source: EcnlProtoTool/trunk/openssl-1.1.0e/crypto/ocsp/ocsp_srv.c@ 331

Last change on this file since 331 was 331, checked in by coas-nagasima, 6 years ago

prototoolに関連するプロジェクトをnewlibからmuslを使うよう変更・更新
ntshellをnewlibの下位の実装から、muslのsyscallの実装に変更・更新
以下のOSSをアップデート
・mruby-1.3.0
・musl-1.1.18
・onigmo-6.1.3
・tcc-0.9.27
以下のOSSを追加
・openssl-1.1.0e
・curl-7.57.0
・zlib-1.2.11
以下のmrbgemsを追加
・iij/mruby-digest
・iij/mruby-env
・iij/mruby-errno
・iij/mruby-iijson
・iij/mruby-ipaddr
・iij/mruby-mock
・iij/mruby-require
・iij/mruby-tls-openssl
  • Property svn:eol-style set to native
  • Property svn:mime-type set to text/x-csrc
File size: 7.4 KB
Line 
1/*
2 * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10#include <stdio.h>
11#include "internal/cryptlib.h"
12#include <openssl/objects.h>
13#include <openssl/x509.h>
14#include <openssl/pem.h>
15#include <openssl/x509v3.h>
16#include <openssl/ocsp.h>
17#include "ocsp_lcl.h"
18
19/*
20 * Utility functions related to sending OCSP responses and extracting
21 * relevant information from the request.
22 */
23
24int OCSP_request_onereq_count(OCSP_REQUEST *req)
25{
26 return sk_OCSP_ONEREQ_num(req->tbsRequest.requestList);
27}
28
29OCSP_ONEREQ *OCSP_request_onereq_get0(OCSP_REQUEST *req, int i)
30{
31 return sk_OCSP_ONEREQ_value(req->tbsRequest.requestList, i);
32}
33
34OCSP_CERTID *OCSP_onereq_get0_id(OCSP_ONEREQ *one)
35{
36 return one->reqCert;
37}
38
39int OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd,
40 ASN1_OCTET_STRING **pikeyHash,
41 ASN1_INTEGER **pserial, OCSP_CERTID *cid)
42{
43 if (!cid)
44 return 0;
45 if (pmd)
46 *pmd = cid->hashAlgorithm.algorithm;
47 if (piNameHash)
48 *piNameHash = &cid->issuerNameHash;
49 if (pikeyHash)
50 *pikeyHash = &cid->issuerKeyHash;
51 if (pserial)
52 *pserial = &cid->serialNumber;
53 return 1;
54}
55
56int OCSP_request_is_signed(OCSP_REQUEST *req)
57{
58 if (req->optionalSignature)
59 return 1;
60 return 0;
61}
62
63/* Create an OCSP response and encode an optional basic response */
64OCSP_RESPONSE *OCSP_response_create(int status, OCSP_BASICRESP *bs)
65{
66 OCSP_RESPONSE *rsp = NULL;
67
68 if ((rsp = OCSP_RESPONSE_new()) == NULL)
69 goto err;
70 if (!(ASN1_ENUMERATED_set(rsp->responseStatus, status)))
71 goto err;
72 if (!bs)
73 return rsp;
74 if ((rsp->responseBytes = OCSP_RESPBYTES_new()) == NULL)
75 goto err;
76 rsp->responseBytes->responseType = OBJ_nid2obj(NID_id_pkix_OCSP_basic);
77 if (!ASN1_item_pack
78 (bs, ASN1_ITEM_rptr(OCSP_BASICRESP), &rsp->responseBytes->response))
79 goto err;
80 return rsp;
81 err:
82 OCSP_RESPONSE_free(rsp);
83 return NULL;
84}
85
86OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp,
87 OCSP_CERTID *cid,
88 int status, int reason,
89 ASN1_TIME *revtime,
90 ASN1_TIME *thisupd,
91 ASN1_TIME *nextupd)
92{
93 OCSP_SINGLERESP *single = NULL;
94 OCSP_CERTSTATUS *cs;
95 OCSP_REVOKEDINFO *ri;
96
97 if (rsp->tbsResponseData.responses == NULL
98 && (rsp->tbsResponseData.responses
99 = sk_OCSP_SINGLERESP_new_null()) == NULL)
100 goto err;
101
102 if ((single = OCSP_SINGLERESP_new()) == NULL)
103 goto err;
104
105 if (!ASN1_TIME_to_generalizedtime(thisupd, &single->thisUpdate))
106 goto err;
107 if (nextupd &&
108 !ASN1_TIME_to_generalizedtime(nextupd, &single->nextUpdate))
109 goto err;
110
111 OCSP_CERTID_free(single->certId);
112
113 if ((single->certId = OCSP_CERTID_dup(cid)) == NULL)
114 goto err;
115
116 cs = single->certStatus;
117 switch (cs->type = status) {
118 case V_OCSP_CERTSTATUS_REVOKED:
119 if (!revtime) {
120 OCSPerr(OCSP_F_OCSP_BASIC_ADD1_STATUS, OCSP_R_NO_REVOKED_TIME);
121 goto err;
122 }
123 if ((cs->value.revoked = ri = OCSP_REVOKEDINFO_new()) == NULL)
124 goto err;
125 if (!ASN1_TIME_to_generalizedtime(revtime, &ri->revocationTime))
126 goto err;
127 if (reason != OCSP_REVOKED_STATUS_NOSTATUS) {
128 if ((ri->revocationReason = ASN1_ENUMERATED_new()) == NULL)
129 goto err;
130 if (!(ASN1_ENUMERATED_set(ri->revocationReason, reason)))
131 goto err;
132 }
133 break;
134
135 case V_OCSP_CERTSTATUS_GOOD:
136 if ((cs->value.good = ASN1_NULL_new()) == NULL)
137 goto err;
138 break;
139
140 case V_OCSP_CERTSTATUS_UNKNOWN:
141 if ((cs->value.unknown = ASN1_NULL_new()) == NULL)
142 goto err;
143 break;
144
145 default:
146 goto err;
147
148 }
149 if (!(sk_OCSP_SINGLERESP_push(rsp->tbsResponseData.responses, single)))
150 goto err;
151 return single;
152 err:
153 OCSP_SINGLERESP_free(single);
154 return NULL;
155}
156
157/* Add a certificate to an OCSP request */
158
159int OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert)
160{
161 if (resp->certs == NULL
162 && (resp->certs = sk_X509_new_null()) == NULL)
163 return 0;
164
165 if (!sk_X509_push(resp->certs, cert))
166 return 0;
167 X509_up_ref(cert);
168 return 1;
169}
170
171int OCSP_basic_sign(OCSP_BASICRESP *brsp,
172 X509 *signer, EVP_PKEY *key, const EVP_MD *dgst,
173 STACK_OF(X509) *certs, unsigned long flags)
174{
175 int i;
176 OCSP_RESPID *rid;
177
178 if (!X509_check_private_key(signer, key)) {
179 OCSPerr(OCSP_F_OCSP_BASIC_SIGN,
180 OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
181 goto err;
182 }
183
184 if (!(flags & OCSP_NOCERTS)) {
185 if (!OCSP_basic_add1_cert(brsp, signer))
186 goto err;
187 for (i = 0; i < sk_X509_num(certs); i++) {
188 X509 *tmpcert = sk_X509_value(certs, i);
189 if (!OCSP_basic_add1_cert(brsp, tmpcert))
190 goto err;
191 }
192 }
193
194 rid = &brsp->tbsResponseData.responderId;
195 if (flags & OCSP_RESPID_KEY) {
196 if (!OCSP_RESPID_set_by_key(rid, signer))
197 goto err;
198 } else if (!OCSP_RESPID_set_by_name(rid, signer)) {
199 goto err;
200 }
201
202 if (!(flags & OCSP_NOTIME) &&
203 !X509_gmtime_adj(brsp->tbsResponseData.producedAt, 0))
204 goto err;
205
206 /*
207 * Right now, I think that not doing double hashing is the right thing.
208 * -- Richard Levitte
209 */
210
211 if (!OCSP_BASICRESP_sign(brsp, key, dgst, 0))
212 goto err;
213
214 return 1;
215 err:
216 return 0;
217}
218
219int OCSP_RESPID_set_by_name(OCSP_RESPID *respid, X509 *cert)
220{
221 if (!X509_NAME_set(&respid->value.byName, X509_get_subject_name(cert)))
222 return 0;
223
224 respid->type = V_OCSP_RESPID_NAME;
225
226 return 1;
227}
228
229int OCSP_RESPID_set_by_key(OCSP_RESPID *respid, X509 *cert)
230{
231 ASN1_OCTET_STRING *byKey = NULL;
232 unsigned char md[SHA_DIGEST_LENGTH];
233
234 /* RFC2560 requires SHA1 */
235 if (!X509_pubkey_digest(cert, EVP_sha1(), md, NULL))
236 return 0;
237
238 byKey = ASN1_OCTET_STRING_new();
239 if (byKey == NULL)
240 return 0;
241
242 if (!(ASN1_OCTET_STRING_set(byKey, md, SHA_DIGEST_LENGTH))) {
243 ASN1_OCTET_STRING_free(byKey);
244 return 0;
245 }
246
247 respid->type = V_OCSP_RESPID_KEY;
248 respid->value.byKey = byKey;
249
250 return 1;
251}
252
253int OCSP_RESPID_match(OCSP_RESPID *respid, X509 *cert)
254{
255 if (respid->type == V_OCSP_RESPID_KEY) {
256 unsigned char md[SHA_DIGEST_LENGTH];
257
258 if (respid->value.byKey == NULL)
259 return 0;
260
261 /* RFC2560 requires SHA1 */
262 if (!X509_pubkey_digest(cert, EVP_sha1(), md, NULL))
263 return 0;
264
265 return (ASN1_STRING_length(respid->value.byKey) == SHA_DIGEST_LENGTH)
266 && (memcmp(ASN1_STRING_get0_data(respid->value.byKey), md,
267 SHA_DIGEST_LENGTH) == 0);
268 } else if(respid->type == V_OCSP_RESPID_NAME) {
269 if (respid->value.byName == NULL)
270 return 0;
271
272 return X509_NAME_cmp(respid->value.byName,
273 X509_get_subject_name(cert)) == 0;
274 }
275
276 return 0;
277}
Note: See TracBrowser for help on using the repository browser.