author | Dr. Stephen Henson <steve@openssl.org> | 2001-01-17 01:31:34 +0000 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2001-01-17 01:31:34 +0000 |
commit | 81f169e95c86fe9b2c3a7ba51a85f7a00763a0e7 (patch) | |
tree | 9c61e9161ee5332e99d091153a4cd242160b9180 /crypto/ocsp | |
parent | a068630a2038ff167d29cdaed828161719355531 (diff) | |
download | openssl-81f169e95c86fe9b2c3a7ba51a85f7a00763a0e7.tar.gz |
Initial OCSP certificate verify. Not complete,
it just supports a "trusted OCSP global root CA".
Diffstat (limited to 'crypto/ocsp')
-rw-r--r-- | crypto/ocsp/ocsp.h | 9 | ||||
-rw-r--r-- | crypto/ocsp/ocsp_err.c | 2 | ||||
-rw-r--r-- | crypto/ocsp/ocsp_lib.c | 11 | ||||
-rw-r--r-- | crypto/ocsp/ocsp_vfy.c | 63 |
4 files changed, 79 insertions, 6 deletions
diff --git a/crypto/ocsp/ocsp.h b/crypto/ocsp/ocsp.h
index 60b843a2fa..1cb6eadfbb 100644
--- a/crypto/ocsp/ocsp.h
+++ b/crypto/ocsp/ocsp.h
@@ -79,6 +79,12 @@ extern "C" {
 #define OCSP_NOCERTS 0x1
 #define OCSP_NOINTERN 0x2
 #define OCSP_NOSIGS 0x4
+#define OCSP_NOCHAIN 0x8
+#define OCSP_NOVERIFY 0x10
+#define OCSP_NOEXPLICIT 0x20
+#define OCSP_NOCASIGN 0x40
+#define OCSP_NODELEGATED 0x80
+#define OCSP_NOCHECKS 0x100
 /* CertID ::= SEQUENCE {
 * hashAlgorithm AlgorithmIdentifier,
@@ -434,6 +440,7 @@ int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
 int OCSP_request_verify(OCSP_REQUEST *req, EVP_PKEY *pkey);
+int OCSP_id_issuer_cmp(OCSP_CERTID *a, OCSP_CERTID *b);
 int OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b);
 OCSP_BASICRESP *OCSP_basic_response_new(int tag,
@@ -565,6 +572,7 @@ void ERR_load_OCSP_strings(void);
 /* Reason codes. */
 #define OCSP_R_BAD_DATA 108
 #define OCSP_R_BAD_TAG 100
+#define OCSP_R_CERTIFICATE_VERIFY_ERROR 126
 #define OCSP_R_DIGEST_ERR 101
 #define OCSP_R_FAILED_TO_OPEN 109
 #define OCSP_R_FAILED_TO_READ 110
@@ -579,6 +587,7 @@ void ERR_load_OCSP_strings(void);
 #define OCSP_R_NO_RESPONSE_DATA 104
 #define OCSP_R_NO_SIGNATURE 105
 #define OCSP_R_REVOKED_NO_TIME 106
+#define OCSP_R_ROOT_CA_NOT_TRUSTED 127
 #define OCSP_R_SERVER_READ_ERROR 116
 #define OCSP_R_SERVER_RESPONSE_ERROR 117
 #define OCSP_R_SERVER_RESPONSE_PARSE_ERROR 118
diff --git a/crypto/ocsp/ocsp_err.c b/crypto/ocsp/ocsp_err.c
index 70a27561b1..f4335d28c9 100644
--- a/crypto/ocsp/ocsp_err.c
+++ b/crypto/ocsp/ocsp_err.c
@@ -87,6 +87,7 @@ static ERR_STRING_DATA OCSP_str_reasons[]=
 {
 {OCSP_R_BAD_DATA ,"bad data"},
 {OCSP_R_BAD_TAG ,"bad tag"},
+{OCSP_R_CERTIFICATE_VERIFY_ERROR ,"certificate verify error"},
 {OCSP_R_DIGEST_ERR ,"digest err"},
 {OCSP_R_FAILED_TO_OPEN ,"failed to open"},
 {OCSP_R_FAILED_TO_READ ,"failed to read"},
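Review bot: The six flags added in the first ocsp.h hunk (`OCSP_NOCHAIN` through `OCSP_NOCHECKS`) each switch off part of the responder-certificate verification, yet they are defined with no comment saying which check a caller gives up. Going by how ocsp_vfy.c uses them in this commit, one line per flag would do, for example `/* OCSP_NOVERIFY: do not run X509_verify_cert() on the signer */` and `/* OCSP_NOCHECKS: accept a verified chain without the OCSP-specific checks */`. `OCSP_NOCASIGN` and `OCSP_NODELEGATED` are not referenced anywhere in the visible diff, so their intended meaning should be written down now, or the defines held back until the code that honours them lands.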
@@ -101,6 +102,7 @@ static ERR_STRING_DATA OCSP_str_reasons[]=
 {OCSP_R_NO_RESPONSE_DATA ,"no response data"},
 {OCSP_R_NO_SIGNATURE ,"no signature"},
 {OCSP_R_REVOKED_NO_TIME ,"revoked no time"},
+{OCSP_R_ROOT_CA_NOT_TRUSTED ,"root ca not trusted"},
 {OCSP_R_SERVER_READ_ERROR ,"server read error"},
 {OCSP_R_SERVER_RESPONSE_ERROR ,"server response error"},
 {OCSP_R_SERVER_RESPONSE_PARSE_ERROR ,"server response parse error"},
diff --git a/crypto/ocsp/ocsp_lib.c b/crypto/ocsp/ocsp_lib.c
index f9d2978402..bdd4cfccff 100644
--- a/crypto/ocsp/ocsp_lib.c
+++ b/crypto/ocsp/ocsp_lib.c
@@ -163,14 +163,21 @@ err:
 return NULL;
 }
-int OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b)
+
+int OCSP_id_issuer_cmp(OCSP_CERTID *a, OCSP_CERTID *b)
 {
 int ret;
 ret = OBJ_cmp(a->hashAlgorithm->algorithm, b->hashAlgorithm->algorithm);
 if (ret) return ret;
 ret = ASN1_OCTET_STRING_cmp(a->issuerNameHash, b->issuerNameHash);
 if (ret) return ret;
- ret = ASN1_OCTET_STRING_cmp(a->issuerKeyHash, b->issuerKeyHash);
+ return ASN1_OCTET_STRING_cmp(a->issuerKeyHash, b->issuerKeyHash);
+ }
+
+int OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b)
+ {
+ int ret;
+ ret = OCSP_id_issuer_cmp(a, b);
 if (ret) return ret;
 return ASN1_INTEGER_cmp(a->serialNumber, b->serialNumber);
 }
diff --git a/crypto/ocsp/ocsp_vfy.c b/crypto/ocsp/ocsp_vfy.c
index 2ea3f4a923..6110825b19 100644
--- a/crypto/ocsp/ocsp_vfy.c
+++ b/crypto/ocsp/ocsp_vfy.c
@@ -68,13 +68,15 @@ static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id);
 int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
 X509_STORE *st, unsigned long flags)
 {
- X509 *signer;
- int ret;
+ X509 *signer, *x;
+ STACK_OF(X509) *chain = NULL;
+ X509_STORE_CTX ctx;
+ int i, ret = 0;
 signer = ocsp_find_signer(bs, certs, st, flags);
 if (!signer)
 {
 OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND);
- return 0;
+ goto end;
 }
 if(!(flags & OCSP_NOSIGS))
 {
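Review bot: `OCSP_id_issuer_cmp` in the ocsp_lib.c hunk is a new exported function, but neither the definition nor the prototype added to ocsp.h says what it compares or what its return value means. Suggest placing `/* Compare only the issuer part of two CertIDs (hash algorithm OID, issuerNameHash, issuerKeyHash); the serial number is ignored. Returns 0 when they match. */` above it. Callers that match a response against a request need to know that a zero result here does not mean the two IDs name the same certificate; that is what `OCSP_id_cmp` is for.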
@@ -85,9 +87,62 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
 if(ret <= 0)
 {
 OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNATURE_FAILURE);
- return 0;
+ goto end;
 }
 }
+ if(!(flags & OCSP_NOVERIFY))
+ {
+ if(flags & OCSP_NOCHAIN)
+ X509_STORE_CTX_init(&ctx, st, signer, NULL);
+ else
+ X509_STORE_CTX_init(&ctx, st, signer, bs->certs);
+
+ X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_OCSP_HELPER);
+ ret = X509_verify_cert(&ctx);
+ chain = X509_STORE_CTX_get1_chain(&ctx);
+ X509_STORE_CTX_cleanup(&ctx);
+ if (ret <= 0)
+ {
+ i = X509_STORE_CTX_get_error(&ctx);
+ OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,OCSP_R_CERTIFICATE_VERIFY_ERROR);
+ ERR_add_error_data(2, "Verify error:",
+ X509_verify_cert_error_string(i));
+ goto end;
+ }
+ if(flags & OCSP_NOCHECKS)
+ {
+ ret = 1;
+ goto end;
+ }
+ /* At this point we have a valid certificate chain
+ * need to verify it against the OCSP criteria.
+ */
+#if 0
+ if(ocsp_check_issuer(bs, chain, flags))
+ {
+ ret = 1;
+ goto end;
+ }
+#endif
+
+ /* Easy case: explicitly trusted. Get root CA and
+ * check for explicit trust
+ */
+ if(flags & OCSP_NOEXPLICIT) goto end;
+
+ x = sk_X509_value(chain, sk_X509_num(chain) - 1);
+ if(X509_check_trust(x, NID_OCSP_sign, 0) != X509_TRUST_TRUSTED)
+ {
+ OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,OCSP_R_ROOT_CA_NOT_TRUSTED);
+ goto end;
+ }
+ ret = 1;
+ }
+
+
+
+ end:
+ if(chain) sk_X509_pop_free(chain, X509_free);
 return 1;
 } |
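Review bot: The `end:` label still finishes with the old `return 1;`, so every failure path that now does `goto end` (signer not found in the previous hunk, signature failure, certificate verify error, untrusted root) is reported to the caller as a successful verification. Returning `ret` fixes that only if `ret` is reset first, because it is still 1 from `X509_verify_cert()` when the `OCSP_NOEXPLICIT` and `OCSP_R_ROOT_CA_NOT_TRUSTED` branches jump to `end`. `X509_STORE_CTX_get_error(&ctx)` is also read after `X509_STORE_CTX_cleanup(&ctx)`; the error should be fetched before the context is cleaned up. With both `OCSP_NOSIGS` and `OCSP_NOVERIFY` set, `ret` keeps its initial 0, so the result for that combination needs an explicit decision. The start of `OCSP_basic_verify` lies outside this hunk, and the fence shows only the lines that change.

```c
		ret = X509_verify_cert(&ctx);
		chain = X509_STORE_CTX_get1_chain(&ctx);
		/* read the verify error while ctx is still initialised */
		i = X509_STORE_CTX_get_error(&ctx);
		X509_STORE_CTX_cleanup(&ctx);
		if (ret <= 0)
			{
			/* ... unchanged: OCSPerr, ERR_add_error_data, goto end ... */
			}
		/* ... unchanged: OCSP_NOCHECKS branch, #if 0 issuer check ... */

		/* nothing has accepted the chain yet: fail unless the root is trusted */
		ret = 0;
		if(flags & OCSP_NOEXPLICIT) goto end;
		/* ... unchanged: root lookup, X509_check_trust branch, ret = 1, closing brace ... */

 end:
	if(chain) sk_X509_pop_free(chain, X509_free);
	/* keep the 0/1 result the old return statements gave */
	return ret > 0;
```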