X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=crypto%2Focsp%2Focsp_vfy.c;h=da4c5b20a5b87c1bd9a5c8d328ecc24e707cb5ce;hp=c4f513a3b61a6b3756477a5b2d63a6f73102bd0a;hb=fafc7f987563ee2ea199ef27608f5a25a7cbe253;hpb=d88a26c4892152c326d8b4ca80a0cc59fe8c8d51

diff --git a/crypto/ocsp/ocsp_vfy.c b/crypto/ocsp/ocsp_vfy.c
index c4f513a3b6..da4c5b20a5 100644
--- a/crypto/ocsp/ocsp_vfy.c
+++ b/crypto/ocsp/ocsp_vfy.c
@@ -67,6 +67,8 @@ static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain, unsigned
 static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, OCSP_CERTID **ret);
 static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid, STACK_OF(OCSP_SINGLERESP) *sresp);
 static int ocsp_check_delegated(X509 *x, int flags);
+static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req, X509_NAME *nm, STACK_OF(X509) *certs,
+				X509_STORE *st, unsigned long flags);
 
 /* Verify a basic response message */
 
@@ -340,3 +342,90 @@ static int ocsp_check_delegated(X509 *x, int flags)
 	OCSPerr(OCSP_F_OCSP_CHECK_DELEGATED, OCSP_R_MISSING_OCSPSIGNING_USAGE);
 	return 0;
 	}
+
+/* Verify an OCSP request. This is fortunately much easier than OCSP
+ * request verify. Just find the signers certificate and verify it
+ * against a given trust value.
+ */
+
+int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs, X509_STORE *store, unsigned long flags)
+        {
+	X509 *signer;
+	X509_NAME *nm;
+	GENERAL_NAME *gen;
+	int ret;
+	X509_STORE_CTX ctx;
+	if (!req->optionalSignature) 
+		{
+		OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_REQUEST_NOT_SIGNED);
+		return 0;
+		}
+	gen = req->tbsRequest->requestorName;
+	if (gen->type != GEN_DIRNAME)
+		{
+		OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE);
+		return 0;
+		}
+	nm = gen->d.directoryName;
+	ret = ocsp_req_find_signer(&signer, req, nm, certs, store, flags);
+	if (ret <= 0)
+		{
+		OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND);
+		return 0;
+		}
+	if ((ret == 2) && (flags & OCSP_TRUSTOTHER))
+		flags |= OCSP_NOVERIFY;
+	if (!(flags & OCSP_NOSIGS))
+		{
+		EVP_PKEY *skey;
+		skey = X509_get_pubkey(signer);
+		ret = OCSP_REQUEST_verify(req, skey);
+		EVP_PKEY_free(skey);
+		if(ret <= 0)
+			{
+			OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_SIGNATURE_FAILURE);
+			return 0;
+			}
+		}
+	if (!(flags & OCSP_NOVERIFY))
+		{
+		if(flags & OCSP_NOCHAIN)
+			X509_STORE_CTX_init(&ctx, store, signer, NULL);
+		else
+			X509_STORE_CTX_init(&ctx, store, signer, req->optionalSignature->certs);
+
+		X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_OCSP_HELPER);
+		X509_STORE_CTX_set_trust(&ctx, X509_TRUST_OCSP_REQUEST);
+		ret = X509_verify_cert(&ctx);
+		X509_STORE_CTX_cleanup(&ctx);
+                if (ret <= 0)
+			{
+			ret = X509_STORE_CTX_get_error(&ctx);	
+			OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY,OCSP_R_CERTIFICATE_VERIFY_ERROR);
+			ERR_add_error_data(2, "Verify error:",
+					X509_verify_cert_error_string(ret));
+                        return 0;
+                	}
+		}
+	return 1;
+        }
+
+static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req, X509_NAME *nm, STACK_OF(X509) *certs,
+				X509_STORE *st, unsigned long flags)
+	{
+	X509 *signer;
+	if(!(flags & OCSP_NOINTERN))
+		{
+		signer = X509_find_by_subject(req->optionalSignature->certs, nm);
+		*psigner = signer;
+		return 1;
+		}
+
+	signer = X509_find_by_subject(certs, nm);
+	if (signer)
+		{
+		*psigner = signer;
+		return 2;
+		}
+	return 0;
+	}