1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
1.2 +++ b/os/ossrv/ssl/libcrypto/src/crypto/ocsp/ocsp_cl.c Fri Jun 15 03:10:57 2012 +0200
1.3 @@ -0,0 +1,372 @@
1.4 +/* ocsp_cl.c */
1.5 +/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
1.6 + * project. */
1.7 +
1.8 +/* History:
1.9 + This file was transfered to Richard Levitte from CertCo by Kathy
1.10 + Weinhold in mid-spring 2000 to be included in OpenSSL or released
1.11 + as a patch kit. */
1.12 +
1.13 +/* ====================================================================
1.14 + * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
1.15 + *
1.16 + * Redistribution and use in source and binary forms, with or without
1.17 + * modification, are permitted provided that the following conditions
1.18 + * are met:
1.19 + *
1.20 + * 1. Redistributions of source code must retain the above copyright
1.21 + * notice, this list of conditions and the following disclaimer.
1.22 + *
1.23 + * 2. Redistributions in binary form must reproduce the above copyright
1.24 + * notice, this list of conditions and the following disclaimer in
1.25 + * the documentation and/or other materials provided with the
1.26 + * distribution.
1.27 + *
1.28 + * 3. All advertising materials mentioning features or use of this
1.29 + * software must display the following acknowledgment:
1.30 + * "This product includes software developed by the OpenSSL Project
1.31 + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
1.32 + *
1.33 + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
1.34 + * endorse or promote products derived from this software without
1.35 + * prior written permission. For written permission, please contact
1.36 + * openssl-core@openssl.org.
1.37 + *
1.38 + * 5. Products derived from this software may not be called "OpenSSL"
1.39 + * nor may "OpenSSL" appear in their names without prior written
1.40 + * permission of the OpenSSL Project.
1.41 + *
1.42 + * 6. Redistributions of any form whatsoever must retain the following
1.43 + * acknowledgment:
1.44 + * "This product includes software developed by the OpenSSL Project
1.45 + * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
1.46 + *
1.47 + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
1.48 + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
1.49 + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
1.50 + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
1.51 + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
1.52 + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
1.53 + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
1.54 + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
1.55 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
1.56 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
1.57 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
1.58 + * OF THE POSSIBILITY OF SUCH DAMAGE.
1.59 + * ====================================================================
1.60 + *
1.61 + * This product includes cryptographic software written by Eric Young
1.62 + * (eay@cryptsoft.com). This product includes software written by Tim
1.63 + * Hudson (tjh@cryptsoft.com).
1.64 + *
1.65 + */
1.66 +
1.67 +#include <stdio.h>
1.68 +#include <time.h>
1.69 +#include <cryptlib.h>
1.70 +#include <openssl/objects.h>
1.71 +#include <openssl/rand.h>
1.72 +#include <openssl/x509.h>
1.73 +#include <openssl/pem.h>
1.74 +#include <openssl/x509v3.h>
1.75 +#include <openssl/ocsp.h>
1.76 +
1.77 +/* Utility functions related to sending OCSP requests and extracting
1.78 + * relevant information from the response.
1.79 + */
1.80 +
1.81 +/* Add an OCSP_CERTID to an OCSP request. Return new OCSP_ONEREQ
1.82 + * pointer: useful if we want to add extensions.
1.83 + */
1.84 +
1.85 +EXPORT_C OCSP_ONEREQ *OCSP_request_add0_id(OCSP_REQUEST *req, OCSP_CERTID *cid)
1.86 + {
1.87 + OCSP_ONEREQ *one = NULL;
1.88 +
1.89 + if (!(one = OCSP_ONEREQ_new())) goto err;
1.90 + if (one->reqCert) OCSP_CERTID_free(one->reqCert);
1.91 + one->reqCert = cid;
1.92 + if (req &&
1.93 + !sk_OCSP_ONEREQ_push(req->tbsRequest->requestList, one))
1.94 + goto err;
1.95 + return one;
1.96 +err:
1.97 + OCSP_ONEREQ_free(one);
1.98 + return NULL;
1.99 + }
1.100 +
1.101 +/* Set requestorName from an X509_NAME structure */
1.102 +
1.103 +EXPORT_C int OCSP_request_set1_name(OCSP_REQUEST *req, X509_NAME *nm)
1.104 + {
1.105 + GENERAL_NAME *gen;
1.106 + gen = GENERAL_NAME_new();
1.107 + if (gen == NULL)
1.108 + return 0;
1.109 + if (!X509_NAME_set(&gen->d.directoryName, nm))
1.110 + {
1.111 + GENERAL_NAME_free(gen);
1.112 + return 0;
1.113 + }
1.114 + gen->type = GEN_DIRNAME;
1.115 + if (req->tbsRequest->requestorName)
1.116 + GENERAL_NAME_free(req->tbsRequest->requestorName);
1.117 + req->tbsRequest->requestorName = gen;
1.118 + return 1;
1.119 + }
1.120 +
1.121 +
1.122 +/* Add a certificate to an OCSP request */
1.123 +
1.124 +EXPORT_C int OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert)
1.125 + {
1.126 + OCSP_SIGNATURE *sig;
1.127 + if (!req->optionalSignature)
1.128 + req->optionalSignature = OCSP_SIGNATURE_new();
1.129 + sig = req->optionalSignature;
1.130 + if (!sig) return 0;
1.131 + if (!cert) return 1;
1.132 + if (!sig->certs && !(sig->certs = sk_X509_new_null()))
1.133 + return 0;
1.134 +
1.135 + if(!sk_X509_push(sig->certs, cert)) return 0;
1.136 + CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
1.137 + return 1;
1.138 + }
1.139 +
1.140 +/* Sign an OCSP request set the requestorName to the subjec
1.141 + * name of an optional signers certificate and include one
1.142 + * or more optional certificates in the request. Behaves
1.143 + * like PKCS7_sign().
1.144 + */
1.145 +
1.146 +EXPORT_C int OCSP_request_sign(OCSP_REQUEST *req,
1.147 + X509 *signer,
1.148 + EVP_PKEY *key,
1.149 + const EVP_MD *dgst,
1.150 + STACK_OF(X509) *certs,
1.151 + unsigned long flags)
1.152 + {
1.153 + int i;
1.154 + OCSP_SIGNATURE *sig;
1.155 + X509 *x;
1.156 +
1.157 + if (!OCSP_request_set1_name(req, X509_get_subject_name(signer)))
1.158 + goto err;
1.159 +
1.160 + if (!(req->optionalSignature = sig = OCSP_SIGNATURE_new())) goto err;
1.161 + if (!dgst) dgst = EVP_sha1();
1.162 + if (key)
1.163 + {
1.164 + if (!X509_check_private_key(signer, key))
1.165 + {
1.166 + OCSPerr(OCSP_F_OCSP_REQUEST_SIGN, OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
1.167 + goto err;
1.168 + }
1.169 + if (!OCSP_REQUEST_sign(req, key, dgst)) goto err;
1.170 + }
1.171 +
1.172 + if (!(flags & OCSP_NOCERTS))
1.173 + {
1.174 + if(!OCSP_request_add1_cert(req, signer)) goto err;
1.175 + for (i = 0; i < sk_X509_num(certs); i++)
1.176 + {
1.177 + x = sk_X509_value(certs, i);
1.178 + if (!OCSP_request_add1_cert(req, x)) goto err;
1.179 + }
1.180 + }
1.181 +
1.182 + return 1;
1.183 +err:
1.184 + OCSP_SIGNATURE_free(req->optionalSignature);
1.185 + req->optionalSignature = NULL;
1.186 + return 0;
1.187 + }
1.188 +
1.189 +/* Get response status */
1.190 +
1.191 +EXPORT_C int OCSP_response_status(OCSP_RESPONSE *resp)
1.192 + {
1.193 + return ASN1_ENUMERATED_get(resp->responseStatus);
1.194 + }
1.195 +
1.196 +/* Extract basic response from OCSP_RESPONSE or NULL if
1.197 + * no basic response present.
1.198 + */
1.199 +
1.200 +
1.201 +EXPORT_C OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp)
1.202 + {
1.203 + OCSP_RESPBYTES *rb;
1.204 + rb = resp->responseBytes;
1.205 + if (!rb)
1.206 + {
1.207 + OCSPerr(OCSP_F_OCSP_RESPONSE_GET1_BASIC, OCSP_R_NO_RESPONSE_DATA);
1.208 + return NULL;
1.209 + }
1.210 + if (OBJ_obj2nid(rb->responseType) != NID_id_pkix_OCSP_basic)
1.211 + {
1.212 + OCSPerr(OCSP_F_OCSP_RESPONSE_GET1_BASIC, OCSP_R_NOT_BASIC_RESPONSE);
1.213 + return NULL;
1.214 + }
1.215 +
1.216 + return ASN1_item_unpack(rb->response, ASN1_ITEM_rptr(OCSP_BASICRESP));
1.217 + }
1.218 +
1.219 +/* Return number of OCSP_SINGLERESP reponses present in
1.220 + * a basic response.
1.221 + */
1.222 +
1.223 +EXPORT_C int OCSP_resp_count(OCSP_BASICRESP *bs)
1.224 + {
1.225 + if (!bs) return -1;
1.226 + return sk_OCSP_SINGLERESP_num(bs->tbsResponseData->responses);
1.227 + }
1.228 +
1.229 +/* Extract an OCSP_SINGLERESP response with a given index */
1.230 +
1.231 +EXPORT_C OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx)
1.232 + {
1.233 + if (!bs) return NULL;
1.234 + return sk_OCSP_SINGLERESP_value(bs->tbsResponseData->responses, idx);
1.235 + }
1.236 +
1.237 +/* Look single response matching a given certificate ID */
1.238 +
1.239 +EXPORT_C int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last)
1.240 + {
1.241 + int i;
1.242 + STACK_OF(OCSP_SINGLERESP) *sresp;
1.243 + OCSP_SINGLERESP *single;
1.244 + if (!bs) return -1;
1.245 + if (last < 0) last = 0;
1.246 + else last++;
1.247 + sresp = bs->tbsResponseData->responses;
1.248 + for (i = last; i < sk_OCSP_SINGLERESP_num(sresp); i++)
1.249 + {
1.250 + single = sk_OCSP_SINGLERESP_value(sresp, i);
1.251 + if (!OCSP_id_cmp(id, single->certId)) return i;
1.252 + }
1.253 + return -1;
1.254 + }
1.255 +
1.256 +/* Extract status information from an OCSP_SINGLERESP structure.
1.257 + * Note: the revtime and reason values are only set if the
1.258 + * certificate status is revoked. Returns numerical value of
1.259 + * status.
1.260 + */
1.261 +
1.262 +EXPORT_C int OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason,
1.263 + ASN1_GENERALIZEDTIME **revtime,
1.264 + ASN1_GENERALIZEDTIME **thisupd,
1.265 + ASN1_GENERALIZEDTIME **nextupd)
1.266 + {
1.267 + int ret;
1.268 + OCSP_CERTSTATUS *cst;
1.269 + if(!single) return -1;
1.270 + cst = single->certStatus;
1.271 + ret = cst->type;
1.272 + if (ret == V_OCSP_CERTSTATUS_REVOKED)
1.273 + {
1.274 + OCSP_REVOKEDINFO *rev = cst->value.revoked;
1.275 + if (revtime) *revtime = rev->revocationTime;
1.276 + if (reason)
1.277 + {
1.278 + if(rev->revocationReason)
1.279 + *reason = ASN1_ENUMERATED_get(rev->revocationReason);
1.280 + else *reason = -1;
1.281 + }
1.282 + }
1.283 + if(thisupd) *thisupd = single->thisUpdate;
1.284 + if(nextupd) *nextupd = single->nextUpdate;
1.285 + return ret;
1.286 + }
1.287 +
1.288 +/* This function combines the previous ones: look up a certificate ID and
1.289 + * if found extract status information. Return 0 is successful.
1.290 + */
1.291 +
1.292 +EXPORT_C int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
1.293 + int *reason,
1.294 + ASN1_GENERALIZEDTIME **revtime,
1.295 + ASN1_GENERALIZEDTIME **thisupd,
1.296 + ASN1_GENERALIZEDTIME **nextupd)
1.297 + {
1.298 + int i;
1.299 + OCSP_SINGLERESP *single;
1.300 + i = OCSP_resp_find(bs, id, -1);
1.301 + /* Maybe check for multiple responses and give an error? */
1.302 + if(i < 0) return 0;
1.303 + single = OCSP_resp_get0(bs, i);
1.304 + i = OCSP_single_get0_status(single, reason, revtime, thisupd, nextupd);
1.305 + if(status) *status = i;
1.306 + return 1;
1.307 + }
1.308 +
1.309 +/* Check validity of thisUpdate and nextUpdate fields. It is possible that the request will
1.310 + * take a few seconds to process and/or the time wont be totally accurate. Therefore to avoid
1.311 + * rejecting otherwise valid time we allow the times to be within 'nsec' of the current time.
1.312 + * Also to avoid accepting very old responses without a nextUpdate field an optional maxage
1.313 + * parameter specifies the maximum age the thisUpdate field can be.
1.314 + */
1.315 +
1.316 +EXPORT_C int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd, ASN1_GENERALIZEDTIME *nextupd, long nsec, long maxsec)
1.317 + {
1.318 + int ret = 1;
1.319 + time_t t_now, t_tmp;
1.320 + time(&t_now);
1.321 + /* Check thisUpdate is valid and not more than nsec in the future */
1.322 + if (!ASN1_GENERALIZEDTIME_check(thisupd))
1.323 + {
1.324 + OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_ERROR_IN_THISUPDATE_FIELD);
1.325 + ret = 0;
1.326 + }
1.327 + else
1.328 + {
1.329 + t_tmp = t_now + nsec;
1.330 + if (X509_cmp_time(thisupd, &t_tmp) > 0)
1.331 + {
1.332 + OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_STATUS_NOT_YET_VALID);
1.333 + ret = 0;
1.334 + }
1.335 +
1.336 + /* If maxsec specified check thisUpdate is not more than maxsec in the past */
1.337 + if (maxsec >= 0)
1.338 + {
1.339 + t_tmp = t_now - maxsec;
1.340 + if (X509_cmp_time(thisupd, &t_tmp) < 0)
1.341 + {
1.342 + OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_STATUS_TOO_OLD);
1.343 + ret = 0;
1.344 + }
1.345 + }
1.346 + }
1.347 +
1.348 +
1.349 + if (!nextupd) return ret;
1.350 +
1.351 + /* Check nextUpdate is valid and not more than nsec in the past */
1.352 + if (!ASN1_GENERALIZEDTIME_check(nextupd))
1.353 + {
1.354 + OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_ERROR_IN_NEXTUPDATE_FIELD);
1.355 + ret = 0;
1.356 + }
1.357 + else
1.358 + {
1.359 + t_tmp = t_now - nsec;
1.360 + if (X509_cmp_time(nextupd, &t_tmp) < 0)
1.361 + {
1.362 + OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_STATUS_EXPIRED);
1.363 + ret = 0;
1.364 + }
1.365 + }
1.366 +
1.367 + /* Also don't allow nextUpdate to precede thisUpdate */
1.368 + if (ASN1_STRING_cmp(nextupd, thisupd) < 0)
1.369 + {
1.370 + OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE);
1.371 + ret = 0;
1.372 + }
1.373 +
1.374 + return ret;
1.375 + }