Commit 1f0067ec authored by Benjamin Kaduk's avatar Benjamin Kaduk Committed by Ben Kaduk
Browse files

Add an API to get the signer of an OCSP response 



Add a new function OCSP_resp_get0_signer() that looks in the
certs bundled with the response as well as in additional certificates
provided as a function argument, returning the certificate that signed
the given response (if present).

Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
Reviewed-by: default avatarTim Hudson <tjh@openssl.org>

(cherry picked from commit ce5886dd)

Reviewed-by: default avatarMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4723)
parent e1e59eca

crypto/ocsp/ocsp_vfy.c

+9 −0
Original line number Diff line number Diff line
@@ -138,6 +138,15 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, 
    goto end;

}



int OCSP_resp_get0_signer(OCSP_BASICRESP *bs, X509 **signer,

                     STACK_OF(X509) *extra_certs)

{

    int ret;



    ret = ocsp_find_signer(signer, bs, extra_certs, 0);

    return (ret > 0) ? 1 : 0;

}



static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs,

                            STACK_OF(X509) *certs, unsigned long flags)

{

doc/crypto/OCSP_resp_find_status.pod

+14 −1
Original line number Diff line number Diff line
@@ -3,6 +3,7 @@ 
=head1 NAME



OCSP_resp_get0_certs,

OCSP_resp_get0_signer,

OCSP_resp_get0_id,

OCSP_resp_get0_produced_at,

OCSP_resp_find_status, OCSP_resp_count, OCSP_resp_get0, OCSP_resp_find,
@@ -32,6 +33,9 @@ OCSP_single_get0_status, OCSP_check_validity 


 const STACK_OF(X509) *OCSP_resp_get0_certs(const OCSP_BASICRESP *bs);



 int OCSP_resp get0_signer(OCSP_BASICRESP *bs, X509 **signer,

                           STACK_OF(X509) *extra_certs);



 int OCSP_resp_get0_id(const OCSP_BASICRESP *bs,

                       const ASN1_OCTET_STRING **pid,

                       const X509_NAME **pname);
@@ -72,7 +76,13 @@ single response B<bs>. 


OCSP_resp_get0_certs() returns any certificates included in B<bs>.



OCSP_resp_get0_id() gets the responder id of <bs>. If the responder ID is

OCSP_resp_get0_signer() attempts to retrive the certificate that directly

signed B<bs>.  The OCSP protocol does not require that this certificate

is included in the B<certs> field of the response, so additional certificates

can be supplied in B<extra_certs> if the certificates that may have

signed the response are known via some out-of-band mechanism.



OCSP_resp_get0_id() gets the responder id of B<bs>. If the responder ID is

a name then <*pname> is set to the name and B<*pid> is set to NULL. If the

responder ID is by key ID then B<*pid> is set to the key ID and B<*pname>

is set to NULL.
@@ -99,6 +109,9 @@ B<id> was not found. 
OCSP_single_get0_status() returns the status of B<single> or -1 if an error

occurred.



OCSP_resp_get0_signer() returns 1 if the signing certificate was located,

or 0 on error.



=head1 NOTES



Applications will typically call OCSP_resp_find_status() using the certificate

include/openssl/ocsp.h

+2 −0
Original line number Diff line number Diff line
@@ -194,6 +194,8 @@ int OCSP_response_status(OCSP_RESPONSE *resp); 
OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp);



const ASN1_OCTET_STRING *OCSP_resp_get0_signature(const OCSP_BASICRESP *bs);

int OCSP_resp_get0_signer(OCSP_BASICRESP *bs, X509 **signer,

                          STACK_OF(X509) *extra_certs);



int OCSP_resp_count(OCSP_BASICRESP *bs);

OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx);