wbrawner/openssl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Fix ASN1_TIME_to_generlizedtime().

Browse source 
Add protoype for OCSP_response_create().

Add OCSP_request_sign() and OCSP_basic_sign()
private key and certificate checks and make
OCSP_NOCERTS consistent with PKCS7_NOCERTS
This commit is contained in:
Dr. Stephen Henson 2001-02-04 03:04:43 +00:00
parent 02e4fbed3d
commit 2b916952a8
5 changed files with 37 additions and 13 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
crypto/asn1/a_time.c
View file

@ -149,9 +149,9 @@ ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(ASN1_TIME *t, ASN1_GENERALIZE
/* grow the string */ /* grow the string */
if (!ASN1_STRING_set(ret, NULL, t->length + 2)) if (!ASN1_STRING_set(ret, NULL, t->length + 2))
return NULL; return NULL;
str = (char *)ret->data;
/* Work out the century and prepend */ /* Work out the century and prepend */
str = (char *)t->data; if (t->data[0] >= '5') strcpy(str, "19");
if (*str >= '5') strcpy(str, "19");
else strcpy(str, "20"); else strcpy(str, "20");
strcat(str, (char *)t->data); strcat(str, (char *)t->data);

4
crypto/ocsp/ocsp.h
View file

@ -454,6 +454,7 @@ OCSP_CERTID *OCSP_onereq_get0_id(OCSP_ONEREQ *one);
int OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd, int OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd,
ASN1_OCTET_STRING **pikeyHash, ASN1_OCTET_STRING **pikeyHash,
ASN1_INTEGER **pserial, OCSP_CERTID *cid); ASN1_INTEGER **pserial, OCSP_CERTID *cid);
OCSP_RESPONSE *OCSP_response_create(int status, OCSP_BASICRESP *bs);
OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp, OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp,
OCSP_CERTID *cid, OCSP_CERTID *cid,
int status, int reason, int status, int reason,
@ -562,12 +563,14 @@ void ERR_load_OCSP_strings(void);
#define OCSP_F_CERT_STATUS_NEW 103 #define OCSP_F_CERT_STATUS_NEW 103
#define OCSP_F_D2I_OCSP_NONCE 109 #define OCSP_F_D2I_OCSP_NONCE 109
#define OCSP_F_OCSP_BASIC_ADD1_STATUS 118 #define OCSP_F_OCSP_BASIC_ADD1_STATUS 118
#define OCSP_F_OCSP_BASIC_SIGN 119
#define OCSP_F_OCSP_BASIC_VERIFY 113 #define OCSP_F_OCSP_BASIC_VERIFY 113
#define OCSP_F_OCSP_CHECK_DELEGATED 117 #define OCSP_F_OCSP_CHECK_DELEGATED 117
#define OCSP_F_OCSP_CHECK_IDS 114 #define OCSP_F_OCSP_CHECK_IDS 114
#define OCSP_F_OCSP_CHECK_ISSUER 115 #define OCSP_F_OCSP_CHECK_ISSUER 115
#define OCSP_F_OCSP_CHECK_NONCE 112 #define OCSP_F_OCSP_CHECK_NONCE 112
#define OCSP_F_OCSP_MATCH_ISSUERID 116 #define OCSP_F_OCSP_MATCH_ISSUERID 116
#define OCSP_F_OCSP_REQUEST_SIGN 120
#define OCSP_F_OCSP_RESPONSE_GET1_BASIC 111 #define OCSP_F_OCSP_RESPONSE_GET1_BASIC 111
#define OCSP_F_OCSP_SENDREQ_BIO 110 #define OCSP_F_OCSP_SENDREQ_BIO 110
#define OCSP_F_REQUEST_VERIFY 104 #define OCSP_F_REQUEST_VERIFY 104
@ -595,6 +598,7 @@ void ERR_load_OCSP_strings(void);
#define OCSP_R_NO_RESPONSE_DATA 104 #define OCSP_R_NO_RESPONSE_DATA 104
#define OCSP_R_NO_REVOKED_TIME 132 #define OCSP_R_NO_REVOKED_TIME 132
#define OCSP_R_NO_SIGNATURE 105 #define OCSP_R_NO_SIGNATURE 105
#define OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE 133
#define OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA 129 #define OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA 129
#define OCSP_R_REVOKED_NO_TIME 106 #define OCSP_R_REVOKED_NO_TIME 106
#define OCSP_R_ROOT_CA_NOT_TRUSTED 127 #define OCSP_R_ROOT_CA_NOT_TRUSTED 127

15
crypto/ocsp/ocsp_cl.c
View file

@ -148,13 +148,21 @@ int OCSP_request_sign(OCSP_REQUEST *req,
OCSP_SIGNATURE *sig; OCSP_SIGNATURE *sig;
X509 *x; X509 *x;
if (signer && if (!OCSP_request_set1_name(req, X509_get_subject_name(signer)))
!OCSP_request_set1_name(req, X509_get_subject_name(signer)))
goto err; goto err;
if (!(req->optionalSignature = sig = OCSP_SIGNATURE_new())) goto err; if (!(req->optionalSignature = sig = OCSP_SIGNATURE_new())) goto err;
if (!dgst) dgst = EVP_sha1(); if (!dgst) dgst = EVP_sha1();
if (key && !OCSP_REQUEST_sign(req, key, dgst)) goto err; if (key)
{
if (!X509_check_private_key(signer, key))
{
OCSPerr(OCSP_F_OCSP_REQUEST_SIGN, OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
goto err;
}
if (!OCSP_REQUEST_sign(req, key, dgst)) goto err;
}
if (!(flags & OCSP_NOCERTS)) if (!(flags & OCSP_NOCERTS))
{ {
if(!OCSP_request_add1_cert(req, signer)) goto err; if(!OCSP_request_add1_cert(req, signer)) goto err;
@ -164,6 +172,7 @@ int OCSP_request_sign(OCSP_REQUEST *req,
if (!OCSP_request_add1_cert(req, x)) goto err; if (!OCSP_request_add1_cert(req, x)) goto err;
} }
} }
return 1; return 1;
err: err:
OCSP_SIGNATURE_free(req->optionalSignature); OCSP_SIGNATURE_free(req->optionalSignature);

3
crypto/ocsp/ocsp_err.c
View file

@ -73,12 +73,14 @@ static ERR_STRING_DATA OCSP_str_functs[]=
{ERR_PACK(0,OCSP_F_CERT_STATUS_NEW,0), "CERT_STATUS_NEW"}, {ERR_PACK(0,OCSP_F_CERT_STATUS_NEW,0), "CERT_STATUS_NEW"},
{ERR_PACK(0,OCSP_F_D2I_OCSP_NONCE,0), "D2I_OCSP_NONCE"}, {ERR_PACK(0,OCSP_F_D2I_OCSP_NONCE,0), "D2I_OCSP_NONCE"},
{ERR_PACK(0,OCSP_F_OCSP_BASIC_ADD1_STATUS,0), "OCSP_basic_add1_status"}, {ERR_PACK(0,OCSP_F_OCSP_BASIC_ADD1_STATUS,0), "OCSP_basic_add1_status"},
{ERR_PACK(0,OCSP_F_OCSP_BASIC_SIGN,0), "OCSP_basic_sign"},
{ERR_PACK(0,OCSP_F_OCSP_BASIC_VERIFY,0), "OCSP_basic_verify"}, {ERR_PACK(0,OCSP_F_OCSP_BASIC_VERIFY,0), "OCSP_basic_verify"},
{ERR_PACK(0,OCSP_F_OCSP_CHECK_DELEGATED,0), "OCSP_CHECK_DELEGATED"}, {ERR_PACK(0,OCSP_F_OCSP_CHECK_DELEGATED,0), "OCSP_CHECK_DELEGATED"},
{ERR_PACK(0,OCSP_F_OCSP_CHECK_IDS,0), "OCSP_CHECK_IDS"}, {ERR_PACK(0,OCSP_F_OCSP_CHECK_IDS,0), "OCSP_CHECK_IDS"},
{ERR_PACK(0,OCSP_F_OCSP_CHECK_ISSUER,0), "OCSP_CHECK_ISSUER"}, {ERR_PACK(0,OCSP_F_OCSP_CHECK_ISSUER,0), "OCSP_CHECK_ISSUER"},
{ERR_PACK(0,OCSP_F_OCSP_CHECK_NONCE,0), "OCSP_check_nonce"}, {ERR_PACK(0,OCSP_F_OCSP_CHECK_NONCE,0), "OCSP_check_nonce"},
{ERR_PACK(0,OCSP_F_OCSP_MATCH_ISSUERID,0), "OCSP_MATCH_ISSUERID"}, {ERR_PACK(0,OCSP_F_OCSP_MATCH_ISSUERID,0), "OCSP_MATCH_ISSUERID"},
{ERR_PACK(0,OCSP_F_OCSP_REQUEST_SIGN,0), "OCSP_request_sign"},
{ERR_PACK(0,OCSP_F_OCSP_RESPONSE_GET1_BASIC,0), "OCSP_response_get1_basic"}, {ERR_PACK(0,OCSP_F_OCSP_RESPONSE_GET1_BASIC,0), "OCSP_response_get1_basic"},
{ERR_PACK(0,OCSP_F_OCSP_SENDREQ_BIO,0), "OCSP_sendreq_bio"}, {ERR_PACK(0,OCSP_F_OCSP_SENDREQ_BIO,0), "OCSP_sendreq_bio"},
{ERR_PACK(0,OCSP_F_REQUEST_VERIFY,0), "REQUEST_VERIFY"}, {ERR_PACK(0,OCSP_F_REQUEST_VERIFY,0), "REQUEST_VERIFY"},
@ -109,6 +111,7 @@ static ERR_STRING_DATA OCSP_str_reasons[]=
{OCSP_R_NO_RESPONSE_DATA ,"no response data"}, {OCSP_R_NO_RESPONSE_DATA ,"no response data"},
{OCSP_R_NO_REVOKED_TIME ,"no revoked time"}, {OCSP_R_NO_REVOKED_TIME ,"no revoked time"},
{OCSP_R_NO_SIGNATURE ,"no signature"}, {OCSP_R_NO_SIGNATURE ,"no signature"},
{OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE,"private key does not match certificate"},
{OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA,"response contains no revocation data"}, {OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA,"response contains no revocation data"},
{OCSP_R_REVOKED_NO_TIME ,"revoked no time"}, {OCSP_R_REVOKED_NO_TIME ,"revoked no time"},
{OCSP_R_ROOT_CA_NOT_TRUSTED ,"root ca not trusted"}, {OCSP_R_ROOT_CA_NOT_TRUSTED ,"root ca not trusted"},

10
crypto/ocsp/ocsp_srv.c
View file

@ -206,15 +206,23 @@ int OCSP_basic_sign(OCSP_BASICRESP *brsp,
int i; int i;
OCSP_RESPID *rid; OCSP_RESPID *rid;
if(!(flags & OCSP_NOCERTS) && !OCSP_basic_add1_cert(brsp, signer)) if (!X509_check_private_key(signer, key))
{
OCSPerr(OCSP_F_OCSP_BASIC_SIGN, OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
goto err; goto err;
}
if(!(flags & OCSP_NOCERTS))
{
if(!OCSP_basic_add1_cert(brsp, signer))
goto err;
for (i = 0; i < sk_X509_num(certs); i++) for (i = 0; i < sk_X509_num(certs); i++)
{ {
X509 *tmpcert = sk_X509_value(certs, i); X509 *tmpcert = sk_X509_value(certs, i);
if(!OCSP_basic_add1_cert(brsp, tmpcert)) if(!OCSP_basic_add1_cert(brsp, tmpcert))
goto err; goto err;
} }
}
rid = brsp->tbsResponseData->responderId; rid = brsp->tbsResponseData->responderId;
if (flags & OCSP_RESPID_KEY) if (flags & OCSP_RESPID_KEY)