[thirdparty/openssl.git] / crypto / ocsp / ocsp_cl.c

/*
 * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <stdio.h>
#include <time.h>
#include "internal/cryptlib.h"
#include <openssl/asn1.h>
#include <openssl/objects.h>
#include <openssl/x509.h>
#include <openssl/pem.h>
#include <openssl/x509v3.h>
#include <openssl/ocsp.h>
#include "ocsp_lcl.h"

/*
 * Utility functions related to sending OCSP requests and extracting relevant
 * information from the response.
 */

/*
 * Add an OCSP_CERTID to an OCSP request. Return new OCSP_ONEREQ pointer:
 * useful if we want to add extensions.
 */

OCSP_ONEREQ *OCSP_request_add0_id(OCSP_REQUEST *req, OCSP_CERTID *cid)
{
    OCSP_ONEREQ *one = NULL;

    if ((one = OCSP_ONEREQ_new()) == NULL)
        return NULL;
    OCSP_CERTID_free(one->reqCert);
    one->reqCert = cid;
    if (req && !sk_OCSP_ONEREQ_push(req->tbsRequest.requestList, one)) {
        one->reqCert = NULL; /* do not free on error */
        goto err;
    }
    return one;
 err:
    OCSP_ONEREQ_free(one);
    return NULL;
}

/* Set requestorName from an X509_NAME structure */

int OCSP_request_set1_name(OCSP_REQUEST *req, X509_NAME *nm)
{
    GENERAL_NAME *gen;

    gen = GENERAL_NAME_new();
    if (gen == NULL)
        return 0;
    if (!X509_NAME_set(&gen->d.directoryName, nm)) {
        GENERAL_NAME_free(gen);
        return 0;
    }
    gen->type = GEN_DIRNAME;
    GENERAL_NAME_free(req->tbsRequest.requestorName);
    req->tbsRequest.requestorName = gen;
    return 1;
}

/* Add a certificate to an OCSP request */

int OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert)
{
    OCSP_SIGNATURE *sig;
    if (req->optionalSignature == NULL)
        req->optionalSignature = OCSP_SIGNATURE_new();
    sig = req->optionalSignature;
    if (sig == NULL)
        return 0;
    if (cert == NULL)
        return 1;
    if (sig->certs == NULL
        && (sig->certs = sk_X509_new_null()) == NULL)
        return 0;

    if (!sk_X509_push(sig->certs, cert))
        return 0;
    X509_up_ref(cert);
    return 1;
}

/*
 * Sign an OCSP request set the requestorName to the subject name of an
 * optional signers certificate and include one or more optional certificates
 * in the request. Behaves like PKCS7_sign().
 */

int OCSP_request_sign(OCSP_REQUEST *req,
                      X509 *signer,
                      EVP_PKEY *key,
                      const EVP_MD *dgst,
                      STACK_OF(X509) *certs, unsigned long flags)
{
    int i;
    X509 *x;

    if (!OCSP_request_set1_name(req, X509_get_subject_name(signer)))
        goto err;

    if ((req->optionalSignature = OCSP_SIGNATURE_new()) == NULL)
        goto err;
    if (key) {
        if (!X509_check_private_key(signer, key)) {
            OCSPerr(OCSP_F_OCSP_REQUEST_SIGN,
                    OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
            goto err;
        }
        if (!OCSP_REQUEST_sign(req, key, dgst))
            goto err;
    }

    if (!(flags & OCSP_NOCERTS)) {
        if (!OCSP_request_add1_cert(req, signer))
            goto err;
        for (i = 0; i < sk_X509_num(certs); i++) {
            x = sk_X509_value(certs, i);
            if (!OCSP_request_add1_cert(req, x))
                goto err;
        }
    }

    return 1;
 err:
    OCSP_SIGNATURE_free(req->optionalSignature);
    req->optionalSignature = NULL;
    return 0;
}

/* Get response status */

int OCSP_response_status(OCSP_RESPONSE *resp)
{
    return ASN1_ENUMERATED_get(resp->responseStatus);
}

/*
 * Extract basic response from OCSP_RESPONSE or NULL if no basic response
 * present.
 */

OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp)
{
    OCSP_RESPBYTES *rb;
    rb = resp->responseBytes;
    if (!rb) {
        OCSPerr(OCSP_F_OCSP_RESPONSE_GET1_BASIC, OCSP_R_NO_RESPONSE_DATA);
        return NULL;
    }
    if (OBJ_obj2nid(rb->responseType) != NID_id_pkix_OCSP_basic) {
        OCSPerr(OCSP_F_OCSP_RESPONSE_GET1_BASIC, OCSP_R_NOT_BASIC_RESPONSE);
        return NULL;
    }

    return ASN1_item_unpack(rb->response, ASN1_ITEM_rptr(OCSP_BASICRESP));
}

const ASN1_OCTET_STRING *OCSP_resp_get0_signature(const OCSP_BASICRESP *bs)
{
    return bs->signature;
}

/*
 * Return number of OCSP_SINGLERESP responses present in a basic response.
 */

int OCSP_resp_count(OCSP_BASICRESP *bs)
{
    if (!bs)
        return -1;
    return sk_OCSP_SINGLERESP_num(bs->tbsResponseData.responses);
}

/* Extract an OCSP_SINGLERESP response with a given index */

OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx)
{
    if (!bs)
        return NULL;
    return sk_OCSP_SINGLERESP_value(bs->tbsResponseData.responses, idx);
}

const ASN1_GENERALIZEDTIME *OCSP_resp_get0_produced_at(const OCSP_BASICRESP* bs)
{
    return bs->tbsResponseData.producedAt;
}

const STACK_OF(X509) *OCSP_resp_get0_certs(const OCSP_BASICRESP *bs)
{
    return bs->certs;
}

int OCSP_resp_get0_id(const OCSP_BASICRESP *bs,
                      const ASN1_OCTET_STRING **pid,
                      const X509_NAME **pname)
{
    const OCSP_RESPID *rid = &bs->tbsResponseData.responderId;

    if (rid->type == V_OCSP_RESPID_NAME) {
        *pname = rid->value.byName;
        *pid = NULL;
    } else if (rid->type == V_OCSP_RESPID_KEY) {
        *pid = rid->value.byKey;
        *pname = NULL;
    } else {
        return 0;
    }
    return 1;
}

int OCSP_resp_get1_id(const OCSP_BASICRESP *bs,
                      ASN1_OCTET_STRING **pid,
                      X509_NAME **pname)
{
    const OCSP_RESPID *rid = &bs->tbsResponseData.responderId;

    if (rid->type == V_OCSP_RESPID_NAME) {
        *pname = X509_NAME_dup(rid->value.byName);
        *pid = NULL;
    } else if (rid->type == V_OCSP_RESPID_KEY) {
        *pid = ASN1_OCTET_STRING_dup(rid->value.byKey);
        *pname = NULL;
    } else {
        return 0;
    }
    if (pname == NULL && pid == NULL)
        return 0;
    return 1;
}

/* Look single response matching a given certificate ID */

int OCSP_resp_find(OCSP_BASICRESP *bs, OCSP_CERTID *id, int last)
{
    int i;
    STACK_OF(OCSP_SINGLERESP) *sresp;
    OCSP_SINGLERESP *single;
    if (!bs)
        return -1;
    if (last < 0)
        last = 0;
    else
        last++;
    sresp = bs->tbsResponseData.responses;
    for (i = last; i < sk_OCSP_SINGLERESP_num(sresp); i++) {
        single = sk_OCSP_SINGLERESP_value(sresp, i);
        if (!OCSP_id_cmp(id, single->certId))
            return i;
    }
    return -1;
}

/*
 * Extract status information from an OCSP_SINGLERESP structure. Note: the
 * revtime and reason values are only set if the certificate status is
 * revoked. Returns numerical value of status.
 */

int OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason,
                            ASN1_GENERALIZEDTIME **revtime,
                            ASN1_GENERALIZEDTIME **thisupd,
                            ASN1_GENERALIZEDTIME **nextupd)
{
    int ret;
    OCSP_CERTSTATUS *cst;
    if (!single)
        return -1;
    cst = single->certStatus;
    ret = cst->type;
    if (ret == V_OCSP_CERTSTATUS_REVOKED) {
        OCSP_REVOKEDINFO *rev = cst->value.revoked;
        if (revtime)
            *revtime = rev->revocationTime;
        if (reason) {
            if (rev->revocationReason)
                *reason = ASN1_ENUMERATED_get(rev->revocationReason);
            else
                *reason = -1;
        }
    }
    if (thisupd)
        *thisupd = single->thisUpdate;
    if (nextupd)
        *nextupd = single->nextUpdate;
    return ret;
}

/*
 * This function combines the previous ones: look up a certificate ID and if
 * found extract status information. Return 0 is successful.
 */

int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
                          int *reason,
                          ASN1_GENERALIZEDTIME **revtime,
                          ASN1_GENERALIZEDTIME **thisupd,
                          ASN1_GENERALIZEDTIME **nextupd)
{
    int i;
    OCSP_SINGLERESP *single;
    i = OCSP_resp_find(bs, id, -1);
    /* Maybe check for multiple responses and give an error? */
    if (i < 0)
        return 0;
    single = OCSP_resp_get0(bs, i);
    i = OCSP_single_get0_status(single, reason, revtime, thisupd, nextupd);
    if (status)
        *status = i;
    return 1;
}

/*
 * Check validity of thisUpdate and nextUpdate fields. It is possible that
 * the request will take a few seconds to process and/or the time won't be
 * totally accurate. Therefore to avoid rejecting otherwise valid time we
 * allow the times to be within 'nsec' of the current time. Also to avoid
 * accepting very old responses without a nextUpdate field an optional maxage
 * parameter specifies the maximum age the thisUpdate field can be.
 */

int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
                        ASN1_GENERALIZEDTIME *nextupd, long nsec, long maxsec)
{
    int ret = 1;
    time_t t_now, t_tmp;
    time(&t_now);
    /* Check thisUpdate is valid and not more than nsec in the future */
    if (!ASN1_GENERALIZEDTIME_check(thisupd)) {
        OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_ERROR_IN_THISUPDATE_FIELD);
        ret = 0;
    } else {
        t_tmp = t_now + nsec;
        if (X509_cmp_time(thisupd, &t_tmp) > 0) {
            OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_STATUS_NOT_YET_VALID);
            ret = 0;
        }

        /*
         * If maxsec specified check thisUpdate is not more than maxsec in
         * the past
         */
        if (maxsec >= 0) {
            t_tmp = t_now - maxsec;
            if (X509_cmp_time(thisupd, &t_tmp) < 0) {
                OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_STATUS_TOO_OLD);
                ret = 0;
            }
        }
    }

    if (!nextupd)
        return ret;

    /* Check nextUpdate is valid and not more than nsec in the past */
    if (!ASN1_GENERALIZEDTIME_check(nextupd)) {
        OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_ERROR_IN_NEXTUPDATE_FIELD);
        ret = 0;
    } else {
        t_tmp = t_now - nsec;
        if (X509_cmp_time(nextupd, &t_tmp) < 0) {
            OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_STATUS_EXPIRED);
            ret = 0;
        }
    }

    /* Also don't allow nextUpdate to precede thisUpdate */
    if (ASN1_STRING_cmp(nextupd, thisupd) < 0) {
        OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
                OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE);
        ret = 0;
    }

    return ret;
}

const OCSP_CERTID *OCSP_SINGLERESP_get0_id(const OCSP_SINGLERESP *single)
{
    return single->certId;
}
Commit	Line	Data
0f113f3e	1	/*
b1322259	2	* Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.
0b33bc65	3	*
b1322259 RS	4	* Licensed under the OpenSSL license (the "License"). You may not use
	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
0b33bc65 DSH	8	*/
	9
	10	#include <stdio.h>
f1965221	11	#include <time.h>
b39fc560	12	#include "internal/cryptlib.h"
db17e43d	13	#include <openssl/asn1.h>
0b33bc65	14	#include <openssl/objects.h>
0b33bc65 DSH	15	#include <openssl/x509.h>
	16	#include <openssl/pem.h>
	17	#include <openssl/x509v3.h>
	18	#include <openssl/ocsp.h>
6ef869d7	19	#include "ocsp_lcl.h"
0b33bc65	20
0f113f3e MC	21	/*
	22	* Utility functions related to sending OCSP requests and extracting relevant
	23	* information from the response.
0b33bc65 DSH	24	*/
0b33bc65 DSH	25
0f113f3e MC	26	/*
	27	* Add an OCSP_CERTID to an OCSP request. Return new OCSP_ONEREQ pointer:
	28	* useful if we want to add extensions.
0b33bc65 DSH	29	*/
	30
	31	OCSP_ONEREQ OCSP_request_add0_id(OCSP_REQUEST req, OCSP_CERTID *cid)
0f113f3e MC	32	{
	33	OCSP_ONEREQ *one = NULL;
	34
75ebbd9a	35	if ((one = OCSP_ONEREQ_new()) == NULL)
68efafc5	36	return NULL;
25aaa98a	37	OCSP_CERTID_free(one->reqCert);
0f113f3e	38	one->reqCert = cid;
415e7c48 TS	39	if (req && !sk_OCSP_ONEREQ_push(req->tbsRequest.requestList, one)) {
415e7c48 TS	40	one->reqCert = NULL; /* do not free on error */
0f113f3e	41	goto err;
415e7c48	42	}
0f113f3e MC	43	return one;
	44	err:
	45	OCSP_ONEREQ_free(one);
	46	return NULL;
	47	}
0b33bc65 DSH	48
	49	/* Set requestorName from an X509_NAME structure */
	50
	51	int OCSP_request_set1_name(OCSP_REQUEST req, X509_NAME nm)
0f113f3e MC	52	{
0f113f3e MC	53	GENERAL_NAME *gen;
25aaa98a	54
0f113f3e MC	55	gen = GENERAL_NAME_new();
	56	if (gen == NULL)
	57	return 0;
	58	if (!X509_NAME_set(&gen->d.directoryName, nm)) {
	59	GENERAL_NAME_free(gen);
	60	return 0;
	61	}
	62	gen->type = GEN_DIRNAME;
a332635e DSH	63	GENERAL_NAME_free(req->tbsRequest.requestorName);
a332635e DSH	64	req->tbsRequest.requestorName = gen;
0f113f3e MC	65	return 1;
0f113f3e MC	66	}
0b33bc65 DSH	67
	68	/* Add a certificate to an OCSP request */
	69
	70	int OCSP_request_add1_cert(OCSP_REQUEST req, X509 cert)
0f113f3e MC	71	{
0f113f3e MC	72	OCSP_SIGNATURE *sig;
90945fa3	73	if (req->optionalSignature == NULL)
0f113f3e MC	74	req->optionalSignature = OCSP_SIGNATURE_new();
0f113f3e MC	75	sig = req->optionalSignature;
90945fa3	76	if (sig == NULL)
0f113f3e	77	return 0;
90945fa3	78	if (cert == NULL)
0f113f3e	79	return 1;
75ebbd9a RS	80	if (sig->certs == NULL
75ebbd9a RS	81	&& (sig->certs = sk_X509_new_null()) == NULL)
0f113f3e MC	82	return 0;
	83
	84	if (!sk_X509_push(sig->certs, cert))
	85	return 0;
05f0fb9f	86	X509_up_ref(cert);
0f113f3e MC	87	return 1;
	88	}
	89
	90	/*
0d4fb843	91	* Sign an OCSP request set the requestorName to the subject name of an
0f113f3e MC	92	* optional signers certificate and include one or more optional certificates
0f113f3e MC	93	* in the request. Behaves like PKCS7_sign().
0b33bc65 DSH	94	*/
0b33bc65 DSH	95
0f113f3e MC	96	int OCSP_request_sign(OCSP_REQUEST *req,
	97	X509 *signer,
	98	EVP_PKEY *key,
	99	const EVP_MD *dgst,
	100	STACK_OF(X509) *certs, unsigned long flags)
	101	{
	102	int i;
	103	X509 *x;
	104
	105	if (!OCSP_request_set1_name(req, X509_get_subject_name(signer)))
	106	goto err;
	107
75ebbd9a	108	if ((req->optionalSignature = OCSP_SIGNATURE_new()) == NULL)
0f113f3e MC	109	goto err;
	110	if (key) {
	111	if (!X509_check_private_key(signer, key)) {
	112	OCSPerr(OCSP_F_OCSP_REQUEST_SIGN,
	113	OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
	114	goto err;
	115	}
	116	if (!OCSP_REQUEST_sign(req, key, dgst))
	117	goto err;
	118	}
	119
	120	if (!(flags & OCSP_NOCERTS)) {
	121	if (!OCSP_request_add1_cert(req, signer))
	122	goto err;
	123	for (i = 0; i < sk_X509_num(certs); i++) {
	124	x = sk_X509_value(certs, i);
	125	if (!OCSP_request_add1_cert(req, x))
	126	goto err;
	127	}
	128	}
	129
	130	return 1;
	131	err:
	132	OCSP_SIGNATURE_free(req->optionalSignature);
	133	req->optionalSignature = NULL;
	134	return 0;
	135	}
0b33bc65 DSH	136
	137	/* Get response status */
	138
	139	int OCSP_response_status(OCSP_RESPONSE *resp)
0f113f3e MC	140	{
	141	return ASN1_ENUMERATED_get(resp->responseStatus);
	142	}
0b33bc65	143
0f113f3e MC	144	/*
	145	* Extract basic response from OCSP_RESPONSE or NULL if no basic response
	146	* present.
0b33bc65	147	*/
0b33bc65 DSH	148
0b33bc65 DSH	149	OCSP_BASICRESP OCSP_response_get1_basic(OCSP_RESPONSE resp)
0f113f3e MC	150	{
	151	OCSP_RESPBYTES *rb;
	152	rb = resp->responseBytes;
	153	if (!rb) {
	154	OCSPerr(OCSP_F_OCSP_RESPONSE_GET1_BASIC, OCSP_R_NO_RESPONSE_DATA);
	155	return NULL;
	156	}
	157	if (OBJ_obj2nid(rb->responseType) != NID_id_pkix_OCSP_basic) {
	158	OCSPerr(OCSP_F_OCSP_RESPONSE_GET1_BASIC, OCSP_R_NOT_BASIC_RESPONSE);
	159	return NULL;
	160	}
	161
	162	return ASN1_item_unpack(rb->response, ASN1_ITEM_rptr(OCSP_BASICRESP));
	163	}
	164
79613ea8	165	const ASN1_OCTET_STRING OCSP_resp_get0_signature(const OCSP_BASICRESP bs)
6ef869d7 DSH	166	{
	167	return bs->signature;
	168	}
	169
0f113f3e	170	/*
0d4fb843	171	* Return number of OCSP_SINGLERESP responses present in a basic response.
0b33bc65 DSH	172	*/
	173
	174	int OCSP_resp_count(OCSP_BASICRESP *bs)
0f113f3e MC	175	{
	176	if (!bs)
	177	return -1;
a332635e	178	return sk_OCSP_SINGLERESP_num(bs->tbsResponseData.responses);
0f113f3e	179	}
0b33bc65 DSH	180
	181	/* Extract an OCSP_SINGLERESP response with a given index */
	182
	183	OCSP_SINGLERESP OCSP_resp_get0(OCSP_BASICRESP bs, int idx)
0f113f3e MC	184	{
	185	if (!bs)
	186	return NULL;
a332635e	187	return sk_OCSP_SINGLERESP_value(bs->tbsResponseData.responses, idx);
0f113f3e	188	}
0b33bc65	189
79613ea8	190	const ASN1_GENERALIZEDTIME OCSP_resp_get0_produced_at(const OCSP_BASICRESP bs)
9e5cd4ba	191	{
9e5cd4ba RS	192	return bs->tbsResponseData.producedAt;
	193	}
	194
02fb7cfe DSH	195	const STACK_OF(X509) OCSP_resp_get0_certs(const OCSP_BASICRESP bs)
	196	{
	197	return bs->certs;
	198	}
	199
	200	int OCSP_resp_get0_id(const OCSP_BASICRESP *bs,
	201	const ASN1_OCTET_STRING **pid,
	202	const X509_NAME **pname)
02fb7cfe DSH	203	{
02fb7cfe DSH	204	const OCSP_RESPID *rid = &bs->tbsResponseData.responderId;
db17e43d	205
02fb7cfe DSH	206	if (rid->type == V_OCSP_RESPID_NAME) {
	207	*pname = rid->value.byName;
	208	*pid = NULL;
	209	} else if (rid->type == V_OCSP_RESPID_KEY) {
	210	*pid = rid->value.byKey;
	211	*pname = NULL;
	212	} else {
	213	return 0;
	214	}
	215	return 1;
	216	}
	217
db17e43d SS	218	int OCSP_resp_get1_id(const OCSP_BASICRESP *bs,
	219	ASN1_OCTET_STRING **pid,
	220	X509_NAME **pname)
	221	{
	222	const OCSP_RESPID *rid = &bs->tbsResponseData.responderId;
	223
	224	if (rid->type == V_OCSP_RESPID_NAME) {
	225	*pname = X509_NAME_dup(rid->value.byName);
	226	*pid = NULL;
	227	} else if (rid->type == V_OCSP_RESPID_KEY) {
	228	*pid = ASN1_OCTET_STRING_dup(rid->value.byKey);
	229	*pname = NULL;
	230	} else {
	231	return 0;
	232	}
	233	if (pname == NULL && pid == NULL)
	234	return 0;
	235	return 1;
	236	}
	237
0b33bc65 DSH	238	/* Look single response matching a given certificate ID */
	239
	240	int OCSP_resp_find(OCSP_BASICRESP bs, OCSP_CERTID id, int last)
0f113f3e MC	241	{
	242	int i;
	243	STACK_OF(OCSP_SINGLERESP) *sresp;
	244	OCSP_SINGLERESP *single;
	245	if (!bs)
	246	return -1;
	247	if (last < 0)
	248	last = 0;
	249	else
	250	last++;
a332635e	251	sresp = bs->tbsResponseData.responses;
0f113f3e MC	252	for (i = last; i < sk_OCSP_SINGLERESP_num(sresp); i++) {
	253	single = sk_OCSP_SINGLERESP_value(sresp, i);
	254	if (!OCSP_id_cmp(id, single->certId))
	255	return i;
	256	}
	257	return -1;
	258	}
	259
	260	/*
	261	* Extract status information from an OCSP_SINGLERESP structure. Note: the
	262	* revtime and reason values are only set if the certificate status is
	263	* revoked. Returns numerical value of status.
0b33bc65 DSH	264	*/
	265
	266	int OCSP_single_get0_status(OCSP_SINGLERESP single, int reason,
0f113f3e MC	267	ASN1_GENERALIZEDTIME **revtime,
	268	ASN1_GENERALIZEDTIME **thisupd,
	269	ASN1_GENERALIZEDTIME **nextupd)
	270	{
	271	int ret;
	272	OCSP_CERTSTATUS *cst;
	273	if (!single)
	274	return -1;
	275	cst = single->certStatus;
	276	ret = cst->type;
	277	if (ret == V_OCSP_CERTSTATUS_REVOKED) {
	278	OCSP_REVOKEDINFO *rev = cst->value.revoked;
	279	if (revtime)
	280	*revtime = rev->revocationTime;
	281	if (reason) {
	282	if (rev->revocationReason)
	283	*reason = ASN1_ENUMERATED_get(rev->revocationReason);
	284	else
	285	*reason = -1;
	286	}
	287	}
	288	if (thisupd)
	289	*thisupd = single->thisUpdate;
	290	if (nextupd)
	291	*nextupd = single->nextUpdate;
	292	return ret;
	293	}
	294
	295	/*
	296	* This function combines the previous ones: look up a certificate ID and if
	297	* found extract status information. Return 0 is successful.
0b33bc65 DSH	298	*/
	299
	300	int OCSP_resp_find_status(OCSP_BASICRESP bs, OCSP_CERTID id, int *status,
0f113f3e MC	301	int *reason,
	302	ASN1_GENERALIZEDTIME **revtime,
	303	ASN1_GENERALIZEDTIME **thisupd,
	304	ASN1_GENERALIZEDTIME **nextupd)
	305	{
	306	int i;
	307	OCSP_SINGLERESP *single;
	308	i = OCSP_resp_find(bs, id, -1);
	309	/* Maybe check for multiple responses and give an error? */
	310	if (i < 0)
	311	return 0;
	312	single = OCSP_resp_get0(bs, i);
	313	i = OCSP_single_get0_status(single, reason, revtime, thisupd, nextupd);
	314	if (status)
	315	*status = i;
	316	return 1;
	317	}
	318
	319	/*
	320	* Check validity of thisUpdate and nextUpdate fields. It is possible that
60250017	321	* the request will take a few seconds to process and/or the time won't be
0f113f3e MC	322	* totally accurate. Therefore to avoid rejecting otherwise valid time we
	323	* allow the times to be within 'nsec' of the current time. Also to avoid
	324	* accepting very old responses without a nextUpdate field an optional maxage
f1965221 DSH	325	* parameter specifies the maximum age the thisUpdate field can be.
	326	*/
	327
0f113f3e MC	328	int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
	329	ASN1_GENERALIZEDTIME *nextupd, long nsec, long maxsec)
	330	{
	331	int ret = 1;
	332	time_t t_now, t_tmp;
	333	time(&t_now);
	334	/* Check thisUpdate is valid and not more than nsec in the future */
	335	if (!ASN1_GENERALIZEDTIME_check(thisupd)) {
	336	OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_ERROR_IN_THISUPDATE_FIELD);
	337	ret = 0;
	338	} else {
	339	t_tmp = t_now + nsec;
	340	if (X509_cmp_time(thisupd, &t_tmp) > 0) {
	341	OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_STATUS_NOT_YET_VALID);
	342	ret = 0;
	343	}
	344
	345	/*
	346	* If maxsec specified check thisUpdate is not more than maxsec in
	347	* the past
	348	*/
	349	if (maxsec >= 0) {
	350	t_tmp = t_now - maxsec;
	351	if (X509_cmp_time(thisupd, &t_tmp) < 0) {
	352	OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_STATUS_TOO_OLD);
	353	ret = 0;
	354	}
	355	}
	356	}
	357
	358	if (!nextupd)
	359	return ret;
	360
	361	/* Check nextUpdate is valid and not more than nsec in the past */
	362	if (!ASN1_GENERALIZEDTIME_check(nextupd)) {
	363	OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_ERROR_IN_NEXTUPDATE_FIELD);
	364	ret = 0;
	365	} else {
	366	t_tmp = t_now - nsec;
	367	if (X509_cmp_time(nextupd, &t_tmp) < 0) {
	368	OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY, OCSP_R_STATUS_EXPIRED);
	369	ret = 0;
	370	}
	371	}
	372
	373	/* Also don't allow nextUpdate to precede thisUpdate */
	374	if (ASN1_STRING_cmp(nextupd, thisupd) < 0) {
	375	OCSPerr(OCSP_F_OCSP_CHECK_VALIDITY,
	376	OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE);
	377	ret = 0;
	378	}
	379
	380	return ret;
	381	}
9e5cd4ba	382
79613ea8	383	const OCSP_CERTID OCSP_SINGLERESP_get0_id(const OCSP_SINGLERESP single)
9e5cd4ba RS	384	{
	385	return single->certId;
	386	}