From 6ef869d7d0a9d2e7ea7908c0b5aab1cb451e00fa Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Thu, 5 Mar 2015 13:41:11 +0000 Subject: [PATCH] Make OCSP structures opaque. Reviewed-by: Matt Caswell --- apps/ocsp.c | 8 +- crypto/ocsp/Makefile | 6 +- crypto/ocsp/ocsp.h | 219 +++--------------------- crypto/ocsp/ocsp_asn.c | 1 + crypto/ocsp/ocsp_cl.c | 6 + crypto/ocsp/ocsp_ext.c | 1 + crypto/ocsp/ocsp_lcl.h | 273 ++++++++++++++++++++++++++++++ crypto/ocsp/ocsp_lib.c | 1 + crypto/ocsp/ocsp_prn.c | 1 + crypto/ocsp/ocsp_srv.c | 1 + crypto/ocsp/ocsp_vfy.c | 1 + crypto/{x509v3 => ocsp}/v3_ocsp.c | 4 +- crypto/x509v3/Makefile | 18 +- 13 files changed, 316 insertions(+), 224 deletions(-) create mode 100644 crypto/ocsp/ocsp_lcl.h rename crypto/{x509v3 => ocsp}/v3_ocsp.c (99%) diff --git a/apps/ocsp.c b/apps/ocsp.c index b0b3069676..83a71752b1 100644 --- a/apps/ocsp.c +++ b/apps/ocsp.c @@ -1110,8 +1110,12 @@ static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, OCSP_basic_sign(bs, rcert, rkey, rmd, rother, flags); - if (badsig) - bs->signature->data[bs->signature->length - 1] ^= 0x1; + if (badsig) { + ASN1_OCTET_STRING *sig = OCSP_resp_get0_signature(bs); + unsigned char *sigptr; + sigptr = ASN1_STRING_data(sig); + sigptr[ASN1_STRING_length(sig) - 1] ^= 0x1; + } *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_SUCCESSFUL, bs); diff --git a/crypto/ocsp/Makefile b/crypto/ocsp/Makefile index 60c414cf4d..f5b8445242 100644 --- a/crypto/ocsp/Makefile +++ b/crypto/ocsp/Makefile @@ -18,15 +18,15 @@ APPS= LIB=$(TOP)/libcrypto.a LIBSRC= ocsp_asn.c ocsp_ext.c ocsp_ht.c ocsp_lib.c ocsp_cl.c \ - ocsp_srv.c ocsp_prn.c ocsp_vfy.c ocsp_err.c + ocsp_srv.c ocsp_prn.c ocsp_vfy.c ocsp_err.c v3_ocsp.c LIBOBJ= ocsp_asn.o ocsp_ext.o ocsp_ht.o ocsp_lib.o ocsp_cl.o \ - ocsp_srv.o ocsp_prn.o ocsp_vfy.o ocsp_err.o + ocsp_srv.o ocsp_prn.o ocsp_vfy.o ocsp_err.o v3_ocsp.o SRC= $(LIBSRC) EXHEADER= ocsp.h -HEADER= $(EXHEADER) +HEADER= ocsp_lcl.h $(EXHEADER) ALL= $(GENERAL) $(SRC) $(HEADER) diff --git a/crypto/ocsp/ocsp.h b/crypto/ocsp/ocsp.h index ca2ee76dce..699978859f 100644 --- a/crypto/ocsp/ocsp.h +++ b/crypto/ocsp/ocsp.h @@ -93,76 +93,19 @@ extern "C" { # define OCSP_RESPID_KEY 0x400 # define OCSP_NOTIME 0x800 -/*- CertID ::= SEQUENCE { - * hashAlgorithm AlgorithmIdentifier, - * issuerNameHash OCTET STRING, -- Hash of Issuer's DN - * issuerKeyHash OCTET STRING, -- Hash of Issuers public key (excluding the tag & length fields) - * serialNumber CertificateSerialNumber } - */ -typedef struct ocsp_cert_id_st { - X509_ALGOR *hashAlgorithm; - ASN1_OCTET_STRING *issuerNameHash; - ASN1_OCTET_STRING *issuerKeyHash; - ASN1_INTEGER *serialNumber; -} OCSP_CERTID; +typedef struct ocsp_cert_id_st OCSP_CERTID; DECLARE_STACK_OF(OCSP_CERTID) -/*- Request ::= SEQUENCE { - * reqCert CertID, - * singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL } - */ -typedef struct ocsp_one_request_st { - OCSP_CERTID *reqCert; - STACK_OF(X509_EXTENSION) *singleRequestExtensions; -} OCSP_ONEREQ; +typedef struct ocsp_one_request_st OCSP_ONEREQ; DECLARE_STACK_OF(OCSP_ONEREQ) DECLARE_ASN1_SET_OF(OCSP_ONEREQ) -/*- TBSRequest ::= SEQUENCE { - * version [0] EXPLICIT Version DEFAULT v1, - * requestorName [1] EXPLICIT GeneralName OPTIONAL, - * requestList SEQUENCE OF Request, - * requestExtensions [2] EXPLICIT Extensions OPTIONAL } - */ -typedef struct ocsp_req_info_st { - ASN1_INTEGER *version; - GENERAL_NAME *requestorName; - STACK_OF(OCSP_ONEREQ) *requestList; - STACK_OF(X509_EXTENSION) *requestExtensions; -} OCSP_REQINFO; - -/*- Signature ::= SEQUENCE { - * signatureAlgorithm AlgorithmIdentifier, - * signature BIT STRING, - * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL } - */ -typedef struct ocsp_signature_st { - X509_ALGOR *signatureAlgorithm; - ASN1_BIT_STRING *signature; - STACK_OF(X509) *certs; -} OCSP_SIGNATURE; - -/*- OCSPRequest ::= SEQUENCE { - * tbsRequest TBSRequest, - * optionalSignature [0] EXPLICIT Signature OPTIONAL } - */ -typedef struct ocsp_request_st { - OCSP_REQINFO *tbsRequest; - OCSP_SIGNATURE *optionalSignature; /* OPTIONAL */ -} OCSP_REQUEST; - -/*- OCSPResponseStatus ::= ENUMERATED { - * successful (0), --Response has valid confirmations - * malformedRequest (1), --Illegal confirmation request - * internalError (2), --Internal error in issuer - * tryLater (3), --Try again later - * --(4) is not used - * sigRequired (5), --Must sign the request - * unauthorized (6) --Request unauthorized - * } - */ +typedef struct ocsp_req_info_st OCSP_REQINFO; +typedef struct ocsp_signature_st OCSP_SIGNATURE; +typedef struct ocsp_request_st OCSP_REQUEST; + # define OCSP_RESPONSE_STATUS_SUCCESSFUL 0 # define OCSP_RESPONSE_STATUS_MALFORMEDREQUEST 1 # define OCSP_RESPONSE_STATUS_INTERNALERROR 2 @@ -170,136 +113,29 @@ typedef struct ocsp_request_st { # define OCSP_RESPONSE_STATUS_SIGREQUIRED 5 # define OCSP_RESPONSE_STATUS_UNAUTHORIZED 6 -/*- ResponseBytes ::= SEQUENCE { - * responseType OBJECT IDENTIFIER, - * response OCTET STRING } - */ -typedef struct ocsp_resp_bytes_st { - ASN1_OBJECT *responseType; - ASN1_OCTET_STRING *response; -} OCSP_RESPBYTES; - -/*- OCSPResponse ::= SEQUENCE { - * responseStatus OCSPResponseStatus, - * responseBytes [0] EXPLICIT ResponseBytes OPTIONAL } - */ -struct ocsp_response_st { - ASN1_ENUMERATED *responseStatus; - OCSP_RESPBYTES *responseBytes; -}; - -/*- ResponderID ::= CHOICE { - * byName [1] Name, - * byKey [2] KeyHash } - */ +typedef struct ocsp_resp_bytes_st OCSP_RESPBYTES; + # define V_OCSP_RESPID_NAME 0 # define V_OCSP_RESPID_KEY 1 -struct ocsp_responder_id_st { - int type; - union { - X509_NAME *byName; - ASN1_OCTET_STRING *byKey; - } value; -}; DECLARE_STACK_OF(OCSP_RESPID) DECLARE_ASN1_FUNCTIONS(OCSP_RESPID) -/*- KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key - * --(excluding the tag and length fields) - */ +typedef struct ocsp_revoked_info_st OCSP_REVOKEDINFO; -/*- RevokedInfo ::= SEQUENCE { - * revocationTime GeneralizedTime, - * revocationReason [0] EXPLICIT CRLReason OPTIONAL } - */ -typedef struct ocsp_revoked_info_st { - ASN1_GENERALIZEDTIME *revocationTime; - ASN1_ENUMERATED *revocationReason; -} OCSP_REVOKEDINFO; - -/*- CertStatus ::= CHOICE { - * good [0] IMPLICIT NULL, - * revoked [1] IMPLICIT RevokedInfo, - * unknown [2] IMPLICIT UnknownInfo } - */ # define V_OCSP_CERTSTATUS_GOOD 0 # define V_OCSP_CERTSTATUS_REVOKED 1 # define V_OCSP_CERTSTATUS_UNKNOWN 2 -typedef struct ocsp_cert_status_st { - int type; - union { - ASN1_NULL *good; - OCSP_REVOKEDINFO *revoked; - ASN1_NULL *unknown; - } value; -} OCSP_CERTSTATUS; - -/*- SingleResponse ::= SEQUENCE { - * certID CertID, - * certStatus CertStatus, - * thisUpdate GeneralizedTime, - * nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL, - * singleExtensions [1] EXPLICIT Extensions OPTIONAL } - */ -typedef struct ocsp_single_response_st { - OCSP_CERTID *certId; - OCSP_CERTSTATUS *certStatus; - ASN1_GENERALIZEDTIME *thisUpdate; - ASN1_GENERALIZEDTIME *nextUpdate; - STACK_OF(X509_EXTENSION) *singleExtensions; -} OCSP_SINGLERESP; + +typedef struct ocsp_cert_status_st OCSP_CERTSTATUS; +typedef struct ocsp_single_response_st OCSP_SINGLERESP; DECLARE_STACK_OF(OCSP_SINGLERESP) DECLARE_ASN1_SET_OF(OCSP_SINGLERESP) -/*- ResponseData ::= SEQUENCE { - * version [0] EXPLICIT Version DEFAULT v1, - * responderID ResponderID, - * producedAt GeneralizedTime, - * responses SEQUENCE OF SingleResponse, - * responseExtensions [1] EXPLICIT Extensions OPTIONAL } - */ -typedef struct ocsp_response_data_st { - ASN1_INTEGER *version; - OCSP_RESPID *responderId; - ASN1_GENERALIZEDTIME *producedAt; - STACK_OF(OCSP_SINGLERESP) *responses; - STACK_OF(X509_EXTENSION) *responseExtensions; -} OCSP_RESPDATA; - -/*- BasicOCSPResponse ::= SEQUENCE { - * tbsResponseData ResponseData, - * signatureAlgorithm AlgorithmIdentifier, - * signature BIT STRING, - * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL } - */ - /* - * Note 1: The value for "signature" is specified in the OCSP rfc2560 as - * follows: "The value for the signature SHALL be computed on the hash of - * the DER encoding ResponseData." This means that you must hash the - * DER-encoded tbsResponseData, and then run it through a crypto-signing - * function, which will (at least w/RSA) do a hash-'n'-private-encrypt - * operation. This seems a bit odd, but that's the spec. Also note that - * the data structures do not leave anywhere to independently specify the - * algorithm used for the initial hash. So, we look at the - * signature-specification algorithm, and try to do something intelligent. - * -- Kathy Weinhold, CertCo - */ - /* - * Note 2: It seems that the mentioned passage from RFC 2560 (section - * 4.2.1) is open for interpretation. I've done tests against another - * responder, and found that it doesn't do the double hashing that the RFC - * seems to say one should. Therefore, all relevant functions take a flag - * saying which variant should be used. -- Richard Levitte, OpenSSL team - * and CeloCom - */ -typedef struct ocsp_basic_response_st { - OCSP_RESPDATA *tbsResponseData; - X509_ALGOR *signatureAlgorithm; - ASN1_BIT_STRING *signature; - STACK_OF(X509) *certs; -} OCSP_BASICRESP; +typedef struct ocsp_response_data_st OCSP_RESPDATA; + +typedef struct ocsp_basic_response_st OCSP_BASICRESP; /*- * CRLReason ::= ENUMERATED { @@ -322,27 +158,8 @@ typedef struct ocsp_basic_response_st { # define OCSP_REVOKED_STATUS_CERTIFICATEHOLD 6 # define OCSP_REVOKED_STATUS_REMOVEFROMCRL 8 -/*- - * CrlID ::= SEQUENCE { - * crlUrl [0] EXPLICIT IA5String OPTIONAL, - * crlNum [1] EXPLICIT INTEGER OPTIONAL, - * crlTime [2] EXPLICIT GeneralizedTime OPTIONAL } - */ -typedef struct ocsp_crl_id_st { - ASN1_IA5STRING *crlUrl; - ASN1_INTEGER *crlNum; - ASN1_GENERALIZEDTIME *crlTime; -} OCSP_CRLID; - -/*- - * ServiceLocator ::= SEQUENCE { - * issuer Name, - * locator AuthorityInfoAccessSyntax OPTIONAL } - */ -typedef struct ocsp_service_locator_st { - X509_NAME *issuer; - STACK_OF(ACCESS_DESCRIPTION) *locator; -} OCSP_SERVICELOC; +typedef struct ocsp_crl_id_st OCSP_CRLID; +typedef struct ocsp_service_locator_st OCSP_SERVICELOC; # define PEM_STRING_OCSP_REQUEST "OCSP REQUEST" # define PEM_STRING_OCSP_RESPONSE "OCSP RESPONSE" @@ -440,6 +257,8 @@ int OCSP_request_sign(OCSP_REQUEST *req, int OCSP_response_status(OCSP_RESPONSE *resp); OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp); +ASN1_OCTET_STRING *OCSP_resp_get0_signature(OCSP_BASICRESP *bs); + int OCSP_resp_count(OCSP_BASICRESP *bs); OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx); int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last); diff --git a/crypto/ocsp/ocsp_asn.c b/crypto/ocsp/ocsp_asn.c index e2e52e77af..c3362f0b97 100644 --- a/crypto/ocsp/ocsp_asn.c +++ b/crypto/ocsp/ocsp_asn.c @@ -59,6 +59,7 @@ #include #include #include +#include "ocsp_lcl.h" ASN1_SEQUENCE(OCSP_SIGNATURE) = { ASN1_SIMPLE(OCSP_SIGNATURE, signatureAlgorithm, X509_ALGOR), diff --git a/crypto/ocsp/ocsp_cl.c b/crypto/ocsp/ocsp_cl.c index 7e6ccdd4af..78d817db9e 100644 --- a/crypto/ocsp/ocsp_cl.c +++ b/crypto/ocsp/ocsp_cl.c @@ -73,6 +73,7 @@ #include #include #include +#include "ocsp_lcl.h" /* * Utility functions related to sending OCSP requests and extracting relevant @@ -216,6 +217,11 @@ OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp) return ASN1_item_unpack(rb->response, ASN1_ITEM_rptr(OCSP_BASICRESP)); } +ASN1_OCTET_STRING *OCSP_resp_get0_signature(OCSP_BASICRESP *bs) +{ + return bs->signature; +} + /* * Return number of OCSP_SINGLERESP reponses present in a basic response. */ diff --git a/crypto/ocsp/ocsp_ext.c b/crypto/ocsp/ocsp_ext.c index ce31b1b832..04ae17f8a7 100644 --- a/crypto/ocsp/ocsp_ext.c +++ b/crypto/ocsp/ocsp_ext.c @@ -69,6 +69,7 @@ #include #include #include +#include "ocsp_lcl.h" #include #include diff --git a/crypto/ocsp/ocsp_lcl.h b/crypto/ocsp/ocsp_lcl.h new file mode 100644 index 0000000000..86fb0b99b4 --- /dev/null +++ b/crypto/ocsp/ocsp_lcl.h @@ -0,0 +1,273 @@ +/* ocsp_lcl.h */ +/* + * Written by Tom Titchener for the OpenSSL + * project. + */ + +/* + * History: This file was transfered to Richard Levitte from CertCo by Kathy + * Weinhold in mid-spring 2000 to be included in OpenSSL or released as a + * patch kit. + */ + +/* ==================================================================== + * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ + +/*- CertID ::= SEQUENCE { + * hashAlgorithm AlgorithmIdentifier, + * issuerNameHash OCTET STRING, -- Hash of Issuer's DN + * issuerKeyHash OCTET STRING, -- Hash of Issuers public key (excluding the tag & length fields) + * serialNumber CertificateSerialNumber } + */ +struct ocsp_cert_id_st { + X509_ALGOR *hashAlgorithm; + ASN1_OCTET_STRING *issuerNameHash; + ASN1_OCTET_STRING *issuerKeyHash; + ASN1_INTEGER *serialNumber; +}; + +/*- Request ::= SEQUENCE { + * reqCert CertID, + * singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL } + */ +struct ocsp_one_request_st { + OCSP_CERTID *reqCert; + STACK_OF(X509_EXTENSION) *singleRequestExtensions; +}; + +/*- TBSRequest ::= SEQUENCE { + * version [0] EXPLICIT Version DEFAULT v1, + * requestorName [1] EXPLICIT GeneralName OPTIONAL, + * requestList SEQUENCE OF Request, + * requestExtensions [2] EXPLICIT Extensions OPTIONAL } + */ +struct ocsp_req_info_st { + ASN1_INTEGER *version; + GENERAL_NAME *requestorName; + STACK_OF(OCSP_ONEREQ) *requestList; + STACK_OF(X509_EXTENSION) *requestExtensions; +}; + +/*- Signature ::= SEQUENCE { + * signatureAlgorithm AlgorithmIdentifier, + * signature BIT STRING, + * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL } + */ +struct ocsp_signature_st { + X509_ALGOR *signatureAlgorithm; + ASN1_BIT_STRING *signature; + STACK_OF(X509) *certs; +}; + +/*- OCSPRequest ::= SEQUENCE { + * tbsRequest TBSRequest, + * optionalSignature [0] EXPLICIT Signature OPTIONAL } + */ +struct ocsp_request_st { + OCSP_REQINFO *tbsRequest; + OCSP_SIGNATURE *optionalSignature; /* OPTIONAL */ +}; + +/*- OCSPResponseStatus ::= ENUMERATED { + * successful (0), --Response has valid confirmations + * malformedRequest (1), --Illegal confirmation request + * internalError (2), --Internal error in issuer + * tryLater (3), --Try again later + * --(4) is not used + * sigRequired (5), --Must sign the request + * unauthorized (6) --Request unauthorized + * } + */ + +/*- ResponseBytes ::= SEQUENCE { + * responseType OBJECT IDENTIFIER, + * response OCTET STRING } + */ +struct ocsp_resp_bytes_st { + ASN1_OBJECT *responseType; + ASN1_OCTET_STRING *response; +}; + +/*- OCSPResponse ::= SEQUENCE { + * responseStatus OCSPResponseStatus, + * responseBytes [0] EXPLICIT ResponseBytes OPTIONAL } + */ +struct ocsp_response_st { + ASN1_ENUMERATED *responseStatus; + OCSP_RESPBYTES *responseBytes; +}; + +/*- ResponderID ::= CHOICE { + * byName [1] Name, + * byKey [2] KeyHash } + */ +struct ocsp_responder_id_st { + int type; + union { + X509_NAME *byName; + ASN1_OCTET_STRING *byKey; + } value; +}; + +/*- KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key + * --(excluding the tag and length fields) + */ + +/*- RevokedInfo ::= SEQUENCE { + * revocationTime GeneralizedTime, + * revocationReason [0] EXPLICIT CRLReason OPTIONAL } + */ +struct ocsp_revoked_info_st { + ASN1_GENERALIZEDTIME *revocationTime; + ASN1_ENUMERATED *revocationReason; +}; + +/*- CertStatus ::= CHOICE { + * good [0] IMPLICIT NULL, + * revoked [1] IMPLICIT RevokedInfo, + * unknown [2] IMPLICIT UnknownInfo } + */ +struct ocsp_cert_status_st { + int type; + union { + ASN1_NULL *good; + OCSP_REVOKEDINFO *revoked; + ASN1_NULL *unknown; + } value; +}; + +/*- SingleResponse ::= SEQUENCE { + * certID CertID, + * certStatus CertStatus, + * thisUpdate GeneralizedTime, + * nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL, + * singleExtensions [1] EXPLICIT Extensions OPTIONAL } + */ +struct ocsp_single_response_st { + OCSP_CERTID *certId; + OCSP_CERTSTATUS *certStatus; + ASN1_GENERALIZEDTIME *thisUpdate; + ASN1_GENERALIZEDTIME *nextUpdate; + STACK_OF(X509_EXTENSION) *singleExtensions; +}; + +/*- ResponseData ::= SEQUENCE { + * version [0] EXPLICIT Version DEFAULT v1, + * responderID ResponderID, + * producedAt GeneralizedTime, + * responses SEQUENCE OF SingleResponse, + * responseExtensions [1] EXPLICIT Extensions OPTIONAL } + */ +struct ocsp_response_data_st { + ASN1_INTEGER *version; + OCSP_RESPID *responderId; + ASN1_GENERALIZEDTIME *producedAt; + STACK_OF(OCSP_SINGLERESP) *responses; + STACK_OF(X509_EXTENSION) *responseExtensions; +}; + +/*- BasicOCSPResponse ::= SEQUENCE { + * tbsResponseData ResponseData, + * signatureAlgorithm AlgorithmIdentifier, + * signature BIT STRING, + * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL } + */ + /* + * Note 1: The value for "signature" is specified in the OCSP rfc2560 as + * follows: "The value for the signature SHALL be computed on the hash of + * the DER encoding ResponseData." This means that you must hash the + * DER-encoded tbsResponseData, and then run it through a crypto-signing + * function, which will (at least w/RSA) do a hash-'n'-private-encrypt + * operation. This seems a bit odd, but that's the spec. Also note that + * the data structures do not leave anywhere to independently specify the + * algorithm used for the initial hash. So, we look at the + * signature-specification algorithm, and try to do something intelligent. + * -- Kathy Weinhold, CertCo + */ + /* + * Note 2: It seems that the mentioned passage from RFC 2560 (section + * 4.2.1) is open for interpretation. I've done tests against another + * responder, and found that it doesn't do the double hashing that the RFC + * seems to say one should. Therefore, all relevant functions take a flag + * saying which variant should be used. -- Richard Levitte, OpenSSL team + * and CeloCom + */ +struct ocsp_basic_response_st { + OCSP_RESPDATA *tbsResponseData; + X509_ALGOR *signatureAlgorithm; + ASN1_BIT_STRING *signature; + STACK_OF(X509) *certs; +}; + +/*- + * CrlID ::= SEQUENCE { + * crlUrl [0] EXPLICIT IA5String OPTIONAL, + * crlNum [1] EXPLICIT INTEGER OPTIONAL, + * crlTime [2] EXPLICIT GeneralizedTime OPTIONAL } + */ +struct ocsp_crl_id_st { + ASN1_IA5STRING *crlUrl; + ASN1_INTEGER *crlNum; + ASN1_GENERALIZEDTIME *crlTime; +}; + +/*- + * ServiceLocator ::= SEQUENCE { + * issuer Name, + * locator AuthorityInfoAccessSyntax OPTIONAL } + */ +struct ocsp_service_locator_st { + X509_NAME *issuer; + STACK_OF(ACCESS_DESCRIPTION) *locator; +}; diff --git a/crypto/ocsp/ocsp_lib.c b/crypto/ocsp/ocsp_lib.c index 24ca40eef1..8e87f49a5d 100644 --- a/crypto/ocsp/ocsp_lib.c +++ b/crypto/ocsp/ocsp_lib.c @@ -72,6 +72,7 @@ #include #include #include +#include "ocsp_lcl.h" #include /* Convert a certificate and its issuer to an OCSP_CERTID */ diff --git a/crypto/ocsp/ocsp_prn.c b/crypto/ocsp/ocsp_prn.c index 1834256af2..96c2023450 100644 --- a/crypto/ocsp/ocsp_prn.c +++ b/crypto/ocsp/ocsp_prn.c @@ -67,6 +67,7 @@ #include #include #include +#include "ocsp_lcl.h" #include static int ocsp_certid_print(BIO *bp, OCSP_CERTID *a, int indent) diff --git a/crypto/ocsp/ocsp_srv.c b/crypto/ocsp/ocsp_srv.c index 2ec2c63618..00cafea108 100644 --- a/crypto/ocsp/ocsp_srv.c +++ b/crypto/ocsp/ocsp_srv.c @@ -65,6 +65,7 @@ #include #include #include +#include "ocsp_lcl.h" /* * Utility functions related to sending OCSP responses and extracting diff --git a/crypto/ocsp/ocsp_vfy.c b/crypto/ocsp/ocsp_vfy.c index 6c0ccb565d..8beadf7001 100644 --- a/crypto/ocsp/ocsp_vfy.c +++ b/crypto/ocsp/ocsp_vfy.c @@ -58,6 +58,7 @@ */ #include +#include "ocsp_lcl.h" #include #include diff --git a/crypto/x509v3/v3_ocsp.c b/crypto/ocsp/v3_ocsp.c similarity index 99% rename from crypto/x509v3/v3_ocsp.c rename to crypto/ocsp/v3_ocsp.c index b151eaccba..006db1785c 100644 --- a/crypto/x509v3/v3_ocsp.c +++ b/crypto/ocsp/v3_ocsp.c @@ -57,13 +57,12 @@ * */ -#ifndef OPENSSL_NO_OCSP - # include # include "cryptlib.h" # include # include # include +# include "ocsp_lcl.h" # include /* @@ -309,4 +308,3 @@ static int i2r_ocsp_serviceloc(const X509V3_EXT_METHOD *method, void *in, err: return 0; } -#endif diff --git a/crypto/x509v3/Makefile b/crypto/x509v3/Makefile index cdbfd52403..284dfa82b8 100644 --- a/crypto/x509v3/Makefile +++ b/crypto/x509v3/Makefile @@ -20,13 +20,13 @@ LIB=$(TOP)/libcrypto.a LIBSRC= v3_bcons.c v3_bitst.c v3_conf.c v3_extku.c v3_ia5.c v3_lib.c \ v3_prn.c v3_utl.c v3err.c v3_genn.c v3_alt.c v3_skey.c v3_akey.c v3_pku.c \ v3_int.c v3_enum.c v3_sxnet.c v3_cpols.c v3_crld.c v3_purp.c v3_info.c \ -v3_ocsp.c v3_akeya.c v3_pmaps.c v3_pcons.c v3_ncons.c v3_pcia.c v3_pci.c \ +v3_akeya.c v3_pmaps.c v3_pcons.c v3_ncons.c v3_pcia.c v3_pci.c \ pcy_cache.c pcy_node.c pcy_data.c pcy_map.c pcy_tree.c pcy_lib.c \ v3_asid.c v3_addr.c v3_scts.c LIBOBJ= v3_bcons.o v3_bitst.o v3_conf.o v3_extku.o v3_ia5.o v3_lib.o \ v3_prn.o v3_utl.o v3err.o v3_genn.o v3_alt.o v3_skey.o v3_akey.o v3_pku.o \ v3_int.o v3_enum.o v3_sxnet.o v3_cpols.o v3_crld.o v3_purp.o v3_info.o \ -v3_ocsp.o v3_akeya.o v3_pmaps.o v3_pcons.o v3_ncons.o v3_pcia.o v3_pci.o \ +v3_akeya.o v3_pmaps.o v3_pcons.o v3_ncons.o v3_pcia.o v3_pci.o \ pcy_cache.o pcy_node.o pcy_data.o pcy_map.o pcy_tree.o pcy_lib.o \ v3_asid.o v3_addr.o v3_scts.o @@ -422,20 +422,6 @@ v3_ncons.o: ../../include/openssl/sha.h ../../include/openssl/stack.h v3_ncons.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h v3_ncons.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h v3_ncons.o: ../cryptlib.h v3_ncons.c -v3_ocsp.o: ../../e_os.h ../../include/openssl/asn1.h -v3_ocsp.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h -v3_ocsp.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h -v3_ocsp.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h -v3_ocsp.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h -v3_ocsp.o: ../../include/openssl/err.h ../../include/openssl/evp.h -v3_ocsp.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h -v3_ocsp.o: ../../include/openssl/objects.h ../../include/openssl/ocsp.h -v3_ocsp.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h -v3_ocsp.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h -v3_ocsp.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h -v3_ocsp.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h -v3_ocsp.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h -v3_ocsp.o: ../../include/openssl/x509v3.h ../cryptlib.h v3_ocsp.c v3_pci.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h v3_pci.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h v3_pci.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h -- 2.34.1