[thirdparty/openssl.git] / crypto / ocsp / ocsp_cl.c

/*
 * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <stdio.h>
#include <time.h>
#include "internal/cryptlib.h"
#include <openssl/objects.h>
#include <openssl/x509.h>
#include <openssl/pem.h>
#include <openssl/x509v3.h>
#include <openssl/ocsp.h>
#include "ocsp_lcl.h"

/*
 * Utility functions related to sending OCSP requests and extracting relevant
 * information from the response.
 */

/*
 * Add an OCSP_CERTID to an OCSP request. Return new OCSP_ONEREQ pointer:
 * useful if we want to add extensions.
 */

OCSP_ONEREQ *OCSP_request_add0_id(OCSP_REQUEST *req, OCSP_CERTID *cid)
{
    OCSP_ONEREQ *one = NULL;

    if ((one = OCSP_ONEREQ_new()) == NULL)
        return NULL;
    OCSP_CERTID_free(one->reqCert);
    one->reqCert = cid;
    if (req && !sk_OCSP_ONEREQ_push(req->tbsRequest.requestList, one)) {
        one->reqCert = NULL; /* do not free on error */
        goto err;
    }
    return one;
 err:
    OCSP_ONEREQ_free(one);
    return NULL;
}

/* Set requestorName from an X509_NAME structure */

int OCSP_request_set1_name(OCSP_REQUEST *req, X509_NAME *nm)
{
    GENERAL_NAME *gen;

    gen = GENERAL_NAME_new();
    if (gen == NULL)
        return 0;
    if (!X509_NAME_set(&gen->d.directoryName, nm)) {
        GENERAL_NAME_free(gen);
        return 0;
    }
    gen->type = GEN_DIRNAME;
    GENERAL_NAME_free(req->tbsRequest.requestorName);
    req->tbsRequest.requestorName = gen;
    return 1;
}

/* Add a certificate to an OCSP request */

int OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert)
{
    OCSP_SIGNATURE *sig;
    if (req->optionalSignature == NULL)
        req->optionalSignature = OCSP_SIGNATURE_new();
    sig = req->optionalSignature;
    if (sig == NULL)
        return 0;
    if (cert == NULL)
        return 1;
    if (sig->certs == NULL
        && (sig->certs = sk_X509_new_null()) == NULL)
        return 0;

    if (!sk_X509_push(sig->certs, cert))
        return 0;
    X509_up_ref(cert);
    return 1;
}

/*
 * Sign an OCSP request set the requestorName to the subject name of an
 * optional signers certificate and include one or more optional certificates
 * in the request. Behaves like PKCS7_sign().
 */

int OCSP_request_sign(OCSP_REQUEST *req,
                      X509 *signer,
                      EVP_PKEY *key,
                      const EVP_MD *dgst,
                      STACK_OF(X509) *certs, unsigned long flags)
{
    int i;
    X509 *x;

    if (!OCSP_request_set1_name(req, X509_get_subject_name(signer)))
        goto err;

    if ((req->optionalSignature = OCSP_SIGNATURE_new()) == NULL)
        goto err;
    if (key) {
        if (!X509_check_private_key(signer, key)) {
            OCSPerr(OCSP_F_OCSP_REQUEST_SIGN,
                    OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
            goto err;
        }
        if (!OCSP_REQUEST_sign(req, key, dgst))
            goto err;
    }

    if (!(flags & OCSP_NOCERTS)) {
        if (!OCSP_request_add1_cert(req, signer))
            goto err;
        for (i = 0; i < sk_X509_num(certs); i++) {
            x = sk_X509_value(certs, i);
            if (!OCSP_request_add1_cert(req, x))
                goto err;
        }
    }

    return 1;
 err:
    OCSP_SIGNATURE_free(req->optionalSignature);
    req->optionalSignature = NULL;
    return 0;
}

/* Get response status */

int OCSP_response_status(OCSP_RESPONSE *resp)
{
    return ASN1_ENUMERATED_get(resp->responseStatus);
}

/*
 * Extract basic response from OCSP_RESPONSE or NULL if no basic response
 * present.
 */

OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp)
{
    OCSP_RESPBYTES *rb;
    rb = resp->responseBytes;
    if (!rb) {
        OCSPerr(OCSP_F_OCSP_RESPONSE_GET1_BASIC, OCSP_R_NO_RESPONSE_DATA);
        return NULL;
    }
    if (OBJ_obj2nid(rb->responseType) != NID_id_pkix_OCSP_basic) {
        OCSPerr(OCSP_F_OCSP_RESPONSE_GET1_BASIC, OCSP_R_NOT_BASIC_RESPONSE);
        return NULL;
    }

    return ASN1_item_unpack(rb->response, ASN1_ITEM_rptr(OCSP_BASICRESP));
}

ASN1_OCTET_STRING *OCSP_resp_get0_signature(OCSP_BASICRESP *bs)
{
    return bs->signature;
}

/*
 * Return number of OCSP_SINGLERESP responses present in a basic response.
 */

int OCSP_resp_count(OCSP_BASICRESP *bs)
{
    if (!bs)
        return -1;
    return sk_OCSP_SINGLERESP_num(bs->tbsResponseData.responses);
}

/* Extract an OCSP_SINGLERESP response with a given index */

OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx)
{
    if (!bs)
        return NULL;
    return sk_OCSP_SINGLERESP_value(bs->tbsResponseData.responses, idx);
}

ASN1_GENERALIZEDTIME *OCSP_resp_get0_produced_at(OCSP_BASICRESP* bs)
{
    if (!bs)
        return NULL;
    return bs->tbsResponseData.producedAt;
}

const STACK_OF(X509) *OCSP_resp_get0_certs(const OCSP_BASICRESP *bs)
{
    return bs->certs;
}

int OCSP_resp_get0_id(const OCSP_BASICRESP *bs,
                      const ASN1_OCTET_STRING **pid,
                      const X509_NAME **pname)

{
    const OCSP_RESPID *rid = &bs->tbsResponseData.responderId;
    if (rid->type == V_OCSP_RESPID_NAME) {
        *pname = rid->value.byName;
        *pid = NULL;
    } else if (rid->type == V_OCSP_RESPID_KEY) {
        *pid = rid->value.byKey;
        *pname = NULL;
    } else {
        return 0;
    }
    return 1;
}

/* Look single response matching a given certificate ID */

int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last)
{
    int i;
    STACK_OF(OCSP_SINGLERESP) *sresp;
    OCSP_SINGLERESP *single;
    if (!bs)
        return -1;
    if (last < 0)
        last = 0;
    else
        last++;
    sresp = bs->tbsResponseData.responses;
    for (i = last; i < sk_OCSP_SINGLERESP_num(sresp); i++) {
        single = sk_OCSP_SINGLERESP_value(sresp, i);
        if (!OCSP_id_cmp(id, single->certId))
            return i;
    }
    return -1;
}

/*
 * Extract status information from an OCSP_SINGLERESP structure. Note: the
 * revtime and reason values are only set if the certificate status is
 * revoked. Returns numerical value of status.
 */

int OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason,
                            ASN1_GENERALIZEDTIME **revtime,
                            ASN1_GENERALIZEDTIME **thisupd,
                            ASN1_GENERALIZEDTIME **nextupd)
{
    int ret;
    OCSP_CERTSTATUS *cst;
    if (!single)
        return -1;
    cst = single->certStatus;
    ret = cst->type;
    if (ret == V_OCSP_CERTSTATUS_REVOKED) {
        OCSP_REVOKEDINFO *rev = cst->value.revoked;
        if (revtime)
            *revtime = rev->revocationTime;
        if (reason) {
            if (rev->revocationReason)
                *reason = ASN1_ENUMERATED_get(rev->revocationReason);
            else
                *reason = -1;
        }
    }
    if (thisupd)
        *thisupd = single->thisUpdate;
    if (nextupd)
        *nextupd = single->nextUpdate;
    return ret;
}

/*
 * This function combines the previous ones: look up a certificate ID and if
 * found extract status information. Return 0 is successful.
 */

int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
                          int *reason,
                          ASN1_GENERALIZEDTIME **revtime,
                          ASN1_GENERALIZEDTIME **thisupd,
                          ASN1_GENERALIZEDTIME **nextupd)
{
    int i;
    OCSP_SINGLERESP *single;
    i = OCSP_resp_find(bs, id, -1);
    /* Maybe check for multiple responses and give an error? */
    if (i < 0)
        return 0;
    single = OCSP_resp_get0(bs, i);
    i = OCSP_single_get0_status(single, reason, revtime, thisupd, nextupd);
    if (status)
        *status = i;
    return 1;
}

/*
 * Check validity of thisUpdate and nextUpdate fields. It is possible that
 * the request will take a few seconds to process and/or the time wont be
 * totally accurate. Therefore to avoid rejecting otherwise valid time we
 * allow the times to be within 'nsec' of the current time. Also to avoid
 * accepting very old responses without a nextUpdate field an optional maxage
 * parameter specifies the maximum age the thisUpdate field can be.
 */

int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
                        ASN1_GENERALIZEDTIME *nextupd, long nsec, long maxsec)
{
    int ret = 1;
    time_t t_now, t_tmp;
    time(&t_now);
    /* Check thisUpdate is valid and not more than nsec in the future */
    if (!ASN1_GENERALIZEDTIME_check(thisupd)) {
        OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_ERROR_IN_THISUPDATE_FIELD);
        ret = 0;
    } else {
        t_tmp = t_now + nsec;
        if (X509_cmp_time(thisupd, &t_tmp) > 0) {
            OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_STATUS_NOT_YET_VALID);
            ret = 0;
        }

        /*
         * If maxsec specified check thisUpdate is not more than maxsec in
         * the past
         */
        if (maxsec >= 0) {
            t_tmp = t_now - maxsec;
            if (X509_cmp_time(thisupd, &t_tmp) < 0) {
                OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_STATUS_TOO_OLD);
                ret = 0;
            }
        }
    }

    if (!nextupd)
        return ret;

    /* Check nextUpdate is valid and not more than nsec in the past */
    if (!ASN1_GENERALIZEDTIME_check(nextupd)) {
        OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_ERROR_IN_NEXTUPDATE_FIELD);
        ret = 0;
    } else {
        t_tmp = t_now - nsec;
        if (X509_cmp_time(nextupd, &t_tmp) < 0) {
            OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_STATUS_EXPIRED);
            ret = 0;
        }
    }

    /* Also don't allow nextUpdate to precede thisUpdate */
    if (ASN1_STRING_cmp(nextupd, thisupd) < 0) {
        OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
                OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE);
        ret = 0;
    }

    return ret;
}

OCSP_CERTID *OCSP_SINGLERESP_get0_id(OCSP_SINGLERESP *single)
{
    return single->certId;
}
Commit	Line	Data
0f113f3e	1	/*
b1322259	2	* Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.
0b33bc65	3	*
b1322259 RS	4	* Licensed under the OpenSSL license (the "License"). You may not use
	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
0b33bc65 DSH	8	*/
	9
	10	#include <stdio.h>
f1965221	11	#include <time.h>
b39fc560	12	#include "internal/cryptlib.h"
0b33bc65	13	#include <openssl/objects.h>
0b33bc65 DSH	14	#include <openssl/x509.h>
	15	#include <openssl/pem.h>
	16	#include <openssl/x509v3.h>
	17	#include <openssl/ocsp.h>
6ef869d7	18	#include "ocsp_lcl.h"
0b33bc65	19
0f113f3e MC	20	/*
	21	* Utility functions related to sending OCSP requests and extracting relevant
	22	* information from the response.
0b33bc65 DSH	23	*/
0b33bc65 DSH	24
0f113f3e MC	25	/*
	26	* Add an OCSP_CERTID to an OCSP request. Return new OCSP_ONEREQ pointer:
	27	* useful if we want to add extensions.
0b33bc65 DSH	28	*/
	29
	30	OCSP_ONEREQ OCSP_request_add0_id(OCSP_REQUEST req, OCSP_CERTID *cid)
0f113f3e MC	31	{
	32	OCSP_ONEREQ *one = NULL;
	33
75ebbd9a	34	if ((one = OCSP_ONEREQ_new()) == NULL)
68efafc5	35	return NULL;
25aaa98a	36	OCSP_CERTID_free(one->reqCert);
0f113f3e	37	one->reqCert = cid;
415e7c48 TS	38	if (req && !sk_OCSP_ONEREQ_push(req->tbsRequest.requestList, one)) {
415e7c48 TS	39	one->reqCert = NULL; /* do not free on error */
0f113f3e	40	goto err;
415e7c48	41	}
0f113f3e MC	42	return one;
	43	err:
	44	OCSP_ONEREQ_free(one);
	45	return NULL;
	46	}
0b33bc65 DSH	47
	48	/* Set requestorName from an X509_NAME structure */
	49
	50	int OCSP_request_set1_name(OCSP_REQUEST req, X509_NAME nm)
0f113f3e MC	51	{
0f113f3e MC	52	GENERAL_NAME *gen;
25aaa98a	53
0f113f3e MC	54	gen = GENERAL_NAME_new();
	55	if (gen == NULL)
	56	return 0;
	57	if (!X509_NAME_set(&gen->d.directoryName, nm)) {
	58	GENERAL_NAME_free(gen);
	59	return 0;
	60	}
	61	gen->type = GEN_DIRNAME;
a332635e DSH	62	GENERAL_NAME_free(req->tbsRequest.requestorName);
a332635e DSH	63	req->tbsRequest.requestorName = gen;
0f113f3e MC	64	return 1;
0f113f3e MC	65	}
0b33bc65 DSH	66
	67	/* Add a certificate to an OCSP request */
	68
	69	int OCSP_request_add1_cert(OCSP_REQUEST req, X509 cert)
0f113f3e MC	70	{
0f113f3e MC	71	OCSP_SIGNATURE *sig;
90945fa3	72	if (req->optionalSignature == NULL)
0f113f3e MC	73	req->optionalSignature = OCSP_SIGNATURE_new();
0f113f3e MC	74	sig = req->optionalSignature;
90945fa3	75	if (sig == NULL)
0f113f3e	76	return 0;
90945fa3	77	if (cert == NULL)
0f113f3e	78	return 1;
75ebbd9a RS	79	if (sig->certs == NULL
75ebbd9a RS	80	&& (sig->certs = sk_X509_new_null()) == NULL)
0f113f3e MC	81	return 0;
	82
	83	if (!sk_X509_push(sig->certs, cert))
	84	return 0;
05f0fb9f	85	X509_up_ref(cert);
0f113f3e MC	86	return 1;
	87	}
	88
	89	/*
0d4fb843	90	* Sign an OCSP request set the requestorName to the subject name of an
0f113f3e MC	91	* optional signers certificate and include one or more optional certificates
0f113f3e MC	92	* in the request. Behaves like PKCS7_sign().
0b33bc65 DSH	93	*/
0b33bc65 DSH	94
0f113f3e MC	95	int OCSP_request_sign(OCSP_REQUEST *req,
	96	X509 *signer,
	97	EVP_PKEY *key,
	98	const EVP_MD *dgst,
	99	STACK_OF(X509) *certs, unsigned long flags)
	100	{
	101	int i;
	102	X509 *x;
	103
	104	if (!OCSP_request_set1_name(req, X509_get_subject_name(signer)))
	105	goto err;
	106
75ebbd9a	107	if ((req->optionalSignature = OCSP_SIGNATURE_new()) == NULL)
0f113f3e MC	108	goto err;
	109	if (key) {
	110	if (!X509_check_private_key(signer, key)) {
	111	OCSPerr(OCSP_F_OCSP_REQUEST_SIGN,
	112	OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
	113	goto err;
	114	}
	115	if (!OCSP_REQUEST_sign(req, key, dgst))
	116	goto err;
	117	}
	118
	119	if (!(flags & OCSP_NOCERTS)) {
	120	if (!OCSP_request_add1_cert(req, signer))
	121	goto err;
	122	for (i = 0; i < sk_X509_num(certs); i++) {
	123	x = sk_X509_value(certs, i);
	124	if (!OCSP_request_add1_cert(req, x))
	125	goto err;
	126	}
	127	}
	128
	129	return 1;
	130	err:
	131	OCSP_SIGNATURE_free(req->optionalSignature);
	132	req->optionalSignature = NULL;
	133	return 0;
	134	}
0b33bc65 DSH	135
	136	/* Get response status */
	137
	138	int OCSP_response_status(OCSP_RESPONSE *resp)
0f113f3e MC	139	{
	140	return ASN1_ENUMERATED_get(resp->responseStatus);
	141	}
0b33bc65	142
0f113f3e MC	143	/*
	144	* Extract basic response from OCSP_RESPONSE or NULL if no basic response
	145	* present.
0b33bc65	146	*/
0b33bc65 DSH	147
0b33bc65 DSH	148	OCSP_BASICRESP OCSP_response_get1_basic(OCSP_RESPONSE resp)
0f113f3e MC	149	{
	150	OCSP_RESPBYTES *rb;
	151	rb = resp->responseBytes;
	152	if (!rb) {
	153	OCSPerr(OCSP_F_OCSP_RESPONSE_GET1_BASIC, OCSP_R_NO_RESPONSE_DATA);
	154	return NULL;
	155	}
	156	if (OBJ_obj2nid(rb->responseType) != NID_id_pkix_OCSP_basic) {
	157	OCSPerr(OCSP_F_OCSP_RESPONSE_GET1_BASIC, OCSP_R_NOT_BASIC_RESPONSE);
	158	return NULL;
	159	}
	160
	161	return ASN1_item_unpack(rb->response, ASN1_ITEM_rptr(OCSP_BASICRESP));
	162	}
	163
6ef869d7 DSH	164	ASN1_OCTET_STRING OCSP_resp_get0_signature(OCSP_BASICRESP bs)
	165	{
	166	return bs->signature;
	167	}
	168
0f113f3e	169	/*
0d4fb843	170	* Return number of OCSP_SINGLERESP responses present in a basic response.
0b33bc65 DSH	171	*/
	172
	173	int OCSP_resp_count(OCSP_BASICRESP *bs)
0f113f3e MC	174	{
	175	if (!bs)
	176	return -1;
a332635e	177	return sk_OCSP_SINGLERESP_num(bs->tbsResponseData.responses);
0f113f3e	178	}
0b33bc65 DSH	179
	180	/* Extract an OCSP_SINGLERESP response with a given index */
	181
	182	OCSP_SINGLERESP OCSP_resp_get0(OCSP_BASICRESP bs, int idx)
0f113f3e MC	183	{
	184	if (!bs)
	185	return NULL;
a332635e	186	return sk_OCSP_SINGLERESP_value(bs->tbsResponseData.responses, idx);
0f113f3e	187	}
0b33bc65	188
213f60bf	189	ASN1_GENERALIZEDTIME OCSP_resp_get0_produced_at(OCSP_BASICRESP bs)
9e5cd4ba RS	190	{
	191	if (!bs)
	192	return NULL;
	193	return bs->tbsResponseData.producedAt;
	194	}
	195
02fb7cfe DSH	196	const STACK_OF(X509) OCSP_resp_get0_certs(const OCSP_BASICRESP bs)
	197	{
	198	return bs->certs;
	199	}
	200
	201	int OCSP_resp_get0_id(const OCSP_BASICRESP *bs,
	202	const ASN1_OCTET_STRING **pid,
	203	const X509_NAME **pname)
	204
	205	{
	206	const OCSP_RESPID *rid = &bs->tbsResponseData.responderId;
	207	if (rid->type == V_OCSP_RESPID_NAME) {
	208	*pname = rid->value.byName;
	209	*pid = NULL;
	210	} else if (rid->type == V_OCSP_RESPID_KEY) {
	211	*pid = rid->value.byKey;
	212	*pname = NULL;
	213	} else {
	214	return 0;
	215	}
	216	return 1;
	217	}
	218
0b33bc65 DSH	219	/* Look single response matching a given certificate ID */
	220
	221	int OCSP_resp_find(OCSP_BASICRESP bs, OCSP_CERTID id, int last)
0f113f3e MC	222	{
	223	int i;
	224	STACK_OF(OCSP_SINGLERESP) *sresp;
	225	OCSP_SINGLERESP *single;
	226	if (!bs)
	227	return -1;
	228	if (last < 0)
	229	last = 0;
	230	else
	231	last++;
a332635e	232	sresp = bs->tbsResponseData.responses;
0f113f3e MC	233	for (i = last; i < sk_OCSP_SINGLERESP_num(sresp); i++) {
	234	single = sk_OCSP_SINGLERESP_value(sresp, i);
	235	if (!OCSP_id_cmp(id, single->certId))
	236	return i;
	237	}
	238	return -1;
	239	}
	240
	241	/*
	242	* Extract status information from an OCSP_SINGLERESP structure. Note: the
	243	* revtime and reason values are only set if the certificate status is
	244	* revoked. Returns numerical value of status.
0b33bc65 DSH	245	*/
	246
	247	int OCSP_single_get0_status(OCSP_SINGLERESP single, int reason,
0f113f3e MC	248	ASN1_GENERALIZEDTIME **revtime,
	249	ASN1_GENERALIZEDTIME **thisupd,
	250	ASN1_GENERALIZEDTIME **nextupd)
	251	{
	252	int ret;
	253	OCSP_CERTSTATUS *cst;
	254	if (!single)
	255	return -1;
	256	cst = single->certStatus;
	257	ret = cst->type;
	258	if (ret == V_OCSP_CERTSTATUS_REVOKED) {
	259	OCSP_REVOKEDINFO *rev = cst->value.revoked;
	260	if (revtime)
	261	*revtime = rev->revocationTime;
	262	if (reason) {
	263	if (rev->revocationReason)
	264	*reason = ASN1_ENUMERATED_get(rev->revocationReason);
	265	else
	266	*reason = -1;
	267	}
	268	}
	269	if (thisupd)
	270	*thisupd = single->thisUpdate;
	271	if (nextupd)
	272	*nextupd = single->nextUpdate;
	273	return ret;
	274	}
	275
	276	/*
	277	* This function combines the previous ones: look up a certificate ID and if
	278	* found extract status information. Return 0 is successful.
0b33bc65 DSH	279	*/
	280
	281	int OCSP_resp_find_status(OCSP_BASICRESP bs, OCSP_CERTID id, int *status,
0f113f3e MC	282	int *reason,
	283	ASN1_GENERALIZEDTIME **revtime,
	284	ASN1_GENERALIZEDTIME **thisupd,
	285	ASN1_GENERALIZEDTIME **nextupd)
	286	{
	287	int i;
	288	OCSP_SINGLERESP *single;
	289	i = OCSP_resp_find(bs, id, -1);
	290	/* Maybe check for multiple responses and give an error? */
	291	if (i < 0)
	292	return 0;
	293	single = OCSP_resp_get0(bs, i);
	294	i = OCSP_single_get0_status(single, reason, revtime, thisupd, nextupd);
	295	if (status)
	296	*status = i;
	297	return 1;
	298	}
	299
	300	/*
	301	* Check validity of thisUpdate and nextUpdate fields. It is possible that
	302	* the request will take a few seconds to process and/or the time wont be
	303	* totally accurate. Therefore to avoid rejecting otherwise valid time we
	304	* allow the times to be within 'nsec' of the current time. Also to avoid
	305	* accepting very old responses without a nextUpdate field an optional maxage
f1965221 DSH	306	* parameter specifies the maximum age the thisUpdate field can be.
	307	*/
	308
0f113f3e MC	309	int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
	310	ASN1_GENERALIZEDTIME *nextupd, long nsec, long maxsec)
	311	{
	312	int ret = 1;
	313	time_t t_now, t_tmp;
	314	time(&t_now);
	315	/* Check thisUpdate is valid and not more than nsec in the future */
	316	if (!ASN1_GENERALIZEDTIME_check(thisupd)) {
	317	OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_ERROR_IN_THISUPDATE_FIELD);
	318	ret = 0;
	319	} else {
	320	t_tmp = t_now + nsec;
	321	if (X509_cmp_time(thisupd, &t_tmp) > 0) {
	322	OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_STATUS_NOT_YET_VALID);
	323	ret = 0;
	324	}
	325
	326	/*
	327	* If maxsec specified check thisUpdate is not more than maxsec in
	328	* the past
	329	*/
	330	if (maxsec >= 0) {
	331	t_tmp = t_now - maxsec;
	332	if (X509_cmp_time(thisupd, &t_tmp) < 0) {
	333	OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_STATUS_TOO_OLD);
	334	ret = 0;
	335	}
	336	}
	337	}
	338
	339	if (!nextupd)
	340	return ret;
	341
	342	/* Check nextUpdate is valid and not more than nsec in the past */
	343	if (!ASN1_GENERALIZEDTIME_check(nextupd)) {
	344	OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_ERROR_IN_NEXTUPDATE_FIELD);
	345	ret = 0;
	346	} else {
	347	t_tmp = t_now - nsec;
	348	if (X509_cmp_time(nextupd, &t_tmp) < 0) {
	349	OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_STATUS_EXPIRED);
	350	ret = 0;
	351	}
	352	}
	353
	354	/* Also don't allow nextUpdate to precede thisUpdate */
	355	if (ASN1_STRING_cmp(nextupd, thisupd) < 0) {
	356	OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
	357	OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE);
	358	ret = 0;
	359	}
	360
	361	return ret;
	362	}
9e5cd4ba RS	363
	364	OCSP_CERTID OCSP_SINGLERESP_get0_id(OCSP_SINGLERESP single)
	365	{
	366	return single->certId;
	367	}