/*
- * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
int ret = -1;
if (ctx == NULL) {
- OCSPerr(0, ERR_R_MALLOC_FAILURE);
+ ERR_raise(ERR_LIB_OCSP, ERR_R_MALLOC_FAILURE);
goto end;
}
if (!X509_STORE_CTX_init(ctx, st, signer, untrusted)) {
- OCSPerr(0, ERR_R_X509_LIB);
+ ERR_raise(ERR_LIB_OCSP, ERR_R_X509_LIB);
goto end;
}
if ((vp = X509_STORE_CTX_get0_param(ctx)) == NULL)
ret = X509_verify_cert(ctx);
if (ret <= 0) {
ret = X509_STORE_CTX_get_error(ctx);
- OCSPerr(0, OCSP_R_CERTIFICATE_VERIFY_ERROR);
- ERR_add_error_data(2, "Verify error:",
- X509_verify_cert_error_string(ret));
+ ERR_raise_data(ERR_LIB_OCSP, OCSP_R_CERTIFICATE_VERIFY_ERROR,
+ "Verify error: %s", X509_verify_cert_error_string(ret));
goto end;
}
if (chain != NULL)
if ((flags & OCSP_NOSIGS) == 0) {
if ((skey = X509_get0_pubkey(signer)) == NULL) {
- OCSPerr(0, OCSP_R_NO_SIGNER_KEY);
+ ERR_raise(ERR_LIB_OCSP, OCSP_R_NO_SIGNER_KEY);
return -1;
}
if (req != NULL)
- ret = OCSP_REQUEST_verify(req, skey);
+ ret = OCSP_REQUEST_verify(req, skey, signer->libctx, signer->propq);
else
- ret = OCSP_BASICRESP_verify(bs, skey);
+ ret = OCSP_BASICRESP_verify(bs, skey, signer->libctx, signer->propq);
if (ret <= 0)
- OCSPerr(0, OCSP_R_SIGNATURE_FAILURE);
+ ERR_raise(ERR_LIB_OCSP, OCSP_R_SIGNATURE_FAILURE);
}
return ret;
}
int ret = ocsp_find_signer(&signer, bs, certs, flags);
if (ret == 0) {
- OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,
- OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND);
+ ERR_raise(ERR_LIB_OCSP, OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND);
goto end;
}
if ((ret == 2) && (flags & OCSP_TRUSTOTHER) != 0)
goto end;
if ((flags & OCSP_NOVERIFY) == 0) {
ret = -1;
- if ((flags & OCSP_NOCHAIN) != 0) {
- untrusted = NULL;
- } else if (bs->certs != NULL && certs != NULL) {
- untrusted = sk_X509_dup(bs->certs);
+ if ((flags & OCSP_NOCHAIN) == 0) {
+ if ((untrusted = sk_X509_dup(bs->certs)) == NULL)
+ goto end;
if (!X509_add_certs(untrusted, certs, X509_ADD_FLAG_DEFAULT))
goto end;
- } else if (certs != NULL) {
- untrusted = certs;
- } else {
- untrusted = bs->certs;
}
ret = ocsp_verify_signer(signer, 1, st, flags, untrusted, &chain);
if (ret <= 0)
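Review bot: The rewritten chain-building branch now calls `sk_X509_dup(bs->certs)` whenever OCSP_NOCHAIN is clear, including when `bs->certs` is NULL, a case the removed `bs->certs != NULL && certs != NULL` condition deliberately avoided; whether that yields an empty stack or NULL (and so a silent -1 from the new `goto end`) depends on OPENSSL_sk_dup's NULL handling, so it is worth confirming or making explicit with `untrusted = bs->certs == NULL ? sk_X509_new_null() : sk_X509_dup(bs->certs);`. The new `goto end` on dup failure returns with `ret` still -1 but raises no OCSP-level error; unless sk_X509_dup is known to raise one itself, add `ERR_raise(ERR_LIB_OCSP, ERR_R_MALLOC_FAILURE);` before it so callers can distinguish an allocation failure from a verification failure. Always duplicating does mean `untrusted` is now exclusively owned by this function, which is what makes the unconditional `sk_X509_free(untrusted)` at the end label correct, but that also relies on `untrusted` being initialized to NULL at its declaration, which, like the start of OCSP_basic_verify, is outside the hunk.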
x = sk_X509_value(chain, sk_X509_num(chain) - 1);
if (X509_check_trust(x, NID_OCSP_sign, 0) != X509_TRUST_TRUSTED) {
- OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_ROOT_CA_NOT_TRUSTED);
+ ERR_raise(ERR_LIB_OCSP, OCSP_R_ROOT_CA_NOT_TRUSTED);
ret = 0;
goto end;
}
end:
sk_X509_pop_free(chain, X509_free);
- if (bs->certs && certs)
- sk_X509_free(untrusted);
+ sk_X509_free(untrusted);
return ret;
}
int ret;
if (sk_X509_num(chain) <= 0) {
- OCSPerr(OCSP_F_OCSP_CHECK_ISSUER, OCSP_R_NO_CERTIFICATES_IN_CHAIN);
+ ERR_raise(ERR_LIB_OCSP, OCSP_R_NO_CERTIFICATES_IN_CHAIN);
return -1;
}
idcount = sk_OCSP_SINGLERESP_num(sresp);
if (idcount <= 0) {
- OCSPerr(OCSP_F_OCSP_CHECK_IDS,
- OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA);
+ ERR_raise(ERR_LIB_OCSP, OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA);
return -1;
}
unsigned char md[EVP_MAX_MD_SIZE];
if (dgst == NULL) {
- OCSPerr(0, OCSP_R_UNKNOWN_MESSAGE_DIGEST);
+ ERR_raise(ERR_LIB_OCSP, OCSP_R_UNKNOWN_MESSAGE_DIGEST);
return -1;
}
mdlen = EVP_MD_size(dgst);
if (mdlen < 0) {
- OCSPerr(0, OCSP_R_DIGEST_SIZE_ERR);
+ ERR_raise(ERR_LIB_OCSP, OCSP_R_DIGEST_SIZE_ERR);
return -1;
}
if (cid->issuerNameHash.length != mdlen ||
return 0;
iname = X509_get_subject_name(cert);
if (!X509_NAME_digest(iname, dgst, md, NULL)) {
- OCSPerr(0, OCSP_R_DIGEST_NAME_ERR);
+ ERR_raise(ERR_LIB_OCSP, OCSP_R_DIGEST_NAME_ERR);
return -1;
}
if (memcmp(md, cid->issuerNameHash.data, mdlen) != 0)
return 0;
if (!X509_pubkey_digest(cert, dgst, md, NULL)) {
- OCSPerr(0, OCSP_R_DIGEST_ERR);
+ ERR_raise(ERR_LIB_OCSP, OCSP_R_DIGEST_ERR);
return -1;
}
if (memcmp(md, cid->issuerKeyHash.data, mdlen) != 0)
if ((X509_get_extension_flags(x) & EXFLAG_XKUSAGE)
&& (X509_get_extended_key_usage(x) & XKU_OCSP_SIGN))
return 1;
- OCSPerr(OCSP_F_OCSP_CHECK_DELEGATED, OCSP_R_MISSING_OCSPSIGNING_USAGE);
+ ERR_raise(ERR_LIB_OCSP, OCSP_R_MISSING_OCSPSIGNING_USAGE);
return 0;
}
int ret;
if (!req->optionalSignature) {
- OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_REQUEST_NOT_SIGNED);
+ ERR_raise(ERR_LIB_OCSP, OCSP_R_REQUEST_NOT_SIGNED);
return 0;
}
gen = req->tbsRequest.requestorName;
if (!gen || gen->type != GEN_DIRNAME) {
- OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY,
- OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE);
+ ERR_raise(ERR_LIB_OCSP, OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE);
return 0; /* not returning -1 here for backward compatibility*/
}
nm = gen->d.directoryName;
ret = ocsp_req_find_signer(&signer, req, nm, certs, flags);
if (ret <= 0) {
- OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY,
- OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND);
+ ERR_raise(ERR_LIB_OCSP, OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND);
return 0; /* not returning -1 here for backward compatibility*/
}
if ((ret == 2) && (flags & OCSP_TRUSTOTHER) != 0)