[thirdparty/openssl.git] / crypto / ocsp / ocsp_ext.c

/*
 * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <stdio.h>
#include "internal/cryptlib.h"
#include <openssl/objects.h>
#include <openssl/x509.h>
#include <openssl/ocsp.h>
#include "ocsp_local.h"
#include <openssl/rand.h>
#include <openssl/x509v3.h>

/* Standard wrapper functions for extensions */

/* OCSP request extensions */

int OCSP_REQUEST_get_ext_count(OCSP_REQUEST *x)
{
    return X509v3_get_ext_count(x->tbsRequest.requestExtensions);
}

int OCSP_REQUEST_get_ext_by_NID(OCSP_REQUEST *x, int nid, int lastpos)
{
    return (X509v3_get_ext_by_NID
            (x->tbsRequest.requestExtensions, nid, lastpos));
}

int OCSP_REQUEST_get_ext_by_OBJ(OCSP_REQUEST *x, const ASN1_OBJECT *obj,
                                int lastpos)
{
    return (X509v3_get_ext_by_OBJ
            (x->tbsRequest.requestExtensions, obj, lastpos));
}

int OCSP_REQUEST_get_ext_by_critical(OCSP_REQUEST *x, int crit, int lastpos)
{
    return (X509v3_get_ext_by_critical
            (x->tbsRequest.requestExtensions, crit, lastpos));
}

X509_EXTENSION *OCSP_REQUEST_get_ext(OCSP_REQUEST *x, int loc)
{
    return X509v3_get_ext(x->tbsRequest.requestExtensions, loc);
}

X509_EXTENSION *OCSP_REQUEST_delete_ext(OCSP_REQUEST *x, int loc)
{
    return X509v3_delete_ext(x->tbsRequest.requestExtensions, loc);
}

void *OCSP_REQUEST_get1_ext_d2i(OCSP_REQUEST *x, int nid, int *crit, int *idx)
{
    return X509V3_get_d2i(x->tbsRequest.requestExtensions, nid, crit, idx);
}

int OCSP_REQUEST_add1_ext_i2d(OCSP_REQUEST *x, int nid, void *value, int crit,
                              unsigned long flags)
{
    return X509V3_add1_i2d(&x->tbsRequest.requestExtensions, nid, value,
                           crit, flags);
}

int OCSP_REQUEST_add_ext(OCSP_REQUEST *x, X509_EXTENSION *ex, int loc)
{
    return (X509v3_add_ext(&(x->tbsRequest.requestExtensions), ex, loc) !=
            NULL);
}

/* Single extensions */

int OCSP_ONEREQ_get_ext_count(OCSP_ONEREQ *x)
{
    return X509v3_get_ext_count(x->singleRequestExtensions);
}

int OCSP_ONEREQ_get_ext_by_NID(OCSP_ONEREQ *x, int nid, int lastpos)
{
    return X509v3_get_ext_by_NID(x->singleRequestExtensions, nid, lastpos);
}

int OCSP_ONEREQ_get_ext_by_OBJ(OCSP_ONEREQ *x, const ASN1_OBJECT *obj,
                               int lastpos)
{
    return X509v3_get_ext_by_OBJ(x->singleRequestExtensions, obj, lastpos);
}

int OCSP_ONEREQ_get_ext_by_critical(OCSP_ONEREQ *x, int crit, int lastpos)
{
    return (X509v3_get_ext_by_critical
            (x->singleRequestExtensions, crit, lastpos));
}

X509_EXTENSION *OCSP_ONEREQ_get_ext(OCSP_ONEREQ *x, int loc)
{
    return X509v3_get_ext(x->singleRequestExtensions, loc);
}

X509_EXTENSION *OCSP_ONEREQ_delete_ext(OCSP_ONEREQ *x, int loc)
{
    return X509v3_delete_ext(x->singleRequestExtensions, loc);
}

void *OCSP_ONEREQ_get1_ext_d2i(OCSP_ONEREQ *x, int nid, int *crit, int *idx)
{
    return X509V3_get_d2i(x->singleRequestExtensions, nid, crit, idx);
}

int OCSP_ONEREQ_add1_ext_i2d(OCSP_ONEREQ *x, int nid, void *value, int crit,
                             unsigned long flags)
{
    return X509V3_add1_i2d(&x->singleRequestExtensions, nid, value, crit,
                           flags);
}

int OCSP_ONEREQ_add_ext(OCSP_ONEREQ *x, X509_EXTENSION *ex, int loc)
{
    return (X509v3_add_ext(&(x->singleRequestExtensions), ex, loc) != NULL);
}

/* OCSP Basic response */

int OCSP_BASICRESP_get_ext_count(OCSP_BASICRESP *x)
{
    return X509v3_get_ext_count(x->tbsResponseData.responseExtensions);
}

int OCSP_BASICRESP_get_ext_by_NID(OCSP_BASICRESP *x, int nid, int lastpos)
{
    return (X509v3_get_ext_by_NID
            (x->tbsResponseData.responseExtensions, nid, lastpos));
}

int OCSP_BASICRESP_get_ext_by_OBJ(OCSP_BASICRESP *x, const ASN1_OBJECT *obj,
                                  int lastpos)
{
    return (X509v3_get_ext_by_OBJ
            (x->tbsResponseData.responseExtensions, obj, lastpos));
}

int OCSP_BASICRESP_get_ext_by_critical(OCSP_BASICRESP *x, int crit,
                                       int lastpos)
{
    return (X509v3_get_ext_by_critical
            (x->tbsResponseData.responseExtensions, crit, lastpos));
}

X509_EXTENSION *OCSP_BASICRESP_get_ext(OCSP_BASICRESP *x, int loc)
{
    return X509v3_get_ext(x->tbsResponseData.responseExtensions, loc);
}

X509_EXTENSION *OCSP_BASICRESP_delete_ext(OCSP_BASICRESP *x, int loc)
{
    return X509v3_delete_ext(x->tbsResponseData.responseExtensions, loc);
}

void *OCSP_BASICRESP_get1_ext_d2i(OCSP_BASICRESP *x, int nid, int *crit,
                                  int *idx)
{
    return X509V3_get_d2i(x->tbsResponseData.responseExtensions, nid, crit,
                          idx);
}

int OCSP_BASICRESP_add1_ext_i2d(OCSP_BASICRESP *x, int nid, void *value,
                                int crit, unsigned long flags)
{
    return X509V3_add1_i2d(&x->tbsResponseData.responseExtensions, nid,
                           value, crit, flags);
}

int OCSP_BASICRESP_add_ext(OCSP_BASICRESP *x, X509_EXTENSION *ex, int loc)
{
    return (X509v3_add_ext(&(x->tbsResponseData.responseExtensions), ex, loc)
            != NULL);
}

/* OCSP single response extensions */

int OCSP_SINGLERESP_get_ext_count(OCSP_SINGLERESP *x)
{
    return X509v3_get_ext_count(x->singleExtensions);
}

int OCSP_SINGLERESP_get_ext_by_NID(OCSP_SINGLERESP *x, int nid, int lastpos)
{
    return X509v3_get_ext_by_NID(x->singleExtensions, nid, lastpos);
}

int OCSP_SINGLERESP_get_ext_by_OBJ(OCSP_SINGLERESP *x, const ASN1_OBJECT *obj,
                                   int lastpos)
{
    return X509v3_get_ext_by_OBJ(x->singleExtensions, obj, lastpos);
}

int OCSP_SINGLERESP_get_ext_by_critical(OCSP_SINGLERESP *x, int crit,
                                        int lastpos)
{
    return X509v3_get_ext_by_critical(x->singleExtensions, crit, lastpos);
}

X509_EXTENSION *OCSP_SINGLERESP_get_ext(OCSP_SINGLERESP *x, int loc)
{
    return X509v3_get_ext(x->singleExtensions, loc);
}

X509_EXTENSION *OCSP_SINGLERESP_delete_ext(OCSP_SINGLERESP *x, int loc)
{
    return X509v3_delete_ext(x->singleExtensions, loc);
}

void *OCSP_SINGLERESP_get1_ext_d2i(OCSP_SINGLERESP *x, int nid, int *crit,
                                   int *idx)
{
    return X509V3_get_d2i(x->singleExtensions, nid, crit, idx);
}

int OCSP_SINGLERESP_add1_ext_i2d(OCSP_SINGLERESP *x, int nid, void *value,
                                 int crit, unsigned long flags)
{
    return X509V3_add1_i2d(&x->singleExtensions, nid, value, crit, flags);
}

int OCSP_SINGLERESP_add_ext(OCSP_SINGLERESP *x, X509_EXTENSION *ex, int loc)
{
    return (X509v3_add_ext(&(x->singleExtensions), ex, loc) != NULL);
}

/* also CRL Entry Extensions */

/* Nonce handling functions */

/*
 * Add a nonce to an extension stack. A nonce can be specified or if NULL a
 * random nonce will be generated. Note: OpenSSL 0.9.7d and later create an
 * OCTET STRING containing the nonce, previous versions used the raw nonce.
 */

static int ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts,
                           unsigned char *val, int len)
{
    unsigned char *tmpval;
    ASN1_OCTET_STRING os;
    int ret = 0;
    if (len <= 0)
        len = OCSP_DEFAULT_NONCE_LENGTH;
    /*
     * Create the OCTET STRING manually by writing out the header and
     * appending the content octets. This avoids an extra memory allocation
     * operation in some cases. Applications should *NOT* do this because it
     * relies on library internals.
     */
    os.length = ASN1_object_size(0, len, V_ASN1_OCTET_STRING);
    if (os.length < 0)
        return 0;

    os.data = OPENSSL_malloc(os.length);
    if (os.data == NULL)
        goto err;
    tmpval = os.data;
    ASN1_put_object(&tmpval, 0, len, V_ASN1_OCTET_STRING, V_ASN1_UNIVERSAL);
    if (val)
        memcpy(tmpval, val, len);
    else if (RAND_bytes(tmpval, len) <= 0)
        goto err;
    if (!X509V3_add1_i2d(exts, NID_id_pkix_OCSP_Nonce,
                         &os, 0, X509V3_ADD_REPLACE))
        goto err;
    ret = 1;
 err:
    OPENSSL_free(os.data);
    return ret;
}

/* Add nonce to an OCSP request */

int OCSP_request_add1_nonce(OCSP_REQUEST *req, unsigned char *val, int len)
{
    return ocsp_add1_nonce(&req->tbsRequest.requestExtensions, val, len);
}

/* Same as above but for a response */

int OCSP_basic_add1_nonce(OCSP_BASICRESP *resp, unsigned char *val, int len)
{
    return ocsp_add1_nonce(&resp->tbsResponseData.responseExtensions, val,
                           len);
}

/*-
 * Check nonce validity in a request and response.
 * Return value reflects result:
 *  1: nonces present and equal.
 *  2: nonces both absent.
 *  3: nonce present in response only.
 *  0: nonces both present and not equal.
 * -1: nonce in request only.
 *
 *  For most responders clients can check return > 0.
 *  If responder doesn't handle nonces return != 0 may be
 *  necessary. return == 0 is always an error.
 */

int OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *bs)
{
    /*
     * Since we are only interested in the presence or absence of
     * the nonce and comparing its value there is no need to use
     * the X509V3 routines: this way we can avoid them allocating an
     * ASN1_OCTET_STRING structure for the value which would be
     * freed immediately anyway.
     */

    int req_idx, resp_idx;
    X509_EXTENSION *req_ext, *resp_ext;
    req_idx = OCSP_REQUEST_get_ext_by_NID(req, NID_id_pkix_OCSP_Nonce, -1);
    resp_idx = OCSP_BASICRESP_get_ext_by_NID(bs, NID_id_pkix_OCSP_Nonce, -1);
    /* Check both absent */
    if ((req_idx < 0) && (resp_idx < 0))
        return 2;
    /* Check in request only */
    if ((req_idx >= 0) && (resp_idx < 0))
        return -1;
    /* Check in response but not request */
    if ((req_idx < 0) && (resp_idx >= 0))
        return 3;
    /*
     * Otherwise nonce in request and response so retrieve the extensions
     */
    req_ext = OCSP_REQUEST_get_ext(req, req_idx);
    resp_ext = OCSP_BASICRESP_get_ext(bs, resp_idx);
    if (ASN1_OCTET_STRING_cmp(X509_EXTENSION_get_data(req_ext),
                              X509_EXTENSION_get_data(resp_ext)))
        return 0;
    return 1;
}

/*
 * Copy the nonce value (if any) from an OCSP request to a response.
 */

int OCSP_copy_nonce(OCSP_BASICRESP *resp, OCSP_REQUEST *req)
{
    X509_EXTENSION *req_ext;
    int req_idx;
    /* Check for nonce in request */
    req_idx = OCSP_REQUEST_get_ext_by_NID(req, NID_id_pkix_OCSP_Nonce, -1);
    /* If no nonce that's OK */
    if (req_idx < 0)
        return 2;
    req_ext = OCSP_REQUEST_get_ext(req, req_idx);
    return OCSP_BASICRESP_add_ext(resp, req_ext, -1);
}

X509_EXTENSION *OCSP_crlID_new(const char *url, long *n, char *tim)
{
    X509_EXTENSION *x = NULL;
    OCSP_CRLID *cid = NULL;

    if ((cid = OCSP_CRLID_new()) == NULL)
        goto err;
    if (url) {
        if ((cid->crlUrl = ASN1_IA5STRING_new()) == NULL)
            goto err;
        if (!(ASN1_STRING_set(cid->crlUrl, url, -1)))
            goto err;
    }
    if (n) {
        if ((cid->crlNum = ASN1_INTEGER_new()) == NULL)
            goto err;
        if (!(ASN1_INTEGER_set(cid->crlNum, *n)))
            goto err;
    }
    if (tim) {
        if ((cid->crlTime = ASN1_GENERALIZEDTIME_new()) == NULL)
            goto err;
        if (!(ASN1_GENERALIZEDTIME_set_string(cid->crlTime, tim)))
            goto err;
    }
    x = X509V3_EXT_i2d(NID_id_pkix_OCSP_CrlID, 0, cid);
 err:
    OCSP_CRLID_free(cid);
    return x;
}

/*   AcceptableResponses ::= SEQUENCE OF OBJECT IDENTIFIER */
X509_EXTENSION *OCSP_accept_responses_new(char **oids)
{
    int nid;
    STACK_OF(ASN1_OBJECT) *sk = NULL;
    ASN1_OBJECT *o = NULL;
    X509_EXTENSION *x = NULL;

    if ((sk = sk_ASN1_OBJECT_new_null()) == NULL)
        goto err;
    while (oids && *oids) {
        if ((nid = OBJ_txt2nid(*oids)) != NID_undef && (o = OBJ_nid2obj(nid)))
            sk_ASN1_OBJECT_push(sk, o);
        oids++;
    }
    x = X509V3_EXT_i2d(NID_id_pkix_OCSP_acceptableResponses, 0, sk);
 err:
    sk_ASN1_OBJECT_pop_free(sk, ASN1_OBJECT_free);
    return x;
}

/*  ArchiveCutoff ::= GeneralizedTime */
X509_EXTENSION *OCSP_archive_cutoff_new(char *tim)
{
    X509_EXTENSION *x = NULL;
    ASN1_GENERALIZEDTIME *gt = NULL;

    if ((gt = ASN1_GENERALIZEDTIME_new()) == NULL)
        goto err;
    if (!(ASN1_GENERALIZEDTIME_set_string(gt, tim)))
        goto err;
    x = X509V3_EXT_i2d(NID_id_pkix_OCSP_archiveCutoff, 0, gt);
 err:
    ASN1_GENERALIZEDTIME_free(gt);
    return x;
}

/*
 * per ACCESS_DESCRIPTION parameter are oids, of which there are currently
 * two--NID_ad_ocsp, NID_id_ad_caIssuers--and GeneralName value.  This method
 * forces NID_ad_ocsp and uniformResourceLocator [6] IA5String.
 */
X509_EXTENSION *OCSP_url_svcloc_new(X509_NAME *issuer, const char **urls)
{
    X509_EXTENSION *x = NULL;
    ASN1_IA5STRING *ia5 = NULL;
    OCSP_SERVICELOC *sloc = NULL;
    ACCESS_DESCRIPTION *ad = NULL;

    if ((sloc = OCSP_SERVICELOC_new()) == NULL)
        goto err;
    X509_NAME_free(sloc->issuer);
    if ((sloc->issuer = X509_NAME_dup(issuer)) == NULL)
        goto err;
    if (urls && *urls
        && (sloc->locator = sk_ACCESS_DESCRIPTION_new_null()) == NULL)
        goto err;
    while (urls && *urls) {
        if ((ad = ACCESS_DESCRIPTION_new()) == NULL)
            goto err;
        if ((ad->method = OBJ_nid2obj(NID_ad_OCSP)) == NULL)
            goto err;
        if ((ia5 = ASN1_IA5STRING_new()) == NULL)
            goto err;
        if (!ASN1_STRING_set((ASN1_STRING *)ia5, *urls, -1))
            goto err;
        /* ad->location is allocated inside ACCESS_DESCRIPTION_new */
        ad->location->type = GEN_URI;
        ad->location->d.ia5 = ia5;
        ia5 = NULL;
        if (!sk_ACCESS_DESCRIPTION_push(sloc->locator, ad))
            goto err;
        ad = NULL;
        urls++;
    }
    x = X509V3_EXT_i2d(NID_id_pkix_OCSP_serviceLocator, 0, sloc);
 err:
    ASN1_IA5STRING_free(ia5);
    ACCESS_DESCRIPTION_free(ad);
    OCSP_SERVICELOC_free(sloc);
    return x;
}
Commit	Line	Data
0f113f3e	1	/*
b1322259	2	* Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
eb64730b	3	*
0c496700	4	* Licensed under the Apache License 2.0 (the "License"). You may not use
b1322259 RS	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
eb64730b RL	8	*/
	9
	10	#include <stdio.h>
b39fc560	11	#include "internal/cryptlib.h"
eb64730b	12	#include <openssl/objects.h>
eb64730b RL	13	#include <openssl/x509.h>
eb64730b RL	14	#include <openssl/ocsp.h>
706457b7	15	#include "ocsp_local.h"
0b33bc65	16	#include <openssl/rand.h>
eb64730b RL	17	#include <openssl/x509v3.h>
eb64730b RL	18
ec558b65 DSH	19	/* Standard wrapper functions for extensions */
	20
	21	/* OCSP request extensions */
	22
	23	int OCSP_REQUEST_get_ext_count(OCSP_REQUEST *x)
0f113f3e	24	{
26a7d938	25	return X509v3_get_ext_count(x->tbsRequest.requestExtensions);
0f113f3e	26	}
ec558b65 DSH	27
ec558b65 DSH	28	int OCSP_REQUEST_get_ext_by_NID(OCSP_REQUEST *x, int nid, int lastpos)
0f113f3e MC	29	{
0f113f3e MC	30	return (X509v3_get_ext_by_NID
a332635e	31	(x->tbsRequest.requestExtensions, nid, lastpos));
0f113f3e MC	32	}
0f113f3e MC	33
c47ba4e9	34	int OCSP_REQUEST_get_ext_by_OBJ(OCSP_REQUEST x, const ASN1_OBJECT obj,
0f113f3e MC	35	int lastpos)
	36	{
	37	return (X509v3_get_ext_by_OBJ
a332635e	38	(x->tbsRequest.requestExtensions, obj, lastpos));
0f113f3e	39	}
ec558b65 DSH	40
ec558b65 DSH	41	int OCSP_REQUEST_get_ext_by_critical(OCSP_REQUEST *x, int crit, int lastpos)
0f113f3e MC	42	{
0f113f3e MC	43	return (X509v3_get_ext_by_critical
a332635e	44	(x->tbsRequest.requestExtensions, crit, lastpos));
0f113f3e	45	}
ec558b65 DSH	46
ec558b65 DSH	47	X509_EXTENSION OCSP_REQUEST_get_ext(OCSP_REQUEST x, int loc)
0f113f3e	48	{
26a7d938	49	return X509v3_get_ext(x->tbsRequest.requestExtensions, loc);
0f113f3e	50	}
ec558b65 DSH	51
ec558b65 DSH	52	X509_EXTENSION OCSP_REQUEST_delete_ext(OCSP_REQUEST x, int loc)
0f113f3e	53	{
26a7d938	54	return X509v3_delete_ext(x->tbsRequest.requestExtensions, loc);
0f113f3e	55	}
ec558b65 DSH	56
ec558b65 DSH	57	void OCSP_REQUEST_get1_ext_d2i(OCSP_REQUEST x, int nid, int crit, int idx)
0f113f3e	58	{
a332635e	59	return X509V3_get_d2i(x->tbsRequest.requestExtensions, nid, crit, idx);
0f113f3e	60	}
ec558b65 DSH	61
ec558b65 DSH	62	int OCSP_REQUEST_add1_ext_i2d(OCSP_REQUEST x, int nid, void value, int crit,
0f113f3e MC	63	unsigned long flags)
0f113f3e MC	64	{
a332635e	65	return X509V3_add1_i2d(&x->tbsRequest.requestExtensions, nid, value,
0f113f3e MC	66	crit, flags);
0f113f3e MC	67	}
ec558b65 DSH	68
ec558b65 DSH	69	int OCSP_REQUEST_add_ext(OCSP_REQUEST x, X509_EXTENSION ex, int loc)
0f113f3e	70	{
a332635e	71	return (X509v3_add_ext(&(x->tbsRequest.requestExtensions), ex, loc) !=
0f113f3e MC	72	NULL);
0f113f3e MC	73	}
ec558b65 DSH	74
	75	/* Single extensions */
	76
	77	int OCSP_ONEREQ_get_ext_count(OCSP_ONEREQ *x)
0f113f3e	78	{
26a7d938	79	return X509v3_get_ext_count(x->singleRequestExtensions);
0f113f3e	80	}
ec558b65 DSH	81
ec558b65 DSH	82	int OCSP_ONEREQ_get_ext_by_NID(OCSP_ONEREQ *x, int nid, int lastpos)
0f113f3e	83	{
26a7d938	84	return X509v3_get_ext_by_NID(x->singleRequestExtensions, nid, lastpos);
0f113f3e	85	}
ec558b65	86
c47ba4e9 F	87	int OCSP_ONEREQ_get_ext_by_OBJ(OCSP_ONEREQ x, const ASN1_OBJECT obj,
c47ba4e9 F	88	int lastpos)
0f113f3e	89	{
26a7d938	90	return X509v3_get_ext_by_OBJ(x->singleRequestExtensions, obj, lastpos);
0f113f3e	91	}
ec558b65 DSH	92
ec558b65 DSH	93	int OCSP_ONEREQ_get_ext_by_critical(OCSP_ONEREQ *x, int crit, int lastpos)
0f113f3e MC	94	{
	95	return (X509v3_get_ext_by_critical
	96	(x->singleRequestExtensions, crit, lastpos));
	97	}
ec558b65 DSH	98
ec558b65 DSH	99	X509_EXTENSION OCSP_ONEREQ_get_ext(OCSP_ONEREQ x, int loc)
0f113f3e	100	{
26a7d938	101	return X509v3_get_ext(x->singleRequestExtensions, loc);
0f113f3e	102	}
ec558b65 DSH	103
ec558b65 DSH	104	X509_EXTENSION OCSP_ONEREQ_delete_ext(OCSP_ONEREQ x, int loc)
0f113f3e	105	{
26a7d938	106	return X509v3_delete_ext(x->singleRequestExtensions, loc);
0f113f3e	107	}
ec558b65 DSH	108
ec558b65 DSH	109	void OCSP_ONEREQ_get1_ext_d2i(OCSP_ONEREQ x, int nid, int crit, int idx)
0f113f3e MC	110	{
	111	return X509V3_get_d2i(x->singleRequestExtensions, nid, crit, idx);
	112	}
ec558b65 DSH	113
ec558b65 DSH	114	int OCSP_ONEREQ_add1_ext_i2d(OCSP_ONEREQ x, int nid, void value, int crit,
0f113f3e MC	115	unsigned long flags)
	116	{
	117	return X509V3_add1_i2d(&x->singleRequestExtensions, nid, value, crit,
	118	flags);
	119	}
ec558b65 DSH	120
ec558b65 DSH	121	int OCSP_ONEREQ_add_ext(OCSP_ONEREQ x, X509_EXTENSION ex, int loc)
0f113f3e MC	122	{
	123	return (X509v3_add_ext(&(x->singleRequestExtensions), ex, loc) != NULL);
	124	}
ec558b65 DSH	125
	126	/* OCSP Basic response */
	127
	128	int OCSP_BASICRESP_get_ext_count(OCSP_BASICRESP *x)
0f113f3e	129	{
26a7d938	130	return X509v3_get_ext_count(x->tbsResponseData.responseExtensions);
0f113f3e	131	}
ec558b65 DSH	132
ec558b65 DSH	133	int OCSP_BASICRESP_get_ext_by_NID(OCSP_BASICRESP *x, int nid, int lastpos)
0f113f3e MC	134	{
0f113f3e MC	135	return (X509v3_get_ext_by_NID
a332635e	136	(x->tbsResponseData.responseExtensions, nid, lastpos));
0f113f3e MC	137	}
0f113f3e MC	138
c47ba4e9	139	int OCSP_BASICRESP_get_ext_by_OBJ(OCSP_BASICRESP x, const ASN1_OBJECT obj,
0f113f3e MC	140	int lastpos)
	141	{
	142	return (X509v3_get_ext_by_OBJ
a332635e	143	(x->tbsResponseData.responseExtensions, obj, lastpos));
0f113f3e MC	144	}
	145
	146	int OCSP_BASICRESP_get_ext_by_critical(OCSP_BASICRESP *x, int crit,
	147	int lastpos)
	148	{
	149	return (X509v3_get_ext_by_critical
a332635e	150	(x->tbsResponseData.responseExtensions, crit, lastpos));
0f113f3e	151	}
ec558b65 DSH	152
ec558b65 DSH	153	X509_EXTENSION OCSP_BASICRESP_get_ext(OCSP_BASICRESP x, int loc)
0f113f3e	154	{
26a7d938	155	return X509v3_get_ext(x->tbsResponseData.responseExtensions, loc);
0f113f3e	156	}
ec558b65 DSH	157
ec558b65 DSH	158	X509_EXTENSION OCSP_BASICRESP_delete_ext(OCSP_BASICRESP x, int loc)
0f113f3e	159	{
26a7d938	160	return X509v3_delete_ext(x->tbsResponseData.responseExtensions, loc);
0f113f3e MC	161	}
	162
	163	void OCSP_BASICRESP_get1_ext_d2i(OCSP_BASICRESP x, int nid, int *crit,
	164	int *idx)
	165	{
a332635e	166	return X509V3_get_d2i(x->tbsResponseData.responseExtensions, nid, crit,
0f113f3e MC	167	idx);
	168	}
	169
	170	int OCSP_BASICRESP_add1_ext_i2d(OCSP_BASICRESP x, int nid, void value,
	171	int crit, unsigned long flags)
	172	{
a332635e	173	return X509V3_add1_i2d(&x->tbsResponseData.responseExtensions, nid,
0f113f3e MC	174	value, crit, flags);
0f113f3e MC	175	}
ec558b65 DSH	176
ec558b65 DSH	177	int OCSP_BASICRESP_add_ext(OCSP_BASICRESP x, X509_EXTENSION ex, int loc)
0f113f3e	178	{
a332635e	179	return (X509v3_add_ext(&(x->tbsResponseData.responseExtensions), ex, loc)
0f113f3e MC	180	!= NULL);
0f113f3e MC	181	}
ec558b65 DSH	182
	183	/* OCSP single response extensions */
	184
	185	int OCSP_SINGLERESP_get_ext_count(OCSP_SINGLERESP *x)
0f113f3e	186	{
26a7d938	187	return X509v3_get_ext_count(x->singleExtensions);
0f113f3e	188	}
ec558b65 DSH	189
ec558b65 DSH	190	int OCSP_SINGLERESP_get_ext_by_NID(OCSP_SINGLERESP *x, int nid, int lastpos)
0f113f3e	191	{
26a7d938	192	return X509v3_get_ext_by_NID(x->singleExtensions, nid, lastpos);
0f113f3e MC	193	}
0f113f3e MC	194
c47ba4e9	195	int OCSP_SINGLERESP_get_ext_by_OBJ(OCSP_SINGLERESP x, const ASN1_OBJECT obj,
0f113f3e MC	196	int lastpos)
0f113f3e MC	197	{
26a7d938	198	return X509v3_get_ext_by_OBJ(x->singleExtensions, obj, lastpos);
0f113f3e MC	199	}
	200
	201	int OCSP_SINGLERESP_get_ext_by_critical(OCSP_SINGLERESP *x, int crit,
	202	int lastpos)
	203	{
26a7d938	204	return X509v3_get_ext_by_critical(x->singleExtensions, crit, lastpos);
0f113f3e	205	}
ec558b65 DSH	206
ec558b65 DSH	207	X509_EXTENSION OCSP_SINGLERESP_get_ext(OCSP_SINGLERESP x, int loc)
0f113f3e	208	{
26a7d938	209	return X509v3_get_ext(x->singleExtensions, loc);
0f113f3e	210	}
ec558b65 DSH	211
ec558b65 DSH	212	X509_EXTENSION OCSP_SINGLERESP_delete_ext(OCSP_SINGLERESP x, int loc)
0f113f3e	213	{
26a7d938	214	return X509v3_delete_ext(x->singleExtensions, loc);
0f113f3e MC	215	}
	216
	217	void OCSP_SINGLERESP_get1_ext_d2i(OCSP_SINGLERESP x, int nid, int *crit,
	218	int *idx)
	219	{
	220	return X509V3_get_d2i(x->singleExtensions, nid, crit, idx);
	221	}
	222
	223	int OCSP_SINGLERESP_add1_ext_i2d(OCSP_SINGLERESP x, int nid, void value,
	224	int crit, unsigned long flags)
	225	{
	226	return X509V3_add1_i2d(&x->singleExtensions, nid, value, crit, flags);
	227	}
ec558b65 DSH	228
ec558b65 DSH	229	int OCSP_SINGLERESP_add_ext(OCSP_SINGLERESP x, X509_EXTENSION ex, int loc)
0f113f3e MC	230	{
	231	return (X509v3_add_ext(&(x->singleExtensions), ex, loc) != NULL);
	232	}
eb64730b RL	233
eb64730b RL	234	/* also CRL Entry Extensions */
eb64730b	235
0b33bc65 DSH	236	/* Nonce handling functions */
0b33bc65 DSH	237
0f113f3e	238	/*
0d4fb843	239	* Add a nonce to an extension stack. A nonce can be specified or if NULL a
0f113f3e MC	240	* random nonce will be generated. Note: OpenSSL 0.9.7d and later create an
0f113f3e MC	241	* OCTET STRING containing the nonce, previous versions used the raw nonce.
0b33bc65 DSH	242	*/
0b33bc65 DSH	243
0f113f3e MC	244	static int ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts,
	245	unsigned char *val, int len)
	246	{
	247	unsigned char *tmpval;
	248	ASN1_OCTET_STRING os;
	249	int ret = 0;
	250	if (len <= 0)
	251	len = OCSP_DEFAULT_NONCE_LENGTH;
	252	/*
	253	* Create the OCTET STRING manually by writing out the header and
	254	* appending the content octets. This avoids an extra memory allocation
	255	* operation in some cases. Applications should NOT do this because it
	256	* relies on library internals.
	257	*/
	258	os.length = ASN1_object_size(0, len, V_ASN1_OCTET_STRING);
b197257d	259	if (os.length < 0)
cc069067	260	return 0;
b197257d	261
0f113f3e MC	262	os.data = OPENSSL_malloc(os.length);
	263	if (os.data == NULL)
	264	goto err;
	265	tmpval = os.data;
	266	ASN1_put_object(&tmpval, 0, len, V_ASN1_OCTET_STRING, V_ASN1_UNIVERSAL);
	267	if (val)
	268	memcpy(tmpval, val, len);
266483d2 MC	269	else if (RAND_bytes(tmpval, len) <= 0)
266483d2 MC	270	goto err;
0f113f3e MC	271	if (!X509V3_add1_i2d(exts, NID_id_pkix_OCSP_Nonce,
	272	&os, 0, X509V3_ADD_REPLACE))
	273	goto err;
	274	ret = 1;
	275	err:
b548a1f1	276	OPENSSL_free(os.data);
0f113f3e MC	277	return ret;
0f113f3e MC	278	}
46a58ab9 DSH	279
	280	/* Add nonce to an OCSP request */
	281
	282	int OCSP_request_add1_nonce(OCSP_REQUEST req, unsigned char val, int len)
0f113f3e	283	{
a332635e	284	return ocsp_add1_nonce(&req->tbsRequest.requestExtensions, val, len);
0f113f3e	285	}
46a58ab9 DSH	286
	287	/* Same as above but for a response */
	288
	289	int OCSP_basic_add1_nonce(OCSP_BASICRESP resp, unsigned char val, int len)
0f113f3e	290	{
a332635e	291	return ocsp_add1_nonce(&resp->tbsResponseData.responseExtensions, val,
0f113f3e MC	292	len);
0f113f3e MC	293	}
46a58ab9	294
3a83462d MC	295	/*-
3a83462d MC	296	* Check nonce validity in a request and response.
46a58ab9 DSH	297	* Return value reflects result:
	298	* 1: nonces present and equal.
	299	* 2: nonces both absent.
	300	* 3: nonce present in response only.
	301	* 0: nonces both present and not equal.
	302	* -1: nonce in request only.
	303	*
	304	* For most responders clients can check return > 0.
	305	* If responder doesn't handle nonces return != 0 may be
	306	* necessary. return == 0 is always an error.
0b33bc65	307	*/
46a58ab9	308
0b33bc65	309	int OCSP_check_nonce(OCSP_REQUEST req, OCSP_BASICRESP bs)
0f113f3e MC	310	{
	311	/*
	312	* Since we are only interested in the presence or absence of
	313	* the nonce and comparing its value there is no need to use
	314	* the X509V3 routines: this way we can avoid them allocating an
	315	* ASN1_OCTET_STRING structure for the value which would be
	316	* freed immediately anyway.
	317	*/
	318
	319	int req_idx, resp_idx;
	320	X509_EXTENSION req_ext, resp_ext;
	321	req_idx = OCSP_REQUEST_get_ext_by_NID(req, NID_id_pkix_OCSP_Nonce, -1);
	322	resp_idx = OCSP_BASICRESP_get_ext_by_NID(bs, NID_id_pkix_OCSP_Nonce, -1);
	323	/* Check both absent */
	324	if ((req_idx < 0) && (resp_idx < 0))
	325	return 2;
	326	/* Check in request only */
	327	if ((req_idx >= 0) && (resp_idx < 0))
	328	return -1;
	329	/* Check in response but not request */
	330	if ((req_idx < 0) && (resp_idx >= 0))
	331	return 3;
	332	/*
	333	* Otherwise nonce in request and response so retrieve the extensions
	334	*/
	335	req_ext = OCSP_REQUEST_get_ext(req, req_idx);
	336	resp_ext = OCSP_BASICRESP_get_ext(bs, resp_idx);
4903abd5 DSH	337	if (ASN1_OCTET_STRING_cmp(X509_EXTENSION_get_data(req_ext),
4903abd5 DSH	338	X509_EXTENSION_get_data(resp_ext)))
0f113f3e MC	339	return 0;
	340	return 1;
	341	}
	342
	343	/*
	344	* Copy the nonce value (if any) from an OCSP request to a response.
26e083cc DSH	345	*/
	346
	347	int OCSP_copy_nonce(OCSP_BASICRESP resp, OCSP_REQUEST req)
0f113f3e MC	348	{
	349	X509_EXTENSION *req_ext;
	350	int req_idx;
	351	/* Check for nonce in request */
	352	req_idx = OCSP_REQUEST_get_ext_by_NID(req, NID_id_pkix_OCSP_Nonce, -1);
	353	/* If no nonce that's OK */
	354	if (req_idx < 0)
	355	return 2;
	356	req_ext = OCSP_REQUEST_get_ext(req, req_idx);
	357	return OCSP_BASICRESP_add_ext(resp, req_ext, -1);
	358	}
eb64730b	359
a026fbf9	360	X509_EXTENSION OCSP_crlID_new(const char url, long n, char tim)
0f113f3e MC	361	{
	362	X509_EXTENSION *x = NULL;
	363	OCSP_CRLID *cid = NULL;
	364
75ebbd9a	365	if ((cid = OCSP_CRLID_new()) == NULL)
0f113f3e MC	366	goto err;
0f113f3e MC	367	if (url) {
75ebbd9a	368	if ((cid->crlUrl = ASN1_IA5STRING_new()) == NULL)
0f113f3e MC	369	goto err;
	370	if (!(ASN1_STRING_set(cid->crlUrl, url, -1)))
	371	goto err;
	372	}
	373	if (n) {
75ebbd9a	374	if ((cid->crlNum = ASN1_INTEGER_new()) == NULL)
0f113f3e MC	375	goto err;
	376	if (!(ASN1_INTEGER_set(cid->crlNum, *n)))
	377	goto err;
	378	}
	379	if (tim) {
75ebbd9a	380	if ((cid->crlTime = ASN1_GENERALIZEDTIME_new()) == NULL)
0f113f3e MC	381	goto err;
	382	if (!(ASN1_GENERALIZEDTIME_set_string(cid->crlTime, tim)))
	383	goto err;
	384	}
	385	x = X509V3_EXT_i2d(NID_id_pkix_OCSP_CrlID, 0, cid);
	386	err:
25aaa98a	387	OCSP_CRLID_free(cid);
0f113f3e MC	388	return x;
0f113f3e MC	389	}
eb64730b RL	390
	391	/* AcceptableResponses ::= SEQUENCE OF OBJECT IDENTIFIER */
	392	X509_EXTENSION OCSP_accept_responses_new(char *oids)
0f113f3e MC	393	{
	394	int nid;
	395	STACK_OF(ASN1_OBJECT) *sk = NULL;
	396	ASN1_OBJECT *o = NULL;
	397	X509_EXTENSION *x = NULL;
	398
75ebbd9a	399	if ((sk = sk_ASN1_OBJECT_new_null()) == NULL)
0f113f3e MC	400	goto err;
	401	while (oids && *oids) {
	402	if ((nid = OBJ_txt2nid(*oids)) != NID_undef && (o = OBJ_nid2obj(nid)))
	403	sk_ASN1_OBJECT_push(sk, o);
	404	oids++;
	405	}
	406	x = X509V3_EXT_i2d(NID_id_pkix_OCSP_acceptableResponses, 0, sk);
	407	err:
2ace7450	408	sk_ASN1_OBJECT_pop_free(sk, ASN1_OBJECT_free);
0f113f3e MC	409	return x;
0f113f3e MC	410	}
eb64730b RL	411
eb64730b RL	412	/* ArchiveCutoff ::= GeneralizedTime */
0f113f3e MC	413	X509_EXTENSION OCSP_archive_cutoff_new(char tim)
	414	{
	415	X509_EXTENSION *x = NULL;
	416	ASN1_GENERALIZEDTIME *gt = NULL;
	417
75ebbd9a	418	if ((gt = ASN1_GENERALIZEDTIME_new()) == NULL)
0f113f3e MC	419	goto err;
	420	if (!(ASN1_GENERALIZEDTIME_set_string(gt, tim)))
	421	goto err;
	422	x = X509V3_EXT_i2d(NID_id_pkix_OCSP_archiveCutoff, 0, gt);
	423	err:
2ace7450	424	ASN1_GENERALIZEDTIME_free(gt);
0f113f3e MC	425	return x;
	426	}
	427
	428	/*
	429	* per ACCESS_DESCRIPTION parameter are oids, of which there are currently
	430	* two--NID_ad_ocsp, NID_id_ad_caIssuers--and GeneralName value. This method
	431	* forces NID_ad_ocsp and uniformResourceLocator [6] IA5String.
eb64730b	432	*/
a026fbf9	433	X509_EXTENSION OCSP_url_svcloc_new(X509_NAME issuer, const char **urls)
0f113f3e MC	434	{
	435	X509_EXTENSION *x = NULL;
	436	ASN1_IA5STRING *ia5 = NULL;
	437	OCSP_SERVICELOC *sloc = NULL;
	438	ACCESS_DESCRIPTION *ad = NULL;
	439
75ebbd9a	440	if ((sloc = OCSP_SERVICELOC_new()) == NULL)
0f113f3e	441	goto err;
5b3accde	442	X509_NAME_free(sloc->issuer);
75ebbd9a	443	if ((sloc->issuer = X509_NAME_dup(issuer)) == NULL)
0f113f3e	444	goto err;
75ebbd9a RS	445	if (urls && *urls
75ebbd9a RS	446	&& (sloc->locator = sk_ACCESS_DESCRIPTION_new_null()) == NULL)
0f113f3e MC	447	goto err;
0f113f3e MC	448	while (urls && *urls) {
75ebbd9a	449	if ((ad = ACCESS_DESCRIPTION_new()) == NULL)
0f113f3e	450	goto err;
75ebbd9a	451	if ((ad->method = OBJ_nid2obj(NID_ad_OCSP)) == NULL)
0f113f3e	452	goto err;
75ebbd9a	453	if ((ia5 = ASN1_IA5STRING_new()) == NULL)
0f113f3e MC	454	goto err;
	455	if (!ASN1_STRING_set((ASN1_STRING )ia5, urls, -1))
	456	goto err;
5b3accde	457	/* ad->location is allocated inside ACCESS_DESCRIPTION_new */
0f113f3e MC	458	ad->location->type = GEN_URI;
0f113f3e MC	459	ad->location->d.ia5 = ia5;
a4e584a6	460	ia5 = NULL;
0f113f3e MC	461	if (!sk_ACCESS_DESCRIPTION_push(sloc->locator, ad))
0f113f3e MC	462	goto err;
a4e584a6	463	ad = NULL;
0f113f3e MC	464	urls++;
	465	}
	466	x = X509V3_EXT_i2d(NID_id_pkix_OCSP_serviceLocator, 0, sloc);
	467	err:
a4e584a6 MC	468	ASN1_IA5STRING_free(ia5);
a4e584a6 MC	469	ACCESS_DESCRIPTION_free(ad);
25aaa98a	470	OCSP_SERVICELOC_free(sloc);
0f113f3e MC	471	return x;
0f113f3e MC	472	}