wbrawner/openssl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Remove "noise" comments from TS files.

Browse source 
Reviewed-by: Tim Hudson <tjh@openssl.org>
This commit is contained in:
Rich Salz 2015-05-07 23:41:07 -04:00 committed by Rich Salz
parent ff03599a2f
commit 18cd23df8a
10 changed files with 48 additions and 337 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

163
apps/ts.c
View file

@ -67,13 +67,17 @@
#include <openssl/ts.h>
#include <openssl/bn.h>
/* Length of the nonce of the request in bits (must be a multiple of 8). */
/* Request nonce length, in bits (must be a multiple of 8). */
#define NONCE_LENGTH 64
/* Macro definitions for the configuration file. */
/* Name of config entry that defines the OID file. */
#define ENV_OID_FILE "oid_file"
/* Local function declarations. */
/* Is |EXACTLY_ONE| of three pointers set? */
#define EXACTLY_ONE(a, b, c) \
(( a && !b && !c) || \
( b && !a && !c) || \
( c && !a && !b))
static ASN1_OBJECT *txt2obj(const char *oid);
static CONF *load_config_file(const char *configfile);
@ -309,7 +313,6 @@ int ts_main(int argc, char **argv)
app_RAND_load_files(rnd));
}
/* Get the password if required. */
if (mode == OPT_REPLY && passin &&
!app_passwd(passin, NULL, &password, NULL)) {
BIO_printf(bio_err, "Error getting password.\n");
@ -320,33 +323,22 @@ int ts_main(int argc, char **argv)
if (!app_load_modules(conf))
goto end;
/*
* Check consistency of parameters and execute the appropriate function.
*/
/* Check parameter consistency and execute the appropriate function. */
switch (mode) {
default:
case OPT_ERR:
goto opthelp;
case OPT_QUERY:
/*
* Data file and message imprint cannot be specified at the same
* time.
*/
ret = data != NULL && digest != NULL;
if (ret)
if ((data != NULL) && (digest != NULL))
goto opthelp;
ret = !query_command(data, digest, md, policy, no_nonce, cert,
in, out, text);
break;
case OPT_REPLY:
if ((in != NULL) && (queryfile != NULL))
goto opthelp;
if (in == NULL) {
ret = !(queryfile != NULL && conf != NULL && !token_in);
if (ret)
goto opthelp;
} else {
/* 'in' and 'queryfile' are exclusive. */
ret = !(queryfile == NULL);
if (ret)
if ((conf == NULL) || (token_in != 0))
goto opthelp;
}
ret = !reply_command(conf, section, engine, queryfile,
@ -354,24 +346,17 @@ int ts_main(int argc, char **argv)
in, token_in, out, token_out, text);
break;
case OPT_VERIFY:
ret = !(((queryfile && !data && !digest)
|| (!queryfile && data && !digest)
|| (!queryfile && !data && digest))
&& in != NULL);
if (ret)
if ((in == NULL) || !EXACTLY_ONE(queryfile, data, digest))
goto opthelp;
ret = !verify_command(data, digest, queryfile, in, token_in,
CApath, CAfile, untrusted);
}
end:
/* Clean up. */
app_RAND_write_file(NULL);
NCONF_free(conf);
OPENSSL_free(password);
OBJ_cleanup();
return (ret);
}
@ -427,13 +412,12 @@ static int query_command(const char *data, char *digest, const EVP_MD *md,
BIO *data_bio = NULL;
BIO *out_bio = NULL;
/* Build query object either from file or from scratch. */
/* Build query object. */
if (in != NULL) {
if ((in_bio = bio_open_default(in, 'r', FORMAT_ASN1)) == NULL)
goto end;
query = d2i_TS_REQ_bio(in_bio, NULL);
} else {
/* Open the file if no explicit digest bytes were specified. */
if (digest == NULL
&& (data_bio = bio_open_default(data, 'r', FORMAT_ASN1)) == NULL)
goto end;
@ -442,15 +426,12 @@ static int query_command(const char *data, char *digest, const EVP_MD *md,
if (query == NULL)
goto end;
/* Write query either in ASN.1 or in text format. */
if (text) {
/* Text output. */
if ((out_bio = bio_open_default(out, 'w', FORMAT_TEXT)) == NULL)
goto end;
if (!TS_REQ_print_bio(out_bio, query))
goto end;
} else {
/* ASN.1 output. */
if ((out_bio = bio_open_default(out, 'w', FORMAT_ASN1)) == NULL)
goto end;
if (!i2d_TS_REQ_bio(out_bio, query))
@ -461,13 +442,10 @@ static int query_command(const char *data, char *digest, const EVP_MD *md,
end:
ERR_print_errors(bio_err);
/* Clean up. */
BIO_free_all(in_bio);
BIO_free_all(data_bio);
BIO_free_all(out_bio);
TS_REQ_free(query);
return ret;
}
@ -483,23 +461,14 @@ static TS_REQ *create_query(BIO *data_bio, char *digest, const EVP_MD *md,
ASN1_OBJECT *policy_obj = NULL;
ASN1_INTEGER *nonce_asn1 = NULL;
/* Setting default message digest. */
if (md == NULL && (md = EVP_get_digestbyname("sha1")) == NULL)
goto err;
/* Creating request object. */
if ((ts_req = TS_REQ_new()) == NULL)
goto err;
/* Setting version. */
if (!TS_REQ_set_version(ts_req, 1))
goto err;
/* Creating and adding MSG_IMPRINT object. */
if ((msg_imprint = TS_MSG_IMPRINT_new()) == NULL)
goto err;
/* Adding algorithm. */
if ((algo = X509_ALGOR_new()) == NULL)
goto err;
if ((algo->algorithm = OBJ_nid2obj(EVP_MD_type(md))) == NULL)
@ -509,17 +478,12 @@ static TS_REQ *create_query(BIO *data_bio, char *digest, const EVP_MD *md,
algo->parameter->type = V_ASN1_NULL;
if (!TS_MSG_IMPRINT_set_algo(msg_imprint, algo))
goto err;
/* Adding message digest. */
if ((len = create_digest(data_bio, digest, md, &data)) == 0)
goto err;
if (!TS_MSG_IMPRINT_set_msg(msg_imprint, data, len))
goto err;
if (!TS_REQ_set_msg_imprint(ts_req, msg_imprint))
goto err;
/* Setting policy if requested. */
if (policy && (policy_obj = txt2obj(policy)) == NULL)
goto err;
if (policy_obj && !TS_REQ_set_policy_id(ts_req, policy_obj))
@ -530,8 +494,6 @@ static TS_REQ *create_query(BIO *data_bio, char *digest, const EVP_MD *md,
goto err;
if (nonce_asn1 && !TS_REQ_set_nonce(ts_req, nonce_asn1))
goto err;
/* Setting certificate request flag if requested. */
if (!TS_REQ_set_cert_req(ts_req, cert))
goto err;
@ -541,6 +503,7 @@ static TS_REQ *create_query(BIO *data_bio, char *digest, const EVP_MD *md,
TS_REQ_free(ts_req);
ts_req = NULL;
BIO_printf(bio_err, "could not create query\n");
ERR_print_errors(bio_err);
}
TS_MSG_IMPRINT_free(msg_imprint);
X509_ALGOR_free(algo);
@ -557,9 +520,9 @@ static int create_digest(BIO *input, char *digest, const EVP_MD *md,
md_value_len = EVP_MD_size(md);
if (md_value_len < 0)
goto err;
return 0;
if (input) {
/* Digest must be computed from an input file. */
EVP_MD_CTX md_ctx;
unsigned char buffer[4096];
int length;
@ -572,7 +535,6 @@ static int create_digest(BIO *input, char *digest, const EVP_MD *md,
if (!EVP_DigestFinal(&md_ctx, *md_value, NULL))
return 0;
} else {
/* Digest bytes are specified with digest. */
long digest_len;
*md_value = string_to_hex(digest, &digest_len);
if (!*md_value || md_value_len != digest_len) {
@ -580,13 +542,10 @@ static int create_digest(BIO *input, char *digest, const EVP_MD *md,
*md_value = NULL;
BIO_printf(bio_err, "bad digest, %d bytes "
"must be specified\n", md_value_len);
goto err;
return 0;
}
}
return md_value_len;
err:
return 0;
}
static ASN1_INTEGER *create_nonce(int bits)
@ -596,7 +555,6 @@ static ASN1_INTEGER *create_nonce(int bits)
int len = (bits - 1) / 8 + 1;
int i;
/* Generating random byte sequence. */
if (len > (int)sizeof(buf))
goto err;
if (RAND_bytes(buf, len) <= 0)
@ -608,12 +566,11 @@ static ASN1_INTEGER *create_nonce(int bits)
if ((nonce = ASN1_INTEGER_new()) == NULL)
goto err;
OPENSSL_free(nonce->data);
/* Allocate at least one byte. */
nonce->length = len - i;
nonce->data = app_malloc(nonce->length + 1, "nonce buffer");
memcpy(nonce->data, buf + i, nonce->length);
return nonce;
err:
BIO_printf(bio_err, "could not create nonce\n");
ASN1_INTEGER_free(nonce);
@ -638,18 +595,12 @@ static int reply_command(CONF *conf, char *section, char *engine,
BIO *signer_bio = NULL;
BIO *out_bio = NULL;
/* Build response object either from response or query. */
if (in != NULL) {
if ((in_bio = BIO_new_file(in, "rb")) == NULL)
goto end;
if (token_in) {
/*
* We have a ContentInfo (PKCS7) object, add 'granted' status
* info around it.
*/
response = read_PKCS7(in_bio);
} else {
/* We have a ready-made TS_RESP object. */
response = d2i_TS_RESP_bio(in_bio, NULL);
}
} else {
@ -663,9 +614,8 @@ static int reply_command(CONF *conf, char *section, char *engine,
if (response == NULL)
goto end;
/* Write response either in ASN.1 or text format. */
/* Write response. */
if (text) {
/* Text output. */
if ((out_bio = bio_open_default(out, 'w', FORMAT_TEXT)) == NULL)
goto end;
if (token_out) {
@ -677,7 +627,6 @@ static int reply_command(CONF *conf, char *section, char *engine,
goto end;
}
} else {
/* ASN.1 DER output. */
if ((out_bio = bio_open_default(out, 'w', FORMAT_ASN1)) == NULL)
goto end;
if (token_out) {
@ -694,15 +643,12 @@ static int reply_command(CONF *conf, char *section, char *engine,
end:
ERR_print_errors(bio_err);
/* Clean up. */
BIO_free_all(in_bio);
BIO_free_all(query_bio);
BIO_free_all(inkey_bio);
BIO_free_all(signer_bio);
BIO_free_all(out_bio);
TS_RESP_free(response);
return ret;
}
@ -715,30 +661,23 @@ static TS_RESP *read_PKCS7(BIO *in_bio)
TS_RESP *resp = NULL;
TS_STATUS_INFO *si = NULL;
/* Read PKCS7 object and extract the signed time stamp info. */
if ((token = d2i_PKCS7_bio(in_bio, NULL)) == NULL)
goto end;
if ((tst_info = PKCS7_to_TS_TST_INFO(token)) == NULL)
goto end;
/* Creating response object. */
if ((resp = TS_RESP_new()) == NULL)
goto end;
/* Create granted status info. */
if ((si = TS_STATUS_INFO_new()) == NULL)
goto end;
if (!TS_STATUS_INFO_set_status(si, TS_STATUS_GRANTED))
goto end;
if (!TS_RESP_set_status_info(resp, si))
goto end;
/* Setting encapsulated token. */
TS_RESP_set_tst_info(resp, token, tst_info);
token = NULL; /* Ownership is lost. */
tst_info = NULL; /* Ownership is lost. */
ret = 1;
end:
PKCS7_free(token);
TS_TST_INFO_free(tst_info);
@ -762,73 +701,42 @@ static TS_RESP *create_response(CONF *conf, const char *section, char *engine,
if ((query_bio = BIO_new_file(queryfile, "rb")) == NULL)
goto end;
/* Getting TSA configuration section. */
if ((section = TS_CONF_get_tsa_section(conf, section)) == NULL)
goto end;
/* Setting up response generation context. */
if ((resp_ctx = TS_RESP_CTX_new()) == NULL)
goto end;
/* Setting serial number provider callback. */
if (!TS_CONF_set_serial(conf, section, serial_cb, resp_ctx))
goto end;
#ifndef OPENSSL_NO_ENGINE
/* Setting default OpenSSL engine. */
if (!TS_CONF_set_crypto_device(conf, section, engine))
goto end;
#endif
/* Setting TSA signer certificate. */
if (!TS_CONF_set_signer_cert(conf, section, signer, resp_ctx))
goto end;
/* Setting TSA signer certificate chain. */
if (!TS_CONF_set_certs(conf, section, chain, resp_ctx))
goto end;
/* Setting TSA signer private key. */
if (!TS_CONF_set_signer_key(conf, section, inkey, passin, resp_ctx))
goto end;
/* Setting default policy OID. */
if (!TS_CONF_set_def_policy(conf, section, policy, resp_ctx))
goto end;
/* Setting acceptable policy OIDs. */
if (!TS_CONF_set_policies(conf, section, resp_ctx))
goto end;
/* Setting the acceptable one-way hash algorithms. */
if (!TS_CONF_set_digests(conf, section, resp_ctx))
goto end;
/* Setting guaranteed time stamp accuracy. */
if (!TS_CONF_set_accuracy(conf, section, resp_ctx))
goto end;
/* Setting the precision of the time. */
if (!TS_CONF_set_clock_precision_digits(conf, section, resp_ctx))
goto end;
/* Setting the ordering flaf if requested. */
if (!TS_CONF_set_ordering(conf, section, resp_ctx))
goto end;
/* Setting the TSA name required flag if requested. */
if (!TS_CONF_set_tsa_name(conf, section, resp_ctx))
goto end;
/* Setting the ESS cert id chain flag if requested. */
if (!TS_CONF_set_ess_cert_id_chain(conf, section, resp_ctx))
goto end;
/* Creating the response. */
if ((response = TS_RESP_create_response(resp_ctx, query_bio)) == NULL)
goto end;
ret = 1;
end:
if (!ret) {
TS_RESP_free(response);
@ -836,7 +744,6 @@ static TS_RESP *create_response(CONF *conf, const char *section, char *engine,
}
TS_RESP_CTX_free(resp_ctx);
BIO_free_all(query_bio);
return response;
}
@ -889,6 +796,7 @@ static ASN1_INTEGER *next_serial(const char *serialfile)
goto err;
}
ret = 1;
err:
if (!ret) {
ASN1_INTEGER_free(serial);
@ -919,6 +827,7 @@ static int save_ts_serial(const char *serialfile, ASN1_INTEGER *serial)
return ret;
}
/*
* Verify-related method definitions.
*/
@ -933,7 +842,6 @@ static int verify_command(char *data, char *digest, char *queryfile,
TS_VERIFY_CTX *verify_ctx = NULL;
int ret = 0;
/* Decode the token (PKCS7) or response (TS_RESP) files. */
if ((in_bio = BIO_new_file(in, "rb")) == NULL)
goto end;
if (token_in) {
@ -948,10 +856,9 @@ static int verify_command(char *data, char *digest, char *queryfile,
CApath, CAfile, untrusted)) == NULL)
goto end;
/* Checking the token or response against the request. */
ret = token_in ?
TS_RESP_verify_token(verify_ctx, token) :
TS_RESP_verify_response(verify_ctx, response);
ret = token_in
? TS_RESP_verify_token(verify_ctx, token)
: TS_RESP_verify_response(verify_ctx, response);
end:
printf("Verification: ");
@ -959,11 +866,9 @@ static int verify_command(char *data, char *digest, char *queryfile,
printf("OK\n");
else {
printf("FAILED\n");
/* Print errors, if there are any. */
ERR_print_errors(bio_err);
}
/* Clean up. */
BIO_free_all(in_bio);
PKCS7_free(token);
TS_RESP_free(response);
@ -1001,10 +906,6 @@ static TS_VERIFY_CTX *create_verify_ctx(char *data, char *digest,
}
} else if (queryfile != NULL) {
/*
* The request has just to be read, decoded and converted to a verify
* context object.
*/
if ((input = BIO_new_file(queryfile, "rb")) == NULL)
goto err;
if ((request = d2i_TS_REQ_bio(input, NULL)) == NULL)
@ -1026,8 +927,8 @@ static TS_VERIFY_CTX *create_verify_ctx(char *data, char *digest,
if (untrusted
&& TS_VERIFY_CTS_set_certs(ctx, TS_CONF_load_certs(untrusted)) == NULL)
goto err;
ret = 1;
err:
if (!ret) {
TS_VERIFY_CTX_free(ctx);
@ -1044,13 +945,8 @@ static X509_STORE *create_cert_store(char *CApath, char *CAfile)
X509_LOOKUP *lookup = NULL;
int i;
/* Creating the X509_STORE object. */
cert_ctx = X509_STORE_new();
/* Setting the callback for certificate chain verification. */
X509_STORE_set_verify_cb(cert_ctx, verify_cb);
/* Adding a trusted certificate directory source. */
if (CApath) {
lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_hash_dir());
if (lookup == NULL) {
@ -1064,7 +960,6 @@ static X509_STORE *create_cert_store(char *CApath, char *CAfile)
}
}
/* Adding a trusted certificate file source. */
if (CAfile) {
lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_file());
if (lookup == NULL) {
@ -1077,8 +972,8 @@ static X509_STORE *create_cert_store(char *CApath, char *CAfile)
goto err;
}
}
return cert_ctx;
err:
X509_STORE_free(cert_ctx);
return NULL;

9
crypto/ts/ts_asn1.c
View file

@ -287,31 +287,22 @@ TS_TST_INFO *PKCS7_to_TS_TST_INFO(PKCS7 *token)
TSerr(TS_F_PKCS7_TO_TS_TST_INFO, TS_R_BAD_PKCS7_TYPE);
return NULL;
}
/* Content must be present. */
if (PKCS7_get_detached(token)) {
TSerr(TS_F_PKCS7_TO_TS_TST_INFO, TS_R_DETACHED_CONTENT);
return NULL;
}
/* We have a signed data with content. */
pkcs7_signed = token->d.sign;
enveloped = pkcs7_signed->contents;
if (OBJ_obj2nid(enveloped->type) != NID_id_smime_ct_TSTInfo) {
TSerr(TS_F_PKCS7_TO_TS_TST_INFO, TS_R_BAD_PKCS7_TYPE);
return NULL;
}
/* We have a DER encoded TST_INFO as the signed data. */
tst_info_wrapper = enveloped->d.other;
if (tst_info_wrapper->type != V_ASN1_OCTET_STRING) {
TSerr(TS_F_PKCS7_TO_TS_TST_INFO, TS_R_BAD_TYPE);
return NULL;
}
/* We have the correct ASN1_OCTET_STRING type. */
tst_info_der = tst_info_wrapper->value.octet_string;
/* At last, decode the TST_INFO. */
p = tst_info_der->data;
return d2i_TS_TST_INFO(NULL, &p, tst_info_der->length);
}

8
crypto/ts/ts_conf.c
View file

@ -68,7 +68,6 @@
#include <openssl/ts.h>
/* Macro definitions for the configuration file. */
#define BASE_SECTION "tsa"
#define ENV_DEFAULT_TSA "default_tsa"
#define ENV_SERIAL "serial"
@ -214,20 +213,17 @@ int TS_CONF_set_default_engine(const char *name)
ENGINE *e = NULL;
int ret = 0;
/* Leave the default if builtin specified. */
if (strcmp(name, "builtin") == 0)
return 1;
if ((e = ENGINE_by_id(name)) == NULL)
goto err;
/* Enable the use of the NCipher HSM for forked children. */
if (strcmp(name, "chil") == 0)
ENGINE_ctrl(e, ENGINE_CTRL_CHIL_SET_FORKCHECK, 1, 0, 0);
/* All the operations are going to be carried out by the engine. */
if (!ENGINE_set_default(e, ENGINE_METHOD_ALL))
goto err;
ret = 1;
err:
if (!ret) {
TSerr(TS_F_TS_CONF_SET_DEFAULT_ENGINE, TS_R_COULD_NOT_SET_ENGINE);
@ -467,8 +463,8 @@ int TS_CONF_set_clock_precision_digits(CONF *conf, const char *section,
static int ts_CONF_add_flag(CONF *conf, const char *section,
const char *field, int flag, TS_RESP_CTX *ctx)
{
/* Default is false. */
const char *value = NCONF_get_string(conf, section, field);
if (value) {
if (strcmp(value, ENV_VALUE_YES) == 0)
TS_RESP_CTX_add_flags(ctx, flag);

4
crypto/ts/ts_lib.c
View file

@ -66,10 +66,6 @@
#include <openssl/ts.h>
#include "ts_lcl.h"
/* Local function declarations. */
/* Function definitions. */
int TS_ASN1_INTEGER_print_bio(BIO *bio, const ASN1_INTEGER *num)
{
BIGNUM *num_bn;

2
crypto/ts/ts_req_print.c
View file

@ -65,8 +65,6 @@
#include <openssl/ts.h>
#include "ts_lcl.h"
/* Function definitions. */
int TS_REQ_print_bio(BIO *bio, TS_REQ *a)
{
int v;

16
crypto/ts/ts_rsp_print.c
View file

@ -70,13 +70,10 @@ struct status_map_st {
const char *text;
};
/* Local function declarations. */
static int ts_status_map_print(BIO *bio, const struct status_map_st *a,
const ASN1_BIT_STRING *v);
static int ts_ACCURACY_print_bio(BIO *bio, const TS_ACCURACY *accuracy);
/* Function definitions. */
int TS_RESP_print_bio(BIO *bio, TS_RESP *a)
{
@ -125,7 +122,6 @@ int TS_STATUS_INFO_print_bio(BIO *bio, TS_STATUS_INFO *a)
long status;
int i, lines = 0;
/* Printing status code. */
BIO_printf(bio, "Status: ");
status = ASN1_INTEGER_get(a->status);
if (0 <= status && status < (long)OSSL_NELEM(status_map))
@ -133,7 +129,6 @@ int TS_STATUS_INFO_print_bio(BIO *bio, TS_STATUS_INFO *a)
else
BIO_printf(bio, "out of bounds\n");
/* Printing status description. */
BIO_printf(bio, "Status description: ");
for (i = 0; i < sk_ASN1_UTF8STRING_num(a->text); ++i) {
if (i > 0)
@ -144,7 +139,6 @@ int TS_STATUS_INFO_print_bio(BIO *bio, TS_STATUS_INFO *a)
if (i == 0)
BIO_printf(bio, "unspecified\n");
/* Printing failure information. */
BIO_printf(bio, "Failure info: ");
if (a->failure_info != NULL)
lines = ts_status_map_print(bio, failure_map, a->failure_info);
@ -178,18 +172,14 @@ int TS_TST_INFO_print_bio(BIO *bio, TS_TST_INFO *a)
if (a == NULL)
return 0;
/* Print version. */
v = ASN1_INTEGER_get(a->version);
BIO_printf(bio, "Version: %d\n", v);
/* Print policy id. */
BIO_printf(bio, "Policy OID: ");
TS_OBJ_print_bio(bio, a->policy_id);
/* Print message imprint. */
TS_MSG_IMPRINT_print_bio(bio, a->msg_imprint);
/* Print serial number. */
BIO_printf(bio, "Serial number: ");
if (a->serial == NULL)
BIO_printf(bio, "unspecified");
@ -197,12 +187,10 @@ int TS_TST_INFO_print_bio(BIO *bio, TS_TST_INFO *a)
TS_ASN1_INTEGER_print_bio(bio, a->serial);
BIO_write(bio, "\n", 1);
/* Print time stamp. */
BIO_printf(bio, "Time stamp: ");
ASN1_GENERALIZEDTIME_print(bio, a->time);
BIO_write(bio, "\n", 1);
/* Print accuracy. */
BIO_printf(bio, "Accuracy: ");
if (a->accuracy == NULL)
BIO_printf(bio, "unspecified");
@ -210,10 +198,8 @@ int TS_TST_INFO_print_bio(BIO *bio, TS_TST_INFO *a)
ts_ACCURACY_print_bio(bio, a->accuracy);
BIO_write(bio, "\n", 1);
/* Print ordering. */
BIO_printf(bio, "Ordering: %s\n", a->ordering ? "yes" : "no");
/* Print nonce. */
BIO_printf(bio, "Nonce: ");
if (a->nonce == NULL)
BIO_printf(bio, "unspecified");
@ -221,7 +207,6 @@ int TS_TST_INFO_print_bio(BIO *bio, TS_TST_INFO *a)
TS_ASN1_INTEGER_print_bio(bio, a->nonce);
BIO_write(bio, "\n", 1);
/* Print TSA name. */
BIO_printf(bio, "TSA: ");
if (a->tsa == NULL)
BIO_printf(bio, "unspecified");
@ -233,7 +218,6 @@ int TS_TST_INFO_print_bio(BIO *bio, TS_TST_INFO *a)
}
BIO_write(bio, "\n", 1);
/* Print extensions. */
TS_ext_print_bio(bio, a->extensions);
return 1;

96
crypto/ts/ts_rsp_sign.c
View file

@ -68,8 +68,6 @@
#include <openssl/pkcs7.h>
#include "ts_lcl.h"
/* Private function declarations. */
static ASN1_INTEGER *def_serial_cb(struct TS_resp_ctx *, void *);
static int def_time_cb(struct TS_resp_ctx *, void *, long *sec, long *usec);
static int def_extension_cb(struct TS_resp_ctx *, X509_EXTENSION *, void *);
@ -93,16 +91,17 @@ static ASN1_GENERALIZEDTIME
*TS_RESP_set_genTime_with_precision(ASN1_GENERALIZEDTIME *, long, long,
unsigned);
/* Default callbacks for response generation. */
/* Default callback for response generation. */
static ASN1_INTEGER *def_serial_cb(struct TS_resp_ctx *ctx, void *data)
{
ASN1_INTEGER *serial = ASN1_INTEGER_new();
if (!serial)
goto err;
if (!ASN1_INTEGER_set(serial, 1))
goto err;
return serial;
err:
TSerr(TS_F_DEF_SERIAL_CB, ERR_R_MALLOC_FAILURE);
TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION,
@ -112,7 +111,6 @@ static ASN1_INTEGER *def_serial_cb(struct TS_resp_ctx *ctx, void *data)
#if defined(OPENSSL_SYS_UNIX)
/* Use the gettimeofday function call. */
static int def_time_cb(struct TS_resp_ctx *ctx, void *data,
long *sec, long *usec)
{
@ -124,7 +122,6 @@ static int def_time_cb(struct TS_resp_ctx *ctx, void *data,
TS_RESP_CTX_add_failure_info(ctx, TS_INFO_TIME_NOT_AVAILABLE);
return 0;
}
/* Return time to caller. */
*sec = tv.tv_sec;
*usec = tv.tv_usec;
@ -133,7 +130,6 @@ static int def_time_cb(struct TS_resp_ctx *ctx, void *data,
#else
/* Use the time function call that provides only seconds precision. */
static int def_time_cb(struct TS_resp_ctx *ctx, void *data,
long *sec, long *usec)
{
@ -145,7 +141,6 @@ static int def_time_cb(struct TS_resp_ctx *ctx, void *data,
TS_RESP_CTX_add_failure_info(ctx, TS_INFO_TIME_NOT_AVAILABLE);
return 0;
}
/* Return time to caller, only second precision. */
*sec = (long)t;
*usec = 0;
@ -157,7 +152,6 @@ static int def_time_cb(struct TS_resp_ctx *ctx, void *data,
static int def_extension_cb(struct TS_resp_ctx *ctx, X509_EXTENSION *ext,
void *data)
{
/* No extensions are processed here. */
TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION,
"Unsupported extension.");
TS_RESP_CTX_add_failure_info(ctx, TS_INFO_UNACCEPTED_EXTENSION);
@ -175,7 +169,6 @@ TS_RESP_CTX *TS_RESP_CTX_new()
return NULL;
}
/* Setting default callbacks. */
ctx->serial_cb = def_serial_cb;
ctx->time_cb = def_time_cb;
ctx->extension_cb = def_extension_cb;
@ -252,7 +245,6 @@ int TS_RESP_CTX_add_policy(TS_RESP_CTX *ctx, ASN1_OBJECT *policy)
{
ASN1_OBJECT *copy = NULL;
/* Create new policy stack if necessary. */
if (ctx->policies == NULL
&& (ctx->policies = sk_ASN1_OBJECT_new_null()) == NULL)
goto err;
@ -270,11 +262,9 @@ int TS_RESP_CTX_add_policy(TS_RESP_CTX *ctx, ASN1_OBJECT *policy)
int TS_RESP_CTX_add_md(TS_RESP_CTX *ctx, const EVP_MD *md)
{
/* Create new md stack if necessary. */
if (ctx->mds == NULL
&& (ctx->mds = sk_EVP_MD_new_null()) == NULL)
goto err;
/* Add the shared md, no copy needed. */
if (!sk_EVP_MD_push(ctx->mds, (EVP_MD *)md))
goto err;
@ -381,7 +371,6 @@ int TS_RESP_CTX_set_status_info_cond(TS_RESP_CTX *ctx,
TS_STATUS_INFO *si = ctx->response->status_info;
if (ASN1_INTEGER_get(si->status) == TS_STATUS_GRANTED) {
/* Status has not been set, set it now. */
ret = TS_RESP_CTX_set_status_info(ctx, status, text);
}
return ret;
@ -429,46 +418,30 @@ TS_RESP *TS_RESP_create_response(TS_RESP_CTX *ctx, BIO *req_bio)
ts_RESP_CTX_init(ctx);
/* Creating the response object. */
if ((ctx->response = TS_RESP_new()) == NULL) {
TSerr(TS_F_TS_RESP_CREATE_RESPONSE, ERR_R_MALLOC_FAILURE);
goto end;
}
/* Parsing DER request. */
if ((ctx->request = d2i_TS_REQ_bio(req_bio, NULL)) == NULL) {
TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION,
"Bad request format or " "system error.");
"Bad request format or system error.");
TS_RESP_CTX_add_failure_info(ctx, TS_INFO_BAD_DATA_FORMAT);
goto end;
}
/* Setting default status info. */
if (!TS_RESP_CTX_set_status_info(ctx, TS_STATUS_GRANTED, NULL))
goto end;
/* Checking the request format. */
if (!ts_RESP_check_request(ctx))
goto end;
/* Checking acceptable policies. */
if ((policy = ts_RESP_get_policy(ctx)) == NULL)
goto end;
/* Creating the TS_TST_INFO object. */
if ((ctx->tst_info = ts_RESP_create_tst_info(ctx, policy)) == NULL)
goto end;
/* Processing extensions. */
if (!ts_RESP_process_extensions(ctx))
goto end;
/* Generating the signature. */
if (!ts_RESP_sign(ctx))
goto end;
/* Everything was successful. */
result = 1;
end:
if (!result) {
TSerr(TS_F_TS_RESP_CREATE_RESPONSE, TS_R_RESPONSE_SETUP_ERROR);
@ -518,7 +491,6 @@ static int ts_RESP_check_request(TS_RESP_CTX *ctx)
EVP_MD *md = NULL;
int i;
/* Checking request version. */
if (TS_REQ_get_version(request) != 1) {
TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION,
"Bad request version.");
@ -526,7 +498,6 @@ static int ts_RESP_check_request(TS_RESP_CTX *ctx)
return 0;
}
/* Checking message digest algorithm. */
msg_imprint = request->msg_imprint;
md_alg = msg_imprint->hash_algo;
md_alg_id = OBJ_obj2nid(md_alg->algorithm);
@ -543,7 +514,6 @@ static int ts_RESP_check_request(TS_RESP_CTX *ctx)
return 0;
}
/* No message digest takes parameter. */
if (md_alg->parameter && ASN1_TYPE_get(md_alg->parameter) != V_ASN1_NULL) {
TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION,
"Superfluous message digest "
@ -551,7 +521,6 @@ static int ts_RESP_check_request(TS_RESP_CTX *ctx)
TS_RESP_CTX_add_failure_info(ctx, TS_INFO_BAD_ALG);
return 0;
}
/* Checking message digest size. */
digest = msg_imprint->hashed_msg;
if (digest->length != EVP_MD_size(md)) {
TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION,
@ -574,10 +543,6 @@ static ASN1_OBJECT *ts_RESP_get_policy(TS_RESP_CTX *ctx)
TSerr(TS_F_TS_RESP_GET_POLICY, TS_R_INVALID_NULL_POINTER);
return NULL;
}
/*
* Return the default policy if none is requested or the default is
* requested.
*/
if (!requested || !OBJ_cmp(requested, ctx->default_policy))
policy = ctx->default_policy;
@ -627,11 +592,9 @@ static TS_TST_INFO *ts_RESP_create_tst_info(TS_RESP_CTX *ctx,
|| !TS_TST_INFO_set_time(tst_info, asn1_time))
goto end;
/* Setting accuracy if needed. */
if ((ctx->seconds || ctx->millis || ctx->micros)
&& (accuracy = TS_ACCURACY_new()) == NULL)
goto end;
if (ctx->seconds && !TS_ACCURACY_set_seconds(accuracy, ctx->seconds))
goto end;
if (ctx->millis && !TS_ACCURACY_set_millis(accuracy, ctx->millis))
@ -641,17 +604,14 @@ static TS_TST_INFO *ts_RESP_create_tst_info(TS_RESP_CTX *ctx,
if (accuracy && !TS_TST_INFO_set_accuracy(tst_info, accuracy))
goto end;
/* Setting ordering. */
if ((ctx->flags & TS_ORDERING)
&& !TS_TST_INFO_set_ordering(tst_info, 1))
goto end;
/* Setting nonce if needed. */
if ((nonce = ctx->request->nonce) != NULL
&& !TS_TST_INFO_set_nonce(tst_info, nonce))
goto end;
/* Setting TSA name to subject of signer certificate. */
if (ctx->flags & TS_TSA_NAME) {
if ((tsa_name = GENERAL_NAME_new()) == NULL)
goto end;
@ -692,7 +652,7 @@ static int ts_RESP_process_extensions(TS_RESP_CTX *ctx)
for (i = 0; ok && i < sk_X509_EXTENSION_num(exts); ++i) {
X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, i);
/*
* XXXXX The last argument was previously (void *)ctx->extension_cb,
* The last argument was previously (void *)ctx->extension_cb,
* but ISO C doesn't permit converting a function pointer to void *.
* For lack of better information, I'm placing a NULL there instead.
* The callback can pick its own address out from the ctx anyway...
@ -715,25 +675,20 @@ static int ts_RESP_sign(TS_RESP_CTX *ctx)
BIO *p7bio = NULL;
int i;
/* Check if signcert and pkey match. */
if (!X509_check_private_key(ctx->signer_cert, ctx->signer_key)) {
TSerr(TS_F_TS_RESP_SIGN, TS_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
goto err;
}
/* Create a new PKCS7 signed object. */
if ((p7 = PKCS7_new()) == NULL) {
TSerr(TS_F_TS_RESP_SIGN, ERR_R_MALLOC_FAILURE);
goto err;
}
if (!PKCS7_set_type(p7, NID_pkcs7_signed))
goto err;
/* Force SignedData version to be 3 instead of the default 1. */
if (!ASN1_INTEGER_set(p7->d.sign->version, 3))
goto err;
/* Add signer certificate and optional certificate chain. */
if (ctx->request->cert_req) {
PKCS7_add_certificate(p7, ctx->signer_cert);
if (ctx->certs) {
@ -744,14 +699,12 @@ static int ts_RESP_sign(TS_RESP_CTX *ctx)
}
}
/* Add a new signer info. */
if ((si = PKCS7_add_signature(p7, ctx->signer_cert,
ctx->signer_key, EVP_sha1())) == NULL) {
TSerr(TS_F_TS_RESP_SIGN, TS_R_PKCS7_ADD_SIGNATURE_ERROR);
goto err;
}
/* Add content type signed attribute to the signer info. */
oid = OBJ_nid2obj(NID_id_smime_ct_TSTInfo);
if (!PKCS7_add_signed_attribute(si, NID_pkcs9_contentType,
V_ASN1_OBJECT, oid)) {
@ -759,43 +712,28 @@ static int ts_RESP_sign(TS_RESP_CTX *ctx)
goto err;
}
/*
* Create the ESS SigningCertificate attribute which contains the signer
* certificate id and optionally the certificate chain.
*/
certs = ctx->flags & TS_ESS_CERT_ID_CHAIN ? ctx->certs : NULL;
if ((sc = ess_SIGNING_CERT_new_init(ctx->signer_cert, certs)) == NULL)
goto err;
/* Add SigningCertificate signed attribute to the signer info. */
if (!ESS_add_signing_cert(si, sc)) {
TSerr(TS_F_TS_RESP_SIGN, TS_R_ESS_ADD_SIGNING_CERT_ERROR);
goto err;
}
/* Add a new empty NID_id_smime_ct_TSTInfo encapsulated content. */
if (!ts_TST_INFO_content_new(p7))
goto err;
/* Add the DER encoded tst_info to the PKCS7 structure. */
if ((p7bio = PKCS7_dataInit(p7, NULL)) == NULL) {
TSerr(TS_F_TS_RESP_SIGN, ERR_R_MALLOC_FAILURE);
goto err;
}
/* Convert tst_info to DER. */
if (!i2d_TS_TST_INFO_bio(p7bio, ctx->tst_info)) {
TSerr(TS_F_TS_RESP_SIGN, TS_R_TS_DATASIGN);
goto err;
}
/* Create the signature and add it to the signer info. */
if (!PKCS7_dataFinal(p7, p7bio)) {
TSerr(TS_F_TS_RESP_SIGN, TS_R_TS_DATASIGN);
goto err;
}
/* Set new PKCS7 and TST_INFO objects. */
TS_RESP_set_tst_info(ctx->response, p7, ctx->tst_info);
p7 = NULL; /* Ownership is lost. */
ctx->tst_info = NULL; /* Ownership is lost. */
@ -819,18 +757,15 @@ static ESS_SIGNING_CERT *ess_SIGNING_CERT_new_init(X509 *signcert,
ESS_SIGNING_CERT *sc = NULL;
int i;
/* Creating the ESS_CERT_ID stack. */
if ((sc = ESS_SIGNING_CERT_new()) == NULL)
goto err;
if (sc->cert_ids == NULL
&& (sc->cert_ids = sk_ESS_CERT_ID_new_null()) == NULL)
goto err;
/* Adding the signing certificate id. */
if ((cid = ess_CERT_ID_new_init(signcert, 0)) == NULL
|| !sk_ESS_CERT_ID_push(sc->cert_ids, cid))
goto err;
/* Adding the certificate chain ids. */
for (i = 0; i < sk_X509_num(certs); ++i) {
X509 *cert = sk_X509_value(certs, i);
if ((cid = ess_CERT_ID_new_init(cert, 1)) == NULL
@ -850,9 +785,7 @@ static ESS_CERT_ID *ess_CERT_ID_new_init(X509 *cert, int issuer_needed)
ESS_CERT_ID *cid = NULL;
GENERAL_NAME *name = NULL;
/* Recompute SHA1 hash of certificate if necessary (side effect). */
X509_check_purpose(cert, -1, 0);
if ((cid = ESS_CERT_ID_new()) == NULL)
goto err;
if (!ASN1_OCTET_STRING_set(cid->hash, cert->sha1_hash,
@ -861,11 +794,9 @@ static ESS_CERT_ID *ess_CERT_ID_new_init(X509 *cert, int issuer_needed)
/* Setting the issuer/serial if requested. */
if (issuer_needed) {
/* Creating issuer/serial structure. */
if (cid->issuer_serial == NULL
&& (cid->issuer_serial = ESS_ISSUER_SERIAL_new()) == NULL)
goto err;
/* Creating general name from the certificate issuer. */
if ((name = GENERAL_NAME_new()) == NULL)
goto err;
name->type = GEN_DIRNAME;
@ -874,7 +805,6 @@ static ESS_CERT_ID *ess_CERT_ID_new_init(X509 *cert, int issuer_needed)
if (!sk_GENERAL_NAME_push(cid->issuer_serial->issuer, name))
goto err;
name = NULL; /* Ownership is lost. */
/* Setting the serial number. */
ASN1_INTEGER_free(cid->issuer_serial->serial);
if (!(cid->issuer_serial->serial =
ASN1_INTEGER_dup(X509_get_serialNumber(cert))))
@ -973,12 +903,7 @@ static ASN1_GENERALIZEDTIME
tm->tm_year + 1900, tm->tm_mon + 1, tm->tm_mday,
tm->tm_hour, tm->tm_min, tm->tm_sec);
if (precision > 0) {
/* Add fraction of seconds (leave space for dot and null). */
BIO_snprintf(p, 2 + precision, ".%06ld", usec);
/*
* We cannot use the snprintf return value, because it might have
* been truncated.
*/
p += strlen(p);
/*
@ -997,18 +922,13 @@ static ASN1_GENERALIZEDTIME
* this loop even if all the digits are zero.
*/
while (*--p == '0')
/*
* empty
*/ ;
/* p points to either the dot or the last non-zero digit. */
continue;
if (*p != '.')
++p;
}
/* Add the trailing Z and the terminating null. */
*p++ = 'Z';
*p++ = '\0';
/* Now call OpenSSL to check and set our genTime value */
if (asn1_time == NULL
&& (asn1_time = ASN1_GENERALIZEDTIME_new()) == NULL)
goto err;
@ -1016,8 +936,8 @@ static ASN1_GENERALIZEDTIME
ASN1_GENERALIZEDTIME_free(asn1_time);
goto err;
}
return asn1_time;
err:
TSerr(TS_F_TS_RESP_SET_GENTIME_WITH_PRECISION, TS_R_COULD_NOT_SET_TIME);
return NULL;

3
crypto/ts/ts_rsp_utils.c
View file

@ -64,8 +64,6 @@
#include <openssl/pkcs7.h>
#include "ts_lcl.h"
/* Function definitions. */
int TS_RESP_set_status_info(TS_RESP *a, TS_STATUS_INFO *status_info)
{
TS_STATUS_INFO *new_status_info;
@ -91,7 +89,6 @@ TS_STATUS_INFO *TS_RESP_get_status_info(TS_RESP *a)
/* Caller loses ownership of PKCS7 and TS_TST_INFO objects. */
void TS_RESP_set_tst_info(TS_RESP *a, PKCS7 *p7, TS_TST_INFO *tst_info)
{
/* Set new PKCS7 and TST_INFO objects. */
PKCS7_free(a->token);
a->token = p7;
TS_TST_INFO_free(a->tst_info);

80
crypto/ts/ts_rsp_verify.c
View file

@ -64,8 +64,6 @@
#include <openssl/pkcs7.h>
#include "ts_lcl.h"
/* Private function declarations. */
static int ts_verify_cert(X509_STORE *store, STACK_OF(X509) *untrusted,
X509 *signer, STACK_OF(X509) **chain);
static int ts_check_signing_certs(PKCS7_SIGNER_INFO *si,
@ -126,7 +124,6 @@ static struct {
#define TS_FAILURE_INFO_SIZE OSSL_NELEM(ts_failure_info)
/* Functions for verifying a signed TS_TST_INFO structure. */
/*-
* This function carries out the following tasks:
@ -157,22 +154,16 @@ int TS_RESP_verify_signature(PKCS7 *token, STACK_OF(X509) *certs,
TSerr(TS_F_TS_RESP_VERIFY_SIGNATURE, TS_R_INVALID_NULL_POINTER);
goto err;
}
/* Check for the correct content type */
if (!PKCS7_type_is_signed(token)) {
TSerr(TS_F_TS_RESP_VERIFY_SIGNATURE, TS_R_WRONG_CONTENT_TYPE);
goto err;
}
/* Check if there is one and only one signer. */
sinfos = PKCS7_get_signer_info(token);
if (!sinfos || sk_PKCS7_SIGNER_INFO_num(sinfos) != 1) {
TSerr(TS_F_TS_RESP_VERIFY_SIGNATURE, TS_R_THERE_MUST_BE_ONE_SIGNER);
goto err;
}
si = sk_PKCS7_SIGNER_INFO_value(sinfos, 0);
/* Check for no content: no data to verify signature. */
if (PKCS7_get_detached(token)) {
TSerr(TS_F_TS_RESP_VERIFY_SIGNATURE, TS_R_NO_CONTENT);
goto err;
@ -187,35 +178,26 @@ int TS_RESP_verify_signature(PKCS7 *token, STACK_OF(X509) *certs,
goto err;
signer = sk_X509_value(signers, 0);
/* Now verify the certificate. */
if (!ts_verify_cert(store, certs, signer, &chain))
goto err;
/*
* Check if the signer certificate is consistent with the ESS extension.
*/
if (!ts_check_signing_certs(si, chain))
goto err;
/* Creating the message digest. */
p7bio = PKCS7_dataInit(token, NULL);
/* We now have to 'read' from p7bio to calculate digests etc. */
while ((i = BIO_read(p7bio, buf, sizeof(buf))) > 0) ;
while ((i = BIO_read(p7bio, buf, sizeof(buf))) > 0)
continue;
/* Verifying the signature. */
j = PKCS7_signatureVerify(p7bio, token, si, signer);
if (j <= 0) {
TSerr(TS_F_TS_RESP_VERIFY_SIGNATURE, TS_R_SIGNATURE_FAILURE);
goto err;
}
/* Return the signer certificate if needed. */
if (signer_out) {
*signer_out = signer;
X509_up_ref(signer);
}
ret = 1;
err:
@ -237,7 +219,6 @@ static int ts_verify_cert(X509_STORE *store, STACK_OF(X509) *untrusted,
int i;
int ret = 1;
/* chain is an out argument. */
*chain = NULL;
X509_STORE_CTX_init(&cert_ctx, store, signer, untrusted);
X509_STORE_CTX_set_purpose(&cert_ctx, X509_PURPOSE_TIMESTAMP_SIGN);
@ -249,7 +230,6 @@ static int ts_verify_cert(X509_STORE *store, STACK_OF(X509) *untrusted,
X509_verify_cert_error_string(j));
ret = 0;
} else {
/* Get a copy of the certificate chain. */
*chain = X509_STORE_CTX_get1_chain(&cert_ctx);
}
@ -270,7 +250,6 @@ static int ts_check_signing_certs(PKCS7_SIGNER_INFO *si,
if (!ss)
goto err;
cert_ids = ss->cert_ids;
/* The signer certificate must be the first in cert_ids. */
cert = sk_X509_value(chain, 0);
if (ts_find_cert(cert_ids, cert) != 0)
goto err;
@ -280,7 +259,6 @@ static int ts_check_signing_certs(PKCS7_SIGNER_INFO *si,
* certificate ids in cert_ids.
*/
if (sk_ESS_CERT_ID_num(cert_ids) > 1) {
/* All the certificates of the chain must be in cert_ids. */
for (i = 1; i < sk_X509_num(chain); ++i) {
cert = sk_X509_value(chain, i);
if (ts_find_cert(cert_ids, cert) < 0)
@ -322,11 +300,9 @@ static int ts_find_cert(STACK_OF(ESS_CERT_ID) *cert_ids, X509 *cert)
for (i = 0; i < sk_ESS_CERT_ID_num(cert_ids); ++i) {
ESS_CERT_ID *cid = sk_ESS_CERT_ID_value(cert_ids, i);
/* Check the SHA-1 hash first. */
if (cid->hash->length == sizeof(cert->sha1_hash)
&& !memcmp(cid->hash->data, cert->sha1_hash,
sizeof(cert->sha1_hash))) {
/* Check the issuer/serial as well if specified. */
&& memcmp(cid->hash->data, cert->sha1_hash,
sizeof(cert->sha1_hash)) == 0) {
ESS_ISSUER_SERIAL *is = cid->issuer_serial;
if (!is || !ts_issuer_serial_cmp(is, cert))
return i;
@ -343,13 +319,11 @@ static int ts_issuer_serial_cmp(ESS_ISSUER_SERIAL *is, X509 *cert)
if (!is || !cert || sk_GENERAL_NAME_num(is->issuer) != 1)
return -1;
/* Check the issuer first. It must be a directory name. */
issuer = sk_GENERAL_NAME_value(is->issuer, 0);
if (issuer->type != GEN_DIRNAME
|| X509_NAME_cmp(issuer->d.dirn, X509_get_issuer_name(cert)))
return -1;
/* Check the serial number, too. */
if (ASN1_INTEGER_cmp(is->serial, X509_get_serialNumber(cert)))
return -1;
@ -368,15 +342,12 @@ int TS_RESP_verify_response(TS_VERIFY_CTX *ctx, TS_RESP *response)
TS_TST_INFO *tst_info = response->tst_info;
int ret = 0;
/* Check if we have a successful TS_TST_INFO object in place. */
if (!ts_check_status_info(response))
goto err;
/* Check the contents of the time stamp token. */
if (!int_ts_RESP_verify_token(ctx, token, tst_info))
goto err;
ret = 1;
err:
return ret;
}
@ -418,56 +389,41 @@ static int int_ts_RESP_verify_token(TS_VERIFY_CTX *ctx,
unsigned imprint_len = 0;
int ret = 0;
/* Verify the signature. */
if ((ctx->flags & TS_VFY_SIGNATURE)
&& !TS_RESP_verify_signature(token, ctx->certs, ctx->store, &signer))
goto err;
/* Check version number of response. */
if ((ctx->flags & TS_VFY_VERSION)
&& TS_TST_INFO_get_version(tst_info) != 1) {
TSerr(TS_F_INT_TS_RESP_VERIFY_TOKEN, TS_R_UNSUPPORTED_VERSION);
goto err;
}
/* Check policies. */
if ((ctx->flags & TS_VFY_POLICY)
&& !ts_check_policy(ctx->policy, tst_info))
goto err;
/* Check message imprints. */
if ((ctx->flags & TS_VFY_IMPRINT)
&& !ts_check_imprints(ctx->md_alg, ctx->imprint, ctx->imprint_len,
tst_info))
goto err;
/* Compute and check message imprints. */
if ((ctx->flags & TS_VFY_DATA)
&& (!ts_compute_imprint(ctx->data, tst_info,
&md_alg, &imprint, &imprint_len)
|| !ts_check_imprints(md_alg, imprint, imprint_len, tst_info)))
goto err;
/* Check nonces. */
if ((ctx->flags & TS_VFY_NONCE)
&& !ts_check_nonces(ctx->nonce, tst_info))
goto err;
/* Check whether TSA name and signer certificate match. */
if ((ctx->flags & TS_VFY_SIGNER)
&& tsa_name && !ts_check_signer_name(tsa_name, signer)) {
TSerr(TS_F_INT_TS_RESP_VERIFY_TOKEN, TS_R_TSA_NAME_MISMATCH);
goto err;
}
/* Check whether the TSA is the expected one. */
if ((ctx->flags & TS_VFY_TSA_NAME)
&& !ts_check_signer_name(ctx->tsa_name, signer)) {
TSerr(TS_F_INT_TS_RESP_VERIFY_TOKEN, TS_R_TSA_UNTRUSTED);
goto err;
}
ret = 1;
err:
X509_free(signer);
X509_ALGOR_free(md_alg);
@ -483,7 +439,6 @@ static int ts_check_status_info(TS_RESP *response)
char *embedded_status_text = NULL;
char failure_text[TS_STATUS_BUF_SIZE] = "";
/* Check if everything went fine. */
if (status == 0 || status == 1)
return 1;
@ -493,16 +448,15 @@ static int ts_check_status_info(TS_RESP *response)
else
status_text = "unknown code";
/* Set the embedded_status_text to the returned description. */
if (sk_ASN1_UTF8STRING_num(info->text) > 0
&& (embedded_status_text = ts_get_status_text(info->text)) == NULL)
return 0;
/* Filling in failure_text with the failure information. */
/* Fill in failure_text with the failure information. */
if (info->failure_info) {
int i;
int first = 1;
for (i = 0; i < (int)TS_FAILURE_INFO_SIZE; ++i) {
for (i = 0; i < (int)OSSL_NELEM(ts_failure_info); ++i) {
if (ASN1_BIT_STRING_get_bit(info->failure_info,
ts_failure_info[i].code)) {
if (!first)
@ -516,7 +470,6 @@ static int ts_check_status_info(TS_RESP *response)
if (failure_text[0] == '\0')
strcpy(failure_text, "unspecified");
/* Making up the error string. */
TSerr(TS_F_TS_CHECK_STATUS_INFO, TS_R_NO_TIME_STAMP_TOKEN);
ERR_add_error_data(6,
"status code: ", status_text,
@ -535,18 +488,16 @@ static char *ts_get_status_text(STACK_OF(ASN1_UTF8STRING) *text)
char *result = NULL;
char *p;
/* Determine length first. */
for (i = 0; i < sk_ASN1_UTF8STRING_num(text); ++i) {
ASN1_UTF8STRING *current = sk_ASN1_UTF8STRING_value(text, i);
length += ASN1_STRING_length(current);
length += 1; /* separator character */
}
/* Allocate memory (closing '\0' included). */
if ((result = OPENSSL_malloc(length)) == NULL) {
TSerr(TS_F_TS_GET_STATUS_TEXT, ERR_R_MALLOC_FAILURE);
return NULL;
}
/* Concatenate the descriptions. */
for (i = 0, p = result; i < sk_ASN1_UTF8STRING_num(text); ++i) {
ASN1_UTF8STRING *current = sk_ASN1_UTF8STRING_value(text, i);
length = ASN1_STRING_length(current);
@ -555,7 +506,6 @@ static char *ts_get_status_text(STACK_OF(ASN1_UTF8STRING) *text)
strncpy(p, (const char *)ASN1_STRING_data(current), length);
p += length;
}
/* We do have space for this, too. */
*p = '\0';
return result;
@ -587,17 +537,12 @@ static int ts_compute_imprint(BIO *data, TS_TST_INFO *tst_info,
*md_alg = NULL;
*imprint = NULL;
/* Return the MD algorithm of the response. */
if ((*md_alg = X509_ALGOR_dup(md_alg_resp)) == NULL)
goto err;
/* Getting the MD object. */
if ((md = EVP_get_digestbyobj((*md_alg)->algorithm)) == NULL) {
TSerr(TS_F_TS_COMPUTE_IMPRINT, TS_R_UNSUPPORTED_MD_ALGORITHM);
goto err;
}
/* Compute message digest. */
length = EVP_MD_size(md);
if (length < 0)
goto err;
@ -633,9 +578,7 @@ static int ts_check_imprints(X509_ALGOR *algor_a,
X509_ALGOR *algor_b = b->hash_algo;
int ret = 0;
/* algor_a is optional. */
if (algor_a) {
/* Compare algorithm OIDs. */
if (OBJ_cmp(algor_a->algorithm, algor_b->algorithm))
goto err;
@ -647,7 +590,6 @@ static int ts_check_imprints(X509_ALGOR *algor_a,
goto err;
}
/* Compare octet strings. */
ret = len_a == (unsigned)ASN1_STRING_length(b->hashed_msg) &&
memcmp(imprint_a, ASN1_STRING_data(b->hashed_msg), len_a) == 0;
err:
@ -660,7 +602,6 @@ static int ts_check_nonces(const ASN1_INTEGER *a, TS_TST_INFO *tst_info)
{
const ASN1_INTEGER *b = tst_info->nonce;
/* Error if nonce is missing. */
if (!b) {
TSerr(TS_F_TS_CHECK_NONCES, TS_R_NONCE_NOT_RETURNED);
return 0;
@ -685,12 +626,9 @@ static int ts_check_signer_name(GENERAL_NAME *tsa_name, X509 *signer)
int idx = -1;
int found = 0;
/* Check the subject name first. */
if (tsa_name->type == GEN_DIRNAME
&& X509_name_cmp(tsa_name->d.dirn, X509_get_subject_name(signer)) == 0)
return 1;
/* Check all the alternative names. */
gen_names = X509_get_ext_d2i(signer, NID_subject_alt_name, NULL, &idx);
while (gen_names != NULL) {
found = ts_find_name(gen_names, tsa_name) >= 0;

4
crypto/ts/ts_verify_ctx.c
View file

@ -162,17 +162,14 @@ TS_VERIFY_CTX *TS_REQ_to_TS_VERIFY_CTX(TS_REQ *req, TS_VERIFY_CTX *ctx)
else if ((ret = TS_VERIFY_CTX_new()) == NULL)
return NULL;
/* Setting flags. */
ret->flags = TS_VFY_ALL_IMPRINT & ~(TS_VFY_TSA_NAME | TS_VFY_SIGNATURE);
/* Setting policy. */
if ((policy = req->policy_id) != NULL) {
if ((ret->policy = OBJ_dup(policy)) == NULL)
goto err;
} else
ret->flags &= ~TS_VFY_POLICY;
/* Setting md_alg, imprint and imprint_len. */
imprint = req->msg_imprint;
md_alg = imprint->hash_algo;
if ((ret->md_alg = X509_ALGOR_dup(md_alg)) == NULL)
@ -183,7 +180,6 @@ TS_VERIFY_CTX *TS_REQ_to_TS_VERIFY_CTX(TS_REQ *req, TS_VERIFY_CTX *ctx)
goto err;
memcpy(ret->imprint, ASN1_STRING_data(msg), ret->imprint_len);
/* Setting nonce. */
if ((nonce = req->nonce) != NULL) {
if ((ret->nonce = ASN1_INTEGER_dup(nonce)) == NULL)
goto err;