/* Create an OCSP response and encode an optional basic response */ OCSP_RESPONSE *OCSP_response_create(int status, OCSP_BASICRESP *bs) { OCSP_RESPONSE *rsp = NULL; if (!(rsp = OCSP_RESPONSE_new())) goto err; if (!(ASN1_ENUMERATED_set(rsp->responseStatus, status))) goto err; if (!bs) return rsp; if (!(rsp->responseBytes = OCSP_RESPBYTES_new())) goto err; rsp->responseBytes->responseType = OBJ_nid2obj(NID_id_pkix_OCSP_basic); if (!ASN1_item_pack(bs, ASN1_ITEM_rptr(OCSP_BASICRESP), &rsp->responseBytes->response)) goto err; return rsp; err: if (rsp) OCSP_RESPONSE_free(rsp); return NULL; }
/*! \brief Signs a PKI_X509_OCSP_RESP, for a simpler API use PKI_X509_OCSP_RESP_sign_tk */ int PKI_X509_OCSP_RESP_sign ( PKI_X509_OCSP_RESP *resp, PKI_X509_KEYPAIR *keypair, PKI_X509_CERT *cert, PKI_X509_CERT *issuer, PKI_X509_CERT_STACK * otherCerts, PKI_DIGEST_ALG *digest, PKI_X509_OCSP_RESPID_TYPE respidType ) { OCSP_RESPID *rid; PKI_OCSP_RESP *r = NULL; if (!resp || !resp->value || !keypair || !keypair->value) { PKI_ERROR(PKI_ERR_PARAM_NULL, NULL); return PKI_ERR; } // Let's get the value r = resp->value; // if (!r->resp) { PKI_ERROR(PKI_ERR_PARAM_NULL, NULL); return PKI_ERR; } // If there is no bs, no need to sign the response // we do not consider this to be an error if (!r->bs) { PKI_ERROR(PKI_ERR_PARAM_NULL, NULL); return PKI_ERR; } // Checks the certificates if (!cert || !cert->value ) { PKI_log(PKI_LOG_WARNING,"Signing an OCSP_RESP without a cert"); } if (!issuer || !issuer->value ) { PKI_log( PKI_LOG_WARNING, "Signing an OCSP_RESP without the " "issuer's certificate!"); } // Let's get the responderId rid = r->bs->tbsResponseData->responderId; // Sets the responderId if (cert && respidType == PKI_X509_OCSP_RESPID_TYPE_BY_NAME) { if (!cert) { PKI_log_err("PKI_OCSP_RESPID_TYPE_BY_NAME requires signer's certificate"); return PKI_ERR; } if (!X509_NAME_set(&rid->value.byName, X509_get_subject_name(cert->value))) { PKI_log_err("Internal Error"); return PKI_ERR; } rid->type = V_OCSP_RESPID_NAME; } else { PKI_DIGEST *dgst = PKI_X509_KEYPAIR_pub_digest(keypair, PKI_DIGEST_ALG_SHA1); if (!dgst) { PKI_log_err("Can not get Keypair Sha-1 value!"); return PKI_ERR; } rid->type = V_OCSP_RESPID_KEY; if((rid->value.byKey = ASN1_OCTET_STRING_new()) == NULL) { PKI_ERROR(PKI_ERR_MEMORY_ALLOC, NULL); PKI_DIGEST_free(dgst); return PKI_ERR; } if(!ASN1_OCTET_STRING_set(rid->value.byKey, dgst->digest, (int) dgst->size)) { PKI_log_err("Can not assign Responder Id by Key (Internal Error!)"); PKI_DIGEST_free(dgst); return PKI_ERR; } // All done here. PKI_DIGEST_free(dgst); } if(X509_gmtime_adj(r->bs->tbsResponseData->producedAt, 0) == 0) { PKI_log_err("Error adding signed time to response"); } if (!(r->resp->responseBytes = OCSP_RESPBYTES_new())) { PKI_ERROR(PKI_ERR_MEMORY_ALLOC, NULL); return PKI_ERR; } if((r->resp->responseBytes->responseType = OBJ_nid2obj(NID_id_pkix_OCSP_basic)) == NULL ) { PKI_log_debug("id-pkix-ocsp-basic OID error"); return PKI_ERR; } /* If there's old certs, let's clean the stack */ if( r->bs->certs ) { PKI_X509_CERT_VALUE *tmp_cert = NULL; while ( (tmp_cert = sk_X509_pop( r->bs->certs )) != NULL ) { X509_free ( tmp_cert ); } } else { if((r->bs->certs = sk_X509_new_null()) == NULL) { PKI_log_debug("ERROR, Can not Create stack of certs in signature!"); return( PKI_ERR ); } } /* Let's push the signer's certificate */ if ( cert ) OCSP_basic_add1_cert(r->bs, cert->value); // Let's now perform the real signing operation return PKI_X509_OCSP_RESP_DATA_sign(resp, keypair, digest); }
int PKI_X509_OCSP_RESP_DATA_sign (PKI_X509_OCSP_RESP *resp, PKI_X509_KEYPAIR *k, PKI_DIGEST_ALG *md ) { int ret = 0; OCSP_BASICRESP *bsrp = NULL; PKI_X509_OCSP_RESP_VALUE *resp_val = NULL; PKI_OCSP_RESP *r = NULL; if (!resp || !resp->value || !k || !k->value) { PKI_ERROR(PKI_ERR_PARAM_NULL, NULL); return PKI_ERR; } r = resp->value; if (r->bs == NULL) { PKI_ERROR(PKI_ERR_OCSP_RESP_SIGN, NULL); return PKI_ERR; } // If no digest is given, let's use the default one if (!md) md = PKI_DIGEST_ALG_SHA1; // DEBUG ONLY: Use this to check correctness /* PKI_X509_KEYPAIR_VALUE *key_val = NULL; key_val = PKI_X509_get_value(k); if (!OCSP_BASICRESP_sign(r->bs, key_val, md, 0)) { PKI_log_debug("ERROR: Can not sign with OCSP_BASICRESP_sign! %s!", ERR_error_string(ERR_get_error(), NULL)); return PKI_ERR; } */ // Using the generic signing function ret = PKI_X509_sign(resp, md, k); if (ret == PKI_ERR) { PKI_ERROR(PKI_ERR_OCSP_RESP_SIGN, ERR_error_string(ERR_get_error(), NULL)); r->bs->signature = NULL; return PKI_ERR; } resp_val = r->resp; bsrp = r->bs; // In case the responseBytes are not already set, let's generate them ourselves if (!resp_val->responseBytes) { if (!(resp_val->responseBytes = OCSP_RESPBYTES_new())) { PKI_ERROR(PKI_ERR_MEMORY_ALLOC, NULL); return PKI_ERR; } resp_val->responseBytes->responseType = OBJ_nid2obj(NID_id_pkix_OCSP_basic); } /* Now add the encoded data to the request bytes */ if (!ASN1_item_pack(bsrp, ASN1_ITEM_rptr(OCSP_BASICRESP), &resp_val->responseBytes->response)) { PKI_ERROR(PKI_ERR_OCSP_RESP_ENCODE, NULL); return PKI_ERR; } return ( PKI_OK ); }