Commit 2b916952 authored by Dr. Stephen Henson's avatar Dr. Stephen Henson

Fix ASN1_TIME_to_generalizedtime().

Add prototype for OCSP_response_create().

Add OCSP_request_sign() and OCSP_basic_sign()
private key and certificate checks and make
OCSP_NOCERTS consistent with PKCS7_NOCERTS
parent 02e4fbed
+2 −2
@@ -149,9 +149,9 @@ ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(ASN1_TIME *t, ASN1_GENERALIZE
	/* grow the string */
	if (!ASN1_STRING_set(ret, NULL, t->length + 2))
		return NULL;
	str = (char *)ret->data;
	/* Work out the century and prepend */
	str = (char *)t->data;
	if (*str >= '5') strcpy(str, "19");
	if (t->data[0] >= '5') strcpy(str, "19");
	else strcpy(str, "20");

	strcat(str, (char *)t->data);
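Review bot: The copy at the end of the hunk still depends on `t->data` being NUL-terminated: `strcat(str, (char *)t->data)` and the `strcpy` of the century digits never consult `t->length`, yet `t->length + 2` is the only size the buffer at `ret->data` was grown to on the line above. An unterminated or over-long UTCTime would run past the end of `ret->data`, so copy by length instead: `memcpy(str, t->data[0] >= '5' ? "19" : "20", 2);` `memcpy(str + 2, t->data, t->length);` `str[t->length + 2] = '\0';`. Whether ASN1_STRING_set() reserves a byte for the trailing NUL, and whether `t` was already checked to be a UTCTime, is decided outside the hunk, so I am assuming both rather than reading them here. ASN1_TIME_to_generalizedtime() starts and ends outside the hunk.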
+4 −0
@@ -454,6 +454,7 @@ OCSP_CERTID *OCSP_onereq_get0_id(OCSP_ONEREQ *one);
int OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd,
			ASN1_OCTET_STRING **pikeyHash,
			ASN1_INTEGER **pserial, OCSP_CERTID *cid);
OCSP_RESPONSE *OCSP_response_create(int status, OCSP_BASICRESP *bs);
OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp,
						OCSP_CERTID *cid,
						int status, int reason,
@@ -562,12 +563,14 @@ void ERR_load_OCSP_strings(void);
#define OCSP_F_CERT_STATUS_NEW				 103
#define OCSP_F_D2I_OCSP_NONCE				 109
#define OCSP_F_OCSP_BASIC_ADD1_STATUS			 118
#define OCSP_F_OCSP_BASIC_SIGN				 119
#define OCSP_F_OCSP_BASIC_VERIFY			 113
#define OCSP_F_OCSP_CHECK_DELEGATED			 117
#define OCSP_F_OCSP_CHECK_IDS				 114
#define OCSP_F_OCSP_CHECK_ISSUER			 115
#define OCSP_F_OCSP_CHECK_NONCE				 112
#define OCSP_F_OCSP_MATCH_ISSUERID			 116
#define OCSP_F_OCSP_REQUEST_SIGN			 120
#define OCSP_F_OCSP_RESPONSE_GET1_BASIC			 111
#define OCSP_F_OCSP_SENDREQ_BIO				 110
#define OCSP_F_REQUEST_VERIFY				 104
@@ -595,6 +598,7 @@ void ERR_load_OCSP_strings(void);
#define OCSP_R_NO_RESPONSE_DATA				 104
#define OCSP_R_NO_REVOKED_TIME				 132
#define OCSP_R_NO_SIGNATURE				 105
#define OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE	 133
#define OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA	 129
#define OCSP_R_REVOKED_NO_TIME				 106
#define OCSP_R_ROOT_CA_NOT_TRUSTED			 127
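Review bot: The new `OCSP_response_create(int status, OCSP_BASICRESP *bs)` prototype in the first hunk says nothing about who owns `bs` afterwards or whether it may be NULL for a non-successful `status`, which is exactly what a caller building an error response needs to know. A one-line comment above the declaration would settle it, e.g. `/* Wrap bs in an OCSP_RESPONSE with the given status; bs may be NULL for non-successful statuses and is not consumed (caller still frees it) -- confirm against ocsp_srv.c */`, with the ownership wording adjusted to match the implementation, which is not visible in this commit page. The added function and reason codes in the other two hunks are consistent with the existing numbering scheme.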
+14 −5
@@ -148,13 +148,21 @@ int OCSP_request_sign(OCSP_REQUEST *req,
	OCSP_SIGNATURE *sig;
	X509 *x;

	if (signer &&
		!OCSP_request_set1_name(req, X509_get_subject_name(signer)))
	if (!OCSP_request_set1_name(req, X509_get_subject_name(signer)))
			goto err;

	if (!(req->optionalSignature = sig = OCSP_SIGNATURE_new())) goto err;
	if (!dgst) dgst = EVP_sha1();
	if (key && !OCSP_REQUEST_sign(req, key, dgst)) goto err;
	if (key)
		{
		if (!X509_check_private_key(signer, key))
			{
			OCSPerr(OCSP_F_OCSP_REQUEST_SIGN, OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
			goto err;
			}
		if (!OCSP_REQUEST_sign(req, key, dgst)) goto err;
		}

	if (!(flags & OCSP_NOCERTS))
		{
		if(!OCSP_request_add1_cert(req, signer)) goto err;
@@ -164,6 +172,7 @@ int OCSP_request_sign(OCSP_REQUEST *req,
			if (!OCSP_request_add1_cert(req, x)) goto err;
			}
		}

	return 1;
err:
	OCSP_SIGNATURE_free(req->optionalSignature);
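Review bot: The new `signer &&` guard at the top of the first hunk makes `signer` optional, but the added `X509_check_private_key(signer, key)` inside `if (key)` and the unchanged `OCSP_request_add1_cert(req, signer)` when `OCSP_NOCERTS` is clear both pass `signer` through unconditionally, so a caller supplying a key and no certificate reaches a NULL dereference (assuming X509_check_private_key() does not tolerate NULL, which is not visible here). Requiring the certificate whenever a key is given keeps the new check meaningful: `if (!signer || !X509_check_private_key(signer, key))` with the existing `OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE` error, or alternatively guard the add1_cert call with `signer &&` and document that an unsigned request without a certificate is allowed. Separately, the `err:` path in the second hunk frees `req->optionalSignature` but leaves the pointer in `req`; since the new check can now fail after `OCSP_SIGNATURE_new()` succeeded, a later `OCSP_REQUEST_free(req)` by the caller would free it again, so add `req->optionalSignature = NULL;` after the free. OCSP_request_sign() starts before the first hunk and its err path continues past the second.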
+3 −0
@@ -73,12 +73,14 @@ static ERR_STRING_DATA OCSP_str_functs[]=
{ERR_PACK(0,OCSP_F_CERT_STATUS_NEW,0),	"CERT_STATUS_NEW"},
{ERR_PACK(0,OCSP_F_D2I_OCSP_NONCE,0),	"D2I_OCSP_NONCE"},
{ERR_PACK(0,OCSP_F_OCSP_BASIC_ADD1_STATUS,0),	"OCSP_basic_add1_status"},
{ERR_PACK(0,OCSP_F_OCSP_BASIC_SIGN,0),	"OCSP_basic_sign"},
{ERR_PACK(0,OCSP_F_OCSP_BASIC_VERIFY,0),	"OCSP_basic_verify"},
{ERR_PACK(0,OCSP_F_OCSP_CHECK_DELEGATED,0),	"OCSP_CHECK_DELEGATED"},
{ERR_PACK(0,OCSP_F_OCSP_CHECK_IDS,0),	"OCSP_CHECK_IDS"},
{ERR_PACK(0,OCSP_F_OCSP_CHECK_ISSUER,0),	"OCSP_CHECK_ISSUER"},
{ERR_PACK(0,OCSP_F_OCSP_CHECK_NONCE,0),	"OCSP_check_nonce"},
{ERR_PACK(0,OCSP_F_OCSP_MATCH_ISSUERID,0),	"OCSP_MATCH_ISSUERID"},
{ERR_PACK(0,OCSP_F_OCSP_REQUEST_SIGN,0),	"OCSP_request_sign"},
{ERR_PACK(0,OCSP_F_OCSP_RESPONSE_GET1_BASIC,0),	"OCSP_response_get1_basic"},
{ERR_PACK(0,OCSP_F_OCSP_SENDREQ_BIO,0),	"OCSP_sendreq_bio"},
{ERR_PACK(0,OCSP_F_REQUEST_VERIFY,0),	"REQUEST_VERIFY"},
@@ -109,6 +111,7 @@ static ERR_STRING_DATA OCSP_str_reasons[]=
{OCSP_R_NO_RESPONSE_DATA                 ,"no response data"},
{OCSP_R_NO_REVOKED_TIME                  ,"no revoked time"},
{OCSP_R_NO_SIGNATURE                     ,"no signature"},
{OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE,"private key does not match certificate"},
{OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA,"response contains no revocation data"},
{OCSP_R_REVOKED_NO_TIME                  ,"revoked no time"},
{OCSP_R_ROOT_CA_NOT_TRUSTED              ,"root ca not trusted"},
+12 −4
@@ -206,15 +206,23 @@ int OCSP_basic_sign(OCSP_BASICRESP *brsp,
	int i;
	OCSP_RESPID *rid;

	if(!(flags & OCSP_NOCERTS) && !OCSP_basic_add1_cert(brsp, signer))
	if (!X509_check_private_key(signer, key))
		{
		OCSPerr(OCSP_F_OCSP_BASIC_SIGN, OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
		goto err;
		}

	if(!(flags & OCSP_NOCERTS))
		{
		if(!OCSP_basic_add1_cert(brsp, signer))
			goto err;
		for (i = 0; i < sk_X509_num(certs); i++)
			{
			X509 *tmpcert = sk_X509_value(certs, i);
			if(!OCSP_basic_add1_cert(brsp, tmpcert))
				goto err;
			}
		}

	rid = brsp->tbsResponseData->responderId;
	if (flags & OCSP_RESPID_KEY)
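Review bot: The new `X509_check_private_key(signer, key)` at the top of the hunk only establishes that `key` corresponds to the public key in `signer`; placed first in a signing routine it reads like an authorization check, and a responder that passes it can still be signing with a certificate that is expired or lacks the OCSP signing purpose. A short comment would prevent that misreading: `/* Consistency check only: key must match signer's public key. Whether signer is entitled to sign this response is the verifier's job (OCSP_basic_verify). */`. As a point of style, the restructured block mixes `if(!(flags & OCSP_NOCERTS))` and `if(!OCSP_basic_add1_cert(` with the `if (` spacing used by the new check and by `if (flags & OCSP_RESPID_KEY)` two lines later. OCSP_basic_sign() starts and ends outside the hunk, so the `err:` cleanup the new check jumps to cannot be reviewed here.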