[thirdparty/openssl.git] / crypto / ocsp / ocsp_ext.c

/*
 * Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <stdio.h>
#include "internal/cryptlib.h"
#include <openssl/objects.h>
#include <openssl/x509.h>
#include <openssl/ocsp.h>
#include "ocsp_local.h"
#include <openssl/rand.h>
#include <openssl/x509v3.h>

DEFINE_STACK_OF(ASN1_OBJECT)
DEFINE_STACK_OF(ACCESS_DESCRIPTION)

/* Standard wrapper functions for extensions */

/* OCSP request extensions */

int OCSP_REQUEST_get_ext_count(OCSP_REQUEST *x)
{
    return X509v3_get_ext_count(x->tbsRequest.requestExtensions);
}

int OCSP_REQUEST_get_ext_by_NID(OCSP_REQUEST *x, int nid, int lastpos)
{
    return (X509v3_get_ext_by_NID
            (x->tbsRequest.requestExtensions, nid, lastpos));
}

int OCSP_REQUEST_get_ext_by_OBJ(OCSP_REQUEST *x, const ASN1_OBJECT *obj,
                                int lastpos)
{
    return (X509v3_get_ext_by_OBJ
            (x->tbsRequest.requestExtensions, obj, lastpos));
}

int OCSP_REQUEST_get_ext_by_critical(OCSP_REQUEST *x, int crit, int lastpos)
{
    return (X509v3_get_ext_by_critical
            (x->tbsRequest.requestExtensions, crit, lastpos));
}

X509_EXTENSION *OCSP_REQUEST_get_ext(OCSP_REQUEST *x, int loc)
{
    return X509v3_get_ext(x->tbsRequest.requestExtensions, loc);
}

X509_EXTENSION *OCSP_REQUEST_delete_ext(OCSP_REQUEST *x, int loc)
{
    return X509v3_delete_ext(x->tbsRequest.requestExtensions, loc);
}

void *OCSP_REQUEST_get1_ext_d2i(OCSP_REQUEST *x, int nid, int *crit, int *idx)
{
    return X509V3_get_d2i(x->tbsRequest.requestExtensions, nid, crit, idx);
}

int OCSP_REQUEST_add1_ext_i2d(OCSP_REQUEST *x, int nid, void *value, int crit,
                              unsigned long flags)
{
    return X509V3_add1_i2d(&x->tbsRequest.requestExtensions, nid, value,
                           crit, flags);
}

int OCSP_REQUEST_add_ext(OCSP_REQUEST *x, X509_EXTENSION *ex, int loc)
{
    return (X509v3_add_ext(&(x->tbsRequest.requestExtensions), ex, loc) !=
            NULL);
}

/* Single extensions */

int OCSP_ONEREQ_get_ext_count(OCSP_ONEREQ *x)
{
    return X509v3_get_ext_count(x->singleRequestExtensions);
}

int OCSP_ONEREQ_get_ext_by_NID(OCSP_ONEREQ *x, int nid, int lastpos)
{
    return X509v3_get_ext_by_NID(x->singleRequestExtensions, nid, lastpos);
}

int OCSP_ONEREQ_get_ext_by_OBJ(OCSP_ONEREQ *x, const ASN1_OBJECT *obj,
                               int lastpos)
{
    return X509v3_get_ext_by_OBJ(x->singleRequestExtensions, obj, lastpos);
}

int OCSP_ONEREQ_get_ext_by_critical(OCSP_ONEREQ *x, int crit, int lastpos)
{
    return (X509v3_get_ext_by_critical
            (x->singleRequestExtensions, crit, lastpos));
}

X509_EXTENSION *OCSP_ONEREQ_get_ext(OCSP_ONEREQ *x, int loc)
{
    return X509v3_get_ext(x->singleRequestExtensions, loc);
}

X509_EXTENSION *OCSP_ONEREQ_delete_ext(OCSP_ONEREQ *x, int loc)
{
    return X509v3_delete_ext(x->singleRequestExtensions, loc);
}

void *OCSP_ONEREQ_get1_ext_d2i(OCSP_ONEREQ *x, int nid, int *crit, int *idx)
{
    return X509V3_get_d2i(x->singleRequestExtensions, nid, crit, idx);
}

int OCSP_ONEREQ_add1_ext_i2d(OCSP_ONEREQ *x, int nid, void *value, int crit,
                             unsigned long flags)
{
    return X509V3_add1_i2d(&x->singleRequestExtensions, nid, value, crit,
                           flags);
}

int OCSP_ONEREQ_add_ext(OCSP_ONEREQ *x, X509_EXTENSION *ex, int loc)
{
    return (X509v3_add_ext(&(x->singleRequestExtensions), ex, loc) != NULL);
}

/* OCSP Basic response */

int OCSP_BASICRESP_get_ext_count(OCSP_BASICRESP *x)
{
    return X509v3_get_ext_count(x->tbsResponseData.responseExtensions);
}

int OCSP_BASICRESP_get_ext_by_NID(OCSP_BASICRESP *x, int nid, int lastpos)
{
    return (X509v3_get_ext_by_NID
            (x->tbsResponseData.responseExtensions, nid, lastpos));
}

int OCSP_BASICRESP_get_ext_by_OBJ(OCSP_BASICRESP *x, const ASN1_OBJECT *obj,
                                  int lastpos)
{
    return (X509v3_get_ext_by_OBJ
            (x->tbsResponseData.responseExtensions, obj, lastpos));
}

int OCSP_BASICRESP_get_ext_by_critical(OCSP_BASICRESP *x, int crit,
                                       int lastpos)
{
    return (X509v3_get_ext_by_critical
            (x->tbsResponseData.responseExtensions, crit, lastpos));
}

X509_EXTENSION *OCSP_BASICRESP_get_ext(OCSP_BASICRESP *x, int loc)
{
    return X509v3_get_ext(x->tbsResponseData.responseExtensions, loc);
}

X509_EXTENSION *OCSP_BASICRESP_delete_ext(OCSP_BASICRESP *x, int loc)
{
    return X509v3_delete_ext(x->tbsResponseData.responseExtensions, loc);
}

void *OCSP_BASICRESP_get1_ext_d2i(OCSP_BASICRESP *x, int nid, int *crit,
                                  int *idx)
{
    return X509V3_get_d2i(x->tbsResponseData.responseExtensions, nid, crit,
                          idx);
}

int OCSP_BASICRESP_add1_ext_i2d(OCSP_BASICRESP *x, int nid, void *value,
                                int crit, unsigned long flags)
{
    return X509V3_add1_i2d(&x->tbsResponseData.responseExtensions, nid,
                           value, crit, flags);
}

int OCSP_BASICRESP_add_ext(OCSP_BASICRESP *x, X509_EXTENSION *ex, int loc)
{
    return (X509v3_add_ext(&(x->tbsResponseData.responseExtensions), ex, loc)
            != NULL);
}

/* OCSP single response extensions */

int OCSP_SINGLERESP_get_ext_count(OCSP_SINGLERESP *x)
{
    return X509v3_get_ext_count(x->singleExtensions);
}

int OCSP_SINGLERESP_get_ext_by_NID(OCSP_SINGLERESP *x, int nid, int lastpos)
{
    return X509v3_get_ext_by_NID(x->singleExtensions, nid, lastpos);
}

int OCSP_SINGLERESP_get_ext_by_OBJ(OCSP_SINGLERESP *x, const ASN1_OBJECT *obj,
                                   int lastpos)
{
    return X509v3_get_ext_by_OBJ(x->singleExtensions, obj, lastpos);
}

int OCSP_SINGLERESP_get_ext_by_critical(OCSP_SINGLERESP *x, int crit,
                                        int lastpos)
{
    return X509v3_get_ext_by_critical(x->singleExtensions, crit, lastpos);
}

X509_EXTENSION *OCSP_SINGLERESP_get_ext(OCSP_SINGLERESP *x, int loc)
{
    return X509v3_get_ext(x->singleExtensions, loc);
}

X509_EXTENSION *OCSP_SINGLERESP_delete_ext(OCSP_SINGLERESP *x, int loc)
{
    return X509v3_delete_ext(x->singleExtensions, loc);
}

void *OCSP_SINGLERESP_get1_ext_d2i(OCSP_SINGLERESP *x, int nid, int *crit,
                                   int *idx)
{
    return X509V3_get_d2i(x->singleExtensions, nid, crit, idx);
}

int OCSP_SINGLERESP_add1_ext_i2d(OCSP_SINGLERESP *x, int nid, void *value,
                                 int crit, unsigned long flags)
{
    return X509V3_add1_i2d(&x->singleExtensions, nid, value, crit, flags);
}

int OCSP_SINGLERESP_add_ext(OCSP_SINGLERESP *x, X509_EXTENSION *ex, int loc)
{
    return (X509v3_add_ext(&(x->singleExtensions), ex, loc) != NULL);
}

/* also CRL Entry Extensions */

/* Nonce handling functions */

/*
 * Add a nonce to an extension stack. A nonce can be specified or if NULL a
 * random nonce will be generated. Note: OpenSSL 0.9.7d and later create an
 * OCTET STRING containing the nonce, previous versions used the raw nonce.
 */

static int ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts,
                           unsigned char *val, int len)
{
    unsigned char *tmpval;
    ASN1_OCTET_STRING os;
    int ret = 0;
    if (len <= 0)
        len = OCSP_DEFAULT_NONCE_LENGTH;
    /*
     * Create the OCTET STRING manually by writing out the header and
     * appending the content octets. This avoids an extra memory allocation
     * operation in some cases. Applications should *NOT* do this because it
     * relies on library internals.
     */
    os.length = ASN1_object_size(0, len, V_ASN1_OCTET_STRING);
    if (os.length < 0)
        return 0;

    os.data = OPENSSL_malloc(os.length);
    if (os.data == NULL)
        goto err;
    tmpval = os.data;
    ASN1_put_object(&tmpval, 0, len, V_ASN1_OCTET_STRING, V_ASN1_UNIVERSAL);
    if (val)
        memcpy(tmpval, val, len);
    else if (RAND_bytes(tmpval, len) <= 0)
        goto err;
    if (!X509V3_add1_i2d(exts, NID_id_pkix_OCSP_Nonce,
                         &os, 0, X509V3_ADD_REPLACE))
        goto err;
    ret = 1;
 err:
    OPENSSL_free(os.data);
    return ret;
}

/* Add nonce to an OCSP request */

int OCSP_request_add1_nonce(OCSP_REQUEST *req, unsigned char *val, int len)
{
    return ocsp_add1_nonce(&req->tbsRequest.requestExtensions, val, len);
}

/* Same as above but for a response */

int OCSP_basic_add1_nonce(OCSP_BASICRESP *resp, unsigned char *val, int len)
{
    return ocsp_add1_nonce(&resp->tbsResponseData.responseExtensions, val,
                           len);
}

/*-
 * Check nonce validity in a request and response.
 * Return value reflects result:
 *  1: nonces present and equal.
 *  2: nonces both absent.
 *  3: nonce present in response only.
 *  0: nonces both present and not equal.
 * -1: nonce in request only.
 *
 *  For most responders clients can check return > 0.
 *  If responder doesn't handle nonces return != 0 may be
 *  necessary. return == 0 is always an error.
 */

int OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *bs)
{
    /*
     * Since we are only interested in the presence or absence of
     * the nonce and comparing its value there is no need to use
     * the X509V3 routines: this way we can avoid them allocating an
     * ASN1_OCTET_STRING structure for the value which would be
     * freed immediately anyway.
     */

    int req_idx, resp_idx;
    X509_EXTENSION *req_ext, *resp_ext;
    req_idx = OCSP_REQUEST_get_ext_by_NID(req, NID_id_pkix_OCSP_Nonce, -1);
    resp_idx = OCSP_BASICRESP_get_ext_by_NID(bs, NID_id_pkix_OCSP_Nonce, -1);
    /* Check both absent */
    if ((req_idx < 0) && (resp_idx < 0))
        return 2;
    /* Check in request only */
    if ((req_idx >= 0) && (resp_idx < 0))
        return -1;
    /* Check in response but not request */
    if ((req_idx < 0) && (resp_idx >= 0))
        return 3;
    /*
     * Otherwise nonce in request and response so retrieve the extensions
     */
    req_ext = OCSP_REQUEST_get_ext(req, req_idx);
    resp_ext = OCSP_BASICRESP_get_ext(bs, resp_idx);
    if (ASN1_OCTET_STRING_cmp(X509_EXTENSION_get_data(req_ext),
                              X509_EXTENSION_get_data(resp_ext)))
        return 0;
    return 1;
}

/*
 * Copy the nonce value (if any) from an OCSP request to a response.
 */

int OCSP_copy_nonce(OCSP_BASICRESP *resp, OCSP_REQUEST *req)
{
    X509_EXTENSION *req_ext;
    int req_idx;
    /* Check for nonce in request */
    req_idx = OCSP_REQUEST_get_ext_by_NID(req, NID_id_pkix_OCSP_Nonce, -1);
    /* If no nonce that's OK */
    if (req_idx < 0)
        return 2;
    req_ext = OCSP_REQUEST_get_ext(req, req_idx);
    return OCSP_BASICRESP_add_ext(resp, req_ext, -1);
}

X509_EXTENSION *OCSP_crlID_new(const char *url, long *n, char *tim)
{
    X509_EXTENSION *x = NULL;
    OCSP_CRLID *cid = NULL;

    if ((cid = OCSP_CRLID_new()) == NULL)
        goto err;
    if (url) {
        if ((cid->crlUrl = ASN1_IA5STRING_new()) == NULL)
            goto err;
        if (!(ASN1_STRING_set(cid->crlUrl, url, -1)))
            goto err;
    }
    if (n) {
        if ((cid->crlNum = ASN1_INTEGER_new()) == NULL)
            goto err;
        if (!(ASN1_INTEGER_set(cid->crlNum, *n)))
            goto err;
    }
    if (tim) {
        if ((cid->crlTime = ASN1_GENERALIZEDTIME_new()) == NULL)
            goto err;
        if (!(ASN1_GENERALIZEDTIME_set_string(cid->crlTime, tim)))
            goto err;
    }
    x = X509V3_EXT_i2d(NID_id_pkix_OCSP_CrlID, 0, cid);
 err:
    OCSP_CRLID_free(cid);
    return x;
}

/*   AcceptableResponses ::= SEQUENCE OF OBJECT IDENTIFIER */
X509_EXTENSION *OCSP_accept_responses_new(char **oids)
{
    int nid;
    STACK_OF(ASN1_OBJECT) *sk = NULL;
    ASN1_OBJECT *o = NULL;
    X509_EXTENSION *x = NULL;

    if ((sk = sk_ASN1_OBJECT_new_null()) == NULL)
        goto err;
    while (oids && *oids) {
        if ((nid = OBJ_txt2nid(*oids)) != NID_undef && (o = OBJ_nid2obj(nid)))
            sk_ASN1_OBJECT_push(sk, o);
        oids++;
    }
    x = X509V3_EXT_i2d(NID_id_pkix_OCSP_acceptableResponses, 0, sk);
 err:
    sk_ASN1_OBJECT_pop_free(sk, ASN1_OBJECT_free);
    return x;
}

/*  ArchiveCutoff ::= GeneralizedTime */
X509_EXTENSION *OCSP_archive_cutoff_new(char *tim)
{
    X509_EXTENSION *x = NULL;
    ASN1_GENERALIZEDTIME *gt = NULL;

    if ((gt = ASN1_GENERALIZEDTIME_new()) == NULL)
        goto err;
    if (!(ASN1_GENERALIZEDTIME_set_string(gt, tim)))
        goto err;
    x = X509V3_EXT_i2d(NID_id_pkix_OCSP_archiveCutoff, 0, gt);
 err:
    ASN1_GENERALIZEDTIME_free(gt);
    return x;
}

/*
 * per ACCESS_DESCRIPTION parameter are oids, of which there are currently
 * two--NID_ad_ocsp, NID_id_ad_caIssuers--and GeneralName value.  This method
 * forces NID_ad_ocsp and uniformResourceLocator [6] IA5String.
 */
X509_EXTENSION *OCSP_url_svcloc_new(const X509_NAME *issuer, const char **urls)
{
    X509_EXTENSION *x = NULL;
    ASN1_IA5STRING *ia5 = NULL;
    OCSP_SERVICELOC *sloc = NULL;
    ACCESS_DESCRIPTION *ad = NULL;

    if ((sloc = OCSP_SERVICELOC_new()) == NULL)
        goto err;
    X509_NAME_free(sloc->issuer);
    if ((sloc->issuer = X509_NAME_dup(issuer)) == NULL)
        goto err;
    if (urls && *urls
        && (sloc->locator = sk_ACCESS_DESCRIPTION_new_null()) == NULL)
        goto err;
    while (urls && *urls) {
        if ((ad = ACCESS_DESCRIPTION_new()) == NULL)
            goto err;
        if ((ad->method = OBJ_nid2obj(NID_ad_OCSP)) == NULL)
            goto err;
        if ((ia5 = ASN1_IA5STRING_new()) == NULL)
            goto err;
        if (!ASN1_STRING_set((ASN1_STRING *)ia5, *urls, -1))
            goto err;
        /* ad->location is allocated inside ACCESS_DESCRIPTION_new */
        ad->location->type = GEN_URI;
        ad->location->d.ia5 = ia5;
        ia5 = NULL;
        if (!sk_ACCESS_DESCRIPTION_push(sloc->locator, ad))
            goto err;
        ad = NULL;
        urls++;
    }
    x = X509V3_EXT_i2d(NID_id_pkix_OCSP_serviceLocator, 0, sloc);
 err:
    ASN1_IA5STRING_free(ia5);
    ACCESS_DESCRIPTION_free(ad);
    OCSP_SERVICELOC_free(sloc);
    return x;
}
Commit	Line	Data
0f113f3e	1	/*
33388b44	2	* Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
eb64730b	3	*
0c496700	4	* Licensed under the Apache License 2.0 (the "License"). You may not use
b1322259 RS	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
eb64730b RL	8	*/
	9
	10	#include <stdio.h>
b39fc560	11	#include "internal/cryptlib.h"
eb64730b	12	#include <openssl/objects.h>
eb64730b RL	13	#include <openssl/x509.h>
eb64730b RL	14	#include <openssl/ocsp.h>
706457b7	15	#include "ocsp_local.h"
0b33bc65	16	#include <openssl/rand.h>
eb64730b RL	17	#include <openssl/x509v3.h>
eb64730b RL	18
852c2ed2 RS	19	DEFINE_STACK_OF(ASN1_OBJECT)
	20	DEFINE_STACK_OF(ACCESS_DESCRIPTION)
	21
ec558b65 DSH	22	/* Standard wrapper functions for extensions */
	23
	24	/* OCSP request extensions */
	25
	26	int OCSP_REQUEST_get_ext_count(OCSP_REQUEST *x)
0f113f3e	27	{
26a7d938	28	return X509v3_get_ext_count(x->tbsRequest.requestExtensions);
0f113f3e	29	}
ec558b65 DSH	30
ec558b65 DSH	31	int OCSP_REQUEST_get_ext_by_NID(OCSP_REQUEST *x, int nid, int lastpos)
0f113f3e MC	32	{
0f113f3e MC	33	return (X509v3_get_ext_by_NID
a332635e	34	(x->tbsRequest.requestExtensions, nid, lastpos));
0f113f3e MC	35	}
0f113f3e MC	36
c47ba4e9	37	int OCSP_REQUEST_get_ext_by_OBJ(OCSP_REQUEST x, const ASN1_OBJECT obj,
0f113f3e MC	38	int lastpos)
	39	{
	40	return (X509v3_get_ext_by_OBJ
a332635e	41	(x->tbsRequest.requestExtensions, obj, lastpos));
0f113f3e	42	}
ec558b65 DSH	43
ec558b65 DSH	44	int OCSP_REQUEST_get_ext_by_critical(OCSP_REQUEST *x, int crit, int lastpos)
0f113f3e MC	45	{
0f113f3e MC	46	return (X509v3_get_ext_by_critical
a332635e	47	(x->tbsRequest.requestExtensions, crit, lastpos));
0f113f3e	48	}
ec558b65 DSH	49
ec558b65 DSH	50	X509_EXTENSION OCSP_REQUEST_get_ext(OCSP_REQUEST x, int loc)
0f113f3e	51	{
26a7d938	52	return X509v3_get_ext(x->tbsRequest.requestExtensions, loc);
0f113f3e	53	}
ec558b65 DSH	54
ec558b65 DSH	55	X509_EXTENSION OCSP_REQUEST_delete_ext(OCSP_REQUEST x, int loc)
0f113f3e	56	{
26a7d938	57	return X509v3_delete_ext(x->tbsRequest.requestExtensions, loc);
0f113f3e	58	}
ec558b65 DSH	59
ec558b65 DSH	60	void OCSP_REQUEST_get1_ext_d2i(OCSP_REQUEST x, int nid, int crit, int idx)
0f113f3e	61	{
a332635e	62	return X509V3_get_d2i(x->tbsRequest.requestExtensions, nid, crit, idx);
0f113f3e	63	}
ec558b65 DSH	64
ec558b65 DSH	65	int OCSP_REQUEST_add1_ext_i2d(OCSP_REQUEST x, int nid, void value, int crit,
0f113f3e MC	66	unsigned long flags)
0f113f3e MC	67	{
a332635e	68	return X509V3_add1_i2d(&x->tbsRequest.requestExtensions, nid, value,
0f113f3e MC	69	crit, flags);
0f113f3e MC	70	}
ec558b65 DSH	71
ec558b65 DSH	72	int OCSP_REQUEST_add_ext(OCSP_REQUEST x, X509_EXTENSION ex, int loc)
0f113f3e	73	{
a332635e	74	return (X509v3_add_ext(&(x->tbsRequest.requestExtensions), ex, loc) !=
0f113f3e MC	75	NULL);
0f113f3e MC	76	}
ec558b65 DSH	77
	78	/* Single extensions */
	79
	80	int OCSP_ONEREQ_get_ext_count(OCSP_ONEREQ *x)
0f113f3e	81	{
26a7d938	82	return X509v3_get_ext_count(x->singleRequestExtensions);
0f113f3e	83	}
ec558b65 DSH	84
ec558b65 DSH	85	int OCSP_ONEREQ_get_ext_by_NID(OCSP_ONEREQ *x, int nid, int lastpos)
0f113f3e	86	{
26a7d938	87	return X509v3_get_ext_by_NID(x->singleRequestExtensions, nid, lastpos);
0f113f3e	88	}
ec558b65	89
c47ba4e9 F	90	int OCSP_ONEREQ_get_ext_by_OBJ(OCSP_ONEREQ x, const ASN1_OBJECT obj,
c47ba4e9 F	91	int lastpos)
0f113f3e	92	{
26a7d938	93	return X509v3_get_ext_by_OBJ(x->singleRequestExtensions, obj, lastpos);
0f113f3e	94	}
ec558b65 DSH	95
ec558b65 DSH	96	int OCSP_ONEREQ_get_ext_by_critical(OCSP_ONEREQ *x, int crit, int lastpos)
0f113f3e MC	97	{
	98	return (X509v3_get_ext_by_critical
	99	(x->singleRequestExtensions, crit, lastpos));
	100	}
ec558b65 DSH	101
ec558b65 DSH	102	X509_EXTENSION OCSP_ONEREQ_get_ext(OCSP_ONEREQ x, int loc)
0f113f3e	103	{
26a7d938	104	return X509v3_get_ext(x->singleRequestExtensions, loc);
0f113f3e	105	}
ec558b65 DSH	106
ec558b65 DSH	107	X509_EXTENSION OCSP_ONEREQ_delete_ext(OCSP_ONEREQ x, int loc)
0f113f3e	108	{
26a7d938	109	return X509v3_delete_ext(x->singleRequestExtensions, loc);
0f113f3e	110	}
ec558b65 DSH	111
ec558b65 DSH	112	void OCSP_ONEREQ_get1_ext_d2i(OCSP_ONEREQ x, int nid, int crit, int idx)
0f113f3e MC	113	{
	114	return X509V3_get_d2i(x->singleRequestExtensions, nid, crit, idx);
	115	}
ec558b65 DSH	116
ec558b65 DSH	117	int OCSP_ONEREQ_add1_ext_i2d(OCSP_ONEREQ x, int nid, void value, int crit,
0f113f3e MC	118	unsigned long flags)
	119	{
	120	return X509V3_add1_i2d(&x->singleRequestExtensions, nid, value, crit,
	121	flags);
	122	}
ec558b65 DSH	123
ec558b65 DSH	124	int OCSP_ONEREQ_add_ext(OCSP_ONEREQ x, X509_EXTENSION ex, int loc)
0f113f3e MC	125	{
	126	return (X509v3_add_ext(&(x->singleRequestExtensions), ex, loc) != NULL);
	127	}
ec558b65 DSH	128
	129	/* OCSP Basic response */
	130
	131	int OCSP_BASICRESP_get_ext_count(OCSP_BASICRESP *x)
0f113f3e	132	{
26a7d938	133	return X509v3_get_ext_count(x->tbsResponseData.responseExtensions);
0f113f3e	134	}
ec558b65 DSH	135
ec558b65 DSH	136	int OCSP_BASICRESP_get_ext_by_NID(OCSP_BASICRESP *x, int nid, int lastpos)
0f113f3e MC	137	{
0f113f3e MC	138	return (X509v3_get_ext_by_NID
a332635e	139	(x->tbsResponseData.responseExtensions, nid, lastpos));
0f113f3e MC	140	}
0f113f3e MC	141
c47ba4e9	142	int OCSP_BASICRESP_get_ext_by_OBJ(OCSP_BASICRESP x, const ASN1_OBJECT obj,
0f113f3e MC	143	int lastpos)
	144	{
	145	return (X509v3_get_ext_by_OBJ
a332635e	146	(x->tbsResponseData.responseExtensions, obj, lastpos));
0f113f3e MC	147	}
	148
	149	int OCSP_BASICRESP_get_ext_by_critical(OCSP_BASICRESP *x, int crit,
	150	int lastpos)
	151	{
	152	return (X509v3_get_ext_by_critical
a332635e	153	(x->tbsResponseData.responseExtensions, crit, lastpos));
0f113f3e	154	}
ec558b65 DSH	155
ec558b65 DSH	156	X509_EXTENSION OCSP_BASICRESP_get_ext(OCSP_BASICRESP x, int loc)
0f113f3e	157	{
26a7d938	158	return X509v3_get_ext(x->tbsResponseData.responseExtensions, loc);
0f113f3e	159	}
ec558b65 DSH	160
ec558b65 DSH	161	X509_EXTENSION OCSP_BASICRESP_delete_ext(OCSP_BASICRESP x, int loc)
0f113f3e	162	{
26a7d938	163	return X509v3_delete_ext(x->tbsResponseData.responseExtensions, loc);
0f113f3e MC	164	}
	165
	166	void OCSP_BASICRESP_get1_ext_d2i(OCSP_BASICRESP x, int nid, int *crit,
	167	int *idx)
	168	{
a332635e	169	return X509V3_get_d2i(x->tbsResponseData.responseExtensions, nid, crit,
0f113f3e MC	170	idx);
	171	}
	172
	173	int OCSP_BASICRESP_add1_ext_i2d(OCSP_BASICRESP x, int nid, void value,
	174	int crit, unsigned long flags)
	175	{
a332635e	176	return X509V3_add1_i2d(&x->tbsResponseData.responseExtensions, nid,
0f113f3e MC	177	value, crit, flags);
0f113f3e MC	178	}
ec558b65 DSH	179
ec558b65 DSH	180	int OCSP_BASICRESP_add_ext(OCSP_BASICRESP x, X509_EXTENSION ex, int loc)
0f113f3e	181	{
a332635e	182	return (X509v3_add_ext(&(x->tbsResponseData.responseExtensions), ex, loc)
0f113f3e MC	183	!= NULL);
0f113f3e MC	184	}
ec558b65 DSH	185
	186	/* OCSP single response extensions */
	187
	188	int OCSP_SINGLERESP_get_ext_count(OCSP_SINGLERESP *x)
0f113f3e	189	{
26a7d938	190	return X509v3_get_ext_count(x->singleExtensions);
0f113f3e	191	}
ec558b65 DSH	192
ec558b65 DSH	193	int OCSP_SINGLERESP_get_ext_by_NID(OCSP_SINGLERESP *x, int nid, int lastpos)
0f113f3e	194	{
26a7d938	195	return X509v3_get_ext_by_NID(x->singleExtensions, nid, lastpos);
0f113f3e MC	196	}
0f113f3e MC	197
c47ba4e9	198	int OCSP_SINGLERESP_get_ext_by_OBJ(OCSP_SINGLERESP x, const ASN1_OBJECT obj,
0f113f3e MC	199	int lastpos)
0f113f3e MC	200	{
26a7d938	201	return X509v3_get_ext_by_OBJ(x->singleExtensions, obj, lastpos);
0f113f3e MC	202	}
	203
	204	int OCSP_SINGLERESP_get_ext_by_critical(OCSP_SINGLERESP *x, int crit,
	205	int lastpos)
	206	{
26a7d938	207	return X509v3_get_ext_by_critical(x->singleExtensions, crit, lastpos);
0f113f3e	208	}
ec558b65 DSH	209
ec558b65 DSH	210	X509_EXTENSION OCSP_SINGLERESP_get_ext(OCSP_SINGLERESP x, int loc)
0f113f3e	211	{
26a7d938	212	return X509v3_get_ext(x->singleExtensions, loc);
0f113f3e	213	}
ec558b65 DSH	214
ec558b65 DSH	215	X509_EXTENSION OCSP_SINGLERESP_delete_ext(OCSP_SINGLERESP x, int loc)
0f113f3e	216	{
26a7d938	217	return X509v3_delete_ext(x->singleExtensions, loc);
0f113f3e MC	218	}
	219
	220	void OCSP_SINGLERESP_get1_ext_d2i(OCSP_SINGLERESP x, int nid, int *crit,
	221	int *idx)
	222	{
	223	return X509V3_get_d2i(x->singleExtensions, nid, crit, idx);
	224	}
	225
	226	int OCSP_SINGLERESP_add1_ext_i2d(OCSP_SINGLERESP x, int nid, void value,
	227	int crit, unsigned long flags)
	228	{
	229	return X509V3_add1_i2d(&x->singleExtensions, nid, value, crit, flags);
	230	}
ec558b65 DSH	231
ec558b65 DSH	232	int OCSP_SINGLERESP_add_ext(OCSP_SINGLERESP x, X509_EXTENSION ex, int loc)
0f113f3e MC	233	{
	234	return (X509v3_add_ext(&(x->singleExtensions), ex, loc) != NULL);
	235	}
eb64730b RL	236
eb64730b RL	237	/* also CRL Entry Extensions */
eb64730b	238
0b33bc65 DSH	239	/* Nonce handling functions */
0b33bc65 DSH	240
0f113f3e	241	/*
0d4fb843	242	* Add a nonce to an extension stack. A nonce can be specified or if NULL a
0f113f3e MC	243	* random nonce will be generated. Note: OpenSSL 0.9.7d and later create an
0f113f3e MC	244	* OCTET STRING containing the nonce, previous versions used the raw nonce.
0b33bc65 DSH	245	*/
0b33bc65 DSH	246
0f113f3e MC	247	static int ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts,
	248	unsigned char *val, int len)
	249	{
	250	unsigned char *tmpval;
	251	ASN1_OCTET_STRING os;
	252	int ret = 0;
	253	if (len <= 0)
	254	len = OCSP_DEFAULT_NONCE_LENGTH;
	255	/*
	256	* Create the OCTET STRING manually by writing out the header and
	257	* appending the content octets. This avoids an extra memory allocation
	258	* operation in some cases. Applications should NOT do this because it
	259	* relies on library internals.
	260	*/
	261	os.length = ASN1_object_size(0, len, V_ASN1_OCTET_STRING);
b197257d	262	if (os.length < 0)
cc069067	263	return 0;
b197257d	264
0f113f3e MC	265	os.data = OPENSSL_malloc(os.length);
	266	if (os.data == NULL)
	267	goto err;
	268	tmpval = os.data;
	269	ASN1_put_object(&tmpval, 0, len, V_ASN1_OCTET_STRING, V_ASN1_UNIVERSAL);
	270	if (val)
	271	memcpy(tmpval, val, len);
266483d2 MC	272	else if (RAND_bytes(tmpval, len) <= 0)
266483d2 MC	273	goto err;
0f113f3e MC	274	if (!X509V3_add1_i2d(exts, NID_id_pkix_OCSP_Nonce,
	275	&os, 0, X509V3_ADD_REPLACE))
	276	goto err;
	277	ret = 1;
	278	err:
b548a1f1	279	OPENSSL_free(os.data);
0f113f3e MC	280	return ret;
0f113f3e MC	281	}
46a58ab9 DSH	282
	283	/* Add nonce to an OCSP request */
	284
	285	int OCSP_request_add1_nonce(OCSP_REQUEST req, unsigned char val, int len)
0f113f3e	286	{
a332635e	287	return ocsp_add1_nonce(&req->tbsRequest.requestExtensions, val, len);
0f113f3e	288	}
46a58ab9 DSH	289
	290	/* Same as above but for a response */
	291
	292	int OCSP_basic_add1_nonce(OCSP_BASICRESP resp, unsigned char val, int len)
0f113f3e	293	{
a332635e	294	return ocsp_add1_nonce(&resp->tbsResponseData.responseExtensions, val,
0f113f3e MC	295	len);
0f113f3e MC	296	}
46a58ab9	297
3a83462d MC	298	/*-
3a83462d MC	299	* Check nonce validity in a request and response.
46a58ab9 DSH	300	* Return value reflects result:
	301	* 1: nonces present and equal.
	302	* 2: nonces both absent.
	303	* 3: nonce present in response only.
	304	* 0: nonces both present and not equal.
	305	* -1: nonce in request only.
	306	*
	307	* For most responders clients can check return > 0.
	308	* If responder doesn't handle nonces return != 0 may be
	309	* necessary. return == 0 is always an error.
0b33bc65	310	*/
46a58ab9	311
0b33bc65	312	int OCSP_check_nonce(OCSP_REQUEST req, OCSP_BASICRESP bs)
0f113f3e MC	313	{
	314	/*
	315	* Since we are only interested in the presence or absence of
	316	* the nonce and comparing its value there is no need to use
	317	* the X509V3 routines: this way we can avoid them allocating an
	318	* ASN1_OCTET_STRING structure for the value which would be
	319	* freed immediately anyway.
	320	*/
	321
	322	int req_idx, resp_idx;
	323	X509_EXTENSION req_ext, resp_ext;
	324	req_idx = OCSP_REQUEST_get_ext_by_NID(req, NID_id_pkix_OCSP_Nonce, -1);
	325	resp_idx = OCSP_BASICRESP_get_ext_by_NID(bs, NID_id_pkix_OCSP_Nonce, -1);
	326	/* Check both absent */
	327	if ((req_idx < 0) && (resp_idx < 0))
	328	return 2;
	329	/* Check in request only */
	330	if ((req_idx >= 0) && (resp_idx < 0))
	331	return -1;
	332	/* Check in response but not request */
	333	if ((req_idx < 0) && (resp_idx >= 0))
	334	return 3;
	335	/*
	336	* Otherwise nonce in request and response so retrieve the extensions
	337	*/
	338	req_ext = OCSP_REQUEST_get_ext(req, req_idx);
	339	resp_ext = OCSP_BASICRESP_get_ext(bs, resp_idx);
4903abd5 DSH	340	if (ASN1_OCTET_STRING_cmp(X509_EXTENSION_get_data(req_ext),
4903abd5 DSH	341	X509_EXTENSION_get_data(resp_ext)))
0f113f3e MC	342	return 0;
	343	return 1;
	344	}
	345
	346	/*
	347	* Copy the nonce value (if any) from an OCSP request to a response.
26e083cc DSH	348	*/
	349
	350	int OCSP_copy_nonce(OCSP_BASICRESP resp, OCSP_REQUEST req)
0f113f3e MC	351	{
	352	X509_EXTENSION *req_ext;
	353	int req_idx;
	354	/* Check for nonce in request */
	355	req_idx = OCSP_REQUEST_get_ext_by_NID(req, NID_id_pkix_OCSP_Nonce, -1);
	356	/* If no nonce that's OK */
	357	if (req_idx < 0)
	358	return 2;
	359	req_ext = OCSP_REQUEST_get_ext(req, req_idx);
	360	return OCSP_BASICRESP_add_ext(resp, req_ext, -1);
	361	}
eb64730b	362
a026fbf9	363	X509_EXTENSION OCSP_crlID_new(const char url, long n, char tim)
0f113f3e MC	364	{
	365	X509_EXTENSION *x = NULL;
	366	OCSP_CRLID *cid = NULL;
	367
75ebbd9a	368	if ((cid = OCSP_CRLID_new()) == NULL)
0f113f3e MC	369	goto err;
0f113f3e MC	370	if (url) {
75ebbd9a	371	if ((cid->crlUrl = ASN1_IA5STRING_new()) == NULL)
0f113f3e MC	372	goto err;
	373	if (!(ASN1_STRING_set(cid->crlUrl, url, -1)))
	374	goto err;
	375	}
	376	if (n) {
75ebbd9a	377	if ((cid->crlNum = ASN1_INTEGER_new()) == NULL)
0f113f3e MC	378	goto err;
	379	if (!(ASN1_INTEGER_set(cid->crlNum, *n)))
	380	goto err;
	381	}
	382	if (tim) {
75ebbd9a	383	if ((cid->crlTime = ASN1_GENERALIZEDTIME_new()) == NULL)
0f113f3e MC	384	goto err;
	385	if (!(ASN1_GENERALIZEDTIME_set_string(cid->crlTime, tim)))
	386	goto err;
	387	}
	388	x = X509V3_EXT_i2d(NID_id_pkix_OCSP_CrlID, 0, cid);
	389	err:
25aaa98a	390	OCSP_CRLID_free(cid);
0f113f3e MC	391	return x;
0f113f3e MC	392	}
eb64730b RL	393
	394	/* AcceptableResponses ::= SEQUENCE OF OBJECT IDENTIFIER */
	395	X509_EXTENSION OCSP_accept_responses_new(char *oids)
0f113f3e MC	396	{
	397	int nid;
	398	STACK_OF(ASN1_OBJECT) *sk = NULL;
	399	ASN1_OBJECT *o = NULL;
	400	X509_EXTENSION *x = NULL;
	401
75ebbd9a	402	if ((sk = sk_ASN1_OBJECT_new_null()) == NULL)
0f113f3e MC	403	goto err;
	404	while (oids && *oids) {
	405	if ((nid = OBJ_txt2nid(*oids)) != NID_undef && (o = OBJ_nid2obj(nid)))
	406	sk_ASN1_OBJECT_push(sk, o);
	407	oids++;
	408	}
	409	x = X509V3_EXT_i2d(NID_id_pkix_OCSP_acceptableResponses, 0, sk);
	410	err:
2ace7450	411	sk_ASN1_OBJECT_pop_free(sk, ASN1_OBJECT_free);
0f113f3e MC	412	return x;
0f113f3e MC	413	}
eb64730b RL	414
eb64730b RL	415	/* ArchiveCutoff ::= GeneralizedTime */
0f113f3e MC	416	X509_EXTENSION OCSP_archive_cutoff_new(char tim)
	417	{
	418	X509_EXTENSION *x = NULL;
	419	ASN1_GENERALIZEDTIME *gt = NULL;
	420
75ebbd9a	421	if ((gt = ASN1_GENERALIZEDTIME_new()) == NULL)
0f113f3e MC	422	goto err;
	423	if (!(ASN1_GENERALIZEDTIME_set_string(gt, tim)))
	424	goto err;
	425	x = X509V3_EXT_i2d(NID_id_pkix_OCSP_archiveCutoff, 0, gt);
	426	err:
2ace7450	427	ASN1_GENERALIZEDTIME_free(gt);
0f113f3e MC	428	return x;
	429	}
	430
	431	/*
	432	* per ACCESS_DESCRIPTION parameter are oids, of which there are currently
	433	* two--NID_ad_ocsp, NID_id_ad_caIssuers--and GeneralName value. This method
	434	* forces NID_ad_ocsp and uniformResourceLocator [6] IA5String.
eb64730b	435	*/
8cc86b81	436	X509_EXTENSION OCSP_url_svcloc_new(const X509_NAME issuer, const char **urls)
0f113f3e MC	437	{
	438	X509_EXTENSION *x = NULL;
	439	ASN1_IA5STRING *ia5 = NULL;
	440	OCSP_SERVICELOC *sloc = NULL;
	441	ACCESS_DESCRIPTION *ad = NULL;
	442
75ebbd9a	443	if ((sloc = OCSP_SERVICELOC_new()) == NULL)
0f113f3e	444	goto err;
5b3accde	445	X509_NAME_free(sloc->issuer);
75ebbd9a	446	if ((sloc->issuer = X509_NAME_dup(issuer)) == NULL)
0f113f3e	447	goto err;
75ebbd9a RS	448	if (urls && *urls
75ebbd9a RS	449	&& (sloc->locator = sk_ACCESS_DESCRIPTION_new_null()) == NULL)
0f113f3e MC	450	goto err;
0f113f3e MC	451	while (urls && *urls) {
75ebbd9a	452	if ((ad = ACCESS_DESCRIPTION_new()) == NULL)
0f113f3e	453	goto err;
75ebbd9a	454	if ((ad->method = OBJ_nid2obj(NID_ad_OCSP)) == NULL)
0f113f3e	455	goto err;
75ebbd9a	456	if ((ia5 = ASN1_IA5STRING_new()) == NULL)
0f113f3e MC	457	goto err;
	458	if (!ASN1_STRING_set((ASN1_STRING )ia5, urls, -1))
	459	goto err;
5b3accde	460	/* ad->location is allocated inside ACCESS_DESCRIPTION_new */
0f113f3e MC	461	ad->location->type = GEN_URI;
0f113f3e MC	462	ad->location->d.ia5 = ia5;
a4e584a6	463	ia5 = NULL;
0f113f3e MC	464	if (!sk_ACCESS_DESCRIPTION_push(sloc->locator, ad))
0f113f3e MC	465	goto err;
a4e584a6	466	ad = NULL;
0f113f3e MC	467	urls++;
	468	}
	469	x = X509V3_EXT_i2d(NID_id_pkix_OCSP_serviceLocator, 0, sloc);
	470	err:
a4e584a6 MC	471	ASN1_IA5STRING_free(ia5);
a4e584a6 MC	472	ACCESS_DESCRIPTION_free(ad);
25aaa98a	473	OCSP_SERVICELOC_free(sloc);
0f113f3e MC	474	return x;
0f113f3e MC	475	}