Fix ASN1_TIME_to_generlizedtime().
Add prototype for OCSP_response_create(). Add OCSP_request_sign() and OCSP_basic_sign() private key and certificate checks and make OCSP_NOCERTS consistent with PKCS7_NOCERTS.
parent
02e4fbed3d
commit
2b916952a8
5 changed files with 37 additions and 13 deletions
@ -149,9 +149,9 @@ ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(ASN1_TIME *t, ASN1_GENERALIZE
|
|||
/* grow the string */
|
||||
if (!ASN1_STRING_set(ret, NULL, t->length + 2))
|
||||
return NULL;
|
||||
str = (char *)ret->data;
|
||||
/* Work out the century and prepend */
|
||||
str = (char *)t->data;
|
||||
if (*str >= '5') strcpy(str, "19");
|
||||
if (t->data[0] >= '5') strcpy(str, "19");
|
||||
else strcpy(str, "20");
|
||||
|
||||
strcat(str, (char *)t->data);
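Review bot: `strcat(str, (char *)t->data)` copies the UTCTime payload as an unbounded C string even though the destination was sized from `t->length + 2` on the `ASN1_STRING_set` line, so the copy depends on `t->data` being NUL-terminated at exactly `t->length` instead of on the length the function actually has. A bounded copy gives the same result without that dependency: `memcpy(str + 2, t->data, t->length); str[t->length + 2] = '\0';` in place of the `strcat`. Whether `ASN1_STRING_set` reserves the extra byte for the terminator is not visible here and should be confirmed, and `t->data[0]` on the century line presumably relies on an earlier length check on `t`. ASN1_TIME_to_generalizedtime starts before this hunk and continues after it.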
|
||||
|
|
|
@ -454,6 +454,7 @@ OCSP_CERTID *OCSP_onereq_get0_id(OCSP_ONEREQ *one);
|
|||
int OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd,
|
||||
ASN1_OCTET_STRING **pikeyHash,
|
||||
ASN1_INTEGER **pserial, OCSP_CERTID *cid);
|
||||
OCSP_RESPONSE *OCSP_response_create(int status, OCSP_BASICRESP *bs);
|
||||
OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp,
|
||||
OCSP_CERTID *cid,
|
||||
int status, int reason,
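Review bot: The new `OCSP_response_create` prototype does not say whether `bs` is copied into the response or adopted by it, which is what a caller needs to know to avoid leaking or double-freeing the basic response. A one-line comment above the declaration would settle it, along the lines of `/* Build an OCSP_RESPONSE with the given status; bs is <copied|adopted> -- confirm against the definition */` with the ownership filled in from the definition, which is not among the visible hunks.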
|
||||
|
@ -562,12 +563,14 @@ void ERR_load_OCSP_strings(void);
|
|||
#define OCSP_F_CERT_STATUS_NEW 103
|
||||
#define OCSP_F_D2I_OCSP_NONCE 109
|
||||
#define OCSP_F_OCSP_BASIC_ADD1_STATUS 118
|
||||
#define OCSP_F_OCSP_BASIC_SIGN 119
|
||||
#define OCSP_F_OCSP_BASIC_VERIFY 113
|
||||
#define OCSP_F_OCSP_CHECK_DELEGATED 117
|
||||
#define OCSP_F_OCSP_CHECK_IDS 114
|
||||
#define OCSP_F_OCSP_CHECK_ISSUER 115
|
||||
#define OCSP_F_OCSP_CHECK_NONCE 112
|
||||
#define OCSP_F_OCSP_MATCH_ISSUERID 116
|
||||
#define OCSP_F_OCSP_REQUEST_SIGN 120
|
||||
#define OCSP_F_OCSP_RESPONSE_GET1_BASIC 111
|
||||
#define OCSP_F_OCSP_SENDREQ_BIO 110
|
||||
#define OCSP_F_REQUEST_VERIFY 104
|
||||
|
@ -595,6 +598,7 @@ void ERR_load_OCSP_strings(void);
|
|||
#define OCSP_R_NO_RESPONSE_DATA 104
|
||||
#define OCSP_R_NO_REVOKED_TIME 132
|
||||
#define OCSP_R_NO_SIGNATURE 105
|
||||
#define OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE 133
|
||||
#define OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA 129
|
||||
#define OCSP_R_REVOKED_NO_TIME 106
|
||||
#define OCSP_R_ROOT_CA_NOT_TRUSTED 127
|
||||
|
|
|
@ -148,13 +148,21 @@ int OCSP_request_sign(OCSP_REQUEST *req,
|
|||
OCSP_SIGNATURE *sig;
|
||||
X509 *x;
|
||||
|
||||
if (signer &&
|
||||
!OCSP_request_set1_name(req, X509_get_subject_name(signer)))
|
||||
if (!OCSP_request_set1_name(req, X509_get_subject_name(signer)))
|
||||
goto err;
|
||||
|
||||
if (!(req->optionalSignature = sig = OCSP_SIGNATURE_new())) goto err;
|
||||
if (!dgst) dgst = EVP_sha1();
|
||||
if (key && !OCSP_REQUEST_sign(req, key, dgst)) goto err;
|
||||
if (key)
|
||||
{
|
||||
if (!X509_check_private_key(signer, key))
|
||||
{
|
||||
OCSPerr(OCSP_F_OCSP_REQUEST_SIGN, OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
|
||||
goto err;
|
||||
}
|
||||
if (!OCSP_REQUEST_sign(req, key, dgst)) goto err;
|
||||
}
|
||||
|
||||
if (!(flags & OCSP_NOCERTS))
|
||||
{
|
||||
if(!OCSP_request_add1_cert(req, signer)) goto err;
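Review bot: Dropping the `signer &&` guard on the `OCSP_request_set1_name` line lets a NULL `signer` reach `X509_get_subject_name(signer)` unguarded, and the new `X509_check_private_key(signer, key)` and the `OCSP_request_add1_cert(req, signer)` call likewise assume it is set. If the new contract is that `signer` is required, an explicit check through the function's own error path is clearer than a dereference: `if (!signer) { OCSPerr(OCSP_F_OCSP_REQUEST_SIGN, ERR_R_PASSED_NULL_PARAMETER); goto err; }` placed before the `OCSP_request_set1_name` call. Whether any caller still passes a NULL signer is not visible here. OCSP_request_sign starts before this hunk and continues after it.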
|
||||
|
@ -164,6 +172,7 @@ int OCSP_request_sign(OCSP_REQUEST *req,
|
|||
if (!OCSP_request_add1_cert(req, x)) goto err;
|
||||
}
|
||||
}
|
||||
|
||||
return 1;
|
||||
err:
|
||||
OCSP_SIGNATURE_free(req->optionalSignature);
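Review bot: The `err:` path frees `req->optionalSignature` but leaves the pointer stored in `req`, so a caller that frees `req` after a failed `OCSP_request_sign` would free the signature a second time; this matters more now that the private-key check added in this commit is another route to `err`. Adding `req->optionalSignature = NULL;` right after the free closes that. Whether callers keep `req` after a failure is not visible here. The rest of the function lies past the hunk.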
|
||||
|
|
|
@ -73,12 +73,14 @@ static ERR_STRING_DATA OCSP_str_functs[]=
|
|||
{ERR_PACK(0,OCSP_F_CERT_STATUS_NEW,0), "CERT_STATUS_NEW"},
|
||||
{ERR_PACK(0,OCSP_F_D2I_OCSP_NONCE,0), "D2I_OCSP_NONCE"},
|
||||
{ERR_PACK(0,OCSP_F_OCSP_BASIC_ADD1_STATUS,0), "OCSP_basic_add1_status"},
|
||||
{ERR_PACK(0,OCSP_F_OCSP_BASIC_SIGN,0), "OCSP_basic_sign"},
|
||||
{ERR_PACK(0,OCSP_F_OCSP_BASIC_VERIFY,0), "OCSP_basic_verify"},
|
||||
{ERR_PACK(0,OCSP_F_OCSP_CHECK_DELEGATED,0), "OCSP_CHECK_DELEGATED"},
|
||||
{ERR_PACK(0,OCSP_F_OCSP_CHECK_IDS,0), "OCSP_CHECK_IDS"},
|
||||
{ERR_PACK(0,OCSP_F_OCSP_CHECK_ISSUER,0), "OCSP_CHECK_ISSUER"},
|
||||
{ERR_PACK(0,OCSP_F_OCSP_CHECK_NONCE,0), "OCSP_check_nonce"},
|
||||
{ERR_PACK(0,OCSP_F_OCSP_MATCH_ISSUERID,0), "OCSP_MATCH_ISSUERID"},
|
||||
{ERR_PACK(0,OCSP_F_OCSP_REQUEST_SIGN,0), "OCSP_request_sign"},
|
||||
{ERR_PACK(0,OCSP_F_OCSP_RESPONSE_GET1_BASIC,0), "OCSP_response_get1_basic"},
|
||||
{ERR_PACK(0,OCSP_F_OCSP_SENDREQ_BIO,0), "OCSP_sendreq_bio"},
|
||||
{ERR_PACK(0,OCSP_F_REQUEST_VERIFY,0), "REQUEST_VERIFY"},
|
||||
|
@ -109,6 +111,7 @@ static ERR_STRING_DATA OCSP_str_reasons[]=
|
|||
{OCSP_R_NO_RESPONSE_DATA ,"no response data"},
|
||||
{OCSP_R_NO_REVOKED_TIME ,"no revoked time"},
|
||||
{OCSP_R_NO_SIGNATURE ,"no signature"},
|
||||
{OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE,"private key does not match certificate"},
|
||||
{OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA,"response contains no revocation data"},
|
||||
{OCSP_R_REVOKED_NO_TIME ,"revoked no time"},
|
||||
{OCSP_R_ROOT_CA_NOT_TRUSTED ,"root ca not trusted"},
|
||||
|
|
|
@ -206,15 +206,23 @@ int OCSP_basic_sign(OCSP_BASICRESP *brsp,
|
|||
int i;
|
||||
OCSP_RESPID *rid;
|
||||
|
||||
if(!(flags & OCSP_NOCERTS) && !OCSP_basic_add1_cert(brsp, signer))
|
||||
if (!X509_check_private_key(signer, key))
|
||||
{
|
||||
OCSPerr(OCSP_F_OCSP_BASIC_SIGN, OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
|
||||
goto err;
|
||||
}
|
||||
|
||||
if(!(flags & OCSP_NOCERTS))
|
||||
{
|
||||
if(!OCSP_basic_add1_cert(brsp, signer))
|
||||
goto err;
|
||||
for (i = 0; i < sk_X509_num(certs); i++)
|
||||
{
|
||||
X509 *tmpcert = sk_X509_value(certs, i);
|
||||
if(!OCSP_basic_add1_cert(brsp, tmpcert))
|
||||
goto err;
|
||||
}
|
||||
}
|
||||
|
||||
rid = brsp->tbsResponseData->responderId;
|
||||
if (flags & OCSP_RESPID_KEY)
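Review bot: The new `X509_check_private_key(signer, key)` runs unconditionally here, whereas the matching check this commit adds to `OCSP_request_sign` is gated on `key` being set; if `OCSP_basic_sign` is ever called with a NULL key the failure is reported as `OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE` rather than as a missing key, so either gate it the same way or document that `key` is required. As a style point, the hunk mixes `if (` on the private-key check with `if(` on the `OCSP_NOCERTS` block and both `OCSP_basic_add1_cert` calls; one form should be used throughout. OCSP_basic_sign starts before this hunk and continues after it.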
|
||||
|
|