Tabification. Remove accidental duplication.

[openssl.git] / crypto / ocsp / ocsp_vfy.c
diff --git a/crypto/ocsp/ocsp_vfy.c b/crypto/ocsp/ocsp_vfy.c

index b656609ee8d53b473a182e5696fa3e69f94be2eb..214b4020fee79aa9cbca456a48097ac263073551 100644 (file)
--- a/crypto/ocsp/ocsp_vfy.c
+++ b/crypto/ocsp/ocsp_vfy.c
@@ -1,9 +1,9 @@
  /* ocsp_vfy.c */
  /* ocsp_vfy.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
   * project 2000.
   */
  /* ====================================================================
   * project 2000.
   */
  /* ====================================================================
- * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 2000-2004 The OpenSSL Project.  All rights reserved.
   *
   * Redistribution and use in source and binary forms, with or without
   * modification, are permitted provided that the following conditions
   *
   * Redistribution and use in source and binary forms, with or without
   * modification, are permitted provided that the following conditions
@@ -58,14 +58,17 @@
  
  #include <openssl/ocsp.h>
  #include <openssl/err.h>
  
  #include <openssl/ocsp.h>
  #include <openssl/err.h>
+#include <string.h>
  
  
-static X509 *ocsp_find_signer(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
+static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
                                 X509_STORE *st, unsigned long flags);
  static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id);
  static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain, unsigned long flags);
  static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, OCSP_CERTID **ret);
  static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid, STACK_OF(OCSP_SINGLERESP) *sresp);
  static int ocsp_check_delegated(X509 *x, int flags);
                                 X509_STORE *st, unsigned long flags);
  static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id);
  static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain, unsigned long flags);
  static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, OCSP_CERTID **ret);
  static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid, STACK_OF(OCSP_SINGLERESP) *sresp);
  static int ocsp_check_delegated(X509 *x, int flags);
+static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req, X509_NAME *nm, STACK_OF(X509) *certs,
+                               X509_STORE *st, unsigned long flags);
  
  /* Verify a basic response message */
  
  
  /* Verify a basic response message */
  
@@ -74,14 +77,18 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
         {
         X509 *signer, *x;
         STACK_OF(X509) *chain = NULL;
         {
         X509 *signer, *x;
         STACK_OF(X509) *chain = NULL;
+       STACK_OF(X509) *tmpchain = NULL;
+       X509_STORE *tmpstore = NULL;
         X509_STORE_CTX ctx;
         X509_STORE_CTX ctx;
-       int i, ret = 0;
-       signer = ocsp_find_signer(bs, certs, st, flags);
-       if (!signer)
+       int i, ret;
+       ret = ocsp_find_signer(&signer, bs, certs, st, flags);
+       if (!ret)
                 {
                 OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND);
                 goto end;
                 }
                 {
                 OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND);
                 goto end;
                 }
+       if ((ret == 2) && (flags & OCSP_TRUSTOTHER))
+               chain = certs;
         if (!(flags & OCSP_NOSIGS))
                 {
                 EVP_PKEY *skey;
         if (!(flags & OCSP_NOSIGS))
                 {
                 EVP_PKEY *skey;
@@ -96,23 +103,86 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
                 }
         if (!(flags & OCSP_NOVERIFY))
                 {
                 }
         if (!(flags & OCSP_NOVERIFY))
                 {
+               int init_res;
+
+               /* If we trust the signer, we don't need to build a chain.
+                * (If the signer is a root certificate, X509_verify_cert()
+                * would fail anyway!)
+                */
+               if (chain == certs) goto verified_chain;
+
+               /* If we trust some "other" certificates, mark them as
+                * explicitly trusted (because some of them might be
+                * Intermediate CA Certificates), put them in a store and
+                * attempt to build a trusted chain.
+                */
+               if ((flags & OCSP_TRUSTOTHER) && (certs != NULL))
+                       {
+                       ASN1_OBJECT *objtmp = OBJ_nid2obj(NID_OCSP_sign);
+                       tmpstore = X509_STORE_new();
+                       if (!tmpstore)
+                               {
+                               ret = -1;
+                               OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_MALLOC_FAILURE);
+                               goto end;
+                               }
+                       for (i = 0; i < sk_X509_num(certs); i++)
+                               {
+                               X509 *xother = sk_X509_value(certs, i);
+                               X509_add1_trust_object(xother, objtmp);
+                               if (!X509_STORE_add_cert(tmpstore, xother))
+                                       {
+                                       ret = -1;
+                                       goto end;
+                                       }
+                               }
+
+                       init_res = X509_STORE_CTX_init(&ctx, tmpstore, signer, NULL);
+                       if (!init_res)
+                               {
+                               ret = -1;
+                               OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,ERR_R_X509_LIB);
+                               goto end;
+                               }
+                       X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_OCSP_HELPER);
+                       ret = X509_verify_cert(&ctx);
+                       if (ret == 1)
+                               {
+                               chain = tmpchain = X509_STORE_CTX_get1_chain(&ctx);
+                               X509_STORE_CTX_cleanup(&ctx);
+                               goto verified_chain;
+                               }
+                       X509_STORE_CTX_cleanup(&ctx);
+                       }
+
+               /* Attempt to build a chain up to a Root Certificate in the
+                * trust store provided by the caller.
+                */
                 if(flags & OCSP_NOCHAIN)
                 if(flags & OCSP_NOCHAIN)
-                       X509_STORE_CTX_init(&ctx, st, signer, NULL);
+                       init_res = X509_STORE_CTX_init(&ctx, st, signer, NULL);
                 else
                 else
-                       X509_STORE_CTX_init(&ctx, st, signer, bs->certs);
+                       init_res = X509_STORE_CTX_init(&ctx, st, signer, bs->certs);
+               if(!init_res)
+                       {
+                       ret = -1;
+                       OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,ERR_R_X509_LIB);
+                       goto end;
+                       }
  
                 X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_OCSP_HELPER);
                 ret = X509_verify_cert(&ctx);
  
                 X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_OCSP_HELPER);
                 ret = X509_verify_cert(&ctx);
-               chain = X509_STORE_CTX_get1_chain(&ctx);
+               chain = tmpchain = X509_STORE_CTX_get1_chain(&ctx);
                 X509_STORE_CTX_cleanup(&ctx);
                 X509_STORE_CTX_cleanup(&ctx);
-                if (ret <= 0)
+               if (ret <= 0)
                         {
                         i = X509_STORE_CTX_get_error(&ctx);     
                         OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,OCSP_R_CERTIFICATE_VERIFY_ERROR);
                         ERR_add_error_data(2, "Verify error:",
                                         X509_verify_cert_error_string(i));
                         {
                         i = X509_STORE_CTX_get_error(&ctx);     
                         OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,OCSP_R_CERTIFICATE_VERIFY_ERROR);
                         ERR_add_error_data(2, "Verify error:",
                                         X509_verify_cert_error_string(i));
-                        goto end;
-                       }
+                       goto end;
+                       }
+
+       verified_chain:
                 if(flags & OCSP_NOCHECKS)
                         {
                         ret = 1;
                 if(flags & OCSP_NOCHECKS)
                         {
                         ret = 1;
@@ -139,28 +209,36 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
                         }
                 ret = 1;
                 }
                         }
                 ret = 1;
                 }
-               
+
  
  
         end:
  
  
         end:
-       if(chain) sk_X509_pop_free(chain, X509_free);
-       return 1;
+       if(tmpchain) sk_X509_pop_free(tmpchain, X509_free);
+       if(tmpstore) X509_STORE_free(tmpstore);
+       return ret;
         }
  
  
         }
  
  
-static X509 *ocsp_find_signer(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
+static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
                                 X509_STORE *st, unsigned long flags)
         {
         X509 *signer;
         OCSP_RESPID *rid = bs->tbsResponseData->responderId;
         if ((signer = ocsp_find_signer_sk(certs, rid)))
                                 X509_STORE *st, unsigned long flags)
         {
         X509 *signer;
         OCSP_RESPID *rid = bs->tbsResponseData->responderId;
         if ((signer = ocsp_find_signer_sk(certs, rid)))
-               return signer;
+               {
+               *psigner = signer;
+               return 2;
+               }
         if(!(flags & OCSP_NOINTERN) &&
             (signer = ocsp_find_signer_sk(bs->certs, rid)))
         if(!(flags & OCSP_NOINTERN) &&
             (signer = ocsp_find_signer_sk(bs->certs, rid)))
-               return signer;
+               {
+               *psigner = signer;
+               return 1;
+               }
         /* Maybe lookup from store if by subject name */
  
         /* Maybe lookup from store if by subject name */
  
-       return NULL;
+       *psigner = NULL;
+       return 0;
         }
  
  
         }
  
  
@@ -168,8 +246,6 @@ static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id)
         {
         int i;
         unsigned char tmphash[SHA_DIGEST_LENGTH], *keyhash;
         {
         int i;
         unsigned char tmphash[SHA_DIGEST_LENGTH], *keyhash;
-       ASN1_BIT_STRING *key;
-       EVP_MD_CTX ctx;
         X509 *x;
  
         /* Easy if lookup by name */
         X509 *x;
  
         /* Easy if lookup by name */
@@ -185,10 +261,7 @@ static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id)
         for (i = 0; i < sk_X509_num(certs); i++)
                 {
                 x = sk_X509_value(certs, i);
         for (i = 0; i < sk_X509_num(certs); i++)
                 {
                 x = sk_X509_value(certs, i);
-               key = x->cert_info->key->public_key;
-               EVP_DigestInit(&ctx,EVP_sha1());
-               EVP_DigestUpdate(&ctx,key->data, key->length);
-               EVP_DigestFinal(&ctx,tmphash,NULL);
+               X509_pubkey_digest(x, EVP_sha1(), tmphash, NULL);
                 if(!memcmp(keyhash, tmphash, SHA_DIGEST_LENGTH))
                         return x;
                 }
                 if(!memcmp(keyhash, tmphash, SHA_DIGEST_LENGTH))
                         return x;
                 }
@@ -259,7 +332,7 @@ static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, OCSP_CERTID **ret)
  
         for (i = 1; i < idcount; i++)
                 {
  
         for (i = 1; i < idcount; i++)
                 {
-               tmpid = sk_OCSP_SINGLERESP_value(sresp, 0)->certId;
+               tmpid = sk_OCSP_SINGLERESP_value(sresp, i)->certId;
                 /* Check to see if IDs match */
                 if (OCSP_id_issuer_cmp(cid, tmpid))
                         {
                 /* Check to see if IDs match */
                 if (OCSP_id_issuer_cmp(cid, tmpid))
                         {
@@ -285,9 +358,7 @@ static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid,
         if(cid)
                 {
                 const EVP_MD *dgst;
         if(cid)
                 {
                 const EVP_MD *dgst;
-               EVP_MD_CTX ctx;
                 X509_NAME *iname;
                 X509_NAME *iname;
-               ASN1_BIT_STRING *ikey;
                 int mdlen;
                 unsigned char md[EVP_MAX_MD_SIZE];
                 if (!(dgst = EVP_get_digestbyobj(cid->hashAlgorithm->algorithm)))
                 int mdlen;
                 unsigned char md[EVP_MAX_MD_SIZE];
                 if (!(dgst = EVP_get_digestbyobj(cid->hashAlgorithm->algorithm)))
@@ -297,19 +368,17 @@ static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid,
                         }
  
                 mdlen = EVP_MD_size(dgst);
                         }
  
                 mdlen = EVP_MD_size(dgst);
+               if (mdlen < 0)
+                   return -1;
                 if ((cid->issuerNameHash->length != mdlen) ||
                    (cid->issuerKeyHash->length != mdlen))
                         return 0;
                 if ((cid->issuerNameHash->length != mdlen) ||
                    (cid->issuerKeyHash->length != mdlen))
                         return 0;
-               iname = X509_get_issuer_name(cert);
+               iname = X509_get_subject_name(cert);
                 if (!X509_NAME_digest(iname, dgst, md, NULL))
                         return -1;
                 if (memcmp(md, cid->issuerNameHash->data, mdlen))
                         return 0;
                 if (!X509_NAME_digest(iname, dgst, md, NULL))
                         return -1;
                 if (memcmp(md, cid->issuerNameHash->data, mdlen))
                         return 0;
-               ikey = cert->cert_info->key->public_key;
-
-               EVP_DigestInit(&ctx,dgst);
-               EVP_DigestUpdate(&ctx,ikey->data, ikey->length);
-               EVP_DigestFinal(&ctx,md,NULL);
+               X509_pubkey_digest(cert, dgst, md, NULL);
                 if (memcmp(md, cid->issuerKeyHash->data, mdlen))
                         return 0;
  
                 if (memcmp(md, cid->issuerKeyHash->data, mdlen))
                         return 0;
  
@@ -323,7 +392,7 @@ static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid,
                 OCSP_CERTID *tmpid;
                 for (i = 0; i < sk_OCSP_SINGLERESP_num(sresp); i++)
                         {
                 OCSP_CERTID *tmpid;
                 for (i = 0; i < sk_OCSP_SINGLERESP_num(sresp); i++)
                         {
-                       tmpid = sk_OCSP_SINGLERESP_value(sresp, 0)->certId;
+                       tmpid = sk_OCSP_SINGLERESP_value(sresp, i)->certId;
                         ret = ocsp_match_issuerid(cert, tmpid, NULL);
                         if (ret <= 0) return ret;
                         }
                         ret = ocsp_match_issuerid(cert, tmpid, NULL);
                         if (ret <= 0) return ret;
                         }
@@ -341,3 +410,97 @@ static int ocsp_check_delegated(X509 *x, int flags)
         OCSPerr(OCSP_F_OCSP_CHECK_DELEGATED, OCSP_R_MISSING_OCSPSIGNING_USAGE);
         return 0;
         }
         OCSPerr(OCSP_F_OCSP_CHECK_DELEGATED, OCSP_R_MISSING_OCSPSIGNING_USAGE);
         return 0;
         }
+
+/* Verify an OCSP request. This is fortunately much easier than OCSP
+ * response verify. Just find the signers certificate and verify it
+ * against a given trust value.
+ */
+
+int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs, X509_STORE *store, unsigned long flags)
+        {
+       X509 *signer;
+       X509_NAME *nm;
+       GENERAL_NAME *gen;
+       int ret;
+       X509_STORE_CTX ctx;
+       if (!req->optionalSignature) 
+               {
+               OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_REQUEST_NOT_SIGNED);
+               return 0;
+               }
+       gen = req->tbsRequest->requestorName;
+       if (!gen || gen->type != GEN_DIRNAME)
+               {
+               OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE);
+               return 0;
+               }
+       nm = gen->d.directoryName;
+       ret = ocsp_req_find_signer(&signer, req, nm, certs, store, flags);
+       if (ret <= 0)
+               {
+               OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND);
+               return 0;
+               }
+       if ((ret == 2) && (flags & OCSP_TRUSTOTHER))
+               flags |= OCSP_NOVERIFY;
+       if (!(flags & OCSP_NOSIGS))
+               {
+               EVP_PKEY *skey;
+               skey = X509_get_pubkey(signer);
+               ret = OCSP_REQUEST_verify(req, skey);
+               EVP_PKEY_free(skey);
+               if(ret <= 0)
+                       {
+                       OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_SIGNATURE_FAILURE);
+                       return 0;
+                       }
+               }
+       if (!(flags & OCSP_NOVERIFY))
+               {
+               int init_res;
+               if(flags & OCSP_NOCHAIN)
+                       init_res = X509_STORE_CTX_init(&ctx, store, signer, NULL);
+               else
+                       init_res = X509_STORE_CTX_init(&ctx, store, signer,
+                                       req->optionalSignature->certs);
+               if(!init_res)
+                       {
+                       OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY,ERR_R_X509_LIB);
+                       return 0;
+                       }
+
+               X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_OCSP_HELPER);
+               X509_STORE_CTX_set_trust(&ctx, X509_TRUST_OCSP_REQUEST);
+               ret = X509_verify_cert(&ctx);
+               X509_STORE_CTX_cleanup(&ctx);
+                if (ret <= 0)
+                       {
+                       ret = X509_STORE_CTX_get_error(&ctx);   
+                       OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY,OCSP_R_CERTIFICATE_VERIFY_ERROR);
+                       ERR_add_error_data(2, "Verify error:",
+                                       X509_verify_cert_error_string(ret));
+                        return 0;
+                       }
+               }
+       return 1;
+        }
+
+static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req, X509_NAME *nm, STACK_OF(X509) *certs,
+                               X509_STORE *st, unsigned long flags)
+       {
+       X509 *signer;
+       if(!(flags & OCSP_NOINTERN))
+               {
+               signer = X509_find_by_subject(req->optionalSignature->certs, nm);
+               *psigner = signer;
+               return 1;
+               }
+
+       signer = X509_find_by_subject(certs, nm);
+       if (signer)
+               {
+               *psigner = signer;
+               return 2;
+               }
+       return 0;
+       }