From cec2538ca9d053eb905069ea65e4925e9288558c Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Tue, 4 Dec 2007 12:41:28 +0000 Subject: [PATCH] Submitted by: Victor B. Wagner , steve Use default algorithms for OCSP request and response signing. New command line option to support other digest use for OCSP certificate IDs. --- apps/ocsp.c | 34 +++++++++++++++++++++------------- crypto/ocsp/ocsp_cl.c | 1 - crypto/ocsp/ocsp_vfy.c | 2 +- doc/apps/ocsp.pod | 6 ++++++ 4 files changed, 28 insertions(+), 15 deletions(-) diff --git a/apps/ocsp.c b/apps/ocsp.c index df0339b743..856bead88a 100644 --- a/apps/ocsp.c +++ b/apps/ocsp.c @@ -65,14 +65,15 @@ #include #include #include +#include #include "apps.h" /* Maximum leeway in validity period: default 5 minutes */ #define MAX_VALIDITY_PERIOD (5 * 60) -static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, X509 *issuer, +static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, const EVP_MD *cert_id_md, X509 *issuer, STACK_OF(OCSP_CERTID) *ids); -static int add_ocsp_serial(OCSP_REQUEST **req, char *serial, X509 *issuer, +static int add_ocsp_serial(OCSP_REQUEST **req, char *serial, const EVP_MD * cert_id_md, X509 *issuer, STACK_OF(OCSP_CERTID) *ids); static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req, STACK *names, STACK_OF(OCSP_CERTID) *ids, @@ -136,6 +137,7 @@ int MAIN(int argc, char **argv) char *rca_filename = NULL; CA_DB *rdb = NULL; int nmin = 0, ndays = -1; + const EVP_MD *cert_id_md = NULL; if (bio_err == NULL) bio_err = BIO_new_fp(stderr, BIO_NOCLOSE); @@ -403,7 +405,8 @@ int MAIN(int argc, char **argv) cert = load_cert(bio_err, *args, FORMAT_PEM, NULL, e, "certificate"); if(!cert) goto end; - if(!add_ocsp_cert(&req, cert, issuer, ids)) + if (!cert_id_md) cert_id_md = EVP_sha1(); + if(!add_ocsp_cert(&req, cert, cert_id_md, issuer, ids)) goto end; if(!sk_push(reqnames, *args)) goto end; @@ -415,7 +418,8 @@ int MAIN(int argc, char **argv) if (args[1]) { args++; - if(!add_ocsp_serial(&req, *args, issuer, ids)) + if (!cert_id_md) cert_id_md = EVP_sha1(); + if(!add_ocsp_serial(&req, *args, cert_id_md, issuer, ids)) goto end; if(!sk_push(reqnames, *args)) goto end; @@ -517,7 +521,10 @@ int MAIN(int argc, char **argv) } else badarg = 1; } - else badarg = 1; + else if ((cert_id_md = EVP_get_digestbyname((*args)+1))==NULL) + { + badarg = 1; + } args++; } @@ -573,6 +580,7 @@ int MAIN(int argc, char **argv) BIO_printf (bio_err, "-ndays n number of days before next update\n"); BIO_printf (bio_err, "-resp_key_id identify reponse by signing certificate key ID\n"); BIO_printf (bio_err, "-nrequest n number of requests to accept (default unlimited)\n"); + BIO_printf (bio_err, "- use specified digest in the request"); goto end; } @@ -679,7 +687,8 @@ int MAIN(int argc, char **argv) "signer private key"); if (!key) goto end; - if (!OCSP_request_sign(req, signer, key, EVP_sha1(), sign_other, sign_flags)) + + if (!OCSP_request_sign(req, signer, key, NULL, sign_other, sign_flags)) { BIO_printf(bio_err, "Error signing OCSP request\n"); goto end; @@ -883,7 +892,7 @@ end: OPENSSL_EXIT(ret); } -static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, X509 *issuer, +static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, const EVP_MD *cert_id_md,X509 *issuer, STACK_OF(OCSP_CERTID) *ids) { OCSP_CERTID *id; @@ -894,7 +903,7 @@ static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, X509 *issuer, } if(!*req) *req = OCSP_REQUEST_new(); if(!*req) goto err; - id = OCSP_cert_to_id(NULL, cert, issuer); + id = OCSP_cert_to_id(cert_id_md, cert, issuer); if(!id || !sk_OCSP_CERTID_push(ids, id)) goto err; if(!OCSP_request_add0_id(*req, id)) goto err; return 1; @@ -904,7 +913,7 @@ static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, X509 *issuer, return 0; } -static int add_ocsp_serial(OCSP_REQUEST **req, char *serial, X509 *issuer, +static int add_ocsp_serial(OCSP_REQUEST **req, char *serial,const EVP_MD *cert_id_md, X509 *issuer, STACK_OF(OCSP_CERTID) *ids) { OCSP_CERTID *id; @@ -926,7 +935,7 @@ static int add_ocsp_serial(OCSP_REQUEST **req, char *serial, X509 *issuer, BIO_printf(bio_err, "Error converting serial number %s\n", serial); return 0; } - id = OCSP_cert_id_new(EVP_sha1(), iname, ikey, sno); + id = OCSP_cert_id_new(cert_id_md, iname, ikey, sno); ASN1_INTEGER_free(sno); if(!id || !sk_OCSP_CERTID_push(ids, id)) goto err; if(!OCSP_request_add0_id(*req, id)) goto err; @@ -1012,7 +1021,6 @@ static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db OCSP_BASICRESP *bs = NULL; int i, id_count, ret = 1; - id_count = OCSP_request_onereq_count(req); if (id_count <= 0) @@ -1080,8 +1088,8 @@ static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db } OCSP_copy_nonce(bs, req); - - OCSP_basic_sign(bs, rcert, rkey, EVP_sha1(), rother, flags); + + OCSP_basic_sign(bs, rcert, rkey, NULL, rother, flags); *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_SUCCESSFUL, bs); diff --git a/crypto/ocsp/ocsp_cl.c b/crypto/ocsp/ocsp_cl.c index 17bab5fc59..9c14d9da27 100644 --- a/crypto/ocsp/ocsp_cl.c +++ b/crypto/ocsp/ocsp_cl.c @@ -155,7 +155,6 @@ int OCSP_request_sign(OCSP_REQUEST *req, goto err; if (!(req->optionalSignature = sig = OCSP_SIGNATURE_new())) goto err; - if (!dgst) dgst = EVP_sha1(); if (key) { if (!X509_check_private_key(signer, key)) diff --git a/crypto/ocsp/ocsp_vfy.c b/crypto/ocsp/ocsp_vfy.c index 23ea41c847..5ea7c270ed 100644 --- a/crypto/ocsp/ocsp_vfy.c +++ b/crypto/ocsp/ocsp_vfy.c @@ -316,7 +316,7 @@ static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid, return -1; if (memcmp(md, cid->issuerNameHash->data, mdlen)) return 0; - X509_pubkey_digest(cert, EVP_sha1(), md, NULL); + X509_pubkey_digest(cert, dgst, md, NULL); if (memcmp(md, cid->issuerKeyHash->data, mdlen)) return 0; diff --git a/doc/apps/ocsp.pod b/doc/apps/ocsp.pod index 4f266058e5..a6a7d80c6e 100644 --- a/doc/apps/ocsp.pod +++ b/doc/apps/ocsp.pod @@ -51,6 +51,7 @@ B B [B<-ndays n>] [B<-resp_key_id>] [B<-nrequest n>] +[B<-md5|-sha1|...>] =head1 DESCRIPTION @@ -206,6 +207,11 @@ information is immediately available. In this case the age of the B f is checked to see it is not older than B seconds old. By default this additional check is not performed. +=item B<-md5|-sha1|-sha256|-ripemod160|...> + +this option sets digest algorithm to use for certificate identification +in the OCSP request. By default SHA-1 is used. + =back =head1 OCSP SERVER OPTIONS -- 2.34.1