]>
Commit | Line | Data |
---|---|---|
eb64730b RL |
1 | /* ocsp_lib.c */ |
2 | /* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL | |
3 | * project. */ | |
4 | ||
5 | /* History: | |
6 | This file was transfered to Richard Levitte from CertCo by Kathy | |
7 | Weinhold in mid-spring 2000 to be included in OpenSSL or released | |
8 | as a patch kit. */ | |
9 | ||
10 | /* ==================================================================== | |
11 | * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. | |
12 | * | |
13 | * Redistribution and use in source and binary forms, with or without | |
14 | * modification, are permitted provided that the following conditions | |
15 | * are met: | |
16 | * | |
17 | * 1. Redistributions of source code must retain the above copyright | |
18 | * notice, this list of conditions and the following disclaimer. | |
19 | * | |
20 | * 2. Redistributions in binary form must reproduce the above copyright | |
21 | * notice, this list of conditions and the following disclaimer in | |
22 | * the documentation and/or other materials provided with the | |
23 | * distribution. | |
24 | * | |
25 | * 3. All advertising materials mentioning features or use of this | |
26 | * software must display the following acknowledgment: | |
27 | * "This product includes software developed by the OpenSSL Project | |
28 | * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" | |
29 | * | |
30 | * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to | |
31 | * endorse or promote products derived from this software without | |
32 | * prior written permission. For written permission, please contact | |
33 | * openssl-core@openssl.org. | |
34 | * | |
35 | * 5. Products derived from this software may not be called "OpenSSL" | |
36 | * nor may "OpenSSL" appear in their names without prior written | |
37 | * permission of the OpenSSL Project. | |
38 | * | |
39 | * 6. Redistributions of any form whatsoever must retain the following | |
40 | * acknowledgment: | |
41 | * "This product includes software developed by the OpenSSL Project | |
42 | * for use in the OpenSSL Toolkit (http://www.openssl.org/)" | |
43 | * | |
44 | * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY | |
45 | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
46 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | |
47 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR | |
48 | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, | |
49 | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | |
50 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | |
51 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
52 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, | |
53 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | |
54 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED | |
55 | * OF THE POSSIBILITY OF SUCH DAMAGE. | |
56 | * ==================================================================== | |
57 | * | |
58 | * This product includes cryptographic software written by Eric Young | |
59 | * (eay@cryptsoft.com). This product includes software written by Tim | |
60 | * Hudson (tjh@cryptsoft.com). | |
61 | * | |
62 | */ | |
63 | ||
64 | #include <stdio.h> | |
65 | #include <cryptlib.h> | |
66 | #include <openssl/objects.h> | |
0b33bc65 | 67 | #include <openssl/rand.h> |
eb64730b RL |
68 | #include <openssl/x509.h> |
69 | #include <openssl/pem.h> | |
70 | #include <openssl/x509v3.h> | |
eb64730b RL |
71 | #include <openssl/ocsp.h> |
72 | ||
bf0d176e DSH |
73 | /* Convert a certificate and its issuer to an OCSP_CERTID */ |
74 | ||
75 | OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *dgst, X509 *subject, X509 *issuer) | |
76 | { | |
77 | X509_NAME *iname; | |
78 | ASN1_INTEGER *serial; | |
79 | ASN1_BIT_STRING *ikey; | |
cf1b7d96 | 80 | #ifndef OPENSSL_NO_SHA1 |
bf0d176e DSH |
81 | if(!dgst) dgst = EVP_sha1(); |
82 | #endif | |
83 | iname = X509_get_issuer_name(subject); | |
84 | serial = X509_get_serialNumber(subject); | |
88ce56f8 | 85 | ikey = X509_get0_pubkey_bitstr(issuer); |
bf0d176e DSH |
86 | return OCSP_cert_id_new(dgst, iname, ikey, serial); |
87 | } | |
eb64730b | 88 | |
eb64730b RL |
89 | |
90 | OCSP_CERTID *OCSP_cert_id_new(const EVP_MD *dgst, | |
91 | X509_NAME *issuerName, | |
92 | ASN1_BIT_STRING* issuerKey, | |
93 | ASN1_INTEGER *serialNumber) | |
94 | { | |
95 | int nid; | |
96 | unsigned int i; | |
97 | X509_ALGOR *alg; | |
98 | OCSP_CERTID *cid = NULL; | |
99 | unsigned char md[EVP_MAX_MD_SIZE]; | |
eb64730b RL |
100 | |
101 | if (!(cid = OCSP_CERTID_new())) goto err; | |
102 | ||
103 | alg = cid->hashAlgorithm; | |
104 | if (alg->algorithm != NULL) ASN1_OBJECT_free(alg->algorithm); | |
105 | if ((nid = EVP_MD_type(dgst)) == NID_undef) | |
106 | { | |
107 | OCSPerr(OCSP_F_CERT_ID_NEW,OCSP_R_UNKNOWN_NID); | |
108 | goto err; | |
109 | } | |
110 | if (!(alg->algorithm=OBJ_nid2obj(nid))) goto err; | |
111 | if ((alg->parameter=ASN1_TYPE_new()) == NULL) goto err; | |
112 | alg->parameter->type=V_ASN1_NULL; | |
113 | ||
114 | if (!X509_NAME_digest(issuerName, dgst, md, &i)) goto digerr; | |
115 | if (!(ASN1_OCTET_STRING_set(cid->issuerNameHash, md, i))) goto err; | |
116 | ||
117 | /* Calculate the issuerKey hash, excluding tag and length */ | |
88ce56f8 | 118 | EVP_Digest(issuerKey->data, issuerKey->length, md, &i, dgst); |
eb64730b RL |
119 | |
120 | if (!(ASN1_OCTET_STRING_set(cid->issuerKeyHash, md, i))) goto err; | |
121 | ||
122 | if (cid->serialNumber != NULL) ASN1_INTEGER_free(cid->serialNumber); | |
123 | if (!(cid->serialNumber = ASN1_INTEGER_dup(serialNumber))) goto err; | |
124 | return cid; | |
125 | digerr: | |
126 | OCSPerr(OCSP_F_CERT_ID_NEW,OCSP_R_DIGEST_ERR); | |
127 | err: | |
128 | if (cid) OCSP_CERTID_free(cid); | |
129 | return NULL; | |
130 | } | |
131 | ||
81f169e9 | 132 | int OCSP_id_issuer_cmp(OCSP_CERTID *a, OCSP_CERTID *b) |
0b33bc65 DSH |
133 | { |
134 | int ret; | |
135 | ret = OBJ_cmp(a->hashAlgorithm->algorithm, b->hashAlgorithm->algorithm); | |
136 | if (ret) return ret; | |
137 | ret = ASN1_OCTET_STRING_cmp(a->issuerNameHash, b->issuerNameHash); | |
138 | if (ret) return ret; | |
81f169e9 DSH |
139 | return ASN1_OCTET_STRING_cmp(a->issuerKeyHash, b->issuerKeyHash); |
140 | } | |
141 | ||
142 | int OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b) | |
143 | { | |
144 | int ret; | |
145 | ret = OCSP_id_issuer_cmp(a, b); | |
0b33bc65 DSH |
146 | if (ret) return ret; |
147 | return ASN1_INTEGER_cmp(a->serialNumber, b->serialNumber); | |
eb64730b RL |
148 | } |
149 | ||
eb64730b RL |
150 | /* XXX assumes certs in signature are sorted root to leaf XXX */ |
151 | int OCSP_request_verify(OCSP_REQUEST *req, EVP_PKEY *pkey) | |
152 | { | |
153 | STACK_OF(X509) *sk; | |
154 | ||
155 | if (!req->optionalSignature) return 0; | |
156 | if (pkey == NULL) | |
157 | { | |
158 | if (!(sk = req->optionalSignature->certs)) return 0; | |
159 | if (!(pkey=X509_get_pubkey(sk_X509_value(sk, sk_X509_num(sk)-1)))) | |
160 | { | |
161 | OCSPerr(OCSP_F_REQUEST_VERIFY,OCSP_R_NO_PUBLIC_KEY); | |
162 | return 0; | |
163 | } | |
164 | } | |
165 | return OCSP_REQUEST_verify(req, pkey); | |
166 | } | |
67c18019 DSH |
167 | |
168 | ||
169 | /* Parse a URL and split it up into host, port and path components and whether | |
170 | * it is SSL. | |
171 | */ | |
172 | ||
173 | int OCSP_parse_url(char *url, char **phost, char **pport, char **ppath, int *pssl) | |
174 | { | |
175 | char *p, *buf; | |
176 | ||
177 | char *host, *port; | |
178 | ||
179 | /* dup the buffer since we are going to mess with it */ | |
180 | buf = BUF_strdup(url); | |
181 | if (!buf) goto mem_err; | |
182 | ||
183 | *phost = NULL; | |
184 | *pport = NULL; | |
185 | *ppath = NULL; | |
186 | ||
187 | /* Check for initial colon */ | |
188 | p = strchr(buf, ':'); | |
189 | ||
190 | if (!p) goto parse_err; | |
191 | ||
192 | *(p++) = '\0'; | |
193 | ||
194 | if (!strcmp(buf, "http")) | |
195 | { | |
196 | *pssl = 0; | |
197 | port = "80"; | |
198 | } | |
199 | else if (!strcmp(buf, "https")) | |
200 | { | |
201 | *pssl = 1; | |
202 | port = "443"; | |
203 | } | |
204 | else | |
205 | goto parse_err; | |
206 | ||
207 | /* Check for double slash */ | |
208 | if ((p[0] != '/') || (p[1] != '/')) | |
209 | goto parse_err; | |
210 | ||
211 | p += 2; | |
212 | ||
213 | host = p; | |
214 | ||
215 | /* Check for trailing part of path */ | |
216 | ||
217 | p = strchr(p, '/'); | |
218 | ||
219 | if (!p) | |
220 | *ppath = BUF_strdup("/"); | |
221 | else | |
222 | { | |
223 | *ppath = BUF_strdup(p); | |
224 | /* Set start of path to 0 so hostname is valid */ | |
225 | *p = '\0'; | |
226 | } | |
227 | ||
228 | if (!*ppath) goto mem_err; | |
229 | ||
230 | /* Look for optional ':' for port number */ | |
231 | if ((p = strchr(host, ':'))) | |
232 | { | |
233 | *p = 0; | |
234 | port = p + 1; | |
235 | } | |
236 | else | |
237 | { | |
238 | /* Not found: set default port */ | |
239 | if (*pssl) port = "443"; | |
240 | else port = "80"; | |
241 | } | |
242 | ||
243 | *pport = BUF_strdup(port); | |
244 | if (!*pport) goto mem_err; | |
245 | ||
246 | *phost = BUF_strdup(host); | |
247 | ||
248 | if (!*phost) goto mem_err; | |
249 | ||
250 | OPENSSL_free(buf); | |
251 | ||
252 | return 1; | |
253 | ||
254 | mem_err: | |
255 | OCSPerr(OCSP_F_OCSP_PARSE_URL, ERR_R_MALLOC_FAILURE); | |
256 | goto err; | |
257 | ||
258 | parse_err: | |
259 | OCSPerr(OCSP_F_OCSP_PARSE_URL, OCSP_R_ERROR_PARSING_URL); | |
260 | ||
261 | ||
262 | err: | |
263 | if (*ppath) OPENSSL_free(*ppath); | |
264 | if (*pport) OPENSSL_free(*pport); | |
265 | if (*phost) OPENSSL_free(*phost); | |
266 | return 0; | |
267 | ||
268 | } |