From ca4a494cb7437a7af155361b0084de8329c0bf25 Mon Sep 17 00:00:00 2001 From: Rich Salz Date: Wed, 10 Jun 2015 14:07:40 -0400 Subject: [PATCH] Make TS structures opaque. Most of the accessors existed and were already used so it was easy. TS_VERIFY_CTX didn't have accessors/settors so I added the simple and obvious ones, and changed the app to use them. Also, within crypto/ts, replaced the functions with direct access to the structure members since we generally aren't opaque within a directory. Also fix RT3901. Reviewed-by: Tim Hudson --- apps/ts.c | 23 ++-- crypto/ts/Makefile | 18 +-- crypto/ts/ts_asn1.c | 1 + crypto/ts/ts_lcl.h | 230 ++++++++++++++++++++++++++++++++++++++ crypto/ts/ts_lib.c | 5 +- crypto/ts/ts_req_print.c | 13 +-- crypto/ts/ts_req_utils.c | 1 + crypto/ts/ts_rsp_print.c | 69 +++++------- crypto/ts/ts_rsp_sign.c | 19 ++-- crypto/ts/ts_rsp_utils.c | 6 + crypto/ts/ts_rsp_verify.c | 21 ++-- crypto/ts/ts_verify_ctx.c | 50 ++++++++- include/openssl/ts.h | 223 ++++-------------------------------- util/libeay.num | 25 +++-- 14 files changed, 398 insertions(+), 306 deletions(-) create mode 100644 crypto/ts/ts_lcl.h diff --git a/apps/ts.c b/apps/ts.c index feec34ba4f..6e6b834401 100644 --- a/apps/ts.c +++ b/apps/ts.c @@ -724,7 +724,7 @@ static TS_RESP *read_PKCS7(BIO *in_bio) /* Create granted status info. */ if ((si = TS_STATUS_INFO_new()) == NULL) goto end; - if (!(ASN1_INTEGER_set(si->status, TS_STATUS_GRANTED))) + if (!TS_STATUS_INFO_set_status(si, TS_STATUS_GRANTED)) goto end; if (!TS_RESP_set_status_info(resp, si)) goto end; @@ -976,23 +976,24 @@ static TS_VERIFY_CTX *create_verify_ctx(char *data, char *digest, BIO *input = NULL; TS_REQ *request = NULL; int ret = 0; + int f = 0; if (data != NULL || digest != NULL) { if ((ctx = TS_VERIFY_CTX_new()) == NULL) goto err; - ctx->flags = TS_VFY_VERSION | TS_VFY_SIGNER; + f = TS_VFY_VERSION | TS_VFY_SIGNER; if (data != NULL) { - ctx->flags |= TS_VFY_DATA; - if ((ctx->data = BIO_new_file(data, "rb")) == NULL) + f |= TS_VFY_DATA; + if (TS_VERIFY_CTX_set_data(ctx, BIO_new_file(data, "rb")) == NULL) goto err; } else if (digest != NULL) { long imprint_len; - ctx->flags |= TS_VFY_IMPRINT; - if ((ctx->imprint = string_to_hex(digest, &imprint_len)) == NULL) { + unsigned char *hexstr = string_to_hex(digest, &imprint_len); + f |= TS_VFY_IMPRINT; + if (TS_VERIFY_CTX_set_imprint(ctx, hexstr, imprint_len) == NULL) { BIO_printf(bio_err, "invalid digest string\n"); goto err; } - ctx->imprint_len = imprint_len; } } else if (queryfile != NULL) { @@ -1010,14 +1011,16 @@ static TS_VERIFY_CTX *create_verify_ctx(char *data, char *digest, return NULL; /* Add the signature verification flag and arguments. */ - ctx->flags |= TS_VFY_SIGNATURE; + TS_VERIFY_CTX_add_flags(ctx, f | TS_VFY_SIGNATURE); /* Initialising the X509_STORE object. */ - if ((ctx->store = create_cert_store(CApath, CAfile)) == NULL) + if (TS_VERIFY_CTX_set_store(ctx, create_cert_store(CApath, CAfile)) + == NULL) goto err; /* Loading untrusted certificates. */ - if (untrusted && (ctx->certs = TS_CONF_load_certs(untrusted)) == NULL) + if (untrusted + && TS_VERIFY_CTS_set_certs(ctx, TS_CONF_load_certs(untrusted)) == NULL) goto err; ret = 1; diff --git a/crypto/ts/Makefile b/crypto/ts/Makefile index 673d01b9c4..76d1aeac72 100644 --- a/crypto/ts/Makefile +++ b/crypto/ts/Makefile @@ -86,7 +86,7 @@ ts_asn1.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h ts_asn1.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h ts_asn1.o: ../../include/openssl/ts.h ../../include/openssl/x509.h ts_asn1.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h -ts_asn1.o: ts_asn1.c +ts_asn1.o: ts_asn1.c ts_lcl.h ts_conf.o: ../../e_os.h ../../include/openssl/asn1.h ts_conf.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h ts_conf.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h @@ -135,7 +135,7 @@ ts_lib.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h ts_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h ts_lib.o: ../../include/openssl/ts.h ../../include/openssl/x509.h ts_lib.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h -ts_lib.o: ../include/internal/cryptlib.h ts_lib.c +ts_lib.o: ../include/internal/cryptlib.h ts_lcl.h ts_lib.c ts_req_print.o: ../../e_os.h ../../include/openssl/asn1.h ts_req_print.o: ../../include/openssl/bio.h ../../include/openssl/bn.h ts_req_print.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h @@ -153,7 +153,7 @@ ts_req_print.o: ../../include/openssl/sha.h ../../include/openssl/stack.h ts_req_print.o: ../../include/openssl/symhacks.h ../../include/openssl/ts.h ts_req_print.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h ts_req_print.o: ../../include/openssl/x509v3.h ../include/internal/cryptlib.h -ts_req_print.o: ts_req_print.c +ts_req_print.o: ts_lcl.h ts_req_print.c ts_req_utils.o: ../../e_os.h ../../include/openssl/asn1.h ts_req_utils.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h ts_req_utils.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h @@ -171,7 +171,7 @@ ts_req_utils.o: ../../include/openssl/sha.h ../../include/openssl/stack.h ts_req_utils.o: ../../include/openssl/symhacks.h ../../include/openssl/ts.h ts_req_utils.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h ts_req_utils.o: ../../include/openssl/x509v3.h ../include/internal/cryptlib.h -ts_req_utils.o: ts_req_utils.c +ts_req_utils.o: ts_lcl.h ts_req_utils.c ts_rsp_print.o: ../../e_os.h ../../include/openssl/asn1.h ts_rsp_print.o: ../../include/openssl/bio.h ../../include/openssl/bn.h ts_rsp_print.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h @@ -189,7 +189,7 @@ ts_rsp_print.o: ../../include/openssl/sha.h ../../include/openssl/stack.h ts_rsp_print.o: ../../include/openssl/symhacks.h ../../include/openssl/ts.h ts_rsp_print.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h ts_rsp_print.o: ../../include/openssl/x509v3.h ../include/internal/cryptlib.h -ts_rsp_print.o: ts_rsp_print.c +ts_rsp_print.o: ts_lcl.h ts_rsp_print.c ts_rsp_sign.o: ../../e_os.h ../../include/openssl/asn1.h ts_rsp_sign.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h ts_rsp_sign.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h @@ -207,7 +207,7 @@ ts_rsp_sign.o: ../../include/openssl/sha.h ../../include/openssl/stack.h ts_rsp_sign.o: ../../include/openssl/symhacks.h ../../include/openssl/ts.h ts_rsp_sign.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h ts_rsp_sign.o: ../../include/openssl/x509v3.h ../include/internal/cryptlib.h -ts_rsp_sign.o: ts_rsp_sign.c +ts_rsp_sign.o: ts_lcl.h ts_rsp_sign.c ts_rsp_utils.o: ../../e_os.h ../../include/openssl/asn1.h ts_rsp_utils.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h ts_rsp_utils.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h @@ -225,7 +225,7 @@ ts_rsp_utils.o: ../../include/openssl/sha.h ../../include/openssl/stack.h ts_rsp_utils.o: ../../include/openssl/symhacks.h ../../include/openssl/ts.h ts_rsp_utils.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h ts_rsp_utils.o: ../../include/openssl/x509v3.h ../include/internal/cryptlib.h -ts_rsp_utils.o: ts_rsp_utils.c +ts_rsp_utils.o: ts_lcl.h ts_rsp_utils.c ts_rsp_verify.o: ../../e_os.h ../../include/openssl/asn1.h ts_rsp_verify.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h ts_rsp_verify.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h @@ -243,7 +243,7 @@ ts_rsp_verify.o: ../../include/openssl/sha.h ../../include/openssl/stack.h ts_rsp_verify.o: ../../include/openssl/symhacks.h ../../include/openssl/ts.h ts_rsp_verify.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h ts_rsp_verify.o: ../../include/openssl/x509v3.h ../include/internal/cryptlib.h -ts_rsp_verify.o: ts_rsp_verify.c +ts_rsp_verify.o: ts_lcl.h ts_rsp_verify.c ts_verify_ctx.o: ../../e_os.h ../../include/openssl/asn1.h ts_verify_ctx.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h ts_verify_ctx.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h @@ -261,4 +261,4 @@ ts_verify_ctx.o: ../../include/openssl/sha.h ../../include/openssl/stack.h ts_verify_ctx.o: ../../include/openssl/symhacks.h ../../include/openssl/ts.h ts_verify_ctx.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h ts_verify_ctx.o: ../../include/openssl/x509v3.h ../include/internal/cryptlib.h -ts_verify_ctx.o: ts_verify_ctx.c +ts_verify_ctx.o: ts_lcl.h ts_verify_ctx.c diff --git a/crypto/ts/ts_asn1.c b/crypto/ts/ts_asn1.c index 99b686f39d..f4884a2596 100644 --- a/crypto/ts/ts_asn1.c +++ b/crypto/ts/ts_asn1.c @@ -59,6 +59,7 @@ #include #include #include +#include "ts_lcl.h" ASN1_SEQUENCE(TS_MSG_IMPRINT) = { ASN1_SIMPLE(TS_MSG_IMPRINT, hash_algo, X509_ALGOR), diff --git a/crypto/ts/ts_lcl.h b/crypto/ts/ts_lcl.h new file mode 100644 index 0000000000..7bd23e979c --- /dev/null +++ b/crypto/ts/ts_lcl.h @@ -0,0 +1,230 @@ +/* ==================================================================== + * Copyright (c) 2015 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ + + +/*- + * MessageImprint ::= SEQUENCE { + * hashAlgorithm AlgorithmIdentifier, + * hashedMessage OCTET STRING } + */ +struct TS_msg_imprint_st { + X509_ALGOR *hash_algo; + ASN1_OCTET_STRING *hashed_msg; +}; + +/*- + * TimeStampResp ::= SEQUENCE { + * status PKIStatusInfo, + * timeStampToken TimeStampToken OPTIONAL } + */ +struct TS_resp_st { + TS_STATUS_INFO *status_info; + PKCS7 *token; + TS_TST_INFO *tst_info; +}; + +/*- + * TimeStampReq ::= SEQUENCE { + * version INTEGER { v1(1) }, + * messageImprint MessageImprint, + * --a hash algorithm OID and the hash value of the data to be + * --time-stamped + * reqPolicy TSAPolicyId OPTIONAL, + * nonce INTEGER OPTIONAL, + * certReq BOOLEAN DEFAULT FALSE, + * extensions [0] IMPLICIT Extensions OPTIONAL } + */ +struct TS_req_st { + ASN1_INTEGER *version; + TS_MSG_IMPRINT *msg_imprint; + ASN1_OBJECT *policy_id; + ASN1_INTEGER *nonce; + ASN1_BOOLEAN cert_req; + STACK_OF(X509_EXTENSION) *extensions; +}; + +/*- + * Accuracy ::= SEQUENCE { + * seconds INTEGER OPTIONAL, + * millis [0] INTEGER (1..999) OPTIONAL, + * micros [1] INTEGER (1..999) OPTIONAL } + */ +struct TS_accuracy_st { + ASN1_INTEGER *seconds; + ASN1_INTEGER *millis; + ASN1_INTEGER *micros; +}; + +/*- + * TSTInfo ::= SEQUENCE { + * version INTEGER { v1(1) }, + * policy TSAPolicyId, + * messageImprint MessageImprint, + * -- MUST have the same value as the similar field in + * -- TimeStampReq + * serialNumber INTEGER, + * -- Time-Stamping users MUST be ready to accommodate integers + * -- up to 160 bits. + * genTime GeneralizedTime, + * accuracy Accuracy OPTIONAL, + * ordering BOOLEAN DEFAULT FALSE, + * nonce INTEGER OPTIONAL, + * -- MUST be present if the similar field was present + * -- in TimeStampReq. In that case it MUST have the same value. + * tsa [0] GeneralName OPTIONAL, + * extensions [1] IMPLICIT Extensions OPTIONAL } + */ +struct TS_tst_info_st { + ASN1_INTEGER *version; + ASN1_OBJECT *policy_id; + TS_MSG_IMPRINT *msg_imprint; + ASN1_INTEGER *serial; + ASN1_GENERALIZEDTIME *time; + TS_ACCURACY *accuracy; + ASN1_BOOLEAN ordering; + ASN1_INTEGER *nonce; + GENERAL_NAME *tsa; + STACK_OF(X509_EXTENSION) *extensions; +}; + +struct TS_status_info_st { + ASN1_INTEGER *status; + STACK_OF(ASN1_UTF8STRING) *text; + ASN1_BIT_STRING *failure_info; +}; + +DECLARE_STACK_OF(ASN1_UTF8STRING) + +/*- + * IssuerSerial ::= SEQUENCE { + * issuer GeneralNames, + * serialNumber CertificateSerialNumber + * } + */ +struct ESS_issuer_serial { + STACK_OF(GENERAL_NAME) *issuer; + ASN1_INTEGER *serial; +}; + +/*- + * ESSCertID ::= SEQUENCE { + * certHash Hash, + * issuerSerial IssuerSerial OPTIONAL + * } + */ +struct ESS_cert_id { + ASN1_OCTET_STRING *hash; /* Always SHA-1 digest. */ + ESS_ISSUER_SERIAL *issuer_serial; +}; + +/*- + * SigningCertificate ::= SEQUENCE { + * certs SEQUENCE OF ESSCertID, + * policies SEQUENCE OF PolicyInformation OPTIONAL + * } + */ +struct ESS_signing_cert { + STACK_OF(ESS_CERT_ID) *cert_ids; + STACK_OF(POLICYINFO) *policy_info; +}; + + +struct TS_resp_ctx { + X509 *signer_cert; + EVP_PKEY *signer_key; + STACK_OF(X509) *certs; /* Certs to include in signed data. */ + STACK_OF(ASN1_OBJECT) *policies; /* Acceptable policies. */ + ASN1_OBJECT *default_policy; /* It may appear in policies, too. */ + STACK_OF(EVP_MD) *mds; /* Acceptable message digests. */ + ASN1_INTEGER *seconds; /* accuracy, 0 means not specified. */ + ASN1_INTEGER *millis; /* accuracy, 0 means not specified. */ + ASN1_INTEGER *micros; /* accuracy, 0 means not specified. */ + unsigned clock_precision_digits; /* fraction of seconds in time stamp + * token. */ + unsigned flags; /* Optional info, see values above. */ + /* Callback functions. */ + TS_serial_cb serial_cb; + void *serial_cb_data; /* User data for serial_cb. */ + TS_time_cb time_cb; + void *time_cb_data; /* User data for time_cb. */ + TS_extension_cb extension_cb; + void *extension_cb_data; /* User data for extension_cb. */ + /* These members are used only while creating the response. */ + TS_REQ *request; + TS_RESP *response; + TS_TST_INFO *tst_info; +}; + +struct TS_verify_ctx { + /* Set this to the union of TS_VFY_... flags you want to carry out. */ + unsigned flags; + /* Must be set only with TS_VFY_SIGNATURE. certs is optional. */ + X509_STORE *store; + STACK_OF(X509) *certs; + /* Must be set only with TS_VFY_POLICY. */ + ASN1_OBJECT *policy; + /* + * Must be set only with TS_VFY_IMPRINT. If md_alg is NULL, the + * algorithm from the response is used. + */ + X509_ALGOR *md_alg; + unsigned char *imprint; + unsigned imprint_len; + /* Must be set only with TS_VFY_DATA. */ + BIO *data; + /* Must be set only with TS_VFY_TSA_NAME. */ + ASN1_INTEGER *nonce; + /* Must be set only with TS_VFY_TSA_NAME. */ + GENERAL_NAME *tsa_name; +}; diff --git a/crypto/ts/ts_lib.c b/crypto/ts/ts_lib.c index 2bf7c505f6..cd9c19f76a 100644 --- a/crypto/ts/ts_lib.c +++ b/crypto/ts/ts_lib.c @@ -64,6 +64,7 @@ #include #include #include +#include "ts_lcl.h" /* Local function declarations. */ @@ -135,10 +136,10 @@ int TS_MSG_IMPRINT_print_bio(BIO *bio, TS_MSG_IMPRINT *a) { ASN1_OCTET_STRING *msg; - TS_X509_ALGOR_print_bio(bio, TS_MSG_IMPRINT_get_algo(a)); + TS_X509_ALGOR_print_bio(bio, a->hash_algo); BIO_printf(bio, "Message data:\n"); - msg = TS_MSG_IMPRINT_get_msg(a); + msg = a->hashed_msg; BIO_dump_indent(bio, (const char *)ASN1_STRING_data(msg), ASN1_STRING_length(msg), 4); diff --git a/crypto/ts/ts_req_print.c b/crypto/ts/ts_req_print.c index eef1b8aab1..0f618d5662 100644 --- a/crypto/ts/ts_req_print.c +++ b/crypto/ts/ts_req_print.c @@ -63,6 +63,7 @@ #include #include #include +#include "ts_lcl.h" /* Function definitions. */ @@ -70,7 +71,6 @@ int TS_REQ_print_bio(BIO *bio, TS_REQ *a) { int v; ASN1_OBJECT *policy_id; - const ASN1_INTEGER *nonce; if (a == NULL) return 0; @@ -78,7 +78,7 @@ int TS_REQ_print_bio(BIO *bio, TS_REQ *a) v = TS_REQ_get_version(a); BIO_printf(bio, "Version: %d\n", v); - TS_MSG_IMPRINT_print_bio(bio, TS_REQ_get_msg_imprint(a)); + TS_MSG_IMPRINT_print_bio(bio, a->msg_imprint); BIO_printf(bio, "Policy OID: "); policy_id = TS_REQ_get_policy_id(a); @@ -88,17 +88,16 @@ int TS_REQ_print_bio(BIO *bio, TS_REQ *a) TS_OBJ_print_bio(bio, policy_id); BIO_printf(bio, "Nonce: "); - nonce = TS_REQ_get_nonce(a); - if (nonce == NULL) + if (a->nonce == NULL) BIO_printf(bio, "unspecified"); else - TS_ASN1_INTEGER_print_bio(bio, nonce); + TS_ASN1_INTEGER_print_bio(bio, a->nonce); BIO_write(bio, "\n", 1); BIO_printf(bio, "Certificate required: %s\n", - TS_REQ_get_cert_req(a) ? "yes" : "no"); + a->cert_req ? "yes" : "no"); - TS_ext_print_bio(bio, TS_REQ_get_exts(a)); + TS_ext_print_bio(bio, a->extensions); return 1; } diff --git a/crypto/ts/ts_req_utils.c b/crypto/ts/ts_req_utils.c index 7f3a4a4289..706f4428ff 100644 --- a/crypto/ts/ts_req_utils.c +++ b/crypto/ts/ts_req_utils.c @@ -62,6 +62,7 @@ #include #include #include +#include "ts_lcl.h" int TS_REQ_set_version(TS_REQ *a, long version) { diff --git a/crypto/ts/ts_rsp_print.c b/crypto/ts/ts_rsp_print.c index b71985f46c..f2fae69294 100644 --- a/crypto/ts/ts_rsp_print.c +++ b/crypto/ts/ts_rsp_print.c @@ -63,6 +63,7 @@ #include #include #include +#include "ts_lcl.h" struct status_map_st { int bit; @@ -79,15 +80,12 @@ static int ts_ACCURACY_print_bio(BIO *bio, const TS_ACCURACY *accuracy); int TS_RESP_print_bio(BIO *bio, TS_RESP *a) { - TS_TST_INFO *tst_info; - BIO_printf(bio, "Status info:\n"); - TS_STATUS_INFO_print_bio(bio, TS_RESP_get_status_info(a)); + TS_STATUS_INFO_print_bio(bio, a->status_info); BIO_printf(bio, "\nTST info:\n"); - tst_info = TS_RESP_get_tst_info(a); - if (tst_info != NULL) - TS_TST_INFO_print_bio(bio, TS_RESP_get_tst_info(a)); + if (a->tst_info != NULL) + TS_TST_INFO_print_bio(bio, a->tst_info); else BIO_printf(bio, "Not included.\n"); @@ -176,102 +174,85 @@ static int ts_status_map_print(BIO *bio, const struct status_map_st *a, int TS_TST_INFO_print_bio(BIO *bio, TS_TST_INFO *a) { int v; - ASN1_OBJECT *policy_id; - const ASN1_INTEGER *serial; - const ASN1_GENERALIZEDTIME *gtime; - TS_ACCURACY *accuracy; - const ASN1_INTEGER *nonce; - GENERAL_NAME *tsa_name; if (a == NULL) return 0; /* Print version. */ - v = TS_TST_INFO_get_version(a); + v = ASN1_INTEGER_get(a->version); BIO_printf(bio, "Version: %d\n", v); /* Print policy id. */ BIO_printf(bio, "Policy OID: "); - policy_id = TS_TST_INFO_get_policy_id(a); - TS_OBJ_print_bio(bio, policy_id); + TS_OBJ_print_bio(bio, a->policy_id); /* Print message imprint. */ - TS_MSG_IMPRINT_print_bio(bio, TS_TST_INFO_get_msg_imprint(a)); + TS_MSG_IMPRINT_print_bio(bio, a->msg_imprint); /* Print serial number. */ BIO_printf(bio, "Serial number: "); - serial = TS_TST_INFO_get_serial(a); - if (serial == NULL) + if (a->serial == NULL) BIO_printf(bio, "unspecified"); else - TS_ASN1_INTEGER_print_bio(bio, serial); + TS_ASN1_INTEGER_print_bio(bio, a->serial); BIO_write(bio, "\n", 1); /* Print time stamp. */ BIO_printf(bio, "Time stamp: "); - gtime = TS_TST_INFO_get_time(a); - ASN1_GENERALIZEDTIME_print(bio, gtime); + ASN1_GENERALIZEDTIME_print(bio, a->time); BIO_write(bio, "\n", 1); /* Print accuracy. */ BIO_printf(bio, "Accuracy: "); - accuracy = TS_TST_INFO_get_accuracy(a); - if (accuracy == NULL) + if (a->accuracy == NULL) BIO_printf(bio, "unspecified"); else - ts_ACCURACY_print_bio(bio, accuracy); + ts_ACCURACY_print_bio(bio, a->accuracy); BIO_write(bio, "\n", 1); /* Print ordering. */ - BIO_printf(bio, "Ordering: %s\n", - TS_TST_INFO_get_ordering(a) ? "yes" : "no"); + BIO_printf(bio, "Ordering: %s\n", a->ordering ? "yes" : "no"); /* Print nonce. */ BIO_printf(bio, "Nonce: "); - nonce = TS_TST_INFO_get_nonce(a); - if (nonce == NULL) + if (a->nonce == NULL) BIO_printf(bio, "unspecified"); else - TS_ASN1_INTEGER_print_bio(bio, nonce); + TS_ASN1_INTEGER_print_bio(bio, a->nonce); BIO_write(bio, "\n", 1); /* Print TSA name. */ BIO_printf(bio, "TSA: "); - tsa_name = TS_TST_INFO_get_tsa(a); - if (tsa_name == NULL) + if (a->tsa == NULL) BIO_printf(bio, "unspecified"); else { STACK_OF(CONF_VALUE) *nval; - if ((nval = i2v_GENERAL_NAME(NULL, tsa_name, NULL))) + if ((nval = i2v_GENERAL_NAME(NULL, a->tsa, NULL))) X509V3_EXT_val_prn(bio, nval, 0, 0); sk_CONF_VALUE_pop_free(nval, X509V3_conf_free); } BIO_write(bio, "\n", 1); /* Print extensions. */ - TS_ext_print_bio(bio, TS_TST_INFO_get_exts(a)); + TS_ext_print_bio(bio, a->extensions); return 1; } -static int ts_ACCURACY_print_bio(BIO *bio, const TS_ACCURACY *accuracy) +static int ts_ACCURACY_print_bio(BIO *bio, const TS_ACCURACY *a) { - const ASN1_INTEGER *seconds = TS_ACCURACY_get_seconds(accuracy); - const ASN1_INTEGER *millis = TS_ACCURACY_get_millis(accuracy); - const ASN1_INTEGER *micros = TS_ACCURACY_get_micros(accuracy); - - if (seconds != NULL) - TS_ASN1_INTEGER_print_bio(bio, seconds); + if (a->seconds != NULL) + TS_ASN1_INTEGER_print_bio(bio, a->seconds); else BIO_printf(bio, "unspecified"); BIO_printf(bio, " seconds, "); - if (millis != NULL) - TS_ASN1_INTEGER_print_bio(bio, millis); + if (a->millis != NULL) + TS_ASN1_INTEGER_print_bio(bio, a->millis); else BIO_printf(bio, "unspecified"); BIO_printf(bio, " millis, "); - if (micros != NULL) - TS_ASN1_INTEGER_print_bio(bio, micros); + if (a->micros != NULL) + TS_ASN1_INTEGER_print_bio(bio, a->micros); else BIO_printf(bio, "unspecified"); BIO_printf(bio, " micros"); diff --git a/crypto/ts/ts_rsp_sign.c b/crypto/ts/ts_rsp_sign.c index 9cacec8713..3343dce275 100644 --- a/crypto/ts/ts_rsp_sign.c +++ b/crypto/ts/ts_rsp_sign.c @@ -66,6 +66,7 @@ #include #include #include +#include "ts_lcl.h" /* Private function declarations. */ @@ -377,7 +378,7 @@ int TS_RESP_CTX_set_status_info_cond(TS_RESP_CTX *ctx, int status, const char *text) { int ret = 1; - TS_STATUS_INFO *si = TS_RESP_get_status_info(ctx->response); + TS_STATUS_INFO *si = ctx->response->status_info; if (ASN1_INTEGER_get(si->status) == TS_STATUS_GRANTED) { /* Status has not been set, set it now. */ @@ -388,7 +389,7 @@ int TS_RESP_CTX_set_status_info_cond(TS_RESP_CTX *ctx, int TS_RESP_CTX_add_failure_info(TS_RESP_CTX *ctx, int failure) { - TS_STATUS_INFO *si = TS_RESP_get_status_info(ctx->response); + TS_STATUS_INFO *si = ctx->response->status_info; if (si->failure_info == NULL && (si->failure_info = ASN1_BIT_STRING_new()) == NULL) goto err; @@ -526,8 +527,8 @@ static int ts_RESP_check_request(TS_RESP_CTX *ctx) } /* Checking message digest algorithm. */ - msg_imprint = TS_REQ_get_msg_imprint(request); - md_alg = TS_MSG_IMPRINT_get_algo(msg_imprint); + msg_imprint = request->msg_imprint; + md_alg = msg_imprint->hash_algo; md_alg_id = OBJ_obj2nid(md_alg->algorithm); for (i = 0; !md && i < sk_EVP_MD_num(ctx->mds); ++i) { EVP_MD *current_md = sk_EVP_MD_value(ctx->mds, i); @@ -551,7 +552,7 @@ static int ts_RESP_check_request(TS_RESP_CTX *ctx) return 0; } /* Checking message digest size. */ - digest = TS_MSG_IMPRINT_get_msg(msg_imprint); + digest = msg_imprint->hashed_msg; if (digest->length != EVP_MD_size(md)) { TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION, "Bad message digest."); @@ -565,7 +566,7 @@ static int ts_RESP_check_request(TS_RESP_CTX *ctx) /* Returns the TSA policy based on the requested and acceptable policies. */ static ASN1_OBJECT *ts_RESP_get_policy(TS_RESP_CTX *ctx) { - ASN1_OBJECT *requested = TS_REQ_get_policy_id(ctx->request); + ASN1_OBJECT *requested = ctx->request->policy_id; ASN1_OBJECT *policy = NULL; int i; @@ -646,7 +647,7 @@ static TS_TST_INFO *ts_RESP_create_tst_info(TS_RESP_CTX *ctx, goto end; /* Setting nonce if needed. */ - if ((nonce = TS_REQ_get_nonce(ctx->request)) != NULL + if ((nonce = ctx->request->nonce) != NULL && !TS_TST_INFO_set_nonce(tst_info, nonce)) goto end; @@ -684,7 +685,7 @@ static TS_TST_INFO *ts_RESP_create_tst_info(TS_RESP_CTX *ctx, /* Processing the extensions of the request. */ static int ts_RESP_process_extensions(TS_RESP_CTX *ctx) { - STACK_OF(X509_EXTENSION) *exts = TS_REQ_get_exts(ctx->request); + STACK_OF(X509_EXTENSION) *exts = ctx->request->extensions; int i; int ok = 1; @@ -733,7 +734,7 @@ static int ts_RESP_sign(TS_RESP_CTX *ctx) goto err; /* Add signer certificate and optional certificate chain. */ - if (TS_REQ_get_cert_req(ctx->request)) { + if (ctx->request->cert_req) { PKCS7_add_certificate(p7, ctx->signer_cert); if (ctx->certs) { for (i = 0; i < sk_X509_num(ctx->certs); ++i) { diff --git a/crypto/ts/ts_rsp_utils.c b/crypto/ts/ts_rsp_utils.c index 8c66c5fe0d..887d31497c 100644 --- a/crypto/ts/ts_rsp_utils.c +++ b/crypto/ts/ts_rsp_utils.c @@ -62,6 +62,7 @@ #include #include #include +#include "ts_lcl.h" /* Function definitions. */ @@ -394,3 +395,8 @@ void *TS_TST_INFO_get_ext_d2i(TS_TST_INFO *a, int nid, int *crit, int *idx) { return X509V3_get_d2i(a->extensions, nid, crit, idx); } + +int TS_STATUS_INFO_set_status(TS_STATUS_INFO *a, int i) +{ + return ASN1_INTEGER_set(a->status, i); +} diff --git a/crypto/ts/ts_rsp_verify.c b/crypto/ts/ts_rsp_verify.c index 5784e3dc5a..c01d6a6565 100644 --- a/crypto/ts/ts_rsp_verify.c +++ b/crypto/ts/ts_rsp_verify.c @@ -62,6 +62,7 @@ #include #include #include +#include "ts_lcl.h" /* Private function declarations. */ @@ -363,8 +364,8 @@ static int ts_issuer_serial_cmp(ESS_ISSUER_SERIAL *is, X509_CINF *cinfo) */ int TS_RESP_verify_response(TS_VERIFY_CTX *ctx, TS_RESP *response) { - PKCS7 *token = TS_RESP_get_token(response); - TS_TST_INFO *tst_info = TS_RESP_get_tst_info(response); + PKCS7 *token = response->token; + TS_TST_INFO *tst_info = response->tst_info; int ret = 0; /* Check if we have a successful TS_TST_INFO object in place. */ @@ -411,7 +412,7 @@ static int int_ts_RESP_verify_token(TS_VERIFY_CTX *ctx, PKCS7 *token, TS_TST_INFO *tst_info) { X509 *signer = NULL; - GENERAL_NAME *tsa_name = TS_TST_INFO_get_tsa(tst_info); + GENERAL_NAME *tsa_name = tst_info->tsa; X509_ALGOR *md_alg = NULL; unsigned char *imprint = NULL; unsigned imprint_len = 0; @@ -476,7 +477,7 @@ static int int_ts_RESP_verify_token(TS_VERIFY_CTX *ctx, static int ts_check_status_info(TS_RESP *response) { - TS_STATUS_INFO *info = TS_RESP_get_status_info(response); + TS_STATUS_INFO *info = response->status_info; long status = ASN1_INTEGER_get(info->status); const char *status_text = NULL; char *embedded_status_text = NULL; @@ -562,7 +563,7 @@ static char *ts_get_status_text(STACK_OF(ASN1_UTF8STRING) *text) static int ts_check_policy(ASN1_OBJECT *req_oid, TS_TST_INFO *tst_info) { - ASN1_OBJECT *resp_oid = TS_TST_INFO_get_policy_id(tst_info); + ASN1_OBJECT *resp_oid = tst_info->policy_id; if (OBJ_cmp(req_oid, resp_oid) != 0) { TSerr(TS_F_TS_CHECK_POLICY, TS_R_POLICY_MISMATCH); @@ -576,8 +577,8 @@ static int ts_compute_imprint(BIO *data, TS_TST_INFO *tst_info, X509_ALGOR **md_alg, unsigned char **imprint, unsigned *imprint_len) { - TS_MSG_IMPRINT *msg_imprint = TS_TST_INFO_get_msg_imprint(tst_info); - X509_ALGOR *md_alg_resp = TS_MSG_IMPRINT_get_algo(msg_imprint); + TS_MSG_IMPRINT *msg_imprint = tst_info->msg_imprint; + X509_ALGOR *md_alg_resp = msg_imprint->hash_algo; const EVP_MD *md; EVP_MD_CTX md_ctx; unsigned char buffer[4096]; @@ -628,8 +629,8 @@ static int ts_check_imprints(X509_ALGOR *algor_a, unsigned char *imprint_a, unsigned len_a, TS_TST_INFO *tst_info) { - TS_MSG_IMPRINT *b = TS_TST_INFO_get_msg_imprint(tst_info); - X509_ALGOR *algor_b = TS_MSG_IMPRINT_get_algo(b); + TS_MSG_IMPRINT *b = tst_info->msg_imprint; + X509_ALGOR *algor_b = b->hash_algo; int ret = 0; /* algor_a is optional. */ @@ -657,7 +658,7 @@ static int ts_check_imprints(X509_ALGOR *algor_a, static int ts_check_nonces(const ASN1_INTEGER *a, TS_TST_INFO *tst_info) { - const ASN1_INTEGER *b = TS_TST_INFO_get_nonce(tst_info); + const ASN1_INTEGER *b = tst_info->nonce; /* Error if nonce is missing. */ if (!b) { diff --git a/crypto/ts/ts_verify_ctx.c b/crypto/ts/ts_verify_ctx.c index e23ae268f4..c370137fee 100644 --- a/crypto/ts/ts_verify_ctx.c +++ b/crypto/ts/ts_verify_ctx.c @@ -60,6 +60,7 @@ #include "internal/cryptlib.h" #include #include +#include "ts_lcl.h" TS_VERIFY_CTX *TS_VERIFY_CTX_new(void) { @@ -85,6 +86,45 @@ void TS_VERIFY_CTX_free(TS_VERIFY_CTX *ctx) OPENSSL_free(ctx); } +int TS_VERIFY_CTX_add_flags(TS_VERIFY_CTX *ctx, int f) +{ + ctx->flags |= f; + return ctx->flags; +} + +int TS_VERIFY_CTX_set_flags(TS_VERIFY_CTX *ctx, int f) +{ + ctx->flags = f; + return ctx->flags; +} + +BIO *TS_VERIFY_CTX_set_data(TS_VERIFY_CTX *ctx, BIO *b) +{ + ctx->data = b; + return ctx->data; +} + +X509_STORE *TS_VERIFY_CTX_set_store(TS_VERIFY_CTX *ctx, X509_STORE *s) +{ + ctx->store = s; + return ctx->store; +} + +STACK_OF(X509) *TS_VERIFY_CTS_set_certs(TS_VERIFY_CTX *ctx, + STACK_OF(X509) *certs) +{ + ctx->certs = certs; + return ctx->certs; +} + +unsigned char *TS_VERIFY_CTX_set_imprint(TS_VERIFY_CTX *ctx, + unsigned char *hexstr, long len) +{ + ctx->imprint = hexstr; + ctx->imprint_len = len; + return ctx->imprint; +} + void TS_VERIFY_CTX_cleanup(TS_VERIFY_CTX *ctx) { if (!ctx) @@ -126,25 +166,25 @@ TS_VERIFY_CTX *TS_REQ_to_TS_VERIFY_CTX(TS_REQ *req, TS_VERIFY_CTX *ctx) ret->flags = TS_VFY_ALL_IMPRINT & ~(TS_VFY_TSA_NAME | TS_VFY_SIGNATURE); /* Setting policy. */ - if ((policy = TS_REQ_get_policy_id(req)) != NULL) { + if ((policy = req->policy_id) != NULL) { if ((ret->policy = OBJ_dup(policy)) == NULL) goto err; } else ret->flags &= ~TS_VFY_POLICY; /* Setting md_alg, imprint and imprint_len. */ - imprint = TS_REQ_get_msg_imprint(req); - md_alg = TS_MSG_IMPRINT_get_algo(imprint); + imprint = req->msg_imprint; + md_alg = imprint->hash_algo; if ((ret->md_alg = X509_ALGOR_dup(md_alg)) == NULL) goto err; - msg = TS_MSG_IMPRINT_get_msg(imprint); + msg = imprint->hashed_msg; ret->imprint_len = ASN1_STRING_length(msg); if ((ret->imprint = OPENSSL_malloc(ret->imprint_len)) == NULL) goto err; memcpy(ret->imprint, ASN1_STRING_data(msg), ret->imprint_len); /* Setting nonce. */ - if ((nonce = TS_REQ_get_nonce(req)) != NULL) { + if ((nonce = req->nonce) != NULL) { if ((ret->nonce = ASN1_INTEGER_dup(nonce)) == NULL) goto err; } else diff --git a/include/openssl/ts.h b/include/openssl/ts.h index b983abc2cd..d66b49d734 100644 --- a/include/openssl/ts.h +++ b/include/openssl/ts.h @@ -93,99 +93,12 @@ extern "C" { # include # include -/*- -MessageImprint ::= SEQUENCE { - hashAlgorithm AlgorithmIdentifier, - hashedMessage OCTET STRING } -*/ - -typedef struct TS_msg_imprint_st { - X509_ALGOR *hash_algo; - ASN1_OCTET_STRING *hashed_msg; -} TS_MSG_IMPRINT; - -/*- -TimeStampReq ::= SEQUENCE { - version INTEGER { v1(1) }, - messageImprint MessageImprint, - --a hash algorithm OID and the hash value of the data to be - --time-stamped - reqPolicy TSAPolicyId OPTIONAL, - nonce INTEGER OPTIONAL, - certReq BOOLEAN DEFAULT FALSE, - extensions [0] IMPLICIT Extensions OPTIONAL } -*/ - -typedef struct TS_req_st { - ASN1_INTEGER *version; - TS_MSG_IMPRINT *msg_imprint; - ASN1_OBJECT *policy_id; /* OPTIONAL */ - ASN1_INTEGER *nonce; /* OPTIONAL */ - ASN1_BOOLEAN cert_req; /* DEFAULT FALSE */ - STACK_OF(X509_EXTENSION) *extensions; /* [0] OPTIONAL */ -} TS_REQ; - -/*- -Accuracy ::= SEQUENCE { - seconds INTEGER OPTIONAL, - millis [0] INTEGER (1..999) OPTIONAL, - micros [1] INTEGER (1..999) OPTIONAL } -*/ - -typedef struct TS_accuracy_st { - ASN1_INTEGER *seconds; - ASN1_INTEGER *millis; - ASN1_INTEGER *micros; -} TS_ACCURACY; - -/*- -TSTInfo ::= SEQUENCE { - version INTEGER { v1(1) }, - policy TSAPolicyId, - messageImprint MessageImprint, - -- MUST have the same value as the similar field in - -- TimeStampReq - serialNumber INTEGER, - -- Time-Stamping users MUST be ready to accommodate integers - -- up to 160 bits. - genTime GeneralizedTime, - accuracy Accuracy OPTIONAL, - ordering BOOLEAN DEFAULT FALSE, - nonce INTEGER OPTIONAL, - -- MUST be present if the similar field was present - -- in TimeStampReq. In that case it MUST have the same value. - tsa [0] GeneralName OPTIONAL, - extensions [1] IMPLICIT Extensions OPTIONAL } -*/ - -typedef struct TS_tst_info_st { - ASN1_INTEGER *version; - ASN1_OBJECT *policy_id; - TS_MSG_IMPRINT *msg_imprint; - ASN1_INTEGER *serial; - ASN1_GENERALIZEDTIME *time; - TS_ACCURACY *accuracy; - ASN1_BOOLEAN ordering; - ASN1_INTEGER *nonce; - GENERAL_NAME *tsa; - STACK_OF(X509_EXTENSION) *extensions; -} TS_TST_INFO; - -/*- -PKIStatusInfo ::= SEQUENCE { - status PKIStatus, - statusString PKIFreeText OPTIONAL, - failInfo PKIFailureInfo OPTIONAL } - -From RFC 1510 - section 3.1.1: -PKIFreeText ::= SEQUENCE SIZE (1..MAX) OF UTF8String - -- text encoded as UTF-8 String (note: each UTF8String SHOULD - -- include an RFC 1766 language tag to indicate the language - -- of the contained text) -*/ - -/* Possible values for status. See ts_resp_print.c && ts_resp_verify.c. */ +typedef struct TS_msg_imprint_st TS_MSG_IMPRINT; +typedef struct TS_req_st TS_REQ; +typedef struct TS_accuracy_st TS_ACCURACY; +typedef struct TS_tst_info_st TS_TST_INFO; +/* Possible values for status. */ # define TS_STATUS_GRANTED 0 # define TS_STATUS_GRANTED_WITH_MODS 1 # define TS_STATUS_REJECTION 2 @@ -193,10 +106,7 @@ PKIFreeText ::= SEQUENCE SIZE (1..MAX) OF UTF8String # define TS_STATUS_REVOCATION_WARNING 4 # define TS_STATUS_REVOCATION_NOTIFICATION 5 -/* - * Possible values for failure_info. See ts_resp_print.c && ts_resp_verify.c - */ - +/* Possible values for failure_info. */ # define TS_INFO_BAD_ALG 0 # define TS_INFO_BAD_REQUEST 2 # define TS_INFO_BAD_DATA_FORMAT 5 @@ -206,65 +116,15 @@ PKIFreeText ::= SEQUENCE SIZE (1..MAX) OF UTF8String # define TS_INFO_ADD_INFO_NOT_AVAILABLE 17 # define TS_INFO_SYSTEM_FAILURE 25 -typedef struct TS_status_info_st { - ASN1_INTEGER *status; - STACK_OF(ASN1_UTF8STRING) *text; - ASN1_BIT_STRING *failure_info; -} TS_STATUS_INFO; -DECLARE_STACK_OF(ASN1_UTF8STRING) - -/*- -TimeStampResp ::= SEQUENCE { - status PKIStatusInfo, - timeStampToken TimeStampToken OPTIONAL } -*/ - -typedef struct TS_resp_st { - TS_STATUS_INFO *status_info; - PKCS7 *token; - TS_TST_INFO *tst_info; -} TS_RESP; - -/* The structure below would belong to the ESS component. */ - -/*- -IssuerSerial ::= SEQUENCE { - issuer GeneralNames, - serialNumber CertificateSerialNumber - } -*/ - -typedef struct ESS_issuer_serial { - STACK_OF(GENERAL_NAME) *issuer; - ASN1_INTEGER *serial; -} ESS_ISSUER_SERIAL; - -/*- -ESSCertID ::= SEQUENCE { - certHash Hash, - issuerSerial IssuerSerial OPTIONAL -} -*/ - -typedef struct ESS_cert_id { - ASN1_OCTET_STRING *hash; /* Always SHA-1 digest. */ - ESS_ISSUER_SERIAL *issuer_serial; -} ESS_CERT_ID; +typedef struct TS_status_info_st TS_STATUS_INFO; +typedef struct ESS_issuer_serial ESS_ISSUER_SERIAL; +typedef struct ESS_cert_id ESS_CERT_ID; +typedef struct ESS_signing_cert ESS_SIGNING_CERT; DECLARE_STACK_OF(ESS_CERT_ID) -/*- -SigningCertificate ::= SEQUENCE { - certs SEQUENCE OF ESSCertID, - policies SEQUENCE OF PolicyInformation OPTIONAL -} -*/ - -typedef struct ESS_signing_cert { - STACK_OF(ESS_CERT_ID) *cert_ids; - STACK_OF(POLICYINFO) *policy_info; -} ESS_SIGNING_CERT; +typedef struct TS_resp_st TS_RESP; TS_REQ *TS_REQ_new(void); void TS_REQ_free(TS_REQ *a); @@ -356,6 +216,8 @@ void ERR_load_TS_strings(void); int TS_REQ_set_version(TS_REQ *a, long version); long TS_REQ_get_version(const TS_REQ *a); +int TS_STATUS_INFO_set_status(TS_STATUS_INFO *a, int i); + int TS_REQ_set_msg_imprint(TS_REQ *a, TS_MSG_IMPRINT *msg_imprint); TS_MSG_IMPRINT *TS_REQ_get_msg_imprint(TS_REQ *a); @@ -487,31 +349,7 @@ typedef int (*TS_time_cb) (struct TS_resp_ctx *, void *, long *sec, typedef int (*TS_extension_cb) (struct TS_resp_ctx *, X509_EXTENSION *, void *); -typedef struct TS_resp_ctx { - X509 *signer_cert; - EVP_PKEY *signer_key; - STACK_OF(X509) *certs; /* Certs to include in signed data. */ - STACK_OF(ASN1_OBJECT) *policies; /* Acceptable policies. */ - ASN1_OBJECT *default_policy; /* It may appear in policies, too. */ - STACK_OF(EVP_MD) *mds; /* Acceptable message digests. */ - ASN1_INTEGER *seconds; /* accuracy, 0 means not specified. */ - ASN1_INTEGER *millis; /* accuracy, 0 means not specified. */ - ASN1_INTEGER *micros; /* accuracy, 0 means not specified. */ - unsigned clock_precision_digits; /* fraction of seconds in time stamp - * token. */ - unsigned flags; /* Optional info, see values above. */ - /* Callback functions. */ - TS_serial_cb serial_cb; - void *serial_cb_data; /* User data for serial_cb. */ - TS_time_cb time_cb; - void *time_cb_data; /* User data for time_cb. */ - TS_extension_cb extension_cb; - void *extension_cb_data; /* User data for extension_cb. */ - /* These members are used only while creating the response. */ - TS_REQ *request; - TS_RESP *response; - TS_TST_INFO *tst_info; -} TS_RESP_CTX; +typedef struct TS_resp_ctx TS_RESP_CTX; DECLARE_STACK_OF(EVP_MD) @@ -645,42 +483,25 @@ int TS_RESP_verify_signature(PKCS7 *token, STACK_OF(X509) *certs, | TS_VFY_SIGNER \ | TS_VFY_TSA_NAME) -typedef struct TS_verify_ctx { - /* Set this to the union of TS_VFY_... flags you want to carry out. */ - unsigned flags; - /* Must be set only with TS_VFY_SIGNATURE. certs is optional. */ - X509_STORE *store; - STACK_OF(X509) *certs; - /* Must be set only with TS_VFY_POLICY. */ - ASN1_OBJECT *policy; - /* - * Must be set only with TS_VFY_IMPRINT. If md_alg is NULL, the - * algorithm from the response is used. - */ - X509_ALGOR *md_alg; - unsigned char *imprint; - unsigned imprint_len; - /* Must be set only with TS_VFY_DATA. */ - BIO *data; - /* Must be set only with TS_VFY_TSA_NAME. */ - ASN1_INTEGER *nonce; - /* Must be set only with TS_VFY_TSA_NAME. */ - GENERAL_NAME *tsa_name; -} TS_VERIFY_CTX; +typedef struct TS_verify_ctx TS_VERIFY_CTX; int TS_RESP_verify_response(TS_VERIFY_CTX *ctx, TS_RESP *response); int TS_RESP_verify_token(TS_VERIFY_CTX *ctx, PKCS7 *token); /* * Declarations related to response verification context, - * they are defined in ts/ts_verify_ctx.c. */ - -/* Set all fields to zero. */ TS_VERIFY_CTX *TS_VERIFY_CTX_new(void); void TS_VERIFY_CTX_init(TS_VERIFY_CTX *ctx); void TS_VERIFY_CTX_free(TS_VERIFY_CTX *ctx); void TS_VERIFY_CTX_cleanup(TS_VERIFY_CTX *ctx); +int TS_VERIFY_CTX_set_flags(TS_VERIFY_CTX *ctx, int f); +int TS_VERIFY_CTX_add_flags(TS_VERIFY_CTX *ctx, int f); +BIO *TS_VERIFY_CTX_set_data(TS_VERIFY_CTX *ctx, BIO *b); +unsigned char *TS_VERIFY_CTX_set_imprint(TS_VERIFY_CTX *ctx, + unsigned char *hexstr, long len); +X509_STORE *TS_VERIFY_CTX_set_store(TS_VERIFY_CTX *ctx, X509_STORE *s); +STACK_OF(X509) *TS_VERIFY_CTS_set_certs(TS_VERIFY_CTX *ctx, STACK_OF(X509) *certs); /*- * If ctx is NULL, it allocates and returns a new object, otherwise diff --git a/util/libeay.num b/util/libeay.num index 612fff60c6..39c90207e5 100755 --- a/util/libeay.num +++ b/util/libeay.num @@ -4587,19 +4587,26 @@ CRYPTO_secure_free 4945 EXIST::FUNCTION: BIO_s_secmem 4946 EXIST::FUNCTION: CRYPTO_get_secure_mem_ex_functions 4947 EXIST::FUNCTION: CRYPTO_set_secure_mem_functions 4948 EXIST::FUNCTION: +TS_VERIFY_CTX_set_flags 4949 EXIST::FUNCTION: X509_STORE_CTX_get_num_untrusted 4949 EXIST::FUNCTION: +TS_STATUS_INFO_set_status 4950 EXIST::FUNCTION: X509_up_ref 4950 EXIST::FUNCTION: +TS_VERIFY_CTX_set_imprint 4951 EXIST::FUNCTION: X509_REQ_get_version 4951 EXIST::FUNCTION: +TS_VERIFY_CTS_set_certs 4952 EXIST::FUNCTION: X509_REQ_get_subject_name 4952 EXIST::FUNCTION: +TS_VERIFY_CTX_set_data 4953 EXIST::FUNCTION: X509_CRL_up_ref 4953 EXIST::FUNCTION: CRYPTO_zalloc 4954 EXIST::FUNCTION: -X509_get_extension_flags 4955 EXIST::FUNCTION: -X509_get_extended_key_usage 4956 EXIST::FUNCTION: -X509_get_key_usage 4957 EXIST::FUNCTION: -X509_CRL_get_issuer 4958 EXIST::FUNCTION: -X509_CRL_get_nextUpdate 4959 EXIST::FUNCTION: -X509_CRL_get0_signature 4960 EXIST::FUNCTION: -X509_CRL_get_REVOKED 4961 EXIST::FUNCTION: -X509_CRL_get_version 4962 EXIST::FUNCTION: -X509_CRL_get_lastUpdate 4963 EXIST::FUNCTION: +TS_VERIFY_CTX_set_store 4954 EXIST::FUNCTION: +X509_get_extension_flags 4954 EXIST::FUNCTION: +TS_VERIFY_CTX_add_flags 4955 EXIST::FUNCTION: +X509_get_extended_key_usage 4955 EXIST::FUNCTION: +X509_get_key_usage 4956 EXIST::FUNCTION: +X509_CRL_get_issuer 4957 EXIST::FUNCTION: +X509_CRL_get_nextUpdate 4958 EXIST::FUNCTION: +X509_CRL_get0_signature 4959 EXIST::FUNCTION: +X509_CRL_get_REVOKED 4960 EXIST::FUNCTION: +X509_CRL_get_version 4961 EXIST::FUNCTION: +X509_CRL_get_lastUpdate 4962 EXIST::FUNCTION: EVP_PBE_get 4964 EXIST::FUNCTION: -- 2.34.1