2 * Copyright 2006-2019 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 #include "internal/cryptlib.h"
13 #include <openssl/objects.h>
14 #include <openssl/ts.h>
15 #include <openssl/pkcs7.h>
16 #include <openssl/crypto.h>
18 #include "crypto/ess.h"
20 static ASN1_INTEGER
*def_serial_cb(struct TS_resp_ctx
*, void *);
21 static int def_time_cb(struct TS_resp_ctx
*, void *, long *sec
, long *usec
);
22 static int def_extension_cb(struct TS_resp_ctx
*, X509_EXTENSION
*, void *);
24 static void ts_RESP_CTX_init(TS_RESP_CTX
*ctx
);
25 static void ts_RESP_CTX_cleanup(TS_RESP_CTX
*ctx
);
26 static int ts_RESP_check_request(TS_RESP_CTX
*ctx
);
27 static ASN1_OBJECT
*ts_RESP_get_policy(TS_RESP_CTX
*ctx
);
28 static TS_TST_INFO
*ts_RESP_create_tst_info(TS_RESP_CTX
*ctx
,
30 static int ts_RESP_process_extensions(TS_RESP_CTX
*ctx
);
31 static int ts_RESP_sign(TS_RESP_CTX
*ctx
);
33 static int ts_TST_INFO_content_new(PKCS7
*p7
);
35 static ASN1_GENERALIZEDTIME
36 *TS_RESP_set_genTime_with_precision(ASN1_GENERALIZEDTIME
*, long, long,
39 /* Default callback for response generation. */
40 static ASN1_INTEGER
*def_serial_cb(struct TS_resp_ctx
*ctx
, void *data
)
42 ASN1_INTEGER
*serial
= ASN1_INTEGER_new();
46 if (!ASN1_INTEGER_set(serial
, 1))
51 TSerr(TS_F_DEF_SERIAL_CB
, ERR_R_MALLOC_FAILURE
);
52 TS_RESP_CTX_set_status_info(ctx
, TS_STATUS_REJECTION
,
53 "Error during serial number generation.");
57 #if defined(OPENSSL_SYS_UNIX)
59 static int def_time_cb(struct TS_resp_ctx
*ctx
, void *data
,
60 long *sec
, long *usec
)
63 if (gettimeofday(&tv
, NULL
) != 0) {
64 TSerr(TS_F_DEF_TIME_CB
, TS_R_TIME_SYSCALL_ERROR
);
65 TS_RESP_CTX_set_status_info(ctx
, TS_STATUS_REJECTION
,
66 "Time is not available.");
67 TS_RESP_CTX_add_failure_info(ctx
, TS_INFO_TIME_NOT_AVAILABLE
);
78 static int def_time_cb(struct TS_resp_ctx
*ctx
, void *data
,
79 long *sec
, long *usec
)
82 if (time(&t
) == (time_t)-1) {
83 TSerr(TS_F_DEF_TIME_CB
, TS_R_TIME_SYSCALL_ERROR
);
84 TS_RESP_CTX_set_status_info(ctx
, TS_STATUS_REJECTION
,
85 "Time is not available.");
86 TS_RESP_CTX_add_failure_info(ctx
, TS_INFO_TIME_NOT_AVAILABLE
);
97 static int def_extension_cb(struct TS_resp_ctx
*ctx
, X509_EXTENSION
*ext
,
100 TS_RESP_CTX_set_status_info(ctx
, TS_STATUS_REJECTION
,
101 "Unsupported extension.");
102 TS_RESP_CTX_add_failure_info(ctx
, TS_INFO_UNACCEPTED_EXTENSION
);
106 /* TS_RESP_CTX management functions. */
108 TS_RESP_CTX
*TS_RESP_CTX_new(void)
112 if ((ctx
= OPENSSL_zalloc(sizeof(*ctx
))) == NULL
) {
113 TSerr(TS_F_TS_RESP_CTX_NEW
, ERR_R_MALLOC_FAILURE
);
117 ctx
->signer_md
= EVP_sha256();
119 ctx
->serial_cb
= def_serial_cb
;
120 ctx
->time_cb
= def_time_cb
;
121 ctx
->extension_cb
= def_extension_cb
;
126 void TS_RESP_CTX_free(TS_RESP_CTX
*ctx
)
131 X509_free(ctx
->signer_cert
);
132 EVP_PKEY_free(ctx
->signer_key
);
133 sk_X509_pop_free(ctx
->certs
, X509_free
);
134 sk_ASN1_OBJECT_pop_free(ctx
->policies
, ASN1_OBJECT_free
);
135 ASN1_OBJECT_free(ctx
->default_policy
);
136 sk_EVP_MD_free(ctx
->mds
); /* No EVP_MD_free method exists. */
137 ASN1_INTEGER_free(ctx
->seconds
);
138 ASN1_INTEGER_free(ctx
->millis
);
139 ASN1_INTEGER_free(ctx
->micros
);
143 int TS_RESP_CTX_set_signer_cert(TS_RESP_CTX
*ctx
, X509
*signer
)
145 if (X509_check_purpose(signer
, X509_PURPOSE_TIMESTAMP_SIGN
, 0) != 1) {
146 TSerr(TS_F_TS_RESP_CTX_SET_SIGNER_CERT
,
147 TS_R_INVALID_SIGNER_CERTIFICATE_PURPOSE
);
150 X509_free(ctx
->signer_cert
);
151 ctx
->signer_cert
= signer
;
152 X509_up_ref(ctx
->signer_cert
);
156 int TS_RESP_CTX_set_signer_key(TS_RESP_CTX
*ctx
, EVP_PKEY
*key
)
158 EVP_PKEY_free(ctx
->signer_key
);
159 ctx
->signer_key
= key
;
160 EVP_PKEY_up_ref(ctx
->signer_key
);
165 int TS_RESP_CTX_set_signer_digest(TS_RESP_CTX
*ctx
, const EVP_MD
*md
)
171 int TS_RESP_CTX_set_def_policy(TS_RESP_CTX
*ctx
, const ASN1_OBJECT
*def_policy
)
173 ASN1_OBJECT_free(ctx
->default_policy
);
174 if ((ctx
->default_policy
= OBJ_dup(def_policy
)) == NULL
)
178 TSerr(TS_F_TS_RESP_CTX_SET_DEF_POLICY
, ERR_R_MALLOC_FAILURE
);
182 int TS_RESP_CTX_set_certs(TS_RESP_CTX
*ctx
, STACK_OF(X509
) *certs
)
185 sk_X509_pop_free(ctx
->certs
, X509_free
);
189 if ((ctx
->certs
= X509_chain_up_ref(certs
)) == NULL
) {
190 TSerr(TS_F_TS_RESP_CTX_SET_CERTS
, ERR_R_MALLOC_FAILURE
);
197 int TS_RESP_CTX_add_policy(TS_RESP_CTX
*ctx
, const ASN1_OBJECT
*policy
)
199 ASN1_OBJECT
*copy
= NULL
;
201 if (ctx
->policies
== NULL
202 && (ctx
->policies
= sk_ASN1_OBJECT_new_null()) == NULL
)
204 if ((copy
= OBJ_dup(policy
)) == NULL
)
206 if (!sk_ASN1_OBJECT_push(ctx
->policies
, copy
))
211 TSerr(TS_F_TS_RESP_CTX_ADD_POLICY
, ERR_R_MALLOC_FAILURE
);
212 ASN1_OBJECT_free(copy
);
216 int TS_RESP_CTX_add_md(TS_RESP_CTX
*ctx
, const EVP_MD
*md
)
219 && (ctx
->mds
= sk_EVP_MD_new_null()) == NULL
)
221 if (!sk_EVP_MD_push(ctx
->mds
, md
))
226 TSerr(TS_F_TS_RESP_CTX_ADD_MD
, ERR_R_MALLOC_FAILURE
);
230 #define TS_RESP_CTX_accuracy_free(ctx) \
231 ASN1_INTEGER_free(ctx->seconds); \
232 ctx->seconds = NULL; \
233 ASN1_INTEGER_free(ctx->millis); \
234 ctx->millis = NULL; \
235 ASN1_INTEGER_free(ctx->micros); \
238 int TS_RESP_CTX_set_accuracy(TS_RESP_CTX
*ctx
,
239 int secs
, int millis
, int micros
)
242 TS_RESP_CTX_accuracy_free(ctx
);
244 && ((ctx
->seconds
= ASN1_INTEGER_new()) == NULL
245 || !ASN1_INTEGER_set(ctx
->seconds
, secs
)))
248 && ((ctx
->millis
= ASN1_INTEGER_new()) == NULL
249 || !ASN1_INTEGER_set(ctx
->millis
, millis
)))
252 && ((ctx
->micros
= ASN1_INTEGER_new()) == NULL
253 || !ASN1_INTEGER_set(ctx
->micros
, micros
)))
258 TS_RESP_CTX_accuracy_free(ctx
);
259 TSerr(TS_F_TS_RESP_CTX_SET_ACCURACY
, ERR_R_MALLOC_FAILURE
);
263 void TS_RESP_CTX_add_flags(TS_RESP_CTX
*ctx
, int flags
)
268 void TS_RESP_CTX_set_serial_cb(TS_RESP_CTX
*ctx
, TS_serial_cb cb
, void *data
)
271 ctx
->serial_cb_data
= data
;
274 void TS_RESP_CTX_set_time_cb(TS_RESP_CTX
*ctx
, TS_time_cb cb
, void *data
)
277 ctx
->time_cb_data
= data
;
280 void TS_RESP_CTX_set_extension_cb(TS_RESP_CTX
*ctx
,
281 TS_extension_cb cb
, void *data
)
283 ctx
->extension_cb
= cb
;
284 ctx
->extension_cb_data
= data
;
287 int TS_RESP_CTX_set_status_info(TS_RESP_CTX
*ctx
,
288 int status
, const char *text
)
290 TS_STATUS_INFO
*si
= NULL
;
291 ASN1_UTF8STRING
*utf8_text
= NULL
;
294 if ((si
= TS_STATUS_INFO_new()) == NULL
)
296 if (!ASN1_INTEGER_set(si
->status
, status
))
299 if ((utf8_text
= ASN1_UTF8STRING_new()) == NULL
300 || !ASN1_STRING_set(utf8_text
, text
, strlen(text
)))
303 && (si
->text
= sk_ASN1_UTF8STRING_new_null()) == NULL
)
305 if (!sk_ASN1_UTF8STRING_push(si
->text
, utf8_text
))
307 utf8_text
= NULL
; /* Ownership is lost. */
309 if (!TS_RESP_set_status_info(ctx
->response
, si
))
314 TSerr(TS_F_TS_RESP_CTX_SET_STATUS_INFO
, ERR_R_MALLOC_FAILURE
);
315 TS_STATUS_INFO_free(si
);
316 ASN1_UTF8STRING_free(utf8_text
);
320 int TS_RESP_CTX_set_status_info_cond(TS_RESP_CTX
*ctx
,
321 int status
, const char *text
)
324 TS_STATUS_INFO
*si
= ctx
->response
->status_info
;
326 if (ASN1_INTEGER_get(si
->status
) == TS_STATUS_GRANTED
) {
327 ret
= TS_RESP_CTX_set_status_info(ctx
, status
, text
);
332 int TS_RESP_CTX_add_failure_info(TS_RESP_CTX
*ctx
, int failure
)
334 TS_STATUS_INFO
*si
= ctx
->response
->status_info
;
335 if (si
->failure_info
== NULL
336 && (si
->failure_info
= ASN1_BIT_STRING_new()) == NULL
)
338 if (!ASN1_BIT_STRING_set_bit(si
->failure_info
, failure
, 1))
342 TSerr(TS_F_TS_RESP_CTX_ADD_FAILURE_INFO
, ERR_R_MALLOC_FAILURE
);
346 TS_REQ
*TS_RESP_CTX_get_request(TS_RESP_CTX
*ctx
)
351 TS_TST_INFO
*TS_RESP_CTX_get_tst_info(TS_RESP_CTX
*ctx
)
353 return ctx
->tst_info
;
356 int TS_RESP_CTX_set_clock_precision_digits(TS_RESP_CTX
*ctx
,
359 if (precision
> TS_MAX_CLOCK_PRECISION_DIGITS
)
361 ctx
->clock_precision_digits
= precision
;
365 /* Main entry method of the response generation. */
366 TS_RESP
*TS_RESP_create_response(TS_RESP_CTX
*ctx
, BIO
*req_bio
)
372 ts_RESP_CTX_init(ctx
);
374 if ((ctx
->response
= TS_RESP_new()) == NULL
) {
375 TSerr(TS_F_TS_RESP_CREATE_RESPONSE
, ERR_R_MALLOC_FAILURE
);
378 if ((ctx
->request
= d2i_TS_REQ_bio(req_bio
, NULL
)) == NULL
) {
379 TS_RESP_CTX_set_status_info(ctx
, TS_STATUS_REJECTION
,
380 "Bad request format or system error.");
381 TS_RESP_CTX_add_failure_info(ctx
, TS_INFO_BAD_DATA_FORMAT
);
384 if (!TS_RESP_CTX_set_status_info(ctx
, TS_STATUS_GRANTED
, NULL
))
386 if (!ts_RESP_check_request(ctx
))
388 if ((policy
= ts_RESP_get_policy(ctx
)) == NULL
)
390 if ((ctx
->tst_info
= ts_RESP_create_tst_info(ctx
, policy
)) == NULL
)
392 if (!ts_RESP_process_extensions(ctx
))
394 if (!ts_RESP_sign(ctx
))
400 TSerr(TS_F_TS_RESP_CREATE_RESPONSE
, TS_R_RESPONSE_SETUP_ERROR
);
401 if (ctx
->response
!= NULL
) {
402 if (TS_RESP_CTX_set_status_info_cond(ctx
,
404 "Error during response "
405 "generation.") == 0) {
406 TS_RESP_free(ctx
->response
);
407 ctx
->response
= NULL
;
411 response
= ctx
->response
;
412 ctx
->response
= NULL
; /* Ownership will be returned to caller. */
413 ts_RESP_CTX_cleanup(ctx
);
417 /* Initializes the variable part of the context. */
418 static void ts_RESP_CTX_init(TS_RESP_CTX
*ctx
)
421 ctx
->response
= NULL
;
422 ctx
->tst_info
= NULL
;
425 /* Cleans up the variable part of the context. */
426 static void ts_RESP_CTX_cleanup(TS_RESP_CTX
*ctx
)
428 TS_REQ_free(ctx
->request
);
430 TS_RESP_free(ctx
->response
);
431 ctx
->response
= NULL
;
432 TS_TST_INFO_free(ctx
->tst_info
);
433 ctx
->tst_info
= NULL
;
436 /* Checks the format and content of the request. */
437 static int ts_RESP_check_request(TS_RESP_CTX
*ctx
)
439 TS_REQ
*request
= ctx
->request
;
440 TS_MSG_IMPRINT
*msg_imprint
;
443 const ASN1_OCTET_STRING
*digest
;
444 const EVP_MD
*md
= NULL
;
447 if (TS_REQ_get_version(request
) != 1) {
448 TS_RESP_CTX_set_status_info(ctx
, TS_STATUS_REJECTION
,
449 "Bad request version.");
450 TS_RESP_CTX_add_failure_info(ctx
, TS_INFO_BAD_REQUEST
);
454 msg_imprint
= request
->msg_imprint
;
455 md_alg
= msg_imprint
->hash_algo
;
456 md_alg_id
= OBJ_obj2nid(md_alg
->algorithm
);
457 for (i
= 0; !md
&& i
< sk_EVP_MD_num(ctx
->mds
); ++i
) {
458 const EVP_MD
*current_md
= sk_EVP_MD_value(ctx
->mds
, i
);
459 if (md_alg_id
== EVP_MD_type(current_md
))
463 TS_RESP_CTX_set_status_info(ctx
, TS_STATUS_REJECTION
,
464 "Message digest algorithm is "
466 TS_RESP_CTX_add_failure_info(ctx
, TS_INFO_BAD_ALG
);
470 if (md_alg
->parameter
&& ASN1_TYPE_get(md_alg
->parameter
) != V_ASN1_NULL
) {
471 TS_RESP_CTX_set_status_info(ctx
, TS_STATUS_REJECTION
,
472 "Superfluous message digest "
474 TS_RESP_CTX_add_failure_info(ctx
, TS_INFO_BAD_ALG
);
477 digest
= msg_imprint
->hashed_msg
;
478 if (digest
->length
!= EVP_MD_size(md
)) {
479 TS_RESP_CTX_set_status_info(ctx
, TS_STATUS_REJECTION
,
480 "Bad message digest.");
481 TS_RESP_CTX_add_failure_info(ctx
, TS_INFO_BAD_DATA_FORMAT
);
488 /* Returns the TSA policy based on the requested and acceptable policies. */
489 static ASN1_OBJECT
*ts_RESP_get_policy(TS_RESP_CTX
*ctx
)
491 ASN1_OBJECT
*requested
= ctx
->request
->policy_id
;
492 ASN1_OBJECT
*policy
= NULL
;
495 if (ctx
->default_policy
== NULL
) {
496 TSerr(TS_F_TS_RESP_GET_POLICY
, TS_R_INVALID_NULL_POINTER
);
499 if (!requested
|| !OBJ_cmp(requested
, ctx
->default_policy
))
500 policy
= ctx
->default_policy
;
502 /* Check if the policy is acceptable. */
503 for (i
= 0; !policy
&& i
< sk_ASN1_OBJECT_num(ctx
->policies
); ++i
) {
504 ASN1_OBJECT
*current
= sk_ASN1_OBJECT_value(ctx
->policies
, i
);
505 if (!OBJ_cmp(requested
, current
))
508 if (policy
== NULL
) {
509 TSerr(TS_F_TS_RESP_GET_POLICY
, TS_R_UNACCEPTABLE_POLICY
);
510 TS_RESP_CTX_set_status_info(ctx
, TS_STATUS_REJECTION
,
511 "Requested policy is not " "supported.");
512 TS_RESP_CTX_add_failure_info(ctx
, TS_INFO_UNACCEPTED_POLICY
);
517 /* Creates the TS_TST_INFO object based on the settings of the context. */
518 static TS_TST_INFO
*ts_RESP_create_tst_info(TS_RESP_CTX
*ctx
,
522 TS_TST_INFO
*tst_info
= NULL
;
523 ASN1_INTEGER
*serial
= NULL
;
524 ASN1_GENERALIZEDTIME
*asn1_time
= NULL
;
526 TS_ACCURACY
*accuracy
= NULL
;
527 const ASN1_INTEGER
*nonce
;
528 GENERAL_NAME
*tsa_name
= NULL
;
530 if ((tst_info
= TS_TST_INFO_new()) == NULL
)
532 if (!TS_TST_INFO_set_version(tst_info
, 1))
534 if (!TS_TST_INFO_set_policy_id(tst_info
, policy
))
536 if (!TS_TST_INFO_set_msg_imprint(tst_info
, ctx
->request
->msg_imprint
))
538 if ((serial
= ctx
->serial_cb(ctx
, ctx
->serial_cb_data
)) == NULL
539 || !TS_TST_INFO_set_serial(tst_info
, serial
))
541 if (!ctx
->time_cb(ctx
, ctx
->time_cb_data
, &sec
, &usec
)
543 TS_RESP_set_genTime_with_precision(NULL
, sec
, usec
,
544 ctx
->clock_precision_digits
)) == NULL
545 || !TS_TST_INFO_set_time(tst_info
, asn1_time
))
548 if ((ctx
->seconds
|| ctx
->millis
|| ctx
->micros
)
549 && (accuracy
= TS_ACCURACY_new()) == NULL
)
551 if (ctx
->seconds
&& !TS_ACCURACY_set_seconds(accuracy
, ctx
->seconds
))
553 if (ctx
->millis
&& !TS_ACCURACY_set_millis(accuracy
, ctx
->millis
))
555 if (ctx
->micros
&& !TS_ACCURACY_set_micros(accuracy
, ctx
->micros
))
557 if (accuracy
&& !TS_TST_INFO_set_accuracy(tst_info
, accuracy
))
560 if ((ctx
->flags
& TS_ORDERING
)
561 && !TS_TST_INFO_set_ordering(tst_info
, 1))
564 if ((nonce
= ctx
->request
->nonce
) != NULL
565 && !TS_TST_INFO_set_nonce(tst_info
, nonce
))
568 if (ctx
->flags
& TS_TSA_NAME
) {
569 if ((tsa_name
= GENERAL_NAME_new()) == NULL
)
571 tsa_name
->type
= GEN_DIRNAME
;
573 X509_NAME_dup(X509_get_subject_name(ctx
->signer_cert
));
574 if (!tsa_name
->d
.dirn
)
576 if (!TS_TST_INFO_set_tsa(tst_info
, tsa_name
))
583 TS_TST_INFO_free(tst_info
);
585 TSerr(TS_F_TS_RESP_CREATE_TST_INFO
, TS_R_TST_INFO_SETUP_ERROR
);
586 TS_RESP_CTX_set_status_info_cond(ctx
, TS_STATUS_REJECTION
,
587 "Error during TSTInfo "
590 GENERAL_NAME_free(tsa_name
);
591 TS_ACCURACY_free(accuracy
);
592 ASN1_GENERALIZEDTIME_free(asn1_time
);
593 ASN1_INTEGER_free(serial
);
598 /* Processing the extensions of the request. */
599 static int ts_RESP_process_extensions(TS_RESP_CTX
*ctx
)
601 STACK_OF(X509_EXTENSION
) *exts
= ctx
->request
->extensions
;
605 for (i
= 0; ok
&& i
< sk_X509_EXTENSION_num(exts
); ++i
) {
606 X509_EXTENSION
*ext
= sk_X509_EXTENSION_value(exts
, i
);
608 * The last argument was previously (void *)ctx->extension_cb,
609 * but ISO C doesn't permit converting a function pointer to void *.
610 * For lack of better information, I'm placing a NULL there instead.
611 * The callback can pick its own address out from the ctx anyway...
613 ok
= (*ctx
->extension_cb
) (ctx
, ext
, NULL
);
619 /* Functions for signing the TS_TST_INFO structure of the context. */
620 static int ts_RESP_sign(TS_RESP_CTX
*ctx
)
624 PKCS7_SIGNER_INFO
*si
;
625 STACK_OF(X509
) *certs
; /* Certificates to include in sc. */
626 ESS_SIGNING_CERT_V2
*sc2
= NULL
;
627 ESS_SIGNING_CERT
*sc
= NULL
;
632 if (!X509_check_private_key(ctx
->signer_cert
, ctx
->signer_key
)) {
633 TSerr(TS_F_TS_RESP_SIGN
, TS_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE
);
637 if ((p7
= PKCS7_new()) == NULL
) {
638 TSerr(TS_F_TS_RESP_SIGN
, ERR_R_MALLOC_FAILURE
);
641 if (!PKCS7_set_type(p7
, NID_pkcs7_signed
))
643 if (!ASN1_INTEGER_set(p7
->d
.sign
->version
, 3))
646 if (ctx
->request
->cert_req
) {
647 PKCS7_add_certificate(p7
, ctx
->signer_cert
);
649 for (i
= 0; i
< sk_X509_num(ctx
->certs
); ++i
) {
650 X509
*cert
= sk_X509_value(ctx
->certs
, i
);
651 PKCS7_add_certificate(p7
, cert
);
656 if ((si
= PKCS7_add_signature(p7
, ctx
->signer_cert
,
657 ctx
->signer_key
, ctx
->signer_md
)) == NULL
) {
658 TSerr(TS_F_TS_RESP_SIGN
, TS_R_PKCS7_ADD_SIGNATURE_ERROR
);
662 oid
= OBJ_nid2obj(NID_id_smime_ct_TSTInfo
);
663 if (!PKCS7_add_signed_attribute(si
, NID_pkcs9_contentType
,
664 V_ASN1_OBJECT
, oid
)) {
665 TSerr(TS_F_TS_RESP_SIGN
, TS_R_PKCS7_ADD_SIGNED_ATTR_ERROR
);
669 certs
= ctx
->flags
& TS_ESS_CERT_ID_CHAIN
? ctx
->certs
: NULL
;
670 if (ctx
->ess_cert_id_digest
== NULL
671 || ctx
->ess_cert_id_digest
== EVP_sha1()) {
672 if ((sc
= ESS_SIGNING_CERT_new_init(ctx
->signer_cert
, certs
, 0)) == NULL
)
675 if (!ESS_SIGNING_CERT_add(si
, sc
)) {
676 TSerr(TS_F_TS_RESP_SIGN
, TS_R_ESS_ADD_SIGNING_CERT_ERROR
);
680 sc2
= ESS_SIGNING_CERT_V2_new_init(ctx
->ess_cert_id_digest
,
681 ctx
->signer_cert
, certs
, 0);
685 if (!ESS_SIGNING_CERT_V2_add(si
, sc2
)) {
686 TSerr(TS_F_TS_RESP_SIGN
, TS_R_ESS_ADD_SIGNING_CERT_V2_ERROR
);
691 if (!ts_TST_INFO_content_new(p7
))
693 if ((p7bio
= PKCS7_dataInit(p7
, NULL
)) == NULL
) {
694 TSerr(TS_F_TS_RESP_SIGN
, ERR_R_MALLOC_FAILURE
);
697 if (!i2d_TS_TST_INFO_bio(p7bio
, ctx
->tst_info
)) {
698 TSerr(TS_F_TS_RESP_SIGN
, TS_R_TS_DATASIGN
);
701 if (!PKCS7_dataFinal(p7
, p7bio
)) {
702 TSerr(TS_F_TS_RESP_SIGN
, TS_R_TS_DATASIGN
);
705 TS_RESP_set_tst_info(ctx
->response
, p7
, ctx
->tst_info
);
706 p7
= NULL
; /* Ownership is lost. */
707 ctx
->tst_info
= NULL
; /* Ownership is lost. */
712 TS_RESP_CTX_set_status_info_cond(ctx
, TS_STATUS_REJECTION
,
713 "Error during signature "
716 ESS_SIGNING_CERT_V2_free(sc2
);
717 ESS_SIGNING_CERT_free(sc
);
722 static int ts_TST_INFO_content_new(PKCS7
*p7
)
725 ASN1_OCTET_STRING
*octet_string
= NULL
;
727 /* Create new encapsulated NID_id_smime_ct_TSTInfo content. */
728 if ((ret
= PKCS7_new()) == NULL
)
730 if ((ret
->d
.other
= ASN1_TYPE_new()) == NULL
)
732 ret
->type
= OBJ_nid2obj(NID_id_smime_ct_TSTInfo
);
733 if ((octet_string
= ASN1_OCTET_STRING_new()) == NULL
)
735 ASN1_TYPE_set(ret
->d
.other
, V_ASN1_OCTET_STRING
, octet_string
);
738 /* Add encapsulated content to signed PKCS7 structure. */
739 if (!PKCS7_set_content(p7
, ret
))
744 ASN1_OCTET_STRING_free(octet_string
);
749 static ASN1_GENERALIZEDTIME
*TS_RESP_set_genTime_with_precision(
750 ASN1_GENERALIZEDTIME
*asn1_time
, long sec
, long usec
,
753 time_t time_sec
= (time_t)sec
;
754 struct tm
*tm
= NULL
, tm_result
;
755 char genTime_str
[17 + TS_MAX_CLOCK_PRECISION_DIGITS
];
756 char *p
= genTime_str
;
757 char *p_end
= genTime_str
+ sizeof(genTime_str
);
759 if (precision
> TS_MAX_CLOCK_PRECISION_DIGITS
)
762 if ((tm
= OPENSSL_gmtime(&time_sec
, &tm_result
)) == NULL
)
766 * Put "genTime_str" in GeneralizedTime format. We work around the
767 * restrictions imposed by rfc3280 (i.e. "GeneralizedTime values MUST
768 * NOT include fractional seconds") and OpenSSL related functions to
769 * meet the rfc3161 requirement: "GeneralizedTime syntax can include
770 * fraction-of-second details".
772 p
+= BIO_snprintf(p
, p_end
- p
,
773 "%04d%02d%02d%02d%02d%02d",
774 tm
->tm_year
+ 1900, tm
->tm_mon
+ 1, tm
->tm_mday
,
775 tm
->tm_hour
, tm
->tm_min
, tm
->tm_sec
);
777 BIO_snprintf(p
, 2 + precision
, ".%06ld", usec
);
781 * To make things a bit harder, X.690 | ISO/IEC 8825-1 provides the
782 * following restrictions for a DER-encoding, which OpenSSL
783 * (specifically ASN1_GENERALIZEDTIME_check() function) doesn't
784 * support: "The encoding MUST terminate with a "Z" (which means
785 * "Zulu" time). The decimal point element, if present, MUST be the
786 * point option ".". The fractional-seconds elements, if present,
787 * MUST omit all trailing 0's; if the elements correspond to 0, they
788 * MUST be wholly omitted, and the decimal point element also MUST be
792 * Remove trailing zeros. The dot guarantees the exit condition of
793 * this loop even if all the digits are zero.
803 if (asn1_time
== NULL
804 && (asn1_time
= ASN1_GENERALIZEDTIME_new()) == NULL
)
806 if (!ASN1_GENERALIZEDTIME_set_string(asn1_time
, genTime_str
)) {
807 ASN1_GENERALIZEDTIME_free(asn1_time
);
813 TSerr(TS_F_TS_RESP_SET_GENTIME_WITH_PRECISION
, TS_R_COULD_NOT_SET_TIME
);
817 int TS_RESP_CTX_set_ess_cert_id_digest(TS_RESP_CTX
*ctx
, const EVP_MD
*md
)
819 ctx
->ess_cert_id_digest
= md
;