[thirdparty/openssl.git] / crypto / ocsp / ocsp_ext.c

/*
 * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <stdio.h>
#include "internal/cryptlib.h"
#include <openssl/objects.h>
#include <openssl/x509.h>
#include <openssl/ocsp.h>
#include "ocsp_lcl.h"
#include <openssl/rand.h>
#include <openssl/x509v3.h>

/* Standard wrapper functions for extensions */

/* OCSP request extensions */

int OCSP_REQUEST_get_ext_count(OCSP_REQUEST *x)
{
    return (X509v3_get_ext_count(x->tbsRequest.requestExtensions));
}

int OCSP_REQUEST_get_ext_by_NID(OCSP_REQUEST *x, int nid, int lastpos)
{
    return (X509v3_get_ext_by_NID
            (x->tbsRequest.requestExtensions, nid, lastpos));
}

int OCSP_REQUEST_get_ext_by_OBJ(OCSP_REQUEST *x, ASN1_OBJECT *obj,
                                int lastpos)
{
    return (X509v3_get_ext_by_OBJ
            (x->tbsRequest.requestExtensions, obj, lastpos));
}

int OCSP_REQUEST_get_ext_by_critical(OCSP_REQUEST *x, int crit, int lastpos)
{
    return (X509v3_get_ext_by_critical
            (x->tbsRequest.requestExtensions, crit, lastpos));
}

X509_EXTENSION *OCSP_REQUEST_get_ext(OCSP_REQUEST *x, int loc)
{
    return (X509v3_get_ext(x->tbsRequest.requestExtensions, loc));
}

X509_EXTENSION *OCSP_REQUEST_delete_ext(OCSP_REQUEST *x, int loc)
{
    return (X509v3_delete_ext(x->tbsRequest.requestExtensions, loc));
}

void *OCSP_REQUEST_get1_ext_d2i(OCSP_REQUEST *x, int nid, int *crit, int *idx)
{
    return X509V3_get_d2i(x->tbsRequest.requestExtensions, nid, crit, idx);
}

int OCSP_REQUEST_add1_ext_i2d(OCSP_REQUEST *x, int nid, void *value, int crit,
                              unsigned long flags)
{
    return X509V3_add1_i2d(&x->tbsRequest.requestExtensions, nid, value,
                           crit, flags);
}

int OCSP_REQUEST_add_ext(OCSP_REQUEST *x, X509_EXTENSION *ex, int loc)
{
    return (X509v3_add_ext(&(x->tbsRequest.requestExtensions), ex, loc) !=
            NULL);
}

/* Single extensions */

int OCSP_ONEREQ_get_ext_count(OCSP_ONEREQ *x)
{
    return (X509v3_get_ext_count(x->singleRequestExtensions));
}

int OCSP_ONEREQ_get_ext_by_NID(OCSP_ONEREQ *x, int nid, int lastpos)
{
    return (X509v3_get_ext_by_NID(x->singleRequestExtensions, nid, lastpos));
}

int OCSP_ONEREQ_get_ext_by_OBJ(OCSP_ONEREQ *x, ASN1_OBJECT *obj, int lastpos)
{
    return (X509v3_get_ext_by_OBJ(x->singleRequestExtensions, obj, lastpos));
}

int OCSP_ONEREQ_get_ext_by_critical(OCSP_ONEREQ *x, int crit, int lastpos)
{
    return (X509v3_get_ext_by_critical
            (x->singleRequestExtensions, crit, lastpos));
}

X509_EXTENSION *OCSP_ONEREQ_get_ext(OCSP_ONEREQ *x, int loc)
{
    return (X509v3_get_ext(x->singleRequestExtensions, loc));
}

X509_EXTENSION *OCSP_ONEREQ_delete_ext(OCSP_ONEREQ *x, int loc)
{
    return (X509v3_delete_ext(x->singleRequestExtensions, loc));
}

void *OCSP_ONEREQ_get1_ext_d2i(OCSP_ONEREQ *x, int nid, int *crit, int *idx)
{
    return X509V3_get_d2i(x->singleRequestExtensions, nid, crit, idx);
}

int OCSP_ONEREQ_add1_ext_i2d(OCSP_ONEREQ *x, int nid, void *value, int crit,
                             unsigned long flags)
{
    return X509V3_add1_i2d(&x->singleRequestExtensions, nid, value, crit,
                           flags);
}

int OCSP_ONEREQ_add_ext(OCSP_ONEREQ *x, X509_EXTENSION *ex, int loc)
{
    return (X509v3_add_ext(&(x->singleRequestExtensions), ex, loc) != NULL);
}

/* OCSP Basic response */

int OCSP_BASICRESP_get_ext_count(OCSP_BASICRESP *x)
{
    return (X509v3_get_ext_count(x->tbsResponseData.responseExtensions));
}

int OCSP_BASICRESP_get_ext_by_NID(OCSP_BASICRESP *x, int nid, int lastpos)
{
    return (X509v3_get_ext_by_NID
            (x->tbsResponseData.responseExtensions, nid, lastpos));
}

int OCSP_BASICRESP_get_ext_by_OBJ(OCSP_BASICRESP *x, ASN1_OBJECT *obj,
                                  int lastpos)
{
    return (X509v3_get_ext_by_OBJ
            (x->tbsResponseData.responseExtensions, obj, lastpos));
}

int OCSP_BASICRESP_get_ext_by_critical(OCSP_BASICRESP *x, int crit,
                                       int lastpos)
{
    return (X509v3_get_ext_by_critical
            (x->tbsResponseData.responseExtensions, crit, lastpos));
}

X509_EXTENSION *OCSP_BASICRESP_get_ext(OCSP_BASICRESP *x, int loc)
{
    return (X509v3_get_ext(x->tbsResponseData.responseExtensions, loc));
}

X509_EXTENSION *OCSP_BASICRESP_delete_ext(OCSP_BASICRESP *x, int loc)
{
    return (X509v3_delete_ext(x->tbsResponseData.responseExtensions, loc));
}

void *OCSP_BASICRESP_get1_ext_d2i(OCSP_BASICRESP *x, int nid, int *crit,
                                  int *idx)
{
    return X509V3_get_d2i(x->tbsResponseData.responseExtensions, nid, crit,
                          idx);
}

int OCSP_BASICRESP_add1_ext_i2d(OCSP_BASICRESP *x, int nid, void *value,
                                int crit, unsigned long flags)
{
    return X509V3_add1_i2d(&x->tbsResponseData.responseExtensions, nid,
                           value, crit, flags);
}

int OCSP_BASICRESP_add_ext(OCSP_BASICRESP *x, X509_EXTENSION *ex, int loc)
{
    return (X509v3_add_ext(&(x->tbsResponseData.responseExtensions), ex, loc)
            != NULL);
}

/* OCSP single response extensions */

int OCSP_SINGLERESP_get_ext_count(OCSP_SINGLERESP *x)
{
    return (X509v3_get_ext_count(x->singleExtensions));
}

int OCSP_SINGLERESP_get_ext_by_NID(OCSP_SINGLERESP *x, int nid, int lastpos)
{
    return (X509v3_get_ext_by_NID(x->singleExtensions, nid, lastpos));
}

int OCSP_SINGLERESP_get_ext_by_OBJ(OCSP_SINGLERESP *x, ASN1_OBJECT *obj,
                                   int lastpos)
{
    return (X509v3_get_ext_by_OBJ(x->singleExtensions, obj, lastpos));
}

int OCSP_SINGLERESP_get_ext_by_critical(OCSP_SINGLERESP *x, int crit,
                                        int lastpos)
{
    return (X509v3_get_ext_by_critical(x->singleExtensions, crit, lastpos));
}

X509_EXTENSION *OCSP_SINGLERESP_get_ext(OCSP_SINGLERESP *x, int loc)
{
    return (X509v3_get_ext(x->singleExtensions, loc));
}

X509_EXTENSION *OCSP_SINGLERESP_delete_ext(OCSP_SINGLERESP *x, int loc)
{
    return (X509v3_delete_ext(x->singleExtensions, loc));
}

void *OCSP_SINGLERESP_get1_ext_d2i(OCSP_SINGLERESP *x, int nid, int *crit,
                                   int *idx)
{
    return X509V3_get_d2i(x->singleExtensions, nid, crit, idx);
}

int OCSP_SINGLERESP_add1_ext_i2d(OCSP_SINGLERESP *x, int nid, void *value,
                                 int crit, unsigned long flags)
{
    return X509V3_add1_i2d(&x->singleExtensions, nid, value, crit, flags);
}

int OCSP_SINGLERESP_add_ext(OCSP_SINGLERESP *x, X509_EXTENSION *ex, int loc)
{
    return (X509v3_add_ext(&(x->singleExtensions), ex, loc) != NULL);
}

/* also CRL Entry Extensions */

/* Nonce handling functions */

/*
 * Add a nonce to an extension stack. A nonce can be specified or if NULL a
 * random nonce will be generated. Note: OpenSSL 0.9.7d and later create an
 * OCTET STRING containing the nonce, previous versions used the raw nonce.
 */

static int ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts,
                           unsigned char *val, int len)
{
    unsigned char *tmpval;
    ASN1_OCTET_STRING os;
    int ret = 0;
    if (len <= 0)
        len = OCSP_DEFAULT_NONCE_LENGTH;
    /*
     * Create the OCTET STRING manually by writing out the header and
     * appending the content octets. This avoids an extra memory allocation
     * operation in some cases. Applications should *NOT* do this because it
     * relies on library internals.
     */
    os.length = ASN1_object_size(0, len, V_ASN1_OCTET_STRING);
    os.data = OPENSSL_malloc(os.length);
    if (os.data == NULL)
        goto err;
    tmpval = os.data;
    ASN1_put_object(&tmpval, 0, len, V_ASN1_OCTET_STRING, V_ASN1_UNIVERSAL);
    if (val)
        memcpy(tmpval, val, len);
    else if (RAND_bytes(tmpval, len) <= 0)
        goto err;
    if (!X509V3_add1_i2d(exts, NID_id_pkix_OCSP_Nonce,
                         &os, 0, X509V3_ADD_REPLACE))
        goto err;
    ret = 1;
 err:
    OPENSSL_free(os.data);
    return ret;
}

/* Add nonce to an OCSP request */

int OCSP_request_add1_nonce(OCSP_REQUEST *req, unsigned char *val, int len)
{
    return ocsp_add1_nonce(&req->tbsRequest.requestExtensions, val, len);
}

/* Same as above but for a response */

int OCSP_basic_add1_nonce(OCSP_BASICRESP *resp, unsigned char *val, int len)
{
    return ocsp_add1_nonce(&resp->tbsResponseData.responseExtensions, val,
                           len);
}

/*-
 * Check nonce validity in a request and response.
 * Return value reflects result:
 *  1: nonces present and equal.
 *  2: nonces both absent.
 *  3: nonce present in response only.
 *  0: nonces both present and not equal.
 * -1: nonce in request only.
 *
 *  For most responders clients can check return > 0.
 *  If responder doesn't handle nonces return != 0 may be
 *  necessary. return == 0 is always an error.
 */

int OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *bs)
{
    /*
     * Since we are only interested in the presence or absence of
     * the nonce and comparing its value there is no need to use
     * the X509V3 routines: this way we can avoid them allocating an
     * ASN1_OCTET_STRING structure for the value which would be
     * freed immediately anyway.
     */

    int req_idx, resp_idx;
    X509_EXTENSION *req_ext, *resp_ext;
    req_idx = OCSP_REQUEST_get_ext_by_NID(req, NID_id_pkix_OCSP_Nonce, -1);
    resp_idx = OCSP_BASICRESP_get_ext_by_NID(bs, NID_id_pkix_OCSP_Nonce, -1);
    /* Check both absent */
    if ((req_idx < 0) && (resp_idx < 0))
        return 2;
    /* Check in request only */
    if ((req_idx >= 0) && (resp_idx < 0))
        return -1;
    /* Check in response but not request */
    if ((req_idx < 0) && (resp_idx >= 0))
        return 3;
    /*
     * Otherwise nonce in request and response so retrieve the extensions
     */
    req_ext = OCSP_REQUEST_get_ext(req, req_idx);
    resp_ext = OCSP_BASICRESP_get_ext(bs, resp_idx);
    if (ASN1_OCTET_STRING_cmp(X509_EXTENSION_get_data(req_ext),
                              X509_EXTENSION_get_data(resp_ext)))
        return 0;
    return 1;
}

/*
 * Copy the nonce value (if any) from an OCSP request to a response.
 */

int OCSP_copy_nonce(OCSP_BASICRESP *resp, OCSP_REQUEST *req)
{
    X509_EXTENSION *req_ext;
    int req_idx;
    /* Check for nonce in request */
    req_idx = OCSP_REQUEST_get_ext_by_NID(req, NID_id_pkix_OCSP_Nonce, -1);
    /* If no nonce that's OK */
    if (req_idx < 0)
        return 2;
    req_ext = OCSP_REQUEST_get_ext(req, req_idx);
    return OCSP_BASICRESP_add_ext(resp, req_ext, -1);
}

X509_EXTENSION *OCSP_crlID_new(char *url, long *n, char *tim)
{
    X509_EXTENSION *x = NULL;
    OCSP_CRLID *cid = NULL;

    if ((cid = OCSP_CRLID_new()) == NULL)
        goto err;
    if (url) {
        if ((cid->crlUrl = ASN1_IA5STRING_new()) == NULL)
            goto err;
        if (!(ASN1_STRING_set(cid->crlUrl, url, -1)))
            goto err;
    }
    if (n) {
        if ((cid->crlNum = ASN1_INTEGER_new()) == NULL)
            goto err;
        if (!(ASN1_INTEGER_set(cid->crlNum, *n)))
            goto err;
    }
    if (tim) {
        if ((cid->crlTime = ASN1_GENERALIZEDTIME_new()) == NULL)
            goto err;
        if (!(ASN1_GENERALIZEDTIME_set_string(cid->crlTime, tim)))
            goto err;
    }
    x = X509V3_EXT_i2d(NID_id_pkix_OCSP_CrlID, 0, cid);
 err:
    OCSP_CRLID_free(cid);
    return x;
}

/*   AcceptableResponses ::= SEQUENCE OF OBJECT IDENTIFIER */
X509_EXTENSION *OCSP_accept_responses_new(char **oids)
{
    int nid;
    STACK_OF(ASN1_OBJECT) *sk = NULL;
    ASN1_OBJECT *o = NULL;
    X509_EXTENSION *x = NULL;

    if ((sk = sk_ASN1_OBJECT_new_null()) == NULL)
        goto err;
    while (oids && *oids) {
        if ((nid = OBJ_txt2nid(*oids)) != NID_undef && (o = OBJ_nid2obj(nid)))
            sk_ASN1_OBJECT_push(sk, o);
        oids++;
    }
    x = X509V3_EXT_i2d(NID_id_pkix_OCSP_acceptableResponses, 0, sk);
 err:
    sk_ASN1_OBJECT_pop_free(sk, ASN1_OBJECT_free);
    return x;
}

/*  ArchiveCutoff ::= GeneralizedTime */
X509_EXTENSION *OCSP_archive_cutoff_new(char *tim)
{
    X509_EXTENSION *x = NULL;
    ASN1_GENERALIZEDTIME *gt = NULL;

    if ((gt = ASN1_GENERALIZEDTIME_new()) == NULL)
        goto err;
    if (!(ASN1_GENERALIZEDTIME_set_string(gt, tim)))
        goto err;
    x = X509V3_EXT_i2d(NID_id_pkix_OCSP_archiveCutoff, 0, gt);
 err:
    ASN1_GENERALIZEDTIME_free(gt);
    return x;
}

/*
 * per ACCESS_DESCRIPTION parameter are oids, of which there are currently
 * two--NID_ad_ocsp, NID_id_ad_caIssuers--and GeneralName value.  This method
 * forces NID_ad_ocsp and uniformResourceLocator [6] IA5String.
 */
X509_EXTENSION *OCSP_url_svcloc_new(X509_NAME *issuer, char **urls)
{
    X509_EXTENSION *x = NULL;
    ASN1_IA5STRING *ia5 = NULL;
    OCSP_SERVICELOC *sloc = NULL;
    ACCESS_DESCRIPTION *ad = NULL;

    if ((sloc = OCSP_SERVICELOC_new()) == NULL)
        goto err;
    if ((sloc->issuer = X509_NAME_dup(issuer)) == NULL)
        goto err;
    if (urls && *urls
        && (sloc->locator = sk_ACCESS_DESCRIPTION_new_null()) == NULL)
        goto err;
    while (urls && *urls) {
        if ((ad = ACCESS_DESCRIPTION_new()) == NULL)
            goto err;
        if ((ad->method = OBJ_nid2obj(NID_ad_OCSP)) == NULL)
            goto err;
        if ((ad->location = GENERAL_NAME_new()) == NULL)
            goto err;
        if ((ia5 = ASN1_IA5STRING_new()) == NULL)
            goto err;
        if (!ASN1_STRING_set((ASN1_STRING *)ia5, *urls, -1))
            goto err;
        ad->location->type = GEN_URI;
        ad->location->d.ia5 = ia5;
        ia5 = NULL;
        if (!sk_ACCESS_DESCRIPTION_push(sloc->locator, ad))
            goto err;
        ad = NULL;
        urls++;
    }
    x = X509V3_EXT_i2d(NID_id_pkix_OCSP_serviceLocator, 0, sloc);
 err:
    ASN1_IA5STRING_free(ia5);
    ACCESS_DESCRIPTION_free(ad);
    OCSP_SERVICELOC_free(sloc);
    return x;
}
Commit	Line	Data
0f113f3e	1	/*
b1322259	2	* Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
eb64730b	3	*
b1322259 RS	4	* Licensed under the OpenSSL license (the "License"). You may not use
	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
eb64730b RL	8	*/
	9
	10	#include <stdio.h>
b39fc560	11	#include "internal/cryptlib.h"
eb64730b	12	#include <openssl/objects.h>
eb64730b RL	13	#include <openssl/x509.h>
eb64730b RL	14	#include <openssl/ocsp.h>
6ef869d7	15	#include "ocsp_lcl.h"
0b33bc65	16	#include <openssl/rand.h>
eb64730b RL	17	#include <openssl/x509v3.h>
eb64730b RL	18
ec558b65 DSH	19	/* Standard wrapper functions for extensions */
	20
	21	/* OCSP request extensions */
	22
	23	int OCSP_REQUEST_get_ext_count(OCSP_REQUEST *x)
0f113f3e	24	{
a332635e	25	return (X509v3_get_ext_count(x->tbsRequest.requestExtensions));
0f113f3e	26	}
ec558b65 DSH	27
ec558b65 DSH	28	int OCSP_REQUEST_get_ext_by_NID(OCSP_REQUEST *x, int nid, int lastpos)
0f113f3e MC	29	{
0f113f3e MC	30	return (X509v3_get_ext_by_NID
a332635e	31	(x->tbsRequest.requestExtensions, nid, lastpos));
0f113f3e MC	32	}
	33
	34	int OCSP_REQUEST_get_ext_by_OBJ(OCSP_REQUEST x, ASN1_OBJECT obj,
	35	int lastpos)
	36	{
	37	return (X509v3_get_ext_by_OBJ
a332635e	38	(x->tbsRequest.requestExtensions, obj, lastpos));
0f113f3e	39	}
ec558b65 DSH	40
ec558b65 DSH	41	int OCSP_REQUEST_get_ext_by_critical(OCSP_REQUEST *x, int crit, int lastpos)
0f113f3e MC	42	{
0f113f3e MC	43	return (X509v3_get_ext_by_critical
a332635e	44	(x->tbsRequest.requestExtensions, crit, lastpos));
0f113f3e	45	}
ec558b65 DSH	46
ec558b65 DSH	47	X509_EXTENSION OCSP_REQUEST_get_ext(OCSP_REQUEST x, int loc)
0f113f3e	48	{
a332635e	49	return (X509v3_get_ext(x->tbsRequest.requestExtensions, loc));
0f113f3e	50	}
ec558b65 DSH	51
ec558b65 DSH	52	X509_EXTENSION OCSP_REQUEST_delete_ext(OCSP_REQUEST x, int loc)
0f113f3e	53	{
a332635e	54	return (X509v3_delete_ext(x->tbsRequest.requestExtensions, loc));
0f113f3e	55	}
ec558b65 DSH	56
ec558b65 DSH	57	void OCSP_REQUEST_get1_ext_d2i(OCSP_REQUEST x, int nid, int crit, int idx)
0f113f3e	58	{
a332635e	59	return X509V3_get_d2i(x->tbsRequest.requestExtensions, nid, crit, idx);
0f113f3e	60	}
ec558b65 DSH	61
ec558b65 DSH	62	int OCSP_REQUEST_add1_ext_i2d(OCSP_REQUEST x, int nid, void value, int crit,
0f113f3e MC	63	unsigned long flags)
0f113f3e MC	64	{
a332635e	65	return X509V3_add1_i2d(&x->tbsRequest.requestExtensions, nid, value,
0f113f3e MC	66	crit, flags);
0f113f3e MC	67	}
ec558b65 DSH	68
ec558b65 DSH	69	int OCSP_REQUEST_add_ext(OCSP_REQUEST x, X509_EXTENSION ex, int loc)
0f113f3e	70	{
a332635e	71	return (X509v3_add_ext(&(x->tbsRequest.requestExtensions), ex, loc) !=
0f113f3e MC	72	NULL);
0f113f3e MC	73	}
ec558b65 DSH	74
	75	/* Single extensions */
	76
	77	int OCSP_ONEREQ_get_ext_count(OCSP_ONEREQ *x)
0f113f3e MC	78	{
	79	return (X509v3_get_ext_count(x->singleRequestExtensions));
	80	}
ec558b65 DSH	81
ec558b65 DSH	82	int OCSP_ONEREQ_get_ext_by_NID(OCSP_ONEREQ *x, int nid, int lastpos)
0f113f3e MC	83	{
	84	return (X509v3_get_ext_by_NID(x->singleRequestExtensions, nid, lastpos));
	85	}
ec558b65 DSH	86
ec558b65 DSH	87	int OCSP_ONEREQ_get_ext_by_OBJ(OCSP_ONEREQ x, ASN1_OBJECT obj, int lastpos)
0f113f3e MC	88	{
	89	return (X509v3_get_ext_by_OBJ(x->singleRequestExtensions, obj, lastpos));
	90	}
ec558b65 DSH	91
ec558b65 DSH	92	int OCSP_ONEREQ_get_ext_by_critical(OCSP_ONEREQ *x, int crit, int lastpos)
0f113f3e MC	93	{
	94	return (X509v3_get_ext_by_critical
	95	(x->singleRequestExtensions, crit, lastpos));
	96	}
ec558b65 DSH	97
ec558b65 DSH	98	X509_EXTENSION OCSP_ONEREQ_get_ext(OCSP_ONEREQ x, int loc)
0f113f3e MC	99	{
	100	return (X509v3_get_ext(x->singleRequestExtensions, loc));
	101	}
ec558b65 DSH	102
ec558b65 DSH	103	X509_EXTENSION OCSP_ONEREQ_delete_ext(OCSP_ONEREQ x, int loc)
0f113f3e MC	104	{
	105	return (X509v3_delete_ext(x->singleRequestExtensions, loc));
	106	}
ec558b65 DSH	107
ec558b65 DSH	108	void OCSP_ONEREQ_get1_ext_d2i(OCSP_ONEREQ x, int nid, int crit, int idx)
0f113f3e MC	109	{
	110	return X509V3_get_d2i(x->singleRequestExtensions, nid, crit, idx);
	111	}
ec558b65 DSH	112
ec558b65 DSH	113	int OCSP_ONEREQ_add1_ext_i2d(OCSP_ONEREQ x, int nid, void value, int crit,
0f113f3e MC	114	unsigned long flags)
	115	{
	116	return X509V3_add1_i2d(&x->singleRequestExtensions, nid, value, crit,
	117	flags);
	118	}
ec558b65 DSH	119
ec558b65 DSH	120	int OCSP_ONEREQ_add_ext(OCSP_ONEREQ x, X509_EXTENSION ex, int loc)
0f113f3e MC	121	{
	122	return (X509v3_add_ext(&(x->singleRequestExtensions), ex, loc) != NULL);
	123	}
ec558b65 DSH	124
	125	/* OCSP Basic response */
	126
	127	int OCSP_BASICRESP_get_ext_count(OCSP_BASICRESP *x)
0f113f3e	128	{
a332635e	129	return (X509v3_get_ext_count(x->tbsResponseData.responseExtensions));
0f113f3e	130	}
ec558b65 DSH	131
ec558b65 DSH	132	int OCSP_BASICRESP_get_ext_by_NID(OCSP_BASICRESP *x, int nid, int lastpos)
0f113f3e MC	133	{
0f113f3e MC	134	return (X509v3_get_ext_by_NID
a332635e	135	(x->tbsResponseData.responseExtensions, nid, lastpos));
0f113f3e MC	136	}
	137
	138	int OCSP_BASICRESP_get_ext_by_OBJ(OCSP_BASICRESP x, ASN1_OBJECT obj,
	139	int lastpos)
	140	{
	141	return (X509v3_get_ext_by_OBJ
a332635e	142	(x->tbsResponseData.responseExtensions, obj, lastpos));
0f113f3e MC	143	}
	144
	145	int OCSP_BASICRESP_get_ext_by_critical(OCSP_BASICRESP *x, int crit,
	146	int lastpos)
	147	{
	148	return (X509v3_get_ext_by_critical
a332635e	149	(x->tbsResponseData.responseExtensions, crit, lastpos));
0f113f3e	150	}
ec558b65 DSH	151
ec558b65 DSH	152	X509_EXTENSION OCSP_BASICRESP_get_ext(OCSP_BASICRESP x, int loc)
0f113f3e	153	{
a332635e	154	return (X509v3_get_ext(x->tbsResponseData.responseExtensions, loc));
0f113f3e	155	}
ec558b65 DSH	156
ec558b65 DSH	157	X509_EXTENSION OCSP_BASICRESP_delete_ext(OCSP_BASICRESP x, int loc)
0f113f3e	158	{
a332635e	159	return (X509v3_delete_ext(x->tbsResponseData.responseExtensions, loc));
0f113f3e MC	160	}
	161
	162	void OCSP_BASICRESP_get1_ext_d2i(OCSP_BASICRESP x, int nid, int *crit,
	163	int *idx)
	164	{
a332635e	165	return X509V3_get_d2i(x->tbsResponseData.responseExtensions, nid, crit,
0f113f3e MC	166	idx);
	167	}
	168
	169	int OCSP_BASICRESP_add1_ext_i2d(OCSP_BASICRESP x, int nid, void value,
	170	int crit, unsigned long flags)
	171	{
a332635e	172	return X509V3_add1_i2d(&x->tbsResponseData.responseExtensions, nid,
0f113f3e MC	173	value, crit, flags);
0f113f3e MC	174	}
ec558b65 DSH	175
ec558b65 DSH	176	int OCSP_BASICRESP_add_ext(OCSP_BASICRESP x, X509_EXTENSION ex, int loc)
0f113f3e	177	{
a332635e	178	return (X509v3_add_ext(&(x->tbsResponseData.responseExtensions), ex, loc)
0f113f3e MC	179	!= NULL);
0f113f3e MC	180	}
ec558b65 DSH	181
	182	/* OCSP single response extensions */
	183
	184	int OCSP_SINGLERESP_get_ext_count(OCSP_SINGLERESP *x)
0f113f3e MC	185	{
	186	return (X509v3_get_ext_count(x->singleExtensions));
	187	}
ec558b65 DSH	188
ec558b65 DSH	189	int OCSP_SINGLERESP_get_ext_by_NID(OCSP_SINGLERESP *x, int nid, int lastpos)
0f113f3e MC	190	{
	191	return (X509v3_get_ext_by_NID(x->singleExtensions, nid, lastpos));
	192	}
	193
	194	int OCSP_SINGLERESP_get_ext_by_OBJ(OCSP_SINGLERESP x, ASN1_OBJECT obj,
	195	int lastpos)
	196	{
	197	return (X509v3_get_ext_by_OBJ(x->singleExtensions, obj, lastpos));
	198	}
	199
	200	int OCSP_SINGLERESP_get_ext_by_critical(OCSP_SINGLERESP *x, int crit,
	201	int lastpos)
	202	{
	203	return (X509v3_get_ext_by_critical(x->singleExtensions, crit, lastpos));
	204	}
ec558b65 DSH	205
ec558b65 DSH	206	X509_EXTENSION OCSP_SINGLERESP_get_ext(OCSP_SINGLERESP x, int loc)
0f113f3e MC	207	{
	208	return (X509v3_get_ext(x->singleExtensions, loc));
	209	}
ec558b65 DSH	210
ec558b65 DSH	211	X509_EXTENSION OCSP_SINGLERESP_delete_ext(OCSP_SINGLERESP x, int loc)
0f113f3e MC	212	{
	213	return (X509v3_delete_ext(x->singleExtensions, loc));
	214	}
	215
	216	void OCSP_SINGLERESP_get1_ext_d2i(OCSP_SINGLERESP x, int nid, int *crit,
	217	int *idx)
	218	{
	219	return X509V3_get_d2i(x->singleExtensions, nid, crit, idx);
	220	}
	221
	222	int OCSP_SINGLERESP_add1_ext_i2d(OCSP_SINGLERESP x, int nid, void value,
	223	int crit, unsigned long flags)
	224	{
	225	return X509V3_add1_i2d(&x->singleExtensions, nid, value, crit, flags);
	226	}
ec558b65 DSH	227
ec558b65 DSH	228	int OCSP_SINGLERESP_add_ext(OCSP_SINGLERESP x, X509_EXTENSION ex, int loc)
0f113f3e MC	229	{
	230	return (X509v3_add_ext(&(x->singleExtensions), ex, loc) != NULL);
	231	}
eb64730b RL	232
eb64730b RL	233	/* also CRL Entry Extensions */
eb64730b	234
0b33bc65 DSH	235	/* Nonce handling functions */
0b33bc65 DSH	236
0f113f3e	237	/*
0d4fb843	238	* Add a nonce to an extension stack. A nonce can be specified or if NULL a
0f113f3e MC	239	* random nonce will be generated. Note: OpenSSL 0.9.7d and later create an
0f113f3e MC	240	* OCTET STRING containing the nonce, previous versions used the raw nonce.
0b33bc65 DSH	241	*/
0b33bc65 DSH	242
0f113f3e MC	243	static int ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts,
	244	unsigned char *val, int len)
	245	{
	246	unsigned char *tmpval;
	247	ASN1_OCTET_STRING os;
	248	int ret = 0;
	249	if (len <= 0)
	250	len = OCSP_DEFAULT_NONCE_LENGTH;
	251	/*
	252	* Create the OCTET STRING manually by writing out the header and
	253	* appending the content octets. This avoids an extra memory allocation
	254	* operation in some cases. Applications should NOT do this because it
	255	* relies on library internals.
	256	*/
	257	os.length = ASN1_object_size(0, len, V_ASN1_OCTET_STRING);
	258	os.data = OPENSSL_malloc(os.length);
	259	if (os.data == NULL)
	260	goto err;
	261	tmpval = os.data;
	262	ASN1_put_object(&tmpval, 0, len, V_ASN1_OCTET_STRING, V_ASN1_UNIVERSAL);
	263	if (val)
	264	memcpy(tmpval, val, len);
266483d2 MC	265	else if (RAND_bytes(tmpval, len) <= 0)
266483d2 MC	266	goto err;
0f113f3e MC	267	if (!X509V3_add1_i2d(exts, NID_id_pkix_OCSP_Nonce,
	268	&os, 0, X509V3_ADD_REPLACE))
	269	goto err;
	270	ret = 1;
	271	err:
b548a1f1	272	OPENSSL_free(os.data);
0f113f3e MC	273	return ret;
0f113f3e MC	274	}
46a58ab9 DSH	275
	276	/* Add nonce to an OCSP request */
	277
	278	int OCSP_request_add1_nonce(OCSP_REQUEST req, unsigned char val, int len)
0f113f3e	279	{
a332635e	280	return ocsp_add1_nonce(&req->tbsRequest.requestExtensions, val, len);
0f113f3e	281	}
46a58ab9 DSH	282
	283	/* Same as above but for a response */
	284
	285	int OCSP_basic_add1_nonce(OCSP_BASICRESP resp, unsigned char val, int len)
0f113f3e	286	{
a332635e	287	return ocsp_add1_nonce(&resp->tbsResponseData.responseExtensions, val,
0f113f3e MC	288	len);
0f113f3e MC	289	}
46a58ab9	290
3a83462d MC	291	/*-
3a83462d MC	292	* Check nonce validity in a request and response.
46a58ab9 DSH	293	* Return value reflects result:
	294	* 1: nonces present and equal.
	295	* 2: nonces both absent.
	296	* 3: nonce present in response only.
	297	* 0: nonces both present and not equal.
	298	* -1: nonce in request only.
	299	*
	300	* For most responders clients can check return > 0.
	301	* If responder doesn't handle nonces return != 0 may be
	302	* necessary. return == 0 is always an error.
0b33bc65	303	*/
46a58ab9	304
0b33bc65	305	int OCSP_check_nonce(OCSP_REQUEST req, OCSP_BASICRESP bs)
0f113f3e MC	306	{
	307	/*
	308	* Since we are only interested in the presence or absence of
	309	* the nonce and comparing its value there is no need to use
	310	* the X509V3 routines: this way we can avoid them allocating an
	311	* ASN1_OCTET_STRING structure for the value which would be
	312	* freed immediately anyway.
	313	*/
	314
	315	int req_idx, resp_idx;
	316	X509_EXTENSION req_ext, resp_ext;
	317	req_idx = OCSP_REQUEST_get_ext_by_NID(req, NID_id_pkix_OCSP_Nonce, -1);
	318	resp_idx = OCSP_BASICRESP_get_ext_by_NID(bs, NID_id_pkix_OCSP_Nonce, -1);
	319	/* Check both absent */
	320	if ((req_idx < 0) && (resp_idx < 0))
	321	return 2;
	322	/* Check in request only */
	323	if ((req_idx >= 0) && (resp_idx < 0))
	324	return -1;
	325	/* Check in response but not request */
	326	if ((req_idx < 0) && (resp_idx >= 0))
	327	return 3;
	328	/*
	329	* Otherwise nonce in request and response so retrieve the extensions
	330	*/
	331	req_ext = OCSP_REQUEST_get_ext(req, req_idx);
	332	resp_ext = OCSP_BASICRESP_get_ext(bs, resp_idx);
4903abd5 DSH	333	if (ASN1_OCTET_STRING_cmp(X509_EXTENSION_get_data(req_ext),
4903abd5 DSH	334	X509_EXTENSION_get_data(resp_ext)))
0f113f3e MC	335	return 0;
	336	return 1;
	337	}
	338
	339	/*
	340	* Copy the nonce value (if any) from an OCSP request to a response.
26e083cc DSH	341	*/
	342
	343	int OCSP_copy_nonce(OCSP_BASICRESP resp, OCSP_REQUEST req)
0f113f3e MC	344	{
	345	X509_EXTENSION *req_ext;
	346	int req_idx;
	347	/* Check for nonce in request */
	348	req_idx = OCSP_REQUEST_get_ext_by_NID(req, NID_id_pkix_OCSP_Nonce, -1);
	349	/* If no nonce that's OK */
	350	if (req_idx < 0)
	351	return 2;
	352	req_ext = OCSP_REQUEST_get_ext(req, req_idx);
	353	return OCSP_BASICRESP_add_ext(resp, req_ext, -1);
	354	}
eb64730b RL	355
eb64730b RL	356	X509_EXTENSION OCSP_crlID_new(char url, long n, char tim)
0f113f3e MC	357	{
	358	X509_EXTENSION *x = NULL;
	359	OCSP_CRLID *cid = NULL;
	360
75ebbd9a	361	if ((cid = OCSP_CRLID_new()) == NULL)
0f113f3e MC	362	goto err;
0f113f3e MC	363	if (url) {
75ebbd9a	364	if ((cid->crlUrl = ASN1_IA5STRING_new()) == NULL)
0f113f3e MC	365	goto err;
	366	if (!(ASN1_STRING_set(cid->crlUrl, url, -1)))
	367	goto err;
	368	}
	369	if (n) {
75ebbd9a	370	if ((cid->crlNum = ASN1_INTEGER_new()) == NULL)
0f113f3e MC	371	goto err;
	372	if (!(ASN1_INTEGER_set(cid->crlNum, *n)))
	373	goto err;
	374	}
	375	if (tim) {
75ebbd9a	376	if ((cid->crlTime = ASN1_GENERALIZEDTIME_new()) == NULL)
0f113f3e MC	377	goto err;
	378	if (!(ASN1_GENERALIZEDTIME_set_string(cid->crlTime, tim)))
	379	goto err;
	380	}
	381	x = X509V3_EXT_i2d(NID_id_pkix_OCSP_CrlID, 0, cid);
	382	err:
25aaa98a	383	OCSP_CRLID_free(cid);
0f113f3e MC	384	return x;
0f113f3e MC	385	}
eb64730b RL	386
	387	/* AcceptableResponses ::= SEQUENCE OF OBJECT IDENTIFIER */
	388	X509_EXTENSION OCSP_accept_responses_new(char *oids)
0f113f3e MC	389	{
	390	int nid;
	391	STACK_OF(ASN1_OBJECT) *sk = NULL;
	392	ASN1_OBJECT *o = NULL;
	393	X509_EXTENSION *x = NULL;
	394
75ebbd9a	395	if ((sk = sk_ASN1_OBJECT_new_null()) == NULL)
0f113f3e MC	396	goto err;
	397	while (oids && *oids) {
	398	if ((nid = OBJ_txt2nid(*oids)) != NID_undef && (o = OBJ_nid2obj(nid)))
	399	sk_ASN1_OBJECT_push(sk, o);
	400	oids++;
	401	}
	402	x = X509V3_EXT_i2d(NID_id_pkix_OCSP_acceptableResponses, 0, sk);
	403	err:
2ace7450	404	sk_ASN1_OBJECT_pop_free(sk, ASN1_OBJECT_free);
0f113f3e MC	405	return x;
0f113f3e MC	406	}
eb64730b RL	407
eb64730b RL	408	/* ArchiveCutoff ::= GeneralizedTime */
0f113f3e MC	409	X509_EXTENSION OCSP_archive_cutoff_new(char tim)
	410	{
	411	X509_EXTENSION *x = NULL;
	412	ASN1_GENERALIZEDTIME *gt = NULL;
	413
75ebbd9a	414	if ((gt = ASN1_GENERALIZEDTIME_new()) == NULL)
0f113f3e MC	415	goto err;
	416	if (!(ASN1_GENERALIZEDTIME_set_string(gt, tim)))
	417	goto err;
	418	x = X509V3_EXT_i2d(NID_id_pkix_OCSP_archiveCutoff, 0, gt);
	419	err:
2ace7450	420	ASN1_GENERALIZEDTIME_free(gt);
0f113f3e MC	421	return x;
	422	}
	423
	424	/*
	425	* per ACCESS_DESCRIPTION parameter are oids, of which there are currently
	426	* two--NID_ad_ocsp, NID_id_ad_caIssuers--and GeneralName value. This method
	427	* forces NID_ad_ocsp and uniformResourceLocator [6] IA5String.
eb64730b	428	*/
0f113f3e MC	429	X509_EXTENSION OCSP_url_svcloc_new(X509_NAME issuer, char **urls)
	430	{
	431	X509_EXTENSION *x = NULL;
	432	ASN1_IA5STRING *ia5 = NULL;
	433	OCSP_SERVICELOC *sloc = NULL;
	434	ACCESS_DESCRIPTION *ad = NULL;
	435
75ebbd9a	436	if ((sloc = OCSP_SERVICELOC_new()) == NULL)
0f113f3e	437	goto err;
75ebbd9a	438	if ((sloc->issuer = X509_NAME_dup(issuer)) == NULL)
0f113f3e	439	goto err;
75ebbd9a RS	440	if (urls && *urls
75ebbd9a RS	441	&& (sloc->locator = sk_ACCESS_DESCRIPTION_new_null()) == NULL)
0f113f3e MC	442	goto err;
0f113f3e MC	443	while (urls && *urls) {
75ebbd9a	444	if ((ad = ACCESS_DESCRIPTION_new()) == NULL)
0f113f3e	445	goto err;
75ebbd9a	446	if ((ad->method = OBJ_nid2obj(NID_ad_OCSP)) == NULL)
0f113f3e	447	goto err;
75ebbd9a	448	if ((ad->location = GENERAL_NAME_new()) == NULL)
0f113f3e	449	goto err;
75ebbd9a	450	if ((ia5 = ASN1_IA5STRING_new()) == NULL)
0f113f3e MC	451	goto err;
	452	if (!ASN1_STRING_set((ASN1_STRING )ia5, urls, -1))
	453	goto err;
	454	ad->location->type = GEN_URI;
	455	ad->location->d.ia5 = ia5;
a4e584a6	456	ia5 = NULL;
0f113f3e MC	457	if (!sk_ACCESS_DESCRIPTION_push(sloc->locator, ad))
0f113f3e MC	458	goto err;
a4e584a6	459	ad = NULL;
0f113f3e MC	460	urls++;
	461	}
	462	x = X509V3_EXT_i2d(NID_id_pkix_OCSP_serviceLocator, 0, sloc);
	463	err:
a4e584a6 MC	464	ASN1_IA5STRING_free(ia5);
a4e584a6 MC	465	ACCESS_DESCRIPTION_free(ad);
25aaa98a	466	OCSP_SERVICELOC_free(sloc);
0f113f3e MC	467	return x;
0f113f3e MC	468	}