Tabification. Remove accidental duplication.
[openssl.git] / crypto / ocsp / ocsp_vfy.c
index 8868c98..214b402 100644 (file)
@@ -1,9 +1,9 @@
 /* ocsp_vfy.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2000.
  */
 /* ====================================================================
- * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 2000-2004 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
 
 #include <openssl/ocsp.h>
 #include <openssl/err.h>
+#include <string.h>
 
-static X509 *ocsp_find_signer(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
+static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
                                X509_STORE *st, unsigned long flags);
 static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id);
 static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain, unsigned long flags);
 static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, OCSP_CERTID **ret);
 static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid, STACK_OF(OCSP_SINGLERESP) *sresp);
 static int ocsp_check_delegated(X509 *x, int flags);
+static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req, X509_NAME *nm, STACK_OF(X509) *certs,
+                               X509_STORE *st, unsigned long flags);
 
 /* Verify a basic response message */
 
@@ -74,14 +77,18 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
        {
        X509 *signer, *x;
        STACK_OF(X509) *chain = NULL;
+       STACK_OF(X509) *tmpchain = NULL;
+       X509_STORE *tmpstore = NULL;
        X509_STORE_CTX ctx;
-       int i, ret = 0;
-       signer = ocsp_find_signer(bs, certs, st, flags);
-       if (!signer)
+       int i, ret;
+       ret = ocsp_find_signer(&signer, bs, certs, st, flags);
+       if (!ret)
                {
                OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND);
                goto end;
                }
+       if ((ret == 2) && (flags & OCSP_TRUSTOTHER))
+               chain = certs;
        if (!(flags & OCSP_NOSIGS))
                {
                EVP_PKEY *skey;
@@ -96,23 +103,86 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
                }
        if (!(flags & OCSP_NOVERIFY))
                {
+               int init_res;
+
+               /* If we trust the signer, we don't need to build a chain.
+                * (If the signer is a root certificate, X509_verify_cert()
+                * would fail anyway!)
+                */
+               if (chain == certs) goto verified_chain;
+
+               /* If we trust some "other" certificates, mark them as
+                * explicitly trusted (because some of them might be
+                * Intermediate CA Certificates), put them in a store and
+                * attempt to build a trusted chain.
+                */
+               if ((flags & OCSP_TRUSTOTHER) && (certs != NULL))
+                       {
+                       ASN1_OBJECT *objtmp = OBJ_nid2obj(NID_OCSP_sign);
+                       tmpstore = X509_STORE_new();
+                       if (!tmpstore)
+                               {
+                               ret = -1;
+                               OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_MALLOC_FAILURE);
+                               goto end;
+                               }
+                       for (i = 0; i < sk_X509_num(certs); i++)
+                               {
+                               X509 *xother = sk_X509_value(certs, i);
+                               X509_add1_trust_object(xother, objtmp);
+                               if (!X509_STORE_add_cert(tmpstore, xother))
+                                       {
+                                       ret = -1;
+                                       goto end;
+                                       }
+                               }
+
+                       init_res = X509_STORE_CTX_init(&ctx, tmpstore, signer, NULL);
+                       if (!init_res)
+                               {
+                               ret = -1;
+                               OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,ERR_R_X509_LIB);
+                               goto end;
+                               }
+                       X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_OCSP_HELPER);
+                       ret = X509_verify_cert(&ctx);
+                       if (ret == 1)
+                               {
+                               chain = tmpchain = X509_STORE_CTX_get1_chain(&ctx);
+                               X509_STORE_CTX_cleanup(&ctx);
+                               goto verified_chain;
+                               }
+                       X509_STORE_CTX_cleanup(&ctx);
+                       }
+
+               /* Attempt to build a chain up to a Root Certificate in the
+                * trust store provided by the caller.
+                */
                if(flags & OCSP_NOCHAIN)
-                       X509_STORE_CTX_init(&ctx, st, signer, NULL);
+                       init_res = X509_STORE_CTX_init(&ctx, st, signer, NULL);
                else
-                       X509_STORE_CTX_init(&ctx, st, signer, bs->certs);
+                       init_res = X509_STORE_CTX_init(&ctx, st, signer, bs->certs);
+               if(!init_res)
+                       {
+                       ret = -1;
+                       OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,ERR_R_X509_LIB);
+                       goto end;
+                       }
 
                X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_OCSP_HELPER);
                ret = X509_verify_cert(&ctx);
-               chain = X509_STORE_CTX_get1_chain(&ctx);
+               chain = tmpchain = X509_STORE_CTX_get1_chain(&ctx);
                X509_STORE_CTX_cleanup(&ctx);
-                if (ret <= 0)
+               if (ret <= 0)
                        {
                        i = X509_STORE_CTX_get_error(&ctx);     
                        OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,OCSP_R_CERTIFICATE_VERIFY_ERROR);
                        ERR_add_error_data(2, "Verify error:",
                                        X509_verify_cert_error_string(i));
-                        goto end;
-                       }
+                       goto end;
+                       }
+
+       verified_chain:
                if(flags & OCSP_NOCHECKS)
                        {
                        ret = 1;
@@ -139,28 +209,36 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
                        }
                ret = 1;
                }
-               
+
 
 
        end:
-       if(chain) sk_X509_pop_free(chain, X509_free);
+       if(tmpchain) sk_X509_pop_free(tmpchain, X509_free);
+       if(tmpstore) X509_STORE_free(tmpstore);
        return ret;
        }
 
 
-static X509 *ocsp_find_signer(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
+static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
                                X509_STORE *st, unsigned long flags)
        {
        X509 *signer;
        OCSP_RESPID *rid = bs->tbsResponseData->responderId;
        if ((signer = ocsp_find_signer_sk(certs, rid)))
-               return signer;
+               {
+               *psigner = signer;
+               return 2;
+               }
        if(!(flags & OCSP_NOINTERN) &&
            (signer = ocsp_find_signer_sk(bs->certs, rid)))
-               return signer;
+               {
+               *psigner = signer;
+               return 1;
+               }
        /* Maybe lookup from store if by subject name */
 
-       return NULL;
+       *psigner = NULL;
+       return 0;
        }
 
 
@@ -168,8 +246,6 @@ static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id)
        {
        int i;
        unsigned char tmphash[SHA_DIGEST_LENGTH], *keyhash;
-       ASN1_BIT_STRING *key;
-       EVP_MD_CTX ctx;
        X509 *x;
 
        /* Easy if lookup by name */
@@ -185,10 +261,7 @@ static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id)
        for (i = 0; i < sk_X509_num(certs); i++)
                {
                x = sk_X509_value(certs, i);
-               key = x->cert_info->key->public_key;
-               EVP_DigestInit(&ctx,EVP_sha1());
-               EVP_DigestUpdate(&ctx,key->data, key->length);
-               EVP_DigestFinal(&ctx,tmphash,NULL);
+               X509_pubkey_digest(x, EVP_sha1(), tmphash, NULL);
                if(!memcmp(keyhash, tmphash, SHA_DIGEST_LENGTH))
                        return x;
                }
@@ -259,7 +332,7 @@ static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, OCSP_CERTID **ret)
 
        for (i = 1; i < idcount; i++)
                {
-               tmpid = sk_OCSP_SINGLERESP_value(sresp, 0)->certId;
+               tmpid = sk_OCSP_SINGLERESP_value(sresp, i)->certId;
                /* Check to see if IDs match */
                if (OCSP_id_issuer_cmp(cid, tmpid))
                        {
@@ -285,9 +358,7 @@ static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid,
        if(cid)
                {
                const EVP_MD *dgst;
-               EVP_MD_CTX ctx;
                X509_NAME *iname;
-               ASN1_BIT_STRING *ikey;
                int mdlen;
                unsigned char md[EVP_MAX_MD_SIZE];
                if (!(dgst = EVP_get_digestbyobj(cid->hashAlgorithm->algorithm)))
@@ -297,19 +368,17 @@ static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid,
                        }
 
                mdlen = EVP_MD_size(dgst);
+               if (mdlen < 0)
+                   return -1;
                if ((cid->issuerNameHash->length != mdlen) ||
                   (cid->issuerKeyHash->length != mdlen))
                        return 0;
-               iname = X509_get_issuer_name(cert);
+               iname = X509_get_subject_name(cert);
                if (!X509_NAME_digest(iname, dgst, md, NULL))
                        return -1;
                if (memcmp(md, cid->issuerNameHash->data, mdlen))
                        return 0;
-               ikey = cert->cert_info->key->public_key;
-
-               EVP_DigestInit(&ctx,dgst);
-               EVP_DigestUpdate(&ctx,ikey->data, ikey->length);
-               EVP_DigestFinal(&ctx,md,NULL);
+               X509_pubkey_digest(cert, dgst, md, NULL);
                if (memcmp(md, cid->issuerKeyHash->data, mdlen))
                        return 0;
 
@@ -323,7 +392,7 @@ static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid,
                OCSP_CERTID *tmpid;
                for (i = 0; i < sk_OCSP_SINGLERESP_num(sresp); i++)
                        {
-                       tmpid = sk_OCSP_SINGLERESP_value(sresp, 0)->certId;
+                       tmpid = sk_OCSP_SINGLERESP_value(sresp, i)->certId;
                        ret = ocsp_match_issuerid(cert, tmpid, NULL);
                        if (ret <= 0) return ret;
                        }
@@ -341,3 +410,97 @@ static int ocsp_check_delegated(X509 *x, int flags)
        OCSPerr(OCSP_F_OCSP_CHECK_DELEGATED, OCSP_R_MISSING_OCSPSIGNING_USAGE);
        return 0;
        }
+
+/* Verify an OCSP request. This is fortunately much easier than OCSP
+ * response verify. Just find the signers certificate and verify it
+ * against a given trust value.
+ */
+
+int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs, X509_STORE *store, unsigned long flags)
+        {
+       X509 *signer;
+       X509_NAME *nm;
+       GENERAL_NAME *gen;
+       int ret;
+       X509_STORE_CTX ctx;
+       if (!req->optionalSignature) 
+               {
+               OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_REQUEST_NOT_SIGNED);
+               return 0;
+               }
+       gen = req->tbsRequest->requestorName;
+       if (!gen || gen->type != GEN_DIRNAME)
+               {
+               OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE);
+               return 0;
+               }
+       nm = gen->d.directoryName;
+       ret = ocsp_req_find_signer(&signer, req, nm, certs, store, flags);
+       if (ret <= 0)
+               {
+               OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND);
+               return 0;
+               }
+       if ((ret == 2) && (flags & OCSP_TRUSTOTHER))
+               flags |= OCSP_NOVERIFY;
+       if (!(flags & OCSP_NOSIGS))
+               {
+               EVP_PKEY *skey;
+               skey = X509_get_pubkey(signer);
+               ret = OCSP_REQUEST_verify(req, skey);
+               EVP_PKEY_free(skey);
+               if(ret <= 0)
+                       {
+                       OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_SIGNATURE_FAILURE);
+                       return 0;
+                       }
+               }
+       if (!(flags & OCSP_NOVERIFY))
+               {
+               int init_res;
+               if(flags & OCSP_NOCHAIN)
+                       init_res = X509_STORE_CTX_init(&ctx, store, signer, NULL);
+               else
+                       init_res = X509_STORE_CTX_init(&ctx, store, signer,
+                                       req->optionalSignature->certs);
+               if(!init_res)
+                       {
+                       OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY,ERR_R_X509_LIB);
+                       return 0;
+                       }
+
+               X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_OCSP_HELPER);
+               X509_STORE_CTX_set_trust(&ctx, X509_TRUST_OCSP_REQUEST);
+               ret = X509_verify_cert(&ctx);
+               X509_STORE_CTX_cleanup(&ctx);
+                if (ret <= 0)
+                       {
+                       ret = X509_STORE_CTX_get_error(&ctx);   
+                       OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY,OCSP_R_CERTIFICATE_VERIFY_ERROR);
+                       ERR_add_error_data(2, "Verify error:",
+                                       X509_verify_cert_error_string(ret));
+                        return 0;
+                       }
+               }
+       return 1;
+        }
+
+static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req, X509_NAME *nm, STACK_OF(X509) *certs,
+                               X509_STORE *st, unsigned long flags)
+       {
+       X509 *signer;
+       if(!(flags & OCSP_NOINTERN))
+               {
+               signer = X509_find_by_subject(req->optionalSignature->certs, nm);
+               *psigner = signer;
+               return 1;
+               }
+
+       signer = X509_find_by_subject(certs, nm);
+       if (signer)
+               {
+               *psigner = signer;
+               return 2;
+               }
+       return 0;
+       }