From 2b916952a8de5b1197169801925dad74aa3360cd Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Sun, 4 Feb 2001 03:04:43 +0000 Subject: [PATCH] Fix ASN1_TIME_to_generlizedtime(). Add protoype for OCSP_response_create(). Add OCSP_request_sign() and OCSP_basic_sign() private key and certificate checks and make OCSP_NOCERTS consistent with PKCS7_NOCERTS --- crypto/asn1/a_time.c | 4 ++-- crypto/ocsp/ocsp.h | 4 ++++ crypto/ocsp/ocsp_cl.c | 19 ++++++++++++++----- crypto/ocsp/ocsp_err.c | 3 +++ crypto/ocsp/ocsp_srv.c | 20 ++++++++++++++------ 5 files changed, 37 insertions(+), 13 deletions(-) diff --git a/crypto/asn1/a_time.c b/crypto/asn1/a_time.c index 03788a7d62..4c6b37ba06 100644 --- a/crypto/asn1/a_time.c +++ b/crypto/asn1/a_time.c @@ -149,9 +149,9 @@ ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(ASN1_TIME *t, ASN1_GENERALIZE /* grow the string */ if (!ASN1_STRING_set(ret, NULL, t->length + 2)) return NULL; + str = (char *)ret->data; /* Work out the century and prepend */ - str = (char *)t->data; - if (*str >= '5') strcpy(str, "19"); + if (t->data[0] >= '5') strcpy(str, "19"); else strcpy(str, "20"); strcat(str, (char *)t->data); diff --git a/crypto/ocsp/ocsp.h b/crypto/ocsp/ocsp.h index ca748a0fed..f77c4fd039 100644 --- a/crypto/ocsp/ocsp.h +++ b/crypto/ocsp/ocsp.h @@ -454,6 +454,7 @@ OCSP_CERTID *OCSP_onereq_get0_id(OCSP_ONEREQ *one); int OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd, ASN1_OCTET_STRING **pikeyHash, ASN1_INTEGER **pserial, OCSP_CERTID *cid); +OCSP_RESPONSE *OCSP_response_create(int status, OCSP_BASICRESP *bs); OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp, OCSP_CERTID *cid, int status, int reason, @@ -562,12 +563,14 @@ void ERR_load_OCSP_strings(void); #define OCSP_F_CERT_STATUS_NEW 103 #define OCSP_F_D2I_OCSP_NONCE 109 #define OCSP_F_OCSP_BASIC_ADD1_STATUS 118 +#define OCSP_F_OCSP_BASIC_SIGN 119 #define OCSP_F_OCSP_BASIC_VERIFY 113 #define OCSP_F_OCSP_CHECK_DELEGATED 117 #define OCSP_F_OCSP_CHECK_IDS 114 #define OCSP_F_OCSP_CHECK_ISSUER 115 #define OCSP_F_OCSP_CHECK_NONCE 112 #define OCSP_F_OCSP_MATCH_ISSUERID 116 +#define OCSP_F_OCSP_REQUEST_SIGN 120 #define OCSP_F_OCSP_RESPONSE_GET1_BASIC 111 #define OCSP_F_OCSP_SENDREQ_BIO 110 #define OCSP_F_REQUEST_VERIFY 104 @@ -595,6 +598,7 @@ void ERR_load_OCSP_strings(void); #define OCSP_R_NO_RESPONSE_DATA 104 #define OCSP_R_NO_REVOKED_TIME 132 #define OCSP_R_NO_SIGNATURE 105 +#define OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE 133 #define OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA 129 #define OCSP_R_REVOKED_NO_TIME 106 #define OCSP_R_ROOT_CA_NOT_TRUSTED 127 diff --git a/crypto/ocsp/ocsp_cl.c b/crypto/ocsp/ocsp_cl.c index 34c3969bcc..7b3e742e4a 100644 --- a/crypto/ocsp/ocsp_cl.c +++ b/crypto/ocsp/ocsp_cl.c @@ -148,22 +148,31 @@ int OCSP_request_sign(OCSP_REQUEST *req, OCSP_SIGNATURE *sig; X509 *x; - if (signer && - !OCSP_request_set1_name(req, X509_get_subject_name(signer))) + if (!OCSP_request_set1_name(req, X509_get_subject_name(signer))) goto err; if (!(req->optionalSignature = sig = OCSP_SIGNATURE_new())) goto err; if (!dgst) dgst = EVP_sha1(); - if (key && !OCSP_REQUEST_sign(req, key, dgst)) goto err; + if (key) + { + if (!X509_check_private_key(signer, key)) + { + OCSPerr(OCSP_F_OCSP_REQUEST_SIGN, OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE); + goto err; + } + if (!OCSP_REQUEST_sign(req, key, dgst)) goto err; + } + if (!(flags & OCSP_NOCERTS)) { - if (!OCSP_request_add1_cert(req, signer)) goto err; - for (i = 0; i < sk_X509_num(certs); i++) + if(!OCSP_request_add1_cert(req, signer)) goto err; + for (i = 0; i < sk_X509_num(certs); i++) { x = sk_X509_value(certs, i); if (!OCSP_request_add1_cert(req, x)) goto err; } } + return 1; err: OCSP_SIGNATURE_free(req->optionalSignature); diff --git a/crypto/ocsp/ocsp_err.c b/crypto/ocsp/ocsp_err.c index e1b2e3444d..abf8307397 100644 --- a/crypto/ocsp/ocsp_err.c +++ b/crypto/ocsp/ocsp_err.c @@ -73,12 +73,14 @@ static ERR_STRING_DATA OCSP_str_functs[]= {ERR_PACK(0,OCSP_F_CERT_STATUS_NEW,0), "CERT_STATUS_NEW"}, {ERR_PACK(0,OCSP_F_D2I_OCSP_NONCE,0), "D2I_OCSP_NONCE"}, {ERR_PACK(0,OCSP_F_OCSP_BASIC_ADD1_STATUS,0), "OCSP_basic_add1_status"}, +{ERR_PACK(0,OCSP_F_OCSP_BASIC_SIGN,0), "OCSP_basic_sign"}, {ERR_PACK(0,OCSP_F_OCSP_BASIC_VERIFY,0), "OCSP_basic_verify"}, {ERR_PACK(0,OCSP_F_OCSP_CHECK_DELEGATED,0), "OCSP_CHECK_DELEGATED"}, {ERR_PACK(0,OCSP_F_OCSP_CHECK_IDS,0), "OCSP_CHECK_IDS"}, {ERR_PACK(0,OCSP_F_OCSP_CHECK_ISSUER,0), "OCSP_CHECK_ISSUER"}, {ERR_PACK(0,OCSP_F_OCSP_CHECK_NONCE,0), "OCSP_check_nonce"}, {ERR_PACK(0,OCSP_F_OCSP_MATCH_ISSUERID,0), "OCSP_MATCH_ISSUERID"}, +{ERR_PACK(0,OCSP_F_OCSP_REQUEST_SIGN,0), "OCSP_request_sign"}, {ERR_PACK(0,OCSP_F_OCSP_RESPONSE_GET1_BASIC,0), "OCSP_response_get1_basic"}, {ERR_PACK(0,OCSP_F_OCSP_SENDREQ_BIO,0), "OCSP_sendreq_bio"}, {ERR_PACK(0,OCSP_F_REQUEST_VERIFY,0), "REQUEST_VERIFY"}, @@ -109,6 +111,7 @@ static ERR_STRING_DATA OCSP_str_reasons[]= {OCSP_R_NO_RESPONSE_DATA ,"no response data"}, {OCSP_R_NO_REVOKED_TIME ,"no revoked time"}, {OCSP_R_NO_SIGNATURE ,"no signature"}, +{OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE,"private key does not match certificate"}, {OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA,"response contains no revocation data"}, {OCSP_R_REVOKED_NO_TIME ,"revoked no time"}, {OCSP_R_ROOT_CA_NOT_TRUSTED ,"root ca not trusted"}, diff --git a/crypto/ocsp/ocsp_srv.c b/crypto/ocsp/ocsp_srv.c index b83992896f..5743f9c754 100644 --- a/crypto/ocsp/ocsp_srv.c +++ b/crypto/ocsp/ocsp_srv.c @@ -206,14 +206,22 @@ int OCSP_basic_sign(OCSP_BASICRESP *brsp, int i; OCSP_RESPID *rid; - if(!(flags & OCSP_NOCERTS) && !OCSP_basic_add1_cert(brsp, signer)) - goto err; - - for (i = 0; i < sk_X509_num(certs); i++) + if (!X509_check_private_key(signer, key)) { - X509 *tmpcert = sk_X509_value(certs, i); - if(!OCSP_basic_add1_cert(brsp, tmpcert)) + OCSPerr(OCSP_F_OCSP_BASIC_SIGN, OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE); + goto err; + } + + if(!(flags & OCSP_NOCERTS)) + { + if(!OCSP_basic_add1_cert(brsp, signer)) + goto err; + for (i = 0; i < sk_X509_num(certs); i++) + { + X509 *tmpcert = sk_X509_value(certs, i); + if(!OCSP_basic_add1_cert(brsp, tmpcert)) goto err; + } } rid = brsp->tbsResponseData->responderId;