2 * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 #include <openssl/ocsp.h>
12 #include <openssl/err.h>
13 #include "internal/sizes.h"
14 #include "ocsp_local.h"
16 static int ocsp_find_signer(X509
**psigner
, OCSP_BASICRESP
*bs
,
17 STACK_OF(X509
) *certs
, unsigned long flags
);
18 static X509
*ocsp_find_signer_sk(STACK_OF(X509
) *certs
, OCSP_RESPID
*id
);
19 static int ocsp_check_issuer(OCSP_BASICRESP
*bs
, STACK_OF(X509
) *chain
);
20 static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP
) *sresp
,
22 static int ocsp_match_issuerid(X509
*cert
, OCSP_CERTID
*cid
,
23 STACK_OF(OCSP_SINGLERESP
) *sresp
);
24 static int ocsp_check_delegated(X509
*x
);
25 static int ocsp_req_find_signer(X509
**psigner
, OCSP_REQUEST
*req
,
26 const X509_NAME
*nm
, STACK_OF(X509
) *certs
,
29 /* Returns 1 on success, 0 on failure, or -1 on fatal error */
30 static int ocsp_verify_signer(X509
*signer
, int response
,
31 X509_STORE
*st
, unsigned long flags
,
32 STACK_OF(X509
) *untrusted
, STACK_OF(X509
) **chain
)
34 X509_STORE_CTX
*ctx
= X509_STORE_CTX_new();
35 X509_VERIFY_PARAM
*vp
;
39 ERR_raise(ERR_LIB_OCSP
, ERR_R_MALLOC_FAILURE
);
42 if (!X509_STORE_CTX_init(ctx
, st
, signer
, untrusted
)) {
43 ERR_raise(ERR_LIB_OCSP
, ERR_R_X509_LIB
);
46 if ((vp
= X509_STORE_CTX_get0_param(ctx
)) == NULL
)
48 if ((flags
& OCSP_PARTIAL_CHAIN
) != 0)
49 X509_VERIFY_PARAM_set_flags(vp
, X509_V_FLAG_PARTIAL_CHAIN
);
51 && X509_get_ext_by_NID(signer
, NID_id_pkix_OCSP_noCheck
, -1) >= 0)
53 * Locally disable revocation status checking for OCSP responder cert.
54 * Done here for CRLs; TODO should be done also for OCSP-based checks.
56 X509_VERIFY_PARAM_clear_flags(vp
, X509_V_FLAG_CRL_CHECK
);
57 X509_STORE_CTX_set_purpose(ctx
, X509_PURPOSE_OCSP_HELPER
);
58 X509_STORE_CTX_set_trust(ctx
, X509_TRUST_OCSP_REQUEST
);
59 /* TODO: why is X509_TRUST_OCSP_REQUEST set? Seems to get ignored. */
61 ret
= X509_verify_cert(ctx
);
63 ret
= X509_STORE_CTX_get_error(ctx
);
64 ERR_raise_data(ERR_LIB_OCSP
, OCSP_R_CERTIFICATE_VERIFY_ERROR
,
65 "Verify error: %s", X509_verify_cert_error_string(ret
));
69 *chain
= X509_STORE_CTX_get1_chain(ctx
);
72 X509_STORE_CTX_free(ctx
);
76 static int ocsp_verify(OCSP_REQUEST
*req
, OCSP_BASICRESP
*bs
,
77 X509
*signer
, unsigned long flags
)
82 if ((flags
& OCSP_NOSIGS
) == 0) {
83 if ((skey
= X509_get0_pubkey(signer
)) == NULL
) {
84 ERR_raise(ERR_LIB_OCSP
, OCSP_R_NO_SIGNER_KEY
);
88 ret
= OCSP_REQUEST_verify(req
, skey
, signer
->libctx
, signer
->propq
);
90 ret
= OCSP_BASICRESP_verify(bs
, skey
, signer
->libctx
, signer
->propq
);
92 ERR_raise(ERR_LIB_OCSP
, OCSP_R_SIGNATURE_FAILURE
);
97 /* Verify a basic response message */
98 int OCSP_basic_verify(OCSP_BASICRESP
*bs
, STACK_OF(X509
) *certs
,
99 X509_STORE
*st
, unsigned long flags
)
102 STACK_OF(X509
) *chain
= NULL
;
103 STACK_OF(X509
) *untrusted
= NULL
;
104 int ret
= ocsp_find_signer(&signer
, bs
, certs
, flags
);
107 ERR_raise(ERR_LIB_OCSP
, OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND
);
110 if ((ret
== 2) && (flags
& OCSP_TRUSTOTHER
) != 0)
111 flags
|= OCSP_NOVERIFY
;
113 if ((ret
= ocsp_verify(NULL
, bs
, signer
, flags
)) <= 0)
115 if ((flags
& OCSP_NOVERIFY
) == 0) {
117 if ((flags
& OCSP_NOCHAIN
) == 0) {
118 if ((untrusted
= sk_X509_dup(bs
->certs
)) == NULL
)
120 if (!X509_add_certs(untrusted
, certs
, X509_ADD_FLAG_DEFAULT
))
123 ret
= ocsp_verify_signer(signer
, 1, st
, flags
, untrusted
, &chain
);
126 if ((flags
& OCSP_NOCHECKS
) != 0) {
131 * At this point we have a valid certificate chain need to verify it
132 * against the OCSP issuer criteria.
134 ret
= ocsp_check_issuer(bs
, chain
);
136 /* If fatal error or valid match then finish */
141 * Easy case: explicitly trusted. Get root CA and check for explicit
144 if ((flags
& OCSP_NOEXPLICIT
) != 0)
147 x
= sk_X509_value(chain
, sk_X509_num(chain
) - 1);
148 if (X509_check_trust(x
, NID_OCSP_sign
, 0) != X509_TRUST_TRUSTED
) {
149 ERR_raise(ERR_LIB_OCSP
, OCSP_R_ROOT_CA_NOT_TRUSTED
);
157 sk_X509_pop_free(chain
, X509_free
);
158 sk_X509_free(untrusted
);
162 int OCSP_resp_get0_signer(OCSP_BASICRESP
*bs
, X509
**signer
,
163 STACK_OF(X509
) *extra_certs
)
165 return ocsp_find_signer(signer
, bs
, extra_certs
, 0) > 0;
168 static int ocsp_find_signer(X509
**psigner
, OCSP_BASICRESP
*bs
,
169 STACK_OF(X509
) *certs
, unsigned long flags
)
172 OCSP_RESPID
*rid
= &bs
->tbsResponseData
.responderId
;
174 if ((signer
= ocsp_find_signer_sk(certs
, rid
)) != NULL
) {
178 if ((flags
& OCSP_NOINTERN
) == 0 &&
179 (signer
= ocsp_find_signer_sk(bs
->certs
, rid
))) {
183 /* Maybe lookup from store if by subject name */
189 static X509
*ocsp_find_signer_sk(STACK_OF(X509
) *certs
, OCSP_RESPID
*id
)
192 unsigned char tmphash
[SHA_DIGEST_LENGTH
], *keyhash
;
196 /* Easy if lookup by name */
197 if (id
->type
== V_OCSP_RESPID_NAME
)
198 return X509_find_by_subject(certs
, id
->value
.byName
);
200 /* Lookup by key hash */
202 /* If key hash isn't SHA1 length then forget it */
203 if (id
->value
.byKey
->length
!= SHA_DIGEST_LENGTH
)
205 keyhash
= id
->value
.byKey
->data
;
206 /* Calculate hash of each key and compare */
207 for (i
= 0; i
< sk_X509_num(certs
); i
++) {
208 if ((x
= sk_X509_value(certs
, i
)) != NULL
) {
209 if ((md
= EVP_MD_fetch(x
->libctx
, SN_sha1
, x
->propq
)) == NULL
)
211 r
= X509_pubkey_digest(x
, md
, tmphash
, NULL
);
215 if (memcmp(keyhash
, tmphash
, SHA_DIGEST_LENGTH
) == 0)
222 static int ocsp_check_issuer(OCSP_BASICRESP
*bs
, STACK_OF(X509
) *chain
)
224 STACK_OF(OCSP_SINGLERESP
) *sresp
= bs
->tbsResponseData
.responses
;
226 OCSP_CERTID
*caid
= NULL
;
229 if (sk_X509_num(chain
) <= 0) {
230 ERR_raise(ERR_LIB_OCSP
, OCSP_R_NO_CERTIFICATES_IN_CHAIN
);
234 /* See if the issuer IDs match. */
235 ret
= ocsp_check_ids(sresp
, &caid
);
237 /* If ID mismatch or other error then return */
241 signer
= sk_X509_value(chain
, 0);
242 /* Check to see if OCSP responder CA matches request CA */
243 if (sk_X509_num(chain
) > 1) {
244 sca
= sk_X509_value(chain
, 1);
245 ret
= ocsp_match_issuerid(sca
, caid
, sresp
);
249 /* We have a match, if extensions OK then success */
250 if (ocsp_check_delegated(signer
))
256 /* Otherwise check if OCSP request signed directly by request CA */
257 return ocsp_match_issuerid(signer
, caid
, sresp
);
261 * Check the issuer certificate IDs for equality. If there is a mismatch with
262 * the same algorithm then there's no point trying to match any certificates
263 * against the issuer. If the issuer IDs all match then we just need to check
264 * equality against one of them.
267 static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP
) *sresp
, OCSP_CERTID
**ret
)
269 OCSP_CERTID
*tmpid
, *cid
;
272 idcount
= sk_OCSP_SINGLERESP_num(sresp
);
274 ERR_raise(ERR_LIB_OCSP
, OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA
);
278 cid
= sk_OCSP_SINGLERESP_value(sresp
, 0)->certId
;
281 for (i
= 1; i
< idcount
; i
++) {
282 tmpid
= sk_OCSP_SINGLERESP_value(sresp
, i
)->certId
;
283 /* Check to see if IDs match */
284 if (OCSP_id_issuer_cmp(cid
, tmpid
)) {
285 /* If algorithm mismatch let caller deal with it */
286 if (OBJ_cmp(tmpid
->hashAlgorithm
.algorithm
,
287 cid
->hashAlgorithm
.algorithm
))
294 /* All IDs match: only need to check one ID */
300 * Match the certificate issuer ID.
301 * Returns -1 on fatal error, 0 if there is no match and 1 if there is a match.
303 static int ocsp_match_issuerid(X509
*cert
, OCSP_CERTID
*cid
,
304 STACK_OF(OCSP_SINGLERESP
) *sresp
)
309 /* If only one ID to match then do it */
311 char name
[OSSL_MAX_NAME_SIZE
];
312 const X509_NAME
*iname
;
314 unsigned char md
[EVP_MAX_MD_SIZE
];
316 OBJ_obj2txt(name
, sizeof(name
), cid
->hashAlgorithm
.algorithm
, 0);
318 (void)ERR_set_mark();
319 dgst
= EVP_MD_fetch(NULL
, name
, NULL
);
321 dgst
= (EVP_MD
*)EVP_get_digestbyname(name
);
324 (void)ERR_clear_last_mark();
325 ERR_raise(ERR_LIB_OCSP
, OCSP_R_UNKNOWN_MESSAGE_DIGEST
);
328 (void)ERR_pop_to_mark();
330 mdlen
= EVP_MD_size(dgst
);
332 ERR_raise(ERR_LIB_OCSP
, OCSP_R_DIGEST_SIZE_ERR
);
335 if (cid
->issuerNameHash
.length
!= mdlen
||
336 cid
->issuerKeyHash
.length
!= mdlen
) {
340 iname
= X509_get_subject_name(cert
);
341 if (!X509_NAME_digest(iname
, dgst
, md
, NULL
))
343 if (memcmp(md
, cid
->issuerNameHash
.data
, mdlen
) != 0) {
347 if (!X509_pubkey_digest(cert
, dgst
, md
, NULL
)) {
348 ERR_raise(ERR_LIB_OCSP
, OCSP_R_DIGEST_ERR
);
351 ret
= memcmp(md
, cid
->issuerKeyHash
.data
, mdlen
) == 0;
354 /* We have to match the whole lot */
358 for (i
= 0; i
< sk_OCSP_SINGLERESP_num(sresp
); i
++) {
359 tmpid
= sk_OCSP_SINGLERESP_value(sresp
, i
)->certId
;
360 ret
= ocsp_match_issuerid(cert
, tmpid
, NULL
);
371 static int ocsp_check_delegated(X509
*x
)
373 if ((X509_get_extension_flags(x
) & EXFLAG_XKUSAGE
)
374 && (X509_get_extended_key_usage(x
) & XKU_OCSP_SIGN
))
376 ERR_raise(ERR_LIB_OCSP
, OCSP_R_MISSING_OCSPSIGNING_USAGE
);
381 * Verify an OCSP request. This is much easier than OCSP response verify.
382 * Just find the signer's certificate and verify it against a given trust value.
383 * Returns 1 on success, 0 on failure and on fatal error.
385 int OCSP_request_verify(OCSP_REQUEST
*req
, STACK_OF(X509
) *certs
,
386 X509_STORE
*store
, unsigned long flags
)
393 if (!req
->optionalSignature
) {
394 ERR_raise(ERR_LIB_OCSP
, OCSP_R_REQUEST_NOT_SIGNED
);
397 gen
= req
->tbsRequest
.requestorName
;
398 if (!gen
|| gen
->type
!= GEN_DIRNAME
) {
399 ERR_raise(ERR_LIB_OCSP
, OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE
);
400 return 0; /* not returning -1 here for backward compatibility*/
402 nm
= gen
->d
.directoryName
;
403 ret
= ocsp_req_find_signer(&signer
, req
, nm
, certs
, flags
);
405 ERR_raise(ERR_LIB_OCSP
, OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND
);
406 return 0; /* not returning -1 here for backward compatibility*/
408 if ((ret
== 2) && (flags
& OCSP_TRUSTOTHER
) != 0)
409 flags
|= OCSP_NOVERIFY
;
411 if ((ret
= ocsp_verify(req
, NULL
, signer
, flags
)) <= 0)
412 return 0; /* not returning 'ret' here for backward compatibility*/
413 if ((flags
& OCSP_NOVERIFY
) != 0)
415 return ocsp_verify_signer(signer
, 0, store
, flags
,
416 (flags
& OCSP_NOCHAIN
) != 0 ?
417 NULL
: req
->optionalSignature
->certs
, NULL
) > 0;
418 /* using '> 0' here to avoid breaking backward compatibility returning -1 */
421 static int ocsp_req_find_signer(X509
**psigner
, OCSP_REQUEST
*req
,
422 const X509_NAME
*nm
, STACK_OF(X509
) *certs
,
427 if ((flags
& OCSP_NOINTERN
) == 0) {
428 signer
= X509_find_by_subject(req
->optionalSignature
->certs
, nm
);
429 if (signer
!= NULL
) {
435 if ((signer
= X509_find_by_subject(certs
, nm
)) != NULL
) {