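--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/os/ossrv/ssl/libcrypto/src/crypto/ocsp/ocsp_srv.c Fri Jun 15 03:10:57 2012 +0200
@@ -0,0 +1,264 @@
+/* ocsp_srv.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <cryptlib.h>
+#include <openssl/objects.h>
+#include <openssl/rand.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+#include <openssl/x509v3.h>
+#include <openssl/ocsp.h>
+
+/* Utility functions related to sending OCSP responses and extracting
+ * relevant information from the request.
+ */
+
+EXPORT_C int OCSP_request_onereq_count(OCSP_REQUEST *req)
+ {
+ return sk_OCSP_ONEREQ_num(req->tbsRequest->requestList);
+ }
+
+EXPORT_C OCSP_ONEREQ *OCSP_request_onereq_get0(OCSP_REQUEST *req, int i)
+ {
+ return sk_OCSP_ONEREQ_value(req->tbsRequest->requestList, i);
+ }
+
+EXPORT_C OCSP_CERTID *OCSP_onereq_get0_id(OCSP_ONEREQ *one)
+ {
+ return one->reqCert;
+ }
+
+EXPORT_C int OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd,
+ ASN1_OCTET_STRING **pikeyHash,
+ ASN1_INTEGER **pserial, OCSP_CERTID *cid)
+ {
+ if (!cid) return 0;
+ if (pmd) *pmd = cid->hashAlgorithm->algorithm;
+ if(piNameHash) *piNameHash = cid->issuerNameHash;
+ if (pikeyHash) *pikeyHash = cid->issuerKeyHash;
+ if (pserial) *pserial = cid->serialNumber;
+ return 1;
+ }
+
+EXPORT_C int OCSP_request_is_signed(OCSP_REQUEST *req)
+ {
+ if(req->optionalSignature) return 1;
+ return 0;
+ }
+
+/* Create an OCSP response and encode an optional basic response */
+EXPORT_C OCSP_RESPONSE *OCSP_response_create(int status, OCSP_BASICRESP *bs)
+ {
+ OCSP_RESPONSE *rsp = NULL;
+
+ if (!(rsp = OCSP_RESPONSE_new())) goto err;
+ if (!(ASN1_ENUMERATED_set(rsp->responseStatus, status))) goto err;
+ if (!bs) return rsp;
+ if (!(rsp->responseBytes = OCSP_RESPBYTES_new())) goto err;
+ rsp->responseBytes->responseType = OBJ_nid2obj(NID_id_pkix_OCSP_basic);
+ if (!ASN1_item_pack(bs, ASN1_ITEM_rptr(OCSP_BASICRESP), &rsp->responseBytes->response))
+ goto err;
+ return rsp;
+err:
+ if (rsp) OCSP_RESPONSE_free(rsp);
+ return NULL;
+ }
+
+
+EXPORT_C OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp,
+ OCSP_CERTID *cid,
+ int status, int reason,
+ ASN1_TIME *revtime,
+ ASN1_TIME *thisupd, ASN1_TIME *nextupd)
+ {
+ OCSP_SINGLERESP *single = NULL;
+ OCSP_CERTSTATUS *cs;
+ OCSP_REVOKEDINFO *ri;
+
+ if(!rsp->tbsResponseData->responses &&
+ !(rsp->tbsResponseData->responses = sk_OCSP_SINGLERESP_new_null()))
+ goto err;
+
+ if (!(single = OCSP_SINGLERESP_new()))
+ goto err;
+
+
+
+ if (!ASN1_TIME_to_generalizedtime(thisupd, &single->thisUpdate))
+ goto err;
+ if (nextupd &&
+ !ASN1_TIME_to_generalizedtime(nextupd, &single->nextUpdate))
+ goto err;
+
+ OCSP_CERTID_free(single->certId);
+
+ if(!(single->certId = OCSP_CERTID_dup(cid)))
+ goto err;
+
+ cs = single->certStatus;
+ switch(cs->type = status)
+ {
+ case V_OCSP_CERTSTATUS_REVOKED:
+ if (!revtime)
+ {
+ OCSPerr(OCSP_F_OCSP_BASIC_ADD1_STATUS,OCSP_R_NO_REVOKED_TIME);
+ goto err;
+ }
+ if (!(cs->value.revoked = ri = OCSP_REVOKEDINFO_new())) goto err;
+ if (!ASN1_TIME_to_generalizedtime(revtime, &ri->revocationTime))
+ goto err;
+ if (reason != OCSP_REVOKED_STATUS_NOSTATUS)
+ {
+ if (!(ri->revocationReason = ASN1_ENUMERATED_new()))
+ goto err;
+ if (!(ASN1_ENUMERATED_set(ri->revocationReason,
+ reason)))
+ goto err;
+ }
+ break;
+
+ case V_OCSP_CERTSTATUS_GOOD:
+ cs->value.good = ASN1_NULL_new();
+ break;
+
+ case V_OCSP_CERTSTATUS_UNKNOWN:
+ cs->value.unknown = ASN1_NULL_new();
+ break;
+
+ default:
+ goto err;
+
+ }
+ if (!(sk_OCSP_SINGLERESP_push(rsp->tbsResponseData->responses, single)))
+ goto err;
+ return single;
+err:
+ OCSP_SINGLERESP_free(single);
+ return NULL;
+ }
+
+/* Add a certificate to an OCSP request */
+
+EXPORT_C int OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert)
+ {
+ if (!resp->certs && !(resp->certs = sk_X509_new_null()))
+ return 0;
+
+ if(!sk_X509_push(resp->certs, cert)) return 0;
+ CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
+ return 1;
+ }
+
+EXPORT_C int OCSP_basic_sign(OCSP_BASICRESP *brsp,
+ X509 *signer, EVP_PKEY *key, const EVP_MD *dgst,
+ STACK_OF(X509) *certs, unsigned long flags)
+ {
+ int i;
+ OCSP_RESPID *rid;
+
+ if (!X509_check_private_key(signer, key))
+ {
+ OCSPerr(OCSP_F_OCSP_BASIC_SIGN, OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
+ goto err;
+ }
+
+ if(!(flags & OCSP_NOCERTS))
+ {
+ if(!OCSP_basic_add1_cert(brsp, signer))
+ goto err;
+ for (i = 0; i < sk_X509_num(certs); i++)
+ {
+ X509 *tmpcert = sk_X509_value(certs, i);
+ if(!OCSP_basic_add1_cert(brsp, tmpcert))
+ goto err;
+ }
+ }
+
+ rid = brsp->tbsResponseData->responderId;
+ if (flags & OCSP_RESPID_KEY)
+ {
+ unsigned char md[SHA_DIGEST_LENGTH];
+ X509_pubkey_digest(signer, EVP_sha1(), md, NULL);
+ if (!(rid->value.byKey = ASN1_OCTET_STRING_new()))
+ goto err;
+ if (!(ASN1_OCTET_STRING_set(rid->value.byKey, md, SHA_DIGEST_LENGTH)))
+ goto err;
+ rid->type = V_OCSP_RESPID_KEY;
+ }
+ else
+ {
+ if (!X509_NAME_set(&rid->value.byName,
+ X509_get_subject_name(signer)))
+ goto err;
+ rid->type = V_OCSP_RESPID_NAME;
+ }
+
+ if (!(flags & OCSP_NOTIME) &&
+ !X509_gmtime_adj(brsp->tbsResponseData->producedAt, 0))
+ goto err;
+
+ /* Right now, I think that not doing double hashing is the right
+ thing. -- Richard Levitte */
+
+ if (!OCSP_BASICRESP_sign(brsp, key, dgst, 0)) goto err;
+
+ return 1;
+err:
+ return 0;
+ }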
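Review bot: In OCSP_basic_sign the return value of `X509_pubkey_digest(signer, EVP_sha1(), md, NULL)` in the `OCSP_RESPID_KEY` branch is discarded, so if the digest fails the `md` buffer (declared without an initialiser just above) may be copied into `rid->value.byKey` and the response then signed over a meaningless responder key hash instead of the function failing. The call should be checked like every other fallible call in the function: `if (!X509_pubkey_digest(signer, EVP_sha1(), md, NULL)) goto err;`. The same unchecked-allocation pattern appears in OCSP_basic_add1_status, where the `V_OCSP_CERTSTATUS_GOOD` and `V_OCSP_CERTSTATUS_UNKNOWN` cases store `ASN1_NULL_new()` without a NULL test; `if (!(cs->value.good = ASN1_NULL_new())) goto err;` (and likewise for `unknown`) keeps an allocation failure from yielding a certStatus whose value is NULL.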