summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/ocsp
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libcrypto/ocsp')
-rw-r--r--src/lib/libcrypto/ocsp/Makefile213
-rw-r--r--src/lib/libcrypto/ocsp/ocsp.h623
-rw-r--r--src/lib/libcrypto/ocsp/ocsp_asn.c182
-rw-r--r--src/lib/libcrypto/ocsp/ocsp_cl.c372
-rw-r--r--src/lib/libcrypto/ocsp/ocsp_err.c141
-rw-r--r--src/lib/libcrypto/ocsp/ocsp_ext.c545
-rw-r--r--src/lib/libcrypto/ocsp/ocsp_ht.c471
-rw-r--r--src/lib/libcrypto/ocsp/ocsp_lib.c262
-rw-r--r--src/lib/libcrypto/ocsp/ocsp_prn.c291
-rw-r--r--src/lib/libcrypto/ocsp/ocsp_srv.c264
-rw-r--r--src/lib/libcrypto/ocsp/ocsp_vfy.c444
11 files changed, 3808 insertions, 0 deletions
diff --git a/src/lib/libcrypto/ocsp/Makefile b/src/lib/libcrypto/ocsp/Makefile
new file mode 100644
index 0000000000..0fe028960e
--- /dev/null
+++ b/src/lib/libcrypto/ocsp/Makefile
@@ -0,0 +1,213 @@
1#
2# OpenSSL/ocsp/Makefile
3#
4
5DIR= ocsp
6TOP= ../..
7CC= cc
8INCLUDES= -I.. -I$(TOP) -I../../include
9CFLAG=-g
10MAKEFILE= Makefile
11AR= ar r
12
13CFLAGS= $(INCLUDES) $(CFLAG)
14
15GENERAL=Makefile README
16TEST=
17APPS=
18
19LIB=$(TOP)/libcrypto.a
20LIBSRC= ocsp_asn.c ocsp_ext.c ocsp_ht.c ocsp_lib.c ocsp_cl.c \
21 ocsp_srv.c ocsp_prn.c ocsp_vfy.c ocsp_err.c
22
23LIBOBJ= ocsp_asn.o ocsp_ext.o ocsp_ht.o ocsp_lib.o ocsp_cl.o \
24 ocsp_srv.o ocsp_prn.o ocsp_vfy.o ocsp_err.o
25
26SRC= $(LIBSRC)
27
28EXHEADER= ocsp.h
29HEADER= $(EXHEADER)
30
31ALL= $(GENERAL) $(SRC) $(HEADER)
32
33top:
34 (cd ../..; $(MAKE) DIRS=crypto SDIRS=$(DIR) sub_all)
35
36all: lib
37
38lib: $(LIBOBJ)
39 $(AR) $(LIB) $(LIBOBJ)
40 $(RANLIB) $(LIB) || echo Never mind.
41 @touch lib
42
43files:
44 $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
45
46links:
47 @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
48 @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
49 @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
50
51install:
52 @[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
53 @headerlist="$(EXHEADER)"; for i in $$headerlist ; \
54 do \
55 (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
56 chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
57 done;
58
59tags:
60 ctags $(SRC)
61
62tests:
63
64lint:
65 lint -DLINT $(INCLUDES) $(SRC)>fluff
66
67depend:
68 @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
69 $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(LIBSRC)
70
71dclean:
72 $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
73 mv -f Makefile.new $(MAKEFILE)
74
75clean:
76 rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
77
78# DO NOT DELETE THIS LINE -- make depend depends on it.
79
80ocsp_asn.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h
81ocsp_asn.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
82ocsp_asn.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
83ocsp_asn.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
84ocsp_asn.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
85ocsp_asn.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
86ocsp_asn.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
87ocsp_asn.o: ../../include/openssl/ocsp.h ../../include/openssl/opensslconf.h
88ocsp_asn.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
89ocsp_asn.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
90ocsp_asn.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
91ocsp_asn.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
92ocsp_asn.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
93ocsp_asn.o: ocsp_asn.c
94ocsp_cl.o: ../../e_os.h ../../include/openssl/asn1.h
95ocsp_cl.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
96ocsp_cl.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
97ocsp_cl.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
98ocsp_cl.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
99ocsp_cl.o: ../../include/openssl/err.h ../../include/openssl/evp.h
100ocsp_cl.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
101ocsp_cl.o: ../../include/openssl/objects.h ../../include/openssl/ocsp.h
102ocsp_cl.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
103ocsp_cl.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pem.h
104ocsp_cl.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs7.h
105ocsp_cl.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
106ocsp_cl.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
107ocsp_cl.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
108ocsp_cl.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
109ocsp_cl.o: ../cryptlib.h ocsp_cl.c
110ocsp_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
111ocsp_err.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
112ocsp_err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
113ocsp_err.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
114ocsp_err.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
115ocsp_err.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
116ocsp_err.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
117ocsp_err.o: ../../include/openssl/ocsp.h ../../include/openssl/opensslconf.h
118ocsp_err.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
119ocsp_err.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
120ocsp_err.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
121ocsp_err.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
122ocsp_err.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
123ocsp_err.o: ocsp_err.c
124ocsp_ext.o: ../../e_os.h ../../include/openssl/asn1.h
125ocsp_ext.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
126ocsp_ext.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
127ocsp_ext.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
128ocsp_ext.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
129ocsp_ext.o: ../../include/openssl/err.h ../../include/openssl/evp.h
130ocsp_ext.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
131ocsp_ext.o: ../../include/openssl/objects.h ../../include/openssl/ocsp.h
132ocsp_ext.o: ../../include/openssl/opensslconf.h
133ocsp_ext.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
134ocsp_ext.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
135ocsp_ext.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
136ocsp_ext.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
137ocsp_ext.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
138ocsp_ext.o: ../../include/openssl/x509v3.h ../cryptlib.h ocsp_ext.c
139ocsp_ht.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
140ocsp_ht.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
141ocsp_ht.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
142ocsp_ht.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
143ocsp_ht.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
144ocsp_ht.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
145ocsp_ht.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
146ocsp_ht.o: ../../include/openssl/ocsp.h ../../include/openssl/opensslconf.h
147ocsp_ht.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
148ocsp_ht.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
149ocsp_ht.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
150ocsp_ht.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
151ocsp_ht.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
152ocsp_ht.o: ocsp_ht.c
153ocsp_lib.o: ../../e_os.h ../../include/openssl/asn1.h
154ocsp_lib.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
155ocsp_lib.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
156ocsp_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
157ocsp_lib.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
158ocsp_lib.o: ../../include/openssl/err.h ../../include/openssl/evp.h
159ocsp_lib.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
160ocsp_lib.o: ../../include/openssl/objects.h ../../include/openssl/ocsp.h
161ocsp_lib.o: ../../include/openssl/opensslconf.h
162ocsp_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
163ocsp_lib.o: ../../include/openssl/pem.h ../../include/openssl/pem2.h
164ocsp_lib.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
165ocsp_lib.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
166ocsp_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
167ocsp_lib.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
168ocsp_lib.o: ../../include/openssl/x509v3.h ../cryptlib.h ocsp_lib.c
169ocsp_prn.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
170ocsp_prn.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
171ocsp_prn.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
172ocsp_prn.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
173ocsp_prn.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
174ocsp_prn.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
175ocsp_prn.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
176ocsp_prn.o: ../../include/openssl/ocsp.h ../../include/openssl/opensslconf.h
177ocsp_prn.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
178ocsp_prn.o: ../../include/openssl/pem.h ../../include/openssl/pem2.h
179ocsp_prn.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
180ocsp_prn.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
181ocsp_prn.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
182ocsp_prn.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
183ocsp_prn.o: ocsp_prn.c
184ocsp_srv.o: ../../e_os.h ../../include/openssl/asn1.h
185ocsp_srv.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
186ocsp_srv.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
187ocsp_srv.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
188ocsp_srv.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
189ocsp_srv.o: ../../include/openssl/err.h ../../include/openssl/evp.h
190ocsp_srv.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
191ocsp_srv.o: ../../include/openssl/objects.h ../../include/openssl/ocsp.h
192ocsp_srv.o: ../../include/openssl/opensslconf.h
193ocsp_srv.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
194ocsp_srv.o: ../../include/openssl/pem.h ../../include/openssl/pem2.h
195ocsp_srv.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
196ocsp_srv.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
197ocsp_srv.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
198ocsp_srv.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
199ocsp_srv.o: ../../include/openssl/x509v3.h ../cryptlib.h ocsp_srv.c
200ocsp_vfy.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
201ocsp_vfy.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
202ocsp_vfy.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
203ocsp_vfy.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
204ocsp_vfy.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
205ocsp_vfy.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
206ocsp_vfy.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
207ocsp_vfy.o: ../../include/openssl/ocsp.h ../../include/openssl/opensslconf.h
208ocsp_vfy.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
209ocsp_vfy.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
210ocsp_vfy.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
211ocsp_vfy.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
212ocsp_vfy.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
213ocsp_vfy.o: ocsp_vfy.c
diff --git a/src/lib/libcrypto/ocsp/ocsp.h b/src/lib/libcrypto/ocsp/ocsp.h
new file mode 100644
index 0000000000..a0577a717e
--- /dev/null
+++ b/src/lib/libcrypto/ocsp/ocsp.h
@@ -0,0 +1,623 @@
1/* ocsp.h */
2/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
3 * project. */
4
5/* History:
6 This file was transfered to Richard Levitte from CertCo by Kathy
7 Weinhold in mid-spring 2000 to be included in OpenSSL or released
8 as a patch kit. */
9
10/* ====================================================================
11 * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
12 *
13 * Redistribution and use in source and binary forms, with or without
14 * modification, are permitted provided that the following conditions
15 * are met:
16 *
17 * 1. Redistributions of source code must retain the above copyright
18 * notice, this list of conditions and the following disclaimer.
19 *
20 * 2. Redistributions in binary form must reproduce the above copyright
21 * notice, this list of conditions and the following disclaimer in
22 * the documentation and/or other materials provided with the
23 * distribution.
24 *
25 * 3. All advertising materials mentioning features or use of this
26 * software must display the following acknowledgment:
27 * "This product includes software developed by the OpenSSL Project
28 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
29 *
30 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
31 * endorse or promote products derived from this software without
32 * prior written permission. For written permission, please contact
33 * openssl-core@openssl.org.
34 *
35 * 5. Products derived from this software may not be called "OpenSSL"
36 * nor may "OpenSSL" appear in their names without prior written
37 * permission of the OpenSSL Project.
38 *
39 * 6. Redistributions of any form whatsoever must retain the following
40 * acknowledgment:
41 * "This product includes software developed by the OpenSSL Project
42 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
43 *
44 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
45 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
46 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
47 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
48 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
49 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
50 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
51 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
52 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
53 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
54 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
55 * OF THE POSSIBILITY OF SUCH DAMAGE.
56 * ====================================================================
57 *
58 * This product includes cryptographic software written by Eric Young
59 * (eay@cryptsoft.com). This product includes software written by Tim
60 * Hudson (tjh@cryptsoft.com).
61 *
62 */
63
64#ifndef HEADER_OCSP_H
65#define HEADER_OCSP_H
66
67#include <openssl/x509.h>
68#include <openssl/x509v3.h>
69#include <openssl/safestack.h>
70
71#ifdef __cplusplus
72extern "C" {
73#endif
74
75/* Various flags and values */
76
77#define OCSP_DEFAULT_NONCE_LENGTH 16
78
79#define OCSP_NOCERTS 0x1
80#define OCSP_NOINTERN 0x2
81#define OCSP_NOSIGS 0x4
82#define OCSP_NOCHAIN 0x8
83#define OCSP_NOVERIFY 0x10
84#define OCSP_NOEXPLICIT 0x20
85#define OCSP_NOCASIGN 0x40
86#define OCSP_NODELEGATED 0x80
87#define OCSP_NOCHECKS 0x100
88#define OCSP_TRUSTOTHER 0x200
89#define OCSP_RESPID_KEY 0x400
90#define OCSP_NOTIME 0x800
91
92/* CertID ::= SEQUENCE {
93 * hashAlgorithm AlgorithmIdentifier,
94 * issuerNameHash OCTET STRING, -- Hash of Issuer's DN
95 * issuerKeyHash OCTET STRING, -- Hash of Issuers public key (excluding the tag & length fields)
96 * serialNumber CertificateSerialNumber }
97 */
98typedef struct ocsp_cert_id_st
99 {
100 X509_ALGOR *hashAlgorithm;
101 ASN1_OCTET_STRING *issuerNameHash;
102 ASN1_OCTET_STRING *issuerKeyHash;
103 ASN1_INTEGER *serialNumber;
104 } OCSP_CERTID;
105
106DECLARE_STACK_OF(OCSP_CERTID)
107
108/* Request ::= SEQUENCE {
109 * reqCert CertID,
110 * singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL }
111 */
112typedef struct ocsp_one_request_st
113 {
114 OCSP_CERTID *reqCert;
115 STACK_OF(X509_EXTENSION) *singleRequestExtensions;
116 } OCSP_ONEREQ;
117
118DECLARE_STACK_OF(OCSP_ONEREQ)
119DECLARE_ASN1_SET_OF(OCSP_ONEREQ)
120
121
122/* TBSRequest ::= SEQUENCE {
123 * version [0] EXPLICIT Version DEFAULT v1,
124 * requestorName [1] EXPLICIT GeneralName OPTIONAL,
125 * requestList SEQUENCE OF Request,
126 * requestExtensions [2] EXPLICIT Extensions OPTIONAL }
127 */
128typedef struct ocsp_req_info_st
129 {
130 ASN1_INTEGER *version;
131 GENERAL_NAME *requestorName;
132 STACK_OF(OCSP_ONEREQ) *requestList;
133 STACK_OF(X509_EXTENSION) *requestExtensions;
134 } OCSP_REQINFO;
135
136/* Signature ::= SEQUENCE {
137 * signatureAlgorithm AlgorithmIdentifier,
138 * signature BIT STRING,
139 * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
140 */
141typedef struct ocsp_signature_st
142 {
143 X509_ALGOR *signatureAlgorithm;
144 ASN1_BIT_STRING *signature;
145 STACK_OF(X509) *certs;
146 } OCSP_SIGNATURE;
147
148/* OCSPRequest ::= SEQUENCE {
149 * tbsRequest TBSRequest,
150 * optionalSignature [0] EXPLICIT Signature OPTIONAL }
151 */
152typedef struct ocsp_request_st
153 {
154 OCSP_REQINFO *tbsRequest;
155 OCSP_SIGNATURE *optionalSignature; /* OPTIONAL */
156 } OCSP_REQUEST;
157
158/* OCSPResponseStatus ::= ENUMERATED {
159 * successful (0), --Response has valid confirmations
160 * malformedRequest (1), --Illegal confirmation request
161 * internalError (2), --Internal error in issuer
162 * tryLater (3), --Try again later
163 * --(4) is not used
164 * sigRequired (5), --Must sign the request
165 * unauthorized (6) --Request unauthorized
166 * }
167 */
168#define OCSP_RESPONSE_STATUS_SUCCESSFUL 0
169#define OCSP_RESPONSE_STATUS_MALFORMEDREQUEST 1
170#define OCSP_RESPONSE_STATUS_INTERNALERROR 2
171#define OCSP_RESPONSE_STATUS_TRYLATER 3
172#define OCSP_RESPONSE_STATUS_SIGREQUIRED 5
173#define OCSP_RESPONSE_STATUS_UNAUTHORIZED 6
174
175/* ResponseBytes ::= SEQUENCE {
176 * responseType OBJECT IDENTIFIER,
177 * response OCTET STRING }
178 */
179typedef struct ocsp_resp_bytes_st
180 {
181 ASN1_OBJECT *responseType;
182 ASN1_OCTET_STRING *response;
183 } OCSP_RESPBYTES;
184
185/* OCSPResponse ::= SEQUENCE {
186 * responseStatus OCSPResponseStatus,
187 * responseBytes [0] EXPLICIT ResponseBytes OPTIONAL }
188 */
189struct ocsp_response_st
190 {
191 ASN1_ENUMERATED *responseStatus;
192 OCSP_RESPBYTES *responseBytes;
193 };
194
195/* ResponderID ::= CHOICE {
196 * byName [1] Name,
197 * byKey [2] KeyHash }
198 */
199#define V_OCSP_RESPID_NAME 0
200#define V_OCSP_RESPID_KEY 1
201struct ocsp_responder_id_st
202 {
203 int type;
204 union {
205 X509_NAME* byName;
206 ASN1_OCTET_STRING *byKey;
207 } value;
208 };
209
210DECLARE_STACK_OF(OCSP_RESPID)
211DECLARE_ASN1_FUNCTIONS(OCSP_RESPID)
212
213/* KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key
214 * --(excluding the tag and length fields)
215 */
216
217/* RevokedInfo ::= SEQUENCE {
218 * revocationTime GeneralizedTime,
219 * revocationReason [0] EXPLICIT CRLReason OPTIONAL }
220 */
221typedef struct ocsp_revoked_info_st
222 {
223 ASN1_GENERALIZEDTIME *revocationTime;
224 ASN1_ENUMERATED *revocationReason;
225 } OCSP_REVOKEDINFO;
226
227/* CertStatus ::= CHOICE {
228 * good [0] IMPLICIT NULL,
229 * revoked [1] IMPLICIT RevokedInfo,
230 * unknown [2] IMPLICIT UnknownInfo }
231 */
232#define V_OCSP_CERTSTATUS_GOOD 0
233#define V_OCSP_CERTSTATUS_REVOKED 1
234#define V_OCSP_CERTSTATUS_UNKNOWN 2
235typedef struct ocsp_cert_status_st
236 {
237 int type;
238 union {
239 ASN1_NULL *good;
240 OCSP_REVOKEDINFO *revoked;
241 ASN1_NULL *unknown;
242 } value;
243 } OCSP_CERTSTATUS;
244
245/* SingleResponse ::= SEQUENCE {
246 * certID CertID,
247 * certStatus CertStatus,
248 * thisUpdate GeneralizedTime,
249 * nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL,
250 * singleExtensions [1] EXPLICIT Extensions OPTIONAL }
251 */
252typedef struct ocsp_single_response_st
253 {
254 OCSP_CERTID *certId;
255 OCSP_CERTSTATUS *certStatus;
256 ASN1_GENERALIZEDTIME *thisUpdate;
257 ASN1_GENERALIZEDTIME *nextUpdate;
258 STACK_OF(X509_EXTENSION) *singleExtensions;
259 } OCSP_SINGLERESP;
260
261DECLARE_STACK_OF(OCSP_SINGLERESP)
262DECLARE_ASN1_SET_OF(OCSP_SINGLERESP)
263
264/* ResponseData ::= SEQUENCE {
265 * version [0] EXPLICIT Version DEFAULT v1,
266 * responderID ResponderID,
267 * producedAt GeneralizedTime,
268 * responses SEQUENCE OF SingleResponse,
269 * responseExtensions [1] EXPLICIT Extensions OPTIONAL }
270 */
271typedef struct ocsp_response_data_st
272 {
273 ASN1_INTEGER *version;
274 OCSP_RESPID *responderId;
275 ASN1_GENERALIZEDTIME *producedAt;
276 STACK_OF(OCSP_SINGLERESP) *responses;
277 STACK_OF(X509_EXTENSION) *responseExtensions;
278 } OCSP_RESPDATA;
279
280/* BasicOCSPResponse ::= SEQUENCE {
281 * tbsResponseData ResponseData,
282 * signatureAlgorithm AlgorithmIdentifier,
283 * signature BIT STRING,
284 * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
285 */
286 /* Note 1:
287 The value for "signature" is specified in the OCSP rfc2560 as follows:
288 "The value for the signature SHALL be computed on the hash of the DER
289 encoding ResponseData." This means that you must hash the DER-encoded
290 tbsResponseData, and then run it through a crypto-signing function, which
291 will (at least w/RSA) do a hash-'n'-private-encrypt operation. This seems
292 a bit odd, but that's the spec. Also note that the data structures do not
293 leave anywhere to independently specify the algorithm used for the initial
294 hash. So, we look at the signature-specification algorithm, and try to do
295 something intelligent. -- Kathy Weinhold, CertCo */
296 /* Note 2:
297 It seems that the mentioned passage from RFC 2560 (section 4.2.1) is open
298 for interpretation. I've done tests against another responder, and found
299 that it doesn't do the double hashing that the RFC seems to say one
300 should. Therefore, all relevant functions take a flag saying which
301 variant should be used. -- Richard Levitte, OpenSSL team and CeloCom */
302typedef struct ocsp_basic_response_st
303 {
304 OCSP_RESPDATA *tbsResponseData;
305 X509_ALGOR *signatureAlgorithm;
306 ASN1_BIT_STRING *signature;
307 STACK_OF(X509) *certs;
308 } OCSP_BASICRESP;
309
310/*
311 * CRLReason ::= ENUMERATED {
312 * unspecified (0),
313 * keyCompromise (1),
314 * cACompromise (2),
315 * affiliationChanged (3),
316 * superseded (4),
317 * cessationOfOperation (5),
318 * certificateHold (6),
319 * removeFromCRL (8) }
320 */
321#define OCSP_REVOKED_STATUS_NOSTATUS -1
322#define OCSP_REVOKED_STATUS_UNSPECIFIED 0
323#define OCSP_REVOKED_STATUS_KEYCOMPROMISE 1
324#define OCSP_REVOKED_STATUS_CACOMPROMISE 2
325#define OCSP_REVOKED_STATUS_AFFILIATIONCHANGED 3
326#define OCSP_REVOKED_STATUS_SUPERSEDED 4
327#define OCSP_REVOKED_STATUS_CESSATIONOFOPERATION 5
328#define OCSP_REVOKED_STATUS_CERTIFICATEHOLD 6
329#define OCSP_REVOKED_STATUS_REMOVEFROMCRL 8
330
331/* CrlID ::= SEQUENCE {
332 * crlUrl [0] EXPLICIT IA5String OPTIONAL,
333 * crlNum [1] EXPLICIT INTEGER OPTIONAL,
334 * crlTime [2] EXPLICIT GeneralizedTime OPTIONAL }
335 */
336typedef struct ocsp_crl_id_st
337 {
338 ASN1_IA5STRING *crlUrl;
339 ASN1_INTEGER *crlNum;
340 ASN1_GENERALIZEDTIME *crlTime;
341 } OCSP_CRLID;
342
343/* ServiceLocator ::= SEQUENCE {
344 * issuer Name,
345 * locator AuthorityInfoAccessSyntax OPTIONAL }
346 */
347typedef struct ocsp_service_locator_st
348 {
349 X509_NAME* issuer;
350 STACK_OF(ACCESS_DESCRIPTION) *locator;
351 } OCSP_SERVICELOC;
352
353#define PEM_STRING_OCSP_REQUEST "OCSP REQUEST"
354#define PEM_STRING_OCSP_RESPONSE "OCSP RESPONSE"
355
356#define d2i_OCSP_REQUEST_bio(bp,p) ASN1_d2i_bio_of(OCSP_REQUEST,OCSP_REQUEST_new,d2i_OCSP_REQUEST,bp,p)
357
358#define d2i_OCSP_RESPONSE_bio(bp,p) ASN1_d2i_bio_of(OCSP_RESPONSE,OCSP_RESPONSE_new,d2i_OCSP_RESPONSE,bp,p)
359
360#define PEM_read_bio_OCSP_REQUEST(bp,x,cb) (OCSP_REQUEST *)PEM_ASN1_read_bio( \
361 (char *(*)())d2i_OCSP_REQUEST,PEM_STRING_OCSP_REQUEST,bp,(char **)x,cb,NULL)
362
363#define PEM_read_bio_OCSP_RESPONSE(bp,x,cb)(OCSP_RESPONSE *)PEM_ASN1_read_bio(\
364 (char *(*)())d2i_OCSP_RESPONSE,PEM_STRING_OCSP_RESPONSE,bp,(char **)x,cb,NULL)
365
366#define PEM_write_bio_OCSP_REQUEST(bp,o) \
367 PEM_ASN1_write_bio((int (*)())i2d_OCSP_REQUEST,PEM_STRING_OCSP_REQUEST,\
368 bp,(char *)o, NULL,NULL,0,NULL,NULL)
369
370#define PEM_write_bio_OCSP_RESPONSE(bp,o) \
371 PEM_ASN1_write_bio((int (*)())i2d_OCSP_RESPONSE,PEM_STRING_OCSP_RESPONSE,\
372 bp,(char *)o, NULL,NULL,0,NULL,NULL)
373
374#define i2d_OCSP_RESPONSE_bio(bp,o) ASN1_i2d_bio_of(OCSP_RESPONSE,i2d_OCSP_RESPONSE,bp,o)
375
376#define i2d_OCSP_REQUEST_bio(bp,o) ASN1_i2d_bio_of(OCSP_REQUEST,i2d_OCSP_REQUEST,bp,o)
377
378#define OCSP_REQUEST_sign(o,pkey,md) \
379 ASN1_item_sign(ASN1_ITEM_rptr(OCSP_REQINFO),\
380 o->optionalSignature->signatureAlgorithm,NULL,\
381 o->optionalSignature->signature,o->tbsRequest,pkey,md)
382
383#define OCSP_BASICRESP_sign(o,pkey,md,d) \
384 ASN1_item_sign(ASN1_ITEM_rptr(OCSP_RESPDATA),o->signatureAlgorithm,NULL,\
385 o->signature,o->tbsResponseData,pkey,md)
386
387#define OCSP_REQUEST_verify(a,r) ASN1_item_verify(ASN1_ITEM_rptr(OCSP_REQINFO),\
388 a->optionalSignature->signatureAlgorithm,\
389 a->optionalSignature->signature,a->tbsRequest,r)
390
391#define OCSP_BASICRESP_verify(a,r,d) ASN1_item_verify(ASN1_ITEM_rptr(OCSP_RESPDATA),\
392 a->signatureAlgorithm,a->signature,a->tbsResponseData,r)
393
394#define ASN1_BIT_STRING_digest(data,type,md,len) \
395 ASN1_item_digest(ASN1_ITEM_rptr(ASN1_BIT_STRING),type,data,md,len)
396
397#define OCSP_CERTID_dup(cid) ASN1_dup_of(OCSP_CERTID,i2d_OCSP_CERTID,d2i_OCSP_CERTID,cid)
398
399#define OCSP_CERTSTATUS_dup(cs)\
400 (OCSP_CERTSTATUS*)ASN1_dup((int(*)())i2d_OCSP_CERTSTATUS,\
401 (char *(*)())d2i_OCSP_CERTSTATUS,(char *)(cs))
402
403OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, char *path, OCSP_REQUEST *req);
404OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, char *path, OCSP_REQUEST *req,
405 int maxline);
406int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx);
407void OCSP_REQ_CTX_free(OCSP_REQ_CTX *rctx);
408
409OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *dgst, X509 *subject, X509 *issuer);
410
411OCSP_CERTID *OCSP_cert_id_new(const EVP_MD *dgst,
412 X509_NAME *issuerName,
413 ASN1_BIT_STRING* issuerKey,
414 ASN1_INTEGER *serialNumber);
415
416OCSP_ONEREQ *OCSP_request_add0_id(OCSP_REQUEST *req, OCSP_CERTID *cid);
417
418int OCSP_request_add1_nonce(OCSP_REQUEST *req, unsigned char *val, int len);
419int OCSP_basic_add1_nonce(OCSP_BASICRESP *resp, unsigned char *val, int len);
420int OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *bs);
421int OCSP_copy_nonce(OCSP_BASICRESP *resp, OCSP_REQUEST *req);
422
423int OCSP_request_set1_name(OCSP_REQUEST *req, X509_NAME *nm);
424int OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert);
425
426int OCSP_request_sign(OCSP_REQUEST *req,
427 X509 *signer,
428 EVP_PKEY *key,
429 const EVP_MD *dgst,
430 STACK_OF(X509) *certs,
431 unsigned long flags);
432
433int OCSP_response_status(OCSP_RESPONSE *resp);
434OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp);
435
436int OCSP_resp_count(OCSP_BASICRESP *bs);
437OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx);
438int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last);
439int OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason,
440 ASN1_GENERALIZEDTIME **revtime,
441 ASN1_GENERALIZEDTIME **thisupd,
442 ASN1_GENERALIZEDTIME **nextupd);
443int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
444 int *reason,
445 ASN1_GENERALIZEDTIME **revtime,
446 ASN1_GENERALIZEDTIME **thisupd,
447 ASN1_GENERALIZEDTIME **nextupd);
448int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
449 ASN1_GENERALIZEDTIME *nextupd,
450 long sec, long maxsec);
451
452int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs, X509_STORE *store, unsigned long flags);
453
454int OCSP_parse_url(char *url, char **phost, char **pport, char **ppath, int *pssl);
455
456int OCSP_id_issuer_cmp(OCSP_CERTID *a, OCSP_CERTID *b);
457int OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b);
458
459int OCSP_request_onereq_count(OCSP_REQUEST *req);
460OCSP_ONEREQ *OCSP_request_onereq_get0(OCSP_REQUEST *req, int i);
461OCSP_CERTID *OCSP_onereq_get0_id(OCSP_ONEREQ *one);
462int OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd,
463 ASN1_OCTET_STRING **pikeyHash,
464 ASN1_INTEGER **pserial, OCSP_CERTID *cid);
465int OCSP_request_is_signed(OCSP_REQUEST *req);
466OCSP_RESPONSE *OCSP_response_create(int status, OCSP_BASICRESP *bs);
467OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp,
468 OCSP_CERTID *cid,
469 int status, int reason,
470 ASN1_TIME *revtime,
471 ASN1_TIME *thisupd, ASN1_TIME *nextupd);
472int OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert);
473int OCSP_basic_sign(OCSP_BASICRESP *brsp,
474 X509 *signer, EVP_PKEY *key, const EVP_MD *dgst,
475 STACK_OF(X509) *certs, unsigned long flags);
476
477ASN1_STRING *ASN1_STRING_encode(ASN1_STRING *s, i2d_of_void *i2d,
478 void *data, STACK_OF(ASN1_OBJECT) *sk);
479#define ASN1_STRING_encode_of(type,s,i2d,data,sk) \
480 ASN1_STRING_encode(s, CHECKED_I2D_OF(type, i2d), data, sk)
481
482X509_EXTENSION *OCSP_crlID_new(char *url, long *n, char *tim);
483
484X509_EXTENSION *OCSP_accept_responses_new(char **oids);
485
486X509_EXTENSION *OCSP_archive_cutoff_new(char* tim);
487
488X509_EXTENSION *OCSP_url_svcloc_new(X509_NAME* issuer, char **urls);
489
490int OCSP_REQUEST_get_ext_count(OCSP_REQUEST *x);
491int OCSP_REQUEST_get_ext_by_NID(OCSP_REQUEST *x, int nid, int lastpos);
492int OCSP_REQUEST_get_ext_by_OBJ(OCSP_REQUEST *x, ASN1_OBJECT *obj, int lastpos);
493int OCSP_REQUEST_get_ext_by_critical(OCSP_REQUEST *x, int crit, int lastpos);
494X509_EXTENSION *OCSP_REQUEST_get_ext(OCSP_REQUEST *x, int loc);
495X509_EXTENSION *OCSP_REQUEST_delete_ext(OCSP_REQUEST *x, int loc);
496void *OCSP_REQUEST_get1_ext_d2i(OCSP_REQUEST *x, int nid, int *crit, int *idx);
497int OCSP_REQUEST_add1_ext_i2d(OCSP_REQUEST *x, int nid, void *value, int crit,
498 unsigned long flags);
499int OCSP_REQUEST_add_ext(OCSP_REQUEST *x, X509_EXTENSION *ex, int loc);
500
501int OCSP_ONEREQ_get_ext_count(OCSP_ONEREQ *x);
502int OCSP_ONEREQ_get_ext_by_NID(OCSP_ONEREQ *x, int nid, int lastpos);
503int OCSP_ONEREQ_get_ext_by_OBJ(OCSP_ONEREQ *x, ASN1_OBJECT *obj, int lastpos);
504int OCSP_ONEREQ_get_ext_by_critical(OCSP_ONEREQ *x, int crit, int lastpos);
505X509_EXTENSION *OCSP_ONEREQ_get_ext(OCSP_ONEREQ *x, int loc);
506X509_EXTENSION *OCSP_ONEREQ_delete_ext(OCSP_ONEREQ *x, int loc);
507void *OCSP_ONEREQ_get1_ext_d2i(OCSP_ONEREQ *x, int nid, int *crit, int *idx);
508int OCSP_ONEREQ_add1_ext_i2d(OCSP_ONEREQ *x, int nid, void *value, int crit,
509 unsigned long flags);
510int OCSP_ONEREQ_add_ext(OCSP_ONEREQ *x, X509_EXTENSION *ex, int loc);
511
512int OCSP_BASICRESP_get_ext_count(OCSP_BASICRESP *x);
513int OCSP_BASICRESP_get_ext_by_NID(OCSP_BASICRESP *x, int nid, int lastpos);
514int OCSP_BASICRESP_get_ext_by_OBJ(OCSP_BASICRESP *x, ASN1_OBJECT *obj, int lastpos);
515int OCSP_BASICRESP_get_ext_by_critical(OCSP_BASICRESP *x, int crit, int lastpos);
516X509_EXTENSION *OCSP_BASICRESP_get_ext(OCSP_BASICRESP *x, int loc);
517X509_EXTENSION *OCSP_BASICRESP_delete_ext(OCSP_BASICRESP *x, int loc);
518void *OCSP_BASICRESP_get1_ext_d2i(OCSP_BASICRESP *x, int nid, int *crit, int *idx);
519int OCSP_BASICRESP_add1_ext_i2d(OCSP_BASICRESP *x, int nid, void *value, int crit,
520 unsigned long flags);
521int OCSP_BASICRESP_add_ext(OCSP_BASICRESP *x, X509_EXTENSION *ex, int loc);
522
523int OCSP_SINGLERESP_get_ext_count(OCSP_SINGLERESP *x);
524int OCSP_SINGLERESP_get_ext_by_NID(OCSP_SINGLERESP *x, int nid, int lastpos);
525int OCSP_SINGLERESP_get_ext_by_OBJ(OCSP_SINGLERESP *x, ASN1_OBJECT *obj, int lastpos);
526int OCSP_SINGLERESP_get_ext_by_critical(OCSP_SINGLERESP *x, int crit, int lastpos);
527X509_EXTENSION *OCSP_SINGLERESP_get_ext(OCSP_SINGLERESP *x, int loc);
528X509_EXTENSION *OCSP_SINGLERESP_delete_ext(OCSP_SINGLERESP *x, int loc);
529void *OCSP_SINGLERESP_get1_ext_d2i(OCSP_SINGLERESP *x, int nid, int *crit, int *idx);
530int OCSP_SINGLERESP_add1_ext_i2d(OCSP_SINGLERESP *x, int nid, void *value, int crit,
531 unsigned long flags);
532int OCSP_SINGLERESP_add_ext(OCSP_SINGLERESP *x, X509_EXTENSION *ex, int loc);
533
534DECLARE_ASN1_FUNCTIONS(OCSP_SINGLERESP)
535DECLARE_ASN1_FUNCTIONS(OCSP_CERTSTATUS)
536DECLARE_ASN1_FUNCTIONS(OCSP_REVOKEDINFO)
537DECLARE_ASN1_FUNCTIONS(OCSP_BASICRESP)
538DECLARE_ASN1_FUNCTIONS(OCSP_RESPDATA)
539DECLARE_ASN1_FUNCTIONS(OCSP_RESPID)
540DECLARE_ASN1_FUNCTIONS(OCSP_RESPONSE)
541DECLARE_ASN1_FUNCTIONS(OCSP_RESPBYTES)
542DECLARE_ASN1_FUNCTIONS(OCSP_ONEREQ)
543DECLARE_ASN1_FUNCTIONS(OCSP_CERTID)
544DECLARE_ASN1_FUNCTIONS(OCSP_REQUEST)
545DECLARE_ASN1_FUNCTIONS(OCSP_SIGNATURE)
546DECLARE_ASN1_FUNCTIONS(OCSP_REQINFO)
547DECLARE_ASN1_FUNCTIONS(OCSP_CRLID)
548DECLARE_ASN1_FUNCTIONS(OCSP_SERVICELOC)
549
550char *OCSP_response_status_str(long s);
551char *OCSP_cert_status_str(long s);
552char *OCSP_crl_reason_str(long s);
553
554int OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST* a, unsigned long flags);
555int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE* o, unsigned long flags);
556
557int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
558 X509_STORE *st, unsigned long flags);
559
560/* BEGIN ERROR CODES */
561/* The following lines are auto generated by the script mkerr.pl. Any changes
562 * made after this point may be overwritten when the script is next run.
563 */
564void ERR_load_OCSP_strings(void);
565
566/* Error codes for the OCSP functions. */
567
568/* Function codes. */
569#define OCSP_F_ASN1_STRING_ENCODE 100
570#define OCSP_F_D2I_OCSP_NONCE 102
571#define OCSP_F_OCSP_BASIC_ADD1_STATUS 103
572#define OCSP_F_OCSP_BASIC_SIGN 104
573#define OCSP_F_OCSP_BASIC_VERIFY 105
574#define OCSP_F_OCSP_CERT_ID_NEW 101
575#define OCSP_F_OCSP_CHECK_DELEGATED 106
576#define OCSP_F_OCSP_CHECK_IDS 107
577#define OCSP_F_OCSP_CHECK_ISSUER 108
578#define OCSP_F_OCSP_CHECK_VALIDITY 115
579#define OCSP_F_OCSP_MATCH_ISSUERID 109
580#define OCSP_F_OCSP_PARSE_URL 114
581#define OCSP_F_OCSP_REQUEST_SIGN 110
582#define OCSP_F_OCSP_REQUEST_VERIFY 116
583#define OCSP_F_OCSP_RESPONSE_GET1_BASIC 111
584#define OCSP_F_OCSP_SENDREQ_BIO 112
585#define OCSP_F_PARSE_HTTP_LINE1 117
586#define OCSP_F_REQUEST_VERIFY 113
587
588/* Reason codes. */
589#define OCSP_R_BAD_DATA 100
590#define OCSP_R_CERTIFICATE_VERIFY_ERROR 101
591#define OCSP_R_DIGEST_ERR 102
592#define OCSP_R_ERROR_IN_NEXTUPDATE_FIELD 122
593#define OCSP_R_ERROR_IN_THISUPDATE_FIELD 123
594#define OCSP_R_ERROR_PARSING_URL 121
595#define OCSP_R_MISSING_OCSPSIGNING_USAGE 103
596#define OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE 124
597#define OCSP_R_NOT_BASIC_RESPONSE 104
598#define OCSP_R_NO_CERTIFICATES_IN_CHAIN 105
599#define OCSP_R_NO_CONTENT 106
600#define OCSP_R_NO_PUBLIC_KEY 107
601#define OCSP_R_NO_RESPONSE_DATA 108
602#define OCSP_R_NO_REVOKED_TIME 109
603#define OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE 110
604#define OCSP_R_REQUEST_NOT_SIGNED 128
605#define OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA 111
606#define OCSP_R_ROOT_CA_NOT_TRUSTED 112
607#define OCSP_R_SERVER_READ_ERROR 113
608#define OCSP_R_SERVER_RESPONSE_ERROR 114
609#define OCSP_R_SERVER_RESPONSE_PARSE_ERROR 115
610#define OCSP_R_SERVER_WRITE_ERROR 116
611#define OCSP_R_SIGNATURE_FAILURE 117
612#define OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND 118
613#define OCSP_R_STATUS_EXPIRED 125
614#define OCSP_R_STATUS_NOT_YET_VALID 126
615#define OCSP_R_STATUS_TOO_OLD 127
616#define OCSP_R_UNKNOWN_MESSAGE_DIGEST 119
617#define OCSP_R_UNKNOWN_NID 120
618#define OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE 129
619
620#ifdef __cplusplus
621}
622#endif
623#endif
diff --git a/src/lib/libcrypto/ocsp/ocsp_asn.c b/src/lib/libcrypto/ocsp/ocsp_asn.c
new file mode 100644
index 0000000000..39b7a1c568
--- /dev/null
+++ b/src/lib/libcrypto/ocsp/ocsp_asn.c
@@ -0,0 +1,182 @@
1/* ocsp_asn.c */
2/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
3 * project 2000.
4 */
5/* ====================================================================
6 * Copyright (c) 2000 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58#include <openssl/asn1.h>
59#include <openssl/asn1t.h>
60#include <openssl/ocsp.h>
61
62ASN1_SEQUENCE(OCSP_SIGNATURE) = {
63 ASN1_SIMPLE(OCSP_SIGNATURE, signatureAlgorithm, X509_ALGOR),
64 ASN1_SIMPLE(OCSP_SIGNATURE, signature, ASN1_BIT_STRING),
65 ASN1_EXP_SEQUENCE_OF_OPT(OCSP_SIGNATURE, certs, X509, 0)
66} ASN1_SEQUENCE_END(OCSP_SIGNATURE)
67
68IMPLEMENT_ASN1_FUNCTIONS(OCSP_SIGNATURE)
69
70ASN1_SEQUENCE(OCSP_CERTID) = {
71 ASN1_SIMPLE(OCSP_CERTID, hashAlgorithm, X509_ALGOR),
72 ASN1_SIMPLE(OCSP_CERTID, issuerNameHash, ASN1_OCTET_STRING),
73 ASN1_SIMPLE(OCSP_CERTID, issuerKeyHash, ASN1_OCTET_STRING),
74 ASN1_SIMPLE(OCSP_CERTID, serialNumber, ASN1_INTEGER)
75} ASN1_SEQUENCE_END(OCSP_CERTID)
76
77IMPLEMENT_ASN1_FUNCTIONS(OCSP_CERTID)
78
79ASN1_SEQUENCE(OCSP_ONEREQ) = {
80 ASN1_SIMPLE(OCSP_ONEREQ, reqCert, OCSP_CERTID),
81 ASN1_EXP_SEQUENCE_OF_OPT(OCSP_ONEREQ, singleRequestExtensions, X509_EXTENSION, 0)
82} ASN1_SEQUENCE_END(OCSP_ONEREQ)
83
84IMPLEMENT_ASN1_FUNCTIONS(OCSP_ONEREQ)
85
86ASN1_SEQUENCE(OCSP_REQINFO) = {
87 ASN1_EXP_OPT(OCSP_REQINFO, version, ASN1_INTEGER, 0),
88 ASN1_EXP_OPT(OCSP_REQINFO, requestorName, GENERAL_NAME, 1),
89 ASN1_SEQUENCE_OF(OCSP_REQINFO, requestList, OCSP_ONEREQ),
90 ASN1_EXP_SEQUENCE_OF_OPT(OCSP_REQINFO, requestExtensions, X509_EXTENSION, 2)
91} ASN1_SEQUENCE_END(OCSP_REQINFO)
92
93IMPLEMENT_ASN1_FUNCTIONS(OCSP_REQINFO)
94
95ASN1_SEQUENCE(OCSP_REQUEST) = {
96 ASN1_SIMPLE(OCSP_REQUEST, tbsRequest, OCSP_REQINFO),
97 ASN1_EXP_OPT(OCSP_REQUEST, optionalSignature, OCSP_SIGNATURE, 0)
98} ASN1_SEQUENCE_END(OCSP_REQUEST)
99
100IMPLEMENT_ASN1_FUNCTIONS(OCSP_REQUEST)
101
102/* OCSP_RESPONSE templates */
103
104ASN1_SEQUENCE(OCSP_RESPBYTES) = {
105 ASN1_SIMPLE(OCSP_RESPBYTES, responseType, ASN1_OBJECT),
106 ASN1_SIMPLE(OCSP_RESPBYTES, response, ASN1_OCTET_STRING)
107} ASN1_SEQUENCE_END(OCSP_RESPBYTES)
108
109IMPLEMENT_ASN1_FUNCTIONS(OCSP_RESPBYTES)
110
111ASN1_SEQUENCE(OCSP_RESPONSE) = {
112 ASN1_SIMPLE(OCSP_RESPONSE, responseStatus, ASN1_ENUMERATED),
113 ASN1_EXP_OPT(OCSP_RESPONSE, responseBytes, OCSP_RESPBYTES, 0)
114} ASN1_SEQUENCE_END(OCSP_RESPONSE)
115
116IMPLEMENT_ASN1_FUNCTIONS(OCSP_RESPONSE)
117
118ASN1_CHOICE(OCSP_RESPID) = {
119 ASN1_EXP(OCSP_RESPID, value.byName, X509_NAME, 1),
120 ASN1_EXP(OCSP_RESPID, value.byKey, ASN1_OCTET_STRING, 2)
121} ASN1_CHOICE_END(OCSP_RESPID)
122
123IMPLEMENT_ASN1_FUNCTIONS(OCSP_RESPID)
124
125ASN1_SEQUENCE(OCSP_REVOKEDINFO) = {
126 ASN1_SIMPLE(OCSP_REVOKEDINFO, revocationTime, ASN1_GENERALIZEDTIME),
127 ASN1_EXP_OPT(OCSP_REVOKEDINFO, revocationReason, ASN1_ENUMERATED, 0)
128} ASN1_SEQUENCE_END(OCSP_REVOKEDINFO)
129
130IMPLEMENT_ASN1_FUNCTIONS(OCSP_REVOKEDINFO)
131
132ASN1_CHOICE(OCSP_CERTSTATUS) = {
133 ASN1_IMP(OCSP_CERTSTATUS, value.good, ASN1_NULL, 0),
134 ASN1_IMP(OCSP_CERTSTATUS, value.revoked, OCSP_REVOKEDINFO, 1),
135 ASN1_IMP(OCSP_CERTSTATUS, value.unknown, ASN1_NULL, 2)
136} ASN1_CHOICE_END(OCSP_CERTSTATUS)
137
138IMPLEMENT_ASN1_FUNCTIONS(OCSP_CERTSTATUS)
139
140ASN1_SEQUENCE(OCSP_SINGLERESP) = {
141 ASN1_SIMPLE(OCSP_SINGLERESP, certId, OCSP_CERTID),
142 ASN1_SIMPLE(OCSP_SINGLERESP, certStatus, OCSP_CERTSTATUS),
143 ASN1_SIMPLE(OCSP_SINGLERESP, thisUpdate, ASN1_GENERALIZEDTIME),
144 ASN1_EXP_OPT(OCSP_SINGLERESP, nextUpdate, ASN1_GENERALIZEDTIME, 0),
145 ASN1_EXP_SEQUENCE_OF_OPT(OCSP_SINGLERESP, singleExtensions, X509_EXTENSION, 1)
146} ASN1_SEQUENCE_END(OCSP_SINGLERESP)
147
148IMPLEMENT_ASN1_FUNCTIONS(OCSP_SINGLERESP)
149
150ASN1_SEQUENCE(OCSP_RESPDATA) = {
151 ASN1_EXP_OPT(OCSP_RESPDATA, version, ASN1_INTEGER, 0),
152 ASN1_SIMPLE(OCSP_RESPDATA, responderId, OCSP_RESPID),
153 ASN1_SIMPLE(OCSP_RESPDATA, producedAt, ASN1_GENERALIZEDTIME),
154 ASN1_SEQUENCE_OF(OCSP_RESPDATA, responses, OCSP_SINGLERESP),
155 ASN1_EXP_SEQUENCE_OF_OPT(OCSP_RESPDATA, responseExtensions, X509_EXTENSION, 1)
156} ASN1_SEQUENCE_END(OCSP_RESPDATA)
157
158IMPLEMENT_ASN1_FUNCTIONS(OCSP_RESPDATA)
159
160ASN1_SEQUENCE(OCSP_BASICRESP) = {
161 ASN1_SIMPLE(OCSP_BASICRESP, tbsResponseData, OCSP_RESPDATA),
162 ASN1_SIMPLE(OCSP_BASICRESP, signatureAlgorithm, X509_ALGOR),
163 ASN1_SIMPLE(OCSP_BASICRESP, signature, ASN1_BIT_STRING),
164 ASN1_EXP_SEQUENCE_OF_OPT(OCSP_BASICRESP, certs, X509, 0)
165} ASN1_SEQUENCE_END(OCSP_BASICRESP)
166
167IMPLEMENT_ASN1_FUNCTIONS(OCSP_BASICRESP)
168
169ASN1_SEQUENCE(OCSP_CRLID) = {
170 ASN1_EXP_OPT(OCSP_CRLID, crlUrl, ASN1_IA5STRING, 0),
171 ASN1_EXP_OPT(OCSP_CRLID, crlNum, ASN1_INTEGER, 1),
172 ASN1_EXP_OPT(OCSP_CRLID, crlTime, ASN1_GENERALIZEDTIME, 2)
173} ASN1_SEQUENCE_END(OCSP_CRLID)
174
175IMPLEMENT_ASN1_FUNCTIONS(OCSP_CRLID)
176
177ASN1_SEQUENCE(OCSP_SERVICELOC) = {
178 ASN1_SIMPLE(OCSP_SERVICELOC, issuer, X509_NAME),
179 ASN1_SEQUENCE_OF_OPT(OCSP_SERVICELOC, locator, ACCESS_DESCRIPTION)
180} ASN1_SEQUENCE_END(OCSP_SERVICELOC)
181
182IMPLEMENT_ASN1_FUNCTIONS(OCSP_SERVICELOC)
diff --git a/src/lib/libcrypto/ocsp/ocsp_cl.c b/src/lib/libcrypto/ocsp/ocsp_cl.c
new file mode 100644
index 0000000000..17bab5fc59
--- /dev/null
+++ b/src/lib/libcrypto/ocsp/ocsp_cl.c
@@ -0,0 +1,372 @@
1/* ocsp_cl.c */
2/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
3 * project. */
4
5/* History:
6 This file was transfered to Richard Levitte from CertCo by Kathy
7 Weinhold in mid-spring 2000 to be included in OpenSSL or released
8 as a patch kit. */
9
10/* ====================================================================
11 * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
12 *
13 * Redistribution and use in source and binary forms, with or without
14 * modification, are permitted provided that the following conditions
15 * are met:
16 *
17 * 1. Redistributions of source code must retain the above copyright
18 * notice, this list of conditions and the following disclaimer.
19 *
20 * 2. Redistributions in binary form must reproduce the above copyright
21 * notice, this list of conditions and the following disclaimer in
22 * the documentation and/or other materials provided with the
23 * distribution.
24 *
25 * 3. All advertising materials mentioning features or use of this
26 * software must display the following acknowledgment:
27 * "This product includes software developed by the OpenSSL Project
28 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
29 *
30 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
31 * endorse or promote products derived from this software without
32 * prior written permission. For written permission, please contact
33 * openssl-core@openssl.org.
34 *
35 * 5. Products derived from this software may not be called "OpenSSL"
36 * nor may "OpenSSL" appear in their names without prior written
37 * permission of the OpenSSL Project.
38 *
39 * 6. Redistributions of any form whatsoever must retain the following
40 * acknowledgment:
41 * "This product includes software developed by the OpenSSL Project
42 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
43 *
44 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
45 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
46 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
47 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
48 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
49 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
50 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
51 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
52 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
53 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
54 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
55 * OF THE POSSIBILITY OF SUCH DAMAGE.
56 * ====================================================================
57 *
58 * This product includes cryptographic software written by Eric Young
59 * (eay@cryptsoft.com). This product includes software written by Tim
60 * Hudson (tjh@cryptsoft.com).
61 *
62 */
63
64#include <stdio.h>
65#include <time.h>
66#include <cryptlib.h>
67#include <openssl/objects.h>
68#include <openssl/rand.h>
69#include <openssl/x509.h>
70#include <openssl/pem.h>
71#include <openssl/x509v3.h>
72#include <openssl/ocsp.h>
73
74/* Utility functions related to sending OCSP requests and extracting
75 * relevant information from the response.
76 */
77
78/* Add an OCSP_CERTID to an OCSP request. Return new OCSP_ONEREQ
79 * pointer: useful if we want to add extensions.
80 */
81
82OCSP_ONEREQ *OCSP_request_add0_id(OCSP_REQUEST *req, OCSP_CERTID *cid)
83 {
84 OCSP_ONEREQ *one = NULL;
85
86 if (!(one = OCSP_ONEREQ_new())) goto err;
87 if (one->reqCert) OCSP_CERTID_free(one->reqCert);
88 one->reqCert = cid;
89 if (req &&
90 !sk_OCSP_ONEREQ_push(req->tbsRequest->requestList, one))
91 goto err;
92 return one;
93err:
94 OCSP_ONEREQ_free(one);
95 return NULL;
96 }
97
98/* Set requestorName from an X509_NAME structure */
99
100int OCSP_request_set1_name(OCSP_REQUEST *req, X509_NAME *nm)
101 {
102 GENERAL_NAME *gen;
103 gen = GENERAL_NAME_new();
104 if (gen == NULL)
105 return 0;
106 if (!X509_NAME_set(&gen->d.directoryName, nm))
107 {
108 GENERAL_NAME_free(gen);
109 return 0;
110 }
111 gen->type = GEN_DIRNAME;
112 if (req->tbsRequest->requestorName)
113 GENERAL_NAME_free(req->tbsRequest->requestorName);
114 req->tbsRequest->requestorName = gen;
115 return 1;
116 }
117
118
119/* Add a certificate to an OCSP request */
120
121int OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert)
122 {
123 OCSP_SIGNATURE *sig;
124 if (!req->optionalSignature)
125 req->optionalSignature = OCSP_SIGNATURE_new();
126 sig = req->optionalSignature;
127 if (!sig) return 0;
128 if (!cert) return 1;
129 if (!sig->certs && !(sig->certs = sk_X509_new_null()))
130 return 0;
131
132 if(!sk_X509_push(sig->certs, cert)) return 0;
133 CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
134 return 1;
135 }
136
137/* Sign an OCSP request set the requestorName to the subjec
138 * name of an optional signers certificate and include one
139 * or more optional certificates in the request. Behaves
140 * like PKCS7_sign().
141 */
142
143int OCSP_request_sign(OCSP_REQUEST *req,
144 X509 *signer,
145 EVP_PKEY *key,
146 const EVP_MD *dgst,
147 STACK_OF(X509) *certs,
148 unsigned long flags)
149 {
150 int i;
151 OCSP_SIGNATURE *sig;
152 X509 *x;
153
154 if (!OCSP_request_set1_name(req, X509_get_subject_name(signer)))
155 goto err;
156
157 if (!(req->optionalSignature = sig = OCSP_SIGNATURE_new())) goto err;
158 if (!dgst) dgst = EVP_sha1();
159 if (key)
160 {
161 if (!X509_check_private_key(signer, key))
162 {
163 OCSPerr(OCSP_F_OCSP_REQUEST_SIGN, OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
164 goto err;
165 }
166 if (!OCSP_REQUEST_sign(req, key, dgst)) goto err;
167 }
168
169 if (!(flags & OCSP_NOCERTS))
170 {
171 if(!OCSP_request_add1_cert(req, signer)) goto err;
172 for (i = 0; i < sk_X509_num(certs); i++)
173 {
174 x = sk_X509_value(certs, i);
175 if (!OCSP_request_add1_cert(req, x)) goto err;
176 }
177 }
178
179 return 1;
180err:
181 OCSP_SIGNATURE_free(req->optionalSignature);
182 req->optionalSignature = NULL;
183 return 0;
184 }
185
186/* Get response status */
187
188int OCSP_response_status(OCSP_RESPONSE *resp)
189 {
190 return ASN1_ENUMERATED_get(resp->responseStatus);
191 }
192
193/* Extract basic response from OCSP_RESPONSE or NULL if
194 * no basic response present.
195 */
196
197
198OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp)
199 {
200 OCSP_RESPBYTES *rb;
201 rb = resp->responseBytes;
202 if (!rb)
203 {
204 OCSPerr(OCSP_F_OCSP_RESPONSE_GET1_BASIC, OCSP_R_NO_RESPONSE_DATA);
205 return NULL;
206 }
207 if (OBJ_obj2nid(rb->responseType) != NID_id_pkix_OCSP_basic)
208 {
209 OCSPerr(OCSP_F_OCSP_RESPONSE_GET1_BASIC, OCSP_R_NOT_BASIC_RESPONSE);
210 return NULL;
211 }
212
213 return ASN1_item_unpack(rb->response, ASN1_ITEM_rptr(OCSP_BASICRESP));
214 }
215
216/* Return number of OCSP_SINGLERESP reponses present in
217 * a basic response.
218 */
219
220int OCSP_resp_count(OCSP_BASICRESP *bs)
221 {
222 if (!bs) return -1;
223 return sk_OCSP_SINGLERESP_num(bs->tbsResponseData->responses);
224 }
225
226/* Extract an OCSP_SINGLERESP response with a given index */
227
228OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx)
229 {
230 if (!bs) return NULL;
231 return sk_OCSP_SINGLERESP_value(bs->tbsResponseData->responses, idx);
232 }
233
234/* Look single response matching a given certificate ID */
235
236int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last)
237 {
238 int i;
239 STACK_OF(OCSP_SINGLERESP) *sresp;
240 OCSP_SINGLERESP *single;
241 if (!bs) return -1;
242 if (last < 0) last = 0;
243 else last++;
244 sresp = bs->tbsResponseData->responses;
245 for (i = last; i < sk_OCSP_SINGLERESP_num(sresp); i++)
246 {
247 single = sk_OCSP_SINGLERESP_value(sresp, i);
248 if (!OCSP_id_cmp(id, single->certId)) return i;
249 }
250 return -1;
251 }
252
253/* Extract status information from an OCSP_SINGLERESP structure.
254 * Note: the revtime and reason values are only set if the
255 * certificate status is revoked. Returns numerical value of
256 * status.
257 */
258
259int OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason,
260 ASN1_GENERALIZEDTIME **revtime,
261 ASN1_GENERALIZEDTIME **thisupd,
262 ASN1_GENERALIZEDTIME **nextupd)
263 {
264 int ret;
265 OCSP_CERTSTATUS *cst;
266 if(!single) return -1;
267 cst = single->certStatus;
268 ret = cst->type;
269 if (ret == V_OCSP_CERTSTATUS_REVOKED)
270 {
271 OCSP_REVOKEDINFO *rev = cst->value.revoked;
272 if (revtime) *revtime = rev->revocationTime;
273 if (reason)
274 {
275 if(rev->revocationReason)
276 *reason = ASN1_ENUMERATED_get(rev->revocationReason);
277 else *reason = -1;
278 }
279 }
280 if(thisupd) *thisupd = single->thisUpdate;
281 if(nextupd) *nextupd = single->nextUpdate;
282 return ret;
283 }
284
285/* This function combines the previous ones: look up a certificate ID and
286 * if found extract status information. Return 0 is successful.
287 */
288
289int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
290 int *reason,
291 ASN1_GENERALIZEDTIME **revtime,
292 ASN1_GENERALIZEDTIME **thisupd,
293 ASN1_GENERALIZEDTIME **nextupd)
294 {
295 int i;
296 OCSP_SINGLERESP *single;
297 i = OCSP_resp_find(bs, id, -1);
298 /* Maybe check for multiple responses and give an error? */
299 if(i < 0) return 0;
300 single = OCSP_resp_get0(bs, i);
301 i = OCSP_single_get0_status(single, reason, revtime, thisupd, nextupd);
302 if(status) *status = i;
303 return 1;
304 }
305
306/* Check validity of thisUpdate and nextUpdate fields. It is possible that the request will
307 * take a few seconds to process and/or the time wont be totally accurate. Therefore to avoid
308 * rejecting otherwise valid time we allow the times to be within 'nsec' of the current time.
309 * Also to avoid accepting very old responses without a nextUpdate field an optional maxage
310 * parameter specifies the maximum age the thisUpdate field can be.
311 */
312
313int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd, ASN1_GENERALIZEDTIME *nextupd, long nsec, long maxsec)
314 {
315 int ret = 1;
316 time_t t_now, t_tmp;
317 time(&t_now);
318 /* Check thisUpdate is valid and not more than nsec in the future */
319 if (!ASN1_GENERALIZEDTIME_check(thisupd))
320 {
321 OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_ERROR_IN_THISUPDATE_FIELD);
322 ret = 0;
323 }
324 else
325 {
326 t_tmp = t_now + nsec;
327 if (X509_cmp_time(thisupd, &t_tmp) > 0)
328 {
329 OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_STATUS_NOT_YET_VALID);
330 ret = 0;
331 }
332
333 /* If maxsec specified check thisUpdate is not more than maxsec in the past */
334 if (maxsec >= 0)
335 {
336 t_tmp = t_now - maxsec;
337 if (X509_cmp_time(thisupd, &t_tmp) < 0)
338 {
339 OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_STATUS_TOO_OLD);
340 ret = 0;
341 }
342 }
343 }
344
345
346 if (!nextupd) return ret;
347
348 /* Check nextUpdate is valid and not more than nsec in the past */
349 if (!ASN1_GENERALIZEDTIME_check(nextupd))
350 {
351 OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_ERROR_IN_NEXTUPDATE_FIELD);
352 ret = 0;
353 }
354 else
355 {
356 t_tmp = t_now - nsec;
357 if (X509_cmp_time(nextupd, &t_tmp) < 0)
358 {
359 OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_STATUS_EXPIRED);
360 ret = 0;
361 }
362 }
363
364 /* Also don't allow nextUpdate to precede thisUpdate */
365 if (ASN1_STRING_cmp(nextupd, thisupd) < 0)
366 {
367 OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE);
368 ret = 0;
369 }
370
371 return ret;
372 }
diff --git a/src/lib/libcrypto/ocsp/ocsp_err.c b/src/lib/libcrypto/ocsp/ocsp_err.c
new file mode 100644
index 0000000000..d2f2e79f44
--- /dev/null
+++ b/src/lib/libcrypto/ocsp/ocsp_err.c
@@ -0,0 +1,141 @@
1/* crypto/ocsp/ocsp_err.c */
2/* ====================================================================
3 * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 *
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in
14 * the documentation and/or other materials provided with the
15 * distribution.
16 *
17 * 3. All advertising materials mentioning features or use of this
18 * software must display the following acknowledgment:
19 * "This product includes software developed by the OpenSSL Project
20 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
21 *
22 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
23 * endorse or promote products derived from this software without
24 * prior written permission. For written permission, please contact
25 * openssl-core@OpenSSL.org.
26 *
27 * 5. Products derived from this software may not be called "OpenSSL"
28 * nor may "OpenSSL" appear in their names without prior written
29 * permission of the OpenSSL Project.
30 *
31 * 6. Redistributions of any form whatsoever must retain the following
32 * acknowledgment:
33 * "This product includes software developed by the OpenSSL Project
34 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
35 *
36 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
37 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
38 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
39 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
40 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
41 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
43 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
44 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
45 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
46 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
47 * OF THE POSSIBILITY OF SUCH DAMAGE.
48 * ====================================================================
49 *
50 * This product includes cryptographic software written by Eric Young
51 * (eay@cryptsoft.com). This product includes software written by Tim
52 * Hudson (tjh@cryptsoft.com).
53 *
54 */
55
56/* NOTE: this file was auto generated by the mkerr.pl script: any changes
57 * made to it will be overwritten when the script next updates this file,
58 * only reason strings will be preserved.
59 */
60
61#include <stdio.h>
62#include <openssl/err.h>
63#include <openssl/ocsp.h>
64
65/* BEGIN ERROR CODES */
66#ifndef OPENSSL_NO_ERR
67
68#define ERR_FUNC(func) ERR_PACK(ERR_LIB_OCSP,func,0)
69#define ERR_REASON(reason) ERR_PACK(ERR_LIB_OCSP,0,reason)
70
71static ERR_STRING_DATA OCSP_str_functs[]=
72 {
73{ERR_FUNC(OCSP_F_ASN1_STRING_ENCODE), "ASN1_STRING_encode"},
74{ERR_FUNC(OCSP_F_D2I_OCSP_NONCE), "D2I_OCSP_NONCE"},
75{ERR_FUNC(OCSP_F_OCSP_BASIC_ADD1_STATUS), "OCSP_basic_add1_status"},
76{ERR_FUNC(OCSP_F_OCSP_BASIC_SIGN), "OCSP_basic_sign"},
77{ERR_FUNC(OCSP_F_OCSP_BASIC_VERIFY), "OCSP_basic_verify"},
78{ERR_FUNC(OCSP_F_OCSP_CERT_ID_NEW), "OCSP_cert_id_new"},
79{ERR_FUNC(OCSP_F_OCSP_CHECK_DELEGATED), "OCSP_CHECK_DELEGATED"},
80{ERR_FUNC(OCSP_F_OCSP_CHECK_IDS), "OCSP_CHECK_IDS"},
81{ERR_FUNC(OCSP_F_OCSP_CHECK_ISSUER), "OCSP_CHECK_ISSUER"},
82{ERR_FUNC(OCSP_F_OCSP_CHECK_VALIDITY), "OCSP_check_validity"},
83{ERR_FUNC(OCSP_F_OCSP_MATCH_ISSUERID), "OCSP_MATCH_ISSUERID"},
84{ERR_FUNC(OCSP_F_OCSP_PARSE_URL), "OCSP_parse_url"},
85{ERR_FUNC(OCSP_F_OCSP_REQUEST_SIGN), "OCSP_request_sign"},
86{ERR_FUNC(OCSP_F_OCSP_REQUEST_VERIFY), "OCSP_request_verify"},
87{ERR_FUNC(OCSP_F_OCSP_RESPONSE_GET1_BASIC), "OCSP_response_get1_basic"},
88{ERR_FUNC(OCSP_F_OCSP_SENDREQ_BIO), "OCSP_sendreq_bio"},
89{ERR_FUNC(OCSP_F_PARSE_HTTP_LINE1), "PARSE_HTTP_LINE1"},
90{ERR_FUNC(OCSP_F_REQUEST_VERIFY), "REQUEST_VERIFY"},
91{0,NULL}
92 };
93
94static ERR_STRING_DATA OCSP_str_reasons[]=
95 {
96{ERR_REASON(OCSP_R_BAD_DATA) ,"bad data"},
97{ERR_REASON(OCSP_R_CERTIFICATE_VERIFY_ERROR),"certificate verify error"},
98{ERR_REASON(OCSP_R_DIGEST_ERR) ,"digest err"},
99{ERR_REASON(OCSP_R_ERROR_IN_NEXTUPDATE_FIELD),"error in nextupdate field"},
100{ERR_REASON(OCSP_R_ERROR_IN_THISUPDATE_FIELD),"error in thisupdate field"},
101{ERR_REASON(OCSP_R_ERROR_PARSING_URL) ,"error parsing url"},
102{ERR_REASON(OCSP_R_MISSING_OCSPSIGNING_USAGE),"missing ocspsigning usage"},
103{ERR_REASON(OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE),"nextupdate before thisupdate"},
104{ERR_REASON(OCSP_R_NOT_BASIC_RESPONSE) ,"not basic response"},
105{ERR_REASON(OCSP_R_NO_CERTIFICATES_IN_CHAIN),"no certificates in chain"},
106{ERR_REASON(OCSP_R_NO_CONTENT) ,"no content"},
107{ERR_REASON(OCSP_R_NO_PUBLIC_KEY) ,"no public key"},
108{ERR_REASON(OCSP_R_NO_RESPONSE_DATA) ,"no response data"},
109{ERR_REASON(OCSP_R_NO_REVOKED_TIME) ,"no revoked time"},
110{ERR_REASON(OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE),"private key does not match certificate"},
111{ERR_REASON(OCSP_R_REQUEST_NOT_SIGNED) ,"request not signed"},
112{ERR_REASON(OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA),"response contains no revocation data"},
113{ERR_REASON(OCSP_R_ROOT_CA_NOT_TRUSTED) ,"root ca not trusted"},
114{ERR_REASON(OCSP_R_SERVER_READ_ERROR) ,"server read error"},
115{ERR_REASON(OCSP_R_SERVER_RESPONSE_ERROR),"server response error"},
116{ERR_REASON(OCSP_R_SERVER_RESPONSE_PARSE_ERROR),"server response parse error"},
117{ERR_REASON(OCSP_R_SERVER_WRITE_ERROR) ,"server write error"},
118{ERR_REASON(OCSP_R_SIGNATURE_FAILURE) ,"signature failure"},
119{ERR_REASON(OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND),"signer certificate not found"},
120{ERR_REASON(OCSP_R_STATUS_EXPIRED) ,"status expired"},
121{ERR_REASON(OCSP_R_STATUS_NOT_YET_VALID) ,"status not yet valid"},
122{ERR_REASON(OCSP_R_STATUS_TOO_OLD) ,"status too old"},
123{ERR_REASON(OCSP_R_UNKNOWN_MESSAGE_DIGEST),"unknown message digest"},
124{ERR_REASON(OCSP_R_UNKNOWN_NID) ,"unknown nid"},
125{ERR_REASON(OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE),"unsupported requestorname type"},
126{0,NULL}
127 };
128
129#endif
130
131void ERR_load_OCSP_strings(void)
132 {
133#ifndef OPENSSL_NO_ERR
134
135 if (ERR_func_error_string(OCSP_str_functs[0].error) == NULL)
136 {
137 ERR_load_strings(0,OCSP_str_functs);
138 ERR_load_strings(0,OCSP_str_reasons);
139 }
140#endif
141 }
diff --git a/src/lib/libcrypto/ocsp/ocsp_ext.c b/src/lib/libcrypto/ocsp/ocsp_ext.c
new file mode 100644
index 0000000000..815cc29d58
--- /dev/null
+++ b/src/lib/libcrypto/ocsp/ocsp_ext.c
@@ -0,0 +1,545 @@
1/* ocsp_ext.c */
2/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
3 * project. */
4
5/* History:
6 This file was transfered to Richard Levitte from CertCo by Kathy
7 Weinhold in mid-spring 2000 to be included in OpenSSL or released
8 as a patch kit. */
9
10/* ====================================================================
11 * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
12 *
13 * Redistribution and use in source and binary forms, with or without
14 * modification, are permitted provided that the following conditions
15 * are met:
16 *
17 * 1. Redistributions of source code must retain the above copyright
18 * notice, this list of conditions and the following disclaimer.
19 *
20 * 2. Redistributions in binary form must reproduce the above copyright
21 * notice, this list of conditions and the following disclaimer in
22 * the documentation and/or other materials provided with the
23 * distribution.
24 *
25 * 3. All advertising materials mentioning features or use of this
26 * software must display the following acknowledgment:
27 * "This product includes software developed by the OpenSSL Project
28 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
29 *
30 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
31 * endorse or promote products derived from this software without
32 * prior written permission. For written permission, please contact
33 * openssl-core@openssl.org.
34 *
35 * 5. Products derived from this software may not be called "OpenSSL"
36 * nor may "OpenSSL" appear in their names without prior written
37 * permission of the OpenSSL Project.
38 *
39 * 6. Redistributions of any form whatsoever must retain the following
40 * acknowledgment:
41 * "This product includes software developed by the OpenSSL Project
42 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
43 *
44 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
45 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
46 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
47 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
48 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
49 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
50 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
51 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
52 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
53 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
54 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
55 * OF THE POSSIBILITY OF SUCH DAMAGE.
56 * ====================================================================
57 *
58 * This product includes cryptographic software written by Eric Young
59 * (eay@cryptsoft.com). This product includes software written by Tim
60 * Hudson (tjh@cryptsoft.com).
61 *
62 */
63
64#include <stdio.h>
65#include <cryptlib.h>
66#include <openssl/objects.h>
67#include <openssl/x509.h>
68#include <openssl/ocsp.h>
69#include <openssl/rand.h>
70#include <openssl/x509v3.h>
71
72/* Standard wrapper functions for extensions */
73
74/* OCSP request extensions */
75
76int OCSP_REQUEST_get_ext_count(OCSP_REQUEST *x)
77 {
78 return(X509v3_get_ext_count(x->tbsRequest->requestExtensions));
79 }
80
81int OCSP_REQUEST_get_ext_by_NID(OCSP_REQUEST *x, int nid, int lastpos)
82 {
83 return(X509v3_get_ext_by_NID(x->tbsRequest->requestExtensions,nid,lastpos));
84 }
85
86int OCSP_REQUEST_get_ext_by_OBJ(OCSP_REQUEST *x, ASN1_OBJECT *obj, int lastpos)
87 {
88 return(X509v3_get_ext_by_OBJ(x->tbsRequest->requestExtensions,obj,lastpos));
89 }
90
91int OCSP_REQUEST_get_ext_by_critical(OCSP_REQUEST *x, int crit, int lastpos)
92 {
93 return(X509v3_get_ext_by_critical(x->tbsRequest->requestExtensions,crit,lastpos));
94 }
95
96X509_EXTENSION *OCSP_REQUEST_get_ext(OCSP_REQUEST *x, int loc)
97 {
98 return(X509v3_get_ext(x->tbsRequest->requestExtensions,loc));
99 }
100
101X509_EXTENSION *OCSP_REQUEST_delete_ext(OCSP_REQUEST *x, int loc)
102 {
103 return(X509v3_delete_ext(x->tbsRequest->requestExtensions,loc));
104 }
105
106void *OCSP_REQUEST_get1_ext_d2i(OCSP_REQUEST *x, int nid, int *crit, int *idx)
107 {
108 return X509V3_get_d2i(x->tbsRequest->requestExtensions, nid, crit, idx);
109 }
110
111int OCSP_REQUEST_add1_ext_i2d(OCSP_REQUEST *x, int nid, void *value, int crit,
112 unsigned long flags)
113 {
114 return X509V3_add1_i2d(&x->tbsRequest->requestExtensions, nid, value, crit, flags);
115 }
116
117int OCSP_REQUEST_add_ext(OCSP_REQUEST *x, X509_EXTENSION *ex, int loc)
118 {
119 return(X509v3_add_ext(&(x->tbsRequest->requestExtensions),ex,loc) != NULL);
120 }
121
122/* Single extensions */
123
124int OCSP_ONEREQ_get_ext_count(OCSP_ONEREQ *x)
125 {
126 return(X509v3_get_ext_count(x->singleRequestExtensions));
127 }
128
129int OCSP_ONEREQ_get_ext_by_NID(OCSP_ONEREQ *x, int nid, int lastpos)
130 {
131 return(X509v3_get_ext_by_NID(x->singleRequestExtensions,nid,lastpos));
132 }
133
134int OCSP_ONEREQ_get_ext_by_OBJ(OCSP_ONEREQ *x, ASN1_OBJECT *obj, int lastpos)
135 {
136 return(X509v3_get_ext_by_OBJ(x->singleRequestExtensions,obj,lastpos));
137 }
138
139int OCSP_ONEREQ_get_ext_by_critical(OCSP_ONEREQ *x, int crit, int lastpos)
140 {
141 return(X509v3_get_ext_by_critical(x->singleRequestExtensions,crit,lastpos));
142 }
143
144X509_EXTENSION *OCSP_ONEREQ_get_ext(OCSP_ONEREQ *x, int loc)
145 {
146 return(X509v3_get_ext(x->singleRequestExtensions,loc));
147 }
148
149X509_EXTENSION *OCSP_ONEREQ_delete_ext(OCSP_ONEREQ *x, int loc)
150 {
151 return(X509v3_delete_ext(x->singleRequestExtensions,loc));
152 }
153
154void *OCSP_ONEREQ_get1_ext_d2i(OCSP_ONEREQ *x, int nid, int *crit, int *idx)
155 {
156 return X509V3_get_d2i(x->singleRequestExtensions, nid, crit, idx);
157 }
158
159int OCSP_ONEREQ_add1_ext_i2d(OCSP_ONEREQ *x, int nid, void *value, int crit,
160 unsigned long flags)
161 {
162 return X509V3_add1_i2d(&x->singleRequestExtensions, nid, value, crit, flags);
163 }
164
165int OCSP_ONEREQ_add_ext(OCSP_ONEREQ *x, X509_EXTENSION *ex, int loc)
166 {
167 return(X509v3_add_ext(&(x->singleRequestExtensions),ex,loc) != NULL);
168 }
169
170/* OCSP Basic response */
171
172int OCSP_BASICRESP_get_ext_count(OCSP_BASICRESP *x)
173 {
174 return(X509v3_get_ext_count(x->tbsResponseData->responseExtensions));
175 }
176
177int OCSP_BASICRESP_get_ext_by_NID(OCSP_BASICRESP *x, int nid, int lastpos)
178 {
179 return(X509v3_get_ext_by_NID(x->tbsResponseData->responseExtensions,nid,lastpos));
180 }
181
182int OCSP_BASICRESP_get_ext_by_OBJ(OCSP_BASICRESP *x, ASN1_OBJECT *obj, int lastpos)
183 {
184 return(X509v3_get_ext_by_OBJ(x->tbsResponseData->responseExtensions,obj,lastpos));
185 }
186
187int OCSP_BASICRESP_get_ext_by_critical(OCSP_BASICRESP *x, int crit, int lastpos)
188 {
189 return(X509v3_get_ext_by_critical(x->tbsResponseData->responseExtensions,crit,lastpos));
190 }
191
192X509_EXTENSION *OCSP_BASICRESP_get_ext(OCSP_BASICRESP *x, int loc)
193 {
194 return(X509v3_get_ext(x->tbsResponseData->responseExtensions,loc));
195 }
196
197X509_EXTENSION *OCSP_BASICRESP_delete_ext(OCSP_BASICRESP *x, int loc)
198 {
199 return(X509v3_delete_ext(x->tbsResponseData->responseExtensions,loc));
200 }
201
202void *OCSP_BASICRESP_get1_ext_d2i(OCSP_BASICRESP *x, int nid, int *crit, int *idx)
203 {
204 return X509V3_get_d2i(x->tbsResponseData->responseExtensions, nid, crit, idx);
205 }
206
207int OCSP_BASICRESP_add1_ext_i2d(OCSP_BASICRESP *x, int nid, void *value, int crit,
208 unsigned long flags)
209 {
210 return X509V3_add1_i2d(&x->tbsResponseData->responseExtensions, nid, value, crit, flags);
211 }
212
213int OCSP_BASICRESP_add_ext(OCSP_BASICRESP *x, X509_EXTENSION *ex, int loc)
214 {
215 return(X509v3_add_ext(&(x->tbsResponseData->responseExtensions),ex,loc) != NULL);
216 }
217
218/* OCSP single response extensions */
219
220int OCSP_SINGLERESP_get_ext_count(OCSP_SINGLERESP *x)
221 {
222 return(X509v3_get_ext_count(x->singleExtensions));
223 }
224
225int OCSP_SINGLERESP_get_ext_by_NID(OCSP_SINGLERESP *x, int nid, int lastpos)
226 {
227 return(X509v3_get_ext_by_NID(x->singleExtensions,nid,lastpos));
228 }
229
230int OCSP_SINGLERESP_get_ext_by_OBJ(OCSP_SINGLERESP *x, ASN1_OBJECT *obj, int lastpos)
231 {
232 return(X509v3_get_ext_by_OBJ(x->singleExtensions,obj,lastpos));
233 }
234
235int OCSP_SINGLERESP_get_ext_by_critical(OCSP_SINGLERESP *x, int crit, int lastpos)
236 {
237 return(X509v3_get_ext_by_critical(x->singleExtensions,crit,lastpos));
238 }
239
240X509_EXTENSION *OCSP_SINGLERESP_get_ext(OCSP_SINGLERESP *x, int loc)
241 {
242 return(X509v3_get_ext(x->singleExtensions,loc));
243 }
244
245X509_EXTENSION *OCSP_SINGLERESP_delete_ext(OCSP_SINGLERESP *x, int loc)
246 {
247 return(X509v3_delete_ext(x->singleExtensions,loc));
248 }
249
250void *OCSP_SINGLERESP_get1_ext_d2i(OCSP_SINGLERESP *x, int nid, int *crit, int *idx)
251 {
252 return X509V3_get_d2i(x->singleExtensions, nid, crit, idx);
253 }
254
255int OCSP_SINGLERESP_add1_ext_i2d(OCSP_SINGLERESP *x, int nid, void *value, int crit,
256 unsigned long flags)
257 {
258 return X509V3_add1_i2d(&x->singleExtensions, nid, value, crit, flags);
259 }
260
261int OCSP_SINGLERESP_add_ext(OCSP_SINGLERESP *x, X509_EXTENSION *ex, int loc)
262 {
263 return(X509v3_add_ext(&(x->singleExtensions),ex,loc) != NULL);
264 }
265
266/* also CRL Entry Extensions */
267
268ASN1_STRING *ASN1_STRING_encode(ASN1_STRING *s, i2d_of_void *i2d,
269 void *data, STACK_OF(ASN1_OBJECT) *sk)
270 {
271 int i;
272 unsigned char *p, *b = NULL;
273
274 if (data)
275 {
276 if ((i=i2d(data,NULL)) <= 0) goto err;
277 if (!(b=p=OPENSSL_malloc((unsigned int)i)))
278 goto err;
279 if (i2d(data, &p) <= 0) goto err;
280 }
281 else if (sk)
282 {
283 if ((i=i2d_ASN1_SET_OF_ASN1_OBJECT(sk,NULL,
284 (I2D_OF(ASN1_OBJECT))i2d,
285 V_ASN1_SEQUENCE,
286 V_ASN1_UNIVERSAL,
287 IS_SEQUENCE))<=0) goto err;
288 if (!(b=p=OPENSSL_malloc((unsigned int)i)))
289 goto err;
290 if (i2d_ASN1_SET_OF_ASN1_OBJECT(sk,&p,(I2D_OF(ASN1_OBJECT))i2d,
291 V_ASN1_SEQUENCE,
292 V_ASN1_UNIVERSAL,
293 IS_SEQUENCE)<=0) goto err;
294 }
295 else
296 {
297 OCSPerr(OCSP_F_ASN1_STRING_ENCODE,OCSP_R_BAD_DATA);
298 goto err;
299 }
300 if (!s && !(s = ASN1_STRING_new())) goto err;
301 if (!(ASN1_STRING_set(s, b, i))) goto err;
302 OPENSSL_free(b);
303 return s;
304err:
305 if (b) OPENSSL_free(b);
306 return NULL;
307 }
308
309/* Nonce handling functions */
310
311/* Add a nonce to an extension stack. A nonce can be specificed or if NULL
312 * a random nonce will be generated.
313 * Note: OpenSSL 0.9.7d and later create an OCTET STRING containing the
314 * nonce, previous versions used the raw nonce.
315 */
316
317static int ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts, unsigned char *val, int len)
318 {
319 unsigned char *tmpval;
320 ASN1_OCTET_STRING os;
321 int ret = 0;
322 if (len <= 0) len = OCSP_DEFAULT_NONCE_LENGTH;
323 /* Create the OCTET STRING manually by writing out the header and
324 * appending the content octets. This avoids an extra memory allocation
325 * operation in some cases. Applications should *NOT* do this because
326 * it relies on library internals.
327 */
328 os.length = ASN1_object_size(0, len, V_ASN1_OCTET_STRING);
329 os.data = OPENSSL_malloc(os.length);
330 if (os.data == NULL)
331 goto err;
332 tmpval = os.data;
333 ASN1_put_object(&tmpval, 0, len, V_ASN1_OCTET_STRING, V_ASN1_UNIVERSAL);
334 if (val)
335 memcpy(tmpval, val, len);
336 else
337 RAND_pseudo_bytes(tmpval, len);
338 if(!X509V3_add1_i2d(exts, NID_id_pkix_OCSP_Nonce,
339 &os, 0, X509V3_ADD_REPLACE))
340 goto err;
341 ret = 1;
342 err:
343 if (os.data)
344 OPENSSL_free(os.data);
345 return ret;
346 }
347
348
349/* Add nonce to an OCSP request */
350
351int OCSP_request_add1_nonce(OCSP_REQUEST *req, unsigned char *val, int len)
352 {
353 return ocsp_add1_nonce(&req->tbsRequest->requestExtensions, val, len);
354 }
355
356/* Same as above but for a response */
357
358int OCSP_basic_add1_nonce(OCSP_BASICRESP *resp, unsigned char *val, int len)
359 {
360 return ocsp_add1_nonce(&resp->tbsResponseData->responseExtensions, val, len);
361 }
362
363/* Check nonce validity in a request and response.
364 * Return value reflects result:
365 * 1: nonces present and equal.
366 * 2: nonces both absent.
367 * 3: nonce present in response only.
368 * 0: nonces both present and not equal.
369 * -1: nonce in request only.
370 *
371 * For most responders clients can check return > 0.
372 * If responder doesn't handle nonces return != 0 may be
373 * necessary. return == 0 is always an error.
374 */
375
376int OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *bs)
377 {
378 /*
379 * Since we are only interested in the presence or absence of
380 * the nonce and comparing its value there is no need to use
381 * the X509V3 routines: this way we can avoid them allocating an
382 * ASN1_OCTET_STRING structure for the value which would be
383 * freed immediately anyway.
384 */
385
386 int req_idx, resp_idx;
387 X509_EXTENSION *req_ext, *resp_ext;
388 req_idx = OCSP_REQUEST_get_ext_by_NID(req, NID_id_pkix_OCSP_Nonce, -1);
389 resp_idx = OCSP_BASICRESP_get_ext_by_NID(bs, NID_id_pkix_OCSP_Nonce, -1);
390 /* Check both absent */
391 if((req_idx < 0) && (resp_idx < 0))
392 return 2;
393 /* Check in request only */
394 if((req_idx >= 0) && (resp_idx < 0))
395 return -1;
396 /* Check in response but not request */
397 if((req_idx < 0) && (resp_idx >= 0))
398 return 3;
399 /* Otherwise nonce in request and response so retrieve the extensions */
400 req_ext = OCSP_REQUEST_get_ext(req, req_idx);
401 resp_ext = OCSP_BASICRESP_get_ext(bs, resp_idx);
402 if(ASN1_OCTET_STRING_cmp(req_ext->value, resp_ext->value))
403 return 0;
404 return 1;
405 }
406
407/* Copy the nonce value (if any) from an OCSP request to
408 * a response.
409 */
410
411int OCSP_copy_nonce(OCSP_BASICRESP *resp, OCSP_REQUEST *req)
412 {
413 X509_EXTENSION *req_ext;
414 int req_idx;
415 /* Check for nonce in request */
416 req_idx = OCSP_REQUEST_get_ext_by_NID(req, NID_id_pkix_OCSP_Nonce, -1);
417 /* If no nonce that's OK */
418 if (req_idx < 0) return 2;
419 req_ext = OCSP_REQUEST_get_ext(req, req_idx);
420 return OCSP_BASICRESP_add_ext(resp, req_ext, -1);
421 }
422
423X509_EXTENSION *OCSP_crlID_new(char *url, long *n, char *tim)
424 {
425 X509_EXTENSION *x = NULL;
426 OCSP_CRLID *cid = NULL;
427
428 if (!(cid = OCSP_CRLID_new())) goto err;
429 if (url)
430 {
431 if (!(cid->crlUrl = ASN1_IA5STRING_new())) goto err;
432 if (!(ASN1_STRING_set(cid->crlUrl, url, -1))) goto err;
433 }
434 if (n)
435 {
436 if (!(cid->crlNum = ASN1_INTEGER_new())) goto err;
437 if (!(ASN1_INTEGER_set(cid->crlNum, *n))) goto err;
438 }
439 if (tim)
440 {
441 if (!(cid->crlTime = ASN1_GENERALIZEDTIME_new())) goto err;
442 if (!(ASN1_GENERALIZEDTIME_set_string(cid->crlTime, tim)))
443 goto err;
444 }
445 if (!(x = X509_EXTENSION_new())) goto err;
446 if (!(x->object = OBJ_nid2obj(NID_id_pkix_OCSP_CrlID))) goto err;
447 if (!(ASN1_STRING_encode_of(OCSP_CRLID,x->value,i2d_OCSP_CRLID,cid,
448 NULL)))
449 goto err;
450 OCSP_CRLID_free(cid);
451 return x;
452err:
453 if (x) X509_EXTENSION_free(x);
454 if (cid) OCSP_CRLID_free(cid);
455 return NULL;
456 }
457
458/* AcceptableResponses ::= SEQUENCE OF OBJECT IDENTIFIER */
459X509_EXTENSION *OCSP_accept_responses_new(char **oids)
460 {
461 int nid;
462 STACK_OF(ASN1_OBJECT) *sk = NULL;
463 ASN1_OBJECT *o = NULL;
464 X509_EXTENSION *x = NULL;
465
466 if (!(sk = sk_ASN1_OBJECT_new_null())) goto err;
467 while (oids && *oids)
468 {
469 if ((nid=OBJ_txt2nid(*oids))!=NID_undef&&(o=OBJ_nid2obj(nid)))
470 sk_ASN1_OBJECT_push(sk, o);
471 oids++;
472 }
473 if (!(x = X509_EXTENSION_new())) goto err;
474 if (!(x->object = OBJ_nid2obj(NID_id_pkix_OCSP_acceptableResponses)))
475 goto err;
476 if (!(ASN1_STRING_encode_of(ASN1_OBJECT,x->value,i2d_ASN1_OBJECT,NULL,
477 sk)))
478 goto err;
479 sk_ASN1_OBJECT_pop_free(sk, ASN1_OBJECT_free);
480 return x;
481err:
482 if (x) X509_EXTENSION_free(x);
483 if (sk) sk_ASN1_OBJECT_pop_free(sk, ASN1_OBJECT_free);
484 return NULL;
485 }
486
487/* ArchiveCutoff ::= GeneralizedTime */
488X509_EXTENSION *OCSP_archive_cutoff_new(char* tim)
489 {
490 X509_EXTENSION *x=NULL;
491 ASN1_GENERALIZEDTIME *gt = NULL;
492
493 if (!(gt = ASN1_GENERALIZEDTIME_new())) goto err;
494 if (!(ASN1_GENERALIZEDTIME_set_string(gt, tim))) goto err;
495 if (!(x = X509_EXTENSION_new())) goto err;
496 if (!(x->object=OBJ_nid2obj(NID_id_pkix_OCSP_archiveCutoff)))goto err;
497 if (!(ASN1_STRING_encode_of(ASN1_GENERALIZEDTIME,x->value,
498 i2d_ASN1_GENERALIZEDTIME,gt,NULL))) goto err;
499 ASN1_GENERALIZEDTIME_free(gt);
500 return x;
501err:
502 if (gt) ASN1_GENERALIZEDTIME_free(gt);
503 if (x) X509_EXTENSION_free(x);
504 return NULL;
505 }
506
507/* per ACCESS_DESCRIPTION parameter are oids, of which there are currently
508 * two--NID_ad_ocsp, NID_id_ad_caIssuers--and GeneralName value. This
509 * method forces NID_ad_ocsp and uniformResourceLocator [6] IA5String.
510 */
511X509_EXTENSION *OCSP_url_svcloc_new(X509_NAME* issuer, char **urls)
512 {
513 X509_EXTENSION *x = NULL;
514 ASN1_IA5STRING *ia5 = NULL;
515 OCSP_SERVICELOC *sloc = NULL;
516 ACCESS_DESCRIPTION *ad = NULL;
517
518 if (!(sloc = OCSP_SERVICELOC_new())) goto err;
519 if (!(sloc->issuer = X509_NAME_dup(issuer))) goto err;
520 if (urls && *urls && !(sloc->locator = sk_ACCESS_DESCRIPTION_new_null())) goto err;
521 while (urls && *urls)
522 {
523 if (!(ad = ACCESS_DESCRIPTION_new())) goto err;
524 if (!(ad->method=OBJ_nid2obj(NID_ad_OCSP))) goto err;
525 if (!(ad->location = GENERAL_NAME_new())) goto err;
526 if (!(ia5 = ASN1_IA5STRING_new())) goto err;
527 if (!ASN1_STRING_set((ASN1_STRING*)ia5, *urls, -1)) goto err;
528 ad->location->type = GEN_URI;
529 ad->location->d.ia5 = ia5;
530 if (!sk_ACCESS_DESCRIPTION_push(sloc->locator, ad)) goto err;
531 urls++;
532 }
533 if (!(x = X509_EXTENSION_new())) goto err;
534 if (!(x->object = OBJ_nid2obj(NID_id_pkix_OCSP_serviceLocator)))
535 goto err;
536 if (!(ASN1_STRING_encode_of(OCSP_SERVICELOC,x->value,
537 i2d_OCSP_SERVICELOC,sloc,NULL))) goto err;
538 OCSP_SERVICELOC_free(sloc);
539 return x;
540err:
541 if (x) X509_EXTENSION_free(x);
542 if (sloc) OCSP_SERVICELOC_free(sloc);
543 return NULL;
544 }
545
diff --git a/src/lib/libcrypto/ocsp/ocsp_ht.c b/src/lib/libcrypto/ocsp/ocsp_ht.c
new file mode 100644
index 0000000000..a8e569b74a
--- /dev/null
+++ b/src/lib/libcrypto/ocsp/ocsp_ht.c
@@ -0,0 +1,471 @@
1/* ocsp_ht.c */
2/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
3 * project 2006.
4 */
5/* ====================================================================
6 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <openssl/asn1.h>
60#include <stdio.h>
61#include <stdlib.h>
62#include <ctype.h>
63#include <string.h>
64#include <openssl/ocsp.h>
65#include <openssl/err.h>
66#include <openssl/buffer.h>
67#ifdef OPENSSL_SYS_SUNOS
68#define strtoul (unsigned long)strtol
69#endif /* OPENSSL_SYS_SUNOS */
70
71/* Stateful OCSP request code, supporting non-blocking I/O */
72
73/* Opaque OCSP request status structure */
74
75struct ocsp_req_ctx_st {
76 int state; /* Current I/O state */
77 unsigned char *iobuf; /* Line buffer */
78 int iobuflen; /* Line buffer length */
79 BIO *io; /* BIO to perform I/O with */
80 BIO *mem; /* Memory BIO response is built into */
81 unsigned long asn1_len; /* ASN1 length of response */
82 };
83
84#define OCSP_MAX_REQUEST_LENGTH (100 * 1024)
85#define OCSP_MAX_LINE_LEN 4096;
86
87/* OCSP states */
88
89/* If set no reading should be performed */
90#define OHS_NOREAD 0x1000
91/* Error condition */
92#define OHS_ERROR (0 | OHS_NOREAD)
93/* First line being read */
94#define OHS_FIRSTLINE 1
95/* MIME headers being read */
96#define OHS_HEADERS 2
97/* OCSP initial header (tag + length) being read */
98#define OHS_ASN1_HEADER 3
99/* OCSP content octets being read */
100#define OHS_ASN1_CONTENT 4
101/* Request being sent */
102#define OHS_ASN1_WRITE (6 | OHS_NOREAD)
103/* Request being flushed */
104#define OHS_ASN1_FLUSH (7 | OHS_NOREAD)
105/* Completed */
106#define OHS_DONE (8 | OHS_NOREAD)
107
108
109static int parse_http_line1(char *line);
110
111void OCSP_REQ_CTX_free(OCSP_REQ_CTX *rctx)
112 {
113 if (rctx->mem)
114 BIO_free(rctx->mem);
115 if (rctx->iobuf)
116 OPENSSL_free(rctx->iobuf);
117 OPENSSL_free(rctx);
118 }
119
120OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, char *path, OCSP_REQUEST *req,
121 int maxline)
122 {
123 static char post_hdr[] = "POST %s HTTP/1.0\r\n"
124 "Content-Type: application/ocsp-request\r\n"
125 "Content-Length: %d\r\n\r\n";
126
127 OCSP_REQ_CTX *rctx;
128 rctx = OPENSSL_malloc(sizeof(OCSP_REQ_CTX));
129 rctx->state = OHS_FIRSTLINE;
130 rctx->mem = BIO_new(BIO_s_mem());
131 rctx->io = io;
132 if (maxline > 0)
133 rctx->iobuflen = maxline;
134 else
135 rctx->iobuflen = OCSP_MAX_LINE_LEN;
136 rctx->iobuf = OPENSSL_malloc(rctx->iobuflen);
137 if (!path)
138 path = "/";
139
140 if (BIO_printf(rctx->mem, post_hdr, path,
141 i2d_OCSP_REQUEST(req, NULL)) <= 0)
142 {
143 rctx->state = OHS_ERROR;
144 return 0;
145 }
146 if (i2d_OCSP_REQUEST_bio(rctx->mem, req) <= 0)
147 {
148 rctx->state = OHS_ERROR;
149 return 0;
150 }
151 rctx->state = OHS_ASN1_WRITE;
152 rctx->asn1_len = BIO_get_mem_data(rctx->mem, NULL);
153
154 return rctx;
155 }
156
157/* Parse the HTTP response. This will look like this:
158 * "HTTP/1.0 200 OK". We need to obtain the numeric code and
159 * (optional) informational message.
160 */
161
162static int parse_http_line1(char *line)
163 {
164 int retcode;
165 char *p, *q, *r;
166 /* Skip to first white space (passed protocol info) */
167
168 for(p = line; *p && !isspace((unsigned char)*p); p++)
169 continue;
170 if(!*p)
171 {
172 OCSPerr(OCSP_F_PARSE_HTTP_LINE1,
173 OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
174 return 0;
175 }
176
177 /* Skip past white space to start of response code */
178 while(*p && isspace((unsigned char)*p))
179 p++;
180
181 if(!*p)
182 {
183 OCSPerr(OCSP_F_PARSE_HTTP_LINE1,
184 OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
185 return 0;
186 }
187
188 /* Find end of response code: first whitespace after start of code */
189 for(q = p; *q && !isspace((unsigned char)*q); q++)
190 continue;
191
192 if(!*q)
193 {
194 OCSPerr(OCSP_F_PARSE_HTTP_LINE1,
195 OCSP_R_SERVER_RESPONSE_PARSE_ERROR);
196 return 0;
197 }
198
199 /* Set end of response code and start of message */
200 *q++ = 0;
201
202 /* Attempt to parse numeric code */
203 retcode = strtoul(p, &r, 10);
204
205 if(*r)
206 return 0;
207
208 /* Skip over any leading white space in message */
209 while(*q && isspace((unsigned char)*q))
210 q++;
211
212 if(*q)
213 {
214 /* Finally zap any trailing white space in message (include
215 * CRLF) */
216
217 /* We know q has a non white space character so this is OK */
218 for(r = q + strlen(q) - 1; isspace((unsigned char)*r); r--)
219 *r = 0;
220 }
221 if(retcode != 200)
222 {
223 OCSPerr(OCSP_F_PARSE_HTTP_LINE1, OCSP_R_SERVER_RESPONSE_ERROR);
224 if(!*q)
225 ERR_add_error_data(2, "Code=", p);
226 else
227 ERR_add_error_data(4, "Code=", p, ",Reason=", q);
228 return 0;
229 }
230
231
232 return 1;
233
234 }
235
236int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx)
237 {
238 int i, n;
239 const unsigned char *p;
240 next_io:
241 if (!(rctx->state & OHS_NOREAD))
242 {
243 n = BIO_read(rctx->io, rctx->iobuf, rctx->iobuflen);
244
245 if (n <= 0)
246 {
247 if (BIO_should_retry(rctx->io))
248 return -1;
249 return 0;
250 }
251
252 /* Write data to memory BIO */
253
254 if (BIO_write(rctx->mem, rctx->iobuf, n) != n)
255 return 0;
256 }
257
258 switch(rctx->state)
259 {
260
261 case OHS_ASN1_WRITE:
262 n = BIO_get_mem_data(rctx->mem, &p);
263
264 i = BIO_write(rctx->io,
265 p + (n - rctx->asn1_len), rctx->asn1_len);
266
267 if (i <= 0)
268 {
269 if (BIO_should_retry(rctx->io))
270 return -1;
271 rctx->state = OHS_ERROR;
272 return 0;
273 }
274
275 rctx->asn1_len -= i;
276
277 if (rctx->asn1_len > 0)
278 goto next_io;
279
280 rctx->state = OHS_ASN1_FLUSH;
281
282 (void)BIO_reset(rctx->mem);
283
284 case OHS_ASN1_FLUSH:
285
286 i = BIO_flush(rctx->io);
287
288 if (i > 0)
289 {
290 rctx->state = OHS_FIRSTLINE;
291 goto next_io;
292 }
293
294 if (BIO_should_retry(rctx->io))
295 return -1;
296
297 rctx->state = OHS_ERROR;
298 return 0;
299
300 case OHS_ERROR:
301 return 0;
302
303 case OHS_FIRSTLINE:
304 case OHS_HEADERS:
305
306 /* Attempt to read a line in */
307
308 next_line:
309 /* Due to &%^*$" memory BIO behaviour with BIO_gets we
310 * have to check there's a complete line in there before
311 * calling BIO_gets or we'll just get a partial read.
312 */
313 n = BIO_get_mem_data(rctx->mem, &p);
314 if ((n <= 0) || !memchr(p, '\n', n))
315 {
316 if (n >= rctx->iobuflen)
317 {
318 rctx->state = OHS_ERROR;
319 return 0;
320 }
321 goto next_io;
322 }
323 n = BIO_gets(rctx->mem, (char *)rctx->iobuf, rctx->iobuflen);
324
325 if (n <= 0)
326 {
327 if (BIO_should_retry(rctx->mem))
328 goto next_io;
329 rctx->state = OHS_ERROR;
330 return 0;
331 }
332
333 /* Don't allow excessive lines */
334 if (n == rctx->iobuflen)
335 {
336 rctx->state = OHS_ERROR;
337 return 0;
338 }
339
340 /* First line */
341 if (rctx->state == OHS_FIRSTLINE)
342 {
343 if (parse_http_line1((char *)rctx->iobuf))
344 {
345 rctx->state = OHS_HEADERS;
346 goto next_line;
347 }
348 else
349 {
350 rctx->state = OHS_ERROR;
351 return 0;
352 }
353 }
354 else
355 {
356 /* Look for blank line: end of headers */
357 for (p = rctx->iobuf; *p; p++)
358 {
359 if ((*p != '\r') && (*p != '\n'))
360 break;
361 }
362 if (*p)
363 goto next_line;
364
365 rctx->state = OHS_ASN1_HEADER;
366
367 }
368
369 /* Fall thru */
370
371
372 case OHS_ASN1_HEADER:
373 /* Now reading ASN1 header: can read at least 6 bytes which
374 * is more than enough for any valid ASN1 SEQUENCE header
375 */
376 n = BIO_get_mem_data(rctx->mem, &p);
377 if (n < 6)
378 goto next_io;
379
380 /* Check it is an ASN1 SEQUENCE */
381 if (*p++ != (V_ASN1_SEQUENCE|V_ASN1_CONSTRUCTED))
382 {
383 rctx->state = OHS_ERROR;
384 return 0;
385 }
386
387 /* Check out length field */
388 if (*p & 0x80)
389 {
390 n = *p & 0x7F;
391 /* Not NDEF or excessive length */
392 if (!n || (n > 4))
393 {
394 rctx->state = OHS_ERROR;
395 return 0;
396 }
397 p++;
398 rctx->asn1_len = 0;
399 for (i = 0; i < n; i++)
400 {
401 rctx->asn1_len <<= 8;
402 rctx->asn1_len |= *p++;
403 }
404
405 if (rctx->asn1_len > OCSP_MAX_REQUEST_LENGTH)
406 {
407 rctx->state = OHS_ERROR;
408 return 0;
409 }
410
411 rctx->asn1_len += n + 2;
412 }
413 else
414 rctx->asn1_len = *p + 2;
415
416 rctx->state = OHS_ASN1_CONTENT;
417
418 /* Fall thru */
419
420 case OHS_ASN1_CONTENT:
421 n = BIO_get_mem_data(rctx->mem, &p);
422 if (n < (int)rctx->asn1_len)
423 goto next_io;
424
425
426 *presp = d2i_OCSP_RESPONSE(NULL, &p, rctx->asn1_len);
427 if (*presp)
428 {
429 rctx->state = OHS_DONE;
430 return 1;
431 }
432
433 rctx->state = OHS_ERROR;
434 return 0;
435
436 break;
437
438 case OHS_DONE:
439 return 1;
440
441 }
442
443
444
445 return 0;
446
447
448 }
449
450/* Blocking OCSP request handler: now a special case of non-blocking I/O */
451
452OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, char *path, OCSP_REQUEST *req)
453 {
454 OCSP_RESPONSE *resp = NULL;
455 OCSP_REQ_CTX *ctx;
456 int rv;
457
458 ctx = OCSP_sendreq_new(b, path, req, -1);
459
460 do
461 {
462 rv = OCSP_sendreq_nbio(&resp, ctx);
463 } while ((rv == -1) && BIO_should_retry(b));
464
465 OCSP_REQ_CTX_free(ctx);
466
467 if (rv)
468 return resp;
469
470 return NULL;
471 }
diff --git a/src/lib/libcrypto/ocsp/ocsp_lib.c b/src/lib/libcrypto/ocsp/ocsp_lib.c
new file mode 100644
index 0000000000..27450811d7
--- /dev/null
+++ b/src/lib/libcrypto/ocsp/ocsp_lib.c
@@ -0,0 +1,262 @@
1/* ocsp_lib.c */
2/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
3 * project. */
4
5/* History:
6 This file was transfered to Richard Levitte from CertCo by Kathy
7 Weinhold in mid-spring 2000 to be included in OpenSSL or released
8 as a patch kit. */
9
10/* ====================================================================
11 * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
12 *
13 * Redistribution and use in source and binary forms, with or without
14 * modification, are permitted provided that the following conditions
15 * are met:
16 *
17 * 1. Redistributions of source code must retain the above copyright
18 * notice, this list of conditions and the following disclaimer.
19 *
20 * 2. Redistributions in binary form must reproduce the above copyright
21 * notice, this list of conditions and the following disclaimer in
22 * the documentation and/or other materials provided with the
23 * distribution.
24 *
25 * 3. All advertising materials mentioning features or use of this
26 * software must display the following acknowledgment:
27 * "This product includes software developed by the OpenSSL Project
28 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
29 *
30 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
31 * endorse or promote products derived from this software without
32 * prior written permission. For written permission, please contact
33 * openssl-core@openssl.org.
34 *
35 * 5. Products derived from this software may not be called "OpenSSL"
36 * nor may "OpenSSL" appear in their names without prior written
37 * permission of the OpenSSL Project.
38 *
39 * 6. Redistributions of any form whatsoever must retain the following
40 * acknowledgment:
41 * "This product includes software developed by the OpenSSL Project
42 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
43 *
44 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
45 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
46 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
47 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
48 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
49 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
50 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
51 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
52 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
53 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
54 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
55 * OF THE POSSIBILITY OF SUCH DAMAGE.
56 * ====================================================================
57 *
58 * This product includes cryptographic software written by Eric Young
59 * (eay@cryptsoft.com). This product includes software written by Tim
60 * Hudson (tjh@cryptsoft.com).
61 *
62 */
63
64#include <stdio.h>
65#include <cryptlib.h>
66#include <openssl/objects.h>
67#include <openssl/rand.h>
68#include <openssl/x509.h>
69#include <openssl/pem.h>
70#include <openssl/x509v3.h>
71#include <openssl/ocsp.h>
72
73/* Convert a certificate and its issuer to an OCSP_CERTID */
74
75OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *dgst, X509 *subject, X509 *issuer)
76{
77 X509_NAME *iname;
78 ASN1_INTEGER *serial;
79 ASN1_BIT_STRING *ikey;
80#ifndef OPENSSL_NO_SHA1
81 if(!dgst) dgst = EVP_sha1();
82#endif
83 if (subject)
84 {
85 iname = X509_get_issuer_name(subject);
86 serial = X509_get_serialNumber(subject);
87 }
88 else
89 {
90 iname = X509_get_subject_name(issuer);
91 serial = NULL;
92 }
93 ikey = X509_get0_pubkey_bitstr(issuer);
94 return OCSP_cert_id_new(dgst, iname, ikey, serial);
95}
96
97
98OCSP_CERTID *OCSP_cert_id_new(const EVP_MD *dgst,
99 X509_NAME *issuerName,
100 ASN1_BIT_STRING* issuerKey,
101 ASN1_INTEGER *serialNumber)
102 {
103 int nid;
104 unsigned int i;
105 X509_ALGOR *alg;
106 OCSP_CERTID *cid = NULL;
107 unsigned char md[EVP_MAX_MD_SIZE];
108
109 if (!(cid = OCSP_CERTID_new())) goto err;
110
111 alg = cid->hashAlgorithm;
112 if (alg->algorithm != NULL) ASN1_OBJECT_free(alg->algorithm);
113 if ((nid = EVP_MD_type(dgst)) == NID_undef)
114 {
115 OCSPerr(OCSP_F_OCSP_CERT_ID_NEW,OCSP_R_UNKNOWN_NID);
116 goto err;
117 }
118 if (!(alg->algorithm=OBJ_nid2obj(nid))) goto err;
119 if ((alg->parameter=ASN1_TYPE_new()) == NULL) goto err;
120 alg->parameter->type=V_ASN1_NULL;
121
122 if (!X509_NAME_digest(issuerName, dgst, md, &i)) goto digerr;
123 if (!(ASN1_OCTET_STRING_set(cid->issuerNameHash, md, i))) goto err;
124
125 /* Calculate the issuerKey hash, excluding tag and length */
126 EVP_Digest(issuerKey->data, issuerKey->length, md, &i, dgst, NULL);
127
128 if (!(ASN1_OCTET_STRING_set(cid->issuerKeyHash, md, i))) goto err;
129
130 if (serialNumber)
131 {
132 ASN1_INTEGER_free(cid->serialNumber);
133 if (!(cid->serialNumber = ASN1_INTEGER_dup(serialNumber))) goto err;
134 }
135 return cid;
136digerr:
137 OCSPerr(OCSP_F_OCSP_CERT_ID_NEW,OCSP_R_DIGEST_ERR);
138err:
139 if (cid) OCSP_CERTID_free(cid);
140 return NULL;
141 }
142
143int OCSP_id_issuer_cmp(OCSP_CERTID *a, OCSP_CERTID *b)
144 {
145 int ret;
146 ret = OBJ_cmp(a->hashAlgorithm->algorithm, b->hashAlgorithm->algorithm);
147 if (ret) return ret;
148 ret = ASN1_OCTET_STRING_cmp(a->issuerNameHash, b->issuerNameHash);
149 if (ret) return ret;
150 return ASN1_OCTET_STRING_cmp(a->issuerKeyHash, b->issuerKeyHash);
151 }
152
153int OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b)
154 {
155 int ret;
156 ret = OCSP_id_issuer_cmp(a, b);
157 if (ret) return ret;
158 return ASN1_INTEGER_cmp(a->serialNumber, b->serialNumber);
159 }
160
161
162/* Parse a URL and split it up into host, port and path components and whether
163 * it is SSL.
164 */
165
166int OCSP_parse_url(char *url, char **phost, char **pport, char **ppath, int *pssl)
167 {
168 char *p, *buf;
169
170 char *host, *port;
171
172 /* dup the buffer since we are going to mess with it */
173 buf = BUF_strdup(url);
174 if (!buf) goto mem_err;
175
176 *phost = NULL;
177 *pport = NULL;
178 *ppath = NULL;
179
180 /* Check for initial colon */
181 p = strchr(buf, ':');
182
183 if (!p) goto parse_err;
184
185 *(p++) = '\0';
186
187 if (!strcmp(buf, "http"))
188 {
189 *pssl = 0;
190 port = "80";
191 }
192 else if (!strcmp(buf, "https"))
193 {
194 *pssl = 1;
195 port = "443";
196 }
197 else
198 goto parse_err;
199
200 /* Check for double slash */
201 if ((p[0] != '/') || (p[1] != '/'))
202 goto parse_err;
203
204 p += 2;
205
206 host = p;
207
208 /* Check for trailing part of path */
209
210 p = strchr(p, '/');
211
212 if (!p)
213 *ppath = BUF_strdup("/");
214 else
215 {
216 *ppath = BUF_strdup(p);
217 /* Set start of path to 0 so hostname is valid */
218 *p = '\0';
219 }
220
221 if (!*ppath) goto mem_err;
222
223 /* Look for optional ':' for port number */
224 if ((p = strchr(host, ':')))
225 {
226 *p = 0;
227 port = p + 1;
228 }
229 else
230 {
231 /* Not found: set default port */
232 if (*pssl) port = "443";
233 else port = "80";
234 }
235
236 *pport = BUF_strdup(port);
237 if (!*pport) goto mem_err;
238
239 *phost = BUF_strdup(host);
240
241 if (!*phost) goto mem_err;
242
243 OPENSSL_free(buf);
244
245 return 1;
246
247 mem_err:
248 OCSPerr(OCSP_F_OCSP_PARSE_URL, ERR_R_MALLOC_FAILURE);
249 goto err;
250
251 parse_err:
252 OCSPerr(OCSP_F_OCSP_PARSE_URL, OCSP_R_ERROR_PARSING_URL);
253
254
255 err:
256 if (buf) OPENSSL_free(buf);
257 if (*ppath) OPENSSL_free(*ppath);
258 if (*pport) OPENSSL_free(*pport);
259 if (*phost) OPENSSL_free(*phost);
260 return 0;
261
262 }
diff --git a/src/lib/libcrypto/ocsp/ocsp_prn.c b/src/lib/libcrypto/ocsp/ocsp_prn.c
new file mode 100644
index 0000000000..3dfb51c1e4
--- /dev/null
+++ b/src/lib/libcrypto/ocsp/ocsp_prn.c
@@ -0,0 +1,291 @@
1/* ocsp_prn.c */
2/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
3 * project. */
4
5/* History:
6 This file was originally part of ocsp.c and was transfered to Richard
7 Levitte from CertCo by Kathy Weinhold in mid-spring 2000 to be included
8 in OpenSSL or released as a patch kit. */
9
10/* ====================================================================
11 * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
12 *
13 * Redistribution and use in source and binary forms, with or without
14 * modification, are permitted provided that the following conditions
15 * are met:
16 *
17 * 1. Redistributions of source code must retain the above copyright
18 * notice, this list of conditions and the following disclaimer.
19 *
20 * 2. Redistributions in binary form must reproduce the above copyright
21 * notice, this list of conditions and the following disclaimer in
22 * the documentation and/or other materials provided with the
23 * distribution.
24 *
25 * 3. All advertising materials mentioning features or use of this
26 * software must display the following acknowledgment:
27 * "This product includes software developed by the OpenSSL Project
28 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
29 *
30 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
31 * endorse or promote products derived from this software without
32 * prior written permission. For written permission, please contact
33 * openssl-core@openssl.org.
34 *
35 * 5. Products derived from this software may not be called "OpenSSL"
36 * nor may "OpenSSL" appear in their names without prior written
37 * permission of the OpenSSL Project.
38 *
39 * 6. Redistributions of any form whatsoever must retain the following
40 * acknowledgment:
41 * "This product includes software developed by the OpenSSL Project
42 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
43 *
44 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
45 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
46 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
47 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
48 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
49 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
50 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
51 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
52 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
53 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
54 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
55 * OF THE POSSIBILITY OF SUCH DAMAGE.
56 * ====================================================================
57 *
58 * This product includes cryptographic software written by Eric Young
59 * (eay@cryptsoft.com). This product includes software written by Tim
60 * Hudson (tjh@cryptsoft.com).
61 *
62 */
63
64#include <openssl/bio.h>
65#include <openssl/err.h>
66#include <openssl/ocsp.h>
67#include <openssl/pem.h>
68
69static int ocsp_certid_print(BIO *bp, OCSP_CERTID* a, int indent)
70 {
71 BIO_printf(bp, "%*sCertificate ID:\n", indent, "");
72 indent += 2;
73 BIO_printf(bp, "%*sHash Algorithm: ", indent, "");
74 i2a_ASN1_OBJECT(bp, a->hashAlgorithm->algorithm);
75 BIO_printf(bp, "\n%*sIssuer Name Hash: ", indent, "");
76 i2a_ASN1_STRING(bp, a->issuerNameHash, V_ASN1_OCTET_STRING);
77 BIO_printf(bp, "\n%*sIssuer Key Hash: ", indent, "");
78 i2a_ASN1_STRING(bp, a->issuerKeyHash, V_ASN1_OCTET_STRING);
79 BIO_printf(bp, "\n%*sSerial Number: ", indent, "");
80 i2a_ASN1_INTEGER(bp, a->serialNumber);
81 BIO_printf(bp, "\n");
82 return 1;
83 }
84
85typedef struct
86 {
87 long t;
88 char *m;
89 } OCSP_TBLSTR;
90
91static char *table2string(long s, OCSP_TBLSTR *ts, int len)
92{
93 OCSP_TBLSTR *p;
94 for (p=ts; p < ts + len; p++)
95 if (p->t == s)
96 return p->m;
97 return "(UNKNOWN)";
98}
99
100char *OCSP_response_status_str(long s)
101 {
102 static OCSP_TBLSTR rstat_tbl[] = {
103 { OCSP_RESPONSE_STATUS_SUCCESSFUL, "successful" },
104 { OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, "malformedrequest" },
105 { OCSP_RESPONSE_STATUS_INTERNALERROR, "internalerror" },
106 { OCSP_RESPONSE_STATUS_TRYLATER, "trylater" },
107 { OCSP_RESPONSE_STATUS_SIGREQUIRED, "sigrequired" },
108 { OCSP_RESPONSE_STATUS_UNAUTHORIZED, "unauthorized" } };
109 return table2string(s, rstat_tbl, 6);
110 }
111
112char *OCSP_cert_status_str(long s)
113 {
114 static OCSP_TBLSTR cstat_tbl[] = {
115 { V_OCSP_CERTSTATUS_GOOD, "good" },
116 { V_OCSP_CERTSTATUS_REVOKED, "revoked" },
117 { V_OCSP_CERTSTATUS_UNKNOWN, "unknown" } };
118 return table2string(s, cstat_tbl, 3);
119 }
120
121char *OCSP_crl_reason_str(long s)
122 {
123 OCSP_TBLSTR reason_tbl[] = {
124 { OCSP_REVOKED_STATUS_UNSPECIFIED, "unspecified" },
125 { OCSP_REVOKED_STATUS_KEYCOMPROMISE, "keyCompromise" },
126 { OCSP_REVOKED_STATUS_CACOMPROMISE, "cACompromise" },
127 { OCSP_REVOKED_STATUS_AFFILIATIONCHANGED, "affiliationChanged" },
128 { OCSP_REVOKED_STATUS_SUPERSEDED, "superseded" },
129 { OCSP_REVOKED_STATUS_CESSATIONOFOPERATION, "cessationOfOperation" },
130 { OCSP_REVOKED_STATUS_CERTIFICATEHOLD, "certificateHold" },
131 { OCSP_REVOKED_STATUS_REMOVEFROMCRL, "removeFromCRL" } };
132 return table2string(s, reason_tbl, 8);
133 }
134
135int OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST* o, unsigned long flags)
136 {
137 int i;
138 long l;
139 OCSP_CERTID* cid = NULL;
140 OCSP_ONEREQ *one = NULL;
141 OCSP_REQINFO *inf = o->tbsRequest;
142 OCSP_SIGNATURE *sig = o->optionalSignature;
143
144 if (BIO_write(bp,"OCSP Request Data:\n",19) <= 0) goto err;
145 l=ASN1_INTEGER_get(inf->version);
146 if (BIO_printf(bp," Version: %lu (0x%lx)",l+1,l) <= 0) goto err;
147 if (inf->requestorName != NULL)
148 {
149 if (BIO_write(bp,"\n Requestor Name: ",21) <= 0)
150 goto err;
151 GENERAL_NAME_print(bp, inf->requestorName);
152 }
153 if (BIO_write(bp,"\n Requestor List:\n",21) <= 0) goto err;
154 for (i = 0; i < sk_OCSP_ONEREQ_num(inf->requestList); i++)
155 {
156 one = sk_OCSP_ONEREQ_value(inf->requestList, i);
157 cid = one->reqCert;
158 ocsp_certid_print(bp, cid, 8);
159 if (!X509V3_extensions_print(bp,
160 "Request Single Extensions",
161 one->singleRequestExtensions, flags, 8))
162 goto err;
163 }
164 if (!X509V3_extensions_print(bp, "Request Extensions",
165 inf->requestExtensions, flags, 4))
166 goto err;
167 if (sig)
168 {
169 X509_signature_print(bp, sig->signatureAlgorithm, sig->signature);
170 for (i=0; i<sk_X509_num(sig->certs); i++)
171 {
172 X509_print(bp, sk_X509_value(sig->certs,i));
173 PEM_write_bio_X509(bp,sk_X509_value(sig->certs,i));
174 }
175 }
176 return 1;
177err:
178 return 0;
179 }
180
181int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE* o, unsigned long flags)
182 {
183 int i, ret = 0;
184 long l;
185 unsigned char *p;
186 OCSP_CERTID *cid = NULL;
187 OCSP_BASICRESP *br = NULL;
188 OCSP_RESPID *rid = NULL;
189 OCSP_RESPDATA *rd = NULL;
190 OCSP_CERTSTATUS *cst = NULL;
191 OCSP_REVOKEDINFO *rev = NULL;
192 OCSP_SINGLERESP *single = NULL;
193 OCSP_RESPBYTES *rb = o->responseBytes;
194
195 if (BIO_puts(bp,"OCSP Response Data:\n") <= 0) goto err;
196 l=ASN1_ENUMERATED_get(o->responseStatus);
197 if (BIO_printf(bp," OCSP Response Status: %s (0x%lx)\n",
198 OCSP_response_status_str(l), l) <= 0) goto err;
199 if (rb == NULL) return 1;
200 if (BIO_puts(bp," Response Type: ") <= 0)
201 goto err;
202 if(i2a_ASN1_OBJECT(bp, rb->responseType) <= 0)
203 goto err;
204 if (OBJ_obj2nid(rb->responseType) != NID_id_pkix_OCSP_basic)
205 {
206 BIO_puts(bp," (unknown response type)\n");
207 return 1;
208 }
209
210 p = ASN1_STRING_data(rb->response);
211 i = ASN1_STRING_length(rb->response);
212 if (!(br = OCSP_response_get1_basic(o))) goto err;
213 rd = br->tbsResponseData;
214 l=ASN1_INTEGER_get(rd->version);
215 if (BIO_printf(bp,"\n Version: %lu (0x%lx)\n",
216 l+1,l) <= 0) goto err;
217 if (BIO_puts(bp," Responder Id: ") <= 0) goto err;
218
219 rid = rd->responderId;
220 switch (rid->type)
221 {
222 case V_OCSP_RESPID_NAME:
223 X509_NAME_print_ex(bp, rid->value.byName, 0, XN_FLAG_ONELINE);
224 break;
225 case V_OCSP_RESPID_KEY:
226 i2a_ASN1_STRING(bp, rid->value.byKey, V_ASN1_OCTET_STRING);
227 break;
228 }
229
230 if (BIO_printf(bp,"\n Produced At: ")<=0) goto err;
231 if (!ASN1_GENERALIZEDTIME_print(bp, rd->producedAt)) goto err;
232 if (BIO_printf(bp,"\n Responses:\n") <= 0) goto err;
233 for (i = 0; i < sk_OCSP_SINGLERESP_num(rd->responses); i++)
234 {
235 if (! sk_OCSP_SINGLERESP_value(rd->responses, i)) continue;
236 single = sk_OCSP_SINGLERESP_value(rd->responses, i);
237 cid = single->certId;
238 if(ocsp_certid_print(bp, cid, 4) <= 0) goto err;
239 cst = single->certStatus;
240 if (BIO_printf(bp," Cert Status: %s",
241 OCSP_cert_status_str(cst->type)) <= 0)
242 goto err;
243 if (cst->type == V_OCSP_CERTSTATUS_REVOKED)
244 {
245 rev = cst->value.revoked;
246 if (BIO_printf(bp, "\n Revocation Time: ") <= 0)
247 goto err;
248 if (!ASN1_GENERALIZEDTIME_print(bp,
249 rev->revocationTime))
250 goto err;
251 if (rev->revocationReason)
252 {
253 l=ASN1_ENUMERATED_get(rev->revocationReason);
254 if (BIO_printf(bp,
255 "\n Revocation Reason: %s (0x%lx)",
256 OCSP_crl_reason_str(l), l) <= 0)
257 goto err;
258 }
259 }
260 if (BIO_printf(bp,"\n This Update: ") <= 0) goto err;
261 if (!ASN1_GENERALIZEDTIME_print(bp, single->thisUpdate))
262 goto err;
263 if (single->nextUpdate)
264 {
265 if (BIO_printf(bp,"\n Next Update: ") <= 0)goto err;
266 if (!ASN1_GENERALIZEDTIME_print(bp,single->nextUpdate))
267 goto err;
268 }
269 if (!BIO_write(bp,"\n",1)) goto err;
270 if (!X509V3_extensions_print(bp,
271 "Response Single Extensions",
272 single->singleExtensions, flags, 8))
273 goto err;
274 if (!BIO_write(bp,"\n",1)) goto err;
275 }
276 if (!X509V3_extensions_print(bp, "Response Extensions",
277 rd->responseExtensions, flags, 4))
278 if(X509_signature_print(bp, br->signatureAlgorithm, br->signature) <= 0)
279 goto err;
280
281 for (i=0; i<sk_X509_num(br->certs); i++)
282 {
283 X509_print(bp, sk_X509_value(br->certs,i));
284 PEM_write_bio_X509(bp,sk_X509_value(br->certs,i));
285 }
286
287 ret = 1;
288err:
289 OCSP_BASICRESP_free(br);
290 return ret;
291 }
diff --git a/src/lib/libcrypto/ocsp/ocsp_srv.c b/src/lib/libcrypto/ocsp/ocsp_srv.c
new file mode 100644
index 0000000000..fffa134e75
--- /dev/null
+++ b/src/lib/libcrypto/ocsp/ocsp_srv.c
@@ -0,0 +1,264 @@
1/* ocsp_srv.c */
2/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
3 * project 2001.
4 */
5/* ====================================================================
6 * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * openssl-core@openssl.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <stdio.h>
60#include <cryptlib.h>
61#include <openssl/objects.h>
62#include <openssl/rand.h>
63#include <openssl/x509.h>
64#include <openssl/pem.h>
65#include <openssl/x509v3.h>
66#include <openssl/ocsp.h>
67
68/* Utility functions related to sending OCSP responses and extracting
69 * relevant information from the request.
70 */
71
72int OCSP_request_onereq_count(OCSP_REQUEST *req)
73 {
74 return sk_OCSP_ONEREQ_num(req->tbsRequest->requestList);
75 }
76
77OCSP_ONEREQ *OCSP_request_onereq_get0(OCSP_REQUEST *req, int i)
78 {
79 return sk_OCSP_ONEREQ_value(req->tbsRequest->requestList, i);
80 }
81
82OCSP_CERTID *OCSP_onereq_get0_id(OCSP_ONEREQ *one)
83 {
84 return one->reqCert;
85 }
86
87int OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd,
88 ASN1_OCTET_STRING **pikeyHash,
89 ASN1_INTEGER **pserial, OCSP_CERTID *cid)
90 {
91 if (!cid) return 0;
92 if (pmd) *pmd = cid->hashAlgorithm->algorithm;
93 if(piNameHash) *piNameHash = cid->issuerNameHash;
94 if (pikeyHash) *pikeyHash = cid->issuerKeyHash;
95 if (pserial) *pserial = cid->serialNumber;
96 return 1;
97 }
98
99int OCSP_request_is_signed(OCSP_REQUEST *req)
100 {
101 if(req->optionalSignature) return 1;
102 return 0;
103 }
104
105/* Create an OCSP response and encode an optional basic response */
106OCSP_RESPONSE *OCSP_response_create(int status, OCSP_BASICRESP *bs)
107 {
108 OCSP_RESPONSE *rsp = NULL;
109
110 if (!(rsp = OCSP_RESPONSE_new())) goto err;
111 if (!(ASN1_ENUMERATED_set(rsp->responseStatus, status))) goto err;
112 if (!bs) return rsp;
113 if (!(rsp->responseBytes = OCSP_RESPBYTES_new())) goto err;
114 rsp->responseBytes->responseType = OBJ_nid2obj(NID_id_pkix_OCSP_basic);
115 if (!ASN1_item_pack(bs, ASN1_ITEM_rptr(OCSP_BASICRESP), &rsp->responseBytes->response))
116 goto err;
117 return rsp;
118err:
119 if (rsp) OCSP_RESPONSE_free(rsp);
120 return NULL;
121 }
122
123
124OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp,
125 OCSP_CERTID *cid,
126 int status, int reason,
127 ASN1_TIME *revtime,
128 ASN1_TIME *thisupd, ASN1_TIME *nextupd)
129 {
130 OCSP_SINGLERESP *single = NULL;
131 OCSP_CERTSTATUS *cs;
132 OCSP_REVOKEDINFO *ri;
133
134 if(!rsp->tbsResponseData->responses &&
135 !(rsp->tbsResponseData->responses = sk_OCSP_SINGLERESP_new_null()))
136 goto err;
137
138 if (!(single = OCSP_SINGLERESP_new()))
139 goto err;
140
141
142
143 if (!ASN1_TIME_to_generalizedtime(thisupd, &single->thisUpdate))
144 goto err;
145 if (nextupd &&
146 !ASN1_TIME_to_generalizedtime(nextupd, &single->nextUpdate))
147 goto err;
148
149 OCSP_CERTID_free(single->certId);
150
151 if(!(single->certId = OCSP_CERTID_dup(cid)))
152 goto err;
153
154 cs = single->certStatus;
155 switch(cs->type = status)
156 {
157 case V_OCSP_CERTSTATUS_REVOKED:
158 if (!revtime)
159 {
160 OCSPerr(OCSP_F_OCSP_BASIC_ADD1_STATUS,OCSP_R_NO_REVOKED_TIME);
161 goto err;
162 }
163 if (!(cs->value.revoked = ri = OCSP_REVOKEDINFO_new())) goto err;
164 if (!ASN1_TIME_to_generalizedtime(revtime, &ri->revocationTime))
165 goto err;
166 if (reason != OCSP_REVOKED_STATUS_NOSTATUS)
167 {
168 if (!(ri->revocationReason = ASN1_ENUMERATED_new()))
169 goto err;
170 if (!(ASN1_ENUMERATED_set(ri->revocationReason,
171 reason)))
172 goto err;
173 }
174 break;
175
176 case V_OCSP_CERTSTATUS_GOOD:
177 cs->value.good = ASN1_NULL_new();
178 break;
179
180 case V_OCSP_CERTSTATUS_UNKNOWN:
181 cs->value.unknown = ASN1_NULL_new();
182 break;
183
184 default:
185 goto err;
186
187 }
188 if (!(sk_OCSP_SINGLERESP_push(rsp->tbsResponseData->responses, single)))
189 goto err;
190 return single;
191err:
192 OCSP_SINGLERESP_free(single);
193 return NULL;
194 }
195
196/* Add a certificate to an OCSP request */
197
198int OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert)
199 {
200 if (!resp->certs && !(resp->certs = sk_X509_new_null()))
201 return 0;
202
203 if(!sk_X509_push(resp->certs, cert)) return 0;
204 CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
205 return 1;
206 }
207
208int OCSP_basic_sign(OCSP_BASICRESP *brsp,
209 X509 *signer, EVP_PKEY *key, const EVP_MD *dgst,
210 STACK_OF(X509) *certs, unsigned long flags)
211 {
212 int i;
213 OCSP_RESPID *rid;
214
215 if (!X509_check_private_key(signer, key))
216 {
217 OCSPerr(OCSP_F_OCSP_BASIC_SIGN, OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
218 goto err;
219 }
220
221 if(!(flags & OCSP_NOCERTS))
222 {
223 if(!OCSP_basic_add1_cert(brsp, signer))
224 goto err;
225 for (i = 0; i < sk_X509_num(certs); i++)
226 {
227 X509 *tmpcert = sk_X509_value(certs, i);
228 if(!OCSP_basic_add1_cert(brsp, tmpcert))
229 goto err;
230 }
231 }
232
233 rid = brsp->tbsResponseData->responderId;
234 if (flags & OCSP_RESPID_KEY)
235 {
236 unsigned char md[SHA_DIGEST_LENGTH];
237 X509_pubkey_digest(signer, EVP_sha1(), md, NULL);
238 if (!(rid->value.byKey = ASN1_OCTET_STRING_new()))
239 goto err;
240 if (!(ASN1_OCTET_STRING_set(rid->value.byKey, md, SHA_DIGEST_LENGTH)))
241 goto err;
242 rid->type = V_OCSP_RESPID_KEY;
243 }
244 else
245 {
246 if (!X509_NAME_set(&rid->value.byName,
247 X509_get_subject_name(signer)))
248 goto err;
249 rid->type = V_OCSP_RESPID_NAME;
250 }
251
252 if (!(flags & OCSP_NOTIME) &&
253 !X509_gmtime_adj(brsp->tbsResponseData->producedAt, 0))
254 goto err;
255
256 /* Right now, I think that not doing double hashing is the right
257 thing. -- Richard Levitte */
258
259 if (!OCSP_BASICRESP_sign(brsp, key, dgst, 0)) goto err;
260
261 return 1;
262err:
263 return 0;
264 }
diff --git a/src/lib/libcrypto/ocsp/ocsp_vfy.c b/src/lib/libcrypto/ocsp/ocsp_vfy.c
new file mode 100644
index 0000000000..23ea41c847
--- /dev/null
+++ b/src/lib/libcrypto/ocsp/ocsp_vfy.c
@@ -0,0 +1,444 @@
1/* ocsp_vfy.c */
2/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
3 * project 2000.
4 */
5/* ====================================================================
6 * Copyright (c) 2000-2004 The OpenSSL Project. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in
17 * the documentation and/or other materials provided with the
18 * distribution.
19 *
20 * 3. All advertising materials mentioning features or use of this
21 * software must display the following acknowledgment:
22 * "This product includes software developed by the OpenSSL Project
23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24 *
25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26 * endorse or promote products derived from this software without
27 * prior written permission. For written permission, please contact
28 * licensing@OpenSSL.org.
29 *
30 * 5. Products derived from this software may not be called "OpenSSL"
31 * nor may "OpenSSL" appear in their names without prior written
32 * permission of the OpenSSL Project.
33 *
34 * 6. Redistributions of any form whatsoever must retain the following
35 * acknowledgment:
36 * "This product includes software developed by the OpenSSL Project
37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38 *
39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50 * OF THE POSSIBILITY OF SUCH DAMAGE.
51 * ====================================================================
52 *
53 * This product includes cryptographic software written by Eric Young
54 * (eay@cryptsoft.com). This product includes software written by Tim
55 * Hudson (tjh@cryptsoft.com).
56 *
57 */
58
59#include <openssl/ocsp.h>
60#include <openssl/err.h>
61#include <string.h>
62
63static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
64 X509_STORE *st, unsigned long flags);
65static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id);
66static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain, unsigned long flags);
67static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, OCSP_CERTID **ret);
68static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid, STACK_OF(OCSP_SINGLERESP) *sresp);
69static int ocsp_check_delegated(X509 *x, int flags);
70static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req, X509_NAME *nm, STACK_OF(X509) *certs,
71 X509_STORE *st, unsigned long flags);
72
73/* Verify a basic response message */
74
75int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
76 X509_STORE *st, unsigned long flags)
77 {
78 X509 *signer, *x;
79 STACK_OF(X509) *chain = NULL;
80 X509_STORE_CTX ctx;
81 int i, ret = 0;
82 ret = ocsp_find_signer(&signer, bs, certs, st, flags);
83 if (!ret)
84 {
85 OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND);
86 goto end;
87 }
88 if ((ret == 2) && (flags & OCSP_TRUSTOTHER))
89 flags |= OCSP_NOVERIFY;
90 if (!(flags & OCSP_NOSIGS))
91 {
92 EVP_PKEY *skey;
93 skey = X509_get_pubkey(signer);
94 ret = OCSP_BASICRESP_verify(bs, skey, 0);
95 EVP_PKEY_free(skey);
96 if(ret <= 0)
97 {
98 OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNATURE_FAILURE);
99 goto end;
100 }
101 }
102 if (!(flags & OCSP_NOVERIFY))
103 {
104 int init_res;
105 if(flags & OCSP_NOCHAIN)
106 init_res = X509_STORE_CTX_init(&ctx, st, signer, NULL);
107 else
108 init_res = X509_STORE_CTX_init(&ctx, st, signer, bs->certs);
109 if(!init_res)
110 {
111 OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,ERR_R_X509_LIB);
112 goto end;
113 }
114
115 X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_OCSP_HELPER);
116 ret = X509_verify_cert(&ctx);
117 chain = X509_STORE_CTX_get1_chain(&ctx);
118 X509_STORE_CTX_cleanup(&ctx);
119 if (ret <= 0)
120 {
121 i = X509_STORE_CTX_get_error(&ctx);
122 OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,OCSP_R_CERTIFICATE_VERIFY_ERROR);
123 ERR_add_error_data(2, "Verify error:",
124 X509_verify_cert_error_string(i));
125 goto end;
126 }
127 if(flags & OCSP_NOCHECKS)
128 {
129 ret = 1;
130 goto end;
131 }
132 /* At this point we have a valid certificate chain
133 * need to verify it against the OCSP issuer criteria.
134 */
135 ret = ocsp_check_issuer(bs, chain, flags);
136
137 /* If fatal error or valid match then finish */
138 if (ret != 0) goto end;
139
140 /* Easy case: explicitly trusted. Get root CA and
141 * check for explicit trust
142 */
143 if(flags & OCSP_NOEXPLICIT) goto end;
144
145 x = sk_X509_value(chain, sk_X509_num(chain) - 1);
146 if(X509_check_trust(x, NID_OCSP_sign, 0) != X509_TRUST_TRUSTED)
147 {
148 OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,OCSP_R_ROOT_CA_NOT_TRUSTED);
149 goto end;
150 }
151 ret = 1;
152 }
153
154
155
156 end:
157 if(chain) sk_X509_pop_free(chain, X509_free);
158 return ret;
159 }
160
161
162static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
163 X509_STORE *st, unsigned long flags)
164 {
165 X509 *signer;
166 OCSP_RESPID *rid = bs->tbsResponseData->responderId;
167 if ((signer = ocsp_find_signer_sk(certs, rid)))
168 {
169 *psigner = signer;
170 return 2;
171 }
172 if(!(flags & OCSP_NOINTERN) &&
173 (signer = ocsp_find_signer_sk(bs->certs, rid)))
174 {
175 *psigner = signer;
176 return 1;
177 }
178 /* Maybe lookup from store if by subject name */
179
180 *psigner = NULL;
181 return 0;
182 }
183
184
185static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id)
186 {
187 int i;
188 unsigned char tmphash[SHA_DIGEST_LENGTH], *keyhash;
189 X509 *x;
190
191 /* Easy if lookup by name */
192 if (id->type == V_OCSP_RESPID_NAME)
193 return X509_find_by_subject(certs, id->value.byName);
194
195 /* Lookup by key hash */
196
197 /* If key hash isn't SHA1 length then forget it */
198 if (id->value.byKey->length != SHA_DIGEST_LENGTH) return NULL;
199 keyhash = id->value.byKey->data;
200 /* Calculate hash of each key and compare */
201 for (i = 0; i < sk_X509_num(certs); i++)
202 {
203 x = sk_X509_value(certs, i);
204 X509_pubkey_digest(x, EVP_sha1(), tmphash, NULL);
205 if(!memcmp(keyhash, tmphash, SHA_DIGEST_LENGTH))
206 return x;
207 }
208 return NULL;
209 }
210
211
212static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain, unsigned long flags)
213 {
214 STACK_OF(OCSP_SINGLERESP) *sresp;
215 X509 *signer, *sca;
216 OCSP_CERTID *caid = NULL;
217 int i;
218 sresp = bs->tbsResponseData->responses;
219
220 if (sk_X509_num(chain) <= 0)
221 {
222 OCSPerr(OCSP_F_OCSP_CHECK_ISSUER, OCSP_R_NO_CERTIFICATES_IN_CHAIN);
223 return -1;
224 }
225
226 /* See if the issuer IDs match. */
227 i = ocsp_check_ids(sresp, &caid);
228
229 /* If ID mismatch or other error then return */
230 if (i <= 0) return i;
231
232 signer = sk_X509_value(chain, 0);
233 /* Check to see if OCSP responder CA matches request CA */
234 if (sk_X509_num(chain) > 1)
235 {
236 sca = sk_X509_value(chain, 1);
237 i = ocsp_match_issuerid(sca, caid, sresp);
238 if (i < 0) return i;
239 if (i)
240 {
241 /* We have a match, if extensions OK then success */
242 if (ocsp_check_delegated(signer, flags)) return 1;
243 return 0;
244 }
245 }
246
247 /* Otherwise check if OCSP request signed directly by request CA */
248 return ocsp_match_issuerid(signer, caid, sresp);
249 }
250
251
252/* Check the issuer certificate IDs for equality. If there is a mismatch with the same
253 * algorithm then there's no point trying to match any certificates against the issuer.
254 * If the issuer IDs all match then we just need to check equality against one of them.
255 */
256
257static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, OCSP_CERTID **ret)
258 {
259 OCSP_CERTID *tmpid, *cid;
260 int i, idcount;
261
262 idcount = sk_OCSP_SINGLERESP_num(sresp);
263 if (idcount <= 0)
264 {
265 OCSPerr(OCSP_F_OCSP_CHECK_IDS, OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA);
266 return -1;
267 }
268
269 cid = sk_OCSP_SINGLERESP_value(sresp, 0)->certId;
270
271 *ret = NULL;
272
273 for (i = 1; i < idcount; i++)
274 {
275 tmpid = sk_OCSP_SINGLERESP_value(sresp, i)->certId;
276 /* Check to see if IDs match */
277 if (OCSP_id_issuer_cmp(cid, tmpid))
278 {
279 /* If algoritm mismatch let caller deal with it */
280 if (OBJ_cmp(tmpid->hashAlgorithm->algorithm,
281 cid->hashAlgorithm->algorithm))
282 return 2;
283 /* Else mismatch */
284 return 0;
285 }
286 }
287
288 /* All IDs match: only need to check one ID */
289 *ret = cid;
290 return 1;
291 }
292
293
294static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid,
295 STACK_OF(OCSP_SINGLERESP) *sresp)
296 {
297 /* If only one ID to match then do it */
298 if(cid)
299 {
300 const EVP_MD *dgst;
301 X509_NAME *iname;
302 int mdlen;
303 unsigned char md[EVP_MAX_MD_SIZE];
304 if (!(dgst = EVP_get_digestbyobj(cid->hashAlgorithm->algorithm)))
305 {
306 OCSPerr(OCSP_F_OCSP_MATCH_ISSUERID, OCSP_R_UNKNOWN_MESSAGE_DIGEST);
307 return -1;
308 }
309
310 mdlen = EVP_MD_size(dgst);
311 if ((cid->issuerNameHash->length != mdlen) ||
312 (cid->issuerKeyHash->length != mdlen))
313 return 0;
314 iname = X509_get_subject_name(cert);
315 if (!X509_NAME_digest(iname, dgst, md, NULL))
316 return -1;
317 if (memcmp(md, cid->issuerNameHash->data, mdlen))
318 return 0;
319 X509_pubkey_digest(cert, EVP_sha1(), md, NULL);
320 if (memcmp(md, cid->issuerKeyHash->data, mdlen))
321 return 0;
322
323 return 1;
324
325 }
326 else
327 {
328 /* We have to match the whole lot */
329 int i, ret;
330 OCSP_CERTID *tmpid;
331 for (i = 0; i < sk_OCSP_SINGLERESP_num(sresp); i++)
332 {
333 tmpid = sk_OCSP_SINGLERESP_value(sresp, i)->certId;
334 ret = ocsp_match_issuerid(cert, tmpid, NULL);
335 if (ret <= 0) return ret;
336 }
337 return 1;
338 }
339
340 }
341
342static int ocsp_check_delegated(X509 *x, int flags)
343 {
344 X509_check_purpose(x, -1, 0);
345 if ((x->ex_flags & EXFLAG_XKUSAGE) &&
346 (x->ex_xkusage & XKU_OCSP_SIGN))
347 return 1;
348 OCSPerr(OCSP_F_OCSP_CHECK_DELEGATED, OCSP_R_MISSING_OCSPSIGNING_USAGE);
349 return 0;
350 }
351
352/* Verify an OCSP request. This is fortunately much easier than OCSP
353 * response verify. Just find the signers certificate and verify it
354 * against a given trust value.
355 */
356
357int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs, X509_STORE *store, unsigned long flags)
358 {
359 X509 *signer;
360 X509_NAME *nm;
361 GENERAL_NAME *gen;
362 int ret;
363 X509_STORE_CTX ctx;
364 if (!req->optionalSignature)
365 {
366 OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_REQUEST_NOT_SIGNED);
367 return 0;
368 }
369 gen = req->tbsRequest->requestorName;
370 if (!gen || gen->type != GEN_DIRNAME)
371 {
372 OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE);
373 return 0;
374 }
375 nm = gen->d.directoryName;
376 ret = ocsp_req_find_signer(&signer, req, nm, certs, store, flags);
377 if (ret <= 0)
378 {
379 OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND);
380 return 0;
381 }
382 if ((ret == 2) && (flags & OCSP_TRUSTOTHER))
383 flags |= OCSP_NOVERIFY;
384 if (!(flags & OCSP_NOSIGS))
385 {
386 EVP_PKEY *skey;
387 skey = X509_get_pubkey(signer);
388 ret = OCSP_REQUEST_verify(req, skey);
389 EVP_PKEY_free(skey);
390 if(ret <= 0)
391 {
392 OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_SIGNATURE_FAILURE);
393 return 0;
394 }
395 }
396 if (!(flags & OCSP_NOVERIFY))
397 {
398 int init_res;
399 if(flags & OCSP_NOCHAIN)
400 init_res = X509_STORE_CTX_init(&ctx, store, signer, NULL);
401 else
402 init_res = X509_STORE_CTX_init(&ctx, store, signer,
403 req->optionalSignature->certs);
404 if(!init_res)
405 {
406 OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY,ERR_R_X509_LIB);
407 return 0;
408 }
409
410 X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_OCSP_HELPER);
411 X509_STORE_CTX_set_trust(&ctx, X509_TRUST_OCSP_REQUEST);
412 ret = X509_verify_cert(&ctx);
413 X509_STORE_CTX_cleanup(&ctx);
414 if (ret <= 0)
415 {
416 ret = X509_STORE_CTX_get_error(&ctx);
417 OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY,OCSP_R_CERTIFICATE_VERIFY_ERROR);
418 ERR_add_error_data(2, "Verify error:",
419 X509_verify_cert_error_string(ret));
420 return 0;
421 }
422 }
423 return 1;
424 }
425
426static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req, X509_NAME *nm, STACK_OF(X509) *certs,
427 X509_STORE *st, unsigned long flags)
428 {
429 X509 *signer;
430 if(!(flags & OCSP_NOINTERN))
431 {
432 signer = X509_find_by_subject(req->optionalSignature->certs, nm);
433 *psigner = signer;
434 return 1;
435 }
436
437 signer = X509_find_by_subject(certs, nm);
438 if (signer)
439 {
440 *psigner = signer;
441 return 2;
442 }
443 return 0;
444 }
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-10-28 09:21:22 +0000