src/usr.bin/openssl/ocsp.c - diff

Return to ocsp.c CVS log

Up to [local] / src / usr.bin / openssl

Diff for /src/usr.bin/openssl/ocsp.c between version 1.18 and 1.19

version 1.18, 2020/09/09 13:08:38

version 1.19, 2020/09/09 13:57:36

Line 79

/* Maximum leeway in validity period: default 5 minutes */

#define MAX_VALIDITY_PERIOD (5 * 60)

static int

static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert,

add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, const EVP_MD *cert_id_md, X509 *issuer,

const EVP_MD *cert_id_md, X509 *issuer, STACK_OF(OCSP_CERTID) *ids);

STACK_OF(OCSP_CERTID) *ids);

static int add_ocsp_serial(OCSP_REQUEST **req, char *serial,

static int add_ocsp_serial(OCSP_REQUEST **req, char *serial, const EVP_MD *cert_id_md, X509 *issuer,

const EVP_MD *cert_id_md, X509 *issuer, STACK_OF(OCSP_CERTID) *ids);

STACK_OF(OCSP_CERTID) *ids);

static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,

STACK_OF(OPENSSL_STRING) *names,

STACK_OF(OPENSSL_STRING) *names, STACK_OF(OCSP_CERTID) *ids, long nsec,

STACK_OF(OCSP_CERTID) *ids, long nsec,

long maxage);

static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db,

static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req,

X509 *ca, X509 *rcert, EVP_PKEY *rkey,

CA_DB *db, X509 *ca, X509 *rcert, EVP_PKEY *rkey, STACK_OF(X509) *rother,

STACK_OF(X509) *rother, unsigned long flags,

unsigned long flags, int nmin, int ndays);

int nmin, int ndays);

static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser);

static BIO *init_responder(char *port);

static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, char *port);

static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio,

char *port);

static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp);

static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path,

STACK_OF(CONF_VALUE) *headers,

STACK_OF(CONF_VALUE) *headers, OCSP_REQUEST *req, int req_timeout);

OCSP_REQUEST *req, int req_timeout);

static struct {

int accept_count;

Line 780

Line 777

}

/* Have we anything to do? */

if (!ocsp_config.req && !ocsp_config.reqin && !ocsp_config.respin && !(ocsp_config.port && ocsp_config.ridx_filename))

if (!ocsp_config.req && !ocsp_config.reqin && !ocsp_config.respin &&

!(ocsp_config.port && ocsp_config.ridx_filename))

badarg = 1;

if (badarg) {

Line 802

Line 800

if (!ocsp_config.req && ocsp_config.reqin) {

derbio = BIO_new_file(ocsp_config.reqin, "rb");

if (!derbio) {

BIO_printf(bio_err, "Error Opening OCSP request file\n");

BIO_printf(bio_err,

"Error Opening OCSP request file\n");

goto end;

}

ocsp_config.req = d2i_OCSP_REQUEST_bio(derbio, NULL);

Line 823

Line 822

rsigner = load_cert(bio_err, ocsp_config.rsignfile, FORMAT_PEM,

NULL, "responder certificate");

if (!rsigner) {

BIO_printf(bio_err, "Error loading responder certificate\n");

BIO_printf(bio_err,

"Error loading responder certificate\n");

goto end;

}

rca_cert = load_cert(bio_err, ocsp_config.rca_filename, FORMAT_PEM,

rca_cert = load_cert(bio_err, ocsp_config.rca_filename,

NULL, "CA certificate");

FORMAT_PEM, NULL, "CA certificate");

if (ocsp_config.rcertfile) {

rother = load_certs(bio_err, ocsp_config.rcertfile, FORMAT_PEM,

rother = load_certs(bio_err, ocsp_config.rcertfile,

NULL, "responder other certificates");

FORMAT_PEM, NULL, "responder other certificates");

if (!rother)

goto end;

}

rkey = load_key(bio_err, ocsp_config.rkeyfile, FORMAT_PEM, 0, NULL,

rkey = load_key(bio_err, ocsp_config.rkeyfile, FORMAT_PEM, 0,

"responder private key");

NULL, "responder private key");

if (!rkey)

goto end;

}

if (acbio)

BIO_printf(bio_err, "Waiting for OCSP client connections...\n");

redo_accept:

if (acbio) {

if (!do_responder(&ocsp_config.req, &cbio, acbio, ocsp_config.port))

if (!do_responder(&ocsp_config.req, &cbio, acbio,

ocsp_config.port))

goto end;

if (!ocsp_config.req) {

resp = OCSP_response_create(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, NULL);

resp = OCSP_response_create(

OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, NULL);

send_ocsp_response(cbio, resp);

goto done_resp;

}

if (!ocsp_config.req && (ocsp_config.signfile || ocsp_config.reqout || ocsp_config.host || ocsp_config.add_nonce || ocsp_config.ridx_filename)) {

if (!ocsp_config.req &&

BIO_printf(bio_err, "Need an OCSP request for this operation!\n");

(ocsp_config.signfile || ocsp_config.reqout || ocsp_config.host ||

ocsp_config.add_nonce || ocsp_config.ridx_filename)) {

BIO_printf(bio_err,

"Need an OCSP request for this operation!\n");

goto end;

}

if (ocsp_config.req && ocsp_config.add_nonce)

Line 866

Line 871

signer = load_cert(bio_err, ocsp_config.signfile, FORMAT_PEM,

NULL, "signer certificate");

if (!signer) {

BIO_printf(bio_err, "Error loading signer certificate\n");

BIO_printf(bio_err,

"Error loading signer certificate\n");

goto end;

}

if (ocsp_config.sign_certfile) {

sign_other = load_certs(bio_err, ocsp_config.sign_certfile, FORMAT_PEM,

sign_other = load_certs(bio_err,

NULL, "signer certificates");

ocsp_config.sign_certfile, FORMAT_PEM, NULL,

"signer certificates");

if (!sign_other)

goto end;

}

key = load_key(bio_err, ocsp_config.keyfile, FORMAT_PEM, 0, NULL,

key = load_key(bio_err, ocsp_config.keyfile, FORMAT_PEM, 0,

"signer private key");

NULL, "signer private key");

if (!key)

goto end;

if (!OCSP_request_sign(ocsp_config.req, signer, key, NULL, sign_other, ocsp_config.sign_flags)) {

if (!OCSP_request_sign(ocsp_config.req, signer, key, NULL,

sign_other, ocsp_config.sign_flags)) {

BIO_printf(bio_err, "Error signing OCSP request\n");

goto end;

}

Line 891

Line 899

if (ocsp_config.reqout) {

derbio = BIO_new_file(ocsp_config.reqout, "wb");

if (!derbio) {

BIO_printf(bio_err, "Error opening file %s\n", ocsp_config.reqout);

BIO_printf(bio_err, "Error opening file %s\n",

ocsp_config.reqout);

goto end;

}

i2d_OCSP_REQUEST_bio(derbio, ocsp_config.req);

BIO_free(derbio);

}

if (ocsp_config.ridx_filename && (!rkey || !rsigner || !rca_cert)) {

BIO_printf(bio_err, "Need a responder certificate, key and CA for this operation!\n");

BIO_printf(bio_err,

"Need a responder certificate, key and CA for this operation!\n");

goto end;

}

if (ocsp_config.ridx_filename && !rdb) {

Line 909

Line 919

goto end;

}

if (rdb) {

i = make_ocsp_response(&resp, ocsp_config.req, rdb, rca_cert, rsigner, rkey, rother, ocsp_config.rflags, ocsp_config.nmin, ocsp_config.ndays);

i = make_ocsp_response(&resp, ocsp_config.req, rdb, rca_cert,

rsigner, rkey, rother, ocsp_config.rflags,

ocsp_config.nmin, ocsp_config.ndays);

if (cbio)

send_ocsp_response(cbio, resp);

} else if (ocsp_config.host) {

resp = process_responder(bio_err, ocsp_config.req, ocsp_config.host, ocsp_config.path ? ocsp_config.path : "/",

resp = process_responder(bio_err, ocsp_config.req,

ocsp_config.port, ocsp_config.use_ssl, ocsp_config.headers, ocsp_config.req_timeout);

ocsp_config.host,

ocsp_config.path ? ocsp_config.path : "/",

ocsp_config.port, ocsp_config.use_ssl, ocsp_config.headers,

ocsp_config.req_timeout);

if (!resp)

goto end;

} else if (ocsp_config.respin) {

derbio = BIO_new_file(ocsp_config.respin, "rb");

if (!derbio) {

BIO_printf(bio_err, "Error Opening OCSP response file\n");

BIO_printf(bio_err,

"Error Opening OCSP response file\n");

goto end;

}

resp = d2i_OCSP_RESPONSE_bio(derbio, NULL);

Line 934

Line 950

goto end;

}

done_resp:

if (ocsp_config.respout) {

derbio = BIO_new_file(ocsp_config.respout, "wb");

if (!derbio) {

BIO_printf(bio_err, "Error opening file %s\n", ocsp_config.respout);

BIO_printf(bio_err, "Error opening file %s\n",

ocsp_config.respout);

goto end;

}

i2d_OCSP_RESPONSE_bio(derbio, resp);

Line 975

Line 992

goto end;

}

if (!store)

store = setup_verify(bio_err, ocsp_config.CAfile, ocsp_config.CApath);

store = setup_verify(bio_err, ocsp_config.CAfile,

ocsp_config.CApath);

if (!store)

goto end;

if (ocsp_config.verify_certfile) {

verify_other = load_certs(bio_err, ocsp_config.verify_certfile, FORMAT_PEM,

verify_other = load_certs(bio_err, ocsp_config.verify_certfile,

NULL, "validator certificate");

FORMAT_PEM, NULL, "validator certificate");

if (!verify_other)

goto end;

}

Line 991

Line 1009

goto end;

}

if (!ocsp_config.noverify) {

if (ocsp_config.req && ((i = OCSP_check_nonce(ocsp_config.req, bs)) <= 0)) {

if (ocsp_config.req &&

if (i == -1)

((i = OCSP_check_nonce(ocsp_config.req, bs)) <= 0)) {

BIO_printf(bio_err, "WARNING: no nonce in response\n");

if (i == -1) {

else {

BIO_printf(bio_err,

"WARNING: no nonce in response\n");

} else {

BIO_printf(bio_err, "Nonce Verify error\n");

goto end;

}

i = OCSP_basic_verify(bs, verify_other, store, ocsp_config.verify_flags);

i = OCSP_basic_verify(bs, verify_other, store,

ocsp_config.verify_flags);

if (i < 0)

i = OCSP_basic_verify(bs, NULL, store, 0);

if (i <= 0) {

BIO_printf(bio_err, "Response Verify Failure\n");

ERR_print_errors(bio_err);

} else

} else {

BIO_printf(bio_err, "Response verify OK\n");

}

if (!print_ocsp_summary(out, bs, ocsp_config.req, ocsp_config.reqnames, ocsp_config.ids, ocsp_config.nsec, ocsp_config.maxage))

if (!print_ocsp_summary(out, bs, ocsp_config.req, ocsp_config.reqnames,

ocsp_config.ids, ocsp_config.nsec, ocsp_config.maxage))

goto end;

ret = 0;

Line 1047

Line 1069

}

static int

add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, const EVP_MD *cert_id_md, X509 *issuer,

add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, const EVP_MD *cert_id_md,

STACK_OF(OCSP_CERTID) *ids)

X509 *issuer, STACK_OF(OCSP_CERTID) *ids)

{

OCSP_CERTID *id;

if (!issuer) {

BIO_printf(bio_err, "No issuer certificate specified\n");

return 0;

Line 1072

Line 1095

}

static int

add_ocsp_serial(OCSP_REQUEST **req, char *serial, const EVP_MD *cert_id_md, X509 *issuer,

add_ocsp_serial(OCSP_REQUEST **req, char *serial, const EVP_MD *cert_id_md,

STACK_OF(OCSP_CERTID) *ids)

X509 *issuer, STACK_OF(OCSP_CERTID) *ids)

{

OCSP_CERTID *id;

X509_NAME *iname;

ASN1_BIT_STRING *ikey;

ASN1_INTEGER *sno;

if (!issuer) {

BIO_printf(bio_err, "No issuer certificate specified\n");

return 0;

Line 1091

Line 1115

ikey = X509_get0_pubkey_bitstr(issuer);

sno = s2i_ASN1_INTEGER(NULL, serial);

if (!sno) {

BIO_printf(bio_err, "Error converting serial number %s\n", serial);

BIO_printf(bio_err, "Error converting serial number %s\n",

serial);

return 0;

}

id = OCSP_cert_id_new(cert_id_md, iname, ikey, sno);

Line 1109

Line 1134

static int

print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,

STACK_OF(OPENSSL_STRING) *names,

STACK_OF(OPENSSL_STRING) *names, STACK_OF(OCSP_CERTID) *ids, long nsec,

STACK_OF(OCSP_CERTID) *ids, long nsec,

long maxage)

{

OCSP_CERTID *id;

char *name;

int i;

int status, reason;

ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;

if (!bs || !req || !sk_OPENSSL_STRING_num(names) || !sk_OCSP_CERTID_num(ids))

if (!bs || !req || !sk_OPENSSL_STRING_num(names) ||

!sk_OCSP_CERTID_num(ids))

return 1;

for (i = 0; i < sk_OCSP_CERTID_num(ids); i++) {

Line 1171

Line 1195

static int

make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db,

X509 *ca, X509 *rcert, EVP_PKEY *rkey,

X509 *ca, X509 *rcert, EVP_PKEY *rkey, STACK_OF(X509) *rother,

STACK_OF(X509) *rother, unsigned long flags,

unsigned long flags, int nmin, int ndays)

int nmin, int ndays)

{

ASN1_TIME *thisupd = NULL, *nextupd = NULL;

OCSP_CERTID *cid, *ca_id = NULL;

Line 1183

Line 1206

id_count = OCSP_request_onereq_count(req);

if (id_count <= 0) {

*resp = OCSP_response_create(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, NULL);

*resp = OCSP_response_create(

OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, NULL);

goto end;

}

bs = OCSP_BASICRESP_new();

Line 1205

Line 1229

cert_id_md = EVP_get_digestbyobj(cert_id_md_oid);

if (!cert_id_md) {

*resp = OCSP_response_create(OCSP_RESPONSE_STATUS_INTERNALERROR,

*resp = OCSP_response_create(

NULL);

OCSP_RESPONSE_STATUS_INTERNALERROR, NULL);

goto end;

}

OCSP_CERTID_free(ca_id);

Line 1215

Line 1239

/* Is this request about our CA? */

if (OCSP_id_issuer_cmp(ca_id, cid)) {

OCSP_basic_add1_status(bs, cid,

V_OCSP_CERTSTATUS_UNKNOWN,

V_OCSP_CERTSTATUS_UNKNOWN, 0, NULL,

0, NULL,

thisupd, nextupd);

continue;

}

OCSP_id_get0_info(NULL, NULL, NULL, &serial, cid);

inf = lookup_serial(db, serial);

if (!inf)

if (!inf) {

OCSP_basic_add1_status(bs, cid,

V_OCSP_CERTSTATUS_UNKNOWN,

V_OCSP_CERTSTATUS_UNKNOWN, 0, NULL,

0, NULL,

thisupd, nextupd);

else if (inf[DB_type][0] == DB_TYPE_VAL)

} else if (inf[DB_type][0] == DB_TYPE_VAL) {

OCSP_basic_add1_status(bs, cid,

V_OCSP_CERTSTATUS_GOOD,

V_OCSP_CERTSTATUS_GOOD, 0, NULL,

0, NULL,

thisupd, nextupd);

else if (inf[DB_type][0] == DB_TYPE_REV) {

} else if (inf[DB_type][0] == DB_TYPE_REV) {

ASN1_OBJECT *inst = NULL;

ASN1_TIME *revtm = NULL;

ASN1_GENERALIZEDTIME *invtm = NULL;

OCSP_SINGLERESP *single;

int reason = -1;

unpack_revinfo(&revtm, &reason, &inst, &invtm, inf[DB_rev_date]);

unpack_revinfo(&revtm, &reason, &inst, &invtm,

inf[DB_rev_date]);

single = OCSP_basic_add1_status(bs, cid,

V_OCSP_CERTSTATUS_REVOKED,

reason, revtm,

thisupd, nextupd);

if (invtm)

OCSP_SINGLERESP_add1_ext_i2d(single, NID_invalidity_date, invtm, 0, 0);

OCSP_SINGLERESP_add1_ext_i2d(single,

NID_invalidity_date, invtm, 0, 0);

else if (inst)

OCSP_SINGLERESP_add1_ext_i2d(single, NID_hold_instruction_code, inst, 0, 0);

OCSP_SINGLERESP_add1_ext_i2d(single,

NID_hold_instruction_code, inst, 0, 0);

ASN1_OBJECT_free(inst);

ASN1_TIME_free(revtm);

ASN1_GENERALIZEDTIME_free(invtm);

Line 1265

Line 1290

OCSP_CERTID_free(ca_id);

OCSP_BASICRESP_free(bs);

return ret;

}

static char **

Line 1274

Line 1298

int i;

BIGNUM *bn = NULL;

char *itmp, *row[DB_NUMBER], **rrow;

for (i = 0; i < DB_NUMBER; i++)

row[i] = NULL;

bn = ASN1_INTEGER_to_BN(ser, NULL);

Line 1296

Line 1321

init_responder(char *port)

{

BIO *acbio = NULL, *bufbio = NULL;

bufbio = BIO_new(BIO_f_buffer());

if (!bufbio)

goto err;

Line 1362

Line 1388

*preq = req;

return 1;

}

static int

Line 1371

Line 1396

static const char http_resp[] =

"HTTP/1.0 200 OK\r\nContent-type: application/ocsp-response\r\n"

"Content-Length: %d\r\n\r\n";

if (!cbio)

return 0;

BIO_printf(cbio, http_resp, i2d_OCSP_RESPONSE(resp, NULL));

Line 1380

Line 1406

}

static OCSP_RESPONSE *

query_responder(BIO *err, BIO *cbio, char *path,

query_responder(BIO *err, BIO *cbio, char *path, STACK_OF(CONF_VALUE) *headers,

STACK_OF(CONF_VALUE) *headers,

OCSP_REQUEST *req, int req_timeout)

{

int fd;

Line 1437

Line 1462

if (req_timeout == -1)

continue;

pfd[0].fd = fd;

if (BIO_should_read(cbio))

if (BIO_should_read(cbio)) {

pfd[0].events = POLLIN;

else if (BIO_should_write(cbio))

} else if (BIO_should_write(cbio)) {

pfd[0].events = POLLOUT;

else {

} else {

BIO_puts(err, "Unexpected retry condition\n");

goto err;

}

Line 1455

Line 1480

break;

}

err:

OCSP_REQ_CTX_free(ctx);

return rsp;

}

OCSP_RESPONSE *

process_responder(BIO *err, OCSP_REQUEST *req,

process_responder(BIO *err, OCSP_REQUEST *req, char *host, char *path,

char *host, char *path, char *port, int use_ssl,

char *port, int use_ssl, STACK_OF(CONF_VALUE) *headers, int req_timeout)

STACK_OF(CONF_VALUE) *headers,

int req_timeout)

{

BIO *cbio = NULL;

SSL_CTX *ctx = NULL;

OCSP_RESPONSE *resp = NULL;

cbio = BIO_new_connect(host);

if (!cbio) {

BIO_printf(err, "Error creating connect BIO\n");

Line 1491

Line 1515

resp = query_responder(err, cbio, path, headers, req, req_timeout);

if (!resp)

BIO_printf(bio_err, "Error querying OCSP responder\n");

end:

BIO_free_all(cbio);

SSL_CTX_free(ctx);