Fix ASN1_TIME_to_generlizedtime().

Add protoype for OCSP_response_create().

Add OCSP_request_sign() and OCSP_basic_sign()
private key and certificate checks and make
OCSP_NOCERTS consistent with PKCS7_NOCERTS

crypto/asn1/a_time.c

@@ -149,9 +149,9 @@ ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(ASN1_TIME *t, ASN1_GENERALIZE
 	/* grow the string */
 	if (!ASN1_STRING_set(ret, NULL, t->length + 2))
 		return NULL;
+	str = (char *)ret->data;
 	/* Work out the century and prepend */
-	str = (char *)t->data;
-	if (*str >= '5') strcpy(str, "19");
+	if (t->data[0] >= '5') strcpy(str, "19");
 	else strcpy(str, "20");
 
 	strcat(str, (char *)t->data);

crypto/ocsp/ocsp.h

@@ -454,6 +454,7 @@ OCSP_CERTID *OCSP_onereq_get0_id(OCSP_ONEREQ *one);
 int OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd,
 			ASN1_OCTET_STRING **pikeyHash,
 			ASN1_INTEGER **pserial, OCSP_CERTID *cid);
+OCSP_RESPONSE *OCSP_response_create(int status, OCSP_BASICRESP *bs);
 OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp,
 						OCSP_CERTID *cid,
 						int status, int reason,
@@ -562,12 +563,14 @@ void ERR_load_OCSP_strings(void);
 #define OCSP_F_CERT_STATUS_NEW				 103
 #define OCSP_F_D2I_OCSP_NONCE				 109
 #define OCSP_F_OCSP_BASIC_ADD1_STATUS			 118
+#define OCSP_F_OCSP_BASIC_SIGN				 119
 #define OCSP_F_OCSP_BASIC_VERIFY			 113
 #define OCSP_F_OCSP_CHECK_DELEGATED			 117
 #define OCSP_F_OCSP_CHECK_IDS				 114
 #define OCSP_F_OCSP_CHECK_ISSUER			 115
 #define OCSP_F_OCSP_CHECK_NONCE				 112
 #define OCSP_F_OCSP_MATCH_ISSUERID			 116
+#define OCSP_F_OCSP_REQUEST_SIGN			 120
 #define OCSP_F_OCSP_RESPONSE_GET1_BASIC			 111
 #define OCSP_F_OCSP_SENDREQ_BIO				 110
 #define OCSP_F_REQUEST_VERIFY				 104
@@ -595,6 +598,7 @@ void ERR_load_OCSP_strings(void);
 #define OCSP_R_NO_RESPONSE_DATA				 104
 #define OCSP_R_NO_REVOKED_TIME				 132
 #define OCSP_R_NO_SIGNATURE				 105
+#define OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE	 133
 #define OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA	 129
 #define OCSP_R_REVOKED_NO_TIME				 106
 #define OCSP_R_ROOT_CA_NOT_TRUSTED			 127

crypto/ocsp/ocsp_cl.c

@@ -148,22 +148,31 @@ int OCSP_request_sign(OCSP_REQUEST   *req,
 	OCSP_SIGNATURE *sig;
 	X509 *x;
 
-	if (signer &&
-		!OCSP_request_set1_name(req, X509_get_subject_name(signer)))
+	if (!OCSP_request_set1_name(req, X509_get_subject_name(signer)))
 			goto err;
 
 	if (!(req->optionalSignature = sig = OCSP_SIGNATURE_new())) goto err;
 	if (!dgst) dgst = EVP_sha1();
-	if (key && !OCSP_REQUEST_sign(req, key, dgst)) goto err;
+	if (key)
+		{
+		if (!X509_check_private_key(signer, key))
+			{
+			OCSPerr(OCSP_F_OCSP_REQUEST_SIGN, OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
+			goto err;
+			}
+		if (!OCSP_REQUEST_sign(req, key, dgst)) goto err;
+		}
+
 	if (!(flags & OCSP_NOCERTS))
 		{
-		if (!OCSP_request_add1_cert(req, signer)) goto err;
-	        for (i = 0; i < sk_X509_num(certs); i++)
+		if(!OCSP_request_add1_cert(req, signer)) goto err;
+		for (i = 0; i < sk_X509_num(certs); i++)
 			{
 			x = sk_X509_value(certs, i);
 			if (!OCSP_request_add1_cert(req, x)) goto err;
 			}
 		}
+
 	return 1;
 err:
 	OCSP_SIGNATURE_free(req->optionalSignature);

crypto/ocsp/ocsp_err.c

@@ -73,12 +73,14 @@ static ERR_STRING_DATA OCSP_str_functs[]=
 {ERR_PACK(0,OCSP_F_CERT_STATUS_NEW,0),	"CERT_STATUS_NEW"},
 {ERR_PACK(0,OCSP_F_D2I_OCSP_NONCE,0),	"D2I_OCSP_NONCE"},
 {ERR_PACK(0,OCSP_F_OCSP_BASIC_ADD1_STATUS,0),	"OCSP_basic_add1_status"},
+{ERR_PACK(0,OCSP_F_OCSP_BASIC_SIGN,0),	"OCSP_basic_sign"},
 {ERR_PACK(0,OCSP_F_OCSP_BASIC_VERIFY,0),	"OCSP_basic_verify"},
 {ERR_PACK(0,OCSP_F_OCSP_CHECK_DELEGATED,0),	"OCSP_CHECK_DELEGATED"},
 {ERR_PACK(0,OCSP_F_OCSP_CHECK_IDS,0),	"OCSP_CHECK_IDS"},
 {ERR_PACK(0,OCSP_F_OCSP_CHECK_ISSUER,0),	"OCSP_CHECK_ISSUER"},
 {ERR_PACK(0,OCSP_F_OCSP_CHECK_NONCE,0),	"OCSP_check_nonce"},
 {ERR_PACK(0,OCSP_F_OCSP_MATCH_ISSUERID,0),	"OCSP_MATCH_ISSUERID"},
+{ERR_PACK(0,OCSP_F_OCSP_REQUEST_SIGN,0),	"OCSP_request_sign"},
 {ERR_PACK(0,OCSP_F_OCSP_RESPONSE_GET1_BASIC,0),	"OCSP_response_get1_basic"},
 {ERR_PACK(0,OCSP_F_OCSP_SENDREQ_BIO,0),	"OCSP_sendreq_bio"},
 {ERR_PACK(0,OCSP_F_REQUEST_VERIFY,0),	"REQUEST_VERIFY"},
@@ -109,6 +111,7 @@ static ERR_STRING_DATA OCSP_str_reasons[]=
 {OCSP_R_NO_RESPONSE_DATA                 ,"no response data"},
 {OCSP_R_NO_REVOKED_TIME                  ,"no revoked time"},
 {OCSP_R_NO_SIGNATURE                     ,"no signature"},
+{OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE,"private key does not match certificate"},
 {OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA,"response contains no revocation data"},
 {OCSP_R_REVOKED_NO_TIME                  ,"revoked no time"},
 {OCSP_R_ROOT_CA_NOT_TRUSTED              ,"root ca not trusted"},

crypto/ocsp/ocsp_srv.c

@@ -206,14 +206,22 @@ int OCSP_basic_sign(OCSP_BASICRESP *brsp,
 	int i;
 	OCSP_RESPID *rid;
 
-	if(!(flags & OCSP_NOCERTS) && !OCSP_basic_add1_cert(brsp, signer))
-		goto err;
-
-	for (i = 0; i < sk_X509_num(certs); i++)
+	if (!X509_check_private_key(signer, key))
 		{
-		X509 *tmpcert = sk_X509_value(certs, i);
-		if(!OCSP_basic_add1_cert(brsp, tmpcert))
+		OCSPerr(OCSP_F_OCSP_BASIC_SIGN, OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
+		goto err;
+		}
+
+	if(!(flags & OCSP_NOCERTS))
+		{
+		if(!OCSP_basic_add1_cert(brsp, signer))
+			goto err;
+		for (i = 0; i < sk_X509_num(certs); i++)
+			{
+			X509 *tmpcert = sk_X509_value(certs, i);
+			if(!OCSP_basic_add1_cert(brsp, tmpcert))
 				goto err;
+			}
 		}
 
 	rid = brsp->tbsResponseData->responderId;