]> git.ipfire.org Git - thirdparty/openssl.git/blame - crypto/ts/ts_rsp_sign.c
Fix error handling in x509v3_cache_extensions and related functions
[thirdparty/openssl.git] / crypto / ts / ts_rsp_sign.c
CommitLineData
0f113f3e 1/*
ba4356ae 2 * Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved.
c7235be6 3 *
4f22f405
RS
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
c7235be6
UM
8 */
9
4cff10dc 10#include "e_os.h"
b39fc560 11#include "internal/cryptlib.h"
c7235be6 12
c7235be6
UM
13#include <openssl/objects.h>
14#include <openssl/ts.h>
15#include <openssl/pkcs7.h>
98c03302 16#include <openssl/crypto.h>
b5acbf91 17#include "ts_local.h"
c7235be6 18
c7235be6
UM
19static ASN1_INTEGER *def_serial_cb(struct TS_resp_ctx *, void *);
20static int def_time_cb(struct TS_resp_ctx *, void *, long *sec, long *usec);
21static int def_extension_cb(struct TS_resp_ctx *, X509_EXTENSION *, void *);
22
9c422b5b
RS
23static void ts_RESP_CTX_init(TS_RESP_CTX *ctx);
24static void ts_RESP_CTX_cleanup(TS_RESP_CTX *ctx);
25static int ts_RESP_check_request(TS_RESP_CTX *ctx);
26static ASN1_OBJECT *ts_RESP_get_policy(TS_RESP_CTX *ctx);
27static TS_TST_INFO *ts_RESP_create_tst_info(TS_RESP_CTX *ctx,
0f113f3e 28 ASN1_OBJECT *policy);
9c422b5b
RS
29static int ts_RESP_process_extensions(TS_RESP_CTX *ctx);
30static int ts_RESP_sign(TS_RESP_CTX *ctx);
c7235be6 31
9c422b5b 32static ESS_SIGNING_CERT *ess_SIGNING_CERT_new_init(X509 *signcert,
0f113f3e 33 STACK_OF(X509) *certs);
9c422b5b
RS
34static ESS_CERT_ID *ess_CERT_ID_new_init(X509 *cert, int issuer_needed);
35static int ts_TST_INFO_content_new(PKCS7 *p7);
f0ef20bf
MK
36static int ess_add_signing_cert(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT *sc);
37
38static ESS_SIGNING_CERT_V2 *ess_signing_cert_v2_new_init(const EVP_MD *hash_alg,
39 X509 *signcert,
40 STACK_OF(X509)
41 *certs);
42static ESS_CERT_ID_V2 *ess_cert_id_v2_new_init(const EVP_MD *hash_alg,
43 X509 *cert, int issuer_needed);
44static int ess_add_signing_cert_v2(PKCS7_SIGNER_INFO *si,
45 ESS_SIGNING_CERT_V2 *sc);
c7235be6 46
0f113f3e
MC
47static ASN1_GENERALIZEDTIME
48*TS_RESP_set_genTime_with_precision(ASN1_GENERALIZEDTIME *, long, long,
49 unsigned);
c7235be6 50
18cd23df 51/* Default callback for response generation. */
c7235be6 52static ASN1_INTEGER *def_serial_cb(struct TS_resp_ctx *ctx, void *data)
0f113f3e
MC
53{
54 ASN1_INTEGER *serial = ASN1_INTEGER_new();
18cd23df 55
90945fa3 56 if (serial == NULL)
0f113f3e
MC
57 goto err;
58 if (!ASN1_INTEGER_set(serial, 1))
59 goto err;
60 return serial;
18cd23df 61
c7235be6 62 err:
0f113f3e
MC
63 TSerr(TS_F_DEF_SERIAL_CB, ERR_R_MALLOC_FAILURE);
64 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION,
65 "Error during serial number generation.");
66 return NULL;
67}
c7235be6
UM
68
69#if defined(OPENSSL_SYS_UNIX)
70
0f113f3e
MC
71static int def_time_cb(struct TS_resp_ctx *ctx, void *data,
72 long *sec, long *usec)
73{
74 struct timeval tv;
75 if (gettimeofday(&tv, NULL) != 0) {
76 TSerr(TS_F_DEF_TIME_CB, TS_R_TIME_SYSCALL_ERROR);
77 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION,
78 "Time is not available.");
79 TS_RESP_CTX_add_failure_info(ctx, TS_INFO_TIME_NOT_AVAILABLE);
80 return 0;
81 }
0f113f3e
MC
82 *sec = tv.tv_sec;
83 *usec = tv.tv_usec;
84
85 return 1;
86}
c7235be6
UM
87
88#else
89
0f113f3e
MC
90static int def_time_cb(struct TS_resp_ctx *ctx, void *data,
91 long *sec, long *usec)
92{
93 time_t t;
94 if (time(&t) == (time_t)-1) {
95 TSerr(TS_F_DEF_TIME_CB, TS_R_TIME_SYSCALL_ERROR);
96 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION,
97 "Time is not available.");
98 TS_RESP_CTX_add_failure_info(ctx, TS_INFO_TIME_NOT_AVAILABLE);
99 return 0;
100 }
0f113f3e
MC
101 *sec = (long)t;
102 *usec = 0;
103
104 return 1;
105}
c7235be6
UM
106
107#endif
108
109static int def_extension_cb(struct TS_resp_ctx *ctx, X509_EXTENSION *ext,
0f113f3e
MC
110 void *data)
111{
0f113f3e
MC
112 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION,
113 "Unsupported extension.");
114 TS_RESP_CTX_add_failure_info(ctx, TS_INFO_UNACCEPTED_EXTENSION);
115 return 0;
116}
c7235be6
UM
117
118/* TS_RESP_CTX management functions. */
119
3cb7c5cf 120TS_RESP_CTX *TS_RESP_CTX_new(void)
0f113f3e
MC
121{
122 TS_RESP_CTX *ctx;
c7235be6 123
b51bce94 124 if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) == NULL) {
0f113f3e
MC
125 TSerr(TS_F_TS_RESP_CTX_NEW, ERR_R_MALLOC_FAILURE);
126 return NULL;
127 }
c7235be6 128
e20b4727
DSH
129 ctx->signer_md = EVP_sha256();
130
0f113f3e
MC
131 ctx->serial_cb = def_serial_cb;
132 ctx->time_cb = def_time_cb;
133 ctx->extension_cb = def_extension_cb;
c7235be6 134
0f113f3e
MC
135 return ctx;
136}
c7235be6
UM
137
138void TS_RESP_CTX_free(TS_RESP_CTX *ctx)
0f113f3e
MC
139{
140 if (!ctx)
141 return;
142
143 X509_free(ctx->signer_cert);
144 EVP_PKEY_free(ctx->signer_key);
145 sk_X509_pop_free(ctx->certs, X509_free);
146 sk_ASN1_OBJECT_pop_free(ctx->policies, ASN1_OBJECT_free);
147 ASN1_OBJECT_free(ctx->default_policy);
148 sk_EVP_MD_free(ctx->mds); /* No EVP_MD_free method exists. */
149 ASN1_INTEGER_free(ctx->seconds);
150 ASN1_INTEGER_free(ctx->millis);
151 ASN1_INTEGER_free(ctx->micros);
152 OPENSSL_free(ctx);
153}
c7235be6
UM
154
155int TS_RESP_CTX_set_signer_cert(TS_RESP_CTX *ctx, X509 *signer)
0f113f3e
MC
156{
157 if (X509_check_purpose(signer, X509_PURPOSE_TIMESTAMP_SIGN, 0) != 1) {
158 TSerr(TS_F_TS_RESP_CTX_SET_SIGNER_CERT,
159 TS_R_INVALID_SIGNER_CERTIFICATE_PURPOSE);
160 return 0;
161 }
222561fe 162 X509_free(ctx->signer_cert);
0f113f3e 163 ctx->signer_cert = signer;
05f0fb9f 164 X509_up_ref(ctx->signer_cert);
0f113f3e
MC
165 return 1;
166}
c7235be6
UM
167
168int TS_RESP_CTX_set_signer_key(TS_RESP_CTX *ctx, EVP_PKEY *key)
0f113f3e 169{
c5ba2d99 170 EVP_PKEY_free(ctx->signer_key);
0f113f3e 171 ctx->signer_key = key;
3aeb9348 172 EVP_PKEY_up_ref(ctx->signer_key);
c7235be6 173
0f113f3e
MC
174 return 1;
175}
c7235be6 176
e20b4727
DSH
177int TS_RESP_CTX_set_signer_digest(TS_RESP_CTX *ctx, const EVP_MD *md)
178{
179 ctx->signer_md = md;
180 return 1;
181}
182
c47ba4e9 183int TS_RESP_CTX_set_def_policy(TS_RESP_CTX *ctx, const ASN1_OBJECT *def_policy)
0f113f3e 184{
2ace7450 185 ASN1_OBJECT_free(ctx->default_policy);
75ebbd9a 186 if ((ctx->default_policy = OBJ_dup(def_policy)) == NULL)
0f113f3e
MC
187 goto err;
188 return 1;
c7235be6 189 err:
0f113f3e
MC
190 TSerr(TS_F_TS_RESP_CTX_SET_DEF_POLICY, ERR_R_MALLOC_FAILURE);
191 return 0;
192}
c7235be6
UM
193
194int TS_RESP_CTX_set_certs(TS_RESP_CTX *ctx, STACK_OF(X509) *certs)
0f113f3e
MC
195{
196
222561fe
RS
197 sk_X509_pop_free(ctx->certs, X509_free);
198 ctx->certs = NULL;
0f113f3e
MC
199 if (!certs)
200 return 1;
75ebbd9a 201 if ((ctx->certs = X509_chain_up_ref(certs)) == NULL) {
0f113f3e
MC
202 TSerr(TS_F_TS_RESP_CTX_SET_CERTS, ERR_R_MALLOC_FAILURE);
203 return 0;
204 }
205
206 return 1;
207}
c7235be6 208
c47ba4e9 209int TS_RESP_CTX_add_policy(TS_RESP_CTX *ctx, const ASN1_OBJECT *policy)
0f113f3e
MC
210{
211 ASN1_OBJECT *copy = NULL;
212
75ebbd9a
RS
213 if (ctx->policies == NULL
214 && (ctx->policies = sk_ASN1_OBJECT_new_null()) == NULL)
0f113f3e 215 goto err;
75ebbd9a 216 if ((copy = OBJ_dup(policy)) == NULL)
0f113f3e
MC
217 goto err;
218 if (!sk_ASN1_OBJECT_push(ctx->policies, copy))
219 goto err;
220
221 return 1;
c7235be6 222 err:
0f113f3e
MC
223 TSerr(TS_F_TS_RESP_CTX_ADD_POLICY, ERR_R_MALLOC_FAILURE);
224 ASN1_OBJECT_free(copy);
225 return 0;
226}
c7235be6
UM
227
228int TS_RESP_CTX_add_md(TS_RESP_CTX *ctx, const EVP_MD *md)
0f113f3e 229{
75ebbd9a
RS
230 if (ctx->mds == NULL
231 && (ctx->mds = sk_EVP_MD_new_null()) == NULL)
0f113f3e 232 goto err;
ac94c8fd 233 if (!sk_EVP_MD_push(ctx->mds, md))
0f113f3e
MC
234 goto err;
235
236 return 1;
c7235be6 237 err:
0f113f3e
MC
238 TSerr(TS_F_TS_RESP_CTX_ADD_MD, ERR_R_MALLOC_FAILURE);
239 return 0;
240}
241
242#define TS_RESP_CTX_accuracy_free(ctx) \
243 ASN1_INTEGER_free(ctx->seconds); \
244 ctx->seconds = NULL; \
245 ASN1_INTEGER_free(ctx->millis); \
246 ctx->millis = NULL; \
247 ASN1_INTEGER_free(ctx->micros); \
248 ctx->micros = NULL;
249
250int TS_RESP_CTX_set_accuracy(TS_RESP_CTX *ctx,
251 int secs, int millis, int micros)
252{
253
254 TS_RESP_CTX_accuracy_free(ctx);
75ebbd9a
RS
255 if (secs
256 && ((ctx->seconds = ASN1_INTEGER_new()) == NULL
257 || !ASN1_INTEGER_set(ctx->seconds, secs)))
0f113f3e 258 goto err;
75ebbd9a
RS
259 if (millis
260 && ((ctx->millis = ASN1_INTEGER_new()) == NULL
261 || !ASN1_INTEGER_set(ctx->millis, millis)))
0f113f3e 262 goto err;
75ebbd9a
RS
263 if (micros
264 && ((ctx->micros = ASN1_INTEGER_new()) == NULL
265 || !ASN1_INTEGER_set(ctx->micros, micros)))
0f113f3e
MC
266 goto err;
267
268 return 1;
c7235be6 269 err:
0f113f3e
MC
270 TS_RESP_CTX_accuracy_free(ctx);
271 TSerr(TS_F_TS_RESP_CTX_SET_ACCURACY, ERR_R_MALLOC_FAILURE);
272 return 0;
273}
c7235be6
UM
274
275void TS_RESP_CTX_add_flags(TS_RESP_CTX *ctx, int flags)
0f113f3e
MC
276{
277 ctx->flags |= flags;
278}
c7235be6
UM
279
280void TS_RESP_CTX_set_serial_cb(TS_RESP_CTX *ctx, TS_serial_cb cb, void *data)
0f113f3e
MC
281{
282 ctx->serial_cb = cb;
283 ctx->serial_cb_data = data;
284}
c7235be6
UM
285
286void TS_RESP_CTX_set_time_cb(TS_RESP_CTX *ctx, TS_time_cb cb, void *data)
0f113f3e
MC
287{
288 ctx->time_cb = cb;
289 ctx->time_cb_data = data;
290}
291
292void TS_RESP_CTX_set_extension_cb(TS_RESP_CTX *ctx,
293 TS_extension_cb cb, void *data)
294{
295 ctx->extension_cb = cb;
296 ctx->extension_cb_data = data;
297}
298
299int TS_RESP_CTX_set_status_info(TS_RESP_CTX *ctx,
300 int status, const char *text)
301{
302 TS_STATUS_INFO *si = NULL;
303 ASN1_UTF8STRING *utf8_text = NULL;
304 int ret = 0;
305
75ebbd9a 306 if ((si = TS_STATUS_INFO_new()) == NULL)
0f113f3e
MC
307 goto err;
308 if (!ASN1_INTEGER_set(si->status, status))
309 goto err;
310 if (text) {
75ebbd9a 311 if ((utf8_text = ASN1_UTF8STRING_new()) == NULL
0f113f3e
MC
312 || !ASN1_STRING_set(utf8_text, text, strlen(text)))
313 goto err;
75ebbd9a
RS
314 if (si->text == NULL
315 && (si->text = sk_ASN1_UTF8STRING_new_null()) == NULL)
0f113f3e
MC
316 goto err;
317 if (!sk_ASN1_UTF8STRING_push(si->text, utf8_text))
318 goto err;
319 utf8_text = NULL; /* Ownership is lost. */
320 }
321 if (!TS_RESP_set_status_info(ctx->response, si))
322 goto err;
323 ret = 1;
c7235be6 324 err:
0f113f3e
MC
325 if (!ret)
326 TSerr(TS_F_TS_RESP_CTX_SET_STATUS_INFO, ERR_R_MALLOC_FAILURE);
327 TS_STATUS_INFO_free(si);
328 ASN1_UTF8STRING_free(utf8_text);
329 return ret;
330}
331
332int TS_RESP_CTX_set_status_info_cond(TS_RESP_CTX *ctx,
333 int status, const char *text)
334{
335 int ret = 1;
ca4a494c 336 TS_STATUS_INFO *si = ctx->response->status_info;
0f113f3e
MC
337
338 if (ASN1_INTEGER_get(si->status) == TS_STATUS_GRANTED) {
0f113f3e
MC
339 ret = TS_RESP_CTX_set_status_info(ctx, status, text);
340 }
341 return ret;
342}
c7235be6
UM
343
344int TS_RESP_CTX_add_failure_info(TS_RESP_CTX *ctx, int failure)
0f113f3e 345{
ca4a494c 346 TS_STATUS_INFO *si = ctx->response->status_info;
75ebbd9a
RS
347 if (si->failure_info == NULL
348 && (si->failure_info = ASN1_BIT_STRING_new()) == NULL)
0f113f3e
MC
349 goto err;
350 if (!ASN1_BIT_STRING_set_bit(si->failure_info, failure, 1))
351 goto err;
352 return 1;
c7235be6 353 err:
0f113f3e
MC
354 TSerr(TS_F_TS_RESP_CTX_ADD_FAILURE_INFO, ERR_R_MALLOC_FAILURE);
355 return 0;
356}
c7235be6
UM
357
358TS_REQ *TS_RESP_CTX_get_request(TS_RESP_CTX *ctx)
0f113f3e
MC
359{
360 return ctx->request;
361}
c7235be6
UM
362
363TS_TST_INFO *TS_RESP_CTX_get_tst_info(TS_RESP_CTX *ctx)
0f113f3e
MC
364{
365 return ctx->tst_info;
366}
367
368int TS_RESP_CTX_set_clock_precision_digits(TS_RESP_CTX *ctx,
369 unsigned precision)
370{
371 if (precision > TS_MAX_CLOCK_PRECISION_DIGITS)
372 return 0;
373 ctx->clock_precision_digits = precision;
374 return 1;
375}
c7235be6
UM
376
377/* Main entry method of the response generation. */
378TS_RESP *TS_RESP_create_response(TS_RESP_CTX *ctx, BIO *req_bio)
0f113f3e
MC
379{
380 ASN1_OBJECT *policy;
381 TS_RESP *response;
382 int result = 0;
383
9c422b5b 384 ts_RESP_CTX_init(ctx);
0f113f3e 385
75ebbd9a 386 if ((ctx->response = TS_RESP_new()) == NULL) {
0f113f3e
MC
387 TSerr(TS_F_TS_RESP_CREATE_RESPONSE, ERR_R_MALLOC_FAILURE);
388 goto end;
389 }
75ebbd9a 390 if ((ctx->request = d2i_TS_REQ_bio(req_bio, NULL)) == NULL) {
0f113f3e 391 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION,
18cd23df 392 "Bad request format or system error.");
0f113f3e
MC
393 TS_RESP_CTX_add_failure_info(ctx, TS_INFO_BAD_DATA_FORMAT);
394 goto end;
395 }
0f113f3e
MC
396 if (!TS_RESP_CTX_set_status_info(ctx, TS_STATUS_GRANTED, NULL))
397 goto end;
9c422b5b 398 if (!ts_RESP_check_request(ctx))
0f113f3e 399 goto end;
9c422b5b 400 if ((policy = ts_RESP_get_policy(ctx)) == NULL)
0f113f3e 401 goto end;
9c422b5b 402 if ((ctx->tst_info = ts_RESP_create_tst_info(ctx, policy)) == NULL)
0f113f3e 403 goto end;
9c422b5b 404 if (!ts_RESP_process_extensions(ctx))
0f113f3e 405 goto end;
9c422b5b 406 if (!ts_RESP_sign(ctx))
0f113f3e 407 goto end;
0f113f3e 408 result = 1;
18cd23df 409
c7235be6 410 end:
0f113f3e
MC
411 if (!result) {
412 TSerr(TS_F_TS_RESP_CREATE_RESPONSE, TS_R_RESPONSE_SETUP_ERROR);
413 if (ctx->response != NULL) {
414 if (TS_RESP_CTX_set_status_info_cond(ctx,
415 TS_STATUS_REJECTION,
416 "Error during response "
417 "generation.") == 0) {
418 TS_RESP_free(ctx->response);
419 ctx->response = NULL;
420 }
421 }
422 }
423 response = ctx->response;
424 ctx->response = NULL; /* Ownership will be returned to caller. */
9c422b5b 425 ts_RESP_CTX_cleanup(ctx);
0f113f3e
MC
426 return response;
427}
c7235be6
UM
428
429/* Initializes the variable part of the context. */
9c422b5b 430static void ts_RESP_CTX_init(TS_RESP_CTX *ctx)
0f113f3e
MC
431{
432 ctx->request = NULL;
433 ctx->response = NULL;
434 ctx->tst_info = NULL;
435}
c7235be6
UM
436
437/* Cleans up the variable part of the context. */
9c422b5b 438static void ts_RESP_CTX_cleanup(TS_RESP_CTX *ctx)
0f113f3e
MC
439{
440 TS_REQ_free(ctx->request);
441 ctx->request = NULL;
442 TS_RESP_free(ctx->response);
443 ctx->response = NULL;
444 TS_TST_INFO_free(ctx->tst_info);
445 ctx->tst_info = NULL;
446}
c7235be6
UM
447
448/* Checks the format and content of the request. */
9c422b5b 449static int ts_RESP_check_request(TS_RESP_CTX *ctx)
0f113f3e
MC
450{
451 TS_REQ *request = ctx->request;
452 TS_MSG_IMPRINT *msg_imprint;
453 X509_ALGOR *md_alg;
454 int md_alg_id;
455 const ASN1_OCTET_STRING *digest;
ac94c8fd 456 const EVP_MD *md = NULL;
0f113f3e
MC
457 int i;
458
0f113f3e
MC
459 if (TS_REQ_get_version(request) != 1) {
460 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION,
461 "Bad request version.");
462 TS_RESP_CTX_add_failure_info(ctx, TS_INFO_BAD_REQUEST);
463 return 0;
464 }
465
ca4a494c
RS
466 msg_imprint = request->msg_imprint;
467 md_alg = msg_imprint->hash_algo;
0f113f3e
MC
468 md_alg_id = OBJ_obj2nid(md_alg->algorithm);
469 for (i = 0; !md && i < sk_EVP_MD_num(ctx->mds); ++i) {
ac94c8fd 470 const EVP_MD *current_md = sk_EVP_MD_value(ctx->mds, i);
0f113f3e
MC
471 if (md_alg_id == EVP_MD_type(current_md))
472 md = current_md;
473 }
474 if (!md) {
475 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION,
476 "Message digest algorithm is "
477 "not supported.");
478 TS_RESP_CTX_add_failure_info(ctx, TS_INFO_BAD_ALG);
479 return 0;
480 }
481
0f113f3e
MC
482 if (md_alg->parameter && ASN1_TYPE_get(md_alg->parameter) != V_ASN1_NULL) {
483 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION,
484 "Superfluous message digest "
485 "parameter.");
486 TS_RESP_CTX_add_failure_info(ctx, TS_INFO_BAD_ALG);
487 return 0;
488 }
ca4a494c 489 digest = msg_imprint->hashed_msg;
0f113f3e
MC
490 if (digest->length != EVP_MD_size(md)) {
491 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION,
492 "Bad message digest.");
493 TS_RESP_CTX_add_failure_info(ctx, TS_INFO_BAD_DATA_FORMAT);
494 return 0;
495 }
496
497 return 1;
498}
c7235be6 499
b4e88ccb 500/* Returns the TSA policy based on the requested and acceptable policies. */
9c422b5b 501static ASN1_OBJECT *ts_RESP_get_policy(TS_RESP_CTX *ctx)
0f113f3e 502{
ca4a494c 503 ASN1_OBJECT *requested = ctx->request->policy_id;
0f113f3e
MC
504 ASN1_OBJECT *policy = NULL;
505 int i;
506
507 if (ctx->default_policy == NULL) {
508 TSerr(TS_F_TS_RESP_GET_POLICY, TS_R_INVALID_NULL_POINTER);
509 return NULL;
510 }
0f113f3e
MC
511 if (!requested || !OBJ_cmp(requested, ctx->default_policy))
512 policy = ctx->default_policy;
513
514 /* Check if the policy is acceptable. */
515 for (i = 0; !policy && i < sk_ASN1_OBJECT_num(ctx->policies); ++i) {
516 ASN1_OBJECT *current = sk_ASN1_OBJECT_value(ctx->policies, i);
517 if (!OBJ_cmp(requested, current))
518 policy = current;
519 }
520 if (!policy) {
521 TSerr(TS_F_TS_RESP_GET_POLICY, TS_R_UNACCEPTABLE_POLICY);
522 TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION,
523 "Requested policy is not " "supported.");
524 TS_RESP_CTX_add_failure_info(ctx, TS_INFO_UNACCEPTED_POLICY);
525 }
526 return policy;
527}
c7235be6
UM
528
529/* Creates the TS_TST_INFO object based on the settings of the context. */
9c422b5b 530static TS_TST_INFO *ts_RESP_create_tst_info(TS_RESP_CTX *ctx,
0f113f3e
MC
531 ASN1_OBJECT *policy)
532{
533 int result = 0;
534 TS_TST_INFO *tst_info = NULL;
535 ASN1_INTEGER *serial = NULL;
536 ASN1_GENERALIZEDTIME *asn1_time = NULL;
537 long sec, usec;
538 TS_ACCURACY *accuracy = NULL;
539 const ASN1_INTEGER *nonce;
540 GENERAL_NAME *tsa_name = NULL;
541
75ebbd9a 542 if ((tst_info = TS_TST_INFO_new()) == NULL)
0f113f3e
MC
543 goto end;
544 if (!TS_TST_INFO_set_version(tst_info, 1))
545 goto end;
546 if (!TS_TST_INFO_set_policy_id(tst_info, policy))
547 goto end;
548 if (!TS_TST_INFO_set_msg_imprint(tst_info, ctx->request->msg_imprint))
549 goto end;
75ebbd9a 550 if ((serial = ctx->serial_cb(ctx, ctx->serial_cb_data)) == NULL
0f113f3e
MC
551 || !TS_TST_INFO_set_serial(tst_info, serial))
552 goto end;
75ebbd9a
RS
553 if (!ctx->time_cb(ctx, ctx->time_cb_data, &sec, &usec)
554 || (asn1_time =
555 TS_RESP_set_genTime_with_precision(NULL, sec, usec,
556 ctx->clock_precision_digits)) == NULL
0f113f3e
MC
557 || !TS_TST_INFO_set_time(tst_info, asn1_time))
558 goto end;
559
0f113f3e 560 if ((ctx->seconds || ctx->millis || ctx->micros)
75ebbd9a 561 && (accuracy = TS_ACCURACY_new()) == NULL)
0f113f3e 562 goto end;
0f113f3e
MC
563 if (ctx->seconds && !TS_ACCURACY_set_seconds(accuracy, ctx->seconds))
564 goto end;
565 if (ctx->millis && !TS_ACCURACY_set_millis(accuracy, ctx->millis))
566 goto end;
567 if (ctx->micros && !TS_ACCURACY_set_micros(accuracy, ctx->micros))
568 goto end;
569 if (accuracy && !TS_TST_INFO_set_accuracy(tst_info, accuracy))
570 goto end;
571
0f113f3e
MC
572 if ((ctx->flags & TS_ORDERING)
573 && !TS_TST_INFO_set_ordering(tst_info, 1))
574 goto end;
575
ca4a494c 576 if ((nonce = ctx->request->nonce) != NULL
0f113f3e
MC
577 && !TS_TST_INFO_set_nonce(tst_info, nonce))
578 goto end;
579
0f113f3e 580 if (ctx->flags & TS_TSA_NAME) {
75ebbd9a 581 if ((tsa_name = GENERAL_NAME_new()) == NULL)
0f113f3e
MC
582 goto end;
583 tsa_name->type = GEN_DIRNAME;
584 tsa_name->d.dirn =
a8d8e06b 585 X509_NAME_dup(X509_get_subject_name(ctx->signer_cert));
0f113f3e
MC
586 if (!tsa_name->d.dirn)
587 goto end;
588 if (!TS_TST_INFO_set_tsa(tst_info, tsa_name))
589 goto end;
590 }
591
592 result = 1;
c7235be6 593 end:
0f113f3e
MC
594 if (!result) {
595 TS_TST_INFO_free(tst_info);
596 tst_info = NULL;
597 TSerr(TS_F_TS_RESP_CREATE_TST_INFO, TS_R_TST_INFO_SETUP_ERROR);
598 TS_RESP_CTX_set_status_info_cond(ctx, TS_STATUS_REJECTION,
599 "Error during TSTInfo "
600 "generation.");
601 }
602 GENERAL_NAME_free(tsa_name);
603 TS_ACCURACY_free(accuracy);
604 ASN1_GENERALIZEDTIME_free(asn1_time);
605 ASN1_INTEGER_free(serial);
606
607 return tst_info;
608}
c7235be6
UM
609
610/* Processing the extensions of the request. */
9c422b5b 611static int ts_RESP_process_extensions(TS_RESP_CTX *ctx)
0f113f3e 612{
ca4a494c 613 STACK_OF(X509_EXTENSION) *exts = ctx->request->extensions;
0f113f3e
MC
614 int i;
615 int ok = 1;
616
617 for (i = 0; ok && i < sk_X509_EXTENSION_num(exts); ++i) {
618 X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, i);
619 /*
18cd23df 620 * The last argument was previously (void *)ctx->extension_cb,
0f113f3e
MC
621 * but ISO C doesn't permit converting a function pointer to void *.
622 * For lack of better information, I'm placing a NULL there instead.
623 * The callback can pick its own address out from the ctx anyway...
624 */
625 ok = (*ctx->extension_cb) (ctx, ext, NULL);
626 }
627
628 return ok;
629}
c7235be6
UM
630
631/* Functions for signing the TS_TST_INFO structure of the context. */
9c422b5b 632static int ts_RESP_sign(TS_RESP_CTX *ctx)
0f113f3e
MC
633{
634 int ret = 0;
635 PKCS7 *p7 = NULL;
636 PKCS7_SIGNER_INFO *si;
637 STACK_OF(X509) *certs; /* Certificates to include in sc. */
f0ef20bf 638 ESS_SIGNING_CERT_V2 *sc2 = NULL;
0f113f3e
MC
639 ESS_SIGNING_CERT *sc = NULL;
640 ASN1_OBJECT *oid;
641 BIO *p7bio = NULL;
642 int i;
643
0f113f3e
MC
644 if (!X509_check_private_key(ctx->signer_cert, ctx->signer_key)) {
645 TSerr(TS_F_TS_RESP_SIGN, TS_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
646 goto err;
647 }
648
75ebbd9a 649 if ((p7 = PKCS7_new()) == NULL) {
0f113f3e
MC
650 TSerr(TS_F_TS_RESP_SIGN, ERR_R_MALLOC_FAILURE);
651 goto err;
652 }
653 if (!PKCS7_set_type(p7, NID_pkcs7_signed))
654 goto err;
0f113f3e
MC
655 if (!ASN1_INTEGER_set(p7->d.sign->version, 3))
656 goto err;
657
ca4a494c 658 if (ctx->request->cert_req) {
0f113f3e
MC
659 PKCS7_add_certificate(p7, ctx->signer_cert);
660 if (ctx->certs) {
661 for (i = 0; i < sk_X509_num(ctx->certs); ++i) {
662 X509 *cert = sk_X509_value(ctx->certs, i);
663 PKCS7_add_certificate(p7, cert);
664 }
665 }
666 }
667
75ebbd9a 668 if ((si = PKCS7_add_signature(p7, ctx->signer_cert,
e20b4727 669 ctx->signer_key, ctx->signer_md)) == NULL) {
0f113f3e
MC
670 TSerr(TS_F_TS_RESP_SIGN, TS_R_PKCS7_ADD_SIGNATURE_ERROR);
671 goto err;
672 }
673
0f113f3e
MC
674 oid = OBJ_nid2obj(NID_id_smime_ct_TSTInfo);
675 if (!PKCS7_add_signed_attribute(si, NID_pkcs9_contentType,
676 V_ASN1_OBJECT, oid)) {
677 TSerr(TS_F_TS_RESP_SIGN, TS_R_PKCS7_ADD_SIGNED_ATTR_ERROR);
678 goto err;
679 }
680
0f113f3e 681 certs = ctx->flags & TS_ESS_CERT_ID_CHAIN ? ctx->certs : NULL;
d597208c
RL
682 if (ctx->ess_cert_id_digest == NULL
683 || ctx->ess_cert_id_digest == EVP_sha1()) {
f0ef20bf
MK
684 if ((sc = ess_SIGNING_CERT_new_init(ctx->signer_cert, certs)) == NULL)
685 goto err;
686
687 if (!ess_add_signing_cert(si, sc)) {
688 TSerr(TS_F_TS_RESP_SIGN, TS_R_ESS_ADD_SIGNING_CERT_ERROR);
689 goto err;
690 }
691 } else {
692 sc2 = ess_signing_cert_v2_new_init(ctx->ess_cert_id_digest,
693 ctx->signer_cert, certs);
694 if (sc2 == NULL)
695 goto err;
696
697 if (!ess_add_signing_cert_v2(si, sc2)) {
698 TSerr(TS_F_TS_RESP_SIGN, TS_R_ESS_ADD_SIGNING_CERT_V2_ERROR);
699 goto err;
700 }
0f113f3e
MC
701 }
702
9c422b5b 703 if (!ts_TST_INFO_content_new(p7))
0f113f3e 704 goto err;
75ebbd9a 705 if ((p7bio = PKCS7_dataInit(p7, NULL)) == NULL) {
0f113f3e
MC
706 TSerr(TS_F_TS_RESP_SIGN, ERR_R_MALLOC_FAILURE);
707 goto err;
708 }
0f113f3e
MC
709 if (!i2d_TS_TST_INFO_bio(p7bio, ctx->tst_info)) {
710 TSerr(TS_F_TS_RESP_SIGN, TS_R_TS_DATASIGN);
711 goto err;
712 }
0f113f3e
MC
713 if (!PKCS7_dataFinal(p7, p7bio)) {
714 TSerr(TS_F_TS_RESP_SIGN, TS_R_TS_DATASIGN);
715 goto err;
716 }
0f113f3e
MC
717 TS_RESP_set_tst_info(ctx->response, p7, ctx->tst_info);
718 p7 = NULL; /* Ownership is lost. */
719 ctx->tst_info = NULL; /* Ownership is lost. */
720
721 ret = 1;
c7235be6 722 err:
0f113f3e
MC
723 if (!ret)
724 TS_RESP_CTX_set_status_info_cond(ctx, TS_STATUS_REJECTION,
725 "Error during signature "
726 "generation.");
727 BIO_free_all(p7bio);
f0ef20bf 728 ESS_SIGNING_CERT_V2_free(sc2);
0f113f3e
MC
729 ESS_SIGNING_CERT_free(sc);
730 PKCS7_free(p7);
731 return ret;
732}
733
9c422b5b 734static ESS_SIGNING_CERT *ess_SIGNING_CERT_new_init(X509 *signcert,
0f113f3e
MC
735 STACK_OF(X509) *certs)
736{
737 ESS_CERT_ID *cid;
738 ESS_SIGNING_CERT *sc = NULL;
739 int i;
740
75ebbd9a 741 if ((sc = ESS_SIGNING_CERT_new()) == NULL)
0f113f3e 742 goto err;
75ebbd9a
RS
743 if (sc->cert_ids == NULL
744 && (sc->cert_ids = sk_ESS_CERT_ID_new_null()) == NULL)
0f113f3e
MC
745 goto err;
746
9c422b5b 747 if ((cid = ess_CERT_ID_new_init(signcert, 0)) == NULL
0f113f3e
MC
748 || !sk_ESS_CERT_ID_push(sc->cert_ids, cid))
749 goto err;
0f113f3e
MC
750 for (i = 0; i < sk_X509_num(certs); ++i) {
751 X509 *cert = sk_X509_value(certs, i);
9c422b5b 752 if ((cid = ess_CERT_ID_new_init(cert, 1)) == NULL
0f113f3e
MC
753 || !sk_ESS_CERT_ID_push(sc->cert_ids, cid))
754 goto err;
755 }
756
757 return sc;
758 err:
759 ESS_SIGNING_CERT_free(sc);
760 TSerr(TS_F_ESS_SIGNING_CERT_NEW_INIT, ERR_R_MALLOC_FAILURE);
761 return NULL;
762}
c7235be6 763
9c422b5b 764static ESS_CERT_ID *ess_CERT_ID_new_init(X509 *cert, int issuer_needed)
0f113f3e
MC
765{
766 ESS_CERT_ID *cid = NULL;
767 GENERAL_NAME *name = NULL;
7e418832 768 unsigned char cert_sha1[SHA_DIGEST_LENGTH];
0f113f3e 769
109f8b5d 770 /* Call for side-effect of computing hash and caching extensions */
0f113f3e 771 X509_check_purpose(cert, -1, 0);
75ebbd9a 772 if ((cid = ESS_CERT_ID_new()) == NULL)
0f113f3e 773 goto err;
ba4356ae
BE
774 if (!X509_digest(cert, EVP_sha1(), cert_sha1, NULL))
775 goto err;
7e418832 776 if (!ASN1_OCTET_STRING_set(cid->hash, cert_sha1, SHA_DIGEST_LENGTH))
0f113f3e
MC
777 goto err;
778
779 /* Setting the issuer/serial if requested. */
780 if (issuer_needed) {
75ebbd9a
RS
781 if (cid->issuer_serial == NULL
782 && (cid->issuer_serial = ESS_ISSUER_SERIAL_new()) == NULL)
0f113f3e 783 goto err;
75ebbd9a 784 if ((name = GENERAL_NAME_new()) == NULL)
0f113f3e
MC
785 goto err;
786 name->type = GEN_DIRNAME;
a8d8e06b 787 if ((name->d.dirn = X509_NAME_dup(X509_get_issuer_name(cert))) == NULL)
0f113f3e
MC
788 goto err;
789 if (!sk_GENERAL_NAME_push(cid->issuer_serial->issuer, name))
790 goto err;
791 name = NULL; /* Ownership is lost. */
0f113f3e
MC
792 ASN1_INTEGER_free(cid->issuer_serial->serial);
793 if (!(cid->issuer_serial->serial =
a8d8e06b 794 ASN1_INTEGER_dup(X509_get_serialNumber(cert))))
0f113f3e
MC
795 goto err;
796 }
797
798 return cid;
799 err:
800 GENERAL_NAME_free(name);
801 ESS_CERT_ID_free(cid);
802 TSerr(TS_F_ESS_CERT_ID_NEW_INIT, ERR_R_MALLOC_FAILURE);
803 return NULL;
804}
c7235be6 805
9c422b5b 806static int ts_TST_INFO_content_new(PKCS7 *p7)
0f113f3e
MC
807{
808 PKCS7 *ret = NULL;
809 ASN1_OCTET_STRING *octet_string = NULL;
810
811 /* Create new encapsulated NID_id_smime_ct_TSTInfo content. */
75ebbd9a 812 if ((ret = PKCS7_new()) == NULL)
0f113f3e 813 goto err;
75ebbd9a 814 if ((ret->d.other = ASN1_TYPE_new()) == NULL)
0f113f3e
MC
815 goto err;
816 ret->type = OBJ_nid2obj(NID_id_smime_ct_TSTInfo);
75ebbd9a 817 if ((octet_string = ASN1_OCTET_STRING_new()) == NULL)
0f113f3e
MC
818 goto err;
819 ASN1_TYPE_set(ret->d.other, V_ASN1_OCTET_STRING, octet_string);
820 octet_string = NULL;
821
822 /* Add encapsulated content to signed PKCS7 structure. */
823 if (!PKCS7_set_content(p7, ret))
824 goto err;
825
826 return 1;
c7235be6 827 err:
0f113f3e
MC
828 ASN1_OCTET_STRING_free(octet_string);
829 PKCS7_free(ret);
830 return 0;
831}
c7235be6 832
f0ef20bf 833static int ess_add_signing_cert(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT *sc)
0f113f3e
MC
834{
835 ASN1_STRING *seq = NULL;
836 unsigned char *p, *pp = NULL;
837 int len;
838
839 len = i2d_ESS_SIGNING_CERT(sc, NULL);
75ebbd9a 840 if ((pp = OPENSSL_malloc(len)) == NULL) {
0f113f3e
MC
841 TSerr(TS_F_ESS_ADD_SIGNING_CERT, ERR_R_MALLOC_FAILURE);
842 goto err;
843 }
844 p = pp;
845 i2d_ESS_SIGNING_CERT(sc, &p);
75ebbd9a 846 if ((seq = ASN1_STRING_new()) == NULL || !ASN1_STRING_set(seq, pp, len)) {
0f113f3e
MC
847 TSerr(TS_F_ESS_ADD_SIGNING_CERT, ERR_R_MALLOC_FAILURE);
848 goto err;
849 }
850 OPENSSL_free(pp);
851 pp = NULL;
852 return PKCS7_add_signed_attribute(si,
853 NID_id_smime_aa_signingCertificate,
854 V_ASN1_SEQUENCE, seq);
c7235be6 855 err:
0f113f3e
MC
856 ASN1_STRING_free(seq);
857 OPENSSL_free(pp);
858
859 return 0;
860}
861
f0ef20bf
MK
862static ESS_SIGNING_CERT_V2 *ess_signing_cert_v2_new_init(const EVP_MD *hash_alg,
863 X509 *signcert,
864 STACK_OF(X509) *certs)
865{
866 ESS_CERT_ID_V2 *cid = NULL;
867 ESS_SIGNING_CERT_V2 *sc = NULL;
868 int i;
869
870 if ((sc = ESS_SIGNING_CERT_V2_new()) == NULL)
871 goto err;
872 if ((cid = ess_cert_id_v2_new_init(hash_alg, signcert, 0)) == NULL)
873 goto err;
874 if (!sk_ESS_CERT_ID_V2_push(sc->cert_ids, cid))
875 goto err;
876 cid = NULL;
877
878 for (i = 0; i < sk_X509_num(certs); ++i) {
879 X509 *cert = sk_X509_value(certs, i);
880
881 if ((cid = ess_cert_id_v2_new_init(hash_alg, cert, 1)) == NULL)
882 goto err;
883 if (!sk_ESS_CERT_ID_V2_push(sc->cert_ids, cid))
884 goto err;
885 cid = NULL;
886 }
887
888 return sc;
889 err:
890 ESS_SIGNING_CERT_V2_free(sc);
891 ESS_CERT_ID_V2_free(cid);
892 TSerr(TS_F_ESS_SIGNING_CERT_V2_NEW_INIT, ERR_R_MALLOC_FAILURE);
893 return NULL;
894}
895
896static ESS_CERT_ID_V2 *ess_cert_id_v2_new_init(const EVP_MD *hash_alg,
897 X509 *cert, int issuer_needed)
898{
899 ESS_CERT_ID_V2 *cid = NULL;
900 GENERAL_NAME *name = NULL;
901 unsigned char hash[EVP_MAX_MD_SIZE];
902 unsigned int hash_len = sizeof(hash);
903 X509_ALGOR *alg = NULL;
904
905 memset(hash, 0, sizeof(hash));
906
907 if ((cid = ESS_CERT_ID_V2_new()) == NULL)
908 goto err;
909
910 if (hash_alg != EVP_sha256()) {
911 alg = X509_ALGOR_new();
912 if (alg == NULL)
913 goto err;
914 X509_ALGOR_set_md(alg, hash_alg);
915 if (alg->algorithm == NULL)
916 goto err;
917 cid->hash_alg = alg;
918 alg = NULL;
919 } else {
920 cid->hash_alg = NULL;
921 }
922
923 if (!X509_digest(cert, hash_alg, hash, &hash_len))
924 goto err;
925
926 if (!ASN1_OCTET_STRING_set(cid->hash, hash, hash_len))
927 goto err;
928
929 if (issuer_needed) {
930 if ((cid->issuer_serial = ESS_ISSUER_SERIAL_new()) == NULL)
931 goto err;
932 if ((name = GENERAL_NAME_new()) == NULL)
933 goto err;
934 name->type = GEN_DIRNAME;
935 if ((name->d.dirn = X509_NAME_dup(X509_get_issuer_name(cert))) == NULL)
936 goto err;
937 if (!sk_GENERAL_NAME_push(cid->issuer_serial->issuer, name))
938 goto err;
939 name = NULL; /* Ownership is lost. */
940 ASN1_INTEGER_free(cid->issuer_serial->serial);
941 cid->issuer_serial->serial =
942 ASN1_INTEGER_dup(X509_get_serialNumber(cert));
943 if (cid->issuer_serial->serial == NULL)
944 goto err;
945 }
946
947 return cid;
948 err:
949 X509_ALGOR_free(alg);
950 GENERAL_NAME_free(name);
951 ESS_CERT_ID_V2_free(cid);
952 TSerr(TS_F_ESS_CERT_ID_V2_NEW_INIT, ERR_R_MALLOC_FAILURE);
953 return NULL;
954}
955
956static int ess_add_signing_cert_v2(PKCS7_SIGNER_INFO *si,
957 ESS_SIGNING_CERT_V2 *sc)
958{
959 ASN1_STRING *seq = NULL;
960 unsigned char *p, *pp = NULL;
961 int len = i2d_ESS_SIGNING_CERT_V2(sc, NULL);
962
963 if ((pp = OPENSSL_malloc(len)) == NULL) {
964 TSerr(TS_F_ESS_ADD_SIGNING_CERT_V2, ERR_R_MALLOC_FAILURE);
965 goto err;
966 }
967
968 p = pp;
969 i2d_ESS_SIGNING_CERT_V2(sc, &p);
970 if ((seq = ASN1_STRING_new()) == NULL || !ASN1_STRING_set(seq, pp, len)) {
971 TSerr(TS_F_ESS_ADD_SIGNING_CERT_V2, ERR_R_MALLOC_FAILURE);
972 goto err;
973 }
974
975 OPENSSL_free(pp);
976 pp = NULL;
977 return PKCS7_add_signed_attribute(si,
978 NID_id_smime_aa_signingCertificateV2,
979 V_ASN1_SEQUENCE, seq);
980 err:
981 ASN1_STRING_free(seq);
982 OPENSSL_free(pp);
983 return 0;
984}
985
986static ASN1_GENERALIZEDTIME *TS_RESP_set_genTime_with_precision(
987 ASN1_GENERALIZEDTIME *asn1_time, long sec, long usec,
988 unsigned precision)
0f113f3e
MC
989{
990 time_t time_sec = (time_t)sec;
98c03302 991 struct tm *tm = NULL, tm_result;
0f113f3e
MC
992 char genTime_str[17 + TS_MAX_CLOCK_PRECISION_DIGITS];
993 char *p = genTime_str;
994 char *p_end = genTime_str + sizeof(genTime_str);
995
996 if (precision > TS_MAX_CLOCK_PRECISION_DIGITS)
997 goto err;
998
98c03302 999 if ((tm = OPENSSL_gmtime(&time_sec, &tm_result)) == NULL)
0f113f3e
MC
1000 goto err;
1001
1002 /*
1003 * Put "genTime_str" in GeneralizedTime format. We work around the
1004 * restrictions imposed by rfc3280 (i.e. "GeneralizedTime values MUST
1005 * NOT include fractional seconds") and OpenSSL related functions to
1006 * meet the rfc3161 requirement: "GeneralizedTime syntax can include
1007 * fraction-of-second details".
1008 */
1009 p += BIO_snprintf(p, p_end - p,
1010 "%04d%02d%02d%02d%02d%02d",
1011 tm->tm_year + 1900, tm->tm_mon + 1, tm->tm_mday,
1012 tm->tm_hour, tm->tm_min, tm->tm_sec);
1013 if (precision > 0) {
0f113f3e 1014 BIO_snprintf(p, 2 + precision, ".%06ld", usec);
0f113f3e
MC
1015 p += strlen(p);
1016
1017 /*
1018 * To make things a bit harder, X.690 | ISO/IEC 8825-1 provides the
1019 * following restrictions for a DER-encoding, which OpenSSL
1020 * (specifically ASN1_GENERALIZEDTIME_check() function) doesn't
1021 * support: "The encoding MUST terminate with a "Z" (which means
1022 * "Zulu" time). The decimal point element, if present, MUST be the
1023 * point option ".". The fractional-seconds elements, if present,
1024 * MUST omit all trailing 0's; if the elements correspond to 0, they
1025 * MUST be wholly omitted, and the decimal point element also MUST be
1026 * omitted."
1027 */
1028 /*
1029 * Remove trailing zeros. The dot guarantees the exit condition of
1030 * this loop even if all the digits are zero.
1031 */
1032 while (*--p == '0')
18cd23df 1033 continue;
0f113f3e
MC
1034 if (*p != '.')
1035 ++p;
1036 }
0f113f3e
MC
1037 *p++ = 'Z';
1038 *p++ = '\0';
1039
75ebbd9a
RS
1040 if (asn1_time == NULL
1041 && (asn1_time = ASN1_GENERALIZEDTIME_new()) == NULL)
0f113f3e
MC
1042 goto err;
1043 if (!ASN1_GENERALIZEDTIME_set_string(asn1_time, genTime_str)) {
1044 ASN1_GENERALIZEDTIME_free(asn1_time);
1045 goto err;
1046 }
0f113f3e 1047 return asn1_time;
18cd23df 1048
c7235be6 1049 err:
0f113f3e
MC
1050 TSerr(TS_F_TS_RESP_SET_GENTIME_WITH_PRECISION, TS_R_COULD_NOT_SET_TIME);
1051 return NULL;
1052}
f0ef20bf
MK
1053
1054int TS_RESP_CTX_set_ess_cert_id_digest(TS_RESP_CTX *ctx, const EVP_MD *md)
1055{
1056 ctx->ess_cert_id_digest = md;
1057 return 1;
1058}