/* Create an OCSP response and encode an optional basic response */
OCSP_RESPONSE *OCSP_response_create(int status, OCSP_BASICRESP *bs)
{
OCSP_RESPONSE *rsp = NULL;
if (!(rsp = OCSP_RESPONSE_new())) goto err;
if (!(ASN1_ENUMERATED_set(rsp->responseStatus, status))) goto err;
if (!bs) return rsp;
if (!(rsp->responseBytes = OCSP_RESPBYTES_new())) goto err;
rsp->responseBytes->responseType = OBJ_nid2obj(NID_id_pkix_OCSP_basic);
if (!ASN1_item_pack(bs, ASN1_ITEM_rptr(OCSP_BASICRESP), &rsp->responseBytes->response))
goto err;
return rsp;
err:
if (rsp) OCSP_RESPONSE_free(rsp);
return NULL;
}
/*! \brief Signs a PKI_X509_OCSP_RESP, for a simpler API use PKI_X509_OCSP_RESP_sign_tk */
int PKI_X509_OCSP_RESP_sign ( PKI_X509_OCSP_RESP *resp,
PKI_X509_KEYPAIR *keypair, PKI_X509_CERT *cert,
PKI_X509_CERT *issuer, PKI_X509_CERT_STACK * otherCerts,
PKI_DIGEST_ALG *digest, PKI_X509_OCSP_RESPID_TYPE respidType ) {
OCSP_RESPID *rid;
PKI_OCSP_RESP *r = NULL;
if (!resp || !resp->value || !keypair || !keypair->value)
{
PKI_ERROR(PKI_ERR_PARAM_NULL, NULL);
return PKI_ERR;
}
// Let's get the value
r = resp->value;
//
if (!r->resp)
{
PKI_ERROR(PKI_ERR_PARAM_NULL, NULL);
return PKI_ERR;
}
// If there is no bs, no need to sign the response
// we do not consider this to be an error
if (!r->bs)
{
PKI_ERROR(PKI_ERR_PARAM_NULL, NULL);
return PKI_ERR;
}
// Checks the certificates
if (!cert || !cert->value )
{
PKI_log(PKI_LOG_WARNING,"Signing an OCSP_RESP without a cert");
}
if (!issuer || !issuer->value )
{
PKI_log( PKI_LOG_WARNING, "Signing an OCSP_RESP without the "
"issuer's certificate!");
}
// Let's get the responderId
rid = r->bs->tbsResponseData->responderId;
// Sets the responderId
if (cert && respidType == PKI_X509_OCSP_RESPID_TYPE_BY_NAME)
{
if (!cert) {
PKI_log_err("PKI_OCSP_RESPID_TYPE_BY_NAME requires signer's certificate");
return PKI_ERR;
}
if (!X509_NAME_set(&rid->value.byName, X509_get_subject_name(cert->value)))
{
PKI_log_err("Internal Error");
return PKI_ERR;
}
rid->type = V_OCSP_RESPID_NAME;
}
else
{
PKI_DIGEST *dgst = PKI_X509_KEYPAIR_pub_digest(keypair, PKI_DIGEST_ALG_SHA1);
if (!dgst)
{
PKI_log_err("Can not get Keypair Sha-1 value!");
return PKI_ERR;
}
rid->type = V_OCSP_RESPID_KEY;
if((rid->value.byKey = ASN1_OCTET_STRING_new()) == NULL)
{
PKI_ERROR(PKI_ERR_MEMORY_ALLOC, NULL);
PKI_DIGEST_free(dgst);
return PKI_ERR;
}
if(!ASN1_OCTET_STRING_set(rid->value.byKey, dgst->digest, (int) dgst->size))
{
PKI_log_err("Can not assign Responder Id by Key (Internal Error!)");
PKI_DIGEST_free(dgst);
return PKI_ERR;
}
// All done here.
PKI_DIGEST_free(dgst);
}
if(X509_gmtime_adj(r->bs->tbsResponseData->producedAt, 0) == 0)
{
PKI_log_err("Error adding signed time to response");
}
if (!(r->resp->responseBytes = OCSP_RESPBYTES_new()))
{
PKI_ERROR(PKI_ERR_MEMORY_ALLOC, NULL);
return PKI_ERR;
}
if((r->resp->responseBytes->responseType =
OBJ_nid2obj(NID_id_pkix_OCSP_basic)) == NULL )
{
PKI_log_debug("id-pkix-ocsp-basic OID error");
return PKI_ERR;
}
/* If there's old certs, let's clean the stack */
if( r->bs->certs )
{
PKI_X509_CERT_VALUE *tmp_cert = NULL;
while ( (tmp_cert = sk_X509_pop( r->bs->certs )) != NULL )
{
X509_free ( tmp_cert );
}
}
else
{
if((r->bs->certs = sk_X509_new_null()) == NULL)
{
PKI_log_debug("ERROR, Can not Create stack of certs in signature!");
return( PKI_ERR );
}
}
/* Let's push the signer's certificate */
if ( cert ) OCSP_basic_add1_cert(r->bs, cert->value);
// Let's now perform the real signing operation
return PKI_X509_OCSP_RESP_DATA_sign(resp, keypair, digest);
}
int PKI_X509_OCSP_RESP_DATA_sign (PKI_X509_OCSP_RESP *resp,
PKI_X509_KEYPAIR *k, PKI_DIGEST_ALG *md ) {
int ret = 0;
OCSP_BASICRESP *bsrp = NULL;
PKI_X509_OCSP_RESP_VALUE *resp_val = NULL;
PKI_OCSP_RESP *r = NULL;
if (!resp || !resp->value || !k || !k->value)
{
PKI_ERROR(PKI_ERR_PARAM_NULL, NULL);
return PKI_ERR;
}
r = resp->value;
if (r->bs == NULL)
{
PKI_ERROR(PKI_ERR_OCSP_RESP_SIGN, NULL);
return PKI_ERR;
}
// If no digest is given, let's use the default one
if (!md) md = PKI_DIGEST_ALG_SHA1;
// DEBUG ONLY: Use this to check correctness
/*
PKI_X509_KEYPAIR_VALUE *key_val = NULL;
key_val = PKI_X509_get_value(k);
if (!OCSP_BASICRESP_sign(r->bs, key_val, md, 0))
{
PKI_log_debug("ERROR: Can not sign with OCSP_BASICRESP_sign! %s!", ERR_error_string(ERR_get_error(), NULL));
return PKI_ERR;
}
*/
// Using the generic signing function
ret = PKI_X509_sign(resp, md, k);
if (ret == PKI_ERR)
{
PKI_ERROR(PKI_ERR_OCSP_RESP_SIGN, ERR_error_string(ERR_get_error(), NULL));
r->bs->signature = NULL;
return PKI_ERR;
}
resp_val = r->resp;
bsrp = r->bs;
// In case the responseBytes are not already set, let's generate them ourselves
if (!resp_val->responseBytes)
{
if (!(resp_val->responseBytes = OCSP_RESPBYTES_new()))
{
PKI_ERROR(PKI_ERR_MEMORY_ALLOC, NULL);
return PKI_ERR;
}
resp_val->responseBytes->responseType =
OBJ_nid2obj(NID_id_pkix_OCSP_basic);
}
/* Now add the encoded data to the request bytes */
if (!ASN1_item_pack(bsrp, ASN1_ITEM_rptr(OCSP_BASICRESP), &resp_val->responseBytes->response))
{
PKI_ERROR(PKI_ERR_OCSP_RESP_ENCODE, NULL);
return PKI_ERR;
}
return ( PKI_OK );
}
