResponse ::= SEQUENCE {
277 * tbsResponseData ResponseData,
278 * signatureAlgorithm AlgorithmIdentifier,
279 * signature BIT STRING,
280 * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
281 */
282 /* Note 1:
283 The value for "signature" is specified in the OCSP rfc2560 as follows:
284 "The value for the signature SHALL be computed on the hash of the DER
285 encoding ResponseData." This means that you must hash the DER-encoded
286 tbsResponseData, and then run it through a crypto-signing function, which
287 will (at least w/RSA) do a hash-'n'-private-encrypt operation. This seems
288 a bit odd, but that's the spec. Also note that the data structures do not
289 leave anywhere to independently specify the algorithm used for the initial
290 hash. So, we look at the signature-specification algorithm, and try to do
291 something intelligent. -- Kathy Weinhold, CertCo */
292 /* Note 2:
293 It seems that the mentioned passage from RFC 2560 (section 4.2.1) is open
294 for interpretation. I've done tests against another responder, and found
295 that it doesn't do the double hashing that the RFC seems to say one
296 should. Therefore, all relevant functions take a flag saying which
297 variant should be used. -- Richard Levitte, OpenSSL team and CeloCom */
298typedef struct ocsp_basic_response_st
299 {
300 OCSP_RESPDATA *tbsResponseData;
301 X509_ALGOR *signatureAlgorithm;
302 ASN1_BIT_STRING *signature;
303 STACK_OF(X509) *certs;
304 } OCSP_BASICRESP;
305
306/*
307 * CRLReason ::= ENUMERATED {
308 * unspecified (0),
309 * keyCompromise (1),
310 * cACompromise (2),
311 * affiliationChanged (3),
312 * superseded (4),
313 * cessationOfOperation (5),
314 * certificateHold (6),
315 * removeFromCRL (8) }
316 */
317#define OCSP_REVOKED_STATUS_NOSTATUS -1
318#define OCSP_REVOKED_STATUS_UNSPECIFIED 0
319#define OCSP_REVOKED_STATUS_KEYCOMPROMISE 1
320#define OCSP_REVOKED_STATUS_CACOMPROMISE 2
321#define OCSP_REVOKED_STATUS_AFFILIATIONCHANGED 3
322#define OCSP_REVOKED_STATUS_SUPERSEDED 4
323#define OCSP_REVOKED_STATUS_CESSATIONOFOPERATION 5
324#define OCSP_REVOKED_STATUS_CERTIFICATEHOLD 6
325#define OCSP_REVOKED_STATUS_REMOVEFROMCRL 8
326
327/* CrlID ::= SEQUENCE {
328 * crlUrl [0] EXPLICIT IA5String OPTIONAL,
329 * crlNum [1] EXPLICIT INTEGER OPTIONAL,
330 * crlTime [2] EXPLICIT GeneralizedTime OPTIONAL }
331 */
332typedef struct ocsp_crl_id_st
333 {
334 ASN1_IA5STRING *crlUrl;
335 ASN1_INTEGER *crlNum;
336 ASN1_GENERALIZEDTIME *crlTime;
337 } OCSP_CRLID;
338
339/* ServiceLocator ::= SEQUENCE {
340 * issuer Name,
341 * locator AuthorityInfoAccessSyntax OPTIONAL }
342 */
343typedef struct ocsp_service_locator_st
344 {
345 X509_NAME* issuer;
346 STACK_OF(ACCESS_DESCRIPTION) *locator;
347 } OCSP_SERVICELOC;
348
349#define PEM_STRING_OCSP_REQUEST "OCSP REQUEST"
350#define PEM_STRING_OCSP_RESPONSE "OCSP RESPONSE"
351
352#define d2i_OCSP_REQUEST_bio(bp,p) (OCSP_REQUEST*)ASN1_d2i_bio((char*(*)()) \
353 OCSP_REQUEST_new,(char *(*)())d2i_OCSP_REQUEST, (bp),\
354 (unsigned char **)(p))
355
356#define d2i_OCSP_RESPONSE_bio(bp,p) (OCSP_RESPONSE*)ASN1_d2i_bio((char*(*)())\
357 OCSP_REQUEST_new,(char *(*)())d2i_OCSP_RESPONSE, (bp),\
358 (unsigned char **)(p))
359
360#define PEM_read_bio_OCSP_REQUEST(bp,x,cb) (OCSP_REQUEST *)PEM_ASN1_read_bio( \
361 (char *(*)())d2i_OCSP_REQUEST,PEM_STRING_OCSP_REQUEST,bp,(char **)x,cb,NULL)
362
363#define PEM_read_bio_OCSP_RESPONSE(bp,x,cb)(OCSP_RESPONSE *)PEM_ASN1_read_bio(\
364 (char *(*)())d2i_OCSP_RESPONSE,PEM_STRING_OCSP_RESPONSE,bp,(char **)x,cb,NULL)
365
366#define PEM_write_bio_OCSP_REQUEST(bp,o) \
367 PEM_ASN1_write_bio((int (*)())i2d_OCSP_REQUEST,PEM_STRING_OCSP_REQUEST,\
368 bp,(char *)o, NULL,NULL,0,NULL,NULL)
369
370#define PEM_write_bio_OCSP_RESPONSE(bp,o) \
371 PEM_ASN1_write_bio((int (*)())i2d_OCSP_RESPONSE,PEM_STRING_OCSP_RESPONSE,\
372 bp,(char *)o, NULL,NULL,0,NULL,NULL)
373
374#define i2d_OCSP_RESPONSE_bio(bp,o) ASN1_i2d_bio(i2d_OCSP_RESPONSE,bp,\
375 (unsigned char *)o)
376
377#define i2d_OCSP_REQUEST_bio(bp,o) ASN1_i2d_bio(i2d_OCSP_REQUEST,bp,\
378 (unsigned char *)o)
379
380#define OCSP_REQUEST_sign(o,pkey,md) \
381 ASN1_item_sign(ASN1_ITEM_rptr(OCSP_REQINFO),\
382 o->optionalSignature->signatureAlgorithm,NULL,\
383 o->optionalSignature->signature,o->tbsRequest,pkey,md)
384
385#define OCSP_BASICRESP_sign(o,pkey,md,d) \
386 ASN1_item_sign(ASN1_ITEM_rptr(OCSP_RESPDATA),o->signatureAlgorithm,NULL,\
387 o->signature,o->tbsResponseData,pkey,md)
388
389#define OCSP_REQUEST_verify(a,r) ASN1_item_verify(ASN1_ITEM_rptr(OCSP_REQINFO),\
390 a->optionalSignature->signatureAlgorithm,\
391 a->optionalSignature->signature,a->tbsRequest,r)
392
393#define OCSP_BASICRESP_verify(a,r,d) ASN1_item_verify(ASN1_ITEM_rptr(OCSP_RESPDATA),\
394 a->signatureAlgorithm,a->signature,a->tbsResponseData,r)
395
396#define ASN1_BIT_STRING_digest(data,type,md,len) \
397 ASN1_item_digest(ASN1_ITEM_rptr(ASN1_BIT_STRING),type,data,md,len)
398
399#define OCSP_CERTID_dup(cid) (OCSP_CERTID*)ASN1_dup((int(*)())i2d_OCSP_CERTID,\
400 (char *(*)())d2i_OCSP_CERTID,(char *)(cid))
401
402#define OCSP_CERTSTATUS_dup(cs)\
403 (OCSP_CERTSTATUS*)ASN1_dup((int(*)())i2d_OCSP_CERTSTATUS,\
404 (char *(*)())d2i_OCSP_CERTSTATUS,(char *)(cs))
405
406OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, char *path, OCSP_REQUEST *req);
407
408OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *dgst, X509 *subject, X509 *issuer);
409
410OCSP_CERTID *OCSP_cert_id_new(const EVP_MD *dgst,
411 X509_NAME *issuerName,
412 ASN1_BIT_STRING* issuerKey,
413 ASN1_INTEGER *serialNumber);
414
415OCSP_ONEREQ *OCSP_request_add0_id(OCSP_REQUEST *req, OCSP_CERTID *cid);
416
417int OCSP_request_add1_nonce(OCSP_REQUEST *req, unsigned char *val, int len);
418int OCSP_basic_add1_nonce(OCSP_BASICRESP *resp, unsigned char *val, int len);
419int OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *bs);
420int OCSP_copy_nonce(OCSP_BASICRESP *resp, OCSP_REQUEST *req);
421
422int OCSP_request_set1_name(OCSP_REQUEST *req, X509_NAME *nm);
423int OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert);
424
425int OCSP_request_sign(OCSP_REQUEST *req,
426 X509 *signer,
427 EVP_PKEY *key,
428 const EVP_MD *dgst,
429 STACK_OF(X509) *certs,
430 unsigned long flags);
431
432int OCSP_response_status(OCSP_RESPONSE *resp);
433OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp);
434
435int OCSP_resp_count(OCSP_BASICRESP *bs);
436OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx);
437int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last);
438int OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason,
439 ASN1_GENERALIZEDTIME **revtime,
440 ASN1_GENERALIZEDTIME **thisupd,
441 ASN1_GENERALIZEDTIME **nextupd);
442int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
443 int *reason,
444 ASN1_GENERALIZEDTIME **revtime,
445 ASN1_GENERALIZEDTIME **thisupd,
446 ASN1_GENERALIZEDTIME **nextupd);
447int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
448 ASN1_GENERALIZEDTIME *nextupd,
449 long sec, long maxsec);
450
451int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs, X509_STORE *store, unsigned long flags);
452
453int OCSP_parse_url(char *url, char **phost, char **pport, char **ppath, int *pssl);
454
455int OCSP_id_issuer_cmp(OCSP_CERTID *a, OCSP_CERTID *b);
456int OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b);
457
458int OCSP_request_onereq_count(OCSP_REQUEST *req);
459OCSP_ONEREQ *OCSP_request_onereq_get0(OCSP_REQUEST *req, int i);
460OCSP_CERTID *OCSP_onereq_get0_id(OCSP_ONEREQ *one);
461int OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd,
462 ASN1_OCTET_STRING **pikeyHash,
463 ASN1_INTEGER **pserial, OCSP_CERTID *cid);
464int OCSP_request_is_signed(OCSP_REQUEST *req);
465OCSP_RESPONSE *OCSP_response_create(int status, OCSP_BASICRESP *bs);
466OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp,
467 OCSP_CERTID *cid,
468 int status, int reason,
469 ASN1_TIME *revtime,
470 ASN1_TIME *thisupd, ASN1_TIME *nextupd);
471int OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert);
472int OCSP_basic_sign(OCSP_BASICRESP *brsp,
473 X509 *signer, EVP_PKEY *key, const EVP_MD *dgst,
474 STACK_OF(X509) *certs, unsigned long flags);
475
476ASN1_STRING *ASN1_STRING_encode(ASN1_STRING *s, int (*i2d)(),
477 char *data, STACK_OF(ASN1_OBJECT) *sk);
478
479X509_EXTENSION *OCSP_crlID_new(char *url, long *n, char *tim);
480
481X509_EXTENSION *OCSP_accept_responses_new(char **oids);
482
483X509_EXTENSION *OCSP_archive_cutoff_new(char* tim);
484
485X509_EXTENSION *OCSP_url_svcloc_new(X509_NAME* issuer, char **urls);
486
487int OCSP_REQUEST_get_ext_count(OCSP_REQUEST *x);
488int OCSP_REQUEST_get_ext_by_NID(OCSP_REQUEST *x, int nid, int lastpos);
489int OCSP_REQUEST_get_ext_by_OBJ(OCSP_REQUEST *x, ASN1_OBJECT *obj, int lastpos);
490int OCSP_REQUEST_get_ext_by_critical(OCSP_REQUEST *x, int crit, int lastpos);
491X509_EXTENSION *OCSP_REQUEST_get_ext(OCSP_REQUEST *x, int loc);
492X509_EXTENSION *OCSP_REQUEST_delete_ext(OCSP_REQUEST *x, int loc);
493void *OCSP_REQUEST_get1_ext_d2i(OCSP_REQUEST *x, int nid, int *crit, int *idx);
494int OCSP_REQUEST_add1_ext_i2d(OCSP_REQUEST *x, int nid, void *value, int crit,
495 unsigned long flags);
496int OCSP_REQUEST_add_ext(OCSP_REQUEST *x, X509_EXTENSION *ex, int loc);
497
498int OCSP_ONEREQ_get_ext_count(OCSP_ONEREQ *x);
499int OCSP_ONEREQ_get_ext_by_NID(OCSP_ONEREQ *x, int nid, int lastpos);
500int OCSP_ONEREQ_get_ext_by_OBJ(OCSP_ONEREQ *x, ASN1_OBJECT *obj, int lastpos);
501int OCSP_ONEREQ_get_ext_by_critical(OCSP_ONEREQ *x, int crit, int lastpos);
502X509_EXTENSION *OCSP_ONEREQ_get_ext(OCSP_ONEREQ *x, int loc);
503X509_EXTENSION *OCSP_ONEREQ_delete_ext(OCSP_ONEREQ *x, int loc);
504void *OCSP_ONEREQ_get1_ext_d2i(OCSP_ONEREQ *x, int nid, int *crit, int *idx);
505int OCSP_ONEREQ_add1_ext_i2d(OCSP_ONEREQ *x, int nid, void *value, int crit,
506 unsigned long flags);
507int OCSP_ONEREQ_add_ext(OCSP_ONEREQ *x, X509_EXTENSION *ex, int loc);
508
509int OCSP_BASICRESP_get_ext_count(OCSP_BASICRESP *x);
510int OCSP_BASICRESP_get_ext_by_NID(OCSP_BASICRESP *x, int nid, int lastpos);
511int OCSP_BASICRESP_get_ext_by_OBJ(OCSP_BASICRESP *x, ASN1_OBJECT *obj, int lastpos);
512int OCSP_BASICRESP_get_ext_by_critical(OCSP_BASICRESP *x, int crit, int lastpos);
513X509_EXTENSION *OCSP_BASICRESP_get_ext(OCSP_BASICRESP *x, int loc);
514X509_EXTENSION *OCSP_BASICRESP_delete_ext(OCSP_BASICRESP *x, int loc);
515void *OCSP_BASICRESP_get1_ext_d2i(OCSP_BASICRESP *x, int nid, int *crit, int *idx);
516int OCSP_BASICRESP_add1_ext_i2d(OCSP_BASICRESP *x, int nid, void *value, int crit,
517 unsigned long flags);
518int OCSP_BASICRESP_add_ext(OCSP_BASICRESP *x, X509_EXTENSION *ex, int loc);
519
520int OCSP_SINGLERESP_get_ext_count(OCSP_SINGLERESP *x);
521int OCSP_SINGLERESP_get_ext_by_NID(OCSP_SINGLERESP *x, int nid, int lastpos);
522int OCSP_SINGLERESP_get_ext_by_OBJ(OCSP_SINGLERESP *x, ASN1_OBJECT *obj, int lastpos);
523int OCSP_SINGLERESP_get_ext_by_critical(OCSP_SINGLERESP *x, int crit, int lastpos);
524X509_EXTENSION *OCSP_SINGLERESP_get_ext(OCSP_SINGLERESP *x, int loc);
525X509_EXTENSION *OCSP_SINGLERESP_delete_ext(OCSP_SINGLERESP *x, int loc);
526void *OCSP_SINGLERESP_get1_ext_d2i(OCSP_SINGLERESP *x, int nid, int *crit, int *idx);
527int OCSP_SINGLERESP_add1_ext_i2d(OCSP_SINGLERESP *x, int nid, void *value, int crit,
528 unsigned long flags);
529int OCSP_SINGLERESP_add_ext(OCSP_SINGLERESP *x, X509_EXTENSION *ex, int loc);
530
531DECLARE_ASN1_FUNCTIONS(OCSP_SINGLERESP)
532DECLARE_ASN1_FUNCTIONS(OCSP_CERTSTATUS)
533DECLARE_ASN1_FUNCTIONS(OCSP_REVOKEDINFO)
534DECLARE_ASN1_FUNCTIONS(OCSP_BASICRESP)
535DECLARE_ASN1_FUNCTIONS(OCSP_RESPDATA)
536DECLARE_ASN1_FUNCTIONS(OCSP_RESPID)
537DECLARE_ASN1_FUNCTIONS(OCSP_RESPONSE)
538DECLARE_ASN1_FUNCTIONS(OCSP_RESPBYTES)
539DECLARE_ASN1_FUNCTIONS(OCSP_ONEREQ)
540DECLARE_ASN1_FUNCTIONS(OCSP_CERTID)
541DECLARE_ASN1_FUNCTIONS(OCSP_REQUEST)
542DECLARE_ASN1_FUNCTIONS(OCSP_SIGNATURE)
543DECLARE_ASN1_FUNCTIONS(OCSP_REQINFO)
544DECLARE_ASN1_FUNCTIONS(OCSP_CRLID)
545DECLARE_ASN1_FUNCTIONS(OCSP_SERVICELOC)
546
547char *OCSP_response_status_str(long s);
548char *OCSP_cert_status_str(long s);
549char *OCSP_crl_reason_str(long s);
550
551int OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST* a, unsigned long flags);
552int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE* o, unsigned long flags);
553
554int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
555 X509_STORE *st, unsigned long flags);
556
557/* BEGIN ERROR CODES */
558/* The following lines are auto generated by the script mkerr.pl. Any changes
559 * made after this point may be overwritten when the script is next run.
560 */
561void ERR_load_OCSP_strings(void);
562
563/* Error codes for the OCSP functions. */
564
565/* Function codes. */
566#define OCSP_F_ASN1_STRING_ENCODE 100
567#define OCSP_F_CERT_ID_NEW 101
568#define OCSP_F_D2I_OCSP_NONCE 102
569#define OCSP_F_OCSP_BASIC_ADD1_STATUS 103
570#define OCSP_F_OCSP_BASIC_SIGN 104
571#define OCSP_F_OCSP_BASIC_VERIFY 105
572#define OCSP_F_OCSP_CHECK_DELEGATED 106
573#define OCSP_F_OCSP_CHECK_IDS 107
574#define OCSP_F_OCSP_CHECK_ISSUER 108
575#define OCSP_F_OCSP_CHECK_VALIDITY 115
576#define OCSP_F_OCSP_MATCH_ISSUERID 109
577#define OCSP_F_OCSP_PARSE_URL 114
578#define OCSP_F_OCSP_REQUEST_SIGN 110
579#define OCSP_F_OCSP_REQUEST_VERIFY 116
580#define OCSP_F_OCSP_RESPONSE_GET1_BASIC 111
581#define OCSP_F_OCSP_SENDREQ_BIO 112
582#define OCSP_F_REQUEST_VERIFY 113
583
584/* Reason codes. */
585#define OCSP_R_BAD_DATA 100
586#define OCSP_R_CERTIFICATE_VERIFY_ERROR 101
587#define OCSP_R_DIGEST_ERR 102
588#define OCSP_R_ERROR_IN_NEXTUPDATE_FIELD 122
589#define OCSP_R_ERROR_IN_THISUPDATE_FIELD 123
590#define OCSP_R_ERROR_PARSING_URL 121
591#define OCSP_R_MISSING_OCSPSIGNING_USAGE 103
592#define OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE 124
593#define OCSP_R_NOT_BASIC_RESPONSE 104
594#define OCSP_R_NO_CERTIFICATES_IN_CHAIN 105
595#define OCSP_R_NO_CONTENT 106
596#define OCSP_R_NO_PUBLIC_KEY 107
597#define OCSP_R_NO_RESPONSE_DATA 108
598#define OCSP_R_NO_REVOKED_TIME 109
599#define OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE 110
600#define OCSP_R_REQUEST_NOT_SIGNED 128
601#define OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA 111
602#define OCSP_R_ROOT_CA_NOT_TRUSTED 112
603#define OCSP_R_SERVER_READ_ERROR 113
604#define OCSP_R_SERVER_RESPONSE_ERROR 114
605#define OCSP_R_SERVER_RESPONSE_PARSE_ERROR 115
606#define OCSP_R_SERVER_WRITE_ERROR 116
607#define OCSP_R_SIGNATURE_FAILURE 117
608#define OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND 118
609#define OCSP_R_STATUS_EXPIRED 125
610#define OCSP_R_STATUS_NOT_YET_VALID 126
611#define OCSP_R_STATUS_TOO_OLD 127
612#define OCSP_R_UNKNOWN_MESSAGE_DIGEST 119
613#define OCSP_R_UNKNOWN_NID 120
614#define OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE 129
615
616#ifdef __cplusplus
617}
618#endif
619#endif
diff --git a/src/lib/libcrypto/ocsp/ocsp_asn.c b/src/lib/libcrypto/ocsp/ocsp_asn.c
deleted file mode 100644
index 6a3a360d54..0000000000
--- a/src/lib/libcrypto/ocsp/ocsp_asn.c
+++ /dev/null
@@ -1,182 +0,0 @@
1/* ocsp_asn.c */
2/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
3 * project 2000.
4 */
5/* ====================================================================
6 * Copyright (c) 2000 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58#include <openssl/asn1.h>
59#include <openssl/asn1t.h>
60#include <openssl/ocsp.h>
61
62ASN1_SEQUENCE(OCSP_SIGNATURE) = {
63 ASN1_SIMPLE(OCSP_SIGNATURE, signatureAlgorithm, X509_ALGOR),
64 ASN1_SIMPLE(OCSP_SIGNATURE, signature, ASN1_BIT_STRING),
65 ASN1_EXP_SEQUENCE_OF(OCSP_SIGNATURE, certs, X509, 0)
66} ASN1_SEQUENCE_END(OCSP_SIGNATURE)
67
68IMPLEMENT_ASN1_FUNCTIONS(OCSP_SIGNATURE)
69
70ASN1_SEQUENCE(OCSP_CERTID) = {
71 ASN1_SIMPLE(OCSP_CERTID, hashAlgorithm, X509_ALGOR),
72 ASN1_SIMPLE(OCSP_CERTID, issuerNameHash, ASN1_OCTET_STRING),
73 ASN1_SIMPLE(OCSP_CERTID, issuerKeyHash, ASN1_OCTET_STRING),
74 ASN1_SIMPLE(OCSP_CERTID, serialNumber, ASN1_INTEGER)
75} ASN1_SEQUENCE_END(OCSP_CERTID)
76
77IMPLEMENT_ASN1_FUNCTIONS(OCSP_CERTID)
78
79ASN1_SEQUENCE(OCSP_ONEREQ) = {
80 ASN1_SIMPLE(OCSP_ONEREQ, reqCert, OCSP_CERTID),
81 ASN1_EXP_SEQUENCE_OF_OPT(OCSP_ONEREQ, singleRequestExtensions, X509_EXTENSION, 0)
82} ASN1_SEQUENCE_END(OCSP_ONEREQ)
83
84IMPLEMENT_ASN1_FUNCTIONS(OCSP_ONEREQ)
85
86ASN1_SEQUENCE(OCSP_REQINFO) = {
87 ASN1_EXP_OPT(OCSP_REQINFO, version, ASN1_INTEGER, 0),
88 ASN1_EXP_OPT(OCSP_REQINFO, requestorName, GENERAL_NAME, 1),
89 ASN1_SEQUENCE_OF(OCSP_REQINFO, requestList, OCSP_ONEREQ),
90 ASN1_EXP_SEQUENCE_OF_OPT(OCSP_REQINFO, requestExtensions, X509_EXTENSION, 2)
91} ASN1_SEQUENCE_END(OCSP_REQINFO)
92
93IMPLEMENT_ASN1_FUNCTIONS(OCSP_REQINFO)
94
95ASN1_SEQUENCE(OCSP_REQUEST) = {
96 ASN1_SIMPLE(OCSP_REQUEST, tbsRequest, OCSP_REQINFO),
97 ASN1_EXP_OPT(OCSP_REQUEST, optionalSignature, OCSP_SIGNATURE, 0)
98} ASN1_SEQUENCE_END(OCSP_REQUEST)
99
100IMPLEMENT_ASN1_FUNCTIONS(OCSP_REQUEST)
101
102/* OCSP_RESPONSE templates */
103
104ASN1_SEQUENCE(OCSP_RESPBYTES) = {
105 ASN1_SIMPLE(OCSP_RESPBYTES, responseType, ASN1_OBJECT),
106 ASN1_SIMPLE(OCSP_RESPBYTES, response, ASN1_OCTET_STRING)
107} ASN1_SEQUENCE_END(OCSP_RESPBYTES)
108
109IMPLEMENT_ASN1_FUNCTIONS(OCSP_RESPBYTES)
110
111ASN1_SEQUENCE(OCSP_RESPONSE) = {
112 ASN1_SIMPLE(OCSP_RESPONSE, responseStatus, ASN1_ENUMERATED),
113 ASN1_EXP_OPT(OCSP_RESPONSE, responseBytes, OCSP_RESPBYTES, 0)
114} ASN1_SEQUENCE_END(OCSP_RESPONSE)
115
116IMPLEMENT_ASN1_FUNCTIONS(OCSP_RESPONSE)
117
118ASN1_CHOICE(OCSP_RESPID) = {
119 ASN1_EXP(OCSP_RESPID, value.byName, X509_NAME, 1),
120 ASN1_EXP(OCSP_RESPID, value.byKey, ASN1_OCTET_STRING, 2)
121} ASN1_CHOICE_END(OCSP_RESPID)
122
123IMPLEMENT_ASN1_FUNCTIONS(OCSP_RESPID)
124
125ASN1_SEQUENCE(OCSP_REVOKEDINFO) = {
126 ASN1_SIMPLE(OCSP_REVOKEDINFO, revocationTime, ASN1_GENERALIZEDTIME),
127 ASN1_EXP_OPT(OCSP_REVOKEDINFO, revocationReason, ASN1_ENUMERATED, 0)
128} ASN1_SEQUENCE_END(OCSP_REVOKEDINFO)
129
130IMPLEMENT_ASN1_FUNCTIONS(OCSP_REVOKEDINFO)
131
132ASN1_CHOICE(OCSP_CERTSTATUS) = {
133 ASN1_IMP(OCSP_CERTSTATUS, value.good, ASN1_NULL, 0),
134 ASN1_IMP(OCSP_CERTSTATUS, value.revoked, OCSP_REVOKEDINFO, 1),
135 ASN1_IMP(OCSP_CERTSTATUS, value.unknown, ASN1_NULL, 2)
136} ASN1_CHOICE_END(OCSP_CERTSTATUS)
137
138IMPLEMENT_ASN1_FUNCTIONS(OCSP_CERTSTATUS)
139
140ASN1_SEQUENCE(OCSP_SINGLERESP) = {
141 ASN1_SIMPLE(OCSP_SINGLERESP, certId, OCSP_CERTID),
142 ASN1_SIMPLE(OCSP_SINGLERESP, certStatus, OCSP_CERTSTATUS),
143 ASN1_SIMPLE(OCSP_SINGLERESP, thisUpdate, ASN1_GENERALIZEDTIME),
144 ASN1_EXP_OPT(OCSP_SINGLERESP, nextUpdate, ASN1_GENERALIZEDTIME, 0),
145 ASN1_EXP_SEQUENCE_OF_OPT(OCSP_SINGLERESP, singleExtensions, X509_EXTENSION, 1)
146} ASN1_SEQUENCE_END(OCSP_SINGLERESP)
147
148IMPLEMENT_ASN1_FUNCTIONS(OCSP_SINGLERESP)
149
150ASN1_SEQUENCE(OCSP_RESPDATA) = {
151 ASN1_EXP_OPT(OCSP_RESPDATA, version, ASN1_INTEGER, 0),
152 ASN1_SIMPLE(OCSP_RESPDATA, responderId, OCSP_RESPID),
153 ASN1_SIMPLE(OCSP_RESPDATA, producedAt, ASN1_GENERALIZEDTIME),
154 ASN1_SEQUENCE_OF(OCSP_RESPDATA, responses, OCSP_SINGLERESP),
155 ASN1_EXP_SEQUENCE_OF_OPT(OCSP_RESPDATA, responseExtensions, X509_EXTENSION, 1)
156} ASN1_SEQUENCE_END(OCSP_RESPDATA)
157
158IMPLEMENT_ASN1_FUNCTIONS(OCSP_RESPDATA)
159
160ASN1_SEQUENCE(OCSP_BASICRESP) = {
161 ASN1_SIMPLE(OCSP_BASICRESP, tbsResponseData, OCSP_RESPDATA),
162 ASN1_SIMPLE(OCSP_BASICRESP, signatureAlgorithm, X509_ALGOR),
163 ASN1_SIMPLE(OCSP_BASICRESP, signature, ASN1_BIT_STRING),
164 ASN1_EXP_SEQUENCE_OF_OPT(OCSP_BASICRESP, certs, X509, 0)
165} ASN1_SEQUENCE_END(OCSP_BASICRESP)
166
167IMPLEMENT_ASN1_FUNCTIONS(OCSP_BASICRESP)
168
169ASN1_SEQUENCE(OCSP_CRLID) = {
170 ASN1_EXP_OPT(OCSP_CRLID, crlUrl, ASN1_IA5STRING, 0),
171 ASN1_EXP_OPT(OCSP_CRLID, crlNum, ASN1_INTEGER, 1),
172 ASN1_EXP_OPT(OCSP_CRLID, crlTime, ASN1_GENERALIZEDTIME, 2)
173} ASN1_SEQUENCE_END(OCSP_CRLID)
174
175IMPLEMENT_ASN1_FUNCTIONS(OCSP_CRLID)
176
177ASN1_SEQUENCE(OCSP_SERVICELOC) = {
178 ASN1_SIMPLE(OCSP_SERVICELOC, issuer, X509_NAME),
179 ASN1_SEQUENCE_OF_OPT(OCSP_SERVICELOC, locator, ACCESS_DESCRIPTION)
180} ASN1_SEQUENCE_END(OCSP_SERVICELOC)
181
182IMPLEMENT_ASN1_FUNCTIONS(OCSP_SERVICELOC)
diff --git a/src/lib/libcrypto/ocsp/ocsp_cl.c b/src/lib/libcrypto/ocsp/ocsp_cl.c
deleted file mode 100644
index 9b3e6dd8ca..0000000000
--- a/src/lib/libcrypto/ocsp/ocsp_cl.c
+++ /dev/null
@@ -1,370 +0,0 @@
1/* ocsp_cl.c */
2/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
3 * project. */
4
5/* History:
6 This file was transfered to Richard Levitte from CertCo by Kathy
7 Weinhold in mid-spring 2000 to be included in OpenSSL or released
8 as a patch kit. */
9
10/* ====================================================================
11 * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
12 *
13 * Redistribution and use in source and binary forms, with or without
14 * modification, are permitted provided that the following conditions
15 * are met:
16 *
17 * 1. Redistributions of source code must retain the above copyright
18 * notice, this list of conditions and the following disclaimer.
19 *
20 * 2. Redistributions in binary form must reproduce the above copyright
21 * notice, this list of conditions and the following disclaimer in
22 * the documentation and/or other materials provided with the
23 * distribution.
24 *
25 * 3. All advertising materials mentioning features or use of this
26 * software must display the following acknowledgment:
27 * "This product includes software developed by the OpenSSL Project
28 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
29 *
30 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
31 * endorse or promote products derived from this software without
32 * prior written permission. For written permission, please contact
33 * openssl-core@openssl.org.
34 *
35 * 5. Products derived from this software may not be called "OpenSSL"
36 * nor may "OpenSSL" appear in their names without prior written
37 * permission of the OpenSSL Project.
38 *
39 * 6. Redistributions of any form whatsoever must retain the following
40 * acknowledgment:
41 * "This product includes software developed by the OpenSSL Project
42 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
43 *
44 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
45 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
46 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
47 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
48 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
49 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
50 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
51 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
52 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
53 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
54 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
55 * OF THE POSSIBILITY OF SUCH DAMAGE.
56 * ====================================================================
57 *
58 * This product includes cryptographic software written by Eric Young
59 * (eay@cryptsoft.com). This product includes software written by Tim
60 * Hudson (tjh@cryptsoft.com).
61 *
62 */
63
64#include <stdio.h>
65#include <time.h>
66#include <cryptlib.h>
67#include <openssl/objects.h>
68#include <openssl/rand.h>
69#include <openssl/x509.h>
70#include <openssl/pem.h>
71#include <openssl/x509v3.h>
72#include <openssl/ocsp.h>
73
74/* Utility functions related to sending OCSP requests and extracting
75 * relevant information from the response.
76 */
77
78/* Add an OCSP_CERTID to an OCSP request. Return new OCSP_ONEREQ
79 * pointer: useful if we want to add extensions.
80 */
81
82OCSP_ONEREQ *OCSP_request_add0_id(OCSP_REQUEST *req, OCSP_CERTID *cid)
83 {
84 OCSP_ONEREQ *one = NULL;
85
86 if (!(one = OCSP_ONEREQ_new())) goto err;
87 if (one->reqCert) OCSP_CERTID_free(one->reqCert);
88 one->reqCert = cid;
89 if (req &&
90 !sk_OCSP_ONEREQ_push(req->tbsRequest->requestList, one))
91 goto err;
92 return one;
93err:
94 OCSP_ONEREQ_free(one);
95 return NULL;
96 }
97
98/* Set requestorName from an X509_NAME structure */
99
100int OCSP_request_set1_name(OCSP_REQUEST *req, X509_NAME *nm)
101 {
102 GENERAL_NAME *gen;
103 gen = GENERAL_NAME_new();
104 if (!X509_NAME_set(&gen->d.directoryName, nm))
105 {
106 GENERAL_NAME_free(gen);
107 return 0;
108 }
109 gen->type = GEN_DIRNAME;
110 if (req->tbsRequest->requestorName)
111 GENERAL_NAME_free(req->tbsRequest->requestorName);
112 req->tbsRequest->requestorName = gen;
113 return 1;
114 }
115
116
117/* Add a certificate to an OCSP request */
118
119int OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert)
120 {
121 OCSP_SIGNATURE *sig;
122 if (!req->optionalSignature)
123 req->optionalSignature = OCSP_SIGNATURE_new();
124 sig = req->optionalSignature;
125 if (!sig) return 0;
126 if (!cert) return 1;
127 if (!sig->certs && !(sig->certs = sk_X509_new_null()))
128 return 0;
129
130 if(!sk_X509_push(sig->certs, cert)) return 0;
131 CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
132 return 1;
133 }
134
135/* Sign an OCSP request set the requestorName to the subjec
136 * name of an optional signers certificate and include one
137 * or more optional certificates in the request. Behaves
138 * like PKCS7_sign().
139 */
140
141int OCSP_request_sign(OCSP_REQUEST *req,
142 X509 *signer,
143 EVP_PKEY *key,
144 const EVP_MD *dgst,
145 STACK_OF(X509) *certs,
146 unsigned long flags)
147 {
148 int i;
149 OCSP_SIGNATURE *sig;
150 X509 *x;
151
152 if (!OCSP_request_set1_name(req, X509_get_subject_name(signer)))
153 goto err;
154
155 if (!(req->optionalSignature = sig = OCSP_SIGNATURE_new())) goto err;
156 if (!dgst) dgst = EVP_sha1();
157 if (key)
158 {
159 if (!X509_check_private_key(signer, key))
160 {
161 OCSPerr(OCSP_F_OCSP_REQUEST_SIGN, OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
162 goto err;
163 }
164 if (!OCSP_REQUEST_sign(req, key, dgst)) goto err;
165 }
166
167 if (!(flags & OCSP_NOCERTS))
168 {
169 if(!OCSP_request_add1_cert(req, signer)) goto err;
170 for (i = 0; i < sk_X509_num(certs); i++)
171 {
172 x = sk_X509_value(certs, i);
173 if (!OCSP_request_add1_cert(req, x)) goto err;
174 }
175 }
176
177 return 1;
178err:
179 OCSP_SIGNATURE_free(req->optionalSignature);
180 req->optionalSignature = NULL;
181 return 0;
182 }
183
184/* Get response status */
185
186int OCSP_response_status(OCSP_RESPONSE *resp)
187 {
188 return ASN1_ENUMERATED_get(resp->responseStatus);
189 }
190
191/* Extract basic response from OCSP_RESPONSE or NULL if
192 * no basic response present.
193 */
194
195
196OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp)
197 {
198 OCSP_RESPBYTES *rb;
199 rb = resp->responseBytes;
200 if (!rb)
201 {
202 OCSPerr(OCSP_F_OCSP_RESPONSE_GET1_BASIC, OCSP_R_NO_RESPONSE_DATA);
203 return NULL;
204 }
205 if (OBJ_obj2nid(rb->responseType) != NID_id_pkix_OCSP_basic)
206 {
207 OCSPerr(OCSP_F_OCSP_RESPONSE_GET1_BASIC, OCSP_R_NOT_BASIC_RESPONSE);
208 return NULL;
209 }
210
211 return ASN1_item_unpack(rb->response, ASN1_ITEM_rptr(OCSP_BASICRESP));
212 }
213
214/* Return number of OCSP_SINGLERESP reponses present in
215 * a basic response.
216 */
217
218int OCSP_resp_count(OCSP_BASICRESP *bs)
219 {
220 if (!bs) return -1;
221 return sk_OCSP_SINGLERESP_num(bs->tbsResponseData->responses);
222 }
223
224/* Extract an OCSP_SINGLERESP response with a given index */
225
226OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx)
227 {
228 if (!bs) return NULL;
229 return sk_OCSP_SINGLERESP_value(bs->tbsResponseData->responses, idx);
230 }
231
232/* Look single response matching a given certificate ID */
233
234int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last)
235 {
236 int i;
237 STACK_OF(OCSP_SINGLERESP) *sresp;
238 OCSP_SINGLERESP *single;
239 if (!bs) return -1;
240 if (last < 0) last = 0;
241 else last++;
242 sresp = bs->tbsResponseData->responses;
243 for (i = last; i < sk_OCSP_SINGLERESP_num(sresp); i++)
244 {
245 single = sk_OCSP_SINGLERESP_value(sresp, i);
246 if (!OCSP_id_cmp(id, single->certId)) return i;
247 }
248 return -1;
249 }
250
251/* Extract status information from an OCSP_SINGLERESP structure.
252 * Note: the revtime and reason values are only set if the
253 * certificate status is revoked. Returns numerical value of
254 * status.
255 */
256
257int OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason,
258 ASN1_GENERALIZEDTIME **revtime,
259 ASN1_GENERALIZEDTIME **thisupd,
260 ASN1_GENERALIZEDTIME **nextupd)
261 {
262 int ret;
263 OCSP_CERTSTATUS *cst;
264 if(!single) return -1;
265 cst = single->certStatus;
266 ret = cst->type;
267 if (ret == V_OCSP_CERTSTATUS_REVOKED)
268 {
269 OCSP_REVOKEDINFO *rev = cst->value.revoked;
270 if (revtime) *revtime = rev->revocationTime;
271 if (reason)
272 {
273 if(rev->revocationReason)
274 *reason = ASN1_ENUMERATED_get(rev->revocationReason);
275 else *reason = -1;
276 }
277 }
278 if(thisupd) *thisupd = single->thisUpdate;
279 if(nextupd) *nextupd = single->nextUpdate;
280 return ret;
281 }
282
283/* This function combines the previous ones: look up a certificate ID and
284 * if found extract status information. Return 0 is successful.
285 */
286
287int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
288 int *reason,
289 ASN1_GENERALIZEDTIME **revtime,
290 ASN1_GENERALIZEDTIME **thisupd,
291 ASN1_GENERALIZEDTIME **nextupd)
292 {
293 int i;
294 OCSP_SINGLERESP *single;
295 i = OCSP_resp_find(bs, id, -1);
296 /* Maybe check for multiple responses and give an error? */
297 if(i < 0) return 0;
298 single = OCSP_resp_get0(bs, i);
299 i = OCSP_single_get0_status(single, reason, revtime, thisupd, nextupd);
300 if(status) *status = i;
301 return 1;
302 }
303
304/* Check validity of thisUpdate and nextUpdate fields. It is possible that the request will
305 * take a few seconds to process and/or the time wont be totally accurate. Therefore to avoid
306 * rejecting otherwise valid time we allow the times to be within 'nsec' of the current time.
307 * Also to avoid accepting very old responses without a nextUpdate field an optional maxage
308 * parameter specifies the maximum age the thisUpdate field can be.
309 */
310
311int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd, ASN1_GENERALIZEDTIME *nextupd, long nsec, long maxsec)
312 {
313 int ret = 1;
314 time_t t_now, t_tmp;
315 time(&t_now);
316 /* Check thisUpdate is valid and not more than nsec in the future */
317 if (!ASN1_GENERALIZEDTIME_check(thisupd))
318 {
319 OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_ERROR_IN_THISUPDATE_FIELD);
320 ret = 0;
321 }
322 else
323 {
324 t_tmp = t_now + nsec;
325 if (X509_cmp_time(thisupd, &t_tmp) > 0)
326 {
327 OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_STATUS_NOT_YET_VALID);
328 ret = 0;
329 }
330
331 /* If maxsec specified check thisUpdate is not more than maxsec in the past */
332 if (maxsec >= 0)
333 {
334 t_tmp = t_now - maxsec;
335 if (X509_cmp_time(thisupd, &t_tmp) < 0)
336 {
337 OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_STATUS_TOO_OLD);
338 ret = 0;
339 }
340 }
341 }
342
343
344 if (!nextupd) return ret;
345
346 /* Check nextUpdate is valid and not more than nsec in the past */
347 if (!ASN1_GENERALIZEDTIME_check(nextupd))
348 {
349 OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_ERROR_IN_NEXTUPDATE_FIELD);
350 ret = 0;
351 }
352 else
353 {
354 t_tmp = t_now - nsec;
355 if (X509_cmp_time(nextupd, &t_tmp) < 0)
356 {
357 OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_STATUS_EXPIRED);
358 ret = 0;
359 }
360 }
361
362 /* Also don't allow nextUpdate to precede thisUpdate */
363 if (ASN1_STRING_cmp(nextupd, thisupd) < 0)
364 {
365 OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE);
366 ret = 0;
367 }
368
369 return ret;
370 }
diff --git a/src/lib/libcrypto/ocsp/ocsp_err.c b/src/lib/libcrypto/ocsp/ocsp_err.c
deleted file mode 100644
index 4c4d8306f8..0000000000
--- a/src/lib/libcrypto/ocsp/ocsp_err.c
+++ /dev/null
@@ -1,139 +0,0 @@
1/* crypto/ocsp/ocsp_err.c */
2/* ====================================================================
3 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 *
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in
14 * the documentation and/or other materials provided with the
15 * distribution.
16 *
17 * 3. All advertising materials mentioning features or use of this
18 * software must display the following acknowledgment:
19 * "This product includes software developed by the OpenSSL Project
20 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
21 *
22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23 * endorse or promote products derived from this software without
24 * prior written permission. For written permission, please contact
25 * openssl-core@OpenSSL.org.
26 *
27 * 5. Products derived from this software may not be called "OpenSSL"
28 * nor may "OpenSSL" appear in their names without prior written
29 * permission of the OpenSSL Project.
30 *
31 * 6. Redistributions of any form whatsoever must retain the following
32 * acknowledgment:
33 * "This product includes software developed by the OpenSSL Project
34 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
35 *
36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47 * OF THE POSSIBILITY OF SUCH DAMAGE.
48 * ====================================================================
49 *
50 * This product includes cryptographic software written by Eric Young
51 * (eay@cryptsoft.com). This product includes software written by Tim
52 * Hudson (tjh@cryptsoft.com).
53 *
54 */
55
56/* NOTE: this file was auto generated by the mkerr.pl script: any changes
57 * made to it will be overwritten when the script next updates this file,
58 * only reason strings will be preserved.
59 */
60
61#include <stdio.h>
62#include <openssl/err.h>
63#include <openssl/ocsp.h>
64
65/* BEGIN ERROR CODES */
66#ifndef OPENSSL_NO_ERR
67static ERR_STRING_DATA OCSP_str_functs[]=
68 {
69{ERR_PACK(0,OCSP_F_ASN1_STRING_ENCODE,0), "ASN1_STRING_encode"},
70{ERR_PACK(0,OCSP_F_CERT_ID_NEW,0), "CERT_ID_NEW"},
71{ERR_PACK(0,OCSP_F_D2I_OCSP_NONCE,0), "D2I_OCSP_NONCE"},
72{ERR_PACK(0,OCSP_F_OCSP_BASIC_ADD1_STATUS,0), "OCSP_basic_add1_status"},
73{ERR_PACK(0,OCSP_F_OCSP_BASIC_SIGN,0), "OCSP_basic_sign"},
74{ERR_PACK(0,OCSP_F_OCSP_BASIC_VERIFY,0), "OCSP_basic_verify"},
75{ERR_PACK(0,OCSP_F_OCSP_CHECK_DELEGATED,0), "OCSP_CHECK_DELEGATED"},
76{ERR_PACK(0,OCSP_F_OCSP_CHECK_IDS,0), "OCSP_CHECK_IDS"},
77{ERR_PACK(0,OCSP_F_OCSP_CHECK_ISSUER,0), "OCSP_CHECK_ISSUER"},
78{ERR_PACK(0,OCSP_F_OCSP_CHECK_VALIDITY,0), "OCSP_check_validity"},
79{ERR_PACK(0,OCSP_F_OCSP_MATCH_ISSUERID,0), "OCSP_MATCH_ISSUERID"},
80{ERR_PACK(0,OCSP_F_OCSP_PARSE_URL,0), "OCSP_parse_url"},
81{ERR_PACK(0,OCSP_F_OCSP_REQUEST_SIGN,0), "OCSP_request_sign"},
82{ERR_PACK(0,OCSP_F_OCSP_REQUEST_VERIFY,0), "OCSP_request_verify"},
83{ERR_PACK(0,OCSP_F_OCSP_RESPONSE_GET1_BASIC,0), "OCSP_response_get1_basic"},
84{ERR_PACK(0,OCSP_F_OCSP_SENDREQ_BIO,0), "OCSP_sendreq_bio"},
85{ERR_PACK(0,OCSP_F_REQUEST_VERIFY,0), "REQUEST_VERIFY"},
86{0,NULL}
87 };
88
89static ERR_STRING_DATA OCSP_str_reasons[]=
90 {
91{OCSP_R_BAD_DATA ,"bad data"},
92{OCSP_R_CERTIFICATE_VERIFY_ERROR ,"certificate verify error"},
93{OCSP_R_DIGEST_ERR ,"digest err"},
94{OCSP_R_ERROR_IN_NEXTUPDATE_FIELD ,"error in nextupdate field"},
95{OCSP_R_ERROR_IN_THISUPDATE_FIELD ,"error in thisupdate field"},
96{OCSP_R_ERROR_PARSING_URL ,"error parsing url"},
97{OCSP_R_MISSING_OCSPSIGNING_USAGE ,"missing ocspsigning usage"},
98{OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE ,"nextupdate before thisupdate"},
99{OCSP_R_NOT_BASIC_RESPONSE ,"not basic response"},
100{OCSP_R_NO_CERTIFICATES_IN_CHAIN ,"no certificates in chain"},
101{OCSP_R_NO_CONTENT ,"no content"},
102{OCSP_R_NO_PUBLIC_KEY ,"no public key"},
103{OCSP_R_NO_RESPONSE_DATA ,"no response data"},
104{OCSP_R_NO_REVOKED_TIME ,"no revoked time"},
105{OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE,"private key does not match certificate"},
106{OCSP_R_REQUEST_NOT_SIGNED ,"request not signed"},
107{OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA,"response contains no revocation data"},
108{OCSP_R_ROOT_CA_NOT_TRUSTED ,"root ca not trusted"},
109{OCSP_R_SERVER_READ_ERROR ,"server read error"},
110{OCSP_R_SERVER_RESPONSE_ERROR ,"server response error"},
111{OCSP_R_SERVER_RESPONSE_PARSE_ERROR ,"server response parse error"},
112{OCSP_R_SERVER_WRITE_ERROR ,"server write error"},
113{OCSP_R_SIGNATURE_FAILURE ,"signature failure"},
114{OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND ,"signer certificate not found"},
115{OCSP_R_STATUS_EXPIRED ,"status expired"},
116{OCSP_R_STATUS_NOT_YET_VALID ,"status not yet valid"},
117{OCSP_R_STATUS_TOO_OLD ,"status too old"},
118{OCSP_R_UNKNOWN_MESSAGE_DIGEST ,"unknown message digest"},
119{OCSP_R_UNKNOWN_NID ,"unknown nid"},
120{OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE ,"unsupported requestorname type"},
121{0,NULL}
122 };
123
124#endif
125
126void ERR_load_OCSP_strings(void)
127 {
128 static int init=1;
129
130 if (init)
131 {
132 init=0;
133#ifndef OPENSSL_NO_ERR
134 ERR_load_strings(ERR_LIB_OCSP,OCSP_str_functs);
135 ERR_load_strings(ERR_LIB_OCSP,OCSP_str_reasons);
136#endif
137
138 }
139 }
diff --git a/src/lib/libcrypto/ocsp/ocsp_ext.c b/src/lib/libcrypto/ocsp/ocsp_ext.c
deleted file mode 100644
index d6c8899f58..0000000000
--- a/src/lib/libcrypto/ocsp/ocsp_ext.c
+++ /dev/null
@@ -1,528 +0,0 @@
1/* ocsp_ext.c */
2/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
3 * project. */
4
5/* History:
6 This file was transfered to Richard Levitte from CertCo by Kathy
7 Weinhold in mid-spring 2000 to be included in OpenSSL or released
8 as a patch kit. */
9
10/* ====================================================================
11 * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
12 *
13 * Redistribution and use in source and binary forms, with or without
14 * modification, are permitted provided that the following conditions
15 * are met:
16 *
17 * 1. Redistributions of source code must retain the above copyright
18 * notice, this list of conditions and the following disclaimer.
19 *
20 * 2. Redistributions in binary form must reproduce the above copyright
21 * notice, this list of conditions and the following disclaimer in
22 * the documentation and/or other materials provided with the
23 * distribution.
24 *
25 * 3. All advertising materials mentioning features or use of this
26 * software must display the following acknowledgment:
27 * "This product includes software developed by the OpenSSL Project
28 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
29 *
30 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
31 * endorse or promote products derived from this software without
32 * prior written permission. For written permission, please contact
33 * openssl-core@openssl.org.
34 *
35 * 5. Products derived from this software may not be called "OpenSSL"
36 * nor may "OpenSSL" appear in their names without prior written
37 * permission of the OpenSSL Project.
38 *
39 * 6. Redistributions of any form whatsoever must retain the following
40 * acknowledgment:
41 * "This product includes software developed by the OpenSSL Project
42 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
43 *
44 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
45 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
46 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
47 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
48 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
49 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
50 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
51 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
52 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
53 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
54 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
55 * OF THE POSSIBILITY OF SUCH DAMAGE.
56 * ====================================================================
57 *
58 * This product includes cryptographic software written by Eric Young
59 * (eay@cryptsoft.com). This product includes software written by Tim
60 * Hudson (tjh@cryptsoft.com).
61 *
62 */
63
64#include <stdio.h>
65#include <cryptlib.h>
66#include <openssl/objects.h>
67#include <openssl/x509.h>
68#include <openssl/ocsp.h>
69#include <openssl/rand.h>
70#include <openssl/x509v3.h>
71
72/* Standard wrapper functions for extensions */
73
74/* OCSP request extensions */
75
76int OCSP_REQUEST_get_ext_count(OCSP_REQUEST *x)
77 {
78 return(X509v3_get_ext_count(x->tbsRequest->requestExtensions));
79 }
80
81int OCSP_REQUEST_get_ext_by_NID(OCSP_REQUEST *x, int nid, int lastpos)
82 {
83 return(X509v3_get_ext_by_NID(x->tbsRequest->requestExtensions,nid,lastpos));
84 }
85
86int OCSP_REQUEST_get_ext_by_OBJ(OCSP_REQUEST *x, ASN1_OBJECT *obj, int lastpos)
87 {
88 return(X509v3_get_ext_by_OBJ(x->tbsRequest->requestExtensions,obj,lastpos));
89 }
90
91int OCSP_REQUEST_get_ext_by_critical(OCSP_REQUEST *x, int crit, int lastpos)
92 {
93 return(X509v3_get_ext_by_critical(x->tbsRequest->requestExtensions,crit,lastpos));
94 }
95
96X509_EXTENSION *OCSP_REQUEST_get_ext(OCSP_REQUEST *x, int loc)
97 {
98 return(X509v3_get_ext(x->tbsRequest->requestExtensions,loc));
99 }
100
101X509_EXTENSION *OCSP_REQUEST_delete_ext(OCSP_REQUEST *x, int loc)
102 {
103 return(X509v3_delete_ext(x->tbsRequest->requestExtensions,loc));
104 }
105
106void *OCSP_REQUEST_get1_ext_d2i(OCSP_REQUEST *x, int nid, int *crit, int *idx)
107 {
108 return X509V3_get_d2i(x->tbsRequest->requestExtensions, nid, crit, idx);
109 }
110
111int OCSP_REQUEST_add1_ext_i2d(OCSP_REQUEST *x, int nid, void *value, int crit,
112 unsigned long flags)
113 {
114 return X509V3_add1_i2d(&x->tbsRequest->requestExtensions, nid, value, crit, flags);
115 }
116
117int OCSP_REQUEST_add_ext(OCSP_REQUEST *x, X509_EXTENSION *ex, int loc)
118 {
119 return(X509v3_add_ext(&(x->tbsRequest->requestExtensions),ex,loc) != NULL);
120 }
121
122/* Single extensions */
123
124int OCSP_ONEREQ_get_ext_count(OCSP_ONEREQ *x)
125 {
126 return(X509v3_get_ext_count(x->singleRequestExtensions));
127 }
128
129int OCSP_ONEREQ_get_ext_by_NID(OCSP_ONEREQ *x, int nid, int lastpos)
130 {
131 return(X509v3_get_ext_by_NID(x->singleRequestExtensions,nid,lastpos));
132 }
133
134int OCSP_ONEREQ_get_ext_by_OBJ(OCSP_ONEREQ *x, ASN1_OBJECT *obj, int lastpos)
135 {
136 return(X509v3_get_ext_by_OBJ(x->singleRequestExtensions,obj,lastpos));
137 }
138
139int OCSP_ONEREQ_get_ext_by_critical(OCSP_ONEREQ *x, int crit, int lastpos)
140 {
141 return(X509v3_get_ext_by_critical(x->singleRequestExtensions,crit,lastpos));
142 }
143
144X509_EXTENSION *OCSP_ONEREQ_get_ext(OCSP_ONEREQ *x, int loc)
145 {
146 return(X509v3_get_ext(x->singleRequestExtensions,loc));
147 }
148
149X509_EXTENSION *OCSP_ONEREQ_delete_ext(OCSP_ONEREQ *x, int loc)
150 {
151 return(X509v3_delete_ext(x->singleRequestExtensions,loc));
152 }
153
154void *OCSP_ONEREQ_get1_ext_d2i(OCSP_ONEREQ *x, int nid, int *crit, int *idx)
155 {
156 return X509V3_get_d2i(x->singleRequestExtensions, nid, crit, idx);
157 }
158
159int OCSP_ONEREQ_add1_ext_i2d(OCSP_ONEREQ *x, int nid, void *value, int crit,
160 unsigned long flags)
161 {
162 return X509V3_add1_i2d(&x->singleRequestExtensions, nid, value, crit, flags);
163 }
164
165int OCSP_ONEREQ_add_ext(OCSP_ONEREQ *x, X509_EXTENSION *ex, int loc)
166 {
167 return(X509v3_add_ext(&(x->singleRequestExtensions),ex,loc) != NULL);
168 }
169
170/* OCSP Basic response */
171
172int OCSP_BASICRESP_get_ext_count(OCSP_BASICRESP *x)
173 {
174 return(X509v3_get_ext_count(x->tbsResponseData->responseExtensions));
175 }
176
177int OCSP_BASICRESP_get_ext_by_NID(OCSP_BASICRESP *x, int nid, int lastpos)
178 {
179 return(X509v3_get_ext_by_NID(x->tbsResponseData->responseExtensions,nid,lastpos));
180 }
181
182int OCSP_BASICRESP_get_ext_by_OBJ(OCSP_BASICRESP *x, ASN1_OBJECT *obj, int lastpos)
183 {
184 return(X509v3_get_ext_by_OBJ(x->tbsResponseData->responseExtensions,obj,lastpos));
185 }
186
187int OCSP_BASICRESP_get_ext_by_critical(OCSP_BASICRESP *x, int crit, int lastpos)
188 {
189 return(X509v3_get_ext_by_critical(x->tbsResponseData->responseExtensions,crit,lastpos));
190 }
191
192X509_EXTENSION *OCSP_BASICRESP_get_ext(OCSP_BASICRESP *x, int loc)
193 {
194 return(X509v3_get_ext(x->tbsResponseData->responseExtensions,loc));
195 }
196
197X509_EXTENSION *OCSP_BASICRESP_delete_ext(OCSP_BASICRESP *x, int loc)
198 {
199 return(X509v3_delete_ext(x->tbsResponseData->responseExtensions,loc));
200 }
201
202void *OCSP_BASICRESP_get1_ext_d2i(OCSP_BASICRESP *x, int nid, int *crit, int *idx)
203 {
204 return X509V3_get_d2i(x->tbsResponseData->responseExtensions, nid, crit, idx);
205 }
206
207int OCSP_BASICRESP_add1_ext_i2d(OCSP_BASICRESP *x, int nid, void *value, int crit,
208 unsigned long flags)
209 {
210 return X509V3_add1_i2d(&x->tbsResponseData->responseExtensions, nid, value, crit, flags);
211 }
212
213int OCSP_BASICRESP_add_ext(OCSP_BASICRESP *x, X509_EXTENSION *ex, int loc)
214 {
215 return(X509v3_add_ext(&(x->tbsResponseData->responseExtensions),ex,loc) != NULL);
216 }
217
218/* OCSP single response extensions */
219
220int OCSP_SINGLERESP_get_ext_count(OCSP_SINGLERESP *x)
221 {
222 return(X509v3_get_ext_count(x->singleExtensions));
223 }
224
225int OCSP_SINGLERESP_get_ext_by_NID(OCSP_SINGLERESP *x, int nid, int lastpos)
226 {
227 return(X509v3_get_ext_by_NID(x->singleExtensions,nid,lastpos));
228 }
229
230int OCSP_SINGLERESP_get_ext_by_OBJ(OCSP_SINGLERESP *x, ASN1_OBJECT *obj, int lastpos)
231 {
232 return(X509v3_get_ext_by_OBJ(x->singleExtensions,obj,lastpos));
233 }
234
235int OCSP_SINGLERESP_get_ext_by_critical(OCSP_SINGLERESP *x, int crit, int lastpos)
236 {
237 return(X509v3_get_ext_by_critical(x->singleExtensions,crit,lastpos));
238 }
239
240X509_EXTENSION *OCSP_SINGLERESP_get_ext(OCSP_SINGLERESP *x, int loc)
241 {
242 return(X509v3_get_ext(x->singleExtensions,loc));
243 }
244
245X509_EXTENSION *OCSP_SINGLERESP_delete_ext(OCSP_SINGLERESP *x, int loc)
246 {
247 return(X509v3_delete_ext(x->singleExtensions,loc));
248 }
249
250void *OCSP_SINGLERESP_get1_ext_d2i(OCSP_SINGLERESP *x, int nid, int *crit, int *idx)
251 {
252 return X509V3_get_d2i(x->singleExtensions, nid, crit, idx);
253 }
254
255int OCSP_SINGLERESP_add1_ext_i2d(OCSP_SINGLERESP *x, int nid, void *value, int crit,
256 unsigned long flags)
257 {
258 return X509V3_add1_i2d(&x->singleExtensions, nid, value, crit, flags);
259 }
260
261int OCSP_SINGLERESP_add_ext(OCSP_SINGLERESP *x, X509_EXTENSION *ex, int loc)
262 {
263 return(X509v3_add_ext(&(x->singleExtensions),ex,loc) != NULL);
264 }
265
266/* also CRL Entry Extensions */
267
268ASN1_STRING *ASN1_STRING_encode(ASN1_STRING *s, int (*i2d)(),
269 char *data, STACK_OF(ASN1_OBJECT) *sk)
270 {
271 int i;
272 unsigned char *p, *b = NULL;
273
274 if (data)
275 {
276 if ((i=i2d(data,NULL)) <= 0) goto err;
277 if (!(b=p=(unsigned char*)OPENSSL_malloc((unsigned int)i)))
278 goto err;
279 if (i2d(data, &p) <= 0) goto err;
280 }
281 else if (sk)
282 {
283 if ((i=i2d_ASN1_SET_OF_ASN1_OBJECT(sk,NULL,i2d,V_ASN1_SEQUENCE,
284 V_ASN1_UNIVERSAL,IS_SEQUENCE))<=0) goto err;
285 if (!(b=p=(unsigned char*)OPENSSL_malloc((unsigned int)i)))
286 goto err;
287 if (i2d_ASN1_SET_OF_ASN1_OBJECT(sk,&p,i2d,V_ASN1_SEQUENCE,
288 V_ASN1_UNIVERSAL,IS_SEQUENCE)<=0) goto err;
289 }
290 else
291 {
292 OCSPerr(OCSP_F_ASN1_STRING_ENCODE,OCSP_R_BAD_DATA);
293 goto err;
294 }
295 if (!s && !(s = ASN1_STRING_new())) goto err;
296 if (!(ASN1_STRING_set(s, b, i))) goto err;
297 OPENSSL_free(b);
298 return s;
299err:
300 if (b) OPENSSL_free(b);
301 return NULL;
302 }
303
304/* Nonce handling functions */
305
306/* Add a nonce to an extension stack. A nonce can be specificed or if NULL
307 * a random nonce will be generated.
308 */
309
310static int ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts, unsigned char *val, int len)
311 {
312 unsigned char *tmpval;
313 ASN1_OCTET_STRING os;
314 int ret = 0;
315 if (len <= 0) len = OCSP_DEFAULT_NONCE_LENGTH;
316 if (val) tmpval = val;
317 else
318 {
319 if (!(tmpval = OPENSSL_malloc(len))) goto err;
320 RAND_pseudo_bytes(tmpval, len);
321 }
322 os.data = tmpval;
323 os.length = len;
324 if(!X509V3_add1_i2d(exts, NID_id_pkix_OCSP_Nonce,
325 &os, 0, X509V3_ADD_REPLACE))
326 goto err;
327 ret = 1;
328 err:
329 if(!val) OPENSSL_free(tmpval);
330 return ret;
331 }
332
333
334/* Add nonce to an OCSP request */
335
336int OCSP_request_add1_nonce(OCSP_REQUEST *req, unsigned char *val, int len)
337 {
338 return ocsp_add1_nonce(&req->tbsRequest->requestExtensions, val, len);
339 }
340
341/* Same as above but for a response */
342
343int OCSP_basic_add1_nonce(OCSP_BASICRESP *resp, unsigned char *val, int len)
344 {
345 return ocsp_add1_nonce(&resp->tbsResponseData->responseExtensions, val, len);
346 }
347
348/* Check nonce validity in a request and response.
349 * Return value reflects result:
350 * 1: nonces present and equal.
351 * 2: nonces both absent.
352 * 3: nonce present in response only.
353 * 0: nonces both present and not equal.
354 * -1: nonce in request only.
355 *
356 * For most responders clients can check return > 0.
357 * If responder doesn't handle nonces return != 0 may be
358 * necessary. return == 0 is always an error.
359 */
360
361int OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *bs)
362 {
363 /*
364 * Since we are only interested in the presence or absence of
365 * the nonce and comparing its value there is no need to use
366 * the X509V3 routines: this way we can avoid them allocating an
367 * ASN1_OCTET_STRING structure for the value which would be
368 * freed immediately anyway.
369 */
370
371 int req_idx, resp_idx;
372 X509_EXTENSION *req_ext, *resp_ext;
373 req_idx = OCSP_REQUEST_get_ext_by_NID(req, NID_id_pkix_OCSP_Nonce, -1);
374 resp_idx = OCSP_BASICRESP_get_ext_by_NID(bs, NID_id_pkix_OCSP_Nonce, -1);
375 /* Check both absent */
376 if((req_idx < 0) && (resp_idx < 0))
377 return 2;
378 /* Check in request only */
379 if((req_idx >= 0) && (resp_idx < 0))
380 return -1;
381 /* Check in response but not request */
382 if((req_idx < 0) && (resp_idx >= 0))
383 return 3;
384 /* Otherwise nonce in request and response so retrieve the extensions */
385 req_ext = OCSP_REQUEST_get_ext(req, req_idx);
386 resp_ext = OCSP_BASICRESP_get_ext(bs, resp_idx);
387 if(ASN1_OCTET_STRING_cmp(req_ext->value, resp_ext->value))
388 return 0;
389 return 1;
390 }
391
392/* Copy the nonce value (if any) from an OCSP request to
393 * a response.
394 */
395
396int OCSP_copy_nonce(OCSP_BASICRESP *resp, OCSP_REQUEST *req)
397 {
398 X509_EXTENSION *req_ext;
399 int req_idx;
400 /* Check for nonce in request */
401 req_idx = OCSP_REQUEST_get_ext_by_NID(req, NID_id_pkix_OCSP_Nonce, -1);
402 /* If no nonce that's OK */
403 if (req_idx < 0) return 2;
404 req_ext = OCSP_REQUEST_get_ext(req, req_idx);
405 return OCSP_BASICRESP_add_ext(resp, req_ext, -1);
406 }
407
408X509_EXTENSION *OCSP_crlID_new(char *url, long *n, char *tim)
409 {
410 X509_EXTENSION *x = NULL;
411 OCSP_CRLID *cid = NULL;
412
413 if (!(cid = OCSP_CRLID_new())) goto err;
414 if (url)
415 {
416 if (!(cid->crlUrl = ASN1_IA5STRING_new())) goto err;
417 if (!(ASN1_STRING_set(cid->crlUrl, url, -1))) goto err;
418 }
419 if (n)
420 {
421 if (!(cid->crlNum = ASN1_INTEGER_new())) goto err;
422 if (!(ASN1_INTEGER_set(cid->crlNum, *n))) goto err;
423 }
424 if (tim)
425 {
426 if (!(cid->crlTime = ASN1_GENERALIZEDTIME_new())) goto err;
427 if (!(ASN1_GENERALIZEDTIME_set_string(cid->crlTime, tim)))
428 goto err;
429 }
430 if (!(x = X509_EXTENSION_new())) goto err;
431 if (!(x->object = OBJ_nid2obj(NID_id_pkix_OCSP_CrlID))) goto err;
432 if (!(ASN1_STRING_encode(x->value,i2d_OCSP_CRLID,(char*)cid,NULL)))
433 goto err;
434 OCSP_CRLID_free(cid);
435 return x;
436err:
437 if (x) X509_EXTENSION_free(x);
438 if (cid) OCSP_CRLID_free(cid);
439 return NULL;
440 }
441
442/* AcceptableResponses ::= SEQUENCE OF OBJECT IDENTIFIER */
443X509_EXTENSION *OCSP_accept_responses_new(char **oids)
444 {
445 int nid;
446 STACK_OF(ASN1_OBJECT) *sk = NULL;
447 ASN1_OBJECT *o = NULL;
448 X509_EXTENSION *x = NULL;
449
450 if (!(sk = sk_ASN1_OBJECT_new_null())) goto err;
451 while (oids && *oids)
452 {
453 if ((nid=OBJ_txt2nid(*oids))!=NID_undef&&(o=OBJ_nid2obj(nid)))
454 sk_ASN1_OBJECT_push(sk, o);
455 oids++;
456 }
457 if (!(x = X509_EXTENSION_new())) goto err;
458 if (!(x->object = OBJ_nid2obj(NID_id_pkix_OCSP_acceptableResponses)))
459 goto err;
460 if (!(ASN1_STRING_encode(x->value,i2d_ASN1_OBJECT,NULL,sk)))
461 goto err;
462 sk_ASN1_OBJECT_pop_free(sk, ASN1_OBJECT_free);
463 return x;
464err:
465 if (x) X509_EXTENSION_free(x);
466 if (sk) sk_ASN1_OBJECT_pop_free(sk, ASN1_OBJECT_free);
467 return NULL;
468 }
469
470/* ArchiveCutoff ::= GeneralizedTime */
471X509_EXTENSION *OCSP_archive_cutoff_new(char* tim)
472 {
473 X509_EXTENSION *x=NULL;
474 ASN1_GENERALIZEDTIME *gt = NULL;
475
476 if (!(gt = ASN1_GENERALIZEDTIME_new())) goto err;
477 if (!(ASN1_GENERALIZEDTIME_set_string(gt, tim))) goto err;
478 if (!(x = X509_EXTENSION_new())) goto err;
479 if (!(x->object=OBJ_nid2obj(NID_id_pkix_OCSP_archiveCutoff)))goto err;
480 if (!(ASN1_STRING_encode(x->value,i2d_ASN1_GENERALIZEDTIME,
481 (char*)gt,NULL))) goto err;
482 ASN1_GENERALIZEDTIME_free(gt);
483 return x;
484err:
485 if (gt) ASN1_GENERALIZEDTIME_free(gt);
486 if (x) X509_EXTENSION_free(x);
487 return NULL;
488 }
489
490/* per ACCESS_DESCRIPTION parameter are oids, of which there are currently
491 * two--NID_ad_ocsp, NID_id_ad_caIssuers--and GeneralName value. This
492 * method forces NID_ad_ocsp and uniformResourceLocator [6] IA5String.
493 */
494X509_EXTENSION *OCSP_url_svcloc_new(X509_NAME* issuer, char **urls)
495 {
496 X509_EXTENSION *x = NULL;
497 ASN1_IA5STRING *ia5 = NULL;
498 OCSP_SERVICELOC *sloc = NULL;
499 ACCESS_DESCRIPTION *ad = NULL;
500
501 if (!(sloc = OCSP_SERVICELOC_new())) goto err;
502 if (!(sloc->issuer = X509_NAME_dup(issuer))) goto err;
503 if (urls && *urls && !(sloc->locator = sk_ACCESS_DESCRIPTION_new_null())) goto err;
504 while (urls && *urls)
505 {
506 if (!(ad = ACCESS_DESCRIPTION_new())) goto err;
507 if (!(ad->method=OBJ_nid2obj(NID_ad_OCSP))) goto err;
508 if (!(ad->location = GENERAL_NAME_new())) goto err;
509 if (!(ia5 = ASN1_IA5STRING_new())) goto err;
510 if (!ASN1_STRING_set((ASN1_STRING*)ia5, *urls, -1)) goto err;
511 ad->location->type = GEN_URI;
512 ad->location->d.ia5 = ia5;
513 if (!sk_ACCESS_DESCRIPTION_push(sloc->locator, ad)) goto err;
514 urls++;
515 }
516 if (!(x = X509_EXTENSION_new())) goto err;
517 if (!(x->object = OBJ_nid2obj(NID_id_pkix_OCSP_serviceLocator)))
518 goto err;
519 if (!(ASN1_STRING_encode(x->value, i2d_OCSP_SERVICELOC,
520 (char*)sloc, NULL))) goto err;
521 OCSP_SERVICELOC_free(sloc);
522 return x;
523err:
524 if (x) X509_EXTENSION_free(x);
525 if (sloc) OCSP_SERVICELOC_free(sloc);
526 return NULL;
527 }
528
diff --git a/src/lib/libcrypto/ocsp/ocsp_ht.c b/src/lib/libcrypto/ocsp/ocsp_ht.c
deleted file mode 100644
index 9213e58ae4..0000000000
--- a/src/lib/libcrypto/ocsp/ocsp_ht.c
+++ /dev/null
@@ -1,173 +0,0 @@
1/* ocsp_ht.c */
2/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
3 * project 2000.
4 */
5/* ====================================================================
6 * Copyright (c) 2000 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <openssl/asn1.h>
60#include <stdio.h>
61#include <stdlib.h>
62#include <ctype.h>
63#include <string.h>
64#include <openssl/ocsp.h>
65#include <openssl/err.h>
66#include <openssl/buffer.h>
67#ifdef OPENSSL_SYS_SUNOS
68#define strtoul (unsigned long)strtol
69#endif /* OPENSSL_SYS_SUNOS */
70
71/* Quick and dirty HTTP OCSP request handler.
72 * Could make this a bit cleverer by adding
73 * support for non blocking BIOs and a few
74 * other refinements.
75 */
76
77OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, char *path, OCSP_REQUEST *req)
78{
79 BIO *mem = NULL;
80 char tmpbuf[1024];
81 OCSP_RESPONSE *resp = NULL;
82 char *p, *q, *r;
83 int len, retcode;
84 static char req_txt[] =
85"POST %s HTTP/1.0\r\n\
86Content-Type: application/ocsp-request\r\n\
87Content-Length: %d\r\n\r\n";
88
89 len = i2d_OCSP_REQUEST(req, NULL);
90 if(BIO_printf(b, req_txt, path, len) < 0) {
91 OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_SERVER_WRITE_ERROR);
92 goto err;
93 }
94 if(i2d_OCSP_REQUEST_bio(b, req) <= 0) {
95 OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_SERVER_WRITE_ERROR);
96 goto err;
97 }
98 if(!(mem = BIO_new(BIO_s_mem()))) goto err;
99 /* Copy response to a memory BIO: socket bios can't do gets! */
100 while ((len = BIO_read(b, tmpbuf, sizeof tmpbuf))) {
101 if(len < 0) {
102 OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_SERVER_READ_ERROR);
103 goto err;
104 }
105 BIO_write(mem, tmpbuf, len);
106 }
107 if(BIO_gets(mem, tmpbuf, 512) <= 0) {
108 OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
109 goto err;
110 }
111 /* Parse the HTTP response. This will look like this:
112 * "HTTP/1.0 200 OK". We need to obtain the numeric code and
113 * (optional) informational message.
114 */
115
116 /* Skip to first white space (passed protocol info) */
117 for(p = tmpbuf; *p && !isspace((unsigned char)*p); p++) continue;
118 if(!*p) {
119 OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
120 goto err;
121 }
122 /* Skip past white space to start of response code */
123 while(*p && isspace((unsigned char)*p)) p++;
124 if(!*p) {
125 OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
126 goto err;
127 }
128 /* Find end of response code: first whitespace after start of code */
129 for(q = p; *q && !isspace((unsigned char)*q); q++) continue;
130 if(!*q) {
131 OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
132 goto err;
133 }
134 /* Set end of response code and start of message */
135 *q++ = 0;
136 /* Attempt to parse numeric code */
137 retcode = strtoul(p, &r, 10);
138 if(*r) goto err;
139 /* Skip over any leading white space in message */
140 while(*q && isspace((unsigned char)*q)) q++;
141 if(*q) {
142 /* Finally zap any trailing white space in message (include CRLF) */
143 /* We know q has a non white space character so this is OK */
144 for(r = q + strlen(q) - 1; isspace((unsigned char)*r); r--) *r = 0;
145 }
146 if(retcode != 200) {
147 OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_SERVER_RESPONSE_ERROR);
148 if(!*q) {
149 ERR_add_error_data(2, "Code=", p);
150 }
151 else {
152 ERR_add_error_data(4, "Code=", p, ",Reason=", q);
153 }
154 goto err;
155 }
156 /* Find blank line marking beginning of content */
157 while(BIO_gets(mem, tmpbuf, 512) > 0)
158 {
159 for(p = tmpbuf; *p && isspace((unsigned char)*p); p++) continue;
160 if(!*p) break;
161 }
162 if(*p) {
163 OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,OCSP_R_NO_CONTENT);
164 goto err;
165 }
166 if(!(resp = d2i_OCSP_RESPONSE_bio(mem, NULL))) {
167 OCSPerr(OCSP_F_OCSP_SENDREQ_BIO,ERR_R_NESTED_ASN1_ERROR);
168 goto err;
169 }
170 err:
171 BIO_free(mem);
172 return resp;
173}
diff --git a/src/lib/libcrypto/ocsp/ocsp_lib.c b/src/lib/libcrypto/ocsp/ocsp_lib.c
deleted file mode 100644
index 3875af165c..0000000000
--- a/src/lib/libcrypto/ocsp/ocsp_lib.c
+++ /dev/null
@@ -1,261 +0,0 @@
1/* ocsp_lib.c */
2/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
3 * project. */
4
5/* History:
6 This file was transfered to Richard Levitte from CertCo by Kathy
7 Weinhold in mid-spring 2000 to be included in OpenSSL or released
8 as a patch kit. */
9
10/* ====================================================================
11 * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
12 *
13 * Redistribution and use in source and binary forms, with or without
14 * modification, are permitted provided that the following conditions
15 * are met:
16 *
17 * 1. Redistributions of source code must retain the above copyright
18 * notice, this list of conditions and the following disclaimer.
19 *
20 * 2. Redistributions in binary form must reproduce the above copyright
21 * notice, this list of conditions and the following disclaimer in
22 * the documentation and/or other materials provided with the
23 * distribution.
24 *
25 * 3. All advertising materials mentioning features or use of this
26 * software must display the following acknowledgment:
27 * "This product includes software developed by the OpenSSL Project
28 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
29 *
30 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
31 * endorse or promote products derived from this software without
32 * prior written permission. For written permission, please contact
33 * openssl-core@openssl.org.
34 *
35 * 5. Products derived from this software may not be called "OpenSSL"
36 * nor may "OpenSSL" appear in their names without prior written
37 * permission of the OpenSSL Project.
38 *
39 * 6. Redistributions of any form whatsoever must retain the following
40 * acknowledgment:
41 * "This product includes software developed by the OpenSSL Project
42 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
43 *
44 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
45 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
46 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
47 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
48 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
49 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
50 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
51 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
52 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
53 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
54 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
55 * OF THE POSSIBILITY OF SUCH DAMAGE.
56 * ====================================================================
57 *
58 * This product includes cryptographic software written by Eric Young
59 * (eay@cryptsoft.com). This product includes software written by Tim
60 * Hudson (tjh@cryptsoft.com).
61 *
62 */
63
64#include <stdio.h>
65#include <cryptlib.h>
66#include <openssl/objects.h>
67#include <openssl/rand.h>
68#include <openssl/x509.h>
69#include <openssl/pem.h>
70#include <openssl/x509v3.h>
71#include <openssl/ocsp.h>
72
73/* Convert a certificate and its issuer to an OCSP_CERTID */
74
75OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *dgst, X509 *subject, X509 *issuer)
76{
77 X509_NAME *iname;
78 ASN1_INTEGER *serial;
79 ASN1_BIT_STRING *ikey;
80#ifndef OPENSSL_NO_SHA1
81 if(!dgst) dgst = EVP_sha1();
82#endif
83 if (subject)
84 {
85 iname = X509_get_issuer_name(subject);
86 serial = X509_get_serialNumber(subject);
87 }
88 else
89 {
90 iname = X509_get_subject_name(issuer);
91 serial = NULL;
92 }
93 ikey = X509_get0_pubkey_bitstr(issuer);
94 return OCSP_cert_id_new(dgst, iname, ikey, serial);
95}
96
97
98OCSP_CERTID *OCSP_cert_id_new(const EVP_MD *dgst,
99 X509_NAME *issuerName,
100 ASN1_BIT_STRING* issuerKey,
101 ASN1_INTEGER *serialNumber)
102 {
103 int nid;
104 unsigned int i;
105 X509_ALGOR *alg;
106 OCSP_CERTID *cid = NULL;
107 unsigned char md[EVP_MAX_MD_SIZE];
108
109 if (!(cid = OCSP_CERTID_new())) goto err;
110
111 alg = cid->hashAlgorithm;
112 if (alg->algorithm != NULL) ASN1_OBJECT_free(alg->algorithm);
113 if ((nid = EVP_MD_type(dgst)) == NID_undef)
114 {
115 OCSPerr(OCSP_F_CERT_ID_NEW,OCSP_R_UNKNOWN_NID);
116 goto err;
117 }
118 if (!(alg->algorithm=OBJ_nid2obj(nid))) goto err;
119 if ((alg->parameter=ASN1_TYPE_new()) == NULL) goto err;
120 alg->parameter->type=V_ASN1_NULL;
121
122 if (!X509_NAME_digest(issuerName, dgst, md, &i)) goto digerr;
123 if (!(ASN1_OCTET_STRING_set(cid->issuerNameHash, md, i))) goto err;
124
125 /* Calculate the issuerKey hash, excluding tag and length */
126 EVP_Digest(issuerKey->data, issuerKey->length, md, &i, dgst, NULL);
127
128 if (!(ASN1_OCTET_STRING_set(cid->issuerKeyHash, md, i))) goto err;
129
130 if (serialNumber)
131 {
132 ASN1_INTEGER_free(cid->serialNumber);
133 if (!(cid->serialNumber = ASN1_INTEGER_dup(serialNumber))) goto err;
134 }
135 return cid;
136digerr:
137 OCSPerr(OCSP_F_CERT_ID_NEW,OCSP_R_DIGEST_ERR);
138err:
139 if (cid) OCSP_CERTID_free(cid);
140 return NULL;
141 }
142
143int OCSP_id_issuer_cmp(OCSP_CERTID *a, OCSP_CERTID *b)
144 {
145 int ret;
146 ret = OBJ_cmp(a->hashAlgorithm->algorithm, b->hashAlgorithm->algorithm);
147 if (ret) return ret;
148 ret = ASN1_OCTET_STRING_cmp(a->issuerNameHash, b->issuerNameHash);
149 if (ret) return ret;
150 return ASN1_OCTET_STRING_cmp(a->issuerKeyHash, b->issuerKeyHash);
151 }
152
153int OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b)
154 {
155 int ret;
156 ret = OCSP_id_issuer_cmp(a, b);
157 if (ret) return ret;
158 return ASN1_INTEGER_cmp(a->serialNumber, b->serialNumber);
159 }
160
161
162/* Parse a URL and split it up into host, port and path components and whether
163 * it is SSL.
164 */
165
166int OCSP_parse_url(char *url, char **phost, char **pport, char **ppath, int *pssl)
167 {
168 char *p, *buf;
169
170 char *host, *port;
171
172 /* dup the buffer since we are going to mess with it */
173 buf = BUF_strdup(url);
174 if (!buf) goto mem_err;
175
176 *phost = NULL;
177 *pport = NULL;
178 *ppath = NULL;
179
180 /* Check for initial colon */
181 p = strchr(buf, ':');
182
183 if (!p) goto parse_err;
184
185 *(p++) = '\0';
186
187 if (!strcmp(buf, "http"))
188 {
189 *pssl = 0;
190 port = "80";
191 }
192 else if (!strcmp(buf, "https"))
193 {
194 *pssl = 1;
195 port = "443";
196 }
197 else
198 goto parse_err;
199
200 /* Check for double slash */
201 if ((p[0] != '/') || (p[1] != '/'))
202 goto parse_err;
203
204 p += 2;
205
206 host = p;
207
208 /* Check for trailing part of path */
209
210 p = strchr(p, '/');
211
212 if (!p)
213 *ppath = BUF_strdup("/");
214 else
215 {
216 *ppath = BUF_strdup(p);
217 /* Set start of path to 0 so hostname is valid */
218 *p = '\0';
219 }
220
221 if (!*ppath) goto mem_err;
222
223 /* Look for optional ':' for port number */
224 if ((p = strchr(host, ':')))
225 {
226 *p = 0;
227 port = p + 1;
228 }
229 else
230 {
231 /* Not found: set default port */
232 if (*pssl) port = "443";
233 else port = "80";
234 }
235
236 *pport = BUF_strdup(port);
237 if (!*pport) goto mem_err;
238
239 *phost = BUF_strdup(host);
240
241 if (!*phost) goto mem_err;
242
243 OPENSSL_free(buf);
244
245 return 1;
246
247 mem_err:
248 OCSPerr(OCSP_F_OCSP_PARSE_URL, ERR_R_MALLOC_FAILURE);
249 goto err;
250
251 parse_err:
252 OCSPerr(OCSP_F_OCSP_PARSE_URL, OCSP_R_ERROR_PARSING_URL);
253
254
255 err:
256 if (*ppath) OPENSSL_free(*ppath);
257 if (*pport) OPENSSL_free(*pport);
258 if (*phost) OPENSSL_free(*phost);
259 return 0;
260
261 }
diff --git a/src/lib/libcrypto/ocsp/ocsp_prn.c b/src/lib/libcrypto/ocsp/ocsp_prn.c
deleted file mode 100644
index 4b7bc28769..0000000000
--- a/src/lib/libcrypto/ocsp/ocsp_prn.c
+++ /dev/null
@@ -1,291 +0,0 @@
1/* ocsp_prn.c */
2/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
3 * project. */
4
5/* History:
6 This file was originally part of ocsp.c and was transfered to Richard
7 Levitte from CertCo by Kathy Weinhold in mid-spring 2000 to be included
8 in OpenSSL or released as a patch kit. */
9
10/* ====================================================================
11 * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
12 *
13 * Redistribution and use in source and binary forms, with or without
14 * modification, are permitted provided that the following conditions
15 * are met:
16 *
17 * 1. Redistributions of source code must retain the above copyright
18 * notice, this list of conditions and the following disclaimer.
19 *
20 * 2. Redistributions in binary form must reproduce the above copyright
21 * notice, this list of conditions and the following disclaimer in
22 * the documentation and/or other materials provided with the
23 * distribution.
24 *
25 * 3. All advertising materials mentioning features or use of this
26 * software must display the following acknowledgment:
27 * "This product includes software developed by the OpenSSL Project
28 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
29 *
30 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
31 * endorse or promote products derived from this software without
32 * prior written permission. For written permission, please contact
33 * openssl-core@openssl.org.
34 *
35 * 5. Products derived from this software may not be called "OpenSSL"
36 * nor may "OpenSSL" appear in their names without prior written
37 * permission of the OpenSSL Project.
38 *
39 * 6. Redistributions of any form whatsoever must retain the following
40 * acknowledgment:
41 * "This product includes software developed by the OpenSSL Project
42 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
43 *
44 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
45 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
46 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
47 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
48 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
49 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
50 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
51 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
52 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
53 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
54 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
55 * OF THE POSSIBILITY OF SUCH DAMAGE.
56 * ====================================================================
57 *
58 * This product includes cryptographic software written by Eric Young
59 * (eay@cryptsoft.com). This product includes software written by Tim
60 * Hudson (tjh@cryptsoft.com).
61 *
62 */
63
64#include <openssl/bio.h>
65#include <openssl/err.h>
66#include <openssl/ocsp.h>
67#include <openssl/pem.h>
68
69static int ocsp_certid_print(BIO *bp, OCSP_CERTID* a, int indent)
70 {
71 BIO_printf(bp, "%*sCertificate ID:\n", indent, "");
72 indent += 2;
73 BIO_printf(bp, "%*sHash Algorithm: ", indent, "");
74 i2a_ASN1_OBJECT(bp, a->hashAlgorithm->algorithm);
75 BIO_printf(bp, "\n%*sIssuer Name Hash: ", indent, "");
76 i2a_ASN1_STRING(bp, a->issuerNameHash, V_ASN1_OCTET_STRING);
77 BIO_printf(bp, "\n%*sIssuer Key Hash: ", indent, "");
78 i2a_ASN1_STRING(bp, a->issuerKeyHash, V_ASN1_OCTET_STRING);
79 BIO_printf(bp, "\n%*sSerial Number: ", indent, "");
80 i2a_ASN1_INTEGER(bp, a->serialNumber);
81 BIO_printf(bp, "\n");
82 return 1;
83 }
84
85typedef struct
86 {
87 long t;
88 char *m;
89 } OCSP_TBLSTR;
90
91static char *table2string(long s, OCSP_TBLSTR *ts, int len)
92{
93 OCSP_TBLSTR *p;
94 for (p=ts; p < ts + len; p++)
95 if (p->t == s)
96 return p->m;
97 return "(UNKNOWN)";
98}
99
100char *OCSP_response_status_str(long s)
101 {
102 static OCSP_TBLSTR rstat_tbl[] = {
103 { OCSP_RESPONSE_STATUS_SUCCESSFUL, "successful" },
104 { OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, "malformedrequest" },
105 { OCSP_RESPONSE_STATUS_INTERNALERROR, "internalerror" },
106 { OCSP_RESPONSE_STATUS_TRYLATER, "trylater" },
107 { OCSP_RESPONSE_STATUS_SIGREQUIRED, "sigrequired" },
108 { OCSP_RESPONSE_STATUS_UNAUTHORIZED, "unauthorized" } };
109 return table2string(s, rstat_tbl, 6);
110 }
111
112char *OCSP_cert_status_str(long s)
113 {
114 static OCSP_TBLSTR cstat_tbl[] = {
115 { V_OCSP_CERTSTATUS_GOOD, "good" },
116 { V_OCSP_CERTSTATUS_REVOKED, "revoked" },
117 { V_OCSP_CERTSTATUS_UNKNOWN, "unknown" } };
118 return table2string(s, cstat_tbl, 3);
119 }
120
121char *OCSP_crl_reason_str(long s)
122 {
123 OCSP_TBLSTR reason_tbl[] = {
124 { OCSP_REVOKED_STATUS_UNSPECIFIED, "unspecified" },
125 { OCSP_REVOKED_STATUS_KEYCOMPROMISE, "keyCompromise" },
126 { OCSP_REVOKED_STATUS_CACOMPROMISE, "cACompromise" },
127 { OCSP_REVOKED_STATUS_AFFILIATIONCHANGED, "affiliationChanged" },
128 { OCSP_REVOKED_STATUS_SUPERSEDED, "superseded" },
129 { OCSP_REVOKED_STATUS_CESSATIONOFOPERATION, "cessationOfOperation" },
130 { OCSP_REVOKED_STATUS_CERTIFICATEHOLD, "certificateHold" },
131 { OCSP_REVOKED_STATUS_REMOVEFROMCRL, "removeFromCRL" } };
132 return table2string(s, reason_tbl, 8);
133 }
134
135int OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST* o, unsigned long flags)
136 {
137 int i;
138 long l;
139 OCSP_CERTID* cid = NULL;
140 OCSP_ONEREQ *one = NULL;
141 OCSP_REQINFO *inf = o->tbsRequest;
142 OCSP_SIGNATURE *sig = o->optionalSignature;
143
144 if (BIO_write(bp,"OCSP Request Data:\n",19) <= 0) goto err;
145 l=ASN1_INTEGER_get(inf->version);
146 if (BIO_printf(bp," Version: %lu (0x%lx)",l+1,l) <= 0) goto err;
147 if (inf->requestorName != NULL)
148 {
149 if (BIO_write(bp,"\n Requestor Name: ",21) <= 0)
150 goto err;
151 GENERAL_NAME_print(bp, inf->requestorName);
152 }
153 if (BIO_write(bp,"\n Requestor List:\n",21) <= 0) goto err;
154 for (i = 0; i < sk_OCSP_ONEREQ_num(inf->requestList); i++)
155 {
156 one = sk_OCSP_ONEREQ_value(inf->requestList, i);
157 cid = one->reqCert;
158 ocsp_certid_print(bp, cid, 8);
159 if (!X509V3_extensions_print(bp,
160 "Request Single Extensions",
161 one->singleRequestExtensions, flags, 8))
162 goto err;
163 }
164 if (!X509V3_extensions_print(bp, "Request Extensions",
165 inf->requestExtensions, flags, 4))
166 goto err;
167 if (sig)
168 {
169 X509_signature_print(bp, sig->signatureAlgorithm, sig->signature);
170 for (i=0; i<sk_X509_num(sig->certs); i++)
171 {
172 X509_print(bp, sk_X509_value(sig->certs,i));
173 PEM_write_bio_X509(bp,sk_X509_value(sig->certs,i));
174 }
175 }
176 return 1;
177err:
178 return 0;
179 }
180
181int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE* o, unsigned long flags)
182 {
183 int i, ret = 0;
184 long l;
185 unsigned char *p;
186 OCSP_CERTID *cid = NULL;
187 OCSP_BASICRESP *br = NULL;
188 OCSP_RESPID *rid = NULL;
189 OCSP_RESPDATA *rd = NULL;
190 OCSP_CERTSTATUS *cst = NULL;
191 OCSP_REVOKEDINFO *rev = NULL;
192 OCSP_SINGLERESP *single = NULL;
193 OCSP_RESPBYTES *rb = o->responseBytes;
194
195 if (BIO_puts(bp,"OCSP Response Data:\n") <= 0) goto err;
196 l=ASN1_ENUMERATED_get(o->responseStatus);
197 if (BIO_printf(bp," OCSP Response Status: %s (0x%x)\n",
198 OCSP_response_status_str(l), l) <= 0) goto err;
199 if (rb == NULL) return 1;
200 if (BIO_puts(bp," Response Type: ") <= 0)
201 goto err;
202 if(i2a_ASN1_OBJECT(bp, rb->responseType) <= 0)
203 goto err;
204 if (OBJ_obj2nid(rb->responseType) != NID_id_pkix_OCSP_basic)
205 {
206 BIO_puts(bp," (unknown response type)\n");
207 return 1;
208 }
209
210 p = ASN1_STRING_data(rb->response);
211 i = ASN1_STRING_length(rb->response);
212 if (!(br = OCSP_response_get1_basic(o))) goto err;
213 rd = br->tbsResponseData;
214 l=ASN1_INTEGER_get(rd->version);
215 if (BIO_printf(bp,"\n Version: %lu (0x%lx)\n",
216 l+1,l) <= 0) goto err;
217 if (BIO_puts(bp," Responder Id: ") <= 0) goto err;
218
219 rid = rd->responderId;
220 switch (rid->type)
221 {
222 case V_OCSP_RESPID_NAME:
223 X509_NAME_print_ex(bp, rid->value.byName, 0, XN_FLAG_ONELINE);
224 break;
225 case V_OCSP_RESPID_KEY:
226 i2a_ASN1_STRING(bp, rid->value.byKey, V_ASN1_OCTET_STRING);
227 break;
228 }
229
230 if (BIO_printf(bp,"\n Produced At: ")<=0) goto err;
231 if (!ASN1_GENERALIZEDTIME_print(bp, rd->producedAt)) goto err;
232 if (BIO_printf(bp,"\n Responses:\n") <= 0) goto err;
233 for (i = 0; i < sk_OCSP_SINGLERESP_num(rd->responses); i++)
234 {
235 if (! sk_OCSP_SINGLERESP_value(rd->responses, i)) continue;
236 single = sk_OCSP_SINGLERESP_value(rd->responses, i);
237 cid = single->certId;
238 if(ocsp_certid_print(bp, cid, 4) <= 0) goto err;
239 cst = single->certStatus;
240 if (BIO_printf(bp," Cert Status: %s",
241 OCSP_cert_status_str(cst->type)) <= 0)
242 goto err;
243 if (cst->type == V_OCSP_CERTSTATUS_REVOKED)
244 {
245 rev = cst->value.revoked;
246 if (BIO_printf(bp, "\n Revocation Time: ") <= 0)
247 goto err;
248 if (!ASN1_GENERALIZEDTIME_print(bp,
249 rev->revocationTime))
250 goto err;
251 if (rev->revocationReason)
252 {
253 l=ASN1_ENUMERATED_get(rev->revocationReason);
254 if (BIO_printf(bp,
255 "\n Revocation Reason: %s (0x%x)",
256 OCSP_crl_reason_str(l), l) <= 0)
257 goto err;
258 }
259 }
260 if (BIO_printf(bp,"\n This Update: ") <= 0) goto err;
261 if (!ASN1_GENERALIZEDTIME_print(bp, single->thisUpdate))
262 goto err;
263 if (single->nextUpdate)
264 {
265 if (BIO_printf(bp,"\n Next Update: ") <= 0)goto err;
266 if (!ASN1_GENERALIZEDTIME_print(bp,single->nextUpdate))
267 goto err;
268 }
269 if (!BIO_write(bp,"\n",1)) goto err;
270 if (!X509V3_extensions_print(bp,
271 "Response Single Extensions",
272 single->singleExtensions, flags, 8))
273 goto err;
274 if (!BIO_write(bp,"\n",1)) goto err;
275 }
276 if (!X509V3_extensions_print(bp, "Response Extensions",
277 rd->responseExtensions, flags, 4))
278 if(X509_signature_print(bp, br->signatureAlgorithm, br->signature) <= 0)
279 goto err;
280
281 for (i=0; i<sk_X509_num(br->certs); i++)
282 {
283 X509_print(bp, sk_X509_value(br->certs,i));
284 PEM_write_bio_X509(bp,sk_X509_value(br->certs,i));
285 }
286
287 ret = 1;
288err:
289 OCSP_BASICRESP_free(br);
290 return ret;
291 }
diff --git a/src/lib/libcrypto/ocsp/ocsp_srv.c b/src/lib/libcrypto/ocsp/ocsp_srv.c
deleted file mode 100644
index fffa134e75..0000000000
--- a/src/lib/libcrypto/ocsp/ocsp_srv.c
+++ /dev/null
@@ -1,264 +0,0 @@
1/* ocsp_srv.c */
2/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
3 * project 2001.
4 */
5/* ====================================================================
6 * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * openssl-core@openssl.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include <cryptlib.h>
61#include <openssl/objects.h>
62#include <openssl/rand.h>
63#include <openssl/x509.h>
64#include <openssl/pem.h>
65#include <openssl/x509v3.h>
66#include <openssl/ocsp.h>
67
68/* Utility functions related to sending OCSP responses and extracting
69 * relevant information from the request.
70 */
71
72int OCSP_request_onereq_count(OCSP_REQUEST *req)
73 {
74 return sk_OCSP_ONEREQ_num(req->tbsRequest->requestList);
75 }
76
77OCSP_ONEREQ *OCSP_request_onereq_get0(OCSP_REQUEST *req, int i)
78 {
79 return sk_OCSP_ONEREQ_value(req->tbsRequest->requestList, i);
80 }
81
82OCSP_CERTID *OCSP_onereq_get0_id(OCSP_ONEREQ *one)
83 {
84 return one->reqCert;
85 }
86
87int OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd,
88 ASN1_OCTET_STRING **pikeyHash,
89 ASN1_INTEGER **pserial, OCSP_CERTID *cid)
90 {
91 if (!cid) return 0;
92 if (pmd) *pmd = cid->hashAlgorithm->algorithm;
93 if(piNameHash) *piNameHash = cid->issuerNameHash;
94 if (pikeyHash) *pikeyHash = cid->issuerKeyHash;
95 if (pserial) *pserial = cid->serialNumber;
96 return 1;
97 }
98
99int OCSP_request_is_signed(OCSP_REQUEST *req)
100 {
101 if(req->optionalSignature) return 1;
102 return 0;
103 }
104
105/* Create an OCSP response and encode an optional basic response */
106OCSP_RESPONSE *OCSP_response_create(int status, OCSP_BASICRESP *bs)
107 {
108 OCSP_RESPONSE *rsp = NULL;
109
110 if (!(rsp = OCSP_RESPONSE_new())) goto err;
111 if (!(ASN1_ENUMERATED_set(rsp->responseStatus, status))) goto err;
112 if (!bs) return rsp;
113 if (!(rsp->responseBytes = OCSP_RESPBYTES_new())) goto err;
114 rsp->responseBytes->responseType = OBJ_nid2obj(NID_id_pkix_OCSP_basic);
115 if (!ASN1_item_pack(bs, ASN1_ITEM_rptr(OCSP_BASICRESP), &rsp->responseBytes->response))
116 goto err;
117 return rsp;
118err:
119 if (rsp) OCSP_RESPONSE_free(rsp);
120 return NULL;
121 }
122
123
124OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp,
125 OCSP_CERTID *cid,
126 int status, int reason,
127 ASN1_TIME *revtime,
128 ASN1_TIME *thisupd, ASN1_TIME *nextupd)
129 {
130 OCSP_SINGLERESP *single = NULL;
131 OCSP_CERTSTATUS *cs;
132 OCSP_REVOKEDINFO *ri;
133
134 if(!rsp->tbsResponseData->responses &&
135 !(rsp->tbsResponseData->responses = sk_OCSP_SINGLERESP_new_null()))
136 goto err;
137
138 if (!(single = OCSP_SINGLERESP_new()))
139 goto err;
140
141
142
143 if (!ASN1_TIME_to_generalizedtime(thisupd, &single->thisUpdate))
144 goto err;
145 if (nextupd &&
146 !ASN1_TIME_to_generalizedtime(nextupd, &single->nextUpdate))
147 goto err;
148
149 OCSP_CERTID_free(single->certId);
150
151 if(!(single->certId = OCSP_CERTID_dup(cid)))
152 goto err;
153
154 cs = single->certStatus;
155 switch(cs->type = status)
156 {
157 case V_OCSP_CERTSTATUS_REVOKED:
158 if (!revtime)
159 {
160 OCSPerr(OCSP_F_OCSP_BASIC_ADD1_STATUS,OCSP_R_NO_REVOKED_TIME);
161 goto err;
162 }
163 if (!(cs->value.revoked = ri = OCSP_REVOKEDINFO_new())) goto err;
164 if (!ASN1_TIME_to_generalizedtime(revtime, &ri->revocationTime))
165 goto err;
166 if (reason != OCSP_REVOKED_STATUS_NOSTATUS)
167 {
168 if (!(ri->revocationReason = ASN1_ENUMERATED_new()))
169 goto err;
170 if (!(ASN1_ENUMERATED_set(ri->revocationReason,
171 reason)))
172 goto err;
173 }
174 break;
175
176 case V_OCSP_CERTSTATUS_GOOD:
177 cs->value.good = ASN1_NULL_new();
178 break;
179
180 case V_OCSP_CERTSTATUS_UNKNOWN:
181 cs->value.unknown = ASN1_NULL_new();
182 break;
183
184 default:
185 goto err;
186
187 }
188 if (!(sk_OCSP_SINGLERESP_push(rsp->tbsResponseData->responses, single)))
189 goto err;
190 return single;
191err:
192 OCSP_SINGLERESP_free(single);
193 return NULL;
194 }
195
196/* Add a certificate to an OCSP request */
197
198int OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert)
199 {
200 if (!resp->certs && !(resp->certs = sk_X509_new_null()))
201 return 0;
202
203 if(!sk_X509_push(resp->certs, cert)) return 0;
204 CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
205 return 1;
206 }
207
208int OCSP_basic_sign(OCSP_BASICRESP *brsp,
209 X509 *signer, EVP_PKEY *key, const EVP_MD *dgst,
210 STACK_OF(X509) *certs, unsigned long flags)
211 {
212 int i;
213 OCSP_RESPID *rid;
214
215 if (!X509_check_private_key(signer, key))
216 {
217 OCSPerr(OCSP_F_OCSP_BASIC_SIGN, OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
218 goto err;
219 }
220
221 if(!(flags & OCSP_NOCERTS))
222 {
223 if(!OCSP_basic_add1_cert(brsp, signer))
224 goto err;
225 for (i = 0; i < sk_X509_num(certs); i++)
226 {
227 X509 *tmpcert = sk_X509_value(certs, i);
228 if(!OCSP_basic_add1_cert(brsp, tmpcert))
229 goto err;
230 }
231 }
232
233 rid = brsp->tbsResponseData->responderId;
234 if (flags & OCSP_RESPID_KEY)
235 {
236 unsigned char md[SHA_DIGEST_LENGTH];
237 X509_pubkey_digest(signer, EVP_sha1(), md, NULL);
238 if (!(rid->value.byKey = ASN1_OCTET_STRING_new()))
239 goto err;
240 if (!(ASN1_OCTET_STRING_set(rid->value.byKey, md, SHA_DIGEST_LENGTH)))
241 goto err;
242 rid->type = V_OCSP_RESPID_KEY;
243 }
244 else
245 {
246 if (!X509_NAME_set(&rid->value.byName,
247 X509_get_subject_name(signer)))
248 goto err;
249 rid->type = V_OCSP_RESPID_NAME;
250 }
251
252 if (!(flags & OCSP_NOTIME) &&
253 !X509_gmtime_adj(brsp->tbsResponseData->producedAt, 0))
254 goto err;
255
256 /* Right now, I think that not doing double hashing is the right
257 thing. -- Richard Levitte */
258
259 if (!OCSP_BASICRESP_sign(brsp, key, dgst, 0)) goto err;
260
261 return 1;
262err:
263 return 0;
264 }
diff --git a/src/lib/libcrypto/ocsp/ocsp_vfy.c b/src/lib/libcrypto/ocsp/ocsp_vfy.c
deleted file mode 100644
index 1f5fda7ca3..0000000000
--- a/src/lib/libcrypto/ocsp/ocsp_vfy.c
+++ /dev/null
@@ -1,444 +0,0 @@
1/* ocsp_vfy.c */
2/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
3 * project 2000.
4 */
5/* ====================================================================
6 * Copyright (c) 2000 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <openssl/ocsp.h>
60#include <openssl/err.h>
61#include <string.h>
62
63static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
64 X509_STORE *st, unsigned long flags);
65static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id);
66static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain, unsigned long flags);
67static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, OCSP_CERTID **ret);
68static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid, STACK_OF(OCSP_SINGLERESP) *sresp);
69static int ocsp_check_delegated(X509 *x, int flags);
70static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req, X509_NAME *nm, STACK_OF(X509) *certs,
71 X509_STORE *st, unsigned long flags);
72
73/* Verify a basic response message */
74
75int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
76 X509_STORE *st, unsigned long flags)
77 {
78 X509 *signer, *x;
79 STACK_OF(X509) *chain = NULL;
80 X509_STORE_CTX ctx;
81 int i, ret = 0;
82 ret = ocsp_find_signer(&signer, bs, certs, st, flags);
83 if (!ret)
84 {
85 OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND);
86 goto end;
87 }
88 if ((ret == 2) && (flags & OCSP_TRUSTOTHER))
89 flags |= OCSP_NOVERIFY;
90 if (!(flags & OCSP_NOSIGS))
91 {
92 EVP_PKEY *skey;
93 skey = X509_get_pubkey(signer);
94 ret = OCSP_BASICRESP_verify(bs, skey, 0);
95 EVP_PKEY_free(skey);
96 if(ret <= 0)
97 {
98 OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNATURE_FAILURE);
99 goto end;
100 }
101 }
102 if (!(flags & OCSP_NOVERIFY))
103 {
104 int init_res;
105 if(flags & OCSP_NOCHAIN)
106 init_res = X509_STORE_CTX_init(&ctx, st, signer, NULL);
107 else
108 init_res = X509_STORE_CTX_init(&ctx, st, signer, bs->certs);
109 if(!init_res)
110 {
111 OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,ERR_R_X509_LIB);
112 goto end;
113 }
114
115 X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_OCSP_HELPER);
116 ret = X509_verify_cert(&ctx);
117 chain = X509_STORE_CTX_get1_chain(&ctx);
118 X509_STORE_CTX_cleanup(&ctx);
119 if (ret <= 0)
120 {
121 i = X509_STORE_CTX_get_error(&ctx);
122 OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,OCSP_R_CERTIFICATE_VERIFY_ERROR);
123 ERR_add_error_data(2, "Verify error:",
124 X509_verify_cert_error_string(i));
125 goto end;
126 }
127 if(flags & OCSP_NOCHECKS)
128 {
129 ret = 1;
130 goto end;
131 }
132 /* At this point we have a valid certificate chain
133 * need to verify it against the OCSP issuer criteria.
134 */
135 ret = ocsp_check_issuer(bs, chain, flags);
136
137 /* If fatal error or valid match then finish */
138 if (ret != 0) goto end;
139
140 /* Easy case: explicitly trusted. Get root CA and
141 * check for explicit trust
142 */
143 if(flags & OCSP_NOEXPLICIT) goto end;
144
145 x = sk_X509_value(chain, sk_X509_num(chain) - 1);
146 if(X509_check_trust(x, NID_OCSP_sign, 0) != X509_TRUST_TRUSTED)
147 {
148 OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,OCSP_R_ROOT_CA_NOT_TRUSTED);
149 goto end;
150 }
151 ret = 1;
152 }
153
154
155
156 end:
157 if(chain) sk_X509_pop_free(chain, X509_free);
158 return ret;
159 }
160
161
162static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
163 X509_STORE *st, unsigned long flags)
164 {
165 X509 *signer;
166 OCSP_RESPID *rid = bs->tbsResponseData->responderId;
167 if ((signer = ocsp_find_signer_sk(certs, rid)))
168 {
169 *psigner = signer;
170 return 2;
171 }
172 if(!(flags & OCSP_NOINTERN) &&
173 (signer = ocsp_find_signer_sk(bs->certs, rid)))
174 {
175 *psigner = signer;
176 return 1;
177 }
178 /* Maybe lookup from store if by subject name */
179
180 *psigner = NULL;
181 return 0;
182 }
183
184
185static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id)
186 {
187 int i;
188 unsigned char tmphash[SHA_DIGEST_LENGTH], *keyhash;
189 X509 *x;
190
191 /* Easy if lookup by name */
192 if (id->type == V_OCSP_RESPID_NAME)
193 return X509_find_by_subject(certs, id->value.byName);
194
195 /* Lookup by key hash */
196
197 /* If key hash isn't SHA1 length then forget it */
198 if (id->value.byKey->length != SHA_DIGEST_LENGTH) return NULL;
199 keyhash = id->value.byKey->data;
200 /* Calculate hash of each key and compare */
201 for (i = 0; i < sk_X509_num(certs); i++)
202 {
203 x = sk_X509_value(certs, i);
204 X509_pubkey_digest(x, EVP_sha1(), tmphash, NULL);
205 if(!memcmp(keyhash, tmphash, SHA_DIGEST_LENGTH))
206 return x;
207 }
208 return NULL;
209 }
210
211
212static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain, unsigned long flags)
213 {
214 STACK_OF(OCSP_SINGLERESP) *sresp;
215 X509 *signer, *sca;
216 OCSP_CERTID *caid = NULL;
217 int i;
218 sresp = bs->tbsResponseData->responses;
219
220 if (sk_X509_num(chain) <= 0)
221 {
222 OCSPerr(OCSP_F_OCSP_CHECK_ISSUER, OCSP_R_NO_CERTIFICATES_IN_CHAIN);
223 return -1;
224 }
225
226 /* See if the issuer IDs match. */
227 i = ocsp_check_ids(sresp, &caid);
228
229 /* If ID mismatch or other error then return */
230 if (i <= 0) return i;
231
232 signer = sk_X509_value(chain, 0);
233 /* Check to see if OCSP responder CA matches request CA */
234 if (sk_X509_num(chain) > 1)
235 {
236 sca = sk_X509_value(chain, 1);
237 i = ocsp_match_issuerid(sca, caid, sresp);
238 if (i < 0) return i;
239 if (i)
240 {
241 /* We have a match, if extensions OK then success */
242 if (ocsp_check_delegated(signer, flags)) return 1;
243 return 0;
244 }
245 }
246
247 /* Otherwise check if OCSP request signed directly by request CA */
248 return ocsp_match_issuerid(signer, caid, sresp);
249 }
250
251
252/* Check the issuer certificate IDs for equality. If there is a mismatch with the same
253 * algorithm then there's no point trying to match any certificates against the issuer.
254 * If the issuer IDs all match then we just need to check equality against one of them.
255 */
256
257static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, OCSP_CERTID **ret)
258 {
259 OCSP_CERTID *tmpid, *cid;
260 int i, idcount;
261
262 idcount = sk_OCSP_SINGLERESP_num(sresp);
263 if (idcount <= 0)
264 {
265 OCSPerr(OCSP_F_OCSP_CHECK_IDS, OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA);
266 return -1;
267 }
268
269 cid = sk_OCSP_SINGLERESP_value(sresp, 0)->certId;
270
271 *ret = NULL;
272
273 for (i = 1; i < idcount; i++)
274 {
275 tmpid = sk_OCSP_SINGLERESP_value(sresp, 0)->certId;
276 /* Check to see if IDs match */
277 if (OCSP_id_issuer_cmp(cid, tmpid))
278 {
279 /* If algoritm mismatch let caller deal with it */
280 if (OBJ_cmp(tmpid->hashAlgorithm->algorithm,
281 cid->hashAlgorithm->algorithm))
282 return 2;
283 /* Else mismatch */
284 return 0;
285 }
286 }
287
288 /* All IDs match: only need to check one ID */
289 *ret = cid;
290 return 1;
291 }
292
293
294static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid,
295 STACK_OF(OCSP_SINGLERESP) *sresp)
296 {
297 /* If only one ID to match then do it */
298 if(cid)
299 {
300 const EVP_MD *dgst;
301 X509_NAME *iname;
302 int mdlen;
303 unsigned char md[EVP_MAX_MD_SIZE];
304 if (!(dgst = EVP_get_digestbyobj(cid->hashAlgorithm->algorithm)))
305 {
306 OCSPerr(OCSP_F_OCSP_MATCH_ISSUERID, OCSP_R_UNKNOWN_MESSAGE_DIGEST);
307 return -1;
308 }
309
310 mdlen = EVP_MD_size(dgst);
311 if ((cid->issuerNameHash->length != mdlen) ||
312 (cid->issuerKeyHash->length != mdlen))
313 return 0;
314 iname = X509_get_subject_name(cert);
315 if (!X509_NAME_digest(iname, dgst, md, NULL))
316 return -1;
317 if (memcmp(md, cid->issuerNameHash->data, mdlen))
318 return 0;
319 X509_pubkey_digest(cert, EVP_sha1(), md, NULL);
320 if (memcmp(md, cid->issuerKeyHash->data, mdlen))
321 return 0;
322
323 return 1;
324
325 }
326 else
327 {
328 /* We have to match the whole lot */
329 int i, ret;
330 OCSP_CERTID *tmpid;
331 for (i = 0; i < sk_OCSP_SINGLERESP_num(sresp); i++)
332 {
333 tmpid = sk_OCSP_SINGLERESP_value(sresp, 0)->certId;
334 ret = ocsp_match_issuerid(cert, tmpid, NULL);
335 if (ret <= 0) return ret;
336 }
337 return 1;
338 }
339
340 }
341
342static int ocsp_check_delegated(X509 *x, int flags)
343 {
344 X509_check_purpose(x, -1, 0);
345 if ((x->ex_flags & EXFLAG_XKUSAGE) &&
346 (x->ex_xkusage & XKU_OCSP_SIGN))
347 return 1;
348 OCSPerr(OCSP_F_OCSP_CHECK_DELEGATED, OCSP_R_MISSING_OCSPSIGNING_USAGE);
349 return 0;
350 }
351
352/* Verify an OCSP request. This is fortunately much easier than OCSP
353 * response verify. Just find the signers certificate and verify it
354 * against a given trust value.
355 */
356
357int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs, X509_STORE *store, unsigned long flags)
358 {
359 X509 *signer;
360 X509_NAME *nm;
361 GENERAL_NAME *gen;
362 int ret;
363 X509_STORE_CTX ctx;
364 if (!req->optionalSignature)
365 {
366 OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_REQUEST_NOT_SIGNED);
367 return 0;
368 }
369 gen = req->tbsRequest->requestorName;
370 if (gen->type != GEN_DIRNAME)
371 {
372 OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE);
373 return 0;
374 }
375 nm = gen->d.directoryName;
376 ret = ocsp_req_find_signer(&signer, req, nm, certs, store, flags);
377 if (ret <= 0)
378 {
379 OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND);
380 return 0;
381 }
382 if ((ret == 2) && (flags & OCSP_TRUSTOTHER))
383 flags |= OCSP_NOVERIFY;
384 if (!(flags & OCSP_NOSIGS))
385 {
386 EVP_PKEY *skey;
387 skey = X509_get_pubkey(signer);
388 ret = OCSP_REQUEST_verify(req, skey);
389 EVP_PKEY_free(skey);
390 if(ret <= 0)
391 {
392 OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_SIGNATURE_FAILURE);
393 return 0;
394 }
395 }
396 if (!(flags & OCSP_NOVERIFY))
397 {
398 int init_res;
399 if(flags & OCSP_NOCHAIN)
400 init_res = X509_STORE_CTX_init(&ctx, store, signer, NULL);
401 else
402 init_res = X509_STORE_CTX_init(&ctx, store, signer,
403 req->optionalSignature->certs);
404 if(!init_res)
405 {
406 OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY,ERR_R_X509_LIB);
407 return 0;
408 }
409
410 X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_OCSP_HELPER);
411 X509_STORE_CTX_set_trust(&ctx, X509_TRUST_OCSP_REQUEST);
412 ret = X509_verify_cert(&ctx);
413 X509_STORE_CTX_cleanup(&ctx);
414 if (ret <= 0)
415 {
416 ret = X509_STORE_CTX_get_error(&ctx);
417 OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY,OCSP_R_CERTIFICATE_VERIFY_ERROR);
418 ERR_add_error_data(2, "Verify error:",
419 X509_verify_cert_error_string(ret));
420 return 0;
421 }
422 }
423 return 1;
424 }
425
426static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req, X509_NAME *nm, STACK_OF(X509) *certs,
427 X509_STORE *st, unsigned long flags)
428 {
429 X509 *signer;
430 if(!(flags & OCSP_NOINTERN))
431 {
432 signer = X509_find_by_subject(req->optionalSignature->certs, nm);
433 *psigner = signer;
434 return 1;
435 }
436
437 signer = X509_find_by_subject(certs, nm);
438 if (signer)
439 {
440 *psigner = signer;
441 return 2;
442 }
443 return 0;
444 }
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-21 06:20:32 +0000