Diffstat (limited to 'src/lib/libcrypto/ocsp')
-rw-r--r--src/lib/libcrypto/ocsp/ocsp.h623
-rw-r--r--src/lib/libcrypto/ocsp/ocsp_asn.c182
-rw-r--r--src/lib/libcrypto/ocsp/ocsp_cl.c371
-rw-r--r--src/lib/libcrypto/ocsp/ocsp_err.c142
-rw-r--r--src/lib/libcrypto/ocsp/ocsp_ext.c518
-rw-r--r--src/lib/libcrypto/ocsp/ocsp_ht.c504
-rw-r--r--src/lib/libcrypto/ocsp/ocsp_lib.c266
-rw-r--r--src/lib/libcrypto/ocsp/ocsp_prn.c290
-rw-r--r--src/lib/libcrypto/ocsp/ocsp_srv.c264
-rw-r--r--src/lib/libcrypto/ocsp/ocsp_vfy.c449
10 files changed, 0 insertions, 3609 deletions
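diff --git a/src/lib/libcrypto/ocsp/ocsp.h b/src/lib/libcrypto/ocsp/ocsp.h
deleted file mode 100644
index 31e45744ba..0000000000
--- a/src/lib/libcrypto/ocsp/ocsp.h
+++ /dev/null
@@ -1,623 +0,0 @@
-/* ocsp.h */
-/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
- * project. */
-
-/* History:
- This file was transfered to Richard Levitte from CertCo by Kathy
- Weinhold in mid-spring 2000 to be included in OpenSSL or released
- as a patch kit. */
-
-/* ====================================================================
- * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#ifndef HEADER_OCSP_H
-#define HEADER_OCSP_H
-
-#include <openssl/ossl_typ.h>
-#include <openssl/x509.h>
-#include <openssl/x509v3.h>
-#include <openssl/safestack.h>
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/* Various flags and values */
-
-#define OCSP_DEFAULT_NONCE_LENGTH 16
-
-#define OCSP_NOCERTS 0x1
-#define OCSP_NOINTERN 0x2
-#define OCSP_NOSIGS 0x4
-#define OCSP_NOCHAIN 0x8
-#define OCSP_NOVERIFY 0x10
-#define OCSP_NOEXPLICIT 0x20
-#define OCSP_NOCASIGN 0x40
-#define OCSP_NODELEGATED 0x80
-#define OCSP_NOCHECKS 0x100
-#define OCSP_TRUSTOTHER 0x200
-#define OCSP_RESPID_KEY 0x400
-#define OCSP_NOTIME 0x800
-
-/* CertID ::= SEQUENCE {
- * hashAlgorithm AlgorithmIdentifier,
- * issuerNameHash OCTET STRING, -- Hash of Issuer's DN
- * issuerKeyHash OCTET STRING, -- Hash of Issuers public key (excluding the tag & length fields)
- * serialNumber CertificateSerialNumber }
- */
-typedef struct ocsp_cert_id_st
- {
- X509_ALGOR *hashAlgorithm;
- ASN1_OCTET_STRING *issuerNameHash;
- ASN1_OCTET_STRING *issuerKeyHash;
- ASN1_INTEGER *serialNumber;
- } OCSP_CERTID;
-
-DECLARE_STACK_OF(OCSP_CERTID)
-
-/* Request ::= SEQUENCE {
- * reqCert CertID,
- * singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL }
- */
-typedef struct ocsp_one_request_st
- {
- OCSP_CERTID *reqCert;
- STACK_OF(X509_EXTENSION) *singleRequestExtensions;
- } OCSP_ONEREQ;
-
-DECLARE_STACK_OF(OCSP_ONEREQ)
-DECLARE_ASN1_SET_OF(OCSP_ONEREQ)
-
-
-/* TBSRequest ::= SEQUENCE {
- * version [0] EXPLICIT Version DEFAULT v1,
- * requestorName [1] EXPLICIT GeneralName OPTIONAL,
- * requestList SEQUENCE OF Request,
- * requestExtensions [2] EXPLICIT Extensions OPTIONAL }
- */
-typedef struct ocsp_req_info_st
- {
- ASN1_INTEGER *version;
- GENERAL_NAME *requestorName;
- STACK_OF(OCSP_ONEREQ) *requestList;
- STACK_OF(X509_EXTENSION) *requestExtensions;
- } OCSP_REQINFO;
-
-/* Signature ::= SEQUENCE {
- * signatureAlgorithm AlgorithmIdentifier,
- * signature BIT STRING,
- * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
- */
-typedef struct ocsp_signature_st
- {
- X509_ALGOR *signatureAlgorithm;
- ASN1_BIT_STRING *signature;
- STACK_OF(X509) *certs;
- } OCSP_SIGNATURE;
-
-/* OCSPRequest ::= SEQUENCE {
- * tbsRequest TBSRequest,
- * optionalSignature [0] EXPLICIT Signature OPTIONAL }
- */
-typedef struct ocsp_request_st
- {
- OCSP_REQINFO *tbsRequest;
- OCSP_SIGNATURE *optionalSignature; /* OPTIONAL */
- } OCSP_REQUEST;
-
-/* OCSPResponseStatus ::= ENUMERATED {
- * successful (0), --Response has valid confirmations
- * malformedRequest (1), --Illegal confirmation request
- * internalError (2), --Internal error in issuer
- * tryLater (3), --Try again later
- * --(4) is not used
- * sigRequired (5), --Must sign the request
- * unauthorized (6) --Request unauthorized
- * }
- */
-#define OCSP_RESPONSE_STATUS_SUCCESSFUL 0
-#define OCSP_RESPONSE_STATUS_MALFORMEDREQUEST 1
-#define OCSP_RESPONSE_STATUS_INTERNALERROR 2
-#define OCSP_RESPONSE_STATUS_TRYLATER 3
-#define OCSP_RESPONSE_STATUS_SIGREQUIRED 5
-#define OCSP_RESPONSE_STATUS_UNAUTHORIZED 6
-
-/* ResponseBytes ::= SEQUENCE {
- * responseType OBJECT IDENTIFIER,
- * response OCTET STRING }
- */
-typedef struct ocsp_resp_bytes_st
- {
- ASN1_OBJECT *responseType;
- ASN1_OCTET_STRING *response;
- } OCSP_RESPBYTES;
-
-/* OCSPResponse ::= SEQUENCE {
- * responseStatus OCSPResponseStatus,
- * responseBytes [0] EXPLICIT ResponseBytes OPTIONAL }
- */
-struct ocsp_response_st
- {
- ASN1_ENUMERATED *responseStatus;
- OCSP_RESPBYTES *responseBytes;
- };
-
-/* ResponderID ::= CHOICE {
- * byName [1] Name,
- * byKey [2] KeyHash }
- */
-#define V_OCSP_RESPID_NAME 0
-#define V_OCSP_RESPID_KEY 1
-struct ocsp_responder_id_st
- {
- int type;
- union {
- X509_NAME* byName;
- ASN1_OCTET_STRING *byKey;
- } value;
- };
-
-DECLARE_STACK_OF(OCSP_RESPID)
-DECLARE_ASN1_FUNCTIONS(OCSP_RESPID)
-
-/* KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key
- * --(excluding the tag and length fields)
- */
-
-/* RevokedInfo ::= SEQUENCE {
- * revocationTime GeneralizedTime,
- * revocationReason [0] EXPLICIT CRLReason OPTIONAL }
- */
-typedef struct ocsp_revoked_info_st
- {
- ASN1_GENERALIZEDTIME *revocationTime;
- ASN1_ENUMERATED *revocationReason;
- } OCSP_REVOKEDINFO;
-
-/* CertStatus ::= CHOICE {
- * good [0] IMPLICIT NULL,
- * revoked [1] IMPLICIT RevokedInfo,
- * unknown [2] IMPLICIT UnknownInfo }
- */
-#define V_OCSP_CERTSTATUS_GOOD 0
-#define V_OCSP_CERTSTATUS_REVOKED 1
-#define V_OCSP_CERTSTATUS_UNKNOWN 2
-typedef struct ocsp_cert_status_st
- {
- int type;
- union {
- ASN1_NULL *good;
- OCSP_REVOKEDINFO *revoked;
- ASN1_NULL *unknown;
- } value;
- } OCSP_CERTSTATUS;
-
-/* SingleResponse ::= SEQUENCE {
- * certID CertID,
- * certStatus CertStatus,
- * thisUpdate GeneralizedTime,
- * nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL,
- * singleExtensions [1] EXPLICIT Extensions OPTIONAL }
- */
-typedef struct ocsp_single_response_st
- {
- OCSP_CERTID *certId;
- OCSP_CERTSTATUS *certStatus;
- ASN1_GENERALIZEDTIME *thisUpdate;
- ASN1_GENERALIZEDTIME *nextUpdate;
- STACK_OF(X509_EXTENSION) *singleExtensions;
- } OCSP_SINGLERESP;
-
-DECLARE_STACK_OF(OCSP_SINGLERESP)
-DECLARE_ASN1_SET_OF(OCSP_SINGLERESP)
-
-/* ResponseData ::= SEQUENCE {
- * version [0] EXPLICIT Version DEFAULT v1,
- * responderID ResponderID,
- * producedAt GeneralizedTime,
- * responses SEQUENCE OF SingleResponse,
- * responseExtensions [1] EXPLICIT Extensions OPTIONAL }
- */
-typedef struct ocsp_response_data_st
- {
- ASN1_INTEGER *version;
- OCSP_RESPID *responderId;
- ASN1_GENERALIZEDTIME *producedAt;
- STACK_OF(OCSP_SINGLERESP) *responses;
- STACK_OF(X509_EXTENSION) *responseExtensions;
- } OCSP_RESPDATA;
-
-/* BasicOCSPResponse ::= SEQUENCE {
- * tbsResponseData ResponseData,
- * signatureAlgorithm AlgorithmIdentifier,
- * signature BIT STRING,
- * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
- */
- /* Note 1:
- The value for "signature" is specified in the OCSP rfc2560 as follows:
- "The value for the signature SHALL be computed on the hash of the DER
- encoding ResponseData." This means that you must hash the DER-encoded
- tbsResponseData, and then run it through a crypto-signing function, which
- will (at least w/RSA) do a hash-'n'-private-encrypt operation. This seems
- a bit odd, but that's the spec. Also note that the data structures do not
- leave anywhere to independently specify the algorithm used for the initial
- hash. So, we look at the signature-specification algorithm, and try to do
- something intelligent. -- Kathy Weinhold, CertCo */
- /* Note 2:
- It seems that the mentioned passage from RFC 2560 (section 4.2.1) is open
- for interpretation. I've done tests against another responder, and found
- that it doesn't do the double hashing that the RFC seems to say one
- should. Therefore, all relevant functions take a flag saying which
- variant should be used. -- Richard Levitte, OpenSSL team and CeloCom */
-typedef struct ocsp_basic_response_st
- {
- OCSP_RESPDATA *tbsResponseData;
- X509_ALGOR *signatureAlgorithm;
- ASN1_BIT_STRING *signature;
- STACK_OF(X509) *certs;
- } OCSP_BASICRESP;
-
-/*
- * CRLReason ::= ENUMERATED {
- * unspecified (0),
- * keyCompromise (1),
- * cACompromise (2),
- * affiliationChanged (3),
- * superseded (4),
- * cessationOfOperation (5),
- * certificateHold (6),
- * removeFromCRL (8) }
- */
-#define OCSP_REVOKED_STATUS_NOSTATUS -1
-#define OCSP_REVOKED_STATUS_UNSPECIFIED 0
-#define OCSP_REVOKED_STATUS_KEYCOMPROMISE 1
-#define OCSP_REVOKED_STATUS_CACOMPROMISE 2
-#define OCSP_REVOKED_STATUS_AFFILIATIONCHANGED 3
-#define OCSP_REVOKED_STATUS_SUPERSEDED 4
-#define OCSP_REVOKED_STATUS_CESSATIONOFOPERATION 5
-#define OCSP_REVOKED_STATUS_CERTIFICATEHOLD 6
-#define OCSP_REVOKED_STATUS_REMOVEFROMCRL 8
-
-/* CrlID ::= SEQUENCE {
- * crlUrl [0] EXPLICIT IA5String OPTIONAL,
- * crlNum [1] EXPLICIT INTEGER OPTIONAL,
- * crlTime [2] EXPLICIT GeneralizedTime OPTIONAL }
- */
-typedef struct ocsp_crl_id_st
- {
- ASN1_IA5STRING *crlUrl;
- ASN1_INTEGER *crlNum;
- ASN1_GENERALIZEDTIME *crlTime;
- } OCSP_CRLID;
-
-/* ServiceLocator ::= SEQUENCE {
- * issuer Name,
- * locator AuthorityInfoAccessSyntax OPTIONAL }
- */
-typedef struct ocsp_service_locator_st
- {
- X509_NAME* issuer;
- STACK_OF(ACCESS_DESCRIPTION) *locator;
- } OCSP_SERVICELOC;
-
-#define PEM_STRING_OCSP_REQUEST "OCSP REQUEST"
-#define PEM_STRING_OCSP_RESPONSE "OCSP RESPONSE"
-
-#define d2i_OCSP_REQUEST_bio(bp,p) ASN1_d2i_bio_of(OCSP_REQUEST,OCSP_REQUEST_new,d2i_OCSP_REQUEST,bp,p)
-
-#define d2i_OCSP_RESPONSE_bio(bp,p) ASN1_d2i_bio_of(OCSP_RESPONSE,OCSP_RESPONSE_new,d2i_OCSP_RESPONSE,bp,p)
-
-#define PEM_read_bio_OCSP_REQUEST(bp,x,cb) (OCSP_REQUEST *)PEM_ASN1_read_bio( \
- (char *(*)())d2i_OCSP_REQUEST,PEM_STRING_OCSP_REQUEST,bp,(char **)x,cb,NULL)
-
-#define PEM_read_bio_OCSP_RESPONSE(bp,x,cb)(OCSP_RESPONSE *)PEM_ASN1_read_bio(\
- (char *(*)())d2i_OCSP_RESPONSE,PEM_STRING_OCSP_RESPONSE,bp,(char **)x,cb,NULL)
-
-#define PEM_write_bio_OCSP_REQUEST(bp,o) \
- PEM_ASN1_write_bio((int (*)())i2d_OCSP_REQUEST,PEM_STRING_OCSP_REQUEST,\
- bp,(char *)o, NULL,NULL,0,NULL,NULL)
-
-#define PEM_write_bio_OCSP_RESPONSE(bp,o) \
- PEM_ASN1_write_bio((int (*)())i2d_OCSP_RESPONSE,PEM_STRING_OCSP_RESPONSE,\
- bp,(char *)o, NULL,NULL,0,NULL,NULL)
-
-#define i2d_OCSP_RESPONSE_bio(bp,o) ASN1_i2d_bio_of(OCSP_RESPONSE,i2d_OCSP_RESPONSE,bp,o)
-
-#define i2d_OCSP_REQUEST_bio(bp,o) ASN1_i2d_bio_of(OCSP_REQUEST,i2d_OCSP_REQUEST,bp,o)
-
-#define OCSP_REQUEST_sign(o,pkey,md) \
- ASN1_item_sign(ASN1_ITEM_rptr(OCSP_REQINFO),\
- o->optionalSignature->signatureAlgorithm,NULL,\
- o->optionalSignature->signature,o->tbsRequest,pkey,md)
-
-#define OCSP_BASICRESP_sign(o,pkey,md,d) \
- ASN1_item_sign(ASN1_ITEM_rptr(OCSP_RESPDATA),o->signatureAlgorithm,NULL,\
- o->signature,o->tbsResponseData,pkey,md)
-
-#define OCSP_REQUEST_verify(a,r) ASN1_item_verify(ASN1_ITEM_rptr(OCSP_REQINFO),\
- a->optionalSignature->signatureAlgorithm,\
- a->optionalSignature->signature,a->tbsRequest,r)
-
-#define OCSP_BASICRESP_verify(a,r,d) ASN1_item_verify(ASN1_ITEM_rptr(OCSP_RESPDATA),\
- a->signatureAlgorithm,a->signature,a->tbsResponseData,r)
-
-#define ASN1_BIT_STRING_digest(data,type,md,len) \
- ASN1_item_digest(ASN1_ITEM_rptr(ASN1_BIT_STRING),type,data,md,len)
-
-#define OCSP_CERTSTATUS_dup(cs)\
- (OCSP_CERTSTATUS*)ASN1_dup((int(*)())i2d_OCSP_CERTSTATUS,\
- (char *(*)())d2i_OCSP_CERTSTATUS,(char *)(cs))
-
-OCSP_CERTID *OCSP_CERTID_dup(OCSP_CERTID *id);
-
-OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, char *path, OCSP_REQUEST *req);
-OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, char *path, OCSP_REQUEST *req,
- int maxline);
-int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx);
-void OCSP_REQ_CTX_free(OCSP_REQ_CTX *rctx);
-int OCSP_REQ_CTX_set1_req(OCSP_REQ_CTX *rctx, OCSP_REQUEST *req);
-int OCSP_REQ_CTX_add1_header(OCSP_REQ_CTX *rctx,
- const char *name, const char *value);
-
-OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *dgst, X509 *subject, X509 *issuer);
-
-OCSP_CERTID *OCSP_cert_id_new(const EVP_MD *dgst,
- X509_NAME *issuerName,
- ASN1_BIT_STRING* issuerKey,
- ASN1_INTEGER *serialNumber);
-
-OCSP_ONEREQ *OCSP_request_add0_id(OCSP_REQUEST *req, OCSP_CERTID *cid);
-
-int OCSP_request_add1_nonce(OCSP_REQUEST *req, unsigned char *val, int len);
-int OCSP_basic_add1_nonce(OCSP_BASICRESP *resp, unsigned char *val, int len);
-int OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *bs);
-int OCSP_copy_nonce(OCSP_BASICRESP *resp, OCSP_REQUEST *req);
-
-int OCSP_request_set1_name(OCSP_REQUEST *req, X509_NAME *nm);
-int OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert);
-
-int OCSP_request_sign(OCSP_REQUEST *req,
- X509 *signer,
- EVP_PKEY *key,
- const EVP_MD *dgst,
- STACK_OF(X509) *certs,
- unsigned long flags);
-
-int OCSP_response_status(OCSP_RESPONSE *resp);
-OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp);
-
-int OCSP_resp_count(OCSP_BASICRESP *bs);
-OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx);
-int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last);
-int OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason,
- ASN1_GENERALIZEDTIME **revtime,
- ASN1_GENERALIZEDTIME **thisupd,
- ASN1_GENERALIZEDTIME **nextupd);
-int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
- int *reason,
- ASN1_GENERALIZEDTIME **revtime,
- ASN1_GENERALIZEDTIME **thisupd,
- ASN1_GENERALIZEDTIME **nextupd);
-int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
- ASN1_GENERALIZEDTIME *nextupd,
- long sec, long maxsec);
-
-int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs, X509_STORE *store, unsigned long flags);
-
-int OCSP_parse_url(char *url, char **phost, char **pport, char **ppath, int *pssl);
-
-int OCSP_id_issuer_cmp(OCSP_CERTID *a, OCSP_CERTID *b);
-int OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b);
-
-int OCSP_request_onereq_count(OCSP_REQUEST *req);
-OCSP_ONEREQ *OCSP_request_onereq_get0(OCSP_REQUEST *req, int i);
-OCSP_CERTID *OCSP_onereq_get0_id(OCSP_ONEREQ *one);
-int OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd,
- ASN1_OCTET_STRING **pikeyHash,
- ASN1_INTEGER **pserial, OCSP_CERTID *cid);
-int OCSP_request_is_signed(OCSP_REQUEST *req);
-OCSP_RESPONSE *OCSP_response_create(int status, OCSP_BASICRESP *bs);
-OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp,
- OCSP_CERTID *cid,
- int status, int reason,
- ASN1_TIME *revtime,
- ASN1_TIME *thisupd, ASN1_TIME *nextupd);
-int OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert);
-int OCSP_basic_sign(OCSP_BASICRESP *brsp,
- X509 *signer, EVP_PKEY *key, const EVP_MD *dgst,
- STACK_OF(X509) *certs, unsigned long flags);
-
-X509_EXTENSION *OCSP_crlID_new(char *url, long *n, char *tim);
-
-X509_EXTENSION *OCSP_accept_responses_new(char **oids);
-
-X509_EXTENSION *OCSP_archive_cutoff_new(char* tim);
-
-X509_EXTENSION *OCSP_url_svcloc_new(X509_NAME* issuer, char **urls);
-
-int OCSP_REQUEST_get_ext_count(OCSP_REQUEST *x);
-int OCSP_REQUEST_get_ext_by_NID(OCSP_REQUEST *x, int nid, int lastpos);
-int OCSP_REQUEST_get_ext_by_OBJ(OCSP_REQUEST *x, ASN1_OBJECT *obj, int lastpos);
-int OCSP_REQUEST_get_ext_by_critical(OCSP_REQUEST *x, int crit, int lastpos);
-X509_EXTENSION *OCSP_REQUEST_get_ext(OCSP_REQUEST *x, int loc);
-X509_EXTENSION *OCSP_REQUEST_delete_ext(OCSP_REQUEST *x, int loc);
-void *OCSP_REQUEST_get1_ext_d2i(OCSP_REQUEST *x, int nid, int *crit, int *idx);
-int OCSP_REQUEST_add1_ext_i2d(OCSP_REQUEST *x, int nid, void *value, int crit,
- unsigned long flags);
-int OCSP_REQUEST_add_ext(OCSP_REQUEST *x, X509_EXTENSION *ex, int loc);
-
-int OCSP_ONEREQ_get_ext_count(OCSP_ONEREQ *x);
-int OCSP_ONEREQ_get_ext_by_NID(OCSP_ONEREQ *x, int nid, int lastpos);
-int OCSP_ONEREQ_get_ext_by_OBJ(OCSP_ONEREQ *x, ASN1_OBJECT *obj, int lastpos);
-int OCSP_ONEREQ_get_ext_by_critical(OCSP_ONEREQ *x, int crit, int lastpos);
-X509_EXTENSION *OCSP_ONEREQ_get_ext(OCSP_ONEREQ *x, int loc);
-X509_EXTENSION *OCSP_ONEREQ_delete_ext(OCSP_ONEREQ *x, int loc);
-void *OCSP_ONEREQ_get1_ext_d2i(OCSP_ONEREQ *x, int nid, int *crit, int *idx);
-int OCSP_ONEREQ_add1_ext_i2d(OCSP_ONEREQ *x, int nid, void *value, int crit,
- unsigned long flags);
-int OCSP_ONEREQ_add_ext(OCSP_ONEREQ *x, X509_EXTENSION *ex, int loc);
-
-int OCSP_BASICRESP_get_ext_count(OCSP_BASICRESP *x);
-int OCSP_BASICRESP_get_ext_by_NID(OCSP_BASICRESP *x, int nid, int lastpos);
-int OCSP_BASICRESP_get_ext_by_OBJ(OCSP_BASICRESP *x, ASN1_OBJECT *obj, int lastpos);
-int OCSP_BASICRESP_get_ext_by_critical(OCSP_BASICRESP *x, int crit, int lastpos);
-X509_EXTENSION *OCSP_BASICRESP_get_ext(OCSP_BASICRESP *x, int loc);
-X509_EXTENSION *OCSP_BASICRESP_delete_ext(OCSP_BASICRESP *x, int loc);
-void *OCSP_BASICRESP_get1_ext_d2i(OCSP_BASICRESP *x, int nid, int *crit, int *idx);
-int OCSP_BASICRESP_add1_ext_i2d(OCSP_BASICRESP *x, int nid, void *value, int crit,
- unsigned long flags);
-int OCSP_BASICRESP_add_ext(OCSP_BASICRESP *x, X509_EXTENSION *ex, int loc);
-
-int OCSP_SINGLERESP_get_ext_count(OCSP_SINGLERESP *x);
-int OCSP_SINGLERESP_get_ext_by_NID(OCSP_SINGLERESP *x, int nid, int lastpos);
-int OCSP_SINGLERESP_get_ext_by_OBJ(OCSP_SINGLERESP *x, ASN1_OBJECT *obj, int lastpos);
-int OCSP_SINGLERESP_get_ext_by_critical(OCSP_SINGLERESP *x, int crit, int lastpos);
-X509_EXTENSION *OCSP_SINGLERESP_get_ext(OCSP_SINGLERESP *x, int loc);
-X509_EXTENSION *OCSP_SINGLERESP_delete_ext(OCSP_SINGLERESP *x, int loc);
-void *OCSP_SINGLERESP_get1_ext_d2i(OCSP_SINGLERESP *x, int nid, int *crit, int *idx);
-int OCSP_SINGLERESP_add1_ext_i2d(OCSP_SINGLERESP *x, int nid, void *value, int crit,
- unsigned long flags);
-int OCSP_SINGLERESP_add_ext(OCSP_SINGLERESP *x, X509_EXTENSION *ex, int loc);
-
-DECLARE_ASN1_FUNCTIONS(OCSP_SINGLERESP)
-DECLARE_ASN1_FUNCTIONS(OCSP_CERTSTATUS)
-DECLARE_ASN1_FUNCTIONS(OCSP_REVOKEDINFO)
-DECLARE_ASN1_FUNCTIONS(OCSP_BASICRESP)
-DECLARE_ASN1_FUNCTIONS(OCSP_RESPDATA)
-DECLARE_ASN1_FUNCTIONS(OCSP_RESPID)
-DECLARE_ASN1_FUNCTIONS(OCSP_RESPONSE)
-DECLARE_ASN1_FUNCTIONS(OCSP_RESPBYTES)
-DECLARE_ASN1_FUNCTIONS(OCSP_ONEREQ)
-DECLARE_ASN1_FUNCTIONS(OCSP_CERTID)
-DECLARE_ASN1_FUNCTIONS(OCSP_REQUEST)
-DECLARE_ASN1_FUNCTIONS(OCSP_SIGNATURE)
-DECLARE_ASN1_FUNCTIONS(OCSP_REQINFO)
-DECLARE_ASN1_FUNCTIONS(OCSP_CRLID)
-DECLARE_ASN1_FUNCTIONS(OCSP_SERVICELOC)
-
-const char *OCSP_response_status_str(long s);
-const char *OCSP_cert_status_str(long s);
-const char *OCSP_crl_reason_str(long s);
-
-int OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST* a, unsigned long flags);
-int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE* o, unsigned long flags);
-
-int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
- X509_STORE *st, unsigned long flags);
-
-/* BEGIN ERROR CODES */
-/* The following lines are auto generated by the script mkerr.pl. Any changes
- * made after this point may be overwritten when the script is next run.
- */
-void ERR_load_OCSP_strings(void);
-
-/* Error codes for the OCSP functions. */
-
-/* Function codes. */
-#define OCSP_F_ASN1_STRING_ENCODE 100
-#define OCSP_F_D2I_OCSP_NONCE 102
-#define OCSP_F_OCSP_BASIC_ADD1_STATUS 103
-#define OCSP_F_OCSP_BASIC_SIGN 104
-#define OCSP_F_OCSP_BASIC_VERIFY 105
-#define OCSP_F_OCSP_CERT_ID_NEW 101
-#define OCSP_F_OCSP_CHECK_DELEGATED 106
-#define OCSP_F_OCSP_CHECK_IDS 107
-#define OCSP_F_OCSP_CHECK_ISSUER 108
-#define OCSP_F_OCSP_CHECK_VALIDITY 115
-#define OCSP_F_OCSP_MATCH_ISSUERID 109
-#define OCSP_F_OCSP_PARSE_URL 114
-#define OCSP_F_OCSP_REQUEST_SIGN 110
-#define OCSP_F_OCSP_REQUEST_VERIFY 116
-#define OCSP_F_OCSP_RESPONSE_GET1_BASIC 111
-#define OCSP_F_OCSP_SENDREQ_BIO 112
-#define OCSP_F_OCSP_SENDREQ_NBIO 117
-#define OCSP_F_PARSE_HTTP_LINE1 118
-#define OCSP_F_REQUEST_VERIFY 113
-
-/* Reason codes. */
-#define OCSP_R_BAD_DATA 100
-#define OCSP_R_CERTIFICATE_VERIFY_ERROR 101
-#define OCSP_R_DIGEST_ERR 102
-#define OCSP_R_ERROR_IN_NEXTUPDATE_FIELD 122
-#define OCSP_R_ERROR_IN_THISUPDATE_FIELD 123
-#define OCSP_R_ERROR_PARSING_URL 121
-#define OCSP_R_MISSING_OCSPSIGNING_USAGE 103
-#define OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE 124
-#define OCSP_R_NOT_BASIC_RESPONSE 104
-#define OCSP_R_NO_CERTIFICATES_IN_CHAIN 105
-#define OCSP_R_NO_CONTENT 106
-#define OCSP_R_NO_PUBLIC_KEY 107
-#define OCSP_R_NO_RESPONSE_DATA 108
-#define OCSP_R_NO_REVOKED_TIME 109
-#define OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE 110
-#define OCSP_R_REQUEST_NOT_SIGNED 128
-#define OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA 111
-#define OCSP_R_ROOT_CA_NOT_TRUSTED 112
-#define OCSP_R_SERVER_READ_ERROR 113
-#define OCSP_R_SERVER_RESPONSE_ERROR 114
-#define OCSP_R_SERVER_RESPONSE_PARSE_ERROR 115
-#define OCSP_R_SERVER_WRITE_ERROR 116
-#define OCSP_R_SIGNATURE_FAILURE 117
-#define OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND 118
-#define OCSP_R_STATUS_EXPIRED 125
-#define OCSP_R_STATUS_NOT_YET_VALID 126
-#define OCSP_R_STATUS_TOO_OLD 127
-#define OCSP_R_UNKNOWN_MESSAGE_DIGEST 119
-#define OCSP_R_UNKNOWN_NID 120
-#define OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE 129
-
-#ifdef __cplusplus
-}
-#endif
-#endif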
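diff --git a/src/lib/libcrypto/ocsp/ocsp_asn.c b/src/lib/libcrypto/ocsp/ocsp_asn.c
deleted file mode 100644
index bfe892ac70..0000000000
--- a/src/lib/libcrypto/ocsp/ocsp_asn.c
+++ /dev/null
@@ -1,182 +0,0 @@
-/* ocsp_asn.c */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 2000.
- */
-/* ====================================================================
- * Copyright (c) 2000 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-#include <openssl/asn1.h>
-#include <openssl/asn1t.h>
-#include <openssl/ocsp.h>
-
-ASN1_SEQUENCE(OCSP_SIGNATURE) = {
- ASN1_SIMPLE(OCSP_SIGNATURE, signatureAlgorithm, X509_ALGOR),
- ASN1_SIMPLE(OCSP_SIGNATURE, signature, ASN1_BIT_STRING),
- ASN1_EXP_SEQUENCE_OF_OPT(OCSP_SIGNATURE, certs, X509, 0)
-} ASN1_SEQUENCE_END(OCSP_SIGNATURE)
-
-IMPLEMENT_ASN1_FUNCTIONS(OCSP_SIGNATURE)
-
-ASN1_SEQUENCE(OCSP_CERTID) = {
- ASN1_SIMPLE(OCSP_CERTID, hashAlgorithm, X509_ALGOR),
- ASN1_SIMPLE(OCSP_CERTID, issuerNameHash, ASN1_OCTET_STRING),
- ASN1_SIMPLE(OCSP_CERTID, issuerKeyHash, ASN1_OCTET_STRING),
- ASN1_SIMPLE(OCSP_CERTID, serialNumber, ASN1_INTEGER)
-} ASN1_SEQUENCE_END(OCSP_CERTID)
-
-IMPLEMENT_ASN1_FUNCTIONS(OCSP_CERTID)
-
-ASN1_SEQUENCE(OCSP_ONEREQ) = {
- ASN1_SIMPLE(OCSP_ONEREQ, reqCert, OCSP_CERTID),
- ASN1_EXP_SEQUENCE_OF_OPT(OCSP_ONEREQ, singleRequestExtensions, X509_EXTENSION, 0)
-} ASN1_SEQUENCE_END(OCSP_ONEREQ)
-
-IMPLEMENT_ASN1_FUNCTIONS(OCSP_ONEREQ)
-
-ASN1_SEQUENCE(OCSP_REQINFO) = {
- ASN1_EXP_OPT(OCSP_REQINFO, version, ASN1_INTEGER, 0),
- ASN1_EXP_OPT(OCSP_REQINFO, requestorName, GENERAL_NAME, 1),
- ASN1_SEQUENCE_OF(OCSP_REQINFO, requestList, OCSP_ONEREQ),
- ASN1_EXP_SEQUENCE_OF_OPT(OCSP_REQINFO, requestExtensions, X509_EXTENSION, 2)
-} ASN1_SEQUENCE_END(OCSP_REQINFO)
-
-IMPLEMENT_ASN1_FUNCTIONS(OCSP_REQINFO)
-
-ASN1_SEQUENCE(OCSP_REQUEST) = {
- ASN1_SIMPLE(OCSP_REQUEST, tbsRequest, OCSP_REQINFO),
- ASN1_EXP_OPT(OCSP_REQUEST, optionalSignature, OCSP_SIGNATURE, 0)
-} ASN1_SEQUENCE_END(OCSP_REQUEST)
-
-IMPLEMENT_ASN1_FUNCTIONS(OCSP_REQUEST)
-
-/* OCSP_RESPONSE templates */
-
-ASN1_SEQUENCE(OCSP_RESPBYTES) = {
- ASN1_SIMPLE(OCSP_RESPBYTES, responseType, ASN1_OBJECT),
- ASN1_SIMPLE(OCSP_RESPBYTES, response, ASN1_OCTET_STRING)
-} ASN1_SEQUENCE_END(OCSP_RESPBYTES)
-
-IMPLEMENT_ASN1_FUNCTIONS(OCSP_RESPBYTES)
-
-ASN1_SEQUENCE(OCSP_RESPONSE) = {
- ASN1_SIMPLE(OCSP_RESPONSE, responseStatus, ASN1_ENUMERATED),
- ASN1_EXP_OPT(OCSP_RESPONSE, responseBytes, OCSP_RESPBYTES, 0)
-} ASN1_SEQUENCE_END(OCSP_RESPONSE)
-
-IMPLEMENT_ASN1_FUNCTIONS(OCSP_RESPONSE)
-
-ASN1_CHOICE(OCSP_RESPID) = {
- ASN1_EXP(OCSP_RESPID, value.byName, X509_NAME, 1),
- ASN1_EXP(OCSP_RESPID, value.byKey, ASN1_OCTET_STRING, 2)
-} ASN1_CHOICE_END(OCSP_RESPID)
-
-IMPLEMENT_ASN1_FUNCTIONS(OCSP_RESPID)
-
-ASN1_SEQUENCE(OCSP_REVOKEDINFO) = {
- ASN1_SIMPLE(OCSP_REVOKEDINFO, revocationTime, ASN1_GENERALIZEDTIME),
- ASN1_EXP_OPT(OCSP_REVOKEDINFO, revocationReason, ASN1_ENUMERATED, 0)
-} ASN1_SEQUENCE_END(OCSP_REVOKEDINFO)
-
-IMPLEMENT_ASN1_FUNCTIONS(OCSP_REVOKEDINFO)
-
-ASN1_CHOICE(OCSP_CERTSTATUS) = {
- ASN1_IMP(OCSP_CERTSTATUS, value.good, ASN1_NULL, 0),
- ASN1_IMP(OCSP_CERTSTATUS, value.revoked, OCSP_REVOKEDINFO, 1),
- ASN1_IMP(OCSP_CERTSTATUS, value.unknown, ASN1_NULL, 2)
-} ASN1_CHOICE_END(OCSP_CERTSTATUS)
-
-IMPLEMENT_ASN1_FUNCTIONS(OCSP_CERTSTATUS)
-
-ASN1_SEQUENCE(OCSP_SINGLERESP) = {
- ASN1_SIMPLE(OCSP_SINGLERESP, certId, OCSP_CERTID),
- ASN1_SIMPLE(OCSP_SINGLERESP, certStatus, OCSP_CERTSTATUS),
- ASN1_SIMPLE(OCSP_SINGLERESP, thisUpdate, ASN1_GENERALIZEDTIME),
- ASN1_EXP_OPT(OCSP_SINGLERESP, nextUpdate, ASN1_GENERALIZEDTIME, 0),
- ASN1_EXP_SEQUENCE_OF_OPT(OCSP_SINGLERESP, singleExtensions, X509_EXTENSION, 1)
-} ASN1_SEQUENCE_END(OCSP_SINGLERESP)
-
-IMPLEMENT_ASN1_FUNCTIONS(OCSP_SINGLERESP)
-
-ASN1_SEQUENCE(OCSP_RESPDATA) = {
- ASN1_EXP_OPT(OCSP_RESPDATA, version, ASN1_INTEGER, 0),
- ASN1_SIMPLE(OCSP_RESPDATA, responderId, OCSP_RESPID),
- ASN1_SIMPLE(OCSP_RESPDATA, producedAt, ASN1_GENERALIZEDTIME),
- ASN1_SEQUENCE_OF(OCSP_RESPDATA, responses, OCSP_SINGLERESP),
- ASN1_EXP_SEQUENCE_OF_OPT(OCSP_RESPDATA, responseExtensions, X509_EXTENSION, 1)
-} ASN1_SEQUENCE_END(OCSP_RESPDATA)
-
-IMPLEMENT_ASN1_FUNCTIONS(OCSP_RESPDATA)
-
-ASN1_SEQUENCE(OCSP_BASICRESP) = {
- ASN1_SIMPLE(OCSP_BASICRESP, tbsResponseData, OCSP_RESPDATA),
- ASN1_SIMPLE(OCSP_BASICRESP, signatureAlgorithm, X509_ALGOR),
- ASN1_SIMPLE(OCSP_BASICRESP, signature, ASN1_BIT_STRING),
- ASN1_EXP_SEQUENCE_OF_OPT(OCSP_BASICRESP, certs, X509, 0)
-} ASN1_SEQUENCE_END(OCSP_BASICRESP)
-
-IMPLEMENT_ASN1_FUNCTIONS(OCSP_BASICRESP)
-
-ASN1_SEQUENCE(OCSP_CRLID) = {
- ASN1_EXP_OPT(OCSP_CRLID, crlUrl, ASN1_IA5STRING, 0),
- ASN1_EXP_OPT(OCSP_CRLID, crlNum, ASN1_INTEGER, 1),
- ASN1_EXP_OPT(OCSP_CRLID, crlTime, ASN1_GENERALIZEDTIME, 2)
-} ASN1_SEQUENCE_END(OCSP_CRLID)
-
-IMPLEMENT_ASN1_FUNCTIONS(OCSP_CRLID)
-
-ASN1_SEQUENCE(OCSP_SERVICELOC) = {
- ASN1_SIMPLE(OCSP_SERVICELOC, issuer, X509_NAME),
- ASN1_SEQUENCE_OF_OPT(OCSP_SERVICELOC, locator, ACCESS_DESCRIPTION)
-} ASN1_SEQUENCE_END(OCSP_SERVICELOC)
-
-IMPLEMENT_ASN1_FUNCTIONS(OCSP_SERVICELOC)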
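diff --git a/src/lib/libcrypto/ocsp/ocsp_cl.c b/src/lib/libcrypto/ocsp/ocsp_cl.c
deleted file mode 100644
index 9c14d9da27..0000000000
--- a/src/lib/libcrypto/ocsp/ocsp_cl.c
+++ /dev/null
@@ -1,371 +0,0 @@
-/* ocsp_cl.c */
-/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
- * project. */
-
-/* History:
- This file was transfered to Richard Levitte from CertCo by Kathy
- Weinhold in mid-spring 2000 to be included in OpenSSL or released
- as a patch kit. */
-
-/* ====================================================================
- * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include <time.h>
-#include <cryptlib.h>
-#include <openssl/objects.h>
-#include <openssl/rand.h>
-#include <openssl/x509.h>
-#include <openssl/pem.h>
-#include <openssl/x509v3.h>
-#include <openssl/ocsp.h>
-
-/* Utility functions related to sending OCSP requests and extracting
- * relevant information from the response.
- */
-
-/* Add an OCSP_CERTID to an OCSP request. Return new OCSP_ONEREQ
- * pointer: useful if we want to add extensions.
- */
-
-OCSP_ONEREQ *OCSP_request_add0_id(OCSP_REQUEST *req, OCSP_CERTID *cid)
- {
- OCSP_ONEREQ *one = NULL;
-
- if (!(one = OCSP_ONEREQ_new())) goto err;
- if (one->reqCert) OCSP_CERTID_free(one->reqCert);
- one->reqCert = cid;
- if (req &&
- !sk_OCSP_ONEREQ_push(req->tbsRequest->requestList, one))
- goto err;
- return one;
-err:
- OCSP_ONEREQ_free(one);
- return NULL;
- }
-
-/* Set requestorName from an X509_NAME structure */
-
-int OCSP_request_set1_name(OCSP_REQUEST *req, X509_NAME *nm)
- {
- GENERAL_NAME *gen;
- gen = GENERAL_NAME_new();
- if (gen == NULL)
- return 0;
- if (!X509_NAME_set(&gen->d.directoryName, nm))
- {
- GENERAL_NAME_free(gen);
- return 0;
- }
- gen->type = GEN_DIRNAME;
- if (req->tbsRequest->requestorName)
- GENERAL_NAME_free(req->tbsRequest->requestorName);
- req->tbsRequest->requestorName = gen;
- return 1;
- }
-
-
-/* Add a certificate to an OCSP request */
-
-int OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert)
- {
- OCSP_SIGNATURE *sig;
- if (!req->optionalSignature)
- req->optionalSignature = OCSP_SIGNATURE_new();
- sig = req->optionalSignature;
- if (!sig) return 0;
- if (!cert) return 1;
- if (!sig->certs && !(sig->certs = sk_X509_new_null()))
- return 0;
-
- if(!sk_X509_push(sig->certs, cert)) return 0;
- CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
- return 1;
- }
-
-/* Sign an OCSP request set the requestorName to the subjec
- * name of an optional signers certificate and include one
- * or more optional certificates in the request. Behaves
- * like PKCS7_sign().
- */
-
-int OCSP_request_sign(OCSP_REQUEST *req,
- X509 *signer,
- EVP_PKEY *key,
- const EVP_MD *dgst,
- STACK_OF(X509) *certs,
- unsigned long flags)
- {
- int i;
- OCSP_SIGNATURE *sig;
- X509 *x;
-
- if (!OCSP_request_set1_name(req, X509_get_subject_name(signer)))
- goto err;
-
- if (!(req->optionalSignature = sig = OCSP_SIGNATURE_new())) goto err;
- if (key)
- {
- if (!X509_check_private_key(signer, key))
- {
- OCSPerr(OCSP_F_OCSP_REQUEST_SIGN, OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
- goto err;
- }
- if (!OCSP_REQUEST_sign(req, key, dgst)) goto err;
- }
-
- if (!(flags & OCSP_NOCERTS))
- {
- if(!OCSP_request_add1_cert(req, signer)) goto err;
- for (i = 0; i < sk_X509_num(certs); i++)
- {
- x = sk_X509_value(certs, i);
- if (!OCSP_request_add1_cert(req, x)) goto err;
- }
- }
-
- return 1;
-err:
- OCSP_SIGNATURE_free(req->optionalSignature);
- req->optionalSignature = NULL;
- return 0;
- }
-
-/* Get response status */
-
-int OCSP_response_status(OCSP_RESPONSE *resp)
- {
- return ASN1_ENUMERATED_get(resp->responseStatus);
- }
-
-/* Extract basic response from OCSP_RESPONSE or NULL if
- * no basic response present.
- */
-
-
-OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp)
- {
- OCSP_RESPBYTES *rb;
- rb = resp->responseBytes;
- if (!rb)
- {
- OCSPerr(OCSP_F_OCSP_RESPONSE_GET1_BASIC, OCSP_R_NO_RESPONSE_DATA);
- return NULL;
- }
- if (OBJ_obj2nid(rb->responseType) != NID_id_pkix_OCSP_basic)
- {
- OCSPerr(OCSP_F_OCSP_RESPONSE_GET1_BASIC, OCSP_R_NOT_BASIC_RESPONSE);
- return NULL;
- }
-
- return ASN1_item_unpack(rb->response, ASN1_ITEM_rptr(OCSP_BASICRESP));
- }
-
-/* Return number of OCSP_SINGLERESP reponses present in
- * a basic response.
- */
-
-int OCSP_resp_count(OCSP_BASICRESP *bs)
- {
- if (!bs) return -1;
- return sk_OCSP_SINGLERESP_num(bs->tbsResponseData->responses);
- }
-
-/* Extract an OCSP_SINGLERESP response with a given index */
-
-OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx)
- {
- if (!bs) return NULL;
- return sk_OCSP_SINGLERESP_value(bs->tbsResponseData->responses, idx);
- }
-
-/* Look single response matching a given certificate ID */
-
-int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last)
- {
- int i;
- STACK_OF(OCSP_SINGLERESP) *sresp;
- OCSP_SINGLERESP *single;
- if (!bs) return -1;
- if (last < 0) last = 0;
- else last++;
- sresp = bs->tbsResponseData->responses;
- for (i = last; i < sk_OCSP_SINGLERESP_num(sresp); i++)
- {
- single = sk_OCSP_SINGLERESP_value(sresp, i);
- if (!OCSP_id_cmp(id, single->certId)) return i;
- }
- return -1;
- }
-
-/* Extract status information from an OCSP_SINGLERESP structure.
- * Note: the revtime and reason values are only set if the
- * certificate status is revoked. Returns numerical value of
- * status.
- */
-
-int OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason,
- ASN1_GENERALIZEDTIME **revtime,
- ASN1_GENERALIZEDTIME **thisupd,
- ASN1_GENERALIZEDTIME **nextupd)
- {
- int ret;
- OCSP_CERTSTATUS *cst;
- if(!single) return -1;
- cst = single->certStatus;
- ret = cst->type;
- if (ret == V_OCSP_CERTSTATUS_REVOKED)
- {
- OCSP_REVOKEDINFO *rev = cst->value.revoked;
- if (revtime) *revtime = rev->revocationTime;
- if (reason)
- {
- if(rev->revocationReason)
- *reason = ASN1_ENUMERATED_get(rev->revocationReason);
- else *reason = -1;
- }
- }
- if(thisupd) *thisupd = single->thisUpdate;
- if(nextupd) *nextupd = single->nextUpdate;
- return ret;
- }
-
-/* This function combines the previous ones: look up a certificate ID and
- * if found extract status information. Return 0 is successful.
- */
-
-int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
- int *reason,
- ASN1_GENERALIZEDTIME **revtime,
- ASN1_GENERALIZEDTIME **thisupd,
- ASN1_GENERALIZEDTIME **nextupd)
- {
- int i;
- OCSP_SINGLERESP *single;
- i = OCSP_resp_find(bs, id, -1);
- /* Maybe check for multiple responses and give an error? */
- if(i < 0) return 0;
- single = OCSP_resp_get0(bs, i);
- i = OCSP_single_get0_status(single, reason, revtime, thisupd, nextupd);
- if(status) *status = i;
- return 1;
- }
-
-/* Check validity of thisUpdate and nextUpdate fields. It is possible that the request will
- * take a few seconds to process and/or the time wont be totally accurate. Therefore to avoid
- * rejecting otherwise valid time we allow the times to be within 'nsec' of the current time.
- * Also to avoid accepting very old responses without a nextUpdate field an optional maxage
- * parameter specifies the maximum age the thisUpdate field can be.
- */
-
-int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd, ASN1_GENERALIZEDTIME *nextupd, long nsec, long maxsec)
- {
- int ret = 1;
- time_t t_now, t_tmp;
- time(&t_now);
- /* Check thisUpdate is valid and not more than nsec in the future */
- if (!ASN1_GENERALIZEDTIME_check(thisupd))
- {
- OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_ERROR_IN_THISUPDATE_FIELD);
- ret = 0;
- }
- else
- {
- t_tmp = t_now + nsec;
- if (X509_cmp_time(thisupd, &t_tmp) > 0)
- {
- OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_STATUS_NOT_YET_VALID);
- ret = 0;
- }
-
- /* If maxsec specified check thisUpdate is not more than maxsec in the past */
- if (maxsec >= 0)
- {
- t_tmp = t_now - maxsec;
- if (X509_cmp_time(thisupd, &t_tmp) < 0)
- {
- OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_STATUS_TOO_OLD);
- ret = 0;
- }
- }
- }
-
-
- if (!nextupd) return ret;
-
- /* Check nextUpdate is valid and not more than nsec in the past */
- if (!ASN1_GENERALIZEDTIME_check(nextupd))
- {
- OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_ERROR_IN_NEXTUPDATE_FIELD);
- ret = 0;
- }
- else
- {
- t_tmp = t_now - nsec;
- if (X509_cmp_time(nextupd, &t_tmp) < 0)
- {
- OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_STATUS_EXPIRED);
- ret = 0;
- }
- }
-
- /* Also don't allow nextUpdate to precede thisUpdate */
- if (ASN1_STRING_cmp(nextupd, thisupd) < 0)
- {
- OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE);
- ret = 0;
- }
-
- return ret;
- }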
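diff --git a/src/lib/libcrypto/ocsp/ocsp_err.c b/src/lib/libcrypto/ocsp/ocsp_err.c
deleted file mode 100644
index 0cedcea682..0000000000
--- a/src/lib/libcrypto/ocsp/ocsp_err.c
+++ /dev/null
@@ -1,142 +0,0 @@
-/* crypto/ocsp/ocsp_err.c */
-/* ====================================================================
- * Copyright (c) 1999-2006 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * openssl-core@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-/* NOTE: this file was auto generated by the mkerr.pl script: any changes
- * made to it will be overwritten when the script next updates this file,
- * only reason strings will be preserved.
- */
-
-#include <stdio.h>
-#include <openssl/err.h>
-#include <openssl/ocsp.h>
-
-/* BEGIN ERROR CODES */
-#ifndef OPENSSL_NO_ERR
-
-#define ERR_FUNC(func) ERR_PACK(ERR_LIB_OCSP,func,0)
-#define ERR_REASON(reason) ERR_PACK(ERR_LIB_OCSP,0,reason)
-
-static ERR_STRING_DATA OCSP_str_functs[]=
- {
-{ERR_FUNC(OCSP_F_ASN1_STRING_ENCODE), "ASN1_STRING_encode"},
-{ERR_FUNC(OCSP_F_D2I_OCSP_NONCE), "D2I_OCSP_NONCE"},
-{ERR_FUNC(OCSP_F_OCSP_BASIC_ADD1_STATUS), "OCSP_basic_add1_status"},
-{ERR_FUNC(OCSP_F_OCSP_BASIC_SIGN), "OCSP_basic_sign"},
-{ERR_FUNC(OCSP_F_OCSP_BASIC_VERIFY), "OCSP_basic_verify"},
-{ERR_FUNC(OCSP_F_OCSP_CERT_ID_NEW), "OCSP_cert_id_new"},
-{ERR_FUNC(OCSP_F_OCSP_CHECK_DELEGATED), "OCSP_CHECK_DELEGATED"},
-{ERR_FUNC(OCSP_F_OCSP_CHECK_IDS), "OCSP_CHECK_IDS"},
-{ERR_FUNC(OCSP_F_OCSP_CHECK_ISSUER), "OCSP_CHECK_ISSUER"},
-{ERR_FUNC(OCSP_F_OCSP_CHECK_VALIDITY), "OCSP_check_validity"},
-{ERR_FUNC(OCSP_F_OCSP_MATCH_ISSUERID), "OCSP_MATCH_ISSUERID"},
-{ERR_FUNC(OCSP_F_OCSP_PARSE_URL), "OCSP_parse_url"},
-{ERR_FUNC(OCSP_F_OCSP_REQUEST_SIGN), "OCSP_request_sign"},
-{ERR_FUNC(OCSP_F_OCSP_REQUEST_VERIFY), "OCSP_request_verify"},
-{ERR_FUNC(OCSP_F_OCSP_RESPONSE_GET1_BASIC), "OCSP_response_get1_basic"},
-{ERR_FUNC(OCSP_F_OCSP_SENDREQ_BIO), "OCSP_sendreq_bio"},
-{ERR_FUNC(OCSP_F_OCSP_SENDREQ_NBIO), "OCSP_sendreq_nbio"},
-{ERR_FUNC(OCSP_F_PARSE_HTTP_LINE1), "PARSE_HTTP_LINE1"},
-{ERR_FUNC(OCSP_F_REQUEST_VERIFY), "REQUEST_VERIFY"},
-{0,NULL}
- };
-
-static ERR_STRING_DATA OCSP_str_reasons[]=
- {
-{ERR_REASON(OCSP_R_BAD_DATA) ,"bad data"},
-{ERR_REASON(OCSP_R_CERTIFICATE_VERIFY_ERROR),"certificate verify error"},
-{ERR_REASON(OCSP_R_DIGEST_ERR) ,"digest err"},
-{ERR_REASON(OCSP_R_ERROR_IN_NEXTUPDATE_FIELD),"error in nextupdate field"},
-{ERR_REASON(OCSP_R_ERROR_IN_THISUPDATE_FIELD),"error in thisupdate field"},
-{ERR_REASON(OCSP_R_ERROR_PARSING_URL) ,"error parsing url"},
-{ERR_REASON(OCSP_R_MISSING_OCSPSIGNING_USAGE),"missing ocspsigning usage"},
-{ERR_REASON(OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE),"nextupdate before thisupdate"},
-{ERR_REASON(OCSP_R_NOT_BASIC_RESPONSE) ,"not basic response"},
-{ERR_REASON(OCSP_R_NO_CERTIFICATES_IN_CHAIN),"no certificates in chain"},
-{ERR_REASON(OCSP_R_NO_CONTENT) ,"no content"},
-{ERR_REASON(OCSP_R_NO_PUBLIC_KEY) ,"no public key"},
-{ERR_REASON(OCSP_R_NO_RESPONSE_DATA) ,"no response data"},
-{ERR_REASON(OCSP_R_NO_REVOKED_TIME) ,"no revoked time"},
-{ERR_REASON(OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE),"private key does not match certificate"},
-{ERR_REASON(OCSP_R_REQUEST_NOT_SIGNED) ,"request not signed"},
-{ERR_REASON(OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA),"response contains no revocation data"},
-{ERR_REASON(OCSP_R_ROOT_CA_NOT_TRUSTED) ,"root ca not trusted"},
-{ERR_REASON(OCSP_R_SERVER_READ_ERROR) ,"server read error"},
-{ERR_REASON(OCSP_R_SERVER_RESPONSE_ERROR),"server response error"},
-{ERR_REASON(OCSP_R_SERVER_RESPONSE_PARSE_ERROR),"server response parse error"},
-{ERR_REASON(OCSP_R_SERVER_WRITE_ERROR) ,"server write error"},
-{ERR_REASON(OCSP_R_SIGNATURE_FAILURE) ,"signature failure"},
-{ERR_REASON(OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND),"signer certificate not found"},
-{ERR_REASON(OCSP_R_STATUS_EXPIRED) ,"status expired"},
-{ERR_REASON(OCSP_R_STATUS_NOT_YET_VALID) ,"status not yet valid"},
-{ERR_REASON(OCSP_R_STATUS_TOO_OLD) ,"status too old"},
-{ERR_REASON(OCSP_R_UNKNOWN_MESSAGE_DIGEST),"unknown message digest"},
-{ERR_REASON(OCSP_R_UNKNOWN_NID) ,"unknown nid"},
-{ERR_REASON(OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE),"unsupported requestorname type"},
-{0,NULL}
- };
-
-#endif
-
-void ERR_load_OCSP_strings(void)
- {
-#ifndef OPENSSL_NO_ERR
-
- if (ERR_func_error_string(OCSP_str_functs[0].error) == NULL)
- {
- ERR_load_strings(0,OCSP_str_functs);
- ERR_load_strings(0,OCSP_str_reasons);
- }
-#endif
- }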
diff --git a/src/lib/libcrypto/ocsp/ocsp_ext.c b/src/lib/libcrypto/ocsp/ocsp_ext.c
deleted file mode 100644
index ec884cb08f..0000000000
--- a/src/lib/libcrypto/ocsp/ocsp_ext.c
+++ /dev/null
@@ -1,518 +0,0 @@
1/* ocsp_ext.c */
2/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
3 * project. */
4
5/* History:
6 This file was transfered to Richard Levitte from CertCo by Kathy
7 Weinhold in mid-spring 2000 to be included in OpenSSL or released
8 as a patch kit. */
9
10/* ====================================================================
11 * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
12 *
13 * Redistribution and use in source and binary forms, with or without
14 * modification, are permitted provided that the following conditions
15 * are met:
16 *
17 * 1. Redistributions of source code must retain the above copyright
18 * notice, this list of conditions and the following disclaimer.
19 *
20 * 2. Redistributions in binary form must reproduce the above copyright
21 * notice, this list of conditions and the following disclaimer in
22 * the documentation and/or other materials provided with the
23 * distribution.
24 *
25 * 3. All advertising materials mentioning features or use of this
26 * software must display the following acknowledgment:
27 * "This product includes software developed by the OpenSSL Project
28 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
29 *
30 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
31 * endorse or promote products derived from this software without
32 * prior written permission. For written permission, please contact
33 * openssl-core@openssl.org.
34 *
35 * 5. Products derived from this software may not be called "OpenSSL"
36 * nor may "OpenSSL" appear in their names without prior written
37 * permission of the OpenSSL Project.
38 *
39 * 6. Redistributions of any form whatsoever must retain the following
40 * acknowledgment:
41 * "This product includes software developed by the OpenSSL Project
42 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
43 *
44 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
45 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
46 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
47 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
48 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
49 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
50 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
51 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
52 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
53 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
54 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
55 * OF THE POSSIBILITY OF SUCH DAMAGE.
56 * ====================================================================
57 *
58 * This product includes cryptographic software written by Eric Young
59 * (eay@cryptsoft.com). This product includes software written by Tim
60 * Hudson (tjh@cryptsoft.com).
61 *
62 */
63
64#include <stdio.h>
65#include <cryptlib.h>
66#include <openssl/objects.h>
67#include <openssl/x509.h>
68#include <openssl/ocsp.h>
69#include <openssl/rand.h>
70#include <openssl/x509v3.h>
71
72/* Standard wrapper functions for extensions */
73
74/* OCSP request extensions */
75
76int OCSP_REQUEST_get_ext_count(OCSP_REQUEST *x)
77 {
78 return(X509v3_get_ext_count(x->tbsRequest->requestExtensions));
79 }
80
81int OCSP_REQUEST_get_ext_by_NID(OCSP_REQUEST *x, int nid, int lastpos)
82 {
83 return(X509v3_get_ext_by_NID(x->tbsRequest->requestExtensions,nid,lastpos));
84 }
85
86int OCSP_REQUEST_get_ext_by_OBJ(OCSP_REQUEST *x, ASN1_OBJECT *obj, int lastpos)
87 {
88 return(X509v3_get_ext_by_OBJ(x->tbsRequest->requestExtensions,obj,lastpos));
89 }
90
91int OCSP_REQUEST_get_ext_by_critical(OCSP_REQUEST *x, int crit, int lastpos)
92 {
93 return(X509v3_get_ext_by_critical(x->tbsRequest->requestExtensions,crit,lastpos));
94 }
95
96X509_EXTENSION *OCSP_REQUEST_get_ext(OCSP_REQUEST *x, int loc)
97 {
98 return(X509v3_get_ext(x->tbsRequest->requestExtensions,loc));
99 }
100
101X509_EXTENSION *OCSP_REQUEST_delete_ext(OCSP_REQUEST *x, int loc)
102 {
103 return(X509v3_delete_ext(x->tbsRequest->requestExtensions,loc));
104 }
105
106void *OCSP_REQUEST_get1_ext_d2i(OCSP_REQUEST *x, int nid, int *crit, int *idx)
107 {
108 return X509V3_get_d2i(x->tbsRequest->requestExtensions, nid, crit, idx);
109 }
110
111int OCSP_REQUEST_add1_ext_i2d(OCSP_REQUEST *x, int nid, void *value, int crit,
112 unsigned long flags)
113 {
114 return X509V3_add1_i2d(&x->tbsRequest->requestExtensions, nid, value, crit, flags);
115 }
116
117int OCSP_REQUEST_add_ext(OCSP_REQUEST *x, X509_EXTENSION *ex, int loc)
118 {
119 return(X509v3_add_ext(&(x->tbsRequest->requestExtensions),ex,loc) != NULL);
120 }
121
122/* Single extensions */
123
124int OCSP_ONEREQ_get_ext_count(OCSP_ONEREQ *x)
125 {
126 return(X509v3_get_ext_count(x->singleRequestExtensions));
127 }
128
129int OCSP_ONEREQ_get_ext_by_NID(OCSP_ONEREQ *x, int nid, int lastpos)
130 {
131 return(X509v3_get_ext_by_NID(x->singleRequestExtensions,nid,lastpos));
132 }
133
134int OCSP_ONEREQ_get_ext_by_OBJ(OCSP_ONEREQ *x, ASN1_OBJECT *obj, int lastpos)
135 {
136 return(X509v3_get_ext_by_OBJ(x->singleRequestExtensions,obj,lastpos));
137 }
138
139int OCSP_ONEREQ_get_ext_by_critical(OCSP_ONEREQ *x, int crit, int lastpos)
140 {
141 return(X509v3_get_ext_by_critical(x->singleRequestExtensions,crit,lastpos));
142 }
143
144X509_EXTENSION *OCSP_ONEREQ_get_ext(OCSP_ONEREQ *x, int loc)
145 {
146 return(X509v3_get_ext(x->singleRequestExtensions,loc));
147 }
148
149X509_EXTENSION *OCSP_ONEREQ_delete_ext(OCSP_ONEREQ *x, int loc)
150 {
151 return(X509v3_delete_ext(x->singleRequestExtensions,loc));
152 }
153
154void *OCSP_ONEREQ_get1_ext_d2i(OCSP_ONEREQ *x, int nid, int *crit, int *idx)
155 {
156 return X509V3_get_d2i(x->singleRequestExtensions, nid, crit, idx);
157 }
158
159int OCSP_ONEREQ_add1_ext_i2d(OCSP_ONEREQ *x, int nid, void *value, int crit,
160 unsigned long flags)
161 {
162 return X509V3_add1_i2d(&x->singleRequestExtensions, nid, value, crit, flags);
163 }
164
165int OCSP_ONEREQ_add_ext(OCSP_ONEREQ *x, X509_EXTENSION *ex, int loc)
166 {
167 return(X509v3_add_ext(&(x->singleRequestExtensions),ex,loc) != NULL);
168 }
169
170/* OCSP Basic response */
171
172int OCSP_BASICRESP_get_ext_count(OCSP_BASICRESP *x)
173 {
174 return(X509v3_get_ext_count(x->tbsResponseData->responseExtensions));
175 }
176
177int OCSP_BASICRESP_get_ext_by_NID(OCSP_BASICRESP *x, int nid, int lastpos)
178 {
179 return(X509v3_get_ext_by_NID(x->tbsResponseData->responseExtensions,nid,lastpos));
180 }
181
182int OCSP_BASICRESP_get_ext_by_OBJ(OCSP_BASICRESP *x, ASN1_OBJECT *obj, int lastpos)
183 {
184 return(X509v3_get_ext_by_OBJ(x->tbsResponseData->responseExtensions,obj,lastpos));
185 }
186
187int OCSP_BASICRESP_get_ext_by_critical(OCSP_BASICRESP *x, int crit, int lastpos)
188 {
189 return(X509v3_get_ext_by_critical(x->tbsResponseData->responseExtensions,crit,lastpos));
190 }
191
192X509_EXTENSION *OCSP_BASICRESP_get_ext(OCSP_BASICRESP *x, int loc)
193 {
194 return(X509v3_get_ext(x->tbsResponseData->responseExtensions,loc));
195 }
196
197X509_EXTENSION *OCSP_BASICRESP_delete_ext(OCSP_BASICRESP *x, int loc)
198 {
199 return(X509v3_delete_ext(x->tbsResponseData->responseExtensions,loc));
200 }
201
202void *OCSP_BASICRESP_get1_ext_d2i(OCSP_BASICRESP *x, int nid, int *crit, int *idx)
203 {
204 return X509V3_get_d2i(x->tbsResponseData->responseExtensions, nid, crit, idx);
205 }
206
207int OCSP_BASICRESP_add1_ext_i2d(OCSP_BASICRESP *x, int nid, void *value, int crit,
208 unsigned long flags)
209 {
210 return X509V3_add1_i2d(&x->tbsResponseData->responseExtensions, nid, value, crit, flags);
211 }
212
213int OCSP_BASICRESP_add_ext(OCSP_BASICRESP *x, X509_EXTENSION *ex, int loc)
214 {
215 return(X509v3_add_ext(&(x->tbsResponseData->responseExtensions),ex,loc) != NULL);
216 }
217
218/* OCSP single response extensions */
219
220int OCSP_SINGLERESP_get_ext_count(OCSP_SINGLERESP *x)
221 {
222 return(X509v3_get_ext_count(x->singleExtensions));
223 }
224
225int OCSP_SINGLERESP_get_ext_by_NID(OCSP_SINGLERESP *x, int nid, int lastpos)
226 {
227 return(X509v3_get_ext_by_NID(x->singleExtensions,nid,lastpos));
228 }
229
230int OCSP_SINGLERESP_get_ext_by_OBJ(OCSP_SINGLERESP *x, ASN1_OBJECT *obj, int lastpos)
231 {
232 return(X509v3_get_ext_by_OBJ(x->singleExtensions,obj,lastpos));
233 }
234
235int OCSP_SINGLERESP_get_ext_by_critical(OCSP_SINGLERESP *x, int crit, int lastpos)
236 {
237 return(X509v3_get_ext_by_critical(x->singleExtensions,crit,lastpos));
238 }
239
240X509_EXTENSION *OCSP_SINGLERESP_get_ext(OCSP_SINGLERESP *x, int loc)
241 {
242 return(X509v3_get_ext(x->singleExtensions,loc));
243 }
244
245X509_EXTENSION *OCSP_SINGLERESP_delete_ext(OCSP_SINGLERESP *x, int loc)
246 {
247 return(X509v3_delete_ext(x->singleExtensions,loc));
248 }
249
250void *OCSP_SINGLERESP_get1_ext_d2i(OCSP_SINGLERESP *x, int nid, int *crit, int *idx)
251 {
252 return X509V3_get_d2i(x->singleExtensions, nid, crit, idx);
253 }
254
255int OCSP_SINGLERESP_add1_ext_i2d(OCSP_SINGLERESP *x, int nid, void *value, int crit,
256 unsigned long flags)
257 {
258 return X509V3_add1_i2d(&x->singleExtensions, nid, value, crit, flags);
259 }
260
261int OCSP_SINGLERESP_add_ext(OCSP_SINGLERESP *x, X509_EXTENSION *ex, int loc)
262 {
263 return(X509v3_add_ext(&(x->singleExtensions),ex,loc) != NULL);
264 }
265
266/* also CRL Entry Extensions */
267#if 0
268ASN1_STRING *ASN1_STRING_encode(ASN1_STRING *s, i2d_of_void *i2d,
269 void *data, STACK_OF(ASN1_OBJECT) *sk)
270 {
271 int i;
272 unsigned char *p, *b = NULL;
273
274 if (data)
275 {
276 if ((i=i2d(data,NULL)) <= 0) goto err;
277 if (!(b=p=OPENSSL_malloc((unsigned int)i)))
278 goto err;
279 if (i2d(data, &p) <= 0) goto err;
280 }
281 else if (sk)
282 {
283 if ((i=i2d_ASN1_SET_OF_ASN1_OBJECT(sk,NULL,
284 (I2D_OF(ASN1_OBJECT))i2d,
285 V_ASN1_SEQUENCE,
286 V_ASN1_UNIVERSAL,
287 IS_SEQUENCE))<=0) goto err;
288 if (!(b=p=OPENSSL_malloc((unsigned int)i)))
289 goto err;
290 if (i2d_ASN1_SET_OF_ASN1_OBJECT(sk,&p,(I2D_OF(ASN1_OBJECT))i2d,
291 V_ASN1_SEQUENCE,
292 V_ASN1_UNIVERSAL,
293 IS_SEQUENCE)<=0) goto err;
294 }
295 else
296 {
297 OCSPerr(OCSP_F_ASN1_STRING_ENCODE,OCSP_R_BAD_DATA);
298 goto err;
299 }
300 if (!s && !(s = ASN1_STRING_new())) goto err;
301 if (!(ASN1_STRING_set(s, b, i))) goto err;
302 OPENSSL_free(b);
303 return s;
304err:
305 if (b) OPENSSL_free(b);
306 return NULL;
307 }
308#endif
309
310/* Nonce handling functions */
311
312/* Add a nonce to an extension stack. A nonce can be specificed or if NULL
313 * a random nonce will be generated.
314 * Note: OpenSSL 0.9.7d and later create an OCTET STRING containing the
315 * nonce, previous versions used the raw nonce.
316 */
317
318static int ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts, unsigned char *val, int len)
319 {
320 unsigned char *tmpval;
321 ASN1_OCTET_STRING os;
322 int ret = 0;
323 if (len <= 0) len = OCSP_DEFAULT_NONCE_LENGTH;
324 /* Create the OCTET STRING manually by writing out the header and
325 * appending the content octets. This avoids an extra memory allocation
326 * operation in some cases. Applications should *NOT* do this because
327 * it relies on library internals.
328 */
329 os.length = ASN1_object_size(0, len, V_ASN1_OCTET_STRING);
330 os.data = OPENSSL_malloc(os.length);
331 if (os.data == NULL)
332 goto err;
333 tmpval = os.data;
334 ASN1_put_object(&tmpval, 0, len, V_ASN1_OCTET_STRING, V_ASN1_UNIVERSAL);
335 if (val)
336 memcpy(tmpval, val, len);
337 else
338 RAND_pseudo_bytes(tmpval, len);
339 if(!X509V3_add1_i2d(exts, NID_id_pkix_OCSP_Nonce,
340 &os, 0, X509V3_ADD_REPLACE))
341 goto err;
342 ret = 1;
343 err:
344 if (os.data)
345 OPENSSL_free(os.data);
346 return ret;
347 }
348
349
350/* Add nonce to an OCSP request */
351
352int OCSP_request_add1_nonce(OCSP_REQUEST *req, unsigned char *val, int len)
353 {
354 return ocsp_add1_nonce(&req->tbsRequest->requestExtensions, val, len);
355 }
356
357/* Same as above but for a response */
358
359int OCSP_basic_add1_nonce(OCSP_BASICRESP *resp, unsigned char *val, int len)
360 {
361 return ocsp_add1_nonce(&resp->tbsResponseData->responseExtensions, val, len);
362 }
363
364/* Check nonce validity in a request and response.
365 * Return value reflects result:
366 * 1: nonces present and equal.
367 * 2: nonces both absent.
368 * 3: nonce present in response only.
369 * 0: nonces both present and not equal.
370 * -1: nonce in request only.
371 *
372 * For most responders clients can check return > 0.
373 * If responder doesn't handle nonces return != 0 may be
374 * necessary. return == 0 is always an error.
375 */
376
377int OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *bs)
378 {
379 /*
380 * Since we are only interested in the presence or absence of
381 * the nonce and comparing its value there is no need to use
382 * the X509V3 routines: this way we can avoid them allocating an
383 * ASN1_OCTET_STRING structure for the value which would be
384 * freed immediately anyway.
385 */
386
387 int req_idx, resp_idx;
388 X509_EXTENSION *req_ext, *resp_ext;
389 req_idx = OCSP_REQUEST_get_ext_by_NID(req, NID_id_pkix_OCSP_Nonce, -1);
390 resp_idx = OCSP_BASICRESP_get_ext_by_NID(bs, NID_id_pkix_OCSP_Nonce, -1);
391 /* Check both absent */
392 if((req_idx < 0) && (resp_idx < 0))
393 return 2;
394 /* Check in request only */
395 if((req_idx >= 0) && (resp_idx < 0))
396 return -1;
397 /* Check in response but not request */
398 if((req_idx < 0) && (resp_idx >= 0))
399 return 3;
400 /* Otherwise nonce in request and response so retrieve the extensions */
401 req_ext = OCSP_REQUEST_get_ext(req, req_idx);
402 resp_ext = OCSP_BASICRESP_get_ext(bs, resp_idx);
403 if(ASN1_OCTET_STRING_cmp(req_ext->value, resp_ext->value))
404 return 0;
405 return 1;
406 }
407
408/* Copy the nonce value (if any) from an OCSP request to
409 * a response.
410 */
411
412int OCSP_copy_nonce(OCSP_BASICRESP *resp, OCSP_REQUEST *req)
413 {
414 X509_EXTENSION *req_ext;
415 int req_idx;
416 /* Check for nonce in request */
417 req_idx = OCSP_REQUEST_get_ext_by_NID(req, NID_id_pkix_OCSP_Nonce, -1);
418 /* If no nonce that's OK */
419 if (req_idx < 0) return 2;
420 req_ext = OCSP_REQUEST_get_ext(req, req_idx);
421 return OCSP_BASICRESP_add_ext(resp, req_ext, -1);
422 }
423
424X509_EXTENSION *OCSP_crlID_new(char *url, long *n, char *tim)
425 {
426 X509_EXTENSION *x = NULL;
427 OCSP_CRLID *cid = NULL;
428
429 if (!(cid = OCSP_CRLID_new())) goto err;
430 if (url)
431 {
432 if (!(cid->crlUrl = ASN1_IA5STRING_new())) goto err;
433 if (!(ASN1_STRING_set(cid->crlUrl, url, -1))) goto err;
434 }
435 if (n)
436 {
437 if (!(cid->crlNum = ASN1_INTEGER_new())) goto err;
438 if (!(ASN1_INTEGER_set(cid->crlNum, *n))) goto err;
439 }
440 if (tim)
441 {
442 if (!(cid->crlTime = ASN1_GENERALIZEDTIME_new())) goto err;
443 if (!(ASN1_GENERALIZEDTIME_set_string(cid->crlTime, tim)))
444 goto err;
445 }
446 x = X509V3_EXT_i2d(NID_id_pkix_OCSP_CrlID, 0, cid);
447err:
448 if (cid) OCSP_CRLID_free(cid);
449 return x;
450 }
451
452/* AcceptableResponses ::= SEQUENCE OF OBJECT IDENTIFIER */
453X509_EXTENSION *OCSP_accept_responses_new(char **oids)
454 {
455 int nid;
456 STACK_OF(ASN1_OBJECT) *sk = NULL;
457 ASN1_OBJECT *o = NULL;
458 X509_EXTENSION *x = NULL;
459
460 if (!(sk = sk_ASN1_OBJECT_new_null())) goto err;
461 while (oids && *oids)
462 {
463 if ((nid=OBJ_txt2nid(*oids))!=NID_undef&&(o=OBJ_nid2obj(nid)))
464 sk_ASN1_OBJECT_push(sk, o);
465 oids++;
466 }
467 x = X509V3_EXT_i2d(NID_id_pkix_OCSP_acceptableResponses, 0, sk);
468err:
469 if (sk) sk_ASN1_OBJECT_pop_free(sk, ASN1_OBJECT_free);
470 return x;
471 }
472
473/* ArchiveCutoff ::= GeneralizedTime */
474X509_EXTENSION *OCSP_archive_cutoff_new(char* tim)
475 {
476 X509_EXTENSION *x=NULL;
477 ASN1_GENERALIZEDTIME *gt = NULL;
478
479 if (!(gt = ASN1_GENERALIZEDTIME_new())) goto err;
480 if (!(ASN1_GENERALIZEDTIME_set_string(gt, tim))) goto err;
481 x = X509V3_EXT_i2d(NID_id_pkix_OCSP_archiveCutoff, 0, gt);
482err:
483 if (gt) ASN1_GENERALIZEDTIME_free(gt);
484 return x;
485 }
486
487/* per ACCESS_DESCRIPTION parameter are oids, of which there are currently
488 * two--NID_ad_ocsp, NID_id_ad_caIssuers--and GeneralName value. This
489 * method forces NID_ad_ocsp and uniformResourceLocator [6] IA5String.
490 */
491X509_EXTENSION *OCSP_url_svcloc_new(X509_NAME* issuer, char **urls)
492 {
493 X509_EXTENSION *x = NULL;
494 ASN1_IA5STRING *ia5 = NULL;
495 OCSP_SERVICELOC *sloc = NULL;
496 ACCESS_DESCRIPTION *ad = NULL;
497
498 if (!(sloc = OCSP_SERVICELOC_new())) goto err;
499 if (!(sloc->issuer = X509_NAME_dup(issuer))) goto err;
500 if (urls && *urls && !(sloc->locator = sk_ACCESS_DESCRIPTION_new_null())) goto err;
501 while (urls && *urls)
502 {
503 if (!(ad = ACCESS_DESCRIPTION_new())) goto err;
504 if (!(ad->method=OBJ_nid2obj(NID_ad_OCSP))) goto err;
505 if (!(ad->location = GENERAL_NAME_new())) goto err;
506 if (!(ia5 = ASN1_IA5STRING_new())) goto err;
507 if (!ASN1_STRING_set((ASN1_STRING*)ia5, *urls, -1)) goto err;
508 ad->location->type = GEN_URI;
509 ad->location->d.ia5 = ia5;
510 if (!sk_ACCESS_DESCRIPTION_push(sloc->locator, ad)) goto err;
511 urls++;
512 }
513 x = X509V3_EXT_i2d(NID_id_pkix_OCSP_serviceLocator, 0, sloc);
514err:
515 if (sloc) OCSP_SERVICELOC_free(sloc);
516 return x;
517 }
518
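diff --git a/src/lib/libcrypto/ocsp/ocsp_ht.c b/src/lib/libcrypto/ocsp/ocsp_ht.c
deleted file mode 100644
index af5fc16691..0000000000
--- a/src/lib/libcrypto/ocsp/ocsp_ht.c
+++ /dev/null
@@ -1,504 +0,0 @@
-/* ocsp_ht.c */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 2006.
- */
-/* ====================================================================
- * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <ctype.h>
-#include <string.h>
-#include "e_os.h"
-#include <openssl/asn1.h>
-#include <openssl/ocsp.h>
-#include <openssl/err.h>
-#include <openssl/buffer.h>
-#ifdef OPENSSL_SYS_SUNOS
-#define strtoul (unsigned long)strtol
-#endif /* OPENSSL_SYS_SUNOS */
-
-/* Stateful OCSP request code, supporting non-blocking I/O */
-
-/* Opaque OCSP request status structure */
-
-struct ocsp_req_ctx_st {
- int state; /* Current I/O state */
- unsigned char *iobuf; /* Line buffer */
- int iobuflen; /* Line buffer length */
- BIO *io; /* BIO to perform I/O with */
- BIO *mem; /* Memory BIO response is built into */
- unsigned long asn1_len; /* ASN1 length of response */
- };
-
-#define OCSP_MAX_REQUEST_LENGTH (100 * 1024)
-#define OCSP_MAX_LINE_LEN 4096;
-
-/* OCSP states */
-
-/* If set no reading should be performed */
-#define OHS_NOREAD 0x1000
-/* Error condition */
-#define OHS_ERROR (0 | OHS_NOREAD)
-/* First line being read */
-#define OHS_FIRSTLINE 1
-/* MIME headers being read */
-#define OHS_HEADERS 2
-/* OCSP initial header (tag + length) being read */
-#define OHS_ASN1_HEADER 3
-/* OCSP content octets being read */
-#define OHS_ASN1_CONTENT 4
-/* Request being sent */
-#define OHS_ASN1_WRITE (6 | OHS_NOREAD)
-/* Request being flushed */
-#define OHS_ASN1_FLUSH (7 | OHS_NOREAD)
-/* Completed */
-#define OHS_DONE (8 | OHS_NOREAD)
-
-
-static int parse_http_line1(char *line);
-
-void OCSP_REQ_CTX_free(OCSP_REQ_CTX *rctx)
- {
- if (rctx->mem)
- BIO_free(rctx->mem);
- if (rctx->iobuf)
- OPENSSL_free(rctx->iobuf);
- OPENSSL_free(rctx);
- }
-
-int OCSP_REQ_CTX_set1_req(OCSP_REQ_CTX *rctx, OCSP_REQUEST *req)
- {
- static const char req_hdr[] =
- "Content-Type: application/ocsp-request\r\n"
- "Content-Length: %d\r\n\r\n";
- if (BIO_printf(rctx->mem, req_hdr, i2d_OCSP_REQUEST(req, NULL)) <= 0)
- return 0;
- if (i2d_OCSP_REQUEST_bio(rctx->mem, req) <= 0)
- return 0;
- rctx->state = OHS_ASN1_WRITE;
- rctx->asn1_len = BIO_get_mem_data(rctx->mem, NULL);
- return 1;
- }
-
-int OCSP_REQ_CTX_add1_header(OCSP_REQ_CTX *rctx,
- const char *name, const char *value)
- {
- if (!name)
- return 0;
- if (BIO_puts(rctx->mem, name) <= 0)
- return 0;
- if (value)
- {
- if (BIO_write(rctx->mem, ": ", 2) != 2)
- return 0;
- if (BIO_puts(rctx->mem, value) <= 0)
- return 0;
- }
- if (BIO_write(rctx->mem, "\r\n", 2) != 2)
- return 0;
- return 1;
- }
-
-OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, char *path, OCSP_REQUEST *req,
- int maxline)
- {
- static const char post_hdr[] = "POST %s HTTP/1.0\r\n";
-
- OCSP_REQ_CTX *rctx;
- rctx = OPENSSL_malloc(sizeof(OCSP_REQ_CTX));
- rctx->state = OHS_ERROR;
- rctx->mem = BIO_new(BIO_s_mem());
- rctx->io = io;
- rctx->asn1_len = 0;
- if (maxline > 0)
- rctx->iobuflen = maxline;
- else
- rctx->iobuflen = OCSP_MAX_LINE_LEN;
- rctx->iobuf = OPENSSL_malloc(rctx->iobuflen);
- if (!rctx->iobuf)
- return 0;
- if (!path)
- path = "/";
-
- if (BIO_printf(rctx->mem, post_hdr, path) <= 0)
- return 0;
-
- if (req && !OCSP_REQ_CTX_set1_req(rctx, req))
- return 0;
-
- return rctx;
- }
-
-/* Parse the HTTP response. This will look like this:
- * "HTTP/1.0 200 OK". We need to obtain the numeric code and
- * (optional) informational message.
- */
-
-static int parse_http_line1(char *line)
- {
- int retcode;
- char *p, *q, *r;
- /* Skip to first white space (passed protocol info) */
-
- for(p = line; *p && !isspace((unsigned char)*p); p++)
- continue;
- if(!*p)
- {
- OCSPerr(OCSP_F_PARSE_HTTP_LINE1,
- OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
- return 0;
- }
-
- /* Skip past white space to start of response code */
- while(*p && isspace((unsigned char)*p))
- p++;
-
- if(!*p)
- {
- OCSPerr(OCSP_F_PARSE_HTTP_LINE1,
- OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
- return 0;
- }
-
- /* Find end of response code: first whitespace after start of code */
- for(q = p; *q && !isspace((unsigned char)*q); q++)
- continue;
-
- if(!*q)
- {
- OCSPerr(OCSP_F_PARSE_HTTP_LINE1,
- OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
- return 0;
- }
-
- /* Set end of response code and start of message */
- *q++ = 0;
-
- /* Attempt to parse numeric code */
- retcode = strtoul(p, &r, 10);
-
- if(*r)
- return 0;
-
- /* Skip over any leading white space in message */
- while(*q && isspace((unsigned char)*q))
- q++;
-
- if(*q)
- {
- /* Finally zap any trailing white space in message (include
- * CRLF) */
-
- /* We know q has a non white space character so this is OK */
- for(r = q + strlen(q) - 1; isspace((unsigned char)*r); r--)
- *r = 0;
- }
- if(retcode != 200)
- {
- OCSPerr(OCSP_F_PARSE_HTTP_LINE1, OCSP_R_SERVER_RESPONSE_ERROR);
- if(!*q)
- ERR_add_error_data(2, "Code=", p);
- else
- ERR_add_error_data(4, "Code=", p, ",Reason=", q);
- return 0;
- }
-
-
- return 1;
-
- }
-
-int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx)
- {
- int i, n;
- const unsigned char *p;
- next_io:
- if (!(rctx->state & OHS_NOREAD))
- {
- n = BIO_read(rctx->io, rctx->iobuf, rctx->iobuflen);
-
- if (n <= 0)
- {
- if (BIO_should_retry(rctx->io))
- return -1;
- return 0;
- }
-
- /* Write data to memory BIO */
-
- if (BIO_write(rctx->mem, rctx->iobuf, n) != n)
- return 0;
- }
-
- switch(rctx->state)
- {
-
- case OHS_ASN1_WRITE:
- n = BIO_get_mem_data(rctx->mem, &p);
-
- i = BIO_write(rctx->io,
- p + (n - rctx->asn1_len), rctx->asn1_len);
-
- if (i <= 0)
- {
- if (BIO_should_retry(rctx->io))
- return -1;
- rctx->state = OHS_ERROR;
- return 0;
- }
-
- rctx->asn1_len -= i;
-
- if (rctx->asn1_len > 0)
- goto next_io;
-
- rctx->state = OHS_ASN1_FLUSH;
-
- (void)BIO_reset(rctx->mem);
-
- case OHS_ASN1_FLUSH:
-
- i = BIO_flush(rctx->io);
-
- if (i > 0)
- {
- rctx->state = OHS_FIRSTLINE;
- goto next_io;
- }
-
- if (BIO_should_retry(rctx->io))
- return -1;
-
- rctx->state = OHS_ERROR;
- return 0;
-
- case OHS_ERROR:
- return 0;
-
- case OHS_FIRSTLINE:
- case OHS_HEADERS:
-
- /* Attempt to read a line in */
-
- next_line:
- /* Due to &%^*$" memory BIO behaviour with BIO_gets we
- * have to check there's a complete line in there before
- * calling BIO_gets or we'll just get a partial read.
- */
- n = BIO_get_mem_data(rctx->mem, &p);
- if ((n <= 0) || !memchr(p, '\n', n))
- {
- if (n >= rctx->iobuflen)
- {
- rctx->state = OHS_ERROR;
- return 0;
- }
- goto next_io;
- }
- n = BIO_gets(rctx->mem, (char *)rctx->iobuf, rctx->iobuflen);
-
- if (n <= 0)
- {
- if (BIO_should_retry(rctx->mem))
- goto next_io;
- rctx->state = OHS_ERROR;
- return 0;
- }
-
- /* Don't allow excessive lines */
- if (n == rctx->iobuflen)
- {
- rctx->state = OHS_ERROR;
- return 0;
- }
-
- /* First line */
- if (rctx->state == OHS_FIRSTLINE)
- {
- if (parse_http_line1((char *)rctx->iobuf))
- {
- rctx->state = OHS_HEADERS;
- goto next_line;
- }
- else
- {
- rctx->state = OHS_ERROR;
- return 0;
- }
- }
- else
- {
- /* Look for blank line: end of headers */
- for (p = rctx->iobuf; *p; p++)
- {
- if ((*p != '\r') && (*p != '\n'))
- break;
- }
- if (*p)
- goto next_line;
-
- rctx->state = OHS_ASN1_HEADER;
-
- }
-
- /* Fall thru */
-
-
- case OHS_ASN1_HEADER:
- /* Now reading ASN1 header: can read at least 2 bytes which
- * is enough for ASN1 SEQUENCE header and either length field
- * or at least the length of the length field.
- */
- n = BIO_get_mem_data(rctx->mem, &p);
- if (n < 2)
- goto next_io;
-
- /* Check it is an ASN1 SEQUENCE */
- if (*p++ != (V_ASN1_SEQUENCE|V_ASN1_CONSTRUCTED))
- {
- rctx->state = OHS_ERROR;
- return 0;
- }
-
- /* Check out length field */
- if (*p & 0x80)
- {
- /* If MSB set on initial length octet we can now
- * always read 6 octets: make sure we have them.
- */
- if (n < 6)
- goto next_io;
- n = *p & 0x7F;
- /* Not NDEF or excessive length */
- if (!n || (n > 4))
- {
- rctx->state = OHS_ERROR;
- return 0;
- }
- p++;
- rctx->asn1_len = 0;
- for (i = 0; i < n; i++)
- {
- rctx->asn1_len <<= 8;
- rctx->asn1_len |= *p++;
- }
-
- if (rctx->asn1_len > OCSP_MAX_REQUEST_LENGTH)
- {
- rctx->state = OHS_ERROR;
- return 0;
- }
-
- rctx->asn1_len += n + 2;
- }
- else
- rctx->asn1_len = *p + 2;
-
- rctx->state = OHS_ASN1_CONTENT;
-
- /* Fall thru */
-
- case OHS_ASN1_CONTENT:
- n = BIO_get_mem_data(rctx->mem, &p);
- if (n < (int)rctx->asn1_len)
- goto next_io;
-
-
- *presp = d2i_OCSP_RESPONSE(NULL, &p, rctx->asn1_len);
- if (*presp)
- {
- rctx->state = OHS_DONE;
- return 1;
- }
-
- rctx->state = OHS_ERROR;
- return 0;
-
- break;
-
- case OHS_DONE:
- return 1;
-
- }
-
-
-
- return 0;
-
-
- }
-
-/* Blocking OCSP request handler: now a special case of non-blocking I/O */
-
-OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, char *path, OCSP_REQUEST *req)
- {
- OCSP_RESPONSE *resp = NULL;
- OCSP_REQ_CTX *ctx;
- int rv;
-
- ctx = OCSP_sendreq_new(b, path, req, -1);
-
- do
- {
- rv = OCSP_sendreq_nbio(&resp, ctx);
- } while ((rv == -1) && BIO_should_retry(b));
-
- OCSP_REQ_CTX_free(ctx);
-
- if (rv)
- return resp;
-
- return NULL;
- }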
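diff --git a/src/lib/libcrypto/ocsp/ocsp_lib.c b/src/lib/libcrypto/ocsp/ocsp_lib.c
deleted file mode 100644
index a94dc838ee..0000000000
--- a/src/lib/libcrypto/ocsp/ocsp_lib.c
+++ /dev/null
@@ -1,266 +0,0 @@
-/* ocsp_lib.c */
-/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
- * project. */
-
-/* History:
- This file was transfered to Richard Levitte from CertCo by Kathy
- Weinhold in mid-spring 2000 to be included in OpenSSL or released
- as a patch kit. */
-
-/* ====================================================================
- * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include <cryptlib.h>
-#include <openssl/objects.h>
-#include <openssl/rand.h>
-#include <openssl/x509.h>
-#include <openssl/pem.h>
-#include <openssl/x509v3.h>
-#include <openssl/ocsp.h>
-#include <openssl/asn1t.h>
-
-/* Convert a certificate and its issuer to an OCSP_CERTID */
-
-OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *dgst, X509 *subject, X509 *issuer)
-{
- X509_NAME *iname;
- ASN1_INTEGER *serial;
- ASN1_BIT_STRING *ikey;
-#ifndef OPENSSL_NO_SHA1
- if(!dgst) dgst = EVP_sha1();
-#endif
- if (subject)
- {
- iname = X509_get_issuer_name(subject);
- serial = X509_get_serialNumber(subject);
- }
- else
- {
- iname = X509_get_subject_name(issuer);
- serial = NULL;
- }
- ikey = X509_get0_pubkey_bitstr(issuer);
- return OCSP_cert_id_new(dgst, iname, ikey, serial);
-}
-
-
-OCSP_CERTID *OCSP_cert_id_new(const EVP_MD *dgst,
- X509_NAME *issuerName,
- ASN1_BIT_STRING* issuerKey,
- ASN1_INTEGER *serialNumber)
- {
- int nid;
- unsigned int i;
- X509_ALGOR *alg;
- OCSP_CERTID *cid = NULL;
- unsigned char md[EVP_MAX_MD_SIZE];
-
- if (!(cid = OCSP_CERTID_new())) goto err;
-
- alg = cid->hashAlgorithm;
- if (alg->algorithm != NULL) ASN1_OBJECT_free(alg->algorithm);
- if ((nid = EVP_MD_type(dgst)) == NID_undef)
- {
- OCSPerr(OCSP_F_OCSP_CERT_ID_NEW,OCSP_R_UNKNOWN_NID);
- goto err;
- }
- if (!(alg->algorithm=OBJ_nid2obj(nid))) goto err;
- if ((alg->parameter=ASN1_TYPE_new()) == NULL) goto err;
- alg->parameter->type=V_ASN1_NULL;
-
- if (!X509_NAME_digest(issuerName, dgst, md, &i)) goto digerr;
- if (!(ASN1_OCTET_STRING_set(cid->issuerNameHash, md, i))) goto err;
-
- /* Calculate the issuerKey hash, excluding tag and length */
- if (!EVP_Digest(issuerKey->data, issuerKey->length, md, &i, dgst, NULL))
- goto err;
-
- if (!(ASN1_OCTET_STRING_set(cid->issuerKeyHash, md, i))) goto err;
-
- if (serialNumber)
- {
- ASN1_INTEGER_free(cid->serialNumber);
- if (!(cid->serialNumber = ASN1_INTEGER_dup(serialNumber))) goto err;
- }
- return cid;
-digerr:
- OCSPerr(OCSP_F_OCSP_CERT_ID_NEW,OCSP_R_DIGEST_ERR);
-err:
- if (cid) OCSP_CERTID_free(cid);
- return NULL;
- }
-
-int OCSP_id_issuer_cmp(OCSP_CERTID *a, OCSP_CERTID *b)
- {
- int ret;
- ret = OBJ_cmp(a->hashAlgorithm->algorithm, b->hashAlgorithm->algorithm);
- if (ret) return ret;
- ret = ASN1_OCTET_STRING_cmp(a->issuerNameHash, b->issuerNameHash);
- if (ret) return ret;
- return ASN1_OCTET_STRING_cmp(a->issuerKeyHash, b->issuerKeyHash);
- }
-
-int OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b)
- {
- int ret;
- ret = OCSP_id_issuer_cmp(a, b);
- if (ret) return ret;
- return ASN1_INTEGER_cmp(a->serialNumber, b->serialNumber);
- }
-
-
-/* Parse a URL and split it up into host, port and path components and whether
- * it is SSL.
- */
-
-int OCSP_parse_url(char *url, char **phost, char **pport, char **ppath, int *pssl)
- {
- char *p, *buf;
-
- char *host, *port;
-
- *phost = NULL;
- *pport = NULL;
- *ppath = NULL;
-
- /* dup the buffer since we are going to mess with it */
- buf = BUF_strdup(url);
- if (!buf) goto mem_err;
-
- /* Check for initial colon */
- p = strchr(buf, ':');
-
- if (!p) goto parse_err;
-
- *(p++) = '\0';
-
- if (!strcmp(buf, "http"))
- {
- *pssl = 0;
- port = "80";
- }
- else if (!strcmp(buf, "https"))
- {
- *pssl = 1;
- port = "443";
- }
- else
- goto parse_err;
-
- /* Check for double slash */
- if ((p[0] != '/') || (p[1] != '/'))
- goto parse_err;
-
- p += 2;
-
- host = p;
-
- /* Check for trailing part of path */
-
- p = strchr(p, '/');
-
- if (!p)
- *ppath = BUF_strdup("/");
- else
- {
- *ppath = BUF_strdup(p);
- /* Set start of path to 0 so hostname is valid */
- *p = '\0';
- }
-
- if (!*ppath) goto mem_err;
-
- /* Look for optional ':' for port number */
- if ((p = strchr(host, ':')))
- {
- *p = 0;
- port = p + 1;
- }
- else
- {
- /* Not found: set default port */
- if (*pssl) port = "443";
- else port = "80";
- }
-
- *pport = BUF_strdup(port);
- if (!*pport) goto mem_err;
-
- *phost = BUF_strdup(host);
-
- if (!*phost) goto mem_err;
-
- OPENSSL_free(buf);
-
- return 1;
-
- mem_err:
- OCSPerr(OCSP_F_OCSP_PARSE_URL, ERR_R_MALLOC_FAILURE);
- goto err;
-
- parse_err:
- OCSPerr(OCSP_F_OCSP_PARSE_URL, OCSP_R_ERROR_PARSING_URL);
-
-
- err:
- if (buf) OPENSSL_free(buf);
- if (*ppath) OPENSSL_free(*ppath);
- if (*pport) OPENSSL_free(*pport);
- if (*phost) OPENSSL_free(*phost);
- return 0;
-
- }
-
-IMPLEMENT_ASN1_DUP_FUNCTION(OCSP_CERTID)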
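diff --git a/src/lib/libcrypto/ocsp/ocsp_prn.c b/src/lib/libcrypto/ocsp/ocsp_prn.c
deleted file mode 100644
index 87608ff399..0000000000
--- a/src/lib/libcrypto/ocsp/ocsp_prn.c
+++ /dev/null
@@ -1,290 +0,0 @@
-/* ocsp_prn.c */
-/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
- * project. */
-
-/* History:
- This file was originally part of ocsp.c and was transfered to Richard
- Levitte from CertCo by Kathy Weinhold in mid-spring 2000 to be included
- in OpenSSL or released as a patch kit. */
-
-/* ====================================================================
- * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <openssl/bio.h>
-#include <openssl/err.h>
-#include <openssl/ocsp.h>
-#include <openssl/pem.h>
-
-static int ocsp_certid_print(BIO *bp, OCSP_CERTID* a, int indent)
- {
- BIO_printf(bp, "%*sCertificate ID:\n", indent, "");
- indent += 2;
- BIO_printf(bp, "%*sHash Algorithm: ", indent, "");
- i2a_ASN1_OBJECT(bp, a->hashAlgorithm->algorithm);
- BIO_printf(bp, "\n%*sIssuer Name Hash: ", indent, "");
- i2a_ASN1_STRING(bp, a->issuerNameHash, V_ASN1_OCTET_STRING);
- BIO_printf(bp, "\n%*sIssuer Key Hash: ", indent, "");
- i2a_ASN1_STRING(bp, a->issuerKeyHash, V_ASN1_OCTET_STRING);
- BIO_printf(bp, "\n%*sSerial Number: ", indent, "");
- i2a_ASN1_INTEGER(bp, a->serialNumber);
- BIO_printf(bp, "\n");
- return 1;
- }
-
-typedef struct
- {
- long t;
- const char *m;
- } OCSP_TBLSTR;
-
-static const char *table2string(long s, const OCSP_TBLSTR *ts, int len)
-{
- const OCSP_TBLSTR *p;
- for (p=ts; p < ts + len; p++)
- if (p->t == s)
- return p->m;
- return "(UNKNOWN)";
-}
-
-const char *OCSP_response_status_str(long s)
- {
- static const OCSP_TBLSTR rstat_tbl[] = {
- { OCSP_RESPONSE_STATUS_SUCCESSFUL, "successful" },
- { OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, "malformedrequest" },
- { OCSP_RESPONSE_STATUS_INTERNALERROR, "internalerror" },
- { OCSP_RESPONSE_STATUS_TRYLATER, "trylater" },
- { OCSP_RESPONSE_STATUS_SIGREQUIRED, "sigrequired" },
- { OCSP_RESPONSE_STATUS_UNAUTHORIZED, "unauthorized" } };
- return table2string(s, rstat_tbl, 6);
- }
-
-const char *OCSP_cert_status_str(long s)
- {
- static const OCSP_TBLSTR cstat_tbl[] = {
- { V_OCSP_CERTSTATUS_GOOD, "good" },
- { V_OCSP_CERTSTATUS_REVOKED, "revoked" },
- { V_OCSP_CERTSTATUS_UNKNOWN, "unknown" } };
- return table2string(s, cstat_tbl, 3);
- }
-
-const char *OCSP_crl_reason_str(long s)
- {
- static const OCSP_TBLSTR reason_tbl[] = {
- { OCSP_REVOKED_STATUS_UNSPECIFIED, "unspecified" },
- { OCSP_REVOKED_STATUS_KEYCOMPROMISE, "keyCompromise" },
- { OCSP_REVOKED_STATUS_CACOMPROMISE, "cACompromise" },
- { OCSP_REVOKED_STATUS_AFFILIATIONCHANGED, "affiliationChanged" },
- { OCSP_REVOKED_STATUS_SUPERSEDED, "superseded" },
- { OCSP_REVOKED_STATUS_CESSATIONOFOPERATION, "cessationOfOperation" },
- { OCSP_REVOKED_STATUS_CERTIFICATEHOLD, "certificateHold" },
- { OCSP_REVOKED_STATUS_REMOVEFROMCRL, "removeFromCRL" } };
- return table2string(s, reason_tbl, 8);
- }
-
-int OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST* o, unsigned long flags)
- {
- int i;
- long l;
- OCSP_CERTID* cid = NULL;
- OCSP_ONEREQ *one = NULL;
- OCSP_REQINFO *inf = o->tbsRequest;
- OCSP_SIGNATURE *sig = o->optionalSignature;
-
- if (BIO_write(bp,"OCSP Request Data:\n",19) <= 0) goto err;
- l=ASN1_INTEGER_get(inf->version);
- if (BIO_printf(bp," Version: %lu (0x%lx)",l+1,l) <= 0) goto err;
- if (inf->requestorName != NULL)
- {
- if (BIO_write(bp,"\n Requestor Name: ",21) <= 0)
- goto err;
- GENERAL_NAME_print(bp, inf->requestorName);
- }
- if (BIO_write(bp,"\n Requestor List:\n",21) <= 0) goto err;
- for (i = 0; i < sk_OCSP_ONEREQ_num(inf->requestList); i++)
- {
- one = sk_OCSP_ONEREQ_value(inf->requestList, i);
- cid = one->reqCert;
- ocsp_certid_print(bp, cid, 8);
- if (!X509V3_extensions_print(bp,
- "Request Single Extensions",
- one->singleRequestExtensions, flags, 8))
- goto err;
- }
- if (!X509V3_extensions_print(bp, "Request Extensions",
- inf->requestExtensions, flags, 4))
- goto err;
- if (sig)
- {
- X509_signature_print(bp, sig->signatureAlgorithm, sig->signature);
- for (i=0; i<sk_X509_num(sig->certs); i++)
- {
- X509_print(bp, sk_X509_value(sig->certs,i));
- PEM_write_bio_X509(bp,sk_X509_value(sig->certs,i));
- }
- }
- return 1;
-err:
- return 0;
- }
-
-int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE* o, unsigned long flags)
- {
- int i, ret = 0;
- long l;
- OCSP_CERTID *cid = NULL;
- OCSP_BASICRESP *br = NULL;
- OCSP_RESPID *rid = NULL;
- OCSP_RESPDATA *rd = NULL;
- OCSP_CERTSTATUS *cst = NULL;
- OCSP_REVOKEDINFO *rev = NULL;
- OCSP_SINGLERESP *single = NULL;
- OCSP_RESPBYTES *rb = o->responseBytes;
-
- if (BIO_puts(bp,"OCSP Response Data:\n") <= 0) goto err;
- l=ASN1_ENUMERATED_get(o->responseStatus);
- if (BIO_printf(bp," OCSP Response Status: %s (0x%lx)\n",
- OCSP_response_status_str(l), l) <= 0) goto err;
- if (rb == NULL) return 1;
- if (BIO_puts(bp," Response Type: ") <= 0)
- goto err;
- if(i2a_ASN1_OBJECT(bp, rb->responseType) <= 0)
- goto err;
- if (OBJ_obj2nid(rb->responseType) != NID_id_pkix_OCSP_basic)
- {
- BIO_puts(bp," (unknown response type)\n");
- return 1;
- }
-
- i = ASN1_STRING_length(rb->response);
- if (!(br = OCSP_response_get1_basic(o))) goto err;
- rd = br->tbsResponseData;
- l=ASN1_INTEGER_get(rd->version);
- if (BIO_printf(bp,"\n Version: %lu (0x%lx)\n",
- l+1,l) <= 0) goto err;
- if (BIO_puts(bp," Responder Id: ") <= 0) goto err;
-
- rid = rd->responderId;
- switch (rid->type)
- {
- case V_OCSP_RESPID_NAME:
- X509_NAME_print_ex(bp, rid->value.byName, 0, XN_FLAG_ONELINE);
- break;
- case V_OCSP_RESPID_KEY:
- i2a_ASN1_STRING(bp, rid->value.byKey, V_ASN1_OCTET_STRING);
- break;
- }
-
- if (BIO_printf(bp,"\n Produced At: ")<=0) goto err;
- if (!ASN1_GENERALIZEDTIME_print(bp, rd->producedAt)) goto err;
- if (BIO_printf(bp,"\n Responses:\n") <= 0) goto err;
- for (i = 0; i < sk_OCSP_SINGLERESP_num(rd->responses); i++)
- {
- if (! sk_OCSP_SINGLERESP_value(rd->responses, i)) continue;
- single = sk_OCSP_SINGLERESP_value(rd->responses, i);
- cid = single->certId;
- if(ocsp_certid_print(bp, cid, 4) <= 0) goto err;
- cst = single->certStatus;
- if (BIO_printf(bp," Cert Status: %s",
- OCSP_cert_status_str(cst->type)) <= 0)
- goto err;
- if (cst->type == V_OCSP_CERTSTATUS_REVOKED)
- {
- rev = cst->value.revoked;
- if (BIO_printf(bp, "\n Revocation Time: ") <= 0)
- goto err;
- if (!ASN1_GENERALIZEDTIME_print(bp,
- rev->revocationTime))
- goto err;
- if (rev->revocationReason)
- {
- l=ASN1_ENUMERATED_get(rev->revocationReason);
- if (BIO_printf(bp,
- "\n Revocation Reason: %s (0x%lx)",
- OCSP_crl_reason_str(l), l) <= 0)
- goto err;
- }
- }
- if (BIO_printf(bp,"\n This Update: ") <= 0) goto err;
- if (!ASN1_GENERALIZEDTIME_print(bp, single->thisUpdate))
- goto err;
- if (single->nextUpdate)
- {
- if (BIO_printf(bp,"\n Next Update: ") <= 0)goto err;
- if (!ASN1_GENERALIZEDTIME_print(bp,single->nextUpdate))
- goto err;
- }
- if (BIO_write(bp,"\n",1) <= 0) goto err;
- if (!X509V3_extensions_print(bp,
- "Response Single Extensions",
- single->singleExtensions, flags, 8))
- goto err;
- if (BIO_write(bp,"\n",1) <= 0) goto err;
- }
- if (!X509V3_extensions_print(bp, "Response Extensions",
- rd->responseExtensions, flags, 4))
- goto err;
- if(X509_signature_print(bp, br->signatureAlgorithm, br->signature) <= 0)
- goto err;
-
- for (i=0; i<sk_X509_num(br->certs); i++)
- {
- X509_print(bp, sk_X509_value(br->certs,i));
- PEM_write_bio_X509(bp,sk_X509_value(br->certs,i));
- }
-
- ret = 1;
-err:
- OCSP_BASICRESP_free(br);
- return ret;
- }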
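--- a/src/lib/libcrypto/ocsp/ocsp_srv.c
+++ /dev/null
@@ -1,264 +0,0 @@
-/* ocsp_srv.c */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 2001.
- */
-/* ====================================================================
- * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include <cryptlib.h>
-#include <openssl/objects.h>
-#include <openssl/rand.h>
-#include <openssl/x509.h>
-#include <openssl/pem.h>
-#include <openssl/x509v3.h>
-#include <openssl/ocsp.h>
-
-/* Utility functions related to sending OCSP responses and extracting
- * relevant information from the request.
- */
-
-int OCSP_request_onereq_count(OCSP_REQUEST *req)
- {
- return sk_OCSP_ONEREQ_num(req->tbsRequest->requestList);
- }
-
-OCSP_ONEREQ *OCSP_request_onereq_get0(OCSP_REQUEST *req, int i)
- {
- return sk_OCSP_ONEREQ_value(req->tbsRequest->requestList, i);
- }
-
-OCSP_CERTID *OCSP_onereq_get0_id(OCSP_ONEREQ *one)
- {
- return one->reqCert;
- }
-
-int OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd,
- ASN1_OCTET_STRING **pikeyHash,
- ASN1_INTEGER **pserial, OCSP_CERTID *cid)
- {
- if (!cid) return 0;
- if (pmd) *pmd = cid->hashAlgorithm->algorithm;
- if(piNameHash) *piNameHash = cid->issuerNameHash;
- if (pikeyHash) *pikeyHash = cid->issuerKeyHash;
- if (pserial) *pserial = cid->serialNumber;
- return 1;
- }
-
-int OCSP_request_is_signed(OCSP_REQUEST *req)
- {
- if(req->optionalSignature) return 1;
- return 0;
- }
-
-/* Create an OCSP response and encode an optional basic response */
-OCSP_RESPONSE *OCSP_response_create(int status, OCSP_BASICRESP *bs)
- {
- OCSP_RESPONSE *rsp = NULL;
-
- if (!(rsp = OCSP_RESPONSE_new())) goto err;
- if (!(ASN1_ENUMERATED_set(rsp->responseStatus, status))) goto err;
- if (!bs) return rsp;
- if (!(rsp->responseBytes = OCSP_RESPBYTES_new())) goto err;
- rsp->responseBytes->responseType = OBJ_nid2obj(NID_id_pkix_OCSP_basic);
- if (!ASN1_item_pack(bs, ASN1_ITEM_rptr(OCSP_BASICRESP), &rsp->responseBytes->response))
- goto err;
- return rsp;
-err:
- if (rsp) OCSP_RESPONSE_free(rsp);
- return NULL;
- }
-
-
-OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp,
- OCSP_CERTID *cid,
- int status, int reason,
- ASN1_TIME *revtime,
- ASN1_TIME *thisupd, ASN1_TIME *nextupd)
- {
- OCSP_SINGLERESP *single = NULL;
- OCSP_CERTSTATUS *cs;
- OCSP_REVOKEDINFO *ri;
-
- if(!rsp->tbsResponseData->responses &&
- !(rsp->tbsResponseData->responses = sk_OCSP_SINGLERESP_new_null()))
- goto err;
-
- if (!(single = OCSP_SINGLERESP_new()))
- goto err;
-
-
-
- if (!ASN1_TIME_to_generalizedtime(thisupd, &single->thisUpdate))
- goto err;
- if (nextupd &&
- !ASN1_TIME_to_generalizedtime(nextupd, &single->nextUpdate))
- goto err;
-
- OCSP_CERTID_free(single->certId);
-
- if(!(single->certId = OCSP_CERTID_dup(cid)))
- goto err;
-
- cs = single->certStatus;
- switch(cs->type = status)
- {
- case V_OCSP_CERTSTATUS_REVOKED:
- if (!revtime)
- {
- OCSPerr(OCSP_F_OCSP_BASIC_ADD1_STATUS,OCSP_R_NO_REVOKED_TIME);
- goto err;
- }
- if (!(cs->value.revoked = ri = OCSP_REVOKEDINFO_new())) goto err;
- if (!ASN1_TIME_to_generalizedtime(revtime, &ri->revocationTime))
- goto err;
- if (reason != OCSP_REVOKED_STATUS_NOSTATUS)
- {
- if (!(ri->revocationReason = ASN1_ENUMERATED_new()))
- goto err;
- if (!(ASN1_ENUMERATED_set(ri->revocationReason,
- reason)))
- goto err;
- }
- break;
-
- case V_OCSP_CERTSTATUS_GOOD:
- cs->value.good = ASN1_NULL_new();
- break;
-
- case V_OCSP_CERTSTATUS_UNKNOWN:
- cs->value.unknown = ASN1_NULL_new();
- break;
-
- default:
- goto err;
-
- }
- if (!(sk_OCSP_SINGLERESP_push(rsp->tbsResponseData->responses, single)))
- goto err;
- return single;
-err:
- OCSP_SINGLERESP_free(single);
- return NULL;
- }
-
-/* Add a certificate to an OCSP request */
-
-int OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert)
- {
- if (!resp->certs && !(resp->certs = sk_X509_new_null()))
- return 0;
-
- if(!sk_X509_push(resp->certs, cert)) return 0;
- CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
- return 1;
- }
-
-int OCSP_basic_sign(OCSP_BASICRESP *brsp,
- X509 *signer, EVP_PKEY *key, const EVP_MD *dgst,
- STACK_OF(X509) *certs, unsigned long flags)
- {
- int i;
- OCSP_RESPID *rid;
-
- if (!X509_check_private_key(signer, key))
- {
- OCSPerr(OCSP_F_OCSP_BASIC_SIGN, OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
- goto err;
- }
-
- if(!(flags & OCSP_NOCERTS))
- {
- if(!OCSP_basic_add1_cert(brsp, signer))
- goto err;
- for (i = 0; i < sk_X509_num(certs); i++)
- {
- X509 *tmpcert = sk_X509_value(certs, i);
- if(!OCSP_basic_add1_cert(brsp, tmpcert))
- goto err;
- }
- }
-
- rid = brsp->tbsResponseData->responderId;
- if (flags & OCSP_RESPID_KEY)
- {
- unsigned char md[SHA_DIGEST_LENGTH];
- X509_pubkey_digest(signer, EVP_sha1(), md, NULL);
- if (!(rid->value.byKey = ASN1_OCTET_STRING_new()))
- goto err;
- if (!(ASN1_OCTET_STRING_set(rid->value.byKey, md, SHA_DIGEST_LENGTH)))
- goto err;
- rid->type = V_OCSP_RESPID_KEY;
- }
- else
- {
- if (!X509_NAME_set(&rid->value.byName,
- X509_get_subject_name(signer)))
- goto err;
- rid->type = V_OCSP_RESPID_NAME;
- }
-
- if (!(flags & OCSP_NOTIME) &&
- !X509_gmtime_adj(brsp->tbsResponseData->producedAt, 0))
- goto err;
-
- /* Right now, I think that not doing double hashing is the right
- thing. -- Richard Levitte */
-
- if (!OCSP_BASICRESP_sign(brsp, key, dgst, 0)) goto err;
-
- return 1;
-err:
- return 0;
- }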
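--- a/src/lib/libcrypto/ocsp/ocsp_vfy.c
+++ /dev/null
@@ -1,449 +0,0 @@
-/* ocsp_vfy.c */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 2000.
- */
-/* ====================================================================
- * Copyright (c) 2000-2004 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <openssl/ocsp.h>
-#include <openssl/err.h>
-#include <string.h>
-
-static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
- X509_STORE *st, unsigned long flags);
-static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id);
-static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain, unsigned long flags);
-static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, OCSP_CERTID **ret);
-static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid, STACK_OF(OCSP_SINGLERESP) *sresp);
-static int ocsp_check_delegated(X509 *x, int flags);
-static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req, X509_NAME *nm, STACK_OF(X509) *certs,
- X509_STORE *st, unsigned long flags);
-
-/* Verify a basic response message */
-
-int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
- X509_STORE *st, unsigned long flags)
- {
- X509 *signer, *x;
- STACK_OF(X509) *chain = NULL;
- X509_STORE_CTX ctx;
- int i, ret = 0;
- ret = ocsp_find_signer(&signer, bs, certs, st, flags);
- if (!ret)
- {
- OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND);
- goto end;
- }
- if ((ret == 2) && (flags & OCSP_TRUSTOTHER))
- flags |= OCSP_NOVERIFY;
- if (!(flags & OCSP_NOSIGS))
- {
- EVP_PKEY *skey;
- skey = X509_get_pubkey(signer);
- if (skey)
- {
- ret = OCSP_BASICRESP_verify(bs, skey, 0);
- EVP_PKEY_free(skey);
- }
- if(!skey || ret <= 0)
- {
- OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNATURE_FAILURE);
- goto end;
- }
- }
- if (!(flags & OCSP_NOVERIFY))
- {
- int init_res;
- if(flags & OCSP_NOCHAIN)
- init_res = X509_STORE_CTX_init(&ctx, st, signer, NULL);
- else
- init_res = X509_STORE_CTX_init(&ctx, st, signer, bs->certs);
- if(!init_res)
- {
- OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,ERR_R_X509_LIB);
- goto end;
- }
-
- X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_OCSP_HELPER);
- ret = X509_verify_cert(&ctx);
- chain = X509_STORE_CTX_get1_chain(&ctx);
- X509_STORE_CTX_cleanup(&ctx);
- if (ret <= 0)
- {
- i = X509_STORE_CTX_get_error(&ctx);
- OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,OCSP_R_CERTIFICATE_VERIFY_ERROR);
- ERR_add_error_data(2, "Verify error:",
- X509_verify_cert_error_string(i));
- goto end;
- }
- if(flags & OCSP_NOCHECKS)
- {
- ret = 1;
- goto end;
- }
- /* At this point we have a valid certificate chain
- * need to verify it against the OCSP issuer criteria.
- */
- ret = ocsp_check_issuer(bs, chain, flags);
-
- /* If fatal error or valid match then finish */
- if (ret != 0) goto end;
-
- /* Easy case: explicitly trusted. Get root CA and
- * check for explicit trust
- */
- if(flags & OCSP_NOEXPLICIT) goto end;
-
- x = sk_X509_value(chain, sk_X509_num(chain) - 1);
- if(X509_check_trust(x, NID_OCSP_sign, 0) != X509_TRUST_TRUSTED)
- {
- OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,OCSP_R_ROOT_CA_NOT_TRUSTED);
- goto end;
- }
- ret = 1;
- }
-
-
-
- end:
- if(chain) sk_X509_pop_free(chain, X509_free);
- return ret;
- }
-
-
-static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
- X509_STORE *st, unsigned long flags)
- {
- X509 *signer;
- OCSP_RESPID *rid = bs->tbsResponseData->responderId;
- if ((signer = ocsp_find_signer_sk(certs, rid)))
- {
- *psigner = signer;
- return 2;
- }
- if(!(flags & OCSP_NOINTERN) &&
- (signer = ocsp_find_signer_sk(bs->certs, rid)))
- {
- *psigner = signer;
- return 1;
- }
- /* Maybe lookup from store if by subject name */
-
- *psigner = NULL;
- return 0;
- }
-
-
-static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id)
- {
- int i;
- unsigned char tmphash[SHA_DIGEST_LENGTH], *keyhash;
- X509 *x;
-
- /* Easy if lookup by name */
- if (id->type == V_OCSP_RESPID_NAME)
- return X509_find_by_subject(certs, id->value.byName);
-
- /* Lookup by key hash */
-
- /* If key hash isn't SHA1 length then forget it */
- if (id->value.byKey->length != SHA_DIGEST_LENGTH) return NULL;
- keyhash = id->value.byKey->data;
- /* Calculate hash of each key and compare */
- for (i = 0; i < sk_X509_num(certs); i++)
- {
- x = sk_X509_value(certs, i);
- X509_pubkey_digest(x, EVP_sha1(), tmphash, NULL);
- if(!memcmp(keyhash, tmphash, SHA_DIGEST_LENGTH))
- return x;
- }
- return NULL;
- }
-
-
-static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain, unsigned long flags)
- {
- STACK_OF(OCSP_SINGLERESP) *sresp;
- X509 *signer, *sca;
- OCSP_CERTID *caid = NULL;
- int i;
- sresp = bs->tbsResponseData->responses;
-
- if (sk_X509_num(chain) <= 0)
- {
- OCSPerr(OCSP_F_OCSP_CHECK_ISSUER, OCSP_R_NO_CERTIFICATES_IN_CHAIN);
- return -1;
- }
-
- /* See if the issuer IDs match. */
- i = ocsp_check_ids(sresp, &caid);
-
- /* If ID mismatch or other error then return */
- if (i <= 0) return i;
-
- signer = sk_X509_value(chain, 0);
- /* Check to see if OCSP responder CA matches request CA */
- if (sk_X509_num(chain) > 1)
- {
- sca = sk_X509_value(chain, 1);
- i = ocsp_match_issuerid(sca, caid, sresp);
- if (i < 0) return i;
- if (i)
- {
- /* We have a match, if extensions OK then success */
- if (ocsp_check_delegated(signer, flags)) return 1;
- return 0;
- }
- }
-
- /* Otherwise check if OCSP request signed directly by request CA */
- return ocsp_match_issuerid(signer, caid, sresp);
- }
-
-
-/* Check the issuer certificate IDs for equality. If there is a mismatch with the same
- * algorithm then there's no point trying to match any certificates against the issuer.
- * If the issuer IDs all match then we just need to check equality against one of them.
- */
-
-static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, OCSP_CERTID **ret)
- {
- OCSP_CERTID *tmpid, *cid;
- int i, idcount;
-
- idcount = sk_OCSP_SINGLERESP_num(sresp);
- if (idcount <= 0)
- {
- OCSPerr(OCSP_F_OCSP_CHECK_IDS, OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA);
- return -1;
- }
-
- cid = sk_OCSP_SINGLERESP_value(sresp, 0)->certId;
-
- *ret = NULL;
-
- for (i = 1; i < idcount; i++)
- {
- tmpid = sk_OCSP_SINGLERESP_value(sresp, i)->certId;
- /* Check to see if IDs match */
- if (OCSP_id_issuer_cmp(cid, tmpid))
- {
- /* If algoritm mismatch let caller deal with it */
- if (OBJ_cmp(tmpid->hashAlgorithm->algorithm,
- cid->hashAlgorithm->algorithm))
- return 2;
- /* Else mismatch */
- return 0;
- }
- }
-
- /* All IDs match: only need to check one ID */
- *ret = cid;
- return 1;
- }
-
-
-static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid,
- STACK_OF(OCSP_SINGLERESP) *sresp)
- {
- /* If only one ID to match then do it */
- if(cid)
- {
- const EVP_MD *dgst;
- X509_NAME *iname;
- int mdlen;
- unsigned char md[EVP_MAX_MD_SIZE];
- if (!(dgst = EVP_get_digestbyobj(cid->hashAlgorithm->algorithm)))
- {
- OCSPerr(OCSP_F_OCSP_MATCH_ISSUERID, OCSP_R_UNKNOWN_MESSAGE_DIGEST);
- return -1;
- }
-
- mdlen = EVP_MD_size(dgst);
- if (mdlen < 0)
- return -1;
- if ((cid->issuerNameHash->length != mdlen) ||
- (cid->issuerKeyHash->length != mdlen))
- return 0;
- iname = X509_get_subject_name(cert);
- if (!X509_NAME_digest(iname, dgst, md, NULL))
- return -1;
- if (memcmp(md, cid->issuerNameHash->data, mdlen))
- return 0;
- X509_pubkey_digest(cert, dgst, md, NULL);
- if (memcmp(md, cid->issuerKeyHash->data, mdlen))
- return 0;
-
- return 1;
-
- }
- else
- {
- /* We have to match the whole lot */
- int i, ret;
- OCSP_CERTID *tmpid;
- for (i = 0; i < sk_OCSP_SINGLERESP_num(sresp); i++)
- {
- tmpid = sk_OCSP_SINGLERESP_value(sresp, i)->certId;
- ret = ocsp_match_issuerid(cert, tmpid, NULL);
- if (ret <= 0) return ret;
- }
- return 1;
- }
-
- }
-
-static int ocsp_check_delegated(X509 *x, int flags)
- {
- X509_check_purpose(x, -1, 0);
- if ((x->ex_flags & EXFLAG_XKUSAGE) &&
- (x->ex_xkusage & XKU_OCSP_SIGN))
- return 1;
- OCSPerr(OCSP_F_OCSP_CHECK_DELEGATED, OCSP_R_MISSING_OCSPSIGNING_USAGE);
- return 0;
- }
-
-/* Verify an OCSP request. This is fortunately much easier than OCSP
- * response verify. Just find the signers certificate and verify it
- * against a given trust value.
- */
-
-int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs, X509_STORE *store, unsigned long flags)
- {
- X509 *signer;
- X509_NAME *nm;
- GENERAL_NAME *gen;
- int ret;
- X509_STORE_CTX ctx;
- if (!req->optionalSignature)
- {
- OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_REQUEST_NOT_SIGNED);
- return 0;
- }
- gen = req->tbsRequest->requestorName;
- if (!gen || gen->type != GEN_DIRNAME)
- {
- OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE);
- return 0;
- }
- nm = gen->d.directoryName;
- ret = ocsp_req_find_signer(&signer, req, nm, certs, store, flags);
- if (ret <= 0)
- {
- OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND);
- return 0;
- }
- if ((ret == 2) && (flags & OCSP_TRUSTOTHER))
- flags |= OCSP_NOVERIFY;
- if (!(flags & OCSP_NOSIGS))
- {
- EVP_PKEY *skey;
- skey = X509_get_pubkey(signer);
- ret = OCSP_REQUEST_verify(req, skey);
- EVP_PKEY_free(skey);
- if(ret <= 0)
- {
- OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_SIGNATURE_FAILURE);
- return 0;
- }
- }
- if (!(flags & OCSP_NOVERIFY))
- {
- int init_res;
- if(flags & OCSP_NOCHAIN)
- init_res = X509_STORE_CTX_init(&ctx, store, signer, NULL);
- else
- init_res = X509_STORE_CTX_init(&ctx, store, signer,
- req->optionalSignature->certs);
- if(!init_res)
- {
- OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY,ERR_R_X509_LIB);
- return 0;
- }
-
- X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_OCSP_HELPER);
- X509_STORE_CTX_set_trust(&ctx, X509_TRUST_OCSP_REQUEST);
- ret = X509_verify_cert(&ctx);
- X509_STORE_CTX_cleanup(&ctx);
- if (ret <= 0)
- {
- ret = X509_STORE_CTX_get_error(&ctx);
- OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY,OCSP_R_CERTIFICATE_VERIFY_ERROR);
- ERR_add_error_data(2, "Verify error:",
- X509_verify_cert_error_string(ret));
- return 0;
- }
- }
- return 1;
- }
-
-static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req, X509_NAME *nm, STACK_OF(X509) *certs,
- X509_STORE *st, unsigned long flags)
- {
- X509 *signer;
- if(!(flags & OCSP_NOINTERN))
- {
- signer = X509_find_by_subject(req->optionalSignature->certs, nm);
- *psigner = signer;
- return 1;
- }
-
- signer = X509_find_by_subject(certs, nm);
- if (signer)
- {
- *psigner = signer;
- return 2;
- }
- return 0;
- }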