[thirdparty/openssl.git] / crypto / ocsp / ocsp_cl.c

/*
 * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <stdio.h>
#include <time.h>
#include "internal/cryptlib.h"
#include <openssl/asn1.h>
#include <openssl/objects.h>
#include <openssl/x509.h>
#include <openssl/pem.h>
#include <openssl/x509v3.h>
#include <openssl/ocsp.h>
#include "ocsp_local.h"

/*
 * Utility functions related to sending OCSP requests and extracting relevant
 * information from the response.
 */

/*
 * Add an OCSP_CERTID to an OCSP request. Return new OCSP_ONEREQ pointer:
 * useful if we want to add extensions.
 */

OCSP_ONEREQ *OCSP_request_add0_id(OCSP_REQUEST *req, OCSP_CERTID *cid)
{
    OCSP_ONEREQ *one = NULL;

    if ((one = OCSP_ONEREQ_new()) == NULL)
        return NULL;
    OCSP_CERTID_free(one->reqCert);
    one->reqCert = cid;
    if (req && !sk_OCSP_ONEREQ_push(req->tbsRequest.requestList, one)) {
        one->reqCert = NULL; /* do not free on error */
        goto err;
    }
    return one;
 err:
    OCSP_ONEREQ_free(one);
    return NULL;
}

/* Set requestorName from an X509_NAME structure */

int OCSP_request_set1_name(OCSP_REQUEST *req, const X509_NAME *nm)
{
    GENERAL_NAME *gen;

    gen = GENERAL_NAME_new();
    if (gen == NULL)
        return 0;
    if (!X509_NAME_set(&gen->d.directoryName, nm)) {
        GENERAL_NAME_free(gen);
        return 0;
    }
    gen->type = GEN_DIRNAME;
    GENERAL_NAME_free(req->tbsRequest.requestorName);
    req->tbsRequest.requestorName = gen;
    return 1;
}

/* Add a certificate to an OCSP request */

int OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert)
{
    OCSP_SIGNATURE *sig;
    if (req->optionalSignature == NULL)
        req->optionalSignature = OCSP_SIGNATURE_new();
    sig = req->optionalSignature;
    if (sig == NULL)
        return 0;
    if (cert == NULL)
        return 1;
    return X509_add_cert_new(&sig->certs, cert, X509_ADD_FLAG_UP_REF);
}

/*
 * Sign an OCSP request set the requestorName to the subject name of an
 * optional signers certificate and include one or more optional certificates
 * in the request. Behaves like PKCS7_sign().
 */

int OCSP_request_sign(OCSP_REQUEST *req,
                      X509 *signer,
                      EVP_PKEY *key,
                      const EVP_MD *dgst,
                      STACK_OF(X509) *certs, unsigned long flags)
{
    int i;
    X509 *x;

    if (!OCSP_request_set1_name(req, X509_get_subject_name(signer)))
        goto err;

    if ((req->optionalSignature = OCSP_SIGNATURE_new()) == NULL)
        goto err;
    if (key) {
        if (!X509_check_private_key(signer, key)) {
            OCSPerr(OCSP_F_OCSP_REQUEST_SIGN,
                    OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
            goto err;
        }
        if (!OCSP_REQUEST_sign(req, key, dgst))
            goto err;
    }

    if (!(flags & OCSP_NOCERTS)) {
        if (!OCSP_request_add1_cert(req, signer))
            goto err;
        for (i = 0; i < sk_X509_num(certs); i++) {
            x = sk_X509_value(certs, i);
            if (!OCSP_request_add1_cert(req, x))
                goto err;
        }
    }

    return 1;
 err:
    OCSP_SIGNATURE_free(req->optionalSignature);
    req->optionalSignature = NULL;
    return 0;
}

/* Get response status */

int OCSP_response_status(OCSP_RESPONSE *resp)
{
    return ASN1_ENUMERATED_get(resp->responseStatus);
}

/*
 * Extract basic response from OCSP_RESPONSE or NULL if no basic response
 * present.
 */

OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp)
{
    OCSP_RESPBYTES *rb;
    rb = resp->responseBytes;
    if (!rb) {
        OCSPerr(OCSP_F_OCSP_RESPONSE_GET1_BASIC, OCSP_R_NO_RESPONSE_DATA);
        return NULL;
    }
    if (OBJ_obj2nid(rb->responseType) != NID_id_pkix_OCSP_basic) {
        OCSPerr(OCSP_F_OCSP_RESPONSE_GET1_BASIC, OCSP_R_NOT_BASIC_RESPONSE);
        return NULL;
    }

    return ASN1_item_unpack(rb->response, ASN1_ITEM_rptr(OCSP_BASICRESP));
}

const ASN1_OCTET_STRING *OCSP_resp_get0_signature(const OCSP_BASICRESP *bs)
{
    return bs->signature;
}

const X509_ALGOR *OCSP_resp_get0_tbs_sigalg(const OCSP_BASICRESP *bs)
{
    return &bs->signatureAlgorithm;
}

const OCSP_RESPDATA *OCSP_resp_get0_respdata(const OCSP_BASICRESP *bs)
{
    return &bs->tbsResponseData;
}

/*
 * Return number of OCSP_SINGLERESP responses present in a basic response.
 */

int OCSP_resp_count(OCSP_BASICRESP *bs)
{
    if (!bs)
        return -1;
    return sk_OCSP_SINGLERESP_num(bs->tbsResponseData.responses);
}

/* Extract an OCSP_SINGLERESP response with a given index */

OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx)
{
    if (!bs)
        return NULL;
    return sk_OCSP_SINGLERESP_value(bs->tbsResponseData.responses, idx);
}

const ASN1_GENERALIZEDTIME *OCSP_resp_get0_produced_at(const OCSP_BASICRESP* bs)
{
    return bs->tbsResponseData.producedAt;
}

const STACK_OF(X509) *OCSP_resp_get0_certs(const OCSP_BASICRESP *bs)
{
    return bs->certs;
}

int OCSP_resp_get0_id(const OCSP_BASICRESP *bs,
                      const ASN1_OCTET_STRING **pid,
                      const X509_NAME **pname)
{
    const OCSP_RESPID *rid = &bs->tbsResponseData.responderId;

    if (rid->type == V_OCSP_RESPID_NAME) {
        *pname = rid->value.byName;
        *pid = NULL;
    } else if (rid->type == V_OCSP_RESPID_KEY) {
        *pid = rid->value.byKey;
        *pname = NULL;
    } else {
        return 0;
    }
    return 1;
}

int OCSP_resp_get1_id(const OCSP_BASICRESP *bs,
                      ASN1_OCTET_STRING **pid,
                      X509_NAME **pname)
{
    const OCSP_RESPID *rid = &bs->tbsResponseData.responderId;

    if (rid->type == V_OCSP_RESPID_NAME) {
        *pname = X509_NAME_dup(rid->value.byName);
        *pid = NULL;
    } else if (rid->type == V_OCSP_RESPID_KEY) {
        *pid = ASN1_OCTET_STRING_dup(rid->value.byKey);
        *pname = NULL;
    } else {
        return 0;
    }
    if (*pname == NULL && *pid == NULL)
        return 0;
    return 1;
}

/* Look single response matching a given certificate ID */

int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last)
{
    int i;
    STACK_OF(OCSP_SINGLERESP) *sresp;
    OCSP_SINGLERESP *single;
    if (!bs)
        return -1;
    if (last < 0)
        last = 0;
    else
        last++;
    sresp = bs->tbsResponseData.responses;
    for (i = last; i < sk_OCSP_SINGLERESP_num(sresp); i++) {
        single = sk_OCSP_SINGLERESP_value(sresp, i);
        if (!OCSP_id_cmp(id, single->certId))
            return i;
    }
    return -1;
}

/*
 * Extract status information from an OCSP_SINGLERESP structure. Note: the
 * revtime and reason values are only set if the certificate status is
 * revoked. Returns numerical value of status.
 */

int OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason,
                            ASN1_GENERALIZEDTIME **revtime,
                            ASN1_GENERALIZEDTIME **thisupd,
                            ASN1_GENERALIZEDTIME **nextupd)
{
    int ret;
    OCSP_CERTSTATUS *cst;
    if (!single)
        return -1;
    cst = single->certStatus;
    ret = cst->type;
    if (ret == V_OCSP_CERTSTATUS_REVOKED) {
        OCSP_REVOKEDINFO *rev = cst->value.revoked;
        if (revtime)
            *revtime = rev->revocationTime;
        if (reason) {
            if (rev->revocationReason)
                *reason = ASN1_ENUMERATED_get(rev->revocationReason);
            else
                *reason = -1;
        }
    }
    if (thisupd)
        *thisupd = single->thisUpdate;
    if (nextupd)
        *nextupd = single->nextUpdate;
    return ret;
}

/*
 * This function combines the previous ones: look up a certificate ID and if
 * found extract status information. Return 0 is successful.
 */

int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
                          int *reason,
                          ASN1_GENERALIZEDTIME **revtime,
                          ASN1_GENERALIZEDTIME **thisupd,
                          ASN1_GENERALIZEDTIME **nextupd)
{
    int i;
    OCSP_SINGLERESP *single;
    i = OCSP_resp_find(bs, id, -1);
    /* Maybe check for multiple responses and give an error? */
    if (i < 0)
        return 0;
    single = OCSP_resp_get0(bs, i);
    i = OCSP_single_get0_status(single, reason, revtime, thisupd, nextupd);
    if (status)
        *status = i;
    return 1;
}

/*
 * Check validity of thisUpdate and nextUpdate fields. It is possible that
 * the request will take a few seconds to process and/or the time won't be
 * totally accurate. Therefore to avoid rejecting otherwise valid time we
 * allow the times to be within 'nsec' of the current time. Also to avoid
 * accepting very old responses without a nextUpdate field an optional maxage
 * parameter specifies the maximum age the thisUpdate field can be.
 */

int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
                        ASN1_GENERALIZEDTIME *nextupd, long nsec, long maxsec)
{
    int ret = 1;
    time_t t_now, t_tmp;
    time(&t_now);
    /* Check thisUpdate is valid and not more than nsec in the future */
    if (!ASN1_GENERALIZEDTIME_check(thisupd)) {
        OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_ERROR_IN_THISUPDATE_FIELD);
        ret = 0;
    } else {
        t_tmp = t_now + nsec;
        if (X509_cmp_time(thisupd, &t_tmp) > 0) {
            OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_STATUS_NOT_YET_VALID);
            ret = 0;
        }

        /*
         * If maxsec specified check thisUpdate is not more than maxsec in
         * the past
         */
        if (maxsec >= 0) {
            t_tmp = t_now - maxsec;
            if (X509_cmp_time(thisupd, &t_tmp) < 0) {
                OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_STATUS_TOO_OLD);
                ret = 0;
            }
        }
    }

    if (!nextupd)
        return ret;

    /* Check nextUpdate is valid and not more than nsec in the past */
    if (!ASN1_GENERALIZEDTIME_check(nextupd)) {
        OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_ERROR_IN_NEXTUPDATE_FIELD);
        ret = 0;
    } else {
        t_tmp = t_now - nsec;
        if (X509_cmp_time(nextupd, &t_tmp) < 0) {
            OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_STATUS_EXPIRED);
            ret = 0;
        }
    }

    /* Also don't allow nextUpdate to precede thisUpdate */
    if (ASN1_STRING_cmp(nextupd, thisupd) < 0) {
        OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
                OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE);
        ret = 0;
    }

    return ret;
}

const OCSP_CERTID *OCSP_SINGLERESP_get0_id(const OCSP_SINGLERESP *single)
{
    return single->certId;
}
Commit	Line	Data
0f113f3e	1	/*
33388b44	2	* Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
0b33bc65	3	*
0c496700	4	* Licensed under the Apache License 2.0 (the "License"). You may not use
b1322259 RS	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
0b33bc65 DSH	8	*/
	9
	10	#include <stdio.h>
f1965221	11	#include <time.h>
b39fc560	12	#include "internal/cryptlib.h"
db17e43d	13	#include <openssl/asn1.h>
0b33bc65	14	#include <openssl/objects.h>
0b33bc65 DSH	15	#include <openssl/x509.h>
	16	#include <openssl/pem.h>
	17	#include <openssl/x509v3.h>
	18	#include <openssl/ocsp.h>
706457b7	19	#include "ocsp_local.h"
0b33bc65	20
0f113f3e MC	21	/*
	22	* Utility functions related to sending OCSP requests and extracting relevant
	23	* information from the response.
0b33bc65 DSH	24	*/
0b33bc65 DSH	25
0f113f3e MC	26	/*
	27	* Add an OCSP_CERTID to an OCSP request. Return new OCSP_ONEREQ pointer:
	28	* useful if we want to add extensions.
0b33bc65 DSH	29	*/
	30
	31	OCSP_ONEREQ OCSP_request_add0_id(OCSP_REQUEST req, OCSP_CERTID *cid)
0f113f3e MC	32	{
	33	OCSP_ONEREQ *one = NULL;
	34
75ebbd9a	35	if ((one = OCSP_ONEREQ_new()) == NULL)
68efafc5	36	return NULL;
25aaa98a	37	OCSP_CERTID_free(one->reqCert);
0f113f3e	38	one->reqCert = cid;
415e7c48 TS	39	if (req && !sk_OCSP_ONEREQ_push(req->tbsRequest.requestList, one)) {
415e7c48 TS	40	one->reqCert = NULL; /* do not free on error */
0f113f3e	41	goto err;
415e7c48	42	}
0f113f3e MC	43	return one;
	44	err:
	45	OCSP_ONEREQ_free(one);
	46	return NULL;
	47	}
0b33bc65 DSH	48
	49	/* Set requestorName from an X509_NAME structure */
	50
8cc86b81	51	int OCSP_request_set1_name(OCSP_REQUEST req, const X509_NAME nm)
0f113f3e MC	52	{
0f113f3e MC	53	GENERAL_NAME *gen;
25aaa98a	54
0f113f3e MC	55	gen = GENERAL_NAME_new();
	56	if (gen == NULL)
	57	return 0;
	58	if (!X509_NAME_set(&gen->d.directoryName, nm)) {
	59	GENERAL_NAME_free(gen);
	60	return 0;
	61	}
	62	gen->type = GEN_DIRNAME;
a332635e DSH	63	GENERAL_NAME_free(req->tbsRequest.requestorName);
a332635e DSH	64	req->tbsRequest.requestorName = gen;
0f113f3e MC	65	return 1;
0f113f3e MC	66	}
0b33bc65 DSH	67
	68	/* Add a certificate to an OCSP request */
	69
	70	int OCSP_request_add1_cert(OCSP_REQUEST req, X509 cert)
0f113f3e MC	71	{
0f113f3e MC	72	OCSP_SIGNATURE *sig;
90945fa3	73	if (req->optionalSignature == NULL)
0f113f3e MC	74	req->optionalSignature = OCSP_SIGNATURE_new();
0f113f3e MC	75	sig = req->optionalSignature;
90945fa3	76	if (sig == NULL)
0f113f3e	77	return 0;
90945fa3	78	if (cert == NULL)
0f113f3e	79	return 1;
eeccc237	80	return X509_add_cert_new(&sig->certs, cert, X509_ADD_FLAG_UP_REF);
0f113f3e MC	81	}
	82
	83	/*
0d4fb843	84	* Sign an OCSP request set the requestorName to the subject name of an
0f113f3e MC	85	* optional signers certificate and include one or more optional certificates
0f113f3e MC	86	* in the request. Behaves like PKCS7_sign().
0b33bc65 DSH	87	*/
0b33bc65 DSH	88
0f113f3e MC	89	int OCSP_request_sign(OCSP_REQUEST *req,
	90	X509 *signer,
	91	EVP_PKEY *key,
	92	const EVP_MD *dgst,
	93	STACK_OF(X509) *certs, unsigned long flags)
	94	{
	95	int i;
	96	X509 *x;
	97
	98	if (!OCSP_request_set1_name(req, X509_get_subject_name(signer)))
	99	goto err;
	100
75ebbd9a	101	if ((req->optionalSignature = OCSP_SIGNATURE_new()) == NULL)
0f113f3e MC	102	goto err;
	103	if (key) {
	104	if (!X509_check_private_key(signer, key)) {
	105	OCSPerr(OCSP_F_OCSP_REQUEST_SIGN,
	106	OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
	107	goto err;
	108	}
	109	if (!OCSP_REQUEST_sign(req, key, dgst))
	110	goto err;
	111	}
	112
	113	if (!(flags & OCSP_NOCERTS)) {
	114	if (!OCSP_request_add1_cert(req, signer))
	115	goto err;
	116	for (i = 0; i < sk_X509_num(certs); i++) {
	117	x = sk_X509_value(certs, i);
	118	if (!OCSP_request_add1_cert(req, x))
	119	goto err;
	120	}
	121	}
	122
	123	return 1;
	124	err:
	125	OCSP_SIGNATURE_free(req->optionalSignature);
	126	req->optionalSignature = NULL;
	127	return 0;
	128	}
0b33bc65 DSH	129
	130	/* Get response status */
	131
	132	int OCSP_response_status(OCSP_RESPONSE *resp)
0f113f3e MC	133	{
	134	return ASN1_ENUMERATED_get(resp->responseStatus);
	135	}
0b33bc65	136
0f113f3e MC	137	/*
	138	* Extract basic response from OCSP_RESPONSE or NULL if no basic response
	139	* present.
0b33bc65	140	*/
0b33bc65 DSH	141
0b33bc65 DSH	142	OCSP_BASICRESP OCSP_response_get1_basic(OCSP_RESPONSE resp)
0f113f3e MC	143	{
	144	OCSP_RESPBYTES *rb;
	145	rb = resp->responseBytes;
	146	if (!rb) {
	147	OCSPerr(OCSP_F_OCSP_RESPONSE_GET1_BASIC, OCSP_R_NO_RESPONSE_DATA);
	148	return NULL;
	149	}
	150	if (OBJ_obj2nid(rb->responseType) != NID_id_pkix_OCSP_basic) {
	151	OCSPerr(OCSP_F_OCSP_RESPONSE_GET1_BASIC, OCSP_R_NOT_BASIC_RESPONSE);
	152	return NULL;
	153	}
	154
	155	return ASN1_item_unpack(rb->response, ASN1_ITEM_rptr(OCSP_BASICRESP));
	156	}
	157
79613ea8	158	const ASN1_OCTET_STRING OCSP_resp_get0_signature(const OCSP_BASICRESP bs)
6ef869d7 DSH	159	{
	160	return bs->signature;
	161	}
	162
20c36721 PK	163	const X509_ALGOR OCSP_resp_get0_tbs_sigalg(const OCSP_BASICRESP bs)
	164	{
	165	return &bs->signatureAlgorithm;
	166	}
	167
	168	const OCSP_RESPDATA OCSP_resp_get0_respdata(const OCSP_BASICRESP bs)
	169	{
	170	return &bs->tbsResponseData;
	171	}
	172
0f113f3e	173	/*
0d4fb843	174	* Return number of OCSP_SINGLERESP responses present in a basic response.
0b33bc65 DSH	175	*/
	176
	177	int OCSP_resp_count(OCSP_BASICRESP *bs)
0f113f3e MC	178	{
	179	if (!bs)
	180	return -1;
a332635e	181	return sk_OCSP_SINGLERESP_num(bs->tbsResponseData.responses);
0f113f3e	182	}
0b33bc65 DSH	183
	184	/* Extract an OCSP_SINGLERESP response with a given index */
	185
	186	OCSP_SINGLERESP OCSP_resp_get0(OCSP_BASICRESP bs, int idx)
0f113f3e MC	187	{
	188	if (!bs)
	189	return NULL;
a332635e	190	return sk_OCSP_SINGLERESP_value(bs->tbsResponseData.responses, idx);
0f113f3e	191	}
0b33bc65	192
79613ea8	193	const ASN1_GENERALIZEDTIME OCSP_resp_get0_produced_at(const OCSP_BASICRESP bs)
9e5cd4ba	194	{
9e5cd4ba RS	195	return bs->tbsResponseData.producedAt;
	196	}
	197
02fb7cfe DSH	198	const STACK_OF(X509) OCSP_resp_get0_certs(const OCSP_BASICRESP bs)
	199	{
	200	return bs->certs;
	201	}
	202
	203	int OCSP_resp_get0_id(const OCSP_BASICRESP *bs,
	204	const ASN1_OCTET_STRING **pid,
	205	const X509_NAME **pname)
02fb7cfe DSH	206	{
02fb7cfe DSH	207	const OCSP_RESPID *rid = &bs->tbsResponseData.responderId;
db17e43d	208
02fb7cfe DSH	209	if (rid->type == V_OCSP_RESPID_NAME) {
	210	*pname = rid->value.byName;
	211	*pid = NULL;
	212	} else if (rid->type == V_OCSP_RESPID_KEY) {
	213	*pid = rid->value.byKey;
	214	*pname = NULL;
	215	} else {
	216	return 0;
	217	}
	218	return 1;
	219	}
	220
db17e43d SS	221	int OCSP_resp_get1_id(const OCSP_BASICRESP *bs,
	222	ASN1_OCTET_STRING **pid,
	223	X509_NAME **pname)
	224	{
	225	const OCSP_RESPID *rid = &bs->tbsResponseData.responderId;
	226
	227	if (rid->type == V_OCSP_RESPID_NAME) {
	228	*pname = X509_NAME_dup(rid->value.byName);
	229	*pid = NULL;
	230	} else if (rid->type == V_OCSP_RESPID_KEY) {
	231	*pid = ASN1_OCTET_STRING_dup(rid->value.byKey);
	232	*pname = NULL;
	233	} else {
	234	return 0;
	235	}
c91ec013	236	if (pname == NULL && pid == NULL)
db17e43d SS	237	return 0;
	238	return 1;
	239	}
	240
0b33bc65 DSH	241	/* Look single response matching a given certificate ID */
	242
	243	int OCSP_resp_find(OCSP_BASICRESP bs, OCSP_CERTID id, int last)
0f113f3e MC	244	{
	245	int i;
	246	STACK_OF(OCSP_SINGLERESP) *sresp;
	247	OCSP_SINGLERESP *single;
	248	if (!bs)
	249	return -1;
	250	if (last < 0)
	251	last = 0;
	252	else
	253	last++;
a332635e	254	sresp = bs->tbsResponseData.responses;
0f113f3e MC	255	for (i = last; i < sk_OCSP_SINGLERESP_num(sresp); i++) {
	256	single = sk_OCSP_SINGLERESP_value(sresp, i);
	257	if (!OCSP_id_cmp(id, single->certId))
	258	return i;
	259	}
	260	return -1;
	261	}
	262
	263	/*
	264	* Extract status information from an OCSP_SINGLERESP structure. Note: the
	265	* revtime and reason values are only set if the certificate status is
	266	* revoked. Returns numerical value of status.
0b33bc65 DSH	267	*/
	268
	269	int OCSP_single_get0_status(OCSP_SINGLERESP single, int reason,
0f113f3e MC	270	ASN1_GENERALIZEDTIME **revtime,
	271	ASN1_GENERALIZEDTIME **thisupd,
	272	ASN1_GENERALIZEDTIME **nextupd)
	273	{
	274	int ret;
	275	OCSP_CERTSTATUS *cst;
	276	if (!single)
	277	return -1;
	278	cst = single->certStatus;
	279	ret = cst->type;
	280	if (ret == V_OCSP_CERTSTATUS_REVOKED) {
	281	OCSP_REVOKEDINFO *rev = cst->value.revoked;
	282	if (revtime)
	283	*revtime = rev->revocationTime;
	284	if (reason) {
	285	if (rev->revocationReason)
	286	*reason = ASN1_ENUMERATED_get(rev->revocationReason);
	287	else
	288	*reason = -1;
	289	}
	290	}
	291	if (thisupd)
	292	*thisupd = single->thisUpdate;
	293	if (nextupd)
	294	*nextupd = single->nextUpdate;
	295	return ret;
	296	}
	297
	298	/*
	299	* This function combines the previous ones: look up a certificate ID and if
	300	* found extract status information. Return 0 is successful.
0b33bc65 DSH	301	*/
	302
	303	int OCSP_resp_find_status(OCSP_BASICRESP bs, OCSP_CERTID id, int *status,
0f113f3e MC	304	int *reason,
	305	ASN1_GENERALIZEDTIME **revtime,
	306	ASN1_GENERALIZEDTIME **thisupd,
	307	ASN1_GENERALIZEDTIME **nextupd)
	308	{
	309	int i;
	310	OCSP_SINGLERESP *single;
	311	i = OCSP_resp_find(bs, id, -1);
	312	/* Maybe check for multiple responses and give an error? */
	313	if (i < 0)
	314	return 0;
	315	single = OCSP_resp_get0(bs, i);
	316	i = OCSP_single_get0_status(single, reason, revtime, thisupd, nextupd);
	317	if (status)
	318	*status = i;
	319	return 1;
	320	}
	321
	322	/*
	323	* Check validity of thisUpdate and nextUpdate fields. It is possible that
60250017	324	* the request will take a few seconds to process and/or the time won't be
0f113f3e MC	325	* totally accurate. Therefore to avoid rejecting otherwise valid time we
	326	* allow the times to be within 'nsec' of the current time. Also to avoid
	327	* accepting very old responses without a nextUpdate field an optional maxage
f1965221 DSH	328	* parameter specifies the maximum age the thisUpdate field can be.
	329	*/
	330
0f113f3e MC	331	int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
	332	ASN1_GENERALIZEDTIME *nextupd, long nsec, long maxsec)
	333	{
	334	int ret = 1;
	335	time_t t_now, t_tmp;
	336	time(&t_now);
	337	/* Check thisUpdate is valid and not more than nsec in the future */
	338	if (!ASN1_GENERALIZEDTIME_check(thisupd)) {
	339	OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_ERROR_IN_THISUPDATE_FIELD);
	340	ret = 0;
	341	} else {
	342	t_tmp = t_now + nsec;
	343	if (X509_cmp_time(thisupd, &t_tmp) > 0) {
	344	OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_STATUS_NOT_YET_VALID);
	345	ret = 0;
	346	}
	347
	348	/*
	349	* If maxsec specified check thisUpdate is not more than maxsec in
	350	* the past
	351	*/
	352	if (maxsec >= 0) {
	353	t_tmp = t_now - maxsec;
	354	if (X509_cmp_time(thisupd, &t_tmp) < 0) {
	355	OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_STATUS_TOO_OLD);
	356	ret = 0;
	357	}
	358	}
	359	}
	360
	361	if (!nextupd)
	362	return ret;
	363
	364	/* Check nextUpdate is valid and not more than nsec in the past */
	365	if (!ASN1_GENERALIZEDTIME_check(nextupd)) {
	366	OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_ERROR_IN_NEXTUPDATE_FIELD);
	367	ret = 0;
	368	} else {
	369	t_tmp = t_now - nsec;
	370	if (X509_cmp_time(nextupd, &t_tmp) < 0) {
	371	OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_STATUS_EXPIRED);
	372	ret = 0;
	373	}
	374	}
	375
	376	/* Also don't allow nextUpdate to precede thisUpdate */
	377	if (ASN1_STRING_cmp(nextupd, thisupd) < 0) {
	378	OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
	379	OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE);
	380	ret = 0;
	381	}
	382
	383	return ret;
	384	}
9e5cd4ba	385
79613ea8	386	const OCSP_CERTID OCSP_SINGLERESP_get0_id(const OCSP_SINGLERESP single)
9e5cd4ba RS	387	{
	388	return single->certId;
	389	}