Make editorial changes suggested by Matt Caswell and fixed Travis failures.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4190)

diff --git a/apps/ocsp.c b/apps/ocsp.c
index b9bad81f24e31d0a7e4695113a46b027a08eb46e..4a68e52d743930f10ac53d6a07e5942f6fb8abe0 100644 (file)
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -78,7 +78,7 @@ typedef enum OPTION_choice {
     OPT_VALIDITY_PERIOD, OPT_STATUS_AGE, OPT_SIGNKEY, OPT_REQOUT,
     OPT_RESPOUT, OPT_PATH, OPT_ISSUER, OPT_CERT, OPT_SERIAL,
     OPT_INDEX, OPT_CA, OPT_NMIN, OPT_REQUEST, OPT_NDAYS, OPT_RSIGNER,
     OPT_VALIDITY_PERIOD, OPT_STATUS_AGE, OPT_SIGNKEY, OPT_REQOUT,
     OPT_RESPOUT, OPT_PATH, OPT_ISSUER, OPT_CERT, OPT_SERIAL,
     OPT_INDEX, OPT_CA, OPT_NMIN, OPT_REQUEST, OPT_NDAYS, OPT_RSIGNER,

-    OPT_RKEY, OPT_ROTHER, OPT_RMD, OPT_SIGOPT, OPT_HEADER,
+    OPT_RKEY, OPT_ROTHER, OPT_RMD, OPT_RSIGOPT, OPT_HEADER,

     OPT_V_ENUM,
     OPT_MD
 } OPTION_CHOICE;
     OPT_V_ENUM,
     OPT_MD
 } OPTION_CHOICE;


@@ -155,7 +155,7 @@ const OPTIONS ocsp_options[] = {
     {"rkey", OPT_RKEY, '<', "Responder key to sign responses with"},
     {"rother", OPT_ROTHER, '<', "Other certificates to include in response"},
     {"rmd", OPT_RMD, 's', "Digest Algorithm to use in signature of OCSP response"},
     {"rkey", OPT_RKEY, '<', "Responder key to sign responses with"},
     {"rother", OPT_ROTHER, '<', "Other certificates to include in response"},
     {"rmd", OPT_RMD, 's', "Digest Algorithm to use in signature of OCSP response"},

-    {"rsigopt", OPT_SIGOPT, 's', "OCSP response signature parameter in n:v form"},
+    {"rsigopt", OPT_RSIGOPT, 's', "OCSP response signature parameter in n:v form"},

     {"header", OPT_HEADER, 's', "key=value header to add"},
     {"", OPT_MD, '-', "Any supported digest algorithm (sha1,sha256, ... )"},
     OPT_V_OPTIONS,
     {"header", OPT_HEADER, 's', "key=value header to add"},
     {"", OPT_MD, '-', "Any supported digest algorithm (sha1,sha256, ... )"},
     OPT_V_OPTIONS,


@@ -422,7 +422,7 @@ int ocsp_main(int argc, char **argv)
             if (!opt_md(opt_arg(), &rsign_md))
                 goto end;
             break;
             if (!opt_md(opt_arg(), &rsign_md))
                 goto end;
             break;

-        case OPT_SIGOPT:
+        case OPT_RSIGOPT:

             if (rsign_sigopts == NULL)
                 rsign_sigopts = sk_OPENSSL_STRING_new_null();
             if (rsign_sigopts == NULL || !sk_OPENSSL_STRING_push(rsign_sigopts, opt_arg()))
             if (rsign_sigopts == NULL)
                 rsign_sigopts = sk_OPENSSL_STRING_new_null();
             if (rsign_sigopts == NULL || !sk_OPENSSL_STRING_push(rsign_sigopts, opt_arg()))

diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index 0ed1b09fe19d37bd46b628a2dbc50801096cb696..accd83cadc4d9acfe0c1c05f77469f44e89750fa 100644 (file)
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -1,4 +1,4 @@
-# Copyright 1999-2017 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved.

 #
 # Licensed under the OpenSSL license (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
 #
 # Licensed under the OpenSSL license (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy


@@ -735,6 +735,7 @@ OBJ_F_OBJ_NID2SN:104:OBJ_nid2sn
 OCSP_F_D2I_OCSP_NONCE:102:d2i_ocsp_nonce
 OCSP_F_OCSP_BASIC_ADD1_STATUS:103:OCSP_basic_add1_status
 OCSP_F_OCSP_BASIC_SIGN:104:OCSP_basic_sign
 OCSP_F_D2I_OCSP_NONCE:102:d2i_ocsp_nonce
 OCSP_F_OCSP_BASIC_ADD1_STATUS:103:OCSP_basic_add1_status
 OCSP_F_OCSP_BASIC_SIGN:104:OCSP_basic_sign

+OCSP_F_OCSP_BASIC_SIGN_CTX:119:OCSP_basic_sign_ctx

 OCSP_F_OCSP_BASIC_VERIFY:105:OCSP_basic_verify
 OCSP_F_OCSP_CERT_ID_NEW:101:OCSP_cert_id_new
 OCSP_F_OCSP_CHECK_DELEGATED:106:ocsp_check_delegated
 OCSP_F_OCSP_BASIC_VERIFY:105:OCSP_basic_verify
 OCSP_F_OCSP_CERT_ID_NEW:101:OCSP_cert_id_new
 OCSP_F_OCSP_CHECK_DELEGATED:106:ocsp_check_delegated

diff --git a/crypto/ocsp/ocsp_srv.c b/crypto/ocsp/ocsp_srv.c
index b459e695b93ebc6d2a184e0ec7535858af98b51c..9c7c81a1b010d03946682bca2edbfc589d852de0 100644 (file)
--- a/crypto/ocsp/ocsp_srv.c
+++ b/crypto/ocsp/ocsp_srv.c
@@ -1,5 +1,5 @@
 /*
 /*

- * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.

  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy


@@ -168,16 +168,27 @@ int OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert)
     return 1;
 }
 
     return 1;
 }
 

+/*
+ * Sign an OCSP response using the parameters contained in the digest context,
+ * set the responderID to the subject name in the signer's certificate, and
+ * include one or more optional certificates in the response.
+ */
+

 int OCSP_basic_sign_ctx(OCSP_BASICRESP *brsp,
                     X509 *signer, EVP_MD_CTX *ctx,
                     STACK_OF(X509) *certs, unsigned long flags)
 {
     int i;
     OCSP_RESPID *rid;
 int OCSP_basic_sign_ctx(OCSP_BASICRESP *brsp,
                     X509 *signer, EVP_MD_CTX *ctx,
                     STACK_OF(X509) *certs, unsigned long flags)
 {
     int i;
     OCSP_RESPID *rid;

+    EVP_PKEY *pkey;
+
+    if (ctx == NULL || EVP_MD_CTX_pkey_ctx(ctx) == NULL) {
+        OCSPerr(OCSP_F_OCSP_BASIC_SIGN_CTX, OCSP_R_NO_SIGNER_KEY);
+        goto err;
+    }

 
 

-    if (ctx == NULL || EVP_MD_CTX_pkey_ctx(ctx) == NULL
-        || EVP_PKEY_CTX_get0_pkey(EVP_MD_CTX_pkey_ctx(ctx)) == NULL
-        || !X509_check_private_key(signer, EVP_PKEY_CTX_get0_pkey(EVP_MD_CTX_pkey_ctx(ctx)))) {
+    pkey = EVP_PKEY_CTX_get0_pkey(EVP_MD_CTX_pkey_ctx(ctx));
+    if (pkey == NULL || !X509_check_private_key(signer, pkey)) {

         OCSPerr(OCSP_F_OCSP_BASIC_SIGN_CTX,
                 OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
         goto err;
         OCSPerr(OCSP_F_OCSP_BASIC_SIGN_CTX,
                 OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
         goto err;

diff --git a/include/openssl/ocsperr.h b/include/openssl/ocsperr.h
index 4edb2b725f12219f594eef7e605746d25d989a32..08800d1ae8b4547cc4b639129f19e7ba9dc968ac 100644 (file)
--- a/include/openssl/ocsperr.h
+++ b/include/openssl/ocsperr.h
@@ -25,7 +25,7 @@ int ERR_load_OCSP_strings(void);
 # define OCSP_F_D2I_OCSP_NONCE                            102
 # define OCSP_F_OCSP_BASIC_ADD1_STATUS                    103
 # define OCSP_F_OCSP_BASIC_SIGN                           104
 # define OCSP_F_D2I_OCSP_NONCE                            102
 # define OCSP_F_OCSP_BASIC_ADD1_STATUS                    103
 # define OCSP_F_OCSP_BASIC_SIGN                           104

-# define OCSP_F_OCSP_BASIC_SIGN_CTX                       131
+# define OCSP_F_OCSP_BASIC_SIGN_CTX                       119

 # define OCSP_F_OCSP_BASIC_VERIFY                         105
 # define OCSP_F_OCSP_CERT_ID_NEW                          101
 # define OCSP_F_OCSP_CHECK_DELEGATED                      106
 # define OCSP_F_OCSP_BASIC_VERIFY                         105
 # define OCSP_F_OCSP_CERT_ID_NEW                          101
 # define OCSP_F_OCSP_CHECK_DELEGATED                      106