2 * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/ocsp.h>
12 #include <openssl/err.h>
15 static int ocsp_find_signer(X509
**psigner
, OCSP_BASICRESP
*bs
,
16 STACK_OF(X509
) *certs
, unsigned long flags
);
17 static X509
*ocsp_find_signer_sk(STACK_OF(X509
) *certs
, OCSP_RESPID
*id
);
18 static int ocsp_check_issuer(OCSP_BASICRESP
*bs
, STACK_OF(X509
) *chain
);
19 static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP
) *sresp
,
21 static int ocsp_match_issuerid(X509
*cert
, OCSP_CERTID
*cid
,
22 STACK_OF(OCSP_SINGLERESP
) *sresp
);
23 static int ocsp_check_delegated(X509
*x
);
24 static int ocsp_req_find_signer(X509
**psigner
, OCSP_REQUEST
*req
,
25 X509_NAME
*nm
, STACK_OF(X509
) *certs
,
28 /* Verify a basic response message */
30 int OCSP_basic_verify(OCSP_BASICRESP
*bs
, STACK_OF(X509
) *certs
,
31 X509_STORE
*st
, unsigned long flags
)
34 STACK_OF(X509
) *chain
= NULL
;
35 STACK_OF(X509
) *untrusted
= NULL
;
36 X509_STORE_CTX
*ctx
= NULL
;
37 int i
, ret
= ocsp_find_signer(&signer
, bs
, certs
, flags
);
40 OCSPerr(OCSP_F_OCSP_BASIC_VERIFY
,
41 OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND
);
44 ctx
= X509_STORE_CTX_new();
46 OCSPerr(OCSP_F_OCSP_BASIC_VERIFY
, ERR_R_MALLOC_FAILURE
);
49 if ((ret
== 2) && (flags
& OCSP_TRUSTOTHER
))
50 flags
|= OCSP_NOVERIFY
;
51 if (!(flags
& OCSP_NOSIGS
)) {
53 skey
= X509_get0_pubkey(signer
);
55 OCSPerr(OCSP_F_OCSP_BASIC_VERIFY
, OCSP_R_NO_SIGNER_KEY
);
58 ret
= OCSP_BASICRESP_verify(bs
, skey
, 0);
60 OCSPerr(OCSP_F_OCSP_BASIC_VERIFY
, OCSP_R_SIGNATURE_FAILURE
);
64 if (!(flags
& OCSP_NOVERIFY
)) {
66 if (flags
& OCSP_NOCHAIN
) {
68 } else if (bs
->certs
&& certs
) {
69 untrusted
= sk_X509_dup(bs
->certs
);
70 for (i
= 0; i
< sk_X509_num(certs
); i
++) {
71 if (!sk_X509_push(untrusted
, sk_X509_value(certs
, i
))) {
72 OCSPerr(OCSP_F_OCSP_BASIC_VERIFY
, ERR_R_MALLOC_FAILURE
);
77 untrusted
= bs
->certs
;
79 init_res
= X509_STORE_CTX_init(ctx
, st
, signer
, untrusted
);
81 OCSPerr(OCSP_F_OCSP_BASIC_VERIFY
, ERR_R_X509_LIB
);
85 X509_STORE_CTX_set_purpose(ctx
, X509_PURPOSE_OCSP_HELPER
);
86 ret
= X509_verify_cert(ctx
);
87 chain
= X509_STORE_CTX_get1_chain(ctx
);
89 i
= X509_STORE_CTX_get_error(ctx
);
90 OCSPerr(OCSP_F_OCSP_BASIC_VERIFY
,
91 OCSP_R_CERTIFICATE_VERIFY_ERROR
);
92 ERR_add_error_data(2, "Verify error:",
93 X509_verify_cert_error_string(i
));
96 if (flags
& OCSP_NOCHECKS
) {
101 * At this point we have a valid certificate chain need to verify it
102 * against the OCSP issuer criteria.
104 ret
= ocsp_check_issuer(bs
, chain
);
106 /* If fatal error or valid match then finish */
111 * Easy case: explicitly trusted. Get root CA and check for explicit
114 if (flags
& OCSP_NOEXPLICIT
)
117 x
= sk_X509_value(chain
, sk_X509_num(chain
) - 1);
118 if (X509_check_trust(x
, NID_OCSP_sign
, 0) != X509_TRUST_TRUSTED
) {
119 OCSPerr(OCSP_F_OCSP_BASIC_VERIFY
, OCSP_R_ROOT_CA_NOT_TRUSTED
);
125 X509_STORE_CTX_free(ctx
);
126 sk_X509_pop_free(chain
, X509_free
);
127 if (bs
->certs
&& certs
)
128 sk_X509_free(untrusted
);
139 static int ocsp_find_signer(X509
**psigner
, OCSP_BASICRESP
*bs
,
140 STACK_OF(X509
) *certs
, unsigned long flags
)
143 OCSP_RESPID
*rid
= &bs
->tbsResponseData
.responderId
;
144 if ((signer
= ocsp_find_signer_sk(certs
, rid
))) {
148 if (!(flags
& OCSP_NOINTERN
) &&
149 (signer
= ocsp_find_signer_sk(bs
->certs
, rid
))) {
153 /* Maybe lookup from store if by subject name */
159 static X509
*ocsp_find_signer_sk(STACK_OF(X509
) *certs
, OCSP_RESPID
*id
)
162 unsigned char tmphash
[SHA_DIGEST_LENGTH
], *keyhash
;
165 /* Easy if lookup by name */
166 if (id
->type
== V_OCSP_RESPID_NAME
)
167 return X509_find_by_subject(certs
, id
->value
.byName
);
169 /* Lookup by key hash */
171 /* If key hash isn't SHA1 length then forget it */
172 if (id
->value
.byKey
->length
!= SHA_DIGEST_LENGTH
)
174 keyhash
= id
->value
.byKey
->data
;
175 /* Calculate hash of each key and compare */
176 for (i
= 0; i
< sk_X509_num(certs
); i
++) {
177 x
= sk_X509_value(certs
, i
);
178 X509_pubkey_digest(x
, EVP_sha1(), tmphash
, NULL
);
179 if (!memcmp(keyhash
, tmphash
, SHA_DIGEST_LENGTH
))
185 static int ocsp_check_issuer(OCSP_BASICRESP
*bs
, STACK_OF(X509
) *chain
)
187 STACK_OF(OCSP_SINGLERESP
) *sresp
;
189 OCSP_CERTID
*caid
= NULL
;
191 sresp
= bs
->tbsResponseData
.responses
;
193 if (sk_X509_num(chain
) <= 0) {
194 OCSPerr(OCSP_F_OCSP_CHECK_ISSUER
, OCSP_R_NO_CERTIFICATES_IN_CHAIN
);
198 /* See if the issuer IDs match. */
199 i
= ocsp_check_ids(sresp
, &caid
);
201 /* If ID mismatch or other error then return */
205 signer
= sk_X509_value(chain
, 0);
206 /* Check to see if OCSP responder CA matches request CA */
207 if (sk_X509_num(chain
) > 1) {
208 sca
= sk_X509_value(chain
, 1);
209 i
= ocsp_match_issuerid(sca
, caid
, sresp
);
213 /* We have a match, if extensions OK then success */
214 if (ocsp_check_delegated(signer
))
220 /* Otherwise check if OCSP request signed directly by request CA */
221 return ocsp_match_issuerid(signer
, caid
, sresp
);
225 * Check the issuer certificate IDs for equality. If there is a mismatch with
226 * the same algorithm then there's no point trying to match any certificates
227 * against the issuer. If the issuer IDs all match then we just need to check
228 * equality against one of them.
231 static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP
) *sresp
, OCSP_CERTID
**ret
)
233 OCSP_CERTID
*tmpid
, *cid
;
236 idcount
= sk_OCSP_SINGLERESP_num(sresp
);
238 OCSPerr(OCSP_F_OCSP_CHECK_IDS
,
239 OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA
);
243 cid
= sk_OCSP_SINGLERESP_value(sresp
, 0)->certId
;
247 for (i
= 1; i
< idcount
; i
++) {
248 tmpid
= sk_OCSP_SINGLERESP_value(sresp
, i
)->certId
;
249 /* Check to see if IDs match */
250 if (OCSP_id_issuer_cmp(cid
, tmpid
)) {
251 /* If algorithm mismatch let caller deal with it */
252 if (OBJ_cmp(tmpid
->hashAlgorithm
.algorithm
,
253 cid
->hashAlgorithm
.algorithm
))
260 /* All IDs match: only need to check one ID */
265 static int ocsp_match_issuerid(X509
*cert
, OCSP_CERTID
*cid
,
266 STACK_OF(OCSP_SINGLERESP
) *sresp
)
268 /* If only one ID to match then do it */
273 unsigned char md
[EVP_MAX_MD_SIZE
];
274 if ((dgst
= EVP_get_digestbyobj(cid
->hashAlgorithm
.algorithm
))
276 OCSPerr(OCSP_F_OCSP_MATCH_ISSUERID
,
277 OCSP_R_UNKNOWN_MESSAGE_DIGEST
);
281 mdlen
= EVP_MD_size(dgst
);
284 if ((cid
->issuerNameHash
.length
!= mdlen
) ||
285 (cid
->issuerKeyHash
.length
!= mdlen
))
287 iname
= X509_get_subject_name(cert
);
288 if (!X509_NAME_digest(iname
, dgst
, md
, NULL
))
290 if (memcmp(md
, cid
->issuerNameHash
.data
, mdlen
))
292 X509_pubkey_digest(cert
, dgst
, md
, NULL
);
293 if (memcmp(md
, cid
->issuerKeyHash
.data
, mdlen
))
299 /* We have to match the whole lot */
302 for (i
= 0; i
< sk_OCSP_SINGLERESP_num(sresp
); i
++) {
303 tmpid
= sk_OCSP_SINGLERESP_value(sresp
, i
)->certId
;
304 ret
= ocsp_match_issuerid(cert
, tmpid
, NULL
);
313 static int ocsp_check_delegated(X509
*x
)
315 if ((X509_get_extension_flags(x
) & EXFLAG_XKUSAGE
)
316 && (X509_get_extended_key_usage(x
) & XKU_OCSP_SIGN
))
318 OCSPerr(OCSP_F_OCSP_CHECK_DELEGATED
, OCSP_R_MISSING_OCSPSIGNING_USAGE
);
323 * Verify an OCSP request. This is fortunately much easier than OCSP response
324 * verify. Just find the signers certificate and verify it against a given
328 int OCSP_request_verify(OCSP_REQUEST
*req
, STACK_OF(X509
) *certs
,
329 X509_STORE
*store
, unsigned long flags
)
335 X509_STORE_CTX
*ctx
= X509_STORE_CTX_new();
338 OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY
, ERR_R_MALLOC_FAILURE
);
342 if (!req
->optionalSignature
) {
343 OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY
, OCSP_R_REQUEST_NOT_SIGNED
);
346 gen
= req
->tbsRequest
.requestorName
;
347 if (!gen
|| gen
->type
!= GEN_DIRNAME
) {
348 OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY
,
349 OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE
);
352 nm
= gen
->d
.directoryName
;
353 ret
= ocsp_req_find_signer(&signer
, req
, nm
, certs
, flags
);
355 OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY
,
356 OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND
);
359 if ((ret
== 2) && (flags
& OCSP_TRUSTOTHER
))
360 flags
|= OCSP_NOVERIFY
;
361 if (!(flags
& OCSP_NOSIGS
)) {
363 skey
= X509_get0_pubkey(signer
);
364 ret
= OCSP_REQUEST_verify(req
, skey
);
366 OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY
, OCSP_R_SIGNATURE_FAILURE
);
370 if (!(flags
& OCSP_NOVERIFY
)) {
372 if (flags
& OCSP_NOCHAIN
)
373 init_res
= X509_STORE_CTX_init(ctx
, store
, signer
, NULL
);
375 init_res
= X509_STORE_CTX_init(ctx
, store
, signer
,
376 req
->optionalSignature
->certs
);
378 OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY
, ERR_R_X509_LIB
);
382 X509_STORE_CTX_set_purpose(ctx
, X509_PURPOSE_OCSP_HELPER
);
383 X509_STORE_CTX_set_trust(ctx
, X509_TRUST_OCSP_REQUEST
);
384 ret
= X509_verify_cert(ctx
);
386 ret
= X509_STORE_CTX_get_error(ctx
);
387 OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY
,
388 OCSP_R_CERTIFICATE_VERIFY_ERROR
);
389 ERR_add_error_data(2, "Verify error:",
390 X509_verify_cert_error_string(ret
));
400 X509_STORE_CTX_free(ctx
);
405 static int ocsp_req_find_signer(X509
**psigner
, OCSP_REQUEST
*req
,
406 X509_NAME
*nm
, STACK_OF(X509
) *certs
,
410 if (!(flags
& OCSP_NOINTERN
)) {
411 signer
= X509_find_by_subject(req
->optionalSignature
->certs
, nm
);
418 signer
= X509_find_by_subject(certs
, nm
);