Loading CHANGES +6 −0 Original line number Diff line number Diff line Loading @@ -3,6 +3,12 @@ Changes between 0.9.6 and 0.9.7 [xx XXX 2000] *) Function OCSP_request_verify(). This checks the signature on an OCSP request and verifies the signer certificate. The signer certificate is just checked for a generic purpose and OCSP request trust settings. [Steve Henson] *) Add OCSP_check_validity() function to check the validity of OCSP responses. OCSP responses are prepared in real time and may only be a few seconds old. Simply checking that the current time lies Loading crypto/ocsp/ocsp.h +5 −1 Original line number Diff line number Diff line Loading @@ -448,7 +448,7 @@ int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd, ASN1_GENERALIZEDTIME *nextupd, long sec, long maxsec); int OCSP_request_verify(OCSP_REQUEST *req, EVP_PKEY *pkey); int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs, X509_STORE *store, unsigned long flags); int OCSP_parse_url(char *url, char **phost, char **pport, char **ppath, int *pssl); Loading @@ -461,6 +461,7 @@ OCSP_CERTID *OCSP_onereq_get0_id(OCSP_ONEREQ *one); int OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd, ASN1_OCTET_STRING **pikeyHash, ASN1_INTEGER **pserial, OCSP_CERTID *cid); int OCSP_request_is_signed(OCSP_REQUEST *req); OCSP_RESPONSE *OCSP_response_create(int status, OCSP_BASICRESP *bs); OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp, OCSP_CERTID *cid, Loading Loading @@ -576,6 +577,7 @@ void ERR_load_OCSP_strings(void); #define OCSP_F_OCSP_MATCH_ISSUERID 109 #define OCSP_F_OCSP_PARSE_URL 114 #define OCSP_F_OCSP_REQUEST_SIGN 110 #define OCSP_F_OCSP_REQUEST_VERIFY 116 #define OCSP_F_OCSP_RESPONSE_GET1_BASIC 111 #define OCSP_F_OCSP_SENDREQ_BIO 112 #define OCSP_F_REQUEST_VERIFY 113 Loading 
@@ -596,6 +598,7 @@ void ERR_load_OCSP_strings(void); #define OCSP_R_NO_RESPONSE_DATA 108 #define OCSP_R_NO_REVOKED_TIME 109 #define OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE 110 #define OCSP_R_REQUEST_NOT_SIGNED 128 #define OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA 111 #define OCSP_R_ROOT_CA_NOT_TRUSTED 112 #define OCSP_R_SERVER_READ_ERROR 113 Loading @@ -609,6 +612,7 @@ void ERR_load_OCSP_strings(void); #define OCSP_R_STATUS_TOO_OLD 127 #define OCSP_R_UNKNOWN_MESSAGE_DIGEST 119 #define OCSP_R_UNKNOWN_NID 120 #define OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE 129 #ifdef __cplusplus } Loading crypto/ocsp/ocsp_err.c +3 −0 Original line number Diff line number Diff line Loading @@ -79,6 +79,7 @@ static ERR_STRING_DATA OCSP_str_functs[]= {ERR_PACK(0,OCSP_F_OCSP_MATCH_ISSUERID,0), "OCSP_MATCH_ISSUERID"}, {ERR_PACK(0,OCSP_F_OCSP_PARSE_URL,0), "OCSP_parse_url"}, {ERR_PACK(0,OCSP_F_OCSP_REQUEST_SIGN,0), "OCSP_request_sign"}, {ERR_PACK(0,OCSP_F_OCSP_REQUEST_VERIFY,0), "OCSP_request_verify"}, {ERR_PACK(0,OCSP_F_OCSP_RESPONSE_GET1_BASIC,0), "OCSP_response_get1_basic"}, {ERR_PACK(0,OCSP_F_OCSP_SENDREQ_BIO,0), "OCSP_sendreq_bio"}, {ERR_PACK(0,OCSP_F_REQUEST_VERIFY,0), "REQUEST_VERIFY"}, Loading @@ -102,6 +103,7 @@ static ERR_STRING_DATA OCSP_str_reasons[]= {OCSP_R_NO_RESPONSE_DATA ,"no response data"}, {OCSP_R_NO_REVOKED_TIME ,"no revoked time"}, {OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE,"private key does not match certificate"}, {OCSP_R_REQUEST_NOT_SIGNED ,"request not signed"}, {OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA,"response contains no revocation data"}, {OCSP_R_ROOT_CA_NOT_TRUSTED ,"root ca not trusted"}, {OCSP_R_SERVER_READ_ERROR ,"server read error"}, Loading 
@@ -115,6 +117,7 @@ static ERR_STRING_DATA OCSP_str_reasons[]= {OCSP_R_STATUS_TOO_OLD ,"status too old"}, {OCSP_R_UNKNOWN_MESSAGE_DIGEST ,"unknown message digest"}, {OCSP_R_UNKNOWN_NID ,"unknown nid"}, {OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE ,"unsupported requestorname type"}, {0,NULL} }; Loading crypto/ocsp/ocsp_lib.c +0 −18 Original line number Diff line number Diff line Loading @@ -158,24 +158,6 @@ int OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b) return ASN1_INTEGER_cmp(a->serialNumber, b->serialNumber); } /* XXX assumes certs in signature are sorted root to leaf XXX */ int OCSP_request_verify(OCSP_REQUEST *req, EVP_PKEY *pkey) { STACK_OF(X509) *sk; if (!req->optionalSignature) return 0; if (pkey == NULL) { if (!(sk = req->optionalSignature->certs)) return 0; if (!(pkey=X509_get_pubkey(sk_X509_value(sk, sk_X509_num(sk)-1)))) { OCSPerr(OCSP_F_REQUEST_VERIFY,OCSP_R_NO_PUBLIC_KEY); return 0; } } return OCSP_REQUEST_verify(req, pkey); } /* Parse a URL and split it up into host, port and path components and whether * it is SSL. Loading crypto/ocsp/ocsp_srv.c +6 −0 Original line number Diff line number Diff line Loading @@ -96,6 +96,12 @@ int OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd, return 1; } int OCSP_request_is_signed(OCSP_REQUEST *req) { if(req->optionalSignature) return 1; return 0; } /* Create an OCSP response and encode an optional basic response */ OCSP_RESPONSE *OCSP_response_create(int status, OCSP_BASICRESP *bs) { Loading Loading
CHANGES +6 −0 Original line number Diff line number Diff line Loading @@ -3,6 +3,12 @@ Changes between 0.9.6 and 0.9.7 [xx XXX 2000] *) Function OCSP_request_verify(). This checks the signature on an OCSP request and verifies the signer certificate. The signer certificate is just checked for a generic purpose and OCSP request trust settings. [Steve Henson] *) Add OCSP_check_validity() function to check the validity of OCSP responses. OCSP responses are prepared in real time and may only be a few seconds old. Simply checking that the current time lies Loading
crypto/ocsp/ocsp.h +5 −1 Original line number Diff line number Diff line Loading @@ -448,7 +448,7 @@ int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd, ASN1_GENERALIZEDTIME *nextupd, long sec, long maxsec); int OCSP_request_verify(OCSP_REQUEST *req, EVP_PKEY *pkey); int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs, X509_STORE *store, unsigned long flags); int OCSP_parse_url(char *url, char **phost, char **pport, char **ppath, int *pssl); Loading @@ -461,6 +461,7 @@ OCSP_CERTID *OCSP_onereq_get0_id(OCSP_ONEREQ *one); int OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd, ASN1_OCTET_STRING **pikeyHash, ASN1_INTEGER **pserial, OCSP_CERTID *cid); int OCSP_request_is_signed(OCSP_REQUEST *req); OCSP_RESPONSE *OCSP_response_create(int status, OCSP_BASICRESP *bs); OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp, OCSP_CERTID *cid, Loading Loading @@ -576,6 +577,7 @@ void ERR_load_OCSP_strings(void); #define OCSP_F_OCSP_MATCH_ISSUERID 109 #define OCSP_F_OCSP_PARSE_URL 114 #define OCSP_F_OCSP_REQUEST_SIGN 110 #define OCSP_F_OCSP_REQUEST_VERIFY 116 #define OCSP_F_OCSP_RESPONSE_GET1_BASIC 111 #define OCSP_F_OCSP_SENDREQ_BIO 112 #define OCSP_F_REQUEST_VERIFY 113 Loading @@ -596,6 +598,7 @@ void ERR_load_OCSP_strings(void); #define OCSP_R_NO_RESPONSE_DATA 108 #define OCSP_R_NO_REVOKED_TIME 109 #define OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE 110 #define OCSP_R_REQUEST_NOT_SIGNED 128 #define OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA 111 #define OCSP_R_ROOT_CA_NOT_TRUSTED 112 #define OCSP_R_SERVER_READ_ERROR 113 Loading @@ -609,6 +612,7 @@ void ERR_load_OCSP_strings(void); #define OCSP_R_STATUS_TOO_OLD 127 #define OCSP_R_UNKNOWN_MESSAGE_DIGEST 119 #define OCSP_R_UNKNOWN_NID 120 #define OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE 129 #ifdef __cplusplus } Loading
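Review bot: The new OCSP_request_verify prototype takes `unsigned long flags`, but the header hunk says nothing about which bits it honours, and no flag constants are added on this page; a comment above the prototype such as `/* flags: the OCSP_NO* bits accepted by OCSP_basic_verify apply here too */` would stop callers guessing (presumably it mirrors OCSP_basic_verify, which already has this signature shape — confirm against the definition). That definition is not on this page: only the declaration, the CHANGES entry and the removal of the old EVP_PKEY-based body in ocsp_lib.c are visible, so it presumably lands in a file outside this view. The old function code `OCSP_F_REQUEST_VERIFY 113` is kept although its only visible user was the deleted ocsp_lib.c body, and ocsp_err.c keeps the "REQUEST_VERIFY" string next to the new "OCSP_request_verify" one; if nothing else references 113 it is now dead and will confuse anyone reading error output. The same sections appear again in the collapsed listing at the top of the page.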
crypto/ocsp/ocsp_err.c +3 −0 Original line number Diff line number Diff line Loading @@ -79,6 +79,7 @@ static ERR_STRING_DATA OCSP_str_functs[]= {ERR_PACK(0,OCSP_F_OCSP_MATCH_ISSUERID,0), "OCSP_MATCH_ISSUERID"}, {ERR_PACK(0,OCSP_F_OCSP_PARSE_URL,0), "OCSP_parse_url"}, {ERR_PACK(0,OCSP_F_OCSP_REQUEST_SIGN,0), "OCSP_request_sign"}, {ERR_PACK(0,OCSP_F_OCSP_REQUEST_VERIFY,0), "OCSP_request_verify"}, {ERR_PACK(0,OCSP_F_OCSP_RESPONSE_GET1_BASIC,0), "OCSP_response_get1_basic"}, {ERR_PACK(0,OCSP_F_OCSP_SENDREQ_BIO,0), "OCSP_sendreq_bio"}, {ERR_PACK(0,OCSP_F_REQUEST_VERIFY,0), "REQUEST_VERIFY"}, Loading @@ -102,6 +103,7 @@ static ERR_STRING_DATA OCSP_str_reasons[]= {OCSP_R_NO_RESPONSE_DATA ,"no response data"}, {OCSP_R_NO_REVOKED_TIME ,"no revoked time"}, {OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE,"private key does not match certificate"}, {OCSP_R_REQUEST_NOT_SIGNED ,"request not signed"}, {OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA,"response contains no revocation data"}, {OCSP_R_ROOT_CA_NOT_TRUSTED ,"root ca not trusted"}, {OCSP_R_SERVER_READ_ERROR ,"server read error"}, Loading @@ -115,6 +117,7 @@ static ERR_STRING_DATA OCSP_str_reasons[]= {OCSP_R_STATUS_TOO_OLD ,"status too old"}, {OCSP_R_UNKNOWN_MESSAGE_DIGEST ,"unknown message digest"}, {OCSP_R_UNKNOWN_NID ,"unknown nid"}, {OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE ,"unsupported requestorname type"}, {0,NULL} }; Loading
crypto/ocsp/ocsp_lib.c +0 −18 Original line number Diff line number Diff line Loading @@ -158,24 +158,6 @@ int OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b) return ASN1_INTEGER_cmp(a->serialNumber, b->serialNumber); } /* XXX assumes certs in signature are sorted root to leaf XXX */ int OCSP_request_verify(OCSP_REQUEST *req, EVP_PKEY *pkey) { STACK_OF(X509) *sk; if (!req->optionalSignature) return 0; if (pkey == NULL) { if (!(sk = req->optionalSignature->certs)) return 0; if (!(pkey=X509_get_pubkey(sk_X509_value(sk, sk_X509_num(sk)-1)))) { OCSPerr(OCSP_F_REQUEST_VERIFY,OCSP_R_NO_PUBLIC_KEY); return 0; } } return OCSP_REQUEST_verify(req, pkey); } /* Parse a URL and split it up into host, port and path components and whether * it is SSL. Loading
crypto/ocsp/ocsp_srv.c +6 −0 Original line number Diff line number Diff line Loading @@ -96,6 +96,12 @@ int OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd, return 1; } int OCSP_request_is_signed(OCSP_REQUEST *req) { if(req->optionalSignature) return 1; return 0; } /* Create an OCSP response and encode an optional basic response */ OCSP_RESPONSE *OCSP_response_create(int status, OCSP_BASICRESP *bs) { Loading
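Review bot: OCSP_request_is_signed reports only that an optionalSignature element is present, not that it verifies, and unlike its neighbour OCSP_response_create it carries no comment, so a reader can easily take "is signed" to mean "signature checked". Add above it `/* Return 1 if the request carries a signature element, 0 otherwise. Presence only: use OCSP_request_verify() to check it. */`. The if/return pair could also be written as `return req->optionalSignature != NULL;`, which reads as the predicate it is. Like the removed ocsp_lib.c implementation it dereferences req unconditionally, which matches the accessor convention in this file, so I would not add a NULL check. The section is repeated in the collapsed listing at the top of the page.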