Diffstat (limited to 'src/lib/libcrypto/ocsp')
-rw-r--r--src/lib/libcrypto/ocsp/ocsp.h484
-rw-r--r--src/lib/libcrypto/ocsp/ocsp_asn.c1066
-rw-r--r--src/lib/libcrypto/ocsp/ocsp_cl.c463
-rw-r--r--src/lib/libcrypto/ocsp/ocsp_err.c121
-rw-r--r--src/lib/libcrypto/ocsp/ocsp_ext.c612
-rw-r--r--src/lib/libcrypto/ocsp/ocsp_ht.c469
-rw-r--r--src/lib/libcrypto/ocsp/ocsp_lib.c249
-rw-r--r--src/lib/libcrypto/ocsp/ocsp_local.h291
-rw-r--r--src/lib/libcrypto/ocsp/ocsp_prn.c323
-rw-r--r--src/lib/libcrypto/ocsp/ocsp_srv.c285
-rw-r--r--src/lib/libcrypto/ocsp/ocsp_vfy.c475
11 files changed, 0 insertions, 4838 deletions
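--- a/src/lib/libcrypto/ocsp/ocsp.h
+++ /dev/null
@@ -1,484 +0,0 @@
-/* $OpenBSD: ocsp.h,v 1.20 2022/07/12 14:42:49 kn Exp $ */
-/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
- * project. */
-
-/* History:
- This file was transfered to Richard Levitte from CertCo by Kathy
- Weinhold in mid-spring 2000 to be included in OpenSSL or released
- as a patch kit. */
-
-/* ====================================================================
- * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#ifndef HEADER_OCSP_H
-#define HEADER_OCSP_H
-
-#include <openssl/ossl_typ.h>
-#include <openssl/x509.h>
-#include <openssl/x509v3.h>
-#include <openssl/safestack.h>
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/*
- * CRLReason ::= ENUMERATED {
- * unspecified (0),
- * keyCompromise (1),
- * cACompromise (2),
- * affiliationChanged (3),
- * superseded (4),
- * cessationOfOperation (5),
- * certificateHold (6),
- * removeFromCRL (8) }
- */
-#define OCSP_REVOKED_STATUS_NOSTATUS -1
-#define OCSP_REVOKED_STATUS_UNSPECIFIED 0
-#define OCSP_REVOKED_STATUS_KEYCOMPROMISE 1
-#define OCSP_REVOKED_STATUS_CACOMPROMISE 2
-#define OCSP_REVOKED_STATUS_AFFILIATIONCHANGED 3
-#define OCSP_REVOKED_STATUS_SUPERSEDED 4
-#define OCSP_REVOKED_STATUS_CESSATIONOFOPERATION 5
-#define OCSP_REVOKED_STATUS_CERTIFICATEHOLD 6
-#define OCSP_REVOKED_STATUS_REMOVEFROMCRL 8
-
-
-/* Various flags and values */
-
-#define OCSP_DEFAULT_NONCE_LENGTH 16
-
-#define OCSP_NOCERTS 0x1
-#define OCSP_NOINTERN 0x2
-#define OCSP_NOSIGS 0x4
-#define OCSP_NOCHAIN 0x8
-#define OCSP_NOVERIFY 0x10
-#define OCSP_NOEXPLICIT 0x20
-#define OCSP_NOCASIGN 0x40
-#define OCSP_NODELEGATED 0x80
-#define OCSP_NOCHECKS 0x100
-#define OCSP_TRUSTOTHER 0x200
-#define OCSP_RESPID_KEY 0x400
-#define OCSP_NOTIME 0x800
-
-typedef struct ocsp_cert_id_st OCSP_CERTID;
-
-DECLARE_STACK_OF(OCSP_CERTID)
-
-typedef struct ocsp_one_request_st OCSP_ONEREQ;
-
-DECLARE_STACK_OF(OCSP_ONEREQ)
-
-typedef struct ocsp_req_info_st OCSP_REQINFO;
-typedef struct ocsp_signature_st OCSP_SIGNATURE;
-typedef struct ocsp_request_st OCSP_REQUEST;
-
-#define OCSP_RESPONSE_STATUS_SUCCESSFUL 0
-#define OCSP_RESPONSE_STATUS_MALFORMEDREQUEST 1
-#define OCSP_RESPONSE_STATUS_INTERNALERROR 2
-#define OCSP_RESPONSE_STATUS_TRYLATER 3
-#define OCSP_RESPONSE_STATUS_SIGREQUIRED 5
-#define OCSP_RESPONSE_STATUS_UNAUTHORIZED 6
-
-typedef struct ocsp_resp_bytes_st OCSP_RESPBYTES;
-
-#define V_OCSP_RESPID_NAME 0
-#define V_OCSP_RESPID_KEY 1
-
-DECLARE_STACK_OF(OCSP_RESPID)
-
-OCSP_RESPID *OCSP_RESPID_new(void);
-void OCSP_RESPID_free(OCSP_RESPID *a);
-OCSP_RESPID *d2i_OCSP_RESPID(OCSP_RESPID **a, const unsigned char **in, long len);
-int i2d_OCSP_RESPID(OCSP_RESPID *a, unsigned char **out);
-extern const ASN1_ITEM OCSP_RESPID_it;
-
-typedef struct ocsp_revoked_info_st OCSP_REVOKEDINFO;
-
-#define V_OCSP_CERTSTATUS_GOOD 0
-#define V_OCSP_CERTSTATUS_REVOKED 1
-#define V_OCSP_CERTSTATUS_UNKNOWN 2
-
-typedef struct ocsp_cert_status_st OCSP_CERTSTATUS;
-typedef struct ocsp_single_response_st OCSP_SINGLERESP;
-
-DECLARE_STACK_OF(OCSP_SINGLERESP)
-
-typedef struct ocsp_response_data_st OCSP_RESPDATA;
-
-typedef struct ocsp_basic_response_st OCSP_BASICRESP;
-
-typedef struct ocsp_crl_id_st OCSP_CRLID;
-typedef struct ocsp_service_locator_st OCSP_SERVICELOC;
-
-#define PEM_STRING_OCSP_REQUEST "OCSP REQUEST"
-#define PEM_STRING_OCSP_RESPONSE "OCSP RESPONSE"
-
-#define PEM_read_bio_OCSP_REQUEST(bp,x,cb) \
- (OCSP_REQUEST *)PEM_ASN1_read_bio((char *(*)())d2i_OCSP_REQUEST, \
- PEM_STRING_OCSP_REQUEST,bp,(char **)x,cb,NULL)
-
-#define PEM_read_bio_OCSP_RESPONSE(bp,x,cb) \
- (OCSP_RESPONSE *)PEM_ASN1_read_bio((char *(*)())d2i_OCSP_RESPONSE, \
- PEM_STRING_OCSP_RESPONSE,bp,(char **)x,cb,NULL)
-
-#define PEM_write_bio_OCSP_REQUEST(bp,o) \
- PEM_ASN1_write_bio((int (*)())i2d_OCSP_REQUEST,PEM_STRING_OCSP_REQUEST,\
- bp,(char *)o, NULL,NULL,0,NULL,NULL)
-
-#define PEM_write_bio_OCSP_RESPONSE(bp,o) \
- PEM_ASN1_write_bio((int (*)())i2d_OCSP_RESPONSE,PEM_STRING_OCSP_RESPONSE,\
- bp,(char *)o, NULL,NULL,0,NULL,NULL)
-
-#define ASN1_BIT_STRING_digest(data,type,md,len) \
- ASN1_item_digest(&ASN1_BIT_STRING_it,type,data,md,len)
-
-#define OCSP_CERTSTATUS_dup(cs) \
- ASN1_item_dup(&OCSP_CERTSTATUS_it, cs)
-
-OCSP_CERTID *OCSP_CERTID_dup(OCSP_CERTID *id);
-
-OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, const char *path, OCSP_REQUEST *req);
-OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, const char *path, OCSP_REQUEST *req,
- int maxline);
-int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx);
-void OCSP_REQ_CTX_free(OCSP_REQ_CTX *rctx);
-int OCSP_REQ_CTX_set1_req(OCSP_REQ_CTX *rctx, OCSP_REQUEST *req);
-int OCSP_REQ_CTX_add1_header(OCSP_REQ_CTX *rctx, const char *name,
- const char *value);
-
-OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *dgst, const X509 *subject,
- const X509 *issuer);
-
-OCSP_CERTID *OCSP_cert_id_new(const EVP_MD *dgst, const X509_NAME *issuerName,
- const ASN1_BIT_STRING *issuerKey, const ASN1_INTEGER *serialNumber);
-
-OCSP_ONEREQ *OCSP_request_add0_id(OCSP_REQUEST *req, OCSP_CERTID *cid);
-
-int OCSP_request_add1_nonce(OCSP_REQUEST *req, unsigned char *val, int len);
-int OCSP_basic_add1_nonce(OCSP_BASICRESP *resp, unsigned char *val, int len);
-int OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *bs);
-int OCSP_copy_nonce(OCSP_BASICRESP *resp, OCSP_REQUEST *req);
-
-int OCSP_request_set1_name(OCSP_REQUEST *req, X509_NAME *nm);
-int OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert);
-
-int OCSP_request_sign(OCSP_REQUEST *req, X509 *signer, EVP_PKEY *key,
- const EVP_MD *dgst, STACK_OF(X509) *certs, unsigned long flags);
-
-int OCSP_response_status(OCSP_RESPONSE *resp);
-OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp);
-
-const ASN1_OCTET_STRING *OCSP_resp_get0_signature(const OCSP_BASICRESP *bs);
-const X509_ALGOR *OCSP_resp_get0_tbs_sigalg(const OCSP_BASICRESP *bs);
-const OCSP_RESPDATA *OCSP_resp_get0_respdata(const OCSP_BASICRESP *bs);
-int OCSP_resp_get0_signer(OCSP_BASICRESP *bs, X509 **signer,
- STACK_OF(X509) *extra_certs);
-
-int OCSP_resp_count(OCSP_BASICRESP *bs);
-OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx);
-const ASN1_GENERALIZEDTIME *OCSP_resp_get0_produced_at(const OCSP_BASICRESP *bs);
-const STACK_OF(X509) *OCSP_resp_get0_certs(const OCSP_BASICRESP *bs);
-int OCSP_resp_get0_id(const OCSP_BASICRESP *bs,
- const ASN1_OCTET_STRING **pid, const X509_NAME **pname);
-
-int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last);
-int OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason,
- ASN1_GENERALIZEDTIME **revtime, ASN1_GENERALIZEDTIME **thisupd,
- ASN1_GENERALIZEDTIME **nextupd);
-int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
- int *reason, ASN1_GENERALIZEDTIME **revtime,
- ASN1_GENERALIZEDTIME **thisupd, ASN1_GENERALIZEDTIME **nextupd);
-int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
- ASN1_GENERALIZEDTIME *nextupd, long sec, long maxsec);
-
-int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs,
- X509_STORE *store, unsigned long flags);
-
-int OCSP_parse_url(const char *url, char **phost, char **pport,
- char **ppath, int *pssl);
-
-int OCSP_id_issuer_cmp(OCSP_CERTID *a, OCSP_CERTID *b);
-int OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b);
-
-int OCSP_request_onereq_count(OCSP_REQUEST *req);
-OCSP_ONEREQ *OCSP_request_onereq_get0(OCSP_REQUEST *req, int i);
-OCSP_CERTID *OCSP_onereq_get0_id(OCSP_ONEREQ *one);
-int OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd,
- ASN1_OCTET_STRING **pikeyHash, ASN1_INTEGER **pserial,
- OCSP_CERTID *cid);
-int OCSP_request_is_signed(OCSP_REQUEST *req);
-OCSP_RESPONSE *OCSP_response_create(int status, OCSP_BASICRESP *bs);
-OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp, OCSP_CERTID *cid,
- int status, int reason, ASN1_TIME *revtime, ASN1_TIME *thisupd,
- ASN1_TIME *nextupd);
-int OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert);
-int OCSP_basic_sign(OCSP_BASICRESP *brsp, X509 *signer, EVP_PKEY *key,
- const EVP_MD *dgst, STACK_OF(X509) *certs, unsigned long flags);
-
-X509_EXTENSION *OCSP_crlID_new(const char *url, long *n, char *tim);
-
-X509_EXTENSION *OCSP_accept_responses_new(char **oids);
-
-X509_EXTENSION *OCSP_archive_cutoff_new(char* tim);
-
-X509_EXTENSION *OCSP_url_svcloc_new(X509_NAME* issuer, const char **urls);
-
-int OCSP_REQUEST_get_ext_count(OCSP_REQUEST *x);
-int OCSP_REQUEST_get_ext_by_NID(OCSP_REQUEST *x, int nid, int lastpos);
-int OCSP_REQUEST_get_ext_by_OBJ(OCSP_REQUEST *x, const ASN1_OBJECT *obj,
- int lastpos);
-int OCSP_REQUEST_get_ext_by_critical(OCSP_REQUEST *x, int crit,
- int lastpos);
-X509_EXTENSION *OCSP_REQUEST_get_ext(OCSP_REQUEST *x, int loc);
-X509_EXTENSION *OCSP_REQUEST_delete_ext(OCSP_REQUEST *x, int loc);
-void *OCSP_REQUEST_get1_ext_d2i(OCSP_REQUEST *x, int nid, int *crit, int *idx);
-int OCSP_REQUEST_add1_ext_i2d(OCSP_REQUEST *x, int nid, void *value,
- int crit, unsigned long flags);
-int OCSP_REQUEST_add_ext(OCSP_REQUEST *x, X509_EXTENSION *ex, int loc);
-
-int OCSP_ONEREQ_get_ext_count(OCSP_ONEREQ *x);
-int OCSP_ONEREQ_get_ext_by_NID(OCSP_ONEREQ *x, int nid, int lastpos);
-int OCSP_ONEREQ_get_ext_by_OBJ(OCSP_ONEREQ *x, const ASN1_OBJECT *obj,
- int lastpos);
-int OCSP_ONEREQ_get_ext_by_critical(OCSP_ONEREQ *x, int crit, int lastpos);
-X509_EXTENSION *OCSP_ONEREQ_get_ext(OCSP_ONEREQ *x, int loc);
-X509_EXTENSION *OCSP_ONEREQ_delete_ext(OCSP_ONEREQ *x, int loc);
-void *OCSP_ONEREQ_get1_ext_d2i(OCSP_ONEREQ *x, int nid, int *crit, int *idx);
-int OCSP_ONEREQ_add1_ext_i2d(OCSP_ONEREQ *x, int nid, void *value, int crit,
- unsigned long flags);
-int OCSP_ONEREQ_add_ext(OCSP_ONEREQ *x, X509_EXTENSION *ex, int loc);
-
-int OCSP_BASICRESP_get_ext_count(OCSP_BASICRESP *x);
-int OCSP_BASICRESP_get_ext_by_NID(OCSP_BASICRESP *x, int nid, int lastpos);
-int OCSP_BASICRESP_get_ext_by_OBJ(OCSP_BASICRESP *x, const ASN1_OBJECT *obj,
- int lastpos);
-int OCSP_BASICRESP_get_ext_by_critical(OCSP_BASICRESP *x, int crit,
- int lastpos);
-X509_EXTENSION *OCSP_BASICRESP_get_ext(OCSP_BASICRESP *x, int loc);
-X509_EXTENSION *OCSP_BASICRESP_delete_ext(OCSP_BASICRESP *x, int loc);
-void *OCSP_BASICRESP_get1_ext_d2i(OCSP_BASICRESP *x, int nid, int *crit,
- int *idx);
-int OCSP_BASICRESP_add1_ext_i2d(OCSP_BASICRESP *x, int nid, void *value,
- int crit, unsigned long flags);
-int OCSP_BASICRESP_add_ext(OCSP_BASICRESP *x, X509_EXTENSION *ex, int loc);
-
-int OCSP_SINGLERESP_get_ext_count(OCSP_SINGLERESP *x);
-int OCSP_SINGLERESP_get_ext_by_NID(OCSP_SINGLERESP *x, int nid,
- int lastpos);
-int OCSP_SINGLERESP_get_ext_by_OBJ(OCSP_SINGLERESP *x,
- const ASN1_OBJECT *obj, int lastpos);
-int OCSP_SINGLERESP_get_ext_by_critical(OCSP_SINGLERESP *x, int crit,
- int lastpos);
-X509_EXTENSION *OCSP_SINGLERESP_get_ext(OCSP_SINGLERESP *x, int loc);
-X509_EXTENSION *OCSP_SINGLERESP_delete_ext(OCSP_SINGLERESP *x, int loc);
-void *OCSP_SINGLERESP_get1_ext_d2i(OCSP_SINGLERESP *x, int nid, int *crit,
- int *idx);
-int OCSP_SINGLERESP_add1_ext_i2d(OCSP_SINGLERESP *x, int nid, void *value,
- int crit, unsigned long flags);
-int OCSP_SINGLERESP_add_ext(OCSP_SINGLERESP *x, X509_EXTENSION *ex,
- int loc);
-const OCSP_CERTID *OCSP_SINGLERESP_get0_id(const OCSP_SINGLERESP *x);
-
-OCSP_SINGLERESP *OCSP_SINGLERESP_new(void);
-void OCSP_SINGLERESP_free(OCSP_SINGLERESP *a);
-OCSP_SINGLERESP *d2i_OCSP_SINGLERESP(OCSP_SINGLERESP **a, const unsigned char **in, long len);
-int i2d_OCSP_SINGLERESP(OCSP_SINGLERESP *a, unsigned char **out);
-extern const ASN1_ITEM OCSP_SINGLERESP_it;
-OCSP_CERTSTATUS *OCSP_CERTSTATUS_new(void);
-void OCSP_CERTSTATUS_free(OCSP_CERTSTATUS *a);
-OCSP_CERTSTATUS *d2i_OCSP_CERTSTATUS(OCSP_CERTSTATUS **a, const unsigned char **in, long len);
-int i2d_OCSP_CERTSTATUS(OCSP_CERTSTATUS *a, unsigned char **out);
-extern const ASN1_ITEM OCSP_CERTSTATUS_it;
-OCSP_REVOKEDINFO *OCSP_REVOKEDINFO_new(void);
-void OCSP_REVOKEDINFO_free(OCSP_REVOKEDINFO *a);
-OCSP_REVOKEDINFO *d2i_OCSP_REVOKEDINFO(OCSP_REVOKEDINFO **a, const unsigned char **in, long len);
-int i2d_OCSP_REVOKEDINFO(OCSP_REVOKEDINFO *a, unsigned char **out);
-extern const ASN1_ITEM OCSP_REVOKEDINFO_it;
-OCSP_BASICRESP *OCSP_BASICRESP_new(void);
-void OCSP_BASICRESP_free(OCSP_BASICRESP *a);
-OCSP_BASICRESP *d2i_OCSP_BASICRESP(OCSP_BASICRESP **a, const unsigned char **in, long len);
-int i2d_OCSP_BASICRESP(OCSP_BASICRESP *a, unsigned char **out);
-extern const ASN1_ITEM OCSP_BASICRESP_it;
-OCSP_RESPDATA *OCSP_RESPDATA_new(void);
-void OCSP_RESPDATA_free(OCSP_RESPDATA *a);
-OCSP_RESPDATA *d2i_OCSP_RESPDATA(OCSP_RESPDATA **a, const unsigned char **in, long len);
-int i2d_OCSP_RESPDATA(OCSP_RESPDATA *a, unsigned char **out);
-extern const ASN1_ITEM OCSP_RESPDATA_it;
-OCSP_RESPID *OCSP_RESPID_new(void);
-void OCSP_RESPID_free(OCSP_RESPID *a);
-OCSP_RESPID *d2i_OCSP_RESPID(OCSP_RESPID **a, const unsigned char **in, long len);
-int i2d_OCSP_RESPID(OCSP_RESPID *a, unsigned char **out);
-extern const ASN1_ITEM OCSP_RESPID_it;
-OCSP_RESPONSE *OCSP_RESPONSE_new(void);
-void OCSP_RESPONSE_free(OCSP_RESPONSE *a);
-OCSP_RESPONSE *d2i_OCSP_RESPONSE(OCSP_RESPONSE **a, const unsigned char **in, long len);
-int i2d_OCSP_RESPONSE(OCSP_RESPONSE *a, unsigned char **out);
-OCSP_RESPONSE *d2i_OCSP_RESPONSE_bio(BIO *bp, OCSP_RESPONSE **a);
-int i2d_OCSP_RESPONSE_bio(BIO *bp, OCSP_RESPONSE *a);
-extern const ASN1_ITEM OCSP_RESPONSE_it;
-OCSP_RESPBYTES *OCSP_RESPBYTES_new(void);
-void OCSP_RESPBYTES_free(OCSP_RESPBYTES *a);
-OCSP_RESPBYTES *d2i_OCSP_RESPBYTES(OCSP_RESPBYTES **a, const unsigned char **in, long len);
-int i2d_OCSP_RESPBYTES(OCSP_RESPBYTES *a, unsigned char **out);
-extern const ASN1_ITEM OCSP_RESPBYTES_it;
-OCSP_ONEREQ *OCSP_ONEREQ_new(void);
-void OCSP_ONEREQ_free(OCSP_ONEREQ *a);
-OCSP_ONEREQ *d2i_OCSP_ONEREQ(OCSP_ONEREQ **a, const unsigned char **in, long len);
-int i2d_OCSP_ONEREQ(OCSP_ONEREQ *a, unsigned char **out);
-extern const ASN1_ITEM OCSP_ONEREQ_it;
-OCSP_CERTID *OCSP_CERTID_new(void);
-void OCSP_CERTID_free(OCSP_CERTID *a);
-OCSP_CERTID *d2i_OCSP_CERTID(OCSP_CERTID **a, const unsigned char **in, long len);
-int i2d_OCSP_CERTID(OCSP_CERTID *a, unsigned char **out);
-extern const ASN1_ITEM OCSP_CERTID_it;
-OCSP_REQUEST *OCSP_REQUEST_new(void);
-void OCSP_REQUEST_free(OCSP_REQUEST *a);
-OCSP_REQUEST *d2i_OCSP_REQUEST(OCSP_REQUEST **a, const unsigned char **in, long len);
-int i2d_OCSP_REQUEST(OCSP_REQUEST *a, unsigned char **out);
-OCSP_REQUEST *d2i_OCSP_REQUEST_bio(BIO *bp, OCSP_REQUEST **a);
-int i2d_OCSP_REQUEST_bio(BIO *bp, OCSP_REQUEST *a);
-extern const ASN1_ITEM OCSP_REQUEST_it;
-OCSP_SIGNATURE *OCSP_SIGNATURE_new(void);
-void OCSP_SIGNATURE_free(OCSP_SIGNATURE *a);
-OCSP_SIGNATURE *d2i_OCSP_SIGNATURE(OCSP_SIGNATURE **a, const unsigned char **in, long len);
-int i2d_OCSP_SIGNATURE(OCSP_SIGNATURE *a, unsigned char **out);
-extern const ASN1_ITEM OCSP_SIGNATURE_it;
-OCSP_REQINFO *OCSP_REQINFO_new(void);
-void OCSP_REQINFO_free(OCSP_REQINFO *a);
-OCSP_REQINFO *d2i_OCSP_REQINFO(OCSP_REQINFO **a, const unsigned char **in, long len);
-int i2d_OCSP_REQINFO(OCSP_REQINFO *a, unsigned char **out);
-extern const ASN1_ITEM OCSP_REQINFO_it;
-OCSP_CRLID *OCSP_CRLID_new(void);
-void OCSP_CRLID_free(OCSP_CRLID *a);
-OCSP_CRLID *d2i_OCSP_CRLID(OCSP_CRLID **a, const unsigned char **in, long len);
-int i2d_OCSP_CRLID(OCSP_CRLID *a, unsigned char **out);
-extern const ASN1_ITEM OCSP_CRLID_it;
-OCSP_SERVICELOC *OCSP_SERVICELOC_new(void);
-void OCSP_SERVICELOC_free(OCSP_SERVICELOC *a);
-OCSP_SERVICELOC *d2i_OCSP_SERVICELOC(OCSP_SERVICELOC **a, const unsigned char **in, long len);
-int i2d_OCSP_SERVICELOC(OCSP_SERVICELOC *a, unsigned char **out);
-extern const ASN1_ITEM OCSP_SERVICELOC_it;
-
-const char *OCSP_response_status_str(long s);
-const char *OCSP_cert_status_str(long s);
-const char *OCSP_crl_reason_str(long s);
-
-int OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST* a, unsigned long flags);
-int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE* o, unsigned long flags);
-
-int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
- X509_STORE *st, unsigned long flags);
-
-void ERR_load_OCSP_strings(void);
-
-/* Error codes for the OCSP functions. */
-
-/* Function codes. */
-#define OCSP_F_ASN1_STRING_ENCODE 100
-#define OCSP_F_D2I_OCSP_NONCE 102
-#define OCSP_F_OCSP_BASIC_ADD1_STATUS 103
-#define OCSP_F_OCSP_BASIC_SIGN 104
-#define OCSP_F_OCSP_BASIC_VERIFY 105
-#define OCSP_F_OCSP_CERT_ID_NEW 101
-#define OCSP_F_OCSP_CHECK_DELEGATED 106
-#define OCSP_F_OCSP_CHECK_IDS 107
-#define OCSP_F_OCSP_CHECK_ISSUER 108
-#define OCSP_F_OCSP_CHECK_VALIDITY 115
-#define OCSP_F_OCSP_MATCH_ISSUERID 109
-#define OCSP_F_OCSP_PARSE_URL 114
-#define OCSP_F_OCSP_REQUEST_SIGN 110
-#define OCSP_F_OCSP_REQUEST_VERIFY 116
-#define OCSP_F_OCSP_RESPONSE_GET1_BASIC 111
-#define OCSP_F_OCSP_SENDREQ_BIO 112
-#define OCSP_F_OCSP_SENDREQ_NBIO 117
-#define OCSP_F_PARSE_HTTP_LINE1 118
-#define OCSP_F_REQUEST_VERIFY 113
-
-/* Reason codes. */
-#define OCSP_R_BAD_DATA 100
-#define OCSP_R_CERTIFICATE_VERIFY_ERROR 101
-#define OCSP_R_DIGEST_ERR 102
-#define OCSP_R_ERROR_IN_NEXTUPDATE_FIELD 122
-#define OCSP_R_ERROR_IN_THISUPDATE_FIELD 123
-#define OCSP_R_ERROR_PARSING_URL 121
-#define OCSP_R_MISSING_OCSPSIGNING_USAGE 103
-#define OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE 124
-#define OCSP_R_NOT_BASIC_RESPONSE 104
-#define OCSP_R_NO_CERTIFICATES_IN_CHAIN 105
-#define OCSP_R_NO_CONTENT 106
-#define OCSP_R_NO_PUBLIC_KEY 107
-#define OCSP_R_NO_RESPONSE_DATA 108
-#define OCSP_R_NO_REVOKED_TIME 109
-#define OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE 110
-#define OCSP_R_REQUEST_NOT_SIGNED 128
-#define OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA 111
-#define OCSP_R_ROOT_CA_NOT_TRUSTED 112
-#define OCSP_R_SERVER_READ_ERROR 113
-#define OCSP_R_SERVER_RESPONSE_ERROR 114
-#define OCSP_R_SERVER_RESPONSE_PARSE_ERROR 115
-#define OCSP_R_SERVER_WRITE_ERROR 116
-#define OCSP_R_SIGNATURE_FAILURE 117
-#define OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND 118
-#define OCSP_R_STATUS_EXPIRED 125
-#define OCSP_R_STATUS_NOT_YET_VALID 126
-#define OCSP_R_STATUS_TOO_OLD 127
-#define OCSP_R_UNKNOWN_MESSAGE_DIGEST 119
-#define OCSP_R_UNKNOWN_NID 120
-#define OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE 129
-
-#ifdef __cplusplus
-}
-#endif
-#endif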
diff --git a/src/lib/libcrypto/ocsp/ocsp_asn.c b/src/lib/libcrypto/ocsp/ocsp_asn.c
deleted file mode 100644
index abceaac832..0000000000
--- a/src/lib/libcrypto/ocsp/ocsp_asn.c
+++ /dev/null
@@ -1,1066 +0,0 @@
1/* $OpenBSD: ocsp_asn.c,v 1.12 2024/07/08 14:53:11 beck Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2000.
4 */
5/* ====================================================================
6 * Copyright (c) 2000 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58#include <openssl/asn1.h>
59#include <openssl/asn1t.h>
60#include <openssl/ocsp.h>
61
62#include "ocsp_local.h"
63
64static const ASN1_TEMPLATE OCSP_SIGNATURE_seq_tt[] = {
65 {
66 .flags = 0,
67 .tag = 0,
68 .offset = offsetof(OCSP_SIGNATURE, signatureAlgorithm),
69 .field_name = "signatureAlgorithm",
70 .item = &X509_ALGOR_it,
71 },
72 {
73 .flags = 0,
74 .tag = 0,
75 .offset = offsetof(OCSP_SIGNATURE, signature),
76 .field_name = "signature",
77 .item = &ASN1_BIT_STRING_it,
78 },
79 {
80 .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL,
81 .tag = 0,
82 .offset = offsetof(OCSP_SIGNATURE, certs),
83 .field_name = "certs",
84 .item = &X509_it,
85 },
86};
87
88const ASN1_ITEM OCSP_SIGNATURE_it = {
89 .itype = ASN1_ITYPE_SEQUENCE,
90 .utype = V_ASN1_SEQUENCE,
91 .templates = OCSP_SIGNATURE_seq_tt,
92 .tcount = sizeof(OCSP_SIGNATURE_seq_tt) / sizeof(ASN1_TEMPLATE),
93 .funcs = NULL,
94 .size = sizeof(OCSP_SIGNATURE),
95 .sname = "OCSP_SIGNATURE",
96};
97LCRYPTO_ALIAS(OCSP_SIGNATURE_it);
98
99
100OCSP_SIGNATURE *
101d2i_OCSP_SIGNATURE(OCSP_SIGNATURE **a, const unsigned char **in, long len)
102{
103 return (OCSP_SIGNATURE *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
104 &OCSP_SIGNATURE_it);
105}
106LCRYPTO_ALIAS(d2i_OCSP_SIGNATURE);
107
108int
109i2d_OCSP_SIGNATURE(OCSP_SIGNATURE *a, unsigned char **out)
110{
111 return ASN1_item_i2d((ASN1_VALUE *)a, out, &OCSP_SIGNATURE_it);
112}
113LCRYPTO_ALIAS(i2d_OCSP_SIGNATURE);
114
115OCSP_SIGNATURE *
116OCSP_SIGNATURE_new(void)
117{
118 return (OCSP_SIGNATURE *)ASN1_item_new(&OCSP_SIGNATURE_it);
119}
120LCRYPTO_ALIAS(OCSP_SIGNATURE_new);
121
122void
123OCSP_SIGNATURE_free(OCSP_SIGNATURE *a)
124{
125 ASN1_item_free((ASN1_VALUE *)a, &OCSP_SIGNATURE_it);
126}
127LCRYPTO_ALIAS(OCSP_SIGNATURE_free);
128
129static const ASN1_TEMPLATE OCSP_CERTID_seq_tt[] = {
130 {
131 .flags = 0,
132 .tag = 0,
133 .offset = offsetof(OCSP_CERTID, hashAlgorithm),
134 .field_name = "hashAlgorithm",
135 .item = &X509_ALGOR_it,
136 },
137 {
138 .flags = 0,
139 .tag = 0,
140 .offset = offsetof(OCSP_CERTID, issuerNameHash),
141 .field_name = "issuerNameHash",
142 .item = &ASN1_OCTET_STRING_it,
143 },
144 {
145 .flags = 0,
146 .tag = 0,
147 .offset = offsetof(OCSP_CERTID, issuerKeyHash),
148 .field_name = "issuerKeyHash",
149 .item = &ASN1_OCTET_STRING_it,
150 },
151 {
152 .flags = 0,
153 .tag = 0,
154 .offset = offsetof(OCSP_CERTID, serialNumber),
155 .field_name = "serialNumber",
156 .item = &ASN1_INTEGER_it,
157 },
158};
159
160const ASN1_ITEM OCSP_CERTID_it = {
161 .itype = ASN1_ITYPE_SEQUENCE,
162 .utype = V_ASN1_SEQUENCE,
163 .templates = OCSP_CERTID_seq_tt,
164 .tcount = sizeof(OCSP_CERTID_seq_tt) / sizeof(ASN1_TEMPLATE),
165 .funcs = NULL,
166 .size = sizeof(OCSP_CERTID),
167 .sname = "OCSP_CERTID",
168};
169LCRYPTO_ALIAS(OCSP_CERTID_it);
170
171
172OCSP_CERTID *
173d2i_OCSP_CERTID(OCSP_CERTID **a, const unsigned char **in, long len)
174{
175 return (OCSP_CERTID *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
176 &OCSP_CERTID_it);
177}
178LCRYPTO_ALIAS(d2i_OCSP_CERTID);
179
180int
181i2d_OCSP_CERTID(OCSP_CERTID *a, unsigned char **out)
182{
183 return ASN1_item_i2d((ASN1_VALUE *)a, out, &OCSP_CERTID_it);
184}
185LCRYPTO_ALIAS(i2d_OCSP_CERTID);
186
187OCSP_CERTID *
188OCSP_CERTID_new(void)
189{
190 return (OCSP_CERTID *)ASN1_item_new(&OCSP_CERTID_it);
191}
192LCRYPTO_ALIAS(OCSP_CERTID_new);
193
194void
195OCSP_CERTID_free(OCSP_CERTID *a)
196{
197 ASN1_item_free((ASN1_VALUE *)a, &OCSP_CERTID_it);
198}
199LCRYPTO_ALIAS(OCSP_CERTID_free);
200
201static const ASN1_TEMPLATE OCSP_ONEREQ_seq_tt[] = {
202 {
203 .flags = 0,
204 .tag = 0,
205 .offset = offsetof(OCSP_ONEREQ, reqCert),
206 .field_name = "reqCert",
207 .item = &OCSP_CERTID_it,
208 },
209 {
210 .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL,
211 .tag = 0,
212 .offset = offsetof(OCSP_ONEREQ, singleRequestExtensions),
213 .field_name = "singleRequestExtensions",
214 .item = &X509_EXTENSION_it,
215 },
216};
217
218const ASN1_ITEM OCSP_ONEREQ_it = {
219 .itype = ASN1_ITYPE_SEQUENCE,
220 .utype = V_ASN1_SEQUENCE,
221 .templates = OCSP_ONEREQ_seq_tt,
222 .tcount = sizeof(OCSP_ONEREQ_seq_tt) / sizeof(ASN1_TEMPLATE),
223 .funcs = NULL,
224 .size = sizeof(OCSP_ONEREQ),
225 .sname = "OCSP_ONEREQ",
226};
227LCRYPTO_ALIAS(OCSP_ONEREQ_it);
228
229
230OCSP_ONEREQ *
231d2i_OCSP_ONEREQ(OCSP_ONEREQ **a, const unsigned char **in, long len)
232{
233 return (OCSP_ONEREQ *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
234 &OCSP_ONEREQ_it);
235}
236LCRYPTO_ALIAS(d2i_OCSP_ONEREQ);
237
238int
239i2d_OCSP_ONEREQ(OCSP_ONEREQ *a, unsigned char **out)
240{
241 return ASN1_item_i2d((ASN1_VALUE *)a, out, &OCSP_ONEREQ_it);
242}
243LCRYPTO_ALIAS(i2d_OCSP_ONEREQ);
244
245OCSP_ONEREQ *
246OCSP_ONEREQ_new(void)
247{
248 return (OCSP_ONEREQ *)ASN1_item_new(&OCSP_ONEREQ_it);
249}
250LCRYPTO_ALIAS(OCSP_ONEREQ_new);
251
252void
253OCSP_ONEREQ_free(OCSP_ONEREQ *a)
254{
255 ASN1_item_free((ASN1_VALUE *)a, &OCSP_ONEREQ_it);
256}
257LCRYPTO_ALIAS(OCSP_ONEREQ_free);
258
259static const ASN1_TEMPLATE OCSP_REQINFO_seq_tt[] = {
260 {
261 .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
262 .tag = 0,
263 .offset = offsetof(OCSP_REQINFO, version),
264 .field_name = "version",
265 .item = &ASN1_INTEGER_it,
266 },
267 {
268 .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
269 .tag = 1,
270 .offset = offsetof(OCSP_REQINFO, requestorName),
271 .field_name = "requestorName",
272 .item = &GENERAL_NAME_it,
273 },
274 {
275 .flags = ASN1_TFLG_SEQUENCE_OF,
276 .tag = 0,
277 .offset = offsetof(OCSP_REQINFO, requestList),
278 .field_name = "requestList",
279 .item = &OCSP_ONEREQ_it,
280 },
281 {
282 .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL,
283 .tag = 2,
284 .offset = offsetof(OCSP_REQINFO, requestExtensions),
285 .field_name = "requestExtensions",
286 .item = &X509_EXTENSION_it,
287 },
288};
289
290const ASN1_ITEM OCSP_REQINFO_it = {
291 .itype = ASN1_ITYPE_SEQUENCE,
292 .utype = V_ASN1_SEQUENCE,
293 .templates = OCSP_REQINFO_seq_tt,
294 .tcount = sizeof(OCSP_REQINFO_seq_tt) / sizeof(ASN1_TEMPLATE),
295 .funcs = NULL,
296 .size = sizeof(OCSP_REQINFO),
297 .sname = "OCSP_REQINFO",
298};
299LCRYPTO_ALIAS(OCSP_REQINFO_it);
300
301
302OCSP_REQINFO *
303d2i_OCSP_REQINFO(OCSP_REQINFO **a, const unsigned char **in, long len)
304{
305 return (OCSP_REQINFO *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
306 &OCSP_REQINFO_it);
307}
308LCRYPTO_ALIAS(d2i_OCSP_REQINFO);
309
310int
311i2d_OCSP_REQINFO(OCSP_REQINFO *a, unsigned char **out)
312{
313 return ASN1_item_i2d((ASN1_VALUE *)a, out, &OCSP_REQINFO_it);
314}
315LCRYPTO_ALIAS(i2d_OCSP_REQINFO);
316
317OCSP_REQINFO *
318OCSP_REQINFO_new(void)
319{
320 return (OCSP_REQINFO *)ASN1_item_new(&OCSP_REQINFO_it);
321}
322LCRYPTO_ALIAS(OCSP_REQINFO_new);
323
324void
325OCSP_REQINFO_free(OCSP_REQINFO *a)
326{
327 ASN1_item_free((ASN1_VALUE *)a, &OCSP_REQINFO_it);
328}
329LCRYPTO_ALIAS(OCSP_REQINFO_free);
330
331static const ASN1_TEMPLATE OCSP_REQUEST_seq_tt[] = {
332 {
333 .flags = 0,
334 .tag = 0,
335 .offset = offsetof(OCSP_REQUEST, tbsRequest),
336 .field_name = "tbsRequest",
337 .item = &OCSP_REQINFO_it,
338 },
339 {
340 .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
341 .tag = 0,
342 .offset = offsetof(OCSP_REQUEST, optionalSignature),
343 .field_name = "optionalSignature",
344 .item = &OCSP_SIGNATURE_it,
345 },
346};
347
348const ASN1_ITEM OCSP_REQUEST_it = {
349 .itype = ASN1_ITYPE_SEQUENCE,
350 .utype = V_ASN1_SEQUENCE,
351 .templates = OCSP_REQUEST_seq_tt,
352 .tcount = sizeof(OCSP_REQUEST_seq_tt) / sizeof(ASN1_TEMPLATE),
353 .funcs = NULL,
354 .size = sizeof(OCSP_REQUEST),
355 .sname = "OCSP_REQUEST",
356};
357LCRYPTO_ALIAS(OCSP_REQUEST_it);
358
359OCSP_REQUEST *
360d2i_OCSP_REQUEST(OCSP_REQUEST **a, const unsigned char **in, long len)
361{
362 return (OCSP_REQUEST *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
363 &OCSP_REQUEST_it);
364}
365LCRYPTO_ALIAS(d2i_OCSP_REQUEST);
366
367int
368i2d_OCSP_REQUEST(OCSP_REQUEST *a, unsigned char **out)
369{
370 return ASN1_item_i2d((ASN1_VALUE *)a, out, &OCSP_REQUEST_it);
371}
372LCRYPTO_ALIAS(i2d_OCSP_REQUEST);
373
374OCSP_REQUEST *
375d2i_OCSP_REQUEST_bio(BIO *bp, OCSP_REQUEST **a)
376{
377 return ASN1_item_d2i_bio(&OCSP_REQUEST_it, bp, a);
378}
379LCRYPTO_ALIAS(d2i_OCSP_REQUEST_bio);
380
381int
382i2d_OCSP_REQUEST_bio(BIO *bp, OCSP_REQUEST *a)
383{
384 return ASN1_item_i2d_bio(&OCSP_REQUEST_it, bp, a);
385}
386LCRYPTO_ALIAS(i2d_OCSP_REQUEST_bio);
387
388OCSP_REQUEST *
389OCSP_REQUEST_new(void)
390{
391 return (OCSP_REQUEST *)ASN1_item_new(&OCSP_REQUEST_it);
392}
393LCRYPTO_ALIAS(OCSP_REQUEST_new);
394
395void
396OCSP_REQUEST_free(OCSP_REQUEST *a)
397{
398 ASN1_item_free((ASN1_VALUE *)a, &OCSP_REQUEST_it);
399}
400LCRYPTO_ALIAS(OCSP_REQUEST_free);
401
402/* OCSP_RESPONSE templates */
403
404static const ASN1_TEMPLATE OCSP_RESPBYTES_seq_tt[] = {
405 {
406 .flags = 0,
407 .tag = 0,
408 .offset = offsetof(OCSP_RESPBYTES, responseType),
409 .field_name = "responseType",
410 .item = &ASN1_OBJECT_it,
411 },
412 {
413 .flags = 0,
414 .tag = 0,
415 .offset = offsetof(OCSP_RESPBYTES, response),
416 .field_name = "response",
417 .item = &ASN1_OCTET_STRING_it,
418 },
419};
420
421const ASN1_ITEM OCSP_RESPBYTES_it = {
422 .itype = ASN1_ITYPE_SEQUENCE,
423 .utype = V_ASN1_SEQUENCE,
424 .templates = OCSP_RESPBYTES_seq_tt,
425 .tcount = sizeof(OCSP_RESPBYTES_seq_tt) / sizeof(ASN1_TEMPLATE),
426 .funcs = NULL,
427 .size = sizeof(OCSP_RESPBYTES),
428 .sname = "OCSP_RESPBYTES",
429};
430LCRYPTO_ALIAS(OCSP_RESPBYTES_it);
431
432
433OCSP_RESPBYTES *
434d2i_OCSP_RESPBYTES(OCSP_RESPBYTES **a, const unsigned char **in, long len)
435{
436 return (OCSP_RESPBYTES *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
437 &OCSP_RESPBYTES_it);
438}
439LCRYPTO_ALIAS(d2i_OCSP_RESPBYTES);
440
441int
442i2d_OCSP_RESPBYTES(OCSP_RESPBYTES *a, unsigned char **out)
443{
444 return ASN1_item_i2d((ASN1_VALUE *)a, out, &OCSP_RESPBYTES_it);
445}
446LCRYPTO_ALIAS(i2d_OCSP_RESPBYTES);
447
448OCSP_RESPBYTES *
449OCSP_RESPBYTES_new(void)
450{
451 return (OCSP_RESPBYTES *)ASN1_item_new(&OCSP_RESPBYTES_it);
452}
453LCRYPTO_ALIAS(OCSP_RESPBYTES_new);
454
455void
456OCSP_RESPBYTES_free(OCSP_RESPBYTES *a)
457{
458 ASN1_item_free((ASN1_VALUE *)a, &OCSP_RESPBYTES_it);
459}
460LCRYPTO_ALIAS(OCSP_RESPBYTES_free);
461
462static const ASN1_TEMPLATE OCSP_RESPONSE_seq_tt[] = {
463 {
464 .flags = 0,
465 .tag = 0,
466 .offset = offsetof(OCSP_RESPONSE, responseStatus),
467 .field_name = "responseStatus",
468 .item = &ASN1_ENUMERATED_it,
469 },
470 {
471 .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
472 .tag = 0,
473 .offset = offsetof(OCSP_RESPONSE, responseBytes),
474 .field_name = "responseBytes",
475 .item = &OCSP_RESPBYTES_it,
476 },
477};
478
479const ASN1_ITEM OCSP_RESPONSE_it = {
480 .itype = ASN1_ITYPE_SEQUENCE,
481 .utype = V_ASN1_SEQUENCE,
482 .templates = OCSP_RESPONSE_seq_tt,
483 .tcount = sizeof(OCSP_RESPONSE_seq_tt) / sizeof(ASN1_TEMPLATE),
484 .funcs = NULL,
485 .size = sizeof(OCSP_RESPONSE),
486 .sname = "OCSP_RESPONSE",
487};
488LCRYPTO_ALIAS(OCSP_RESPONSE_it);
489
490
491OCSP_RESPONSE *
492d2i_OCSP_RESPONSE(OCSP_RESPONSE **a, const unsigned char **in, long len)
493{
494 return (OCSP_RESPONSE *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
495 &OCSP_RESPONSE_it);
496}
497LCRYPTO_ALIAS(d2i_OCSP_RESPONSE);
498
499int
500i2d_OCSP_RESPONSE(OCSP_RESPONSE *a, unsigned char **out)
501{
502 return ASN1_item_i2d((ASN1_VALUE *)a, out, &OCSP_RESPONSE_it);
503}
504LCRYPTO_ALIAS(i2d_OCSP_RESPONSE);
505
506OCSP_RESPONSE *
507d2i_OCSP_RESPONSE_bio(BIO *bp, OCSP_RESPONSE **a)
508{
509 return ASN1_item_d2i_bio(&OCSP_RESPONSE_it, bp, a);
510}
511LCRYPTO_ALIAS(d2i_OCSP_RESPONSE_bio);
512
513int
514i2d_OCSP_RESPONSE_bio(BIO *bp, OCSP_RESPONSE *a)
515{
516 return ASN1_item_i2d_bio(&OCSP_RESPONSE_it, bp, a);
517}
518LCRYPTO_ALIAS(i2d_OCSP_RESPONSE_bio);
519
520OCSP_RESPONSE *
521OCSP_RESPONSE_new(void)
522{
523 return (OCSP_RESPONSE *)ASN1_item_new(&OCSP_RESPONSE_it);
524}
525LCRYPTO_ALIAS(OCSP_RESPONSE_new);
526
527void
528OCSP_RESPONSE_free(OCSP_RESPONSE *a)
529{
530 ASN1_item_free((ASN1_VALUE *)a, &OCSP_RESPONSE_it);
531}
532LCRYPTO_ALIAS(OCSP_RESPONSE_free);
533
534static const ASN1_TEMPLATE OCSP_RESPID_ch_tt[] = {
535 {
536 .flags = ASN1_TFLG_EXPLICIT,
537 .tag = 1,
538 .offset = offsetof(OCSP_RESPID, value.byName),
539 .field_name = "value.byName",
540 .item = &X509_NAME_it,
541 },
542 {
543 .flags = ASN1_TFLG_EXPLICIT,
544 .tag = 2,
545 .offset = offsetof(OCSP_RESPID, value.byKey),
546 .field_name = "value.byKey",
547 .item = &ASN1_OCTET_STRING_it,
548 },
549};
550
551const ASN1_ITEM OCSP_RESPID_it = {
552 .itype = ASN1_ITYPE_CHOICE,
553 .utype = offsetof(OCSP_RESPID, type),
554 .templates = OCSP_RESPID_ch_tt,
555 .tcount = sizeof(OCSP_RESPID_ch_tt) / sizeof(ASN1_TEMPLATE),
556 .funcs = NULL,
557 .size = sizeof(OCSP_RESPID),
558 .sname = "OCSP_RESPID",
559};
560LCRYPTO_ALIAS(OCSP_RESPID_it);
561
562
563OCSP_RESPID *
564d2i_OCSP_RESPID(OCSP_RESPID **a, const unsigned char **in, long len)
565{
566 return (OCSP_RESPID *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
567 &OCSP_RESPID_it);
568}
569LCRYPTO_ALIAS(d2i_OCSP_RESPID);
570
571int
572i2d_OCSP_RESPID(OCSP_RESPID *a, unsigned char **out)
573{
574 return ASN1_item_i2d((ASN1_VALUE *)a, out, &OCSP_RESPID_it);
575}
576LCRYPTO_ALIAS(i2d_OCSP_RESPID);
577
578OCSP_RESPID *
579OCSP_RESPID_new(void)
580{
581 return (OCSP_RESPID *)ASN1_item_new(&OCSP_RESPID_it);
582}
583LCRYPTO_ALIAS(OCSP_RESPID_new);
584
585void
586OCSP_RESPID_free(OCSP_RESPID *a)
587{
588 ASN1_item_free((ASN1_VALUE *)a, &OCSP_RESPID_it);
589}
590LCRYPTO_ALIAS(OCSP_RESPID_free);
591
592static const ASN1_TEMPLATE OCSP_REVOKEDINFO_seq_tt[] = {
593 {
594 .flags = 0,
595 .tag = 0,
596 .offset = offsetof(OCSP_REVOKEDINFO, revocationTime),
597 .field_name = "revocationTime",
598 .item = &ASN1_GENERALIZEDTIME_it,
599 },
600 {
601 .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
602 .tag = 0,
603 .offset = offsetof(OCSP_REVOKEDINFO, revocationReason),
604 .field_name = "revocationReason",
605 .item = &ASN1_ENUMERATED_it,
606 },
607};
608
609const ASN1_ITEM OCSP_REVOKEDINFO_it = {
610 .itype = ASN1_ITYPE_SEQUENCE,
611 .utype = V_ASN1_SEQUENCE,
612 .templates = OCSP_REVOKEDINFO_seq_tt,
613 .tcount = sizeof(OCSP_REVOKEDINFO_seq_tt) / sizeof(ASN1_TEMPLATE),
614 .funcs = NULL,
615 .size = sizeof(OCSP_REVOKEDINFO),
616 .sname = "OCSP_REVOKEDINFO",
617};
618LCRYPTO_ALIAS(OCSP_REVOKEDINFO_it);
619
620
621OCSP_REVOKEDINFO *
622d2i_OCSP_REVOKEDINFO(OCSP_REVOKEDINFO **a, const unsigned char **in, long len)
623{
624 return (OCSP_REVOKEDINFO *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
625 &OCSP_REVOKEDINFO_it);
626}
627LCRYPTO_ALIAS(d2i_OCSP_REVOKEDINFO);
628
629int
630i2d_OCSP_REVOKEDINFO(OCSP_REVOKEDINFO *a, unsigned char **out)
631{
632 return ASN1_item_i2d((ASN1_VALUE *)a, out, &OCSP_REVOKEDINFO_it);
633}
634LCRYPTO_ALIAS(i2d_OCSP_REVOKEDINFO);
635
636OCSP_REVOKEDINFO *
637OCSP_REVOKEDINFO_new(void)
638{
639 return (OCSP_REVOKEDINFO *)ASN1_item_new(&OCSP_REVOKEDINFO_it);
640}
641LCRYPTO_ALIAS(OCSP_REVOKEDINFO_new);
642
643void
644OCSP_REVOKEDINFO_free(OCSP_REVOKEDINFO *a)
645{
646 ASN1_item_free((ASN1_VALUE *)a, &OCSP_REVOKEDINFO_it);
647}
648LCRYPTO_ALIAS(OCSP_REVOKEDINFO_free);
649
650static const ASN1_TEMPLATE OCSP_CERTSTATUS_ch_tt[] = {
651 {
652 .flags = ASN1_TFLG_IMPLICIT,
653 .tag = 0,
654 .offset = offsetof(OCSP_CERTSTATUS, value.good),
655 .field_name = "value.good",
656 .item = &ASN1_NULL_it,
657 },
658 {
659 .flags = ASN1_TFLG_IMPLICIT,
660 .tag = 1,
661 .offset = offsetof(OCSP_CERTSTATUS, value.revoked),
662 .field_name = "value.revoked",
663 .item = &OCSP_REVOKEDINFO_it,
664 },
665 {
666 .flags = ASN1_TFLG_IMPLICIT,
667 .tag = 2,
668 .offset = offsetof(OCSP_CERTSTATUS, value.unknown),
669 .field_name = "value.unknown",
670 .item = &ASN1_NULL_it,
671 },
672};
673
674const ASN1_ITEM OCSP_CERTSTATUS_it = {
675 .itype = ASN1_ITYPE_CHOICE,
676 .utype = offsetof(OCSP_CERTSTATUS, type),
677 .templates = OCSP_CERTSTATUS_ch_tt,
678 .tcount = sizeof(OCSP_CERTSTATUS_ch_tt) / sizeof(ASN1_TEMPLATE),
679 .funcs = NULL,
680 .size = sizeof(OCSP_CERTSTATUS),
681 .sname = "OCSP_CERTSTATUS",
682};
683LCRYPTO_ALIAS(OCSP_CERTSTATUS_it);
684
685
686OCSP_CERTSTATUS *
687d2i_OCSP_CERTSTATUS(OCSP_CERTSTATUS **a, const unsigned char **in, long len)
688{
689 return (OCSP_CERTSTATUS *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
690 &OCSP_CERTSTATUS_it);
691}
692LCRYPTO_ALIAS(d2i_OCSP_CERTSTATUS);
693
694int
695i2d_OCSP_CERTSTATUS(OCSP_CERTSTATUS *a, unsigned char **out)
696{
697 return ASN1_item_i2d((ASN1_VALUE *)a, out, &OCSP_CERTSTATUS_it);
698}
699LCRYPTO_ALIAS(i2d_OCSP_CERTSTATUS);
700
701OCSP_CERTSTATUS *
702OCSP_CERTSTATUS_new(void)
703{
704 return (OCSP_CERTSTATUS *)ASN1_item_new(&OCSP_CERTSTATUS_it);
705}
706LCRYPTO_ALIAS(OCSP_CERTSTATUS_new);
707
708void
709OCSP_CERTSTATUS_free(OCSP_CERTSTATUS *a)
710{
711 ASN1_item_free((ASN1_VALUE *)a, &OCSP_CERTSTATUS_it);
712}
713LCRYPTO_ALIAS(OCSP_CERTSTATUS_free);
714
715static const ASN1_TEMPLATE OCSP_SINGLERESP_seq_tt[] = {
716 {
717 .flags = 0,
718 .tag = 0,
719 .offset = offsetof(OCSP_SINGLERESP, certId),
720 .field_name = "certId",
721 .item = &OCSP_CERTID_it,
722 },
723 {
724 .flags = 0,
725 .tag = 0,
726 .offset = offsetof(OCSP_SINGLERESP, certStatus),
727 .field_name = "certStatus",
728 .item = &OCSP_CERTSTATUS_it,
729 },
730 {
731 .flags = 0,
732 .tag = 0,
733 .offset = offsetof(OCSP_SINGLERESP, thisUpdate),
734 .field_name = "thisUpdate",
735 .item = &ASN1_GENERALIZEDTIME_it,
736 },
737 {
738 .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
739 .tag = 0,
740 .offset = offsetof(OCSP_SINGLERESP, nextUpdate),
741 .field_name = "nextUpdate",
742 .item = &ASN1_GENERALIZEDTIME_it,
743 },
744 {
745 .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL,
746 .tag = 1,
747 .offset = offsetof(OCSP_SINGLERESP, singleExtensions),
748 .field_name = "singleExtensions",
749 .item = &X509_EXTENSION_it,
750 },
751};
752
753const ASN1_ITEM OCSP_SINGLERESP_it = {
754 .itype = ASN1_ITYPE_SEQUENCE,
755 .utype = V_ASN1_SEQUENCE,
756 .templates = OCSP_SINGLERESP_seq_tt,
757 .tcount = sizeof(OCSP_SINGLERESP_seq_tt) / sizeof(ASN1_TEMPLATE),
758 .funcs = NULL,
759 .size = sizeof(OCSP_SINGLERESP),
760 .sname = "OCSP_SINGLERESP",
761};
762LCRYPTO_ALIAS(OCSP_SINGLERESP_it);
763
764
765OCSP_SINGLERESP *
766d2i_OCSP_SINGLERESP(OCSP_SINGLERESP **a, const unsigned char **in, long len)
767{
768 return (OCSP_SINGLERESP *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
769 &OCSP_SINGLERESP_it);
770}
771LCRYPTO_ALIAS(d2i_OCSP_SINGLERESP);
772
773int
774i2d_OCSP_SINGLERESP(OCSP_SINGLERESP *a, unsigned char **out)
775{
776 return ASN1_item_i2d((ASN1_VALUE *)a, out, &OCSP_SINGLERESP_it);
777}
778LCRYPTO_ALIAS(i2d_OCSP_SINGLERESP);
779
780OCSP_SINGLERESP *
781OCSP_SINGLERESP_new(void)
782{
783 return (OCSP_SINGLERESP *)ASN1_item_new(&OCSP_SINGLERESP_it);
784}
785LCRYPTO_ALIAS(OCSP_SINGLERESP_new);
786
787void
788OCSP_SINGLERESP_free(OCSP_SINGLERESP *a)
789{
790 ASN1_item_free((ASN1_VALUE *)a, &OCSP_SINGLERESP_it);
791}
792LCRYPTO_ALIAS(OCSP_SINGLERESP_free);
793
794static const ASN1_TEMPLATE OCSP_RESPDATA_seq_tt[] = {
795 {
796 .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
797 .tag = 0,
798 .offset = offsetof(OCSP_RESPDATA, version),
799 .field_name = "version",
800 .item = &ASN1_INTEGER_it,
801 },
802 {
803 .flags = 0,
804 .tag = 0,
805 .offset = offsetof(OCSP_RESPDATA, responderId),
806 .field_name = "responderId",
807 .item = &OCSP_RESPID_it,
808 },
809 {
810 .flags = 0,
811 .tag = 0,
812 .offset = offsetof(OCSP_RESPDATA, producedAt),
813 .field_name = "producedAt",
814 .item = &ASN1_GENERALIZEDTIME_it,
815 },
816 {
817 .flags = ASN1_TFLG_SEQUENCE_OF,
818 .tag = 0,
819 .offset = offsetof(OCSP_RESPDATA, responses),
820 .field_name = "responses",
821 .item = &OCSP_SINGLERESP_it,
822 },
823 {
824 .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL,
825 .tag = 1,
826 .offset = offsetof(OCSP_RESPDATA, responseExtensions),
827 .field_name = "responseExtensions",
828 .item = &X509_EXTENSION_it,
829 },
830};
831
832const ASN1_ITEM OCSP_RESPDATA_it = {
833 .itype = ASN1_ITYPE_SEQUENCE,
834 .utype = V_ASN1_SEQUENCE,
835 .templates = OCSP_RESPDATA_seq_tt,
836 .tcount = sizeof(OCSP_RESPDATA_seq_tt) / sizeof(ASN1_TEMPLATE),
837 .funcs = NULL,
838 .size = sizeof(OCSP_RESPDATA),
839 .sname = "OCSP_RESPDATA",
840};
841LCRYPTO_ALIAS(OCSP_RESPDATA_it);
842
843
844OCSP_RESPDATA *
845d2i_OCSP_RESPDATA(OCSP_RESPDATA **a, const unsigned char **in, long len)
846{
847 return (OCSP_RESPDATA *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
848 &OCSP_RESPDATA_it);
849}
850LCRYPTO_ALIAS(d2i_OCSP_RESPDATA);
851
852int
853i2d_OCSP_RESPDATA(OCSP_RESPDATA *a, unsigned char **out)
854{
855 return ASN1_item_i2d((ASN1_VALUE *)a, out, &OCSP_RESPDATA_it);
856}
857LCRYPTO_ALIAS(i2d_OCSP_RESPDATA);
858
859OCSP_RESPDATA *
860OCSP_RESPDATA_new(void)
861{
862 return (OCSP_RESPDATA *)ASN1_item_new(&OCSP_RESPDATA_it);
863}
864LCRYPTO_ALIAS(OCSP_RESPDATA_new);
865
866void
867OCSP_RESPDATA_free(OCSP_RESPDATA *a)
868{
869 ASN1_item_free((ASN1_VALUE *)a, &OCSP_RESPDATA_it);
870}
871LCRYPTO_ALIAS(OCSP_RESPDATA_free);
872
873static const ASN1_TEMPLATE OCSP_BASICRESP_seq_tt[] = {
874 {
875 .flags = 0,
876 .tag = 0,
877 .offset = offsetof(OCSP_BASICRESP, tbsResponseData),
878 .field_name = "tbsResponseData",
879 .item = &OCSP_RESPDATA_it,
880 },
881 {
882 .flags = 0,
883 .tag = 0,
884 .offset = offsetof(OCSP_BASICRESP, signatureAlgorithm),
885 .field_name = "signatureAlgorithm",
886 .item = &X509_ALGOR_it,
887 },
888 {
889 .flags = 0,
890 .tag = 0,
891 .offset = offsetof(OCSP_BASICRESP, signature),
892 .field_name = "signature",
893 .item = &ASN1_BIT_STRING_it,
894 },
895 {
896 .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL,
897 .tag = 0,
898 .offset = offsetof(OCSP_BASICRESP, certs),
899 .field_name = "certs",
900 .item = &X509_it,
901 },
902};
903
904const ASN1_ITEM OCSP_BASICRESP_it = {
905 .itype = ASN1_ITYPE_SEQUENCE,
906 .utype = V_ASN1_SEQUENCE,
907 .templates = OCSP_BASICRESP_seq_tt,
908 .tcount = sizeof(OCSP_BASICRESP_seq_tt) / sizeof(ASN1_TEMPLATE),
909 .funcs = NULL,
910 .size = sizeof(OCSP_BASICRESP),
911 .sname = "OCSP_BASICRESP",
912};
913LCRYPTO_ALIAS(OCSP_BASICRESP_it);
914
915
916OCSP_BASICRESP *
917d2i_OCSP_BASICRESP(OCSP_BASICRESP **a, const unsigned char **in, long len)
918{
919 return (OCSP_BASICRESP *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
920 &OCSP_BASICRESP_it);
921}
922LCRYPTO_ALIAS(d2i_OCSP_BASICRESP);
923
924int
925i2d_OCSP_BASICRESP(OCSP_BASICRESP *a, unsigned char **out)
926{
927 return ASN1_item_i2d((ASN1_VALUE *)a, out, &OCSP_BASICRESP_it);
928}
929LCRYPTO_ALIAS(i2d_OCSP_BASICRESP);
930
931OCSP_BASICRESP *
932OCSP_BASICRESP_new(void)
933{
934 return (OCSP_BASICRESP *)ASN1_item_new(&OCSP_BASICRESP_it);
935}
936LCRYPTO_ALIAS(OCSP_BASICRESP_new);
937
938void
939OCSP_BASICRESP_free(OCSP_BASICRESP *a)
940{
941 ASN1_item_free((ASN1_VALUE *)a, &OCSP_BASICRESP_it);
942}
943LCRYPTO_ALIAS(OCSP_BASICRESP_free);
944
945static const ASN1_TEMPLATE OCSP_CRLID_seq_tt[] = {
946 {
947 .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
948 .tag = 0,
949 .offset = offsetof(OCSP_CRLID, crlUrl),
950 .field_name = "crlUrl",
951 .item = &ASN1_IA5STRING_it,
952 },
953 {
954 .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
955 .tag = 1,
956 .offset = offsetof(OCSP_CRLID, crlNum),
957 .field_name = "crlNum",
958 .item = &ASN1_INTEGER_it,
959 },
960 {
961 .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
962 .tag = 2,
963 .offset = offsetof(OCSP_CRLID, crlTime),
964 .field_name = "crlTime",
965 .item = &ASN1_GENERALIZEDTIME_it,
966 },
967};
968
969const ASN1_ITEM OCSP_CRLID_it = {
970 .itype = ASN1_ITYPE_SEQUENCE,
971 .utype = V_ASN1_SEQUENCE,
972 .templates = OCSP_CRLID_seq_tt,
973 .tcount = sizeof(OCSP_CRLID_seq_tt) / sizeof(ASN1_TEMPLATE),
974 .funcs = NULL,
975 .size = sizeof(OCSP_CRLID),
976 .sname = "OCSP_CRLID",
977};
978LCRYPTO_ALIAS(OCSP_CRLID_it);
979
980
981OCSP_CRLID *
982d2i_OCSP_CRLID(OCSP_CRLID **a, const unsigned char **in, long len)
983{
984 return (OCSP_CRLID *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
985 &OCSP_CRLID_it);
986}
987LCRYPTO_ALIAS(d2i_OCSP_CRLID);
988
989int
990i2d_OCSP_CRLID(OCSP_CRLID *a, unsigned char **out)
991{
992 return ASN1_item_i2d((ASN1_VALUE *)a, out, &OCSP_CRLID_it);
993}
994LCRYPTO_ALIAS(i2d_OCSP_CRLID);
995
996OCSP_CRLID *
997OCSP_CRLID_new(void)
998{
999 return (OCSP_CRLID *)ASN1_item_new(&OCSP_CRLID_it);
1000}
1001LCRYPTO_ALIAS(OCSP_CRLID_new);
1002
1003void
1004OCSP_CRLID_free(OCSP_CRLID *a)
1005{
1006 ASN1_item_free((ASN1_VALUE *)a, &OCSP_CRLID_it);
1007}
1008LCRYPTO_ALIAS(OCSP_CRLID_free);
1009
1010static const ASN1_TEMPLATE OCSP_SERVICELOC_seq_tt[] = {
1011 {
1012 .flags = 0,
1013 .tag = 0,
1014 .offset = offsetof(OCSP_SERVICELOC, issuer),
1015 .field_name = "issuer",
1016 .item = &X509_NAME_it,
1017 },
1018 {
1019 .flags = ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL,
1020 .tag = 0,
1021 .offset = offsetof(OCSP_SERVICELOC, locator),
1022 .field_name = "locator",
1023 .item = &ACCESS_DESCRIPTION_it,
1024 },
1025};
1026
1027const ASN1_ITEM OCSP_SERVICELOC_it = {
1028 .itype = ASN1_ITYPE_SEQUENCE,
1029 .utype = V_ASN1_SEQUENCE,
1030 .templates = OCSP_SERVICELOC_seq_tt,
1031 .tcount = sizeof(OCSP_SERVICELOC_seq_tt) / sizeof(ASN1_TEMPLATE),
1032 .funcs = NULL,
1033 .size = sizeof(OCSP_SERVICELOC),
1034 .sname = "OCSP_SERVICELOC",
1035};
1036LCRYPTO_ALIAS(OCSP_SERVICELOC_it);
1037
1038
1039OCSP_SERVICELOC *
1040d2i_OCSP_SERVICELOC(OCSP_SERVICELOC **a, const unsigned char **in, long len)
1041{
1042 return (OCSP_SERVICELOC *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
1043 &OCSP_SERVICELOC_it);
1044}
1045LCRYPTO_ALIAS(d2i_OCSP_SERVICELOC);
1046
1047int
1048i2d_OCSP_SERVICELOC(OCSP_SERVICELOC *a, unsigned char **out)
1049{
1050 return ASN1_item_i2d((ASN1_VALUE *)a, out, &OCSP_SERVICELOC_it);
1051}
1052LCRYPTO_ALIAS(i2d_OCSP_SERVICELOC);
1053
1054OCSP_SERVICELOC *
1055OCSP_SERVICELOC_new(void)
1056{
1057 return (OCSP_SERVICELOC *)ASN1_item_new(&OCSP_SERVICELOC_it);
1058}
1059LCRYPTO_ALIAS(OCSP_SERVICELOC_new);
1060
1061void
1062OCSP_SERVICELOC_free(OCSP_SERVICELOC *a)
1063{
1064 ASN1_item_free((ASN1_VALUE *)a, &OCSP_SERVICELOC_it);
1065}
1066LCRYPTO_ALIAS(OCSP_SERVICELOC_free);
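diff --git a/src/lib/libcrypto/ocsp/ocsp_cl.c b/src/lib/libcrypto/ocsp/ocsp_cl.c
deleted file mode 100644
index d8ee33c391..0000000000
--- a/src/lib/libcrypto/ocsp/ocsp_cl.c
+++ /dev/null
@@ -1,463 +0,0 @@
-/* $OpenBSD: ocsp_cl.c,v 1.25 2024/03/24 11:30:12 beck Exp $ */
-/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
- * project. */
-
-/* History:
- This file was transfered to Richard Levitte from CertCo by Kathy
- Weinhold in mid-spring 2000 to be included in OpenSSL or released
- as a patch kit. */
-
-/* ====================================================================
- * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include <time.h>
-
-#include <openssl/err.h>
-#include <openssl/ocsp.h>
-#include <openssl/objects.h>
-#include <openssl/pem.h>
-#include <openssl/posix_time.h>
-#include <openssl/x509.h>
-#include <openssl/x509v3.h>
-
-#include "asn1_local.h"
-#include "ocsp_local.h"
-
-/* Utility functions related to sending OCSP requests and extracting
- * relevant information from the response.
- */
-
-/* Add an OCSP_CERTID to an OCSP request. Return new OCSP_ONEREQ
- * pointer: useful if we want to add extensions.
- */
-OCSP_ONEREQ *
-OCSP_request_add0_id(OCSP_REQUEST *req, OCSP_CERTID *cid)
-{
-	OCSP_ONEREQ *one;
-
-	if ((one = OCSP_ONEREQ_new()) == NULL)
-		goto err;
-	if (req != NULL) {
-		if (!sk_OCSP_ONEREQ_push(req->tbsRequest->requestList, one))
-			goto err;
-	}
-	OCSP_CERTID_free(one->reqCert);
-	one->reqCert = cid;
-	return one;
-
- err:
-	OCSP_ONEREQ_free(one);
-	return NULL;
-}
-LCRYPTO_ALIAS(OCSP_request_add0_id);
-
-/* Set requestorName from an X509_NAME structure */
-int
-OCSP_request_set1_name(OCSP_REQUEST *req, X509_NAME *nm)
-{
-	GENERAL_NAME *gen;
-
-	gen = GENERAL_NAME_new();
-	if (gen == NULL)
-		return 0;
-	if (!X509_NAME_set(&gen->d.directoryName, nm)) {
-		GENERAL_NAME_free(gen);
-		return 0;
-	}
-	gen->type = GEN_DIRNAME;
-	if (req->tbsRequest->requestorName)
-		GENERAL_NAME_free(req->tbsRequest->requestorName);
-	req->tbsRequest->requestorName = gen;
-	return 1;
-}
-LCRYPTO_ALIAS(OCSP_request_set1_name);
-
-/* Add a certificate to an OCSP request */
-int
-OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert)
-{
-	OCSP_SIGNATURE *sig;
-
-	if (!req->optionalSignature)
-		req->optionalSignature = OCSP_SIGNATURE_new();
-	sig = req->optionalSignature;
-	if (!sig)
-		return 0;
-	if (!cert)
-		return 1;
-	if (!sig->certs && !(sig->certs = sk_X509_new_null()))
-		return 0;
-
-	if (!sk_X509_push(sig->certs, cert))
-		return 0;
-	X509_up_ref(cert);
-	return 1;
-}
-LCRYPTO_ALIAS(OCSP_request_add1_cert);
-
-/* Sign an OCSP request set the requestorName to the subject
- * name of an optional signers certificate and include one
- * or more optional certificates in the request. Behaves
- * like PKCS7_sign().
- */
-int
-OCSP_request_sign(OCSP_REQUEST *req, X509 *signer, EVP_PKEY *key,
-    const EVP_MD *dgst, STACK_OF(X509) *certs, unsigned long flags)
-{
-	int i;
-	OCSP_SIGNATURE *sig;
-	X509 *x;
-
-	if (!OCSP_request_set1_name(req, X509_get_subject_name(signer)))
-		goto err;
-
-	if (!(req->optionalSignature = sig = OCSP_SIGNATURE_new()))
-		goto err;
-	if (key) {
-		if (!X509_check_private_key(signer, key)) {
-			OCSPerror(OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
-			goto err;
-		}
-		if (!OCSP_REQUEST_sign(req, key, dgst))
-			goto err;
-	}
-
-	if (!(flags & OCSP_NOCERTS)) {
-		if (!OCSP_request_add1_cert(req, signer))
-			goto err;
-		for (i = 0; i < sk_X509_num(certs); i++) {
-			x = sk_X509_value(certs, i);
-			if (!OCSP_request_add1_cert(req, x))
-				goto err;
-		}
-	}
-
-	return 1;
-
-err:
-	OCSP_SIGNATURE_free(req->optionalSignature);
-	req->optionalSignature = NULL;
-	return 0;
-}
-LCRYPTO_ALIAS(OCSP_request_sign);
-
-/* Get response status */
-int
-OCSP_response_status(OCSP_RESPONSE *resp)
-{
-	return ASN1_ENUMERATED_get(resp->responseStatus);
-}
-LCRYPTO_ALIAS(OCSP_response_status);
-
-/* Extract basic response from OCSP_RESPONSE or NULL if
- * no basic response present.
- */
-OCSP_BASICRESP *
-OCSP_response_get1_basic(OCSP_RESPONSE *resp)
-{
-	OCSP_RESPBYTES *rb;
-
-	rb = resp->responseBytes;
-	if (!rb) {
-		OCSPerror(OCSP_R_NO_RESPONSE_DATA);
-		return NULL;
-	}
-	if (OBJ_obj2nid(rb->responseType) != NID_id_pkix_OCSP_basic) {
-		OCSPerror(OCSP_R_NOT_BASIC_RESPONSE);
-		return NULL;
-	}
-
-	return ASN1_item_unpack(rb->response, &OCSP_BASICRESP_it);
-}
-LCRYPTO_ALIAS(OCSP_response_get1_basic);
-
-/* Return number of OCSP_SINGLERESP responses present in
- * a basic response.
- */
-int
-OCSP_resp_count(OCSP_BASICRESP *bs)
-{
-	if (!bs)
-		return -1;
-	return sk_OCSP_SINGLERESP_num(bs->tbsResponseData->responses);
-}
-LCRYPTO_ALIAS(OCSP_resp_count);
-
-/* Extract an OCSP_SINGLERESP response with a given index */
-OCSP_SINGLERESP *
-OCSP_resp_get0(OCSP_BASICRESP *bs, int idx)
-{
-	if (!bs)
-		return NULL;
-	return sk_OCSP_SINGLERESP_value(bs->tbsResponseData->responses, idx);
-}
-LCRYPTO_ALIAS(OCSP_resp_get0);
-
-const ASN1_GENERALIZEDTIME *
-OCSP_resp_get0_produced_at(const OCSP_BASICRESP *bs)
-{
-	return bs->tbsResponseData->producedAt;
-}
-LCRYPTO_ALIAS(OCSP_resp_get0_produced_at);
-
-const STACK_OF(X509) *
-OCSP_resp_get0_certs(const OCSP_BASICRESP *bs)
-{
-	return bs->certs;
-}
-LCRYPTO_ALIAS(OCSP_resp_get0_certs);
-
-int
-OCSP_resp_get0_id(const OCSP_BASICRESP *bs, const ASN1_OCTET_STRING **pid,
-    const X509_NAME **pname)
-{
-	const OCSP_RESPID *rid = bs->tbsResponseData->responderId;
-
-	if (rid->type == V_OCSP_RESPID_NAME) {
-		*pname = rid->value.byName;
-		*pid = NULL;
-	} else if (rid->type == V_OCSP_RESPID_KEY) {
-		*pid = rid->value.byKey;
-		*pname = NULL;
-	} else {
-		return 0;
-	}
-
-	return 1;
-}
-LCRYPTO_ALIAS(OCSP_resp_get0_id);
-
-const ASN1_OCTET_STRING *
-OCSP_resp_get0_signature(const OCSP_BASICRESP *bs)
-{
-	return bs->signature;
-}
-LCRYPTO_ALIAS(OCSP_resp_get0_signature);
-
-const X509_ALGOR *
-OCSP_resp_get0_tbs_sigalg(const OCSP_BASICRESP *bs)
-{
-	return bs->signatureAlgorithm;
-}
-LCRYPTO_ALIAS(OCSP_resp_get0_tbs_sigalg);
-
-const OCSP_RESPDATA *
-OCSP_resp_get0_respdata(const OCSP_BASICRESP *bs)
-{
-	return bs->tbsResponseData;
-}
-LCRYPTO_ALIAS(OCSP_resp_get0_respdata);
-
-/* Look single response matching a given certificate ID */
-int
-OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last)
-{
-	int i;
-	STACK_OF(OCSP_SINGLERESP) *sresp;
-	OCSP_SINGLERESP *single;
-
-	if (!bs)
-		return -1;
-	if (last < 0)
-		last = 0;
-	else
-		last++;
-	sresp = bs->tbsResponseData->responses;
-	for (i = last; i < sk_OCSP_SINGLERESP_num(sresp); i++) {
-		single = sk_OCSP_SINGLERESP_value(sresp, i);
-		if (!OCSP_id_cmp(id, single->certId))
-			return i;
-	}
-	return -1;
-}
-LCRYPTO_ALIAS(OCSP_resp_find);
-
-/* Extract status information from an OCSP_SINGLERESP structure.
- * Note: the revtime and reason values are only set if the
- * certificate status is revoked. Returns numerical value of
- * status.
- */
-int
-OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason,
-    ASN1_GENERALIZEDTIME **revtime, ASN1_GENERALIZEDTIME **thisupd,
-    ASN1_GENERALIZEDTIME **nextupd)
-{
-	int ret;
-	OCSP_CERTSTATUS *cst;
-
-	if (!single)
-		return -1;
-	cst = single->certStatus;
-	ret = cst->type;
-	if (ret == V_OCSP_CERTSTATUS_REVOKED) {
-		OCSP_REVOKEDINFO *rev = cst->value.revoked;
-
-		if (revtime)
-			*revtime = rev->revocationTime;
-		if (reason) {
-			if (rev->revocationReason)
-				*reason = ASN1_ENUMERATED_get(
-				    rev->revocationReason);
-			else
-				*reason = -1;
-		}
-	}
-	if (thisupd)
-		*thisupd = single->thisUpdate;
-	if (nextupd)
-		*nextupd = single->nextUpdate;
-	return ret;
-}
-LCRYPTO_ALIAS(OCSP_single_get0_status);
-
-/* This function combines the previous ones: look up a certificate ID and
- * if found extract status information. Return 0 is successful.
- */
-int
-OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
-    int *reason, ASN1_GENERALIZEDTIME **revtime, ASN1_GENERALIZEDTIME **thisupd,
-    ASN1_GENERALIZEDTIME **nextupd)
-{
-	int i;
-	OCSP_SINGLERESP *single;
-
-	i = OCSP_resp_find(bs, id, -1);
-	/* Maybe check for multiple responses and give an error? */
-	if (i < 0)
-		return 0;
-	single = OCSP_resp_get0(bs, i);
-	i = OCSP_single_get0_status(single, reason, revtime, thisupd, nextupd);
-	if (status)
-		*status = i;
-	return 1;
-}
-LCRYPTO_ALIAS(OCSP_resp_find_status);
-
-/* Check validity of thisUpdate and nextUpdate fields. It is possible that the request will
- * take a few seconds to process and/or the time wont be totally accurate. Therefore to avoid
- * rejecting otherwise valid time we allow the times to be within 'nsec' of the current time.
- * Also to avoid accepting very old responses without a nextUpdate field an optional maxage
- * parameter specifies the maximum age the thisUpdate field can be.
- */
-int
-OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
-    ASN1_GENERALIZEDTIME *nextupd, long nsec, long maxsec)
-{
-	int64_t posix_next, posix_this, posix_now;
-	struct tm tm_this, tm_next;
-
-	/* Negative values of nsec make no sense */
-	if (nsec < 0)
-		return 0;
-
-	posix_now = time(NULL);
-
-	/*
-	 * Times must explicitly be a GENERALIZEDTIME as per section
-	 * 4.2.2.1 of RFC 6960 - It is invalid to accept other times
-	 * (such as UTCTIME permitted/required by RFC 5280 for certificates)
-	 */
-	/* Check that thisUpdate is valid. */
-	if (ASN1_time_parse(thisupd->data, thisupd->length, &tm_this,
-	    V_ASN1_GENERALIZEDTIME) != V_ASN1_GENERALIZEDTIME) {
-		OCSPerror(OCSP_R_ERROR_IN_THISUPDATE_FIELD);
-		return 0;
-	}
-	if (!OPENSSL_tm_to_posix(&tm_this, &posix_this))
-		return 0;
-	/* thisUpdate must not be more than nsec in the future. */
-	if (posix_this - nsec > posix_now) {
-		OCSPerror(OCSP_R_STATUS_NOT_YET_VALID);
-		return 0;
-	}
-	/* thisUpdate must not be more than maxsec seconds in the past. */
-	if (maxsec >= 0 && posix_this < posix_now - maxsec) {
-		OCSPerror(OCSP_R_STATUS_TOO_OLD);
-		return 0;
-	}
-
-	/* RFC 6960 section 4.2.2.1 allows for servers to not set nextUpdate */
-	if (nextupd == NULL)
-		return 1;
-
-	/* Check that nextUpdate is valid. */
-	if (ASN1_time_parse(nextupd->data, nextupd->length, &tm_next,
-	    V_ASN1_GENERALIZEDTIME) != V_ASN1_GENERALIZEDTIME) {
-		OCSPerror(OCSP_R_ERROR_IN_NEXTUPDATE_FIELD);
-		return 0;
-	}
-	if (!OPENSSL_tm_to_posix(&tm_next, &posix_next))
-		return 0;
-	/* Don't allow nextUpdate to precede thisUpdate. */
-	if (posix_next < posix_this) {
-		OCSPerror(OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE);
-		return 0;
-	}
-	/* nextUpdate must not be more than nsec seconds in the past. */
-	if (posix_next + nsec < posix_now) {
-		OCSPerror(OCSP_R_STATUS_EXPIRED);
-		return 0;
-	}
-
-	return 1;
-}
-LCRYPTO_ALIAS(OCSP_check_validity);
-
-const OCSP_CERTID *
-OCSP_SINGLERESP_get0_id(const OCSP_SINGLERESP *single)
-{
-	return single->certId;
-}
-LCRYPTO_ALIAS(OCSP_SINGLERESP_get0_id);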
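diff --git a/src/lib/libcrypto/ocsp/ocsp_err.c b/src/lib/libcrypto/ocsp/ocsp_err.c
deleted file mode 100644
index ca8f8f22b2..0000000000
--- a/src/lib/libcrypto/ocsp/ocsp_err.c
+++ /dev/null
@@ -1,121 +0,0 @@
-/* $OpenBSD: ocsp_err.c,v 1.11 2024/06/24 06:43:22 tb Exp $ */
-/* ====================================================================
- * Copyright (c) 1999-2006 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * openssl-core@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-
-#include <openssl/opensslconf.h>
-
-#include <openssl/err.h>
-#include <openssl/ocsp.h>
-
-#include "err_local.h"
-
-#ifndef OPENSSL_NO_ERR
-
-#define ERR_FUNC(func) ERR_PACK(ERR_LIB_OCSP,func,0)
-#define ERR_REASON(reason) ERR_PACK(ERR_LIB_OCSP,0,reason)
-
-static const ERR_STRING_DATA OCSP_str_functs[] = {
-	{ERR_FUNC(0xfff), "CRYPTO_internal"},
-	{0, NULL}
-};
-
-static const ERR_STRING_DATA OCSP_str_reasons[] = {
-	{ERR_REASON(OCSP_R_BAD_DATA) , "bad data"},
-	{ERR_REASON(OCSP_R_CERTIFICATE_VERIFY_ERROR), "certificate verify error"},
-	{ERR_REASON(OCSP_R_DIGEST_ERR) , "digest err"},
-	{ERR_REASON(OCSP_R_ERROR_IN_NEXTUPDATE_FIELD), "error in nextupdate field"},
-	{ERR_REASON(OCSP_R_ERROR_IN_THISUPDATE_FIELD), "error in thisupdate field"},
-	{ERR_REASON(OCSP_R_ERROR_PARSING_URL) , "error parsing url"},
-	{ERR_REASON(OCSP_R_MISSING_OCSPSIGNING_USAGE), "missing ocspsigning usage"},
-	{ERR_REASON(OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE), "nextupdate before thisupdate"},
-	{ERR_REASON(OCSP_R_NOT_BASIC_RESPONSE) , "not basic response"},
-	{ERR_REASON(OCSP_R_NO_CERTIFICATES_IN_CHAIN), "no certificates in chain"},
-	{ERR_REASON(OCSP_R_NO_CONTENT) , "no content"},
-	{ERR_REASON(OCSP_R_NO_PUBLIC_KEY) , "no public key"},
-	{ERR_REASON(OCSP_R_NO_RESPONSE_DATA) , "no response data"},
-	{ERR_REASON(OCSP_R_NO_REVOKED_TIME) , "no revoked time"},
-	{ERR_REASON(OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE), "private key does not match certificate"},
-	{ERR_REASON(OCSP_R_REQUEST_NOT_SIGNED) , "request not signed"},
-	{ERR_REASON(OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA), "response contains no revocation data"},
-	{ERR_REASON(OCSP_R_ROOT_CA_NOT_TRUSTED) , "root ca not trusted"},
-	{ERR_REASON(OCSP_R_SERVER_READ_ERROR) , "server read error"},
-	{ERR_REASON(OCSP_R_SERVER_RESPONSE_ERROR), "server response error"},
-	{ERR_REASON(OCSP_R_SERVER_RESPONSE_PARSE_ERROR), "server response parse error"},
-	{ERR_REASON(OCSP_R_SERVER_WRITE_ERROR) , "server write error"},
-	{ERR_REASON(OCSP_R_SIGNATURE_FAILURE) , "signature failure"},
-	{ERR_REASON(OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND), "signer certificate not found"},
-	{ERR_REASON(OCSP_R_STATUS_EXPIRED) , "status expired"},
-	{ERR_REASON(OCSP_R_STATUS_NOT_YET_VALID) , "status not yet valid"},
-	{ERR_REASON(OCSP_R_STATUS_TOO_OLD) , "status too old"},
-	{ERR_REASON(OCSP_R_UNKNOWN_MESSAGE_DIGEST), "unknown message digest"},
-	{ERR_REASON(OCSP_R_UNKNOWN_NID) , "unknown nid"},
-	{ERR_REASON(OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE), "unsupported requestorname type"},
-	{0, NULL}
-};
-
-#endif
-
-void
-ERR_load_OCSP_strings(void)
-{
-#ifndef OPENSSL_NO_ERR
-	if (ERR_func_error_string(OCSP_str_functs[0].error) == NULL) {
-		ERR_load_const_strings(OCSP_str_functs);
-		ERR_load_const_strings(OCSP_str_reasons);
-	}
-#endif
-}
-LCRYPTO_ALIAS(ERR_load_OCSP_strings);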
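diff --git a/src/lib/libcrypto/ocsp/ocsp_ext.c b/src/lib/libcrypto/ocsp/ocsp_ext.c
deleted file mode 100644
index 9f8cb74b6a..0000000000
--- a/src/lib/libcrypto/ocsp/ocsp_ext.c
+++ /dev/null
@@ -1,612 +0,0 @@
-/* $OpenBSD: ocsp_ext.c,v 1.23 2023/07/08 10:44:00 beck Exp $ */
-/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
- * project. */
-
-/* History:
- This file was transfered to Richard Levitte from CertCo by Kathy
- Weinhold in mid-spring 2000 to be included in OpenSSL or released
- as a patch kit. */
-
-/* ====================================================================
- * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <openssl/objects.h>
-#include <openssl/ocsp.h>
-#include <openssl/x509.h>
-#include <openssl/x509v3.h>
-
-#include "ocsp_local.h"
-#include "x509_local.h"
-
-/* Standard wrapper functions for extensions */
-
-/* OCSP request extensions */
-
-int
-OCSP_REQUEST_get_ext_count(OCSP_REQUEST *x)
-{
-	return X509v3_get_ext_count(x->tbsRequest->requestExtensions);
-}
-LCRYPTO_ALIAS(OCSP_REQUEST_get_ext_count);
-
-int
-OCSP_REQUEST_get_ext_by_NID(OCSP_REQUEST *x, int nid, int lastpos)
-{
-	return X509v3_get_ext_by_NID(x->tbsRequest->requestExtensions, nid,
-	    lastpos);
-}
-LCRYPTO_ALIAS(OCSP_REQUEST_get_ext_by_NID);
-
-int
-OCSP_REQUEST_get_ext_by_OBJ(OCSP_REQUEST *x, const ASN1_OBJECT *obj,
-    int lastpos)
-{
-	return X509v3_get_ext_by_OBJ(x->tbsRequest->requestExtensions, obj,
-	    lastpos);
-}
-LCRYPTO_ALIAS(OCSP_REQUEST_get_ext_by_OBJ);
-
-int
-OCSP_REQUEST_get_ext_by_critical(OCSP_REQUEST *x, int crit, int lastpos)
-{
-	return X509v3_get_ext_by_critical(x->tbsRequest->requestExtensions,
-	    crit, lastpos);
-}
-LCRYPTO_ALIAS(OCSP_REQUEST_get_ext_by_critical);
-
-X509_EXTENSION *
-OCSP_REQUEST_get_ext(OCSP_REQUEST *x, int loc)
-{
-	return X509v3_get_ext(x->tbsRequest->requestExtensions, loc);
-}
-LCRYPTO_ALIAS(OCSP_REQUEST_get_ext);
-
-X509_EXTENSION *
-OCSP_REQUEST_delete_ext(OCSP_REQUEST *x, int loc)
-{
-	return X509v3_delete_ext(x->tbsRequest->requestExtensions, loc);
-}
-LCRYPTO_ALIAS(OCSP_REQUEST_delete_ext);
-
-void *
-OCSP_REQUEST_get1_ext_d2i(OCSP_REQUEST *x, int nid, int *crit, int *idx)
-{
-	return X509V3_get_d2i(x->tbsRequest->requestExtensions, nid, crit, idx);
-}
-LCRYPTO_ALIAS(OCSP_REQUEST_get1_ext_d2i);
-
-int
-OCSP_REQUEST_add1_ext_i2d(OCSP_REQUEST *x, int nid, void *value, int crit,
-    unsigned long flags)
-{
-	return X509V3_add1_i2d(&x->tbsRequest->requestExtensions, nid, value,
-	    crit, flags);
-}
-LCRYPTO_ALIAS(OCSP_REQUEST_add1_ext_i2d);
-
-int
-OCSP_REQUEST_add_ext(OCSP_REQUEST *x, X509_EXTENSION *ex, int loc)
-{
-	return X509v3_add_ext(&(x->tbsRequest->requestExtensions), ex,
-	    loc) != NULL;
-}
-LCRYPTO_ALIAS(OCSP_REQUEST_add_ext);
-
-/* Single extensions */
-
-int
-OCSP_ONEREQ_get_ext_count(OCSP_ONEREQ *x)
-{
-	return X509v3_get_ext_count(x->singleRequestExtensions);
-}
-LCRYPTO_ALIAS(OCSP_ONEREQ_get_ext_count);
-
-int
-OCSP_ONEREQ_get_ext_by_NID(OCSP_ONEREQ *x, int nid, int lastpos)
-{
-	return X509v3_get_ext_by_NID(x->singleRequestExtensions, nid, lastpos);
-}
-LCRYPTO_ALIAS(OCSP_ONEREQ_get_ext_by_NID);
-
-int
-OCSP_ONEREQ_get_ext_by_OBJ(OCSP_ONEREQ *x, const ASN1_OBJECT *obj, int lastpos)
-{
-	return X509v3_get_ext_by_OBJ(x->singleRequestExtensions, obj, lastpos);
-}
-LCRYPTO_ALIAS(OCSP_ONEREQ_get_ext_by_OBJ);
-
-int
-OCSP_ONEREQ_get_ext_by_critical(OCSP_ONEREQ *x, int crit, int lastpos)
-{
-	return X509v3_get_ext_by_critical(x->singleRequestExtensions, crit,
-	    lastpos);
-}
-LCRYPTO_ALIAS(OCSP_ONEREQ_get_ext_by_critical);
-
-X509_EXTENSION *
-OCSP_ONEREQ_get_ext(OCSP_ONEREQ *x, int loc)
-{
-	return X509v3_get_ext(x->singleRequestExtensions, loc);
-}
-LCRYPTO_ALIAS(OCSP_ONEREQ_get_ext);
-
-X509_EXTENSION *
-OCSP_ONEREQ_delete_ext(OCSP_ONEREQ *x, int loc)
-{
-	return X509v3_delete_ext(x->singleRequestExtensions, loc);
-}
-LCRYPTO_ALIAS(OCSP_ONEREQ_delete_ext);
-
-void *
-OCSP_ONEREQ_get1_ext_d2i(OCSP_ONEREQ *x, int nid, int *crit, int *idx)
-{
-	return X509V3_get_d2i(x->singleRequestExtensions, nid, crit, idx);
-}
-LCRYPTO_ALIAS(OCSP_ONEREQ_get1_ext_d2i);
-
-int
-OCSP_ONEREQ_add1_ext_i2d(OCSP_ONEREQ *x, int nid, void *value, int crit,
-    unsigned long flags)
-{
-	return X509V3_add1_i2d(&x->singleRequestExtensions, nid, value, crit,
-	    flags);
-}
-LCRYPTO_ALIAS(OCSP_ONEREQ_add1_ext_i2d);
-
-int
-OCSP_ONEREQ_add_ext(OCSP_ONEREQ *x, X509_EXTENSION *ex, int loc)
-{
-	return X509v3_add_ext(&(x->singleRequestExtensions), ex, loc) != NULL;
-}
-LCRYPTO_ALIAS(OCSP_ONEREQ_add_ext);
-
-/* OCSP Basic response */
-
-int
-OCSP_BASICRESP_get_ext_count(OCSP_BASICRESP *x)
-{
-	return X509v3_get_ext_count(x->tbsResponseData->responseExtensions);
-}
-LCRYPTO_ALIAS(OCSP_BASICRESP_get_ext_count);
-
-int
-OCSP_BASICRESP_get_ext_by_NID(OCSP_BASICRESP *x, int nid, int lastpos)
-{
-	return X509v3_get_ext_by_NID(x->tbsResponseData->responseExtensions,
-	    nid, lastpos);
-}
-LCRYPTO_ALIAS(OCSP_BASICRESP_get_ext_by_NID);
-
-int
-OCSP_BASICRESP_get_ext_by_OBJ(OCSP_BASICRESP *x, const ASN1_OBJECT *obj,
-    int lastpos)
-{
-	return X509v3_get_ext_by_OBJ(x->tbsResponseData->responseExtensions,
-	    obj, lastpos);
-}
-LCRYPTO_ALIAS(OCSP_BASICRESP_get_ext_by_OBJ);
-
-int
-OCSP_BASICRESP_get_ext_by_critical(OCSP_BASICRESP *x, int crit, int lastpos)
-{
-	return X509v3_get_ext_by_critical(
-	    x->tbsResponseData->responseExtensions, crit, lastpos);
-}
-LCRYPTO_ALIAS(OCSP_BASICRESP_get_ext_by_critical);
-
-X509_EXTENSION *
-OCSP_BASICRESP_get_ext(OCSP_BASICRESP *x, int loc)
-{
-	return X509v3_get_ext(x->tbsResponseData->responseExtensions, loc);
-}
-LCRYPTO_ALIAS(OCSP_BASICRESP_get_ext);
-
-X509_EXTENSION *
-OCSP_BASICRESP_delete_ext(OCSP_BASICRESP *x, int loc)
-{
-	return X509v3_delete_ext(x->tbsResponseData->responseExtensions, loc);
-}
-LCRYPTO_ALIAS(OCSP_BASICRESP_delete_ext);
-
-void *
-OCSP_BASICRESP_get1_ext_d2i(OCSP_BASICRESP *x, int nid, int *crit, int *idx)
-{
-	return X509V3_get_d2i(x->tbsResponseData->responseExtensions, nid,
-	    crit, idx);
-}
-LCRYPTO_ALIAS(OCSP_BASICRESP_get1_ext_d2i);
-
-int
-OCSP_BASICRESP_add1_ext_i2d(OCSP_BASICRESP *x, int nid, void *value, int crit,
-    unsigned long flags)
-{
-	return X509V3_add1_i2d(&x->tbsResponseData->responseExtensions, nid,
-	    value, crit, flags);
-}
-LCRYPTO_ALIAS(OCSP_BASICRESP_add1_ext_i2d);
-
-int
-OCSP_BASICRESP_add_ext(OCSP_BASICRESP *x, X509_EXTENSION *ex, int loc)
-{
-	return X509v3_add_ext(&(x->tbsResponseData->responseExtensions), ex,
-	    loc) != NULL;
-}
-LCRYPTO_ALIAS(OCSP_BASICRESP_add_ext);
-
-/* OCSP single response extensions */
-
-int
-OCSP_SINGLERESP_get_ext_count(OCSP_SINGLERESP *x)
-{
-	return X509v3_get_ext_count(x->singleExtensions);
-}
-LCRYPTO_ALIAS(OCSP_SINGLERESP_get_ext_count);
-
-int
-OCSP_SINGLERESP_get_ext_by_NID(OCSP_SINGLERESP *x, int nid, int lastpos)
-{
-	return X509v3_get_ext_by_NID(x->singleExtensions, nid, lastpos);
-}
-LCRYPTO_ALIAS(OCSP_SINGLERESP_get_ext_by_NID);
-
-int
-OCSP_SINGLERESP_get_ext_by_OBJ(OCSP_SINGLERESP *x, const ASN1_OBJECT *obj,
-    int lastpos)
-{
-	return X509v3_get_ext_by_OBJ(x->singleExtensions, obj, lastpos);
-}
-LCRYPTO_ALIAS(OCSP_SINGLERESP_get_ext_by_OBJ);
-
-int
-OCSP_SINGLERESP_get_ext_by_critical(OCSP_SINGLERESP *x, int crit, int lastpos)
-{
-	return X509v3_get_ext_by_critical(x->singleExtensions, crit, lastpos);
-}
-LCRYPTO_ALIAS(OCSP_SINGLERESP_get_ext_by_critical);
-
-X509_EXTENSION *
-OCSP_SINGLERESP_get_ext(OCSP_SINGLERESP *x, int loc)
-{
-	return X509v3_get_ext(x->singleExtensions, loc);
-}
-LCRYPTO_ALIAS(OCSP_SINGLERESP_get_ext);
-
-X509_EXTENSION *
-OCSP_SINGLERESP_delete_ext(OCSP_SINGLERESP *x, int loc)
-{
-	return X509v3_delete_ext(x->singleExtensions, loc);
-}
-LCRYPTO_ALIAS(OCSP_SINGLERESP_delete_ext);
-
-void *
-OCSP_SINGLERESP_get1_ext_d2i(OCSP_SINGLERESP *x, int nid, int *crit, int *idx)
-{
-	return X509V3_get_d2i(x->singleExtensions, nid, crit, idx);
-}
-LCRYPTO_ALIAS(OCSP_SINGLERESP_get1_ext_d2i);
-
-int
-OCSP_SINGLERESP_add1_ext_i2d(OCSP_SINGLERESP *x, int nid, void *value, int crit,
-    unsigned long flags)
-{
-	return X509V3_add1_i2d(&x->singleExtensions, nid, value, crit, flags);
-}
-LCRYPTO_ALIAS(OCSP_SINGLERESP_add1_ext_i2d);
-
-int
-OCSP_SINGLERESP_add_ext(OCSP_SINGLERESP *x, X509_EXTENSION *ex, int loc)
-{
-	return X509v3_add_ext(&(x->singleExtensions), ex, loc) != NULL;
-}
-LCRYPTO_ALIAS(OCSP_SINGLERESP_add_ext);
-
-/* Nonce handling functions */
-
-/* Add a nonce to an extension stack. A nonce can be specified or if NULL
- * a random nonce will be generated.
- * Note: OpenSSL 0.9.7d and later create an OCTET STRING containing the
- * nonce, previous versions used the raw nonce.
- */
-
-static int
-ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts, unsigned char *val, int len)
-{
-	unsigned char *tmpval;
-	ASN1_OCTET_STRING os;
-	int ret = 0;
-
-	if (len <= 0)
-		len = OCSP_DEFAULT_NONCE_LENGTH;
-	/* Create the OCTET STRING manually by writing out the header and
-	 * appending the content octets. This avoids an extra memory allocation
-	 * operation in some cases. Applications should *NOT* do this because
-	 * it relies on library internals.
-	 */
-	os.length = ASN1_object_size(0, len, V_ASN1_OCTET_STRING);
-	os.data = malloc(os.length);
-	if (os.data == NULL)
-		goto err;
-	tmpval = os.data;
-	ASN1_put_object(&tmpval, 0, len, V_ASN1_OCTET_STRING, V_ASN1_UNIVERSAL);
-	if (val)
-		memcpy(tmpval, val, len);
-	else
-		arc4random_buf(tmpval, len);
-	if (!X509V3_add1_i2d(exts, NID_id_pkix_OCSP_Nonce, &os, 0,
-	    X509V3_ADD_REPLACE))
-		goto err;
-	ret = 1;
-
-err:
-	free(os.data);
-	return ret;
-}
-
-/* Add nonce to an OCSP request */
-int
-OCSP_request_add1_nonce(OCSP_REQUEST *req, unsigned char *val, int len)
-{
-	return ocsp_add1_nonce(&req->tbsRequest->requestExtensions, val, len);
-}
-LCRYPTO_ALIAS(OCSP_request_add1_nonce);
-
-/* Same as above but for a response */
-int
-OCSP_basic_add1_nonce(OCSP_BASICRESP *resp, unsigned char *val, int len)
-{
-	return ocsp_add1_nonce(&resp->tbsResponseData->responseExtensions, val,
-	    len);
-}
-LCRYPTO_ALIAS(OCSP_basic_add1_nonce);
-
-/* Check nonce validity in a request and response.
- * Return value reflects result:
- * 1: nonces present and equal.
- * 2: nonces both absent.
- * 3: nonce present in response only.
- * 0: nonces both present and not equal.
- * -1: nonce in request only.
- *
- * For most responders clients can check return > 0.
- * If responder doesn't handle nonces return != 0 may be
- * necessary. return == 0 is always an error.
- */
-int
-OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *bs)
-{
-	/*
-	 * Since we are only interested in the presence or absence of
-	 * the nonce and comparing its value there is no need to use
-	 * the X509V3 routines: this way we can avoid them allocating an
-	 * ASN1_OCTET_STRING structure for the value which would be
-	 * freed immediately anyway.
-	 */
-	int req_idx, resp_idx;
-	X509_EXTENSION *req_ext, *resp_ext;
-
-	req_idx = OCSP_REQUEST_get_ext_by_NID(req, NID_id_pkix_OCSP_Nonce, -1);
-	resp_idx = OCSP_BASICRESP_get_ext_by_NID(bs,
-	    NID_id_pkix_OCSP_Nonce, -1);
-	/* Check both absent */
-	if (req_idx < 0 && resp_idx < 0)
-		return 2;
-	/* Check in request only */
-	if (req_idx >= 0 && resp_idx < 0)
-		return -1;
-	/* Check in response but not request */
-	if (req_idx < 0 && resp_idx >= 0)
-		return 3;
-	/* Otherwise nonce in request and response so retrieve the extensions */
-	req_ext = OCSP_REQUEST_get_ext(req, req_idx);
-	resp_ext = OCSP_BASICRESP_get_ext(bs, resp_idx);
-	if (ASN1_OCTET_STRING_cmp(req_ext->value, resp_ext->value))
-		return 0;
-	return 1;
-}
-LCRYPTO_ALIAS(OCSP_check_nonce);
-
-/* Copy the nonce value (if any) from an OCSP request to
- * a response.
- */
-int
-OCSP_copy_nonce(OCSP_BASICRESP *resp, OCSP_REQUEST *req)
-{
-	X509_EXTENSION *req_ext;
-	int req_idx;
-
-	/* Check for nonce in request */
-	req_idx = OCSP_REQUEST_get_ext_by_NID(req, NID_id_pkix_OCSP_Nonce, -1);
-	/* If no nonce that's OK */
-	if (req_idx < 0)
-		return 2;
-	req_ext = OCSP_REQUEST_get_ext(req, req_idx);
-	return OCSP_BASICRESP_add_ext(resp, req_ext, -1);
-}
-LCRYPTO_ALIAS(OCSP_copy_nonce);
-
-X509_EXTENSION *
-OCSP_crlID_new(const char *url, long *n, char *tim)
-{
-	X509_EXTENSION *x = NULL;
-	OCSP_CRLID *cid = NULL;
-
-	if (!(cid = OCSP_CRLID_new()))
-		goto err;
-	if (url) {
-		if (!(cid->crlUrl = ASN1_IA5STRING_new()))
-			goto err;
-		if (!(ASN1_STRING_set(cid->crlUrl, url, -1)))
-			goto err;
-	}
-	if (n) {
-		if (!(cid->crlNum = ASN1_INTEGER_new()))
-			goto err;
-		if (!(ASN1_INTEGER_set(cid->crlNum, *n)))
-			goto err;
-	}
-	if (tim) {
-		if (!(cid->crlTime = ASN1_GENERALIZEDTIME_new()))
-			goto err;
-		if (!(ASN1_GENERALIZEDTIME_set_string(cid->crlTime, tim)))
-			goto err;
-	}
-	x = X509V3_EXT_i2d(NID_id_pkix_OCSP_CrlID, 0, cid);
-
-err:
-	if (cid)
-		OCSP_CRLID_free(cid);
-	return x;
-}
-LCRYPTO_ALIAS(OCSP_crlID_new);
-
-/* AcceptableResponses ::= SEQUENCE OF OBJECT IDENTIFIER */
-X509_EXTENSION *
-OCSP_accept_responses_new(char **oids)
-{
-	int nid;
-	STACK_OF(ASN1_OBJECT) *sk = NULL;
-	ASN1_OBJECT *o = NULL;
-	X509_EXTENSION *x = NULL;
-
-	if (!(sk = sk_ASN1_OBJECT_new_null()))
-		return NULL;
-	while (oids && *oids) {
-		if ((nid = OBJ_txt2nid(*oids)) != NID_undef &&
-		    (o = OBJ_nid2obj(nid)))
-			if (sk_ASN1_OBJECT_push(sk, o) == 0) {
-				sk_ASN1_OBJECT_pop_free(sk, ASN1_OBJECT_free);
-				return NULL;
-			}
-		oids++;
-	}
-	x = X509V3_EXT_i2d(NID_id_pkix_OCSP_acceptableResponses, 0, sk);
-	sk_ASN1_OBJECT_pop_free(sk, ASN1_OBJECT_free);
-	return x;
-}
-LCRYPTO_ALIAS(OCSP_accept_responses_new);
-
-/* ArchiveCutoff ::= GeneralizedTime */
-X509_EXTENSION *
-OCSP_archive_cutoff_new(char* tim)
-{
-	X509_EXTENSION *x = NULL;
-	ASN1_GENERALIZEDTIME *gt = NULL;
-
-	if (!(gt = ASN1_GENERALIZEDTIME_new()))
-		return NULL;
-	if (!(ASN1_GENERALIZEDTIME_set_string(gt, tim)))
-		goto err;
-	x = X509V3_EXT_i2d(NID_id_pkix_OCSP_archiveCutoff, 0, gt);
-
-err:
-	if (gt)
-		ASN1_GENERALIZEDTIME_free(gt);
-	return x;
-}
-LCRYPTO_ALIAS(OCSP_archive_cutoff_new);
-
-/* per ACCESS_DESCRIPTION parameter are oids, of which there are currently
- * two--NID_ad_ocsp, NID_id_ad_caIssuers--and GeneralName value. This
- * method forces NID_ad_ocsp and uniformResourceLocator [6] IA5String.
- */
-X509_EXTENSION *
-OCSP_url_svcloc_new(X509_NAME* issuer, const char **urls)
-{
-	X509_EXTENSION *x = NULL;
-	ASN1_IA5STRING *ia5 = NULL;
-	OCSP_SERVICELOC *sloc = NULL;
-	ACCESS_DESCRIPTION *ad = NULL;
-
-	if (!(sloc = OCSP_SERVICELOC_new()))
-		goto err;
-	if (!(sloc->issuer = X509_NAME_dup(issuer)))
-		goto err;
-	if (urls && *urls &&
-	    !(sloc->locator = sk_ACCESS_DESCRIPTION_new_null()))
-		goto err;
-	while (urls && *urls) {
-		if (!(ad = ACCESS_DESCRIPTION_new()))
-			goto err;
-		if (!(ad->method = OBJ_nid2obj(NID_ad_OCSP)))
-			goto err;
-		if (!(ad->location = GENERAL_NAME_new()))
-			goto err;
-		if (!(ia5 = ASN1_IA5STRING_new()))
-			goto err;
-		if (!ASN1_STRING_set((ASN1_STRING*)ia5, *urls, -1))
-			goto err;
-		ad->location->type = GEN_URI;
-		ad->location->d.ia5 = ia5;
-		ia5 = NULL;
-		if (!sk_ACCESS_DESCRIPTION_push(sloc->locator, ad))
-			goto err;
-		ad = NULL;
-		urls++;
-	}
-	x = X509V3_EXT_i2d(NID_id_pkix_OCSP_serviceLocator, 0, sloc);
-
-err:
-	if (ia5)
-		ASN1_IA5STRING_free(ia5);
-	if (ad)
-		ACCESS_DESCRIPTION_free(ad);
-	if (sloc)
-		OCSP_SERVICELOC_free(sloc);
-	return x;
-}
-LCRYPTO_ALIAS(OCSP_url_svcloc_new);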
diff --git a/src/lib/libcrypto/ocsp/ocsp_ht.c b/src/lib/libcrypto/ocsp/ocsp_ht.c
deleted file mode 100644
index 69723c2154..0000000000
--- a/src/lib/libcrypto/ocsp/ocsp_ht.c
+++ /dev/null
@@ -1,469 +0,0 @@
1/* $OpenBSD: ocsp_ht.c,v 1.27 2023/11/28 09:29:20 jsg Exp $ */
2/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3 * project 2006.
4 */
5/* ====================================================================
6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include <stdlib.h>
61#include <ctype.h>
62#include <string.h>
63#include <openssl/asn1.h>
64#include <openssl/ocsp.h>
65#include <openssl/err.h>
66#include <openssl/buffer.h>
67
68/* Stateful OCSP request code, supporting non-blocking I/O */
69
70/* Opaque OCSP request status structure */
71
72struct ocsp_req_ctx_st {
73 int state; /* Current I/O state */
74 unsigned char *iobuf; /* Line buffer */
75 int iobuflen; /* Line buffer length */
76 BIO *io; /* BIO to perform I/O with */
77 BIO *mem; /* Memory BIO response is built into */
78 unsigned long asn1_len; /* ASN1 length of response */
79};
80
81#define OCSP_MAX_REQUEST_LENGTH (100 * 1024)
82#define OCSP_MAX_LINE_LEN 4096;
83
84/* OCSP states */
85
86/* If set no reading should be performed */
87#define OHS_NOREAD 0x1000
88/* Error condition */
89#define OHS_ERROR (0 | OHS_NOREAD)
90/* First line being read */
91#define OHS_FIRSTLINE 1
92/* MIME headers being read */
93#define OHS_HEADERS 2
94/* OCSP initial header (tag + length) being read */
95#define OHS_ASN1_HEADER 3
96/* OCSP content octets being read */
97#define OHS_ASN1_CONTENT 4
98/* Request being sent */
99#define OHS_ASN1_WRITE (6 | OHS_NOREAD)
100/* Request being flushed */
101#define OHS_ASN1_FLUSH (7 | OHS_NOREAD)
102/* Completed */
103#define OHS_DONE (8 | OHS_NOREAD)
104
105
106static int parse_http_line1(char *line);
107
108void
109OCSP_REQ_CTX_free(OCSP_REQ_CTX *rctx)
110{
111 if (rctx == NULL)
112 return;
113
114 BIO_free(rctx->mem);
115 free(rctx->iobuf);
116 free(rctx);
117}
118LCRYPTO_ALIAS(OCSP_REQ_CTX_free);
119
120int
121OCSP_REQ_CTX_set1_req(OCSP_REQ_CTX *rctx, OCSP_REQUEST *req)
122{
123 if (BIO_printf(rctx->mem, "Content-Type: application/ocsp-request\r\n"
124 "Content-Length: %d\r\n\r\n", i2d_OCSP_REQUEST(req, NULL)) <= 0)
125 return 0;
126 if (i2d_OCSP_REQUEST_bio(rctx->mem, req) <= 0)
127 return 0;
128 rctx->state = OHS_ASN1_WRITE;
129 rctx->asn1_len = BIO_get_mem_data(rctx->mem, NULL);
130 return 1;
131}
132LCRYPTO_ALIAS(OCSP_REQ_CTX_set1_req);
133
134int
135OCSP_REQ_CTX_add1_header(OCSP_REQ_CTX *rctx, const char *name,
136 const char *value)
137{
138 if (!name)
139 return 0;
140 if (BIO_puts(rctx->mem, name) <= 0)
141 return 0;
142 if (value) {
143 if (BIO_write(rctx->mem, ": ", 2) != 2)
144 return 0;
145 if (BIO_puts(rctx->mem, value) <= 0)
146 return 0;
147 }
148 if (BIO_write(rctx->mem, "\r\n", 2) != 2)
149 return 0;
150 return 1;
151}
152LCRYPTO_ALIAS(OCSP_REQ_CTX_add1_header);
153
154OCSP_REQ_CTX *
155OCSP_sendreq_new(BIO *io, const char *path, OCSP_REQUEST *req, int maxline)
156{
157 OCSP_REQ_CTX *rctx;
158
159 rctx = malloc(sizeof(OCSP_REQ_CTX));
160 if (rctx == NULL)
161 return NULL;
162 rctx->state = OHS_ERROR;
163 if ((rctx->mem = BIO_new(BIO_s_mem())) == NULL) {
164 free(rctx);
165 return NULL;
166 }
167 rctx->io = io;
168 rctx->asn1_len = 0;
169 if (maxline > 0)
170 rctx->iobuflen = maxline;
171 else
172 rctx->iobuflen = OCSP_MAX_LINE_LEN;
173 rctx->iobuf = malloc(rctx->iobuflen);
174 if (!rctx->iobuf) {
175 BIO_free(rctx->mem);
176 free(rctx);
177 return NULL;
178 }
179 if (!path)
180 path = "/";
181
182 if (BIO_printf(rctx->mem, "POST %s HTTP/1.0\r\n", path) <= 0) {
183 free(rctx->iobuf);
184 BIO_free(rctx->mem);
185 free(rctx);
186 return NULL;
187 }
188
189 if (req && !OCSP_REQ_CTX_set1_req(rctx, req)) {
190 free(rctx->iobuf);
191 BIO_free(rctx->mem);
192 free(rctx);
193 return NULL;
194 }
195
196 return rctx;
197}
198LCRYPTO_ALIAS(OCSP_sendreq_new);
199
200/* Parse the HTTP response. This will look like this:
201 * "HTTP/1.0 200 OK". We need to obtain the numeric code and
202 * (optional) informational message.
203 */
204static int
205parse_http_line1(char *line)
206{
207 int retcode;
208 char *p, *q, *r;
209
210 /* Skip to first white space (passed protocol info) */
211 for (p = line; *p && !isspace((unsigned char)*p); p++)
212 continue;
213 if (!*p) {
214 OCSPerror(OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
215 return 0;
216 }
217
218 /* Skip past white space to start of response code */
219 while (*p && isspace((unsigned char)*p))
220 p++;
221 if (!*p) {
222 OCSPerror(OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
223 return 0;
224 }
225
226 /* Find end of response code: first whitespace after start of code */
227 for (q = p; *q && !isspace((unsigned char)*q); q++)
228 continue;
229 if (!*q) {
230 OCSPerror(OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
231 return 0;
232 }
233
234 /* Set end of response code and start of message */
235 *q++ = 0;
236
237 /* Attempt to parse numeric code */
238 retcode = strtoul(p, &r, 10);
239
240 if (*r)
241 return 0;
242
243 /* Skip over any leading white space in message */
244 while (*q && isspace((unsigned char)*q))
245 q++;
246 if (*q) {
247 /* Finally zap any trailing white space in message (include
248 * CRLF) */
249
250 /* We know q has a non white space character so this is OK */
251 for (r = q + strlen(q) - 1; isspace((unsigned char)*r); r--)
252 *r = 0;
253 }
254 if (retcode != 200) {
255 OCSPerror(OCSP_R_SERVER_RESPONSE_ERROR);
256 if (!*q)
257 ERR_asprintf_error_data("Code=%s", p);
258 else
259 ERR_asprintf_error_data("Code=%s,Reason=%s", p, q);
260 return 0;
261 }
262
263 return 1;
264}
265
266int
267OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx)
268{
269 int i, n;
270 const unsigned char *p;
271
272next_io:
273 if (!(rctx->state & OHS_NOREAD)) {
274 n = BIO_read(rctx->io, rctx->iobuf, rctx->iobuflen);
275
276 if (n <= 0) {
277 if (BIO_should_retry(rctx->io))
278 return -1;
279 return 0;
280 }
281
282 /* Write data to memory BIO */
283 if (BIO_write(rctx->mem, rctx->iobuf, n) != n)
284 return 0;
285 }
286
287 switch (rctx->state) {
288 case OHS_ASN1_WRITE:
289 n = BIO_get_mem_data(rctx->mem, &p);
290 i = BIO_write(rctx->io,
291 p + (n - rctx->asn1_len), rctx->asn1_len);
292 if (i <= 0) {
293 if (BIO_should_retry(rctx->io))
294 return -1;
295 rctx->state = OHS_ERROR;
296 return 0;
297 }
298
299 rctx->asn1_len -= i;
300 if (rctx->asn1_len > 0)
301 goto next_io;
302
303 rctx->state = OHS_ASN1_FLUSH;
304
305 (void)BIO_reset(rctx->mem);
306 /* FALLTHROUGH */
307
308 case OHS_ASN1_FLUSH:
309 i = BIO_flush(rctx->io);
310 if (i > 0) {
311 rctx->state = OHS_FIRSTLINE;
312 goto next_io;
313 }
314
315 if (BIO_should_retry(rctx->io))
316 return -1;
317
318 rctx->state = OHS_ERROR;
319 return 0;
320
321 case OHS_ERROR:
322 return 0;
323
324 case OHS_FIRSTLINE:
325 case OHS_HEADERS:
326 /* Attempt to read a line in */
327next_line:
328 /* Due to &%^*$" memory BIO behaviour with BIO_gets we
329 * have to check there's a complete line in there before
330 * calling BIO_gets or we'll just get a partial read.
331 */
332 n = BIO_get_mem_data(rctx->mem, &p);
333 if ((n <= 0) || !memchr(p, '\n', n)) {
334 if (n >= rctx->iobuflen) {
335 rctx->state = OHS_ERROR;
336 return 0;
337 }
338 goto next_io;
339 }
340 n = BIO_gets(rctx->mem, (char *)rctx->iobuf, rctx->iobuflen);
341 if (n <= 0) {
342 if (BIO_should_retry(rctx->mem))
343 goto next_io;
344 rctx->state = OHS_ERROR;
345 return 0;
346 }
347
348 /* Don't allow excessive lines */
349 if (n == rctx->iobuflen) {
350 rctx->state = OHS_ERROR;
351 return 0;
352 }
353
354 /* First line */
355 if (rctx->state == OHS_FIRSTLINE) {
356 if (parse_http_line1((char *)rctx->iobuf)) {
357 rctx->state = OHS_HEADERS;
358 goto next_line;
359 } else {
360 rctx->state = OHS_ERROR;
361 return 0;
362 }
363 } else {
364 /* Look for blank line: end of headers */
365 for (p = rctx->iobuf; *p; p++) {
366 if ((*p != '\r') && (*p != '\n'))
367 break;
368 }
369 if (*p)
370 goto next_line;
371
372 rctx->state = OHS_ASN1_HEADER;
373 }
374 /* FALLTHROUGH */
375
376 case OHS_ASN1_HEADER:
377 /* Now reading ASN1 header: can read at least 2 bytes which
378 * is enough for ASN1 SEQUENCE header and either length field
379 * or at least the length of the length field.
380 */
381 n = BIO_get_mem_data(rctx->mem, &p);
382 if (n < 2)
383 goto next_io;
384
385 /* Check it is an ASN1 SEQUENCE */
386 if (*p++ != (V_ASN1_SEQUENCE|V_ASN1_CONSTRUCTED)) {
387 rctx->state = OHS_ERROR;
388 return 0;
389 }
390
391 /* Check out length field */
392 if (*p & 0x80) {
393 /* If MSB set on initial length octet we can now
394 * always read 6 octets: make sure we have them.
395 */
396 if (n < 6)
397 goto next_io;
398 n = *p & 0x7F;
399 /* Not NDEF or excessive length */
400 if (!n || (n > 4)) {
401 rctx->state = OHS_ERROR;
402 return 0;
403 }
404 p++;
405 rctx->asn1_len = 0;
406 for (i = 0; i < n; i++) {
407 rctx->asn1_len <<= 8;
408 rctx->asn1_len |= *p++;
409 }
410
411 if (rctx->asn1_len > OCSP_MAX_REQUEST_LENGTH) {
412 rctx->state = OHS_ERROR;
413 return 0;
414 }
415
416 rctx->asn1_len += n + 2;
417 } else
418 rctx->asn1_len = *p + 2;
419
420 rctx->state = OHS_ASN1_CONTENT;
421
422 /* FALLTHROUGH */
423
424 case OHS_ASN1_CONTENT:
425 n = BIO_get_mem_data(rctx->mem, &p);
426 if (n < (int)rctx->asn1_len)
427 goto next_io;
428
429 *presp = d2i_OCSP_RESPONSE(NULL, &p, rctx->asn1_len);
430 if (*presp) {
431 rctx->state = OHS_DONE;
432 return 1;
433 }
434
435 rctx->state = OHS_ERROR;
436 return 0;
437
438 case OHS_DONE:
439 return 1;
440 }
441
442 return 0;
443}
444LCRYPTO_ALIAS(OCSP_sendreq_nbio);
445
446/* Blocking OCSP request handler: now a special case of non-blocking I/O */
447OCSP_RESPONSE *
448OCSP_sendreq_bio(BIO *b, const char *path, OCSP_REQUEST *req)
449{
450 OCSP_RESPONSE *resp = NULL;
451 OCSP_REQ_CTX *ctx;
452 int rv;
453
454 ctx = OCSP_sendreq_new(b, path, req, -1);
455 if (ctx == NULL)
456 return NULL;
457
458 do {
459 rv = OCSP_sendreq_nbio(&resp, ctx);
460 } while ((rv == -1) && BIO_should_retry(b));
461
462 OCSP_REQ_CTX_free(ctx);
463
464 if (rv)
465 return resp;
466
467 return NULL;
468}
469LCRYPTO_ALIAS(OCSP_sendreq_bio);
diff --git a/src/lib/libcrypto/ocsp/ocsp_lib.c b/src/lib/libcrypto/ocsp/ocsp_lib.c
deleted file mode 100644
index 521fb67aed..0000000000
--- a/src/lib/libcrypto/ocsp/ocsp_lib.c
+++ /dev/null
@@ -1,249 +0,0 @@
1/* $OpenBSD: ocsp_lib.c,v 1.28 2024/08/28 06:27:19 tb Exp $ */
2/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
3 * project. */
4
5/* History:
6 This file was transfered to Richard Levitte from CertCo by Kathy
7 Weinhold in mid-spring 2000 to be included in OpenSSL or released
8 as a patch kit. */
9
10/* ====================================================================
11 * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
12 *
13 * Redistribution and use in source and binary forms, with or without
14 * modification, are permitted provided that the following conditions
15 * are met:
16 *
17 * 1. Redistributions of source code must retain the above copyright
18 * notice, this list of conditions and the following disclaimer.
19 *
20 * 2. Redistributions in binary form must reproduce the above copyright
21 * notice, this list of conditions and the following disclaimer in
22 * the documentation and/or other materials provided with the
23 * distribution.
24 *
25 * 3. All advertising materials mentioning features or use of this
26 * software must display the following acknowledgment:
27 * "This product includes software developed by the OpenSSL Project
28 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
29 *
30 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
31 * endorse or promote products derived from this software without
32 * prior written permission. For written permission, please contact
33 * openssl-core@openssl.org.
34 *
35 * 5. Products derived from this software may not be called "OpenSSL"
36 * nor may "OpenSSL" appear in their names without prior written
37 * permission of the OpenSSL Project.
38 *
39 * 6. Redistributions of any form whatsoever must retain the following
40 * acknowledgment:
41 * "This product includes software developed by the OpenSSL Project
42 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
43 *
44 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
45 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
46 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
47 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
48 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
49 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
50 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
51 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
52 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
53 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
54 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
55 * OF THE POSSIBILITY OF SUCH DAMAGE.
56 * ====================================================================
57 *
58 * This product includes cryptographic software written by Eric Young
59 * (eay@cryptsoft.com). This product includes software written by Tim
60 * Hudson (tjh@cryptsoft.com).
61 *
62 */
63
64#include <stdio.h>
65#include <string.h>
66
67#include <openssl/opensslconf.h>
68
69#include <openssl/asn1t.h>
70#include <openssl/err.h>
71#include <openssl/objects.h>
72#include <openssl/ocsp.h>
73#include <openssl/pem.h>
74#include <openssl/x509.h>
75#include <openssl/x509v3.h>
76
77#include "ocsp_local.h"
78#include "x509_local.h"
79
80/* Convert a certificate and its issuer to an OCSP_CERTID */
81
82OCSP_CERTID *
83OCSP_cert_to_id(const EVP_MD *dgst, const X509 *subject, const X509 *issuer)
84{
85 X509_NAME *iname;
86 const ASN1_INTEGER *serial;
87 ASN1_BIT_STRING *ikey;
88
89#ifndef OPENSSL_NO_SHA1
90 if (!dgst)
91 dgst = EVP_sha1();
92#endif
93 if (subject) {
94 iname = X509_get_issuer_name(subject);
95 serial = X509_get0_serialNumber(subject);
96 } else {
97 iname = X509_get_subject_name(issuer);
98 serial = NULL;
99 }
100 if ((ikey = X509_get0_pubkey_bitstr(issuer)) == NULL)
101 return NULL;
102
103 return OCSP_cert_id_new(dgst, iname, ikey, serial);
104}
105LCRYPTO_ALIAS(OCSP_cert_to_id);
106
107OCSP_CERTID *
108OCSP_cert_id_new(const EVP_MD *dgst, const X509_NAME *issuerName,
109 const ASN1_BIT_STRING *issuerKey, const ASN1_INTEGER *serialNumber)
110{
111 int nid;
112 unsigned int i;
113 OCSP_CERTID *cid = NULL;
114 unsigned char md[EVP_MAX_MD_SIZE];
115
116 if ((cid = OCSP_CERTID_new()) == NULL)
117 goto err;
118
119 if ((nid = EVP_MD_type(dgst)) == NID_undef) {
120 OCSPerror(OCSP_R_UNKNOWN_NID);
121 goto err;
122 }
123 if (!X509_ALGOR_set0_by_nid(cid->hashAlgorithm, nid, V_ASN1_NULL, NULL))
124 goto err;
125
126 if (!X509_NAME_digest(issuerName, dgst, md, &i)) {
127 OCSPerror(OCSP_R_DIGEST_ERR);
128 goto err;
129 }
130 if (!ASN1_OCTET_STRING_set(cid->issuerNameHash, md, i))
131 goto err;
132
133 /* Calculate the issuerKey hash, excluding tag and length */
134 if (!EVP_Digest(issuerKey->data, issuerKey->length, md, &i, dgst, NULL))
135 goto err;
136
137 if (!ASN1_OCTET_STRING_set(cid->issuerKeyHash, md, i))
138 goto err;
139
140 if (serialNumber != NULL) {
141 ASN1_INTEGER_free(cid->serialNumber);
142 if ((cid->serialNumber = ASN1_INTEGER_dup(serialNumber)) == NULL)
143 goto err;
144 }
145
146 return cid;
147
148 err:
149 OCSP_CERTID_free(cid);
150
151 return NULL;
152}
153LCRYPTO_ALIAS(OCSP_cert_id_new);
154
155int
156OCSP_id_issuer_cmp(OCSP_CERTID *a, OCSP_CERTID *b)
157{
158 int ret;
159
160 /*
161 * XXX - should we really ignore parameters here? We probably need to
162 * consider omitted parameters and explicit ASN.1 NULL as equal for
163 * the SHAs, so don't blindly switch to X509_ALGOR_cmp().
164 */
165 ret = OBJ_cmp(a->hashAlgorithm->algorithm, b->hashAlgorithm->algorithm);
166 if (ret)
167 return ret;
168 ret = ASN1_OCTET_STRING_cmp(a->issuerNameHash, b->issuerNameHash);
169 if (ret)
170 return ret;
171 return ASN1_OCTET_STRING_cmp(a->issuerKeyHash, b->issuerKeyHash);
172}
173LCRYPTO_ALIAS(OCSP_id_issuer_cmp);
174
175int
176OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b)
177{
178 int ret;
179
180 ret = OCSP_id_issuer_cmp(a, b);
181 if (ret)
182 return ret;
183 return ASN1_INTEGER_cmp(a->serialNumber, b->serialNumber);
184}
185LCRYPTO_ALIAS(OCSP_id_cmp);
186
187/* Parse a URL and split it up into host, port and path components and whether
188 * it is SSL.
189 */
190int
191OCSP_parse_url(const char *url, char **phost, char **pport, char **ppath,
192 int *pssl)
193{
194 char *host, *path, *port, *tmp;
195
196 *phost = *pport = *ppath = NULL;
197 *pssl = 0;
198
199 if (strncmp(url, "https://", 8) == 0) {
200 *pssl = 1;
201 host = strdup(url + 8);
202 } else if (strncmp(url, "http://", 7) == 0)
203 host = strdup(url + 7);
204 else {
205 OCSPerror(OCSP_R_ERROR_PARSING_URL);
206 return 0;
207 }
208 if (host == NULL) {
209 OCSPerror(ERR_R_MALLOC_FAILURE);
210 return 0;
211 }
212
213 if ((tmp = strchr(host, '/')) != NULL) {
214 path = strdup(tmp);
215 *tmp = '\0';
216 } else
217 path = strdup("/");
218
219 if ((tmp = strchr(host, ':')) != NULL ) {
220 port = strdup(tmp + 1);
221 *tmp = '\0';
222 } else {
223 if (*pssl)
224 port = strdup("443");
225 else
226 port = strdup("80");
227 }
228
229 if (path == NULL || port == NULL) {
230 free(host);
231 free(path);
232 free(port);
233 OCSPerror(ERR_R_MALLOC_FAILURE);
234 return 0;
235 }
236
237 *phost = host;
238 *ppath = path;
239 *pport = port;
240 return 1;
241}
242LCRYPTO_ALIAS(OCSP_parse_url);
243
244OCSP_CERTID *
245OCSP_CERTID_dup(OCSP_CERTID *x)
246{
247 return ASN1_item_dup(&OCSP_CERTID_it, x);
248}
249LCRYPTO_ALIAS(OCSP_CERTID_dup);
diff --git a/src/lib/libcrypto/ocsp/ocsp_local.h b/src/lib/libcrypto/ocsp/ocsp_local.h
deleted file mode 100644
index bd933b1915..0000000000
--- a/src/lib/libcrypto/ocsp/ocsp_local.h
+++ /dev/null
@@ -1,291 +0,0 @@
1/* $OpenBSD: ocsp_local.h,v 1.2 2022/01/14 08:32:26 tb Exp $ */
2/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
3 * project. */
4
5/* History:
6 This file was transfered to Richard Levitte from CertCo by Kathy
7 Weinhold in mid-spring 2000 to be included in OpenSSL or released
8 as a patch kit. */
9
10/* ====================================================================
11 * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
12 *
13 * Redistribution and use in source and binary forms, with or without
14 * modification, are permitted provided that the following conditions
15 * are met:
16 *
17 * 1. Redistributions of source code must retain the above copyright
18 * notice, this list of conditions and the following disclaimer.
19 *
20 * 2. Redistributions in binary form must reproduce the above copyright
21 * notice, this list of conditions and the following disclaimer in
22 * the documentation and/or other materials provided with the
23 * distribution.
24 *
25 * 3. All advertising materials mentioning features or use of this
26 * software must display the following acknowledgment:
27 * "This product includes software developed by the OpenSSL Project
28 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
29 *
30 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
31 * endorse or promote products derived from this software without
32 * prior written permission. For written permission, please contact
33 * openssl-core@openssl.org.
34 *
35 * 5. Products derived from this software may not be called "OpenSSL"
36 * nor may "OpenSSL" appear in their names without prior written
37 * permission of the OpenSSL Project.
38 *
39 * 6. Redistributions of any form whatsoever must retain the following
40 * acknowledgment:
41 * "This product includes software developed by the OpenSSL Project
42 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
43 *
44 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
45 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
46 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
47 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
48 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
49 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
50 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
51 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
52 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
53 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
54 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
55 * OF THE POSSIBILITY OF SUCH DAMAGE.
56 * ====================================================================
57 *
58 * This product includes cryptographic software written by Eric Young
59 * (eay@cryptsoft.com). This product includes software written by Tim
60 * Hudson (tjh@cryptsoft.com).
61 *
62 */
63
64#ifndef HEADER_OCSP_LOCAL_H
65#define HEADER_OCSP_LOCAL_H
66
67__BEGIN_HIDDEN_DECLS
68
69/* CertID ::= SEQUENCE {
70 * hashAlgorithm AlgorithmIdentifier,
71 * issuerNameHash OCTET STRING, -- Hash of Issuer's DN
72 * issuerKeyHash OCTET STRING, -- Hash of Issuers public key (excluding the tag & length fields)
73 * serialNumber CertificateSerialNumber }
74 */
75struct ocsp_cert_id_st {
76 X509_ALGOR *hashAlgorithm;
77 ASN1_OCTET_STRING *issuerNameHash;
78 ASN1_OCTET_STRING *issuerKeyHash;
79 ASN1_INTEGER *serialNumber;
80} /* OCSP_CERTID */;
81
82/* Request ::= SEQUENCE {
83 * reqCert CertID,
84 * singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL }
85 */
86struct ocsp_one_request_st {
87 OCSP_CERTID *reqCert;
88 STACK_OF(X509_EXTENSION) *singleRequestExtensions;
89} /* OCSP_ONEREQ */;
90
91/* TBSRequest ::= SEQUENCE {
92 * version [0] EXPLICIT Version DEFAULT v1,
93 * requestorName [1] EXPLICIT GeneralName OPTIONAL,
94 * requestList SEQUENCE OF Request,
95 * requestExtensions [2] EXPLICIT Extensions OPTIONAL }
96 */
97struct ocsp_req_info_st {
98 ASN1_INTEGER *version;
99 GENERAL_NAME *requestorName;
100 STACK_OF(OCSP_ONEREQ) *requestList;
101 STACK_OF(X509_EXTENSION) *requestExtensions;
102} /* OCSP_REQINFO */;
103
104/* Signature ::= SEQUENCE {
105 * signatureAlgorithm AlgorithmIdentifier,
106 * signature BIT STRING,
107 * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
108 */
109struct ocsp_signature_st {
110 X509_ALGOR *signatureAlgorithm;
111 ASN1_BIT_STRING *signature;
112 STACK_OF(X509) *certs;
113} /* OCSP_SIGNATURE */;
114
115/* OCSPRequest ::= SEQUENCE {
116 * tbsRequest TBSRequest,
117 * optionalSignature [0] EXPLICIT Signature OPTIONAL }
118 */
119struct ocsp_request_st {
120 OCSP_REQINFO *tbsRequest;
121 OCSP_SIGNATURE *optionalSignature; /* OPTIONAL */
122} /* OCSP_REQUEST */;
123
124/* OCSPResponseStatus ::= ENUMERATED {
125 * successful (0), --Response has valid confirmations
126 * malformedRequest (1), --Illegal confirmation request
127 * internalError (2), --Internal error in issuer
128 * tryLater (3), --Try again later
129 * --(4) is not used
130 * sigRequired (5), --Must sign the request
131 * unauthorized (6) --Request unauthorized
132 * }
133 */
134
135/* ResponseBytes ::= SEQUENCE {
136 * responseType OBJECT IDENTIFIER,
137 * response OCTET STRING }
138 */
139struct ocsp_resp_bytes_st {
140 ASN1_OBJECT *responseType;
141 ASN1_OCTET_STRING *response;
142} /* OCSP_RESPBYTES */;
143
144/* OCSPResponse ::= SEQUENCE {
145 * responseStatus OCSPResponseStatus,
146 * responseBytes [0] EXPLICIT ResponseBytes OPTIONAL }
147 */
148struct ocsp_response_st {
149 ASN1_ENUMERATED *responseStatus;
150 OCSP_RESPBYTES *responseBytes;
151};
152
153/* ResponderID ::= CHOICE {
154 * byName [1] Name,
155 * byKey [2] KeyHash }
156 */
157struct ocsp_responder_id_st {
158 int type;
159 union {
160 X509_NAME* byName;
161 ASN1_OCTET_STRING *byKey;
162 } value;
163};
164
165/* KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key
166 * --(excluding the tag and length fields)
167 */
168
169/* RevokedInfo ::= SEQUENCE {
170 * revocationTime GeneralizedTime,
171 * revocationReason [0] EXPLICIT CRLReason OPTIONAL }
172 */
173struct ocsp_revoked_info_st {
174 ASN1_GENERALIZEDTIME *revocationTime;
175 ASN1_ENUMERATED *revocationReason;
176} /* OCSP_REVOKEDINFO */;
177
178/* CertStatus ::= CHOICE {
179 * good [0] IMPLICIT NULL,
180 * revoked [1] IMPLICIT RevokedInfo,
181 * unknown [2] IMPLICIT UnknownInfo }
182 */
183struct ocsp_cert_status_st {
184 int type;
185 union {
186 ASN1_NULL *good;
187 OCSP_REVOKEDINFO *revoked;
188 ASN1_NULL *unknown;
189 } value;
190} /* OCSP_CERTSTATUS */;
191
192/* SingleResponse ::= SEQUENCE {
193 * certID CertID,
194 * certStatus CertStatus,
195 * thisUpdate GeneralizedTime,
196 * nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL,
197 * singleExtensions [1] EXPLICIT Extensions OPTIONAL }
198 */
199struct ocsp_single_response_st {
200 OCSP_CERTID *certId;
201 OCSP_CERTSTATUS *certStatus;
202 ASN1_GENERALIZEDTIME *thisUpdate;
203 ASN1_GENERALIZEDTIME *nextUpdate;
204 STACK_OF(X509_EXTENSION) *singleExtensions;
205} /* OCSP_SINGLERESP */;
206
207/* ResponseData ::= SEQUENCE {
208 * version [0] EXPLICIT Version DEFAULT v1,
209 * responderID ResponderID,
210 * producedAt GeneralizedTime,
211 * responses SEQUENCE OF SingleResponse,
212 * responseExtensions [1] EXPLICIT Extensions OPTIONAL }
213 */
214struct ocsp_response_data_st {
215 ASN1_INTEGER *version;
216 OCSP_RESPID *responderId;
217 ASN1_GENERALIZEDTIME *producedAt;
218 STACK_OF(OCSP_SINGLERESP) *responses;
219 STACK_OF(X509_EXTENSION) *responseExtensions;
220} /* OCSP_RESPDATA */;
221
222/* BasicOCSPResponse ::= SEQUENCE {
223 * tbsResponseData ResponseData,
224 * signatureAlgorithm AlgorithmIdentifier,
225 * signature BIT STRING,
226 * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
227 */
228 /* Note 1:
229 The value for "signature" is specified in the OCSP rfc2560 as follows:
230 "The value for the signature SHALL be computed on the hash of the DER
231 encoding ResponseData." This means that you must hash the DER-encoded
232 tbsResponseData, and then run it through a crypto-signing function, which
233 will (at least w/RSA) do a hash-'n'-private-encrypt operation. This seems
234 a bit odd, but that's the spec. Also note that the data structures do not
235 leave anywhere to independently specify the algorithm used for the initial
236 hash. So, we look at the signature-specification algorithm, and try to do
237 something intelligent. -- Kathy Weinhold, CertCo */
238 /* Note 2:
239 It seems that the mentioned passage from RFC 2560 (section 4.2.1) is open
240 for interpretation. I've done tests against another responder, and found
241 that it doesn't do the double hashing that the RFC seems to say one
242 should. Therefore, all relevant functions take a flag saying which
243 variant should be used. -- Richard Levitte, OpenSSL team and CeloCom */
244struct ocsp_basic_response_st {
245 OCSP_RESPDATA *tbsResponseData;
246 X509_ALGOR *signatureAlgorithm;
247 ASN1_BIT_STRING *signature;
248 STACK_OF(X509) *certs;
249} /* OCSP_BASICRESP */;
250
251/* CrlID ::= SEQUENCE {
252 * crlUrl [0] EXPLICIT IA5String OPTIONAL,
253 * crlNum [1] EXPLICIT INTEGER OPTIONAL,
254 * crlTime [2] EXPLICIT GeneralizedTime OPTIONAL }
255 */
256struct ocsp_crl_id_st {
257 ASN1_IA5STRING *crlUrl;
258 ASN1_INTEGER *crlNum;
259 ASN1_GENERALIZEDTIME *crlTime;
260} /* OCSP_CRLID */;
261
262/* ServiceLocator ::= SEQUENCE {
263 * issuer Name,
264 * locator AuthorityInfoAccessSyntax OPTIONAL }
265 */
266struct ocsp_service_locator_st {
267 X509_NAME* issuer;
268 STACK_OF(ACCESS_DESCRIPTION) *locator;
269} /* OCSP_SERVICELOC */;
270
271#define OCSP_REQUEST_sign(o,pkey,md) \
272 ASN1_item_sign(&OCSP_REQINFO_it, \
273 (o)->optionalSignature->signatureAlgorithm, NULL, \
274 (o)->optionalSignature->signature,o->tbsRequest, (pkey), (md))
275
276#define OCSP_BASICRESP_sign(o,pkey,md,d) \
277 ASN1_item_sign(&OCSP_RESPDATA_it,o->signatureAlgorithm,NULL, \
278 (o)->signature,(o)->tbsResponseData,(pkey),(md))
279
280#define OCSP_REQUEST_verify(a,r) \
281 ASN1_item_verify(&OCSP_REQINFO_it, \
282 (a)->optionalSignature->signatureAlgorithm, \
283 (a)->optionalSignature->signature, (a)->tbsRequest, (r))
284
285#define OCSP_BASICRESP_verify(a,r,d) \
286 ASN1_item_verify(&OCSP_RESPDATA_it, \
287 (a)->signatureAlgorithm, (a)->signature, (a)->tbsResponseData, (r))
288
289__END_HIDDEN_DECLS
290
291#endif /* !HEADER_OCSP_LOCAL_H */
diff --git a/src/lib/libcrypto/ocsp/ocsp_prn.c b/src/lib/libcrypto/ocsp/ocsp_prn.c
deleted file mode 100644
index fb7b9651d9..0000000000
--- a/src/lib/libcrypto/ocsp/ocsp_prn.c
+++ /dev/null
@@ -1,323 +0,0 @@
1/* $OpenBSD: ocsp_prn.c,v 1.11 2024/08/28 06:18:44 tb Exp $ */
2/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
3 * project. */
4
5/* History:
6 This file was originally part of ocsp.c and was transfered to Richard
7 Levitte from CertCo by Kathy Weinhold in mid-spring 2000 to be included
8 in OpenSSL or released as a patch kit. */
9
10/* ====================================================================
11 * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
12 *
13 * Redistribution and use in source and binary forms, with or without
14 * modification, are permitted provided that the following conditions
15 * are met:
16 *
17 * 1. Redistributions of source code must retain the above copyright
18 * notice, this list of conditions and the following disclaimer.
19 *
20 * 2. Redistributions in binary form must reproduce the above copyright
21 * notice, this list of conditions and the following disclaimer in
22 * the documentation and/or other materials provided with the
23 * distribution.
24 *
25 * 3. All advertising materials mentioning features or use of this
26 * software must display the following acknowledgment:
27 * "This product includes software developed by the OpenSSL Project
28 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
29 *
30 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
31 * endorse or promote products derived from this software without
32 * prior written permission. For written permission, please contact
33 * openssl-core@openssl.org.
34 *
35 * 5. Products derived from this software may not be called "OpenSSL"
36 * nor may "OpenSSL" appear in their names without prior written
37 * permission of the OpenSSL Project.
38 *
39 * 6. Redistributions of any form whatsoever must retain the following
40 * acknowledgment:
41 * "This product includes software developed by the OpenSSL Project
42 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
43 *
44 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
45 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
46 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
47 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
48 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
49 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
50 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
51 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
52 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
53 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
54 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
55 * OF THE POSSIBILITY OF SUCH DAMAGE.
56 * ====================================================================
57 *
58 * This product includes cryptographic software written by Eric Young
59 * (eay@cryptsoft.com). This product includes software written by Tim
60 * Hudson (tjh@cryptsoft.com).
61 *
62 */
63
64#include <openssl/bio.h>
65#include <openssl/err.h>
66#include <openssl/ocsp.h>
67#include <openssl/pem.h>
68#include <openssl/x509.h>
69
70#include "ocsp_local.h"
71
72static int
73ocsp_certid_print(BIO *bp, OCSP_CERTID* a, int indent)
74{
75 const ASN1_OBJECT *aobj;
76
77 BIO_printf(bp, "%*sCertificate ID:\n", indent, "");
78 indent += 2;
79 BIO_printf(bp, "%*sHash Algorithm: ", indent, "");
80 X509_ALGOR_get0(&aobj, NULL, NULL, a->hashAlgorithm);
81 i2a_ASN1_OBJECT(bp, aobj);
82 BIO_printf(bp, "\n%*sIssuer Name Hash: ", indent, "");
83 i2a_ASN1_STRING(bp, a->issuerNameHash, V_ASN1_OCTET_STRING);
84 BIO_printf(bp, "\n%*sIssuer Key Hash: ", indent, "");
85 i2a_ASN1_STRING(bp, a->issuerKeyHash, V_ASN1_OCTET_STRING);
86 BIO_printf(bp, "\n%*sSerial Number: ", indent, "");
87 i2a_ASN1_INTEGER(bp, a->serialNumber);
88 BIO_printf(bp, "\n");
89 return 1;
90}
91
92typedef struct {
93 long t;
94 const char *m;
95} OCSP_TBLSTR;
96
97static const char *
98table2string(long s, const OCSP_TBLSTR *ts, int len)
99{
100 const OCSP_TBLSTR *p;
101
102 for (p = ts; p < ts + len; p++)
103 if (p->t == s)
104 return p->m;
105 return "(UNKNOWN)";
106}
107
108const char *
109OCSP_response_status_str(long s)
110{
111 static const OCSP_TBLSTR rstat_tbl[] = {
112 { OCSP_RESPONSE_STATUS_SUCCESSFUL, "successful" },
113 { OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, "malformedrequest" },
114 { OCSP_RESPONSE_STATUS_INTERNALERROR, "internalerror" },
115 { OCSP_RESPONSE_STATUS_TRYLATER, "trylater" },
116 { OCSP_RESPONSE_STATUS_SIGREQUIRED, "sigrequired" },
117 { OCSP_RESPONSE_STATUS_UNAUTHORIZED, "unauthorized" }
118 };
119 return table2string(s, rstat_tbl, 6);
120}
121LCRYPTO_ALIAS(OCSP_response_status_str);
122
123const char *
124OCSP_cert_status_str(long s)
125{
126 static const OCSP_TBLSTR cstat_tbl[] = {
127 { V_OCSP_CERTSTATUS_GOOD, "good" },
128 { V_OCSP_CERTSTATUS_REVOKED, "revoked" },
129 { V_OCSP_CERTSTATUS_UNKNOWN, "unknown" }
130 };
131 return table2string(s, cstat_tbl, 3);
132}
133LCRYPTO_ALIAS(OCSP_cert_status_str);
134
135const char *
136OCSP_crl_reason_str(long s)
137{
138 static const OCSP_TBLSTR reason_tbl[] = {
139 { OCSP_REVOKED_STATUS_UNSPECIFIED, "unspecified" },
140 { OCSP_REVOKED_STATUS_KEYCOMPROMISE, "keyCompromise" },
141 { OCSP_REVOKED_STATUS_CACOMPROMISE, "cACompromise" },
142 { OCSP_REVOKED_STATUS_AFFILIATIONCHANGED, "affiliationChanged" },
143 { OCSP_REVOKED_STATUS_SUPERSEDED, "superseded" },
144 { OCSP_REVOKED_STATUS_CESSATIONOFOPERATION, "cessationOfOperation" },
145 { OCSP_REVOKED_STATUS_CERTIFICATEHOLD, "certificateHold" },
146 { OCSP_REVOKED_STATUS_REMOVEFROMCRL, "removeFromCRL" }
147 };
148 return table2string(s, reason_tbl, 8);
149}
150LCRYPTO_ALIAS(OCSP_crl_reason_str);
151
152int
153OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST* o, unsigned long flags)
154{
155 int i;
156 long l;
157 OCSP_CERTID* cid = NULL;
158 OCSP_ONEREQ *one = NULL;
159 OCSP_REQINFO *inf = o->tbsRequest;
160 OCSP_SIGNATURE *sig = o->optionalSignature;
161
162 if (BIO_write(bp, "OCSP Request Data:\n", 19) <= 0)
163 goto err;
164 l = ASN1_INTEGER_get(inf->version);
165 if (BIO_printf(bp, " Version: %lu (0x%lx)", l+1, l) <= 0)
166 goto err;
167 if (inf->requestorName != NULL) {
168 if (BIO_write(bp, "\n Requestor Name: ", 21) <= 0)
169 goto err;
170 GENERAL_NAME_print(bp, inf->requestorName);
171 }
172 if (BIO_write(bp, "\n Requestor List:\n", 21) <= 0)
173 goto err;
174 for (i = 0; i < sk_OCSP_ONEREQ_num(inf->requestList); i++) {
175 one = sk_OCSP_ONEREQ_value(inf->requestList, i);
176 cid = one->reqCert;
177 ocsp_certid_print(bp, cid, 8);
178 if (!X509V3_extensions_print(bp, "Request Single Extensions",
179 one->singleRequestExtensions, flags, 8))
180 goto err;
181 }
182 if (!X509V3_extensions_print(bp, "Request Extensions",
183 inf->requestExtensions, flags, 4))
184 goto err;
185 if (sig) {
186 if (X509_signature_print(bp, sig->signatureAlgorithm,
187 sig->signature) == 0)
188 goto err;
189 for (i = 0; i < sk_X509_num(sig->certs); i++) {
190 if (X509_print(bp, sk_X509_value(sig->certs, i)) == 0)
191 goto err;
192 if (PEM_write_bio_X509(bp,
193 sk_X509_value(sig->certs, i)) == 0)
194 goto err;
195 }
196 }
197 return 1;
198
199err:
200 return 0;
201}
202LCRYPTO_ALIAS(OCSP_REQUEST_print);
203
204int
205OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE* o, unsigned long flags)
206{
207 int i, ret = 0;
208 long l;
209 OCSP_CERTID *cid = NULL;
210 OCSP_BASICRESP *br = NULL;
211 OCSP_RESPID *rid = NULL;
212 OCSP_RESPDATA *rd = NULL;
213 OCSP_CERTSTATUS *cst = NULL;
214 OCSP_REVOKEDINFO *rev = NULL;
215 OCSP_SINGLERESP *single = NULL;
216 OCSP_RESPBYTES *rb = o->responseBytes;
217
218 if (BIO_puts(bp, "OCSP Response Data:\n") <= 0)
219 goto err;
220 l = ASN1_ENUMERATED_get(o->responseStatus);
221 if (BIO_printf(bp, " OCSP Response Status: %s (0x%lx)\n",
222 OCSP_response_status_str(l), l) <= 0)
223 goto err;
224 if (rb == NULL)
225 return 1;
226 if (BIO_puts(bp, " Response Type: ") <= 0)
227 goto err;
228 if (i2a_ASN1_OBJECT(bp, rb->responseType) <= 0)
229 goto err;
230 if (OBJ_obj2nid(rb->responseType) != NID_id_pkix_OCSP_basic) {
231 BIO_puts(bp, " (unknown response type)\n");
232 return 1;
233 }
234
235 i = ASN1_STRING_length(rb->response);
236 if (!(br = OCSP_response_get1_basic(o)))
237 goto err;
238 rd = br->tbsResponseData;
239 l = ASN1_INTEGER_get(rd->version);
240 if (BIO_printf(bp, "\n Version: %lu (0x%lx)\n", l+1, l) <= 0)
241 goto err;
242 if (BIO_puts(bp, " Responder Id: ") <= 0)
243 goto err;
244
245 rid = rd->responderId;
246 switch (rid->type) {
247 case V_OCSP_RESPID_NAME:
248 X509_NAME_print_ex(bp, rid->value.byName, 0, XN_FLAG_ONELINE);
249 break;
250 case V_OCSP_RESPID_KEY:
251 i2a_ASN1_STRING(bp, rid->value.byKey, V_ASN1_OCTET_STRING);
252 break;
253 }
254
255 if (BIO_printf(bp, "\n Produced At: ")<=0)
256 goto err;
257 if (!ASN1_GENERALIZEDTIME_print(bp, rd->producedAt))
258 goto err;
259 if (BIO_printf(bp, "\n Responses:\n") <= 0)
260 goto err;
261 for (i = 0; i < sk_OCSP_SINGLERESP_num(rd->responses); i++) {
262 if (! sk_OCSP_SINGLERESP_value(rd->responses, i))
263 continue;
264 single = sk_OCSP_SINGLERESP_value(rd->responses, i);
265 cid = single->certId;
266 if (ocsp_certid_print(bp, cid, 4) <= 0)
267 goto err;
268 cst = single->certStatus;
269 if (BIO_printf(bp, " Cert Status: %s",
270 OCSP_cert_status_str(cst->type)) <= 0)
271 goto err;
272 if (cst->type == V_OCSP_CERTSTATUS_REVOKED) {
273 rev = cst->value.revoked;
274 if (BIO_printf(bp, "\n Revocation Time: ") <= 0)
275 goto err;
276 if (!ASN1_GENERALIZEDTIME_print(bp,
277 rev->revocationTime))
278 goto err;
279 if (rev->revocationReason) {
280 l = ASN1_ENUMERATED_get(rev->revocationReason);
281 if (BIO_printf(bp,
282 "\n Revocation Reason: %s (0x%lx)",
283 OCSP_crl_reason_str(l), l) <= 0)
284 goto err;
285 }
286 }
287 if (BIO_printf(bp, "\n This Update: ") <= 0)
288 goto err;
289 if (!ASN1_GENERALIZEDTIME_print(bp, single->thisUpdate))
290 goto err;
291 if (single->nextUpdate) {
292 if (BIO_printf(bp, "\n Next Update: ") <= 0)
293 goto err;
294 if (!ASN1_GENERALIZEDTIME_print(bp, single->nextUpdate))
295 goto err;
296 }
297 if (BIO_write(bp, "\n", 1) <= 0)
298 goto err;
299 if (!X509V3_extensions_print(bp, "Response Single Extensions",
300 single->singleExtensions, flags, 8))
301 goto err;
302 if (BIO_write(bp, "\n", 1) <= 0)
303 goto err;
304 }
305 if (!X509V3_extensions_print(bp, "Response Extensions",
306 rd->responseExtensions, flags, 4))
307 goto err;
308 if (X509_signature_print(bp, br->signatureAlgorithm, br->signature) <=
309 0)
310 goto err;
311
312 for (i = 0; i < sk_X509_num(br->certs); i++) {
313 X509_print(bp, sk_X509_value(br->certs, i));
314 PEM_write_bio_X509(bp, sk_X509_value(br->certs, i));
315 }
316
317 ret = 1;
318
319err:
320 OCSP_BASICRESP_free(br);
321 return ret;
322}
323LCRYPTO_ALIAS(OCSP_RESPONSE_print);
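--- a/src/lib/libcrypto/ocsp/ocsp_srv.c
+++ /dev/null
@@ -1,285 +0,0 @@
-/* $OpenBSD: ocsp_srv.c,v 1.13 2023/07/08 10:44:00 beck Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 2001.
- */
-/* ====================================================================
- * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-
-#include <openssl/err.h>
-#include <openssl/objects.h>
-#include <openssl/ocsp.h>
-#include <openssl/pem.h>
-#include <openssl/x509.h>
-#include <openssl/x509v3.h>
-
-#include "ocsp_local.h"
-
-/* Utility functions related to sending OCSP responses and extracting
- * relevant information from the request.
- */
-
-int
-OCSP_request_onereq_count(OCSP_REQUEST *req)
-{
- return sk_OCSP_ONEREQ_num(req->tbsRequest->requestList);
-}
-LCRYPTO_ALIAS(OCSP_request_onereq_count);
-
-OCSP_ONEREQ *
-OCSP_request_onereq_get0(OCSP_REQUEST *req, int i)
-{
- return sk_OCSP_ONEREQ_value(req->tbsRequest->requestList, i);
-}
-LCRYPTO_ALIAS(OCSP_request_onereq_get0);
-
-OCSP_CERTID *
-OCSP_onereq_get0_id(OCSP_ONEREQ *one)
-{
- return one->reqCert;
-}
-LCRYPTO_ALIAS(OCSP_onereq_get0_id);
-
-int
-OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd,
- ASN1_OCTET_STRING **pikeyHash, ASN1_INTEGER **pserial, OCSP_CERTID *cid)
-{
- if (!cid)
- return 0;
- if (pmd)
- *pmd = cid->hashAlgorithm->algorithm;
- if (piNameHash)
- *piNameHash = cid->issuerNameHash;
- if (pikeyHash)
- *pikeyHash = cid->issuerKeyHash;
- if (pserial)
- *pserial = cid->serialNumber;
- return 1;
-}
-LCRYPTO_ALIAS(OCSP_id_get0_info);
-
-int
-OCSP_request_is_signed(OCSP_REQUEST *req)
-{
- if (req->optionalSignature)
- return 1;
- return 0;
-}
-LCRYPTO_ALIAS(OCSP_request_is_signed);
-
-/* Create an OCSP response and encode an optional basic response */
-OCSP_RESPONSE *
-OCSP_response_create(int status, OCSP_BASICRESP *bs)
-{
- OCSP_RESPONSE *rsp = NULL;
-
- if (!(rsp = OCSP_RESPONSE_new()))
- goto err;
- if (!(ASN1_ENUMERATED_set(rsp->responseStatus, status)))
- goto err;
- if (!bs)
- return rsp;
- if (!(rsp->responseBytes = OCSP_RESPBYTES_new()))
- goto err;
- rsp->responseBytes->responseType = OBJ_nid2obj(NID_id_pkix_OCSP_basic);
- if (!ASN1_item_pack(bs, &OCSP_BASICRESP_it,
- &rsp->responseBytes->response))
- goto err;
- return rsp;
-
-err:
- if (rsp)
- OCSP_RESPONSE_free(rsp);
- return NULL;
-}
-LCRYPTO_ALIAS(OCSP_response_create);
-
-OCSP_SINGLERESP *
-OCSP_basic_add1_status(OCSP_BASICRESP *rsp, OCSP_CERTID *cid, int status,
- int reason, ASN1_TIME *revtime, ASN1_TIME *thisupd, ASN1_TIME *nextupd)
-{
- OCSP_SINGLERESP *single = NULL;
- OCSP_CERTSTATUS *cs;
- OCSP_REVOKEDINFO *ri;
-
- if (!rsp->tbsResponseData->responses &&
- !(rsp->tbsResponseData->responses = sk_OCSP_SINGLERESP_new_null()))
- goto err;
-
- if (!(single = OCSP_SINGLERESP_new()))
- goto err;
-
- if (!ASN1_TIME_to_generalizedtime(thisupd, &single->thisUpdate))
- goto err;
- if (nextupd &&
- !ASN1_TIME_to_generalizedtime(nextupd, &single->nextUpdate))
- goto err;
-
- OCSP_CERTID_free(single->certId);
-
- if (!(single->certId = OCSP_CERTID_dup(cid)))
- goto err;
-
- cs = single->certStatus;
- switch (cs->type = status) {
- case V_OCSP_CERTSTATUS_REVOKED:
- if (!revtime) {
- OCSPerror(OCSP_R_NO_REVOKED_TIME);
- goto err;
- }
- if (!(cs->value.revoked = ri = OCSP_REVOKEDINFO_new()))
- goto err;
- if (!ASN1_TIME_to_generalizedtime(revtime, &ri->revocationTime))
- goto err;
- if (reason != OCSP_REVOKED_STATUS_NOSTATUS) {
- if (!(ri->revocationReason = ASN1_ENUMERATED_new()))
- goto err;
- if (!(ASN1_ENUMERATED_set(ri->revocationReason,
- reason)))
- goto err;
- }
- break;
-
- case V_OCSP_CERTSTATUS_GOOD:
- cs->value.good = ASN1_NULL_new();
- break;
-
- case V_OCSP_CERTSTATUS_UNKNOWN:
- cs->value.unknown = ASN1_NULL_new();
- break;
-
- default:
- goto err;
- }
- if (!(sk_OCSP_SINGLERESP_push(rsp->tbsResponseData->responses, single)))
- goto err;
- return single;
-
-err:
- OCSP_SINGLERESP_free(single);
- return NULL;
-}
-LCRYPTO_ALIAS(OCSP_basic_add1_status);
-
-/* Add a certificate to an OCSP request */
-int
-OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert)
-{
- if (!resp->certs && !(resp->certs = sk_X509_new_null()))
- return 0;
-
- if (!sk_X509_push(resp->certs, cert))
- return 0;
- X509_up_ref(cert);
- return 1;
-}
-LCRYPTO_ALIAS(OCSP_basic_add1_cert);
-
-int
-OCSP_basic_sign(OCSP_BASICRESP *brsp, X509 *signer, EVP_PKEY *key,
- const EVP_MD *dgst, STACK_OF(X509) *certs, unsigned long flags)
-{
- int i;
- OCSP_RESPID *rid;
-
- if (!X509_check_private_key(signer, key)) {
- OCSPerror(OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
- goto err;
- }
-
- if (!(flags & OCSP_NOCERTS)) {
- if (!OCSP_basic_add1_cert(brsp, signer))
- goto err;
- for (i = 0; i < sk_X509_num(certs); i++) {
- X509 *tmpcert = sk_X509_value(certs, i);
- if (!OCSP_basic_add1_cert(brsp, tmpcert))
- goto err;
- }
- }
-
- rid = brsp->tbsResponseData->responderId;
- if (flags & OCSP_RESPID_KEY) {
- unsigned char md[SHA_DIGEST_LENGTH];
-
- X509_pubkey_digest(signer, EVP_sha1(), md, NULL);
- if (!(rid->value.byKey = ASN1_OCTET_STRING_new()))
- goto err;
- if (!(ASN1_OCTET_STRING_set(rid->value.byKey, md,
- SHA_DIGEST_LENGTH)))
- goto err;
- rid->type = V_OCSP_RESPID_KEY;
- } else {
- if (!X509_NAME_set(&rid->value.byName,
- X509_get_subject_name(signer)))
- goto err;
- rid->type = V_OCSP_RESPID_NAME;
- }
-
- if (!(flags & OCSP_NOTIME) &&
- !ASN1_GENERALIZEDTIME_set(brsp->tbsResponseData->producedAt, time(NULL)))
- goto err;
-
- /* Right now, I think that not doing double hashing is the right
- thing. -- Richard Levitte */
-
- if (!OCSP_BASICRESP_sign(brsp, key, dgst, 0))
- goto err;
-
- return 1;
-
-err:
- return 0;
-}
-LCRYPTO_ALIAS(OCSP_basic_sign);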
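--- a/src/lib/libcrypto/ocsp/ocsp_vfy.c
+++ /dev/null
@@ -1,475 +0,0 @@
-/* $OpenBSD: ocsp_vfy.c,v 1.24 2024/07/12 18:15:10 beck Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 2000.
- */
-/* ====================================================================
- * Copyright (c) 2000-2004 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <openssl/ocsp.h>
-#include <openssl/err.h>
-#include <string.h>
-
-#include "ocsp_local.h"
-#include "x509_local.h"
-
-static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs,
- STACK_OF(X509) *certs, X509_STORE *st, unsigned long flags);
-static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id);
-static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain,
- unsigned long flags);
-static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, OCSP_CERTID **ret);
-static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid,
- STACK_OF(OCSP_SINGLERESP) *sresp);
-static int ocsp_check_delegated(X509 *x, int flags);
-static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req,
- X509_NAME *nm, STACK_OF(X509) *certs, X509_STORE *st,
- unsigned long flags);
-
-/* Verify a basic response message */
-int
-OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, X509_STORE *st,
- unsigned long flags)
-{
- X509 *signer, *x;
- STACK_OF(X509) *chain = NULL;
- STACK_OF(X509) *untrusted = NULL;
- X509_STORE_CTX ctx;
- int i, ret = 0;
-
- ret = ocsp_find_signer(&signer, bs, certs, st, flags);
- if (!ret) {
- OCSPerror(OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND);
- goto end;
- }
- if ((ret == 2) && (flags & OCSP_TRUSTOTHER))
- flags |= OCSP_NOVERIFY;
- if (!(flags & OCSP_NOSIGS)) {
- EVP_PKEY *skey;
-
- skey = X509_get0_pubkey(signer);
- if (skey) {
- ret = OCSP_BASICRESP_verify(bs, skey, 0);
- }
- if (!skey || ret <= 0) {
- OCSPerror(OCSP_R_SIGNATURE_FAILURE);
- goto end;
- }
- }
- if (!(flags & OCSP_NOVERIFY)) {
- int init_res;
-
- if (flags & OCSP_NOCHAIN) {
- untrusted = NULL;
- } else if (bs->certs && certs) {
- untrusted = sk_X509_dup(bs->certs);
- for (i = 0; i < sk_X509_num(certs); i++) {
- if (!sk_X509_push(untrusted,
- sk_X509_value(certs, i))) {
- OCSPerror(ERR_R_MALLOC_FAILURE);
- goto end;
- }
- }
- } else if (certs != NULL) {
- untrusted = certs;
- } else {
- untrusted = bs->certs;
- }
- init_res = X509_STORE_CTX_init(&ctx, st, signer, untrusted);
- if (!init_res) {
- ret = -1;
- OCSPerror(ERR_R_X509_LIB);
- goto end;
- }
-
- if (X509_STORE_CTX_set_purpose(&ctx,
- X509_PURPOSE_OCSP_HELPER) == 0) {
- X509_STORE_CTX_cleanup(&ctx);
- ret = -1;
- goto end;
- }
- ret = X509_verify_cert(&ctx);
- chain = X509_STORE_CTX_get1_chain(&ctx);
- X509_STORE_CTX_cleanup(&ctx);
- if (ret <= 0) {
- i = X509_STORE_CTX_get_error(&ctx);
- OCSPerror(OCSP_R_CERTIFICATE_VERIFY_ERROR);
- ERR_asprintf_error_data("Verify error:%s",
- X509_verify_cert_error_string(i));
- goto end;
- }
- if (flags & OCSP_NOCHECKS) {
- ret = 1;
- goto end;
- }
- /* At this point we have a valid certificate chain
- * need to verify it against the OCSP issuer criteria.
- */
- ret = ocsp_check_issuer(bs, chain, flags);
-
- /* If fatal error or valid match then finish */
- if (ret != 0)
- goto end;
-
- /* Easy case: explicitly trusted. Get root CA and
- * check for explicit trust
- */
- if (flags & OCSP_NOEXPLICIT)
- goto end;
-
- x = sk_X509_value(chain, sk_X509_num(chain) - 1);
- if (X509_check_trust(x, X509_TRUST_OCSP_SIGN, 0) !=
- X509_TRUST_TRUSTED) {
- OCSPerror(OCSP_R_ROOT_CA_NOT_TRUSTED);
- goto end;
- }
- ret = 1;
- }
-
-end:
- if (chain)
- sk_X509_pop_free(chain, X509_free);
- if (bs->certs && certs)
- sk_X509_free(untrusted);
- return ret;
-}
-LCRYPTO_ALIAS(OCSP_basic_verify);
-
-int
-OCSP_resp_get0_signer(OCSP_BASICRESP *bs, X509 **signer,
- STACK_OF(X509) *extra_certs)
-{
- return ocsp_find_signer(signer, bs, extra_certs, NULL, 0) > 0;
-}
-LCRYPTO_ALIAS(OCSP_resp_get0_signer);
-
-static int
-ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
- X509_STORE *st, unsigned long flags)
-{
- X509 *signer;
- OCSP_RESPID *rid = bs->tbsResponseData->responderId;
-
- if ((signer = ocsp_find_signer_sk(certs, rid))) {
- *psigner = signer;
- return 2;
- }
- if (!(flags & OCSP_NOINTERN) &&
- (signer = ocsp_find_signer_sk(bs->certs, rid))) {
- *psigner = signer;
- return 1;
- }
- /* Maybe lookup from store if by subject name */
-
- *psigner = NULL;
- return 0;
-}
-
-static X509 *
-ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id)
-{
- int i;
- unsigned char tmphash[SHA_DIGEST_LENGTH], *keyhash;
- X509 *x;
-
- /* Easy if lookup by name */
- if (id->type == V_OCSP_RESPID_NAME)
- return X509_find_by_subject(certs, id->value.byName);
-
- /* Lookup by key hash */
-
- /* If key hash isn't SHA1 length then forget it */
- if (id->value.byKey->length != SHA_DIGEST_LENGTH)
- return NULL;
- keyhash = id->value.byKey->data;
- /* Calculate hash of each key and compare */
- for (i = 0; i < sk_X509_num(certs); i++) {
- x = sk_X509_value(certs, i);
- X509_pubkey_digest(x, EVP_sha1(), tmphash, NULL);
- if (!memcmp(keyhash, tmphash, SHA_DIGEST_LENGTH))
- return x;
- }
- return NULL;
-}
-
-static int
-ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain,
- unsigned long flags)
-{
- STACK_OF(OCSP_SINGLERESP) *sresp;
- X509 *signer, *sca;
- OCSP_CERTID *caid = NULL;
- int i;
-
- sresp = bs->tbsResponseData->responses;
-
- if (sk_X509_num(chain) <= 0) {
- OCSPerror(OCSP_R_NO_CERTIFICATES_IN_CHAIN);
- return -1;
- }
-
- /* See if the issuer IDs match. */
- i = ocsp_check_ids(sresp, &caid);
-
- /* If ID mismatch or other error then return */
- if (i <= 0)
- return i;
-
- signer = sk_X509_value(chain, 0);
- /* Check to see if OCSP responder CA matches request CA */
- if (sk_X509_num(chain) > 1) {
- sca = sk_X509_value(chain, 1);
- i = ocsp_match_issuerid(sca, caid, sresp);
- if (i < 0)
- return i;
- if (i) {
- /* We have a match, if extensions OK then success */
- if (ocsp_check_delegated(signer, flags))
- return 1;
- return 0;
- }
- }
-
- /* Otherwise check if OCSP request signed directly by request CA */
- return ocsp_match_issuerid(signer, caid, sresp);
-}
-
-/* Check the issuer certificate IDs for equality. If there is a mismatch with the same
- * algorithm then there's no point trying to match any certificates against the issuer.
- * If the issuer IDs all match then we just need to check equality against one of them.
- */
-static int
-ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, OCSP_CERTID **ret)
-{
- OCSP_CERTID *tmpid, *cid;
- int i, idcount;
-
- idcount = sk_OCSP_SINGLERESP_num(sresp);
- if (idcount <= 0) {
- OCSPerror(OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA);
- return -1;
- }
-
- cid = sk_OCSP_SINGLERESP_value(sresp, 0)->certId;
-
- *ret = NULL;
-
- for (i = 1; i < idcount; i++) {
- tmpid = sk_OCSP_SINGLERESP_value(sresp, i)->certId;
- /* Check to see if IDs match */
- if (OCSP_id_issuer_cmp(cid, tmpid)) {
- return 0;
- }
- }
-
- /* All IDs match: only need to check one ID */
- *ret = cid;
- return 1;
-}
-
-static int
-ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid,
- STACK_OF(OCSP_SINGLERESP) *sresp)
-{
- /* If only one ID to match then do it */
- if (cid) {
- const EVP_MD *dgst;
- X509_NAME *iname;
- int mdlen;
- unsigned char md[EVP_MAX_MD_SIZE];
-
- if (!(dgst =
- EVP_get_digestbyobj(cid->hashAlgorithm->algorithm))) {
- OCSPerror(OCSP_R_UNKNOWN_MESSAGE_DIGEST);
- return -1;
- }
-
- mdlen = EVP_MD_size(dgst);
- if (mdlen < 0)
- return -1;
- if (cid->issuerNameHash->length != mdlen ||
- cid->issuerKeyHash->length != mdlen)
- return 0;
- iname = X509_get_subject_name(cert);
- if (!X509_NAME_digest(iname, dgst, md, NULL))
- return -1;
- if (memcmp(md, cid->issuerNameHash->data, mdlen))
- return 0;
- X509_pubkey_digest(cert, dgst, md, NULL);
- if (memcmp(md, cid->issuerKeyHash->data, mdlen))
- return 0;
-
- return 1;
- } else {
- /* We have to match the whole lot */
- int i, ret;
- OCSP_CERTID *tmpid;
-
- for (i = 0; i < sk_OCSP_SINGLERESP_num(sresp); i++) {
- tmpid = sk_OCSP_SINGLERESP_value(sresp, i)->certId;
- ret = ocsp_match_issuerid(cert, tmpid, NULL);
- if (ret <= 0)
- return ret;
- }
- return 1;
- }
-}
-
-static int
-ocsp_check_delegated(X509 *x, int flags)
-{
- X509_check_purpose(x, -1, 0);
- if ((x->ex_flags & EXFLAG_XKUSAGE) && (x->ex_xkusage & XKU_OCSP_SIGN))
- return 1;
- OCSPerror(OCSP_R_MISSING_OCSPSIGNING_USAGE);
- return 0;
-}
-
-/* Verify an OCSP request. This is fortunately much easier than OCSP
- * response verify. Just find the signers certificate and verify it
- * against a given trust value.
- */
-int
-OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs, X509_STORE *store,
- unsigned long flags)
-{
- X509 *signer;
- X509_NAME *nm;
- GENERAL_NAME *gen;
- int ret;
- X509_STORE_CTX ctx;
-
- if (!req->optionalSignature) {
- OCSPerror(OCSP_R_REQUEST_NOT_SIGNED);
- return 0;
- }
- gen = req->tbsRequest->requestorName;
- if (!gen || gen->type != GEN_DIRNAME) {
- OCSPerror(OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE);
- return 0;
- }
- nm = gen->d.directoryName;
- ret = ocsp_req_find_signer(&signer, req, nm, certs, store, flags);
- if (ret <= 0) {
- OCSPerror(OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND);
- return 0;
- }
- if ((ret == 2) && (flags & OCSP_TRUSTOTHER))
- flags |= OCSP_NOVERIFY;
- if (!(flags & OCSP_NOSIGS)) {
- EVP_PKEY *skey;
-
- if ((skey = X509_get0_pubkey(signer)) == NULL)
- return 0;
- ret = OCSP_REQUEST_verify(req, skey);
- if (ret <= 0) {
- OCSPerror(OCSP_R_SIGNATURE_FAILURE);
- return 0;
- }
- }
- if (!(flags & OCSP_NOVERIFY)) {
- int init_res;
-
- if (flags & OCSP_NOCHAIN)
- init_res = X509_STORE_CTX_init(&ctx, store, signer,
- NULL);
- else
- init_res = X509_STORE_CTX_init(&ctx, store, signer,
- req->optionalSignature->certs);
- if (!init_res) {
- OCSPerror(ERR_R_X509_LIB);
- return 0;
- }
-
- if (X509_STORE_CTX_set_purpose(&ctx,
- X509_PURPOSE_OCSP_HELPER) == 0 ||
- X509_STORE_CTX_set_trust(&ctx,
- X509_TRUST_OCSP_REQUEST) == 0) {
- X509_STORE_CTX_cleanup(&ctx);
- return 0;
- }
- ret = X509_verify_cert(&ctx);
- X509_STORE_CTX_cleanup(&ctx);
- if (ret <= 0) {
- ret = X509_STORE_CTX_get_error(&ctx);
- OCSPerror(OCSP_R_CERTIFICATE_VERIFY_ERROR);
- ERR_asprintf_error_data("Verify error:%s",
- X509_verify_cert_error_string(ret));
- return 0;
- }
- }
- return 1;
-}
-LCRYPTO_ALIAS(OCSP_request_verify);
-
-static int
-ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req, X509_NAME *nm,
- STACK_OF(X509) *certs, X509_STORE *st, unsigned long flags)
-{
- X509 *signer;
-
- if (!(flags & OCSP_NOINTERN)) {
- signer = X509_find_by_subject(req->optionalSignature->certs, nm);
- if (signer) {
- *psigner = signer;
- return 1;
- }
- }
-
- signer = X509_find_by_subject(certs, nm);
- if (signer) {
- *psigner = signer;
- return 2;
- }
- return 0;
-}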