author | Matt Caswell <matt@openssl.org> | 2016-09-13 23:26:53 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2016-09-22 09:27:45 +0100 |
commit | a671b3e64abe782d37c705ae51e93f2013672f9d (patch) | |
tree | ed76a3fb6093b4d1640fe3d869c9bf99e89e25ed /crypto/ocsp/ocsp_srv.c | |
parent | e12c0beb5a652ba0c3a71e633a77fafbb4f86aa4 (diff) | |
Add OCSP_RESPID_match()
Add a function for testing whether a given OCSP_RESPID matches with a
certificate.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Diffstat (limited to 'crypto/ocsp/ocsp_srv.c')
-rw-r--r-- | crypto/ocsp/ocsp_srv.c | 28 |
1 files changed, 27 insertions, 1 deletions
diff --git a/crypto/ocsp/ocsp_srv.c b/crypto/ocsp/ocsp_srv.c
index 5d590bae85..46a4bf7852 100644
--- a/crypto/ocsp/ocsp_srv.c
+++ b/crypto/ocsp/ocsp_srv.c
@@ -239,7 +239,7 @@ int OCSP_RESPID_set_by_key(OCSP_RESPID *respid, X509 *cert)
 if (byKey == NULL)
 return 0;
- if (!(ASN1_OCTET_STRING_set(respid->value.byKey, md, SHA_DIGEST_LENGTH))) {
+ if (!(ASN1_OCTET_STRING_set(byKey, md, SHA_DIGEST_LENGTH))) {
 ASN1_OCTET_STRING_free(byKey);
 return 0;
 }
@@ -249,3 +249,29 @@ int OCSP_RESPID_set_by_key(OCSP_RESPID *respid, X509 *cert)
 return 1;
 }
+
+int OCSP_RESPID_match(OCSP_RESPID *respid, X509 *cert)
+{
+ if (respid->type == V_OCSP_RESPID_KEY) {
+ unsigned char md[SHA_DIGEST_LENGTH];
+
+ if (respid->value.byKey == NULL)
+ return 0;
+
+ /* RFC2560 requires SHA1 */
+ if (!X509_pubkey_digest(cert, EVP_sha1(), md, NULL))
+ return 0;
+
+ return (ASN1_STRING_length(respid->value.byKey) == SHA_DIGEST_LENGTH)
+ && (memcmp(ASN1_STRING_get0_data(respid->value.byKey), md,
+ SHA_DIGEST_LENGTH) == 0);
+ } else if(respid->type == V_OCSP_RESPID_NAME) {
+ if (respid->value.byName == NULL)
+ return 0;
+
+ return X509_NAME_cmp(respid->value.byName,
+ X509_get_subject_name(cert)) == 0;
+ }
+
+ return 0;
+} |
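Review bot: The corrected call `ASN1_OCTET_STRING_set(byKey, md, SHA_DIGEST_LENGTH)` in OCSP_RESPID_set_by_key() is a behavioural fix that the commit description does not mention. The old line wrote the digest through `respid->value.byKey` while the surrounding context checks and frees the local `byKey`, so it was presumably operating on the wrong object; the lines that store byKey into respid lie outside the hunk, so this cannot be confirmed from here. I would add a sentence such as `Also fix OCSP_RESPID_set_by_key() to set the digest on the newly allocated byKey.` to the description, or split the fix into its own commit so it can be tracked and backported separately.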
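Review bot: OCSP_RESPID_match() has no header comment, and its 0 return covers a mismatch, a NULL byKey/byName, a failed X509_pubkey_digest() and an unrecognised respid->type alike. Failing closed is the right default for an identity check, but the contract should be written down, together with the fact that a match only identifies a candidate certificate: the byName branch compares subject names only, so any certificate carrying the same subject matches, and the caller still has to verify the response signature and the responder's authorisation. I would add above the function `/* Returns 1 if respid identifies cert, 0 on mismatch or any error. A match does not authenticate cert; verify the response signature separately. */`. As a style point, `else if(respid->type == V_OCSP_RESPID_NAME)` is missing the space after `if` that the other conditions in the hunk use.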