/* Serialize an OCSP request which will be sent to the responder at
* given URI to a memory BIO object, which is returned. */
static BIO *serialize_request(OCSP_REQUEST *req, const apr_uri_t *uri,
const apr_uri_t *proxy_uri)
{
BIO *bio;
int len;
len = i2d_OCSP_REQUEST(req, NULL);
bio = BIO_new(BIO_s_mem());
BIO_printf(bio, "POST ");
/* Use full URL instead of URI in case of a request through a proxy */
if (proxy_uri) {
BIO_printf(bio, "http://%s:%d",
uri->hostname, uri->port);
}
BIO_printf(bio, "%s%s%s HTTP/1.0\r\n"
"Host: %s:%d\r\n"
"Content-Type: application/ocsp-request\r\n"
"Content-Length: %d\r\n"
"\r\n",
uri->path ? uri->path : "/",
uri->query ? "?" : "", uri->query ? uri->query : "",
uri->hostname, uri->port, len);
if (i2d_OCSP_REQUEST_bio(bio, req) != 1) {
BIO_free(bio);
return NULL;
}
return bio;
}
/* Serialize an OCSP request which will be sent to the responder at
* given URI to a memory BIO object, which is returned. */
static BIO *serialize_request(OCSP_REQUEST *req, const apr_uri_t *uri)
{
BIO *bio;
int len;
len = i2d_OCSP_REQUEST(req, NULL);
bio = BIO_new(BIO_s_mem());
BIO_printf(bio, "POST %s%s%s HTTP/1.0\r\n"
"Host: %s:%d\r\n"
"Content-Type: application/ocsp-request\r\n"
"Content-Length: %d\r\n"
"\r\n",
uri->path ? uri->path : "/",
uri->query ? "?" : "", uri->query ? uri->query : "",
uri->hostname, uri->port, len);
if (i2d_OCSP_REQUEST_bio(bio, req) != 1) {
BIO_free(bio);
return NULL;
}
return bio;
}
OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, char *path, OCSP_REQUEST *req,
int maxline)
{
static char post_hdr[] = "POST %s HTTP/1.0\r\n"
"Content-Type: application/ocsp-request\r\n"
"Content-Length: %d\r\n\r\n";
OCSP_REQ_CTX *rctx;
rctx = OPENSSL_malloc(sizeof(OCSP_REQ_CTX));
rctx->state = OHS_FIRSTLINE;
rctx->mem = BIO_new(BIO_s_mem());
rctx->io = io;
if (maxline > 0)
rctx->iobuflen = maxline;
else
rctx->iobuflen = OCSP_MAX_LINE_LEN;
rctx->iobuf = OPENSSL_malloc(rctx->iobuflen);
if (!path)
path = "/";
if (BIO_printf(rctx->mem, post_hdr, path,
i2d_OCSP_REQUEST(req, NULL)) <= 0) {
rctx->state = OHS_ERROR;
return 0;
}
if (i2d_OCSP_REQUEST_bio(rctx->mem, req) <= 0) {
rctx->state = OHS_ERROR;
return 0;
}
rctx->state = OHS_ASN1_WRITE;
rctx->asn1_len = BIO_get_mem_data(rctx->mem, NULL);
return rctx;
}
static VALUE
ossl_ocspreq_to_der(VALUE self)
{
OCSP_REQUEST *req;
VALUE str;
unsigned char *p;
long len;
GetOCSPReq(self, req);
if((len = i2d_OCSP_REQUEST(req, NULL)) <= 0)
ossl_raise(eOCSPError, NULL);
str = rb_str_new(0, len);
p = RSTRING_PTR(str);
if(i2d_OCSP_REQUEST(req, &p) <= 0)
ossl_raise(eOCSPError, NULL);
ossl_str_adjust(str, p);
return str;
}
static VALUE
ossl_ocspreq_to_der(VALUE self, SEL sel)
{
OCSP_REQUEST *req;
VALUE str;
unsigned char *p;
long len;
GetOCSPReq(self, req);
if((len = i2d_OCSP_REQUEST(req, NULL)) <= 0)
ossl_raise(eOCSPError, NULL);
str = rb_bstr_new();
rb_bstr_resize(str, len);
p = (unsigned char *)rb_bstr_bytes(str);
if(i2d_OCSP_REQUEST(req, &p) <= 0)
ossl_raise(eOCSPError, NULL);
ossl_str_adjust(str, p);
return str;
}
int
OCSP_REQ_CTX_set1_req(OCSP_REQ_CTX *rctx, OCSP_REQUEST *req)
{
if (BIO_printf(rctx->mem, "Content-Type: application/ocsp-request\r\n"
"Content-Length: %d\r\n\r\n", i2d_OCSP_REQUEST(req, NULL)) <= 0)
return 0;
if (i2d_OCSP_REQUEST_bio(rctx->mem, req) <= 0)
return 0;
rctx->state = OHS_ASN1_WRITE;
rctx->asn1_len = BIO_get_mem_data(rctx->mem, NULL);
return 1;
}
int SslOcspStapling::getRequestData(unsigned char *pReqData)
{
int len = -1;
OCSP_REQUEST *ocsp;
OCSP_CERTID *id;
if (m_pCertId == NULL)
return LS_FAIL;
ocsp = OCSP_REQUEST_new();
if (ocsp == NULL)
return LS_FAIL;
id = OCSP_CERTID_dup(m_pCertId);
if (OCSP_request_add0_id(ocsp, id) != NULL)
{
len = i2d_OCSP_REQUEST(ocsp, &pReqData);
if (len > 0)
*pReqData = 0;
}
OCSP_REQUEST_free(ocsp);
return len;
}
static ngx_int_t
ngx_ssl_ocsp_create_request(ngx_ssl_ocsp_ctx_t *ctx)
{
int len;
u_char *p;
uintptr_t escape;
ngx_str_t binary, base64;
ngx_buf_t *b;
OCSP_CERTID *id;
OCSP_REQUEST *ocsp;
ocsp = OCSP_REQUEST_new();
if (ocsp == NULL) {
ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0,
"OCSP_REQUEST_new() failed");
return NGX_ERROR;
}
id = OCSP_cert_to_id(NULL, ctx->cert, ctx->issuer);
if (id == NULL) {
ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0,
"OCSP_cert_to_id() failed");
goto failed;
}
if (OCSP_request_add0_id(ocsp, id) == NULL) {
ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0,
"OCSP_request_add0_id() failed");
OCSP_CERTID_free(id);
goto failed;
}
len = i2d_OCSP_REQUEST(ocsp, NULL);
if (len <= 0) {
ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0,
"i2d_OCSP_REQUEST() failed");
goto failed;
}
binary.len = len;
binary.data = ngx_palloc(ctx->pool, len);
if (binary.data == NULL) {
goto failed;
}
p = binary.data;
len = i2d_OCSP_REQUEST(ocsp, &p);
if (len <= 0) {
ngx_ssl_error(NGX_LOG_EMERG, ctx->log, 0,
"i2d_OCSP_REQUEST() failed");
goto failed;
}
base64.len = ngx_base64_encoded_length(binary.len);
base64.data = ngx_palloc(ctx->pool, base64.len);
if (base64.data == NULL) {
goto failed;
}
ngx_encode_base64(&base64, &binary);
escape = ngx_escape_uri(NULL, base64.data, base64.len,
NGX_ESCAPE_URI_COMPONENT);
ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
"ssl ocsp request length %z, escape %d",
base64.len, (int) escape);
len = sizeof("GET ") - 1 + ctx->uri.len + sizeof("/") - 1
+ base64.len + 2 * escape + sizeof(" HTTP/1.0" CRLF) - 1
+ sizeof("Host: ") - 1 + ctx->host.len + sizeof(CRLF) - 1
+ sizeof(CRLF) - 1;
b = ngx_create_temp_buf(ctx->pool, len);
if (b == NULL) {
goto failed;
}
p = b->last;
p = ngx_cpymem(p, "GET ", sizeof("GET ") - 1);
p = ngx_cpymem(p, ctx->uri.data, ctx->uri.len);
if (ctx->uri.data[ctx->uri.len - 1] != '/') {
*p++ = '/';
}
if (escape == 0) {
p = ngx_cpymem(p, base64.data, base64.len);
} else {
p = (u_char *) ngx_escape_uri(p, base64.data, base64.len,
NGX_ESCAPE_URI_COMPONENT);
}
p = ngx_cpymem(p, " HTTP/1.0" CRLF, sizeof(" HTTP/1.0" CRLF) - 1);
p = ngx_cpymem(p, "Host: ", sizeof("Host: ") - 1);
p = ngx_cpymem(p, ctx->host.data, ctx->host.len);
*p++ = CR; *p++ = LF;
/* add "\r\n" at the header end */
*p++ = CR; *p++ = LF;
b->last = p;
ctx->request = b;
OCSP_REQUEST_free(ocsp);
return NGX_OK;
failed:
OCSP_REQUEST_free(ocsp);
return NGX_ERROR;
}
const char* bud_context_get_ocsp_req(bud_context_t* context,
size_t* size,
char** ocsp_request,
size_t* ocsp_request_len) {
STACK_OF(OPENSSL_STRING)* urls;
OCSP_REQUEST* req;
OCSP_CERTID* id;
char* encoded;
unsigned char* pencoded;
size_t encoded_len;
urls = NULL;
id = NULL;
encoded = NULL;
/* Cached url */
if (context->ocsp_url != NULL)
goto has_url;
urls = X509_get1_ocsp(context->cert);
if (urls == NULL)
goto done;
context->ocsp_url = sk_OPENSSL_STRING_pop(urls);
context->ocsp_url_len = strlen(context->ocsp_url);
has_url:
if (context->ocsp_url == NULL)
goto done;
id = OCSP_CERTID_dup(context->ocsp_id);
if (id == NULL)
goto done;
/* Create request */
req = OCSP_REQUEST_new();
if (req == NULL)
goto done;
if (!OCSP_request_add0_id(req, id))
goto done;
id = NULL;
encoded_len = i2d_OCSP_REQUEST(req, NULL);
encoded = malloc(encoded_len);
if (encoded == NULL)
goto done;
pencoded = (unsigned char*) encoded;
i2d_OCSP_REQUEST(req, &pencoded);
OCSP_REQUEST_free(req);
*ocsp_request = encoded;
*ocsp_request_len = encoded_len;
encoded = NULL;
done:
if (id != NULL)
OCSP_CERTID_free(id);
if (urls != NULL)
X509_email_free(urls);
if (encoded != NULL)
free(encoded);
*size = context->ocsp_url_len;
return context->ocsp_url;
}
