PKI_OCSP_RESP *d2i_PKI_OCSP_RESP_bio ( PKI_IO *bp, PKI_OCSP_RESP **p ) {
PKI_OCSP_RESP *ret = NULL;
if (( ret = (PKI_OCSP_RESP *)
PKI_Malloc ( sizeof( PKI_OCSP_RESP ))) == NULL ) {
return NULL;
}
#if OPENSSL_VERSION_NUMBER < 0x0090800fL
ret->resp = (PKI_X509_OCSP_RESP_VALUE *) ASN1_d2i_bio(
(char *(*)(void))OCSP_RESPONSE_new,
(char *(*)(void **, const unsigned char **, long))
d2i_OCSP_RESPONSE,
bp, (unsigned char **) NULL);
#else
ret->resp = (PKI_X509_OCSP_RESP_VALUE *) ASN1_d2i_bio(
(void *(*)(void))OCSP_RESPONSE_new,
(void *(*)(void **, const unsigned char **, long))
d2i_OCSP_RESPONSE,
bp, (void **) NULL);
#endif
if ( !ret->resp ) {
PKI_Free ( ret );
return NULL;
}
ret->bs = OCSP_response_get1_basic(ret->resp);
return ret;
}
/* PEM <-> INTERNAL Macros --- fix for errors in OpenSSL */
PKI_OCSP_RESP *PEM_read_bio_PKI_OCSP_RESP( PKI_IO *bp, void *a,
void *b, void *c ) {
PKI_OCSP_RESP *ret = NULL;
if (( ret = (PKI_OCSP_RESP *)
PKI_Malloc ( sizeof( PKI_OCSP_RESP ))) == NULL ) {
return NULL;
}
#if OPENSSL_VERSION_NUMBER < 0x0090800fL
ret->resp = (PKI_X509_OCSP_RESP_VALUE *) PEM_ASN1_read_bio(
(char *(*)()) d2i_OCSP_RESPONSE,
PEM_STRING_OCSP_RESPONSE, bp, NULL, NULL, NULL);
#else
ret->resp = (PKI_X509_OCSP_RESP_VALUE *) PEM_ASN1_read_bio(
(void *(*)()) d2i_OCSP_RESPONSE,
PEM_STRING_OCSP_RESPONSE, bp, NULL, NULL, NULL);
#endif
if ( ret->resp == NULL ) {
PKI_Free ( ret );
return NULL;
}
ret->bs = OCSP_response_get1_basic(ret->resp);
return ret;
}
static VALUE
ossl_ocspres_get_basic(VALUE self)
{
OCSP_RESPONSE *res;
OCSP_BASICRESP *bs;
VALUE ret;
GetOCSPRes(self, res);
if(!(bs = OCSP_response_get1_basic(res)))
return Qnil;
WrapOCSPBasicRes(cOCSPBasicRes, ret, bs);
return ret;
}
int SslOcspStapling::verifyRespFile(int iNeedVerify)
{
int iResult = -1;
BIO *pBio;
OCSP_RESPONSE *pResponse;
OCSP_BASICRESP *pBasicResp;
X509_STORE *pXstore;
if (iNeedVerify)
pBio = BIO_new_file(m_sRespfileTmp.c_str(), "r");
else
pBio = BIO_new_file(m_sRespfile.c_str(), "r");
if (pBio == NULL)
return LS_FAIL;
pResponse = d2i_OCSP_RESPONSE_bio(pBio, NULL);
BIO_free(pBio);
if (pResponse == NULL)
return LS_FAIL;
if (OCSP_response_status(pResponse) == OCSP_RESPONSE_STATUS_SUCCESSFUL)
{
if (iNeedVerify)
{
pBasicResp = OCSP_response_get1_basic(pResponse);
if (pBasicResp != NULL)
{
pXstore = SSL_CTX_get_cert_store(m_pCtx);
if (pXstore)
iResult = certVerify(pResponse, pBasicResp, pXstore);
OCSP_BASICRESP_free(pBasicResp);
}
}
else
{
updateRespData(pResponse);
iResult = 0;
}
}
OCSP_RESPONSE_free(pResponse);
return iResult;
}
int main(int argc, char *argv[]) {
int sd, ocsp_status;
const unsigned char *p;
long len;
OCSP_RESPONSE *rsp = NULL;
OCSP_BASICRESP *br = NULL;
X509_STORE *st = NULL;
STACK_OF(X509) *ch = NULL;
char *host, *port;
#ifdef _PATH_SSL_CA_FILE
char *cafile = _PATH_SSL_CA_FILE;
#else
char *cafile = "/etc/ssl/cert.pem";
#endif
SSL *ssl;
SSL_CTX *ctx;
SSL_library_init();
SSL_load_error_strings();
ctx = SSL_CTX_new(SSLv23_client_method());
if (!SSL_CTX_load_verify_locations(ctx, cafile, NULL)) {
printf("failed to load %s\n", cafile);
exit(-1);
}
if (argc != 3)
errx(-1, "need a host and port to connect to");
else {
host = argv[1];
port = argv[2];
}
sd = tcp_connect(host, port);
ssl = SSL_new(ctx);
SSL_set_fd(ssl, (int) sd);
SSL_set_tlsext_status_type(ssl, TLSEXT_STATUSTYPE_ocsp);
if (SSL_connect(ssl) <= 0) {
printf("SSL connect error\n");
exit(-1);
}
if (SSL_get_verify_result(ssl) != X509_V_OK) {
printf("Certificate doesn't verify from host %s port %s\n", host, port);
exit(-1);
}
/* ==== VERIFY OCSP RESPONSE ==== */
len = SSL_get_tlsext_status_ocsp_resp(ssl, &p);
if (!p) {
printf("No OCSP response received for %s port %s\n", host, port);
exit(-1);
}
rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
if (!rsp) {
puts("Invalid OCSP response");
exit(-1);
}
ocsp_status = OCSP_response_status(rsp);
if (ocsp_status != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
printf("Invalid OCSP response status: %s (%d)",
OCSP_response_status_str(ocsp_status), ocsp_status);
exit(-1);
}
br = OCSP_response_get1_basic(rsp);
if (!br) {
puts("Invalid OCSP response");
exit(-1);
}
ch = SSL_get_peer_cert_chain(ssl);
st = SSL_CTX_get_cert_store(ctx);
if (OCSP_basic_verify(br, ch, st, 0) <= 0) {
puts("OCSP response verification failed");
exit(-1);
}
printf("OCSP validated from %s %s\n", host, port);
return 0;
}
static void
ngx_ssl_stapling_ocsp_handler(ngx_ssl_ocsp_ctx_t *ctx)
{
#if OPENSSL_VERSION_NUMBER >= 0x0090707fL
const
#endif
u_char *p;
int n;
size_t len;
time_t now, valid;
ngx_str_t response;
X509_STORE *store;
STACK_OF(X509) *chain;
OCSP_CERTID *id;
OCSP_RESPONSE *ocsp;
OCSP_BASICRESP *basic;
ngx_ssl_stapling_t *staple;
ASN1_GENERALIZEDTIME *thisupdate, *nextupdate;
staple = ctx->data;
now = ngx_time();
ocsp = NULL;
basic = NULL;
id = NULL;
if (ctx->code != 200) {
goto error;
}
/* check the response */
len = ctx->response->last - ctx->response->pos;
p = ctx->response->pos;
ocsp = d2i_OCSP_RESPONSE(NULL, &p, len);
if (ocsp == NULL) {
ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0,
"d2i_OCSP_RESPONSE() failed");
goto error;
}
n = OCSP_response_status(ocsp);
if (n != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
"OCSP response not successful (%d: %s)",
n, OCSP_response_status_str(n));
goto error;
}
basic = OCSP_response_get1_basic(ocsp);
if (basic == NULL) {
ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0,
"OCSP_response_get1_basic() failed");
goto error;
}
store = SSL_CTX_get_cert_store(staple->ssl_ctx);
if (store == NULL) {
ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0,
"SSL_CTX_get_cert_store() failed");
goto error;
}
#if OPENSSL_VERSION_NUMBER >= 0x10001000L
SSL_CTX_get_extra_chain_certs(staple->ssl_ctx, &chain);
#else
chain = staple->ssl_ctx->extra_certs;
#endif
if (OCSP_basic_verify(basic, chain, store,
staple->verify ? OCSP_TRUSTOTHER : OCSP_NOVERIFY)
!= 1)
{
ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0,
"OCSP_basic_verify() failed");
goto error;
}
id = OCSP_cert_to_id(NULL, ctx->cert, ctx->issuer);
if (id == NULL) {
ngx_ssl_error(NGX_LOG_CRIT, ctx->log, 0,
"OCSP_cert_to_id() failed");
goto error;
}
if (OCSP_resp_find_status(basic, id, &n, NULL, NULL,
&thisupdate, &nextupdate)
!= 1)
{
ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
"certificate status not found in the OCSP response");
goto error;
}
if (n != V_OCSP_CERTSTATUS_GOOD) {
ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
"certificate status \"%s\" in the OCSP response",
OCSP_cert_status_str(n));
goto error;
}
if (OCSP_check_validity(thisupdate, nextupdate, 300, -1) != 1) {
ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0,
"OCSP_check_validity() failed");
goto error;
}
if (nextupdate) {
valid = ngx_ssl_stapling_time(nextupdate);
if (valid == (time_t) NGX_ERROR) {
ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
"invalid nextUpdate time in certificate status");
goto error;
}
} else {
valid = NGX_MAX_TIME_T_VALUE;
}
OCSP_CERTID_free(id);
OCSP_BASICRESP_free(basic);
OCSP_RESPONSE_free(ocsp);
id = NULL;
basic = NULL;
ocsp = NULL;
/* copy the response to memory not in ctx->pool */
response.len = len;
response.data = ngx_alloc(response.len, ctx->log);
if (response.data == NULL) {
goto error;
}
ngx_memcpy(response.data, ctx->response->pos, response.len);
ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
"ssl ocsp response, %s, %uz",
OCSP_cert_status_str(n), response.len);
if (staple->staple.data) {
ngx_free(staple->staple.data);
}
staple->staple = response;
staple->valid = valid;
/*
* refresh before the response expires,
* but not earlier than in 5 minutes, and at least in an hour
*/
staple->loading = 0;
staple->refresh = ngx_max(ngx_min(valid - 300, now + 3600), now + 300);
ngx_ssl_ocsp_done(ctx);
return;
error:
staple->loading = 0;
staple->refresh = now + 300;
if (id) {
OCSP_CERTID_free(id);
}
if (basic) {
OCSP_BASICRESP_free(basic);
}
if (ocsp) {
OCSP_RESPONSE_free(ocsp);
}
ngx_ssl_ocsp_done(ctx);
}
int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE* o, unsigned long flags)
{
int i, ret = 0;
long l;
OCSP_CERTID *cid = NULL;
OCSP_BASICRESP *br = NULL;
OCSP_RESPID *rid = NULL;
OCSP_RESPDATA *rd = NULL;
OCSP_CERTSTATUS *cst = NULL;
OCSP_REVOKEDINFO *rev = NULL;
OCSP_SINGLERESP *single = NULL;
OCSP_RESPBYTES *rb = o->responseBytes;
if (BIO_puts(bp,"OCSP Response Data:\n") <= 0) goto err;
l=ASN1_ENUMERATED_get(o->responseStatus);
if (BIO_printf(bp," OCSP Response Status: %s (0x%lx)\n",
OCSP_response_status_str(l), l) <= 0) goto err;
if (rb == NULL) return 1;
if (BIO_puts(bp," Response Type: ") <= 0)
goto err;
if(i2a_ASN1_OBJECT(bp, rb->responseType) <= 0)
goto err;
if (OBJ_obj2nid(rb->responseType) != NID_id_pkix_OCSP_basic)
{
BIO_puts(bp," (unknown response type)\n");
return 1;
}
i = ASN1_STRING_length(rb->response);
if (!(br = OCSP_response_get1_basic(o))) goto err;
rd = br->tbsResponseData;
l=ASN1_INTEGER_get(rd->version);
if (BIO_printf(bp,"\n Version: %lu (0x%lx)\n",
l+1,l) <= 0) goto err;
if (BIO_puts(bp," Responder Id: ") <= 0) goto err;
rid = rd->responderId;
switch (rid->type)
{
case V_OCSP_RESPID_NAME:
X509_NAME_print_ex(bp, rid->value.byName, 0, XN_FLAG_ONELINE);
break;
case V_OCSP_RESPID_KEY:
i2a_ASN1_STRING(bp, rid->value.byKey, V_ASN1_OCTET_STRING);
break;
}
if (BIO_printf(bp,"\n Produced At: ")<=0) goto err;
if (!ASN1_GENERALIZEDTIME_print(bp, rd->producedAt)) goto err;
if (BIO_printf(bp,"\n Responses:\n") <= 0) goto err;
for (i = 0; i < sk_OCSP_SINGLERESP_num(rd->responses); i++)
{
if (! sk_OCSP_SINGLERESP_value(rd->responses, i)) continue;
single = sk_OCSP_SINGLERESP_value(rd->responses, i);
cid = single->certId;
if(ocsp_certid_print(bp, cid, 4) <= 0) goto err;
cst = single->certStatus;
if (BIO_printf(bp," Cert Status: %s",
OCSP_cert_status_str(cst->type)) <= 0)
goto err;
if (cst->type == V_OCSP_CERTSTATUS_REVOKED)
{
rev = cst->value.revoked;
if (BIO_printf(bp, "\n Revocation Time: ") <= 0)
goto err;
if (!ASN1_GENERALIZEDTIME_print(bp,
rev->revocationTime))
goto err;
if (rev->revocationReason)
{
l=ASN1_ENUMERATED_get(rev->revocationReason);
if (BIO_printf(bp,
"\n Revocation Reason: %s (0x%lx)",
OCSP_crl_reason_str(l), l) <= 0)
goto err;
}
}
if (BIO_printf(bp,"\n This Update: ") <= 0) goto err;
if (!ASN1_GENERALIZEDTIME_print(bp, single->thisUpdate))
goto err;
if (single->nextUpdate)
{
if (BIO_printf(bp,"\n Next Update: ") <= 0)goto err;
if (!ASN1_GENERALIZEDTIME_print(bp,single->nextUpdate))
goto err;
}
if (BIO_write(bp,"\n",1) <= 0) goto err;
if (!X509V3_extensions_print(bp,
"Response Single Extensions",
single->singleExtensions, flags, 8))
goto err;
if (BIO_write(bp,"\n",1) <= 0) goto err;
}
if (!X509V3_extensions_print(bp, "Response Extensions",
rd->responseExtensions, flags, 4))
goto err;
if(X509_signature_print(bp, br->signatureAlgorithm, br->signature) <= 0)
goto err;
for (i=0; i<sk_X509_num(br->certs); i++)
{
X509_print(bp, sk_X509_value(br->certs,i));
PEM_write_bio_X509(bp,sk_X509_value(br->certs,i));
}
ret = 1;
err:
OCSP_BASICRESP_free(br);
return ret;
}
GTlsCertificateFlags
g_tls_database_openssl_verify_ocsp_response (GTlsDatabaseOpenssl *self,
GTlsCertificate *chain,
OCSP_RESPONSE *resp)
{
GTlsCertificateFlags errors = 0;
#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
!defined(OPENSSL_NO_OCSP)
GTlsDatabaseOpensslPrivate *priv;
STACK_OF(X509) *chain_openssl = NULL;
OCSP_BASICRESP *basic_resp = NULL;
int ocsp_status = 0;
int i;
ocsp_status = OCSP_response_status (resp);
if (ocsp_status != OCSP_RESPONSE_STATUS_SUCCESSFUL)
{
errors = G_TLS_CERTIFICATE_GENERIC_ERROR;
goto end;
}
basic_resp = OCSP_response_get1_basic (resp);
if (basic_resp == NULL)
{
errors = G_TLS_CERTIFICATE_GENERIC_ERROR;
goto end;
}
chain_openssl = convert_certificate_chain_to_openssl (G_TLS_CERTIFICATE_OPENSSL (chain));
priv = g_tls_database_openssl_get_instance_private (self);
if ((chain_openssl == NULL) ||
(priv->store == NULL))
{
errors = G_TLS_CERTIFICATE_GENERIC_ERROR;
goto end;
}
if (OCSP_basic_verify (basic_resp, chain_openssl, priv->store, 0) <= 0)
{
errors = G_TLS_CERTIFICATE_GENERIC_ERROR;
goto end;
}
for (i = 0; i < OCSP_resp_count (basic_resp); i++)
{
OCSP_SINGLERESP *single_resp = OCSP_resp_get0 (basic_resp, i);
ASN1_GENERALIZEDTIME *revocation_time = NULL;
ASN1_GENERALIZEDTIME *this_update_time = NULL;
ASN1_GENERALIZEDTIME *next_update_time = NULL;
int crl_reason = 0;
int cert_status = 0;
if (single_resp == NULL)
continue;
cert_status = OCSP_single_get0_status (single_resp,
&crl_reason,
&revocation_time,
&this_update_time,
&next_update_time);
if (!OCSP_check_validity (this_update_time,
next_update_time,
300L,
-1L))
{
errors = G_TLS_CERTIFICATE_GENERIC_ERROR;
goto end;
}
switch (cert_status)
{
case V_OCSP_CERTSTATUS_GOOD:
break;
case V_OCSP_CERTSTATUS_REVOKED:
errors = G_TLS_CERTIFICATE_REVOKED;
goto end;
case V_OCSP_CERTSTATUS_UNKNOWN:
errors = G_TLS_CERTIFICATE_GENERIC_ERROR;
goto end;
}
}
end:
if (basic_resp != NULL)
OCSP_BASICRESP_free (basic_resp);
if (resp != NULL)
OCSP_RESPONSE_free (resp);
#endif
return errors;
}
s2n_cert_validation_code s2n_x509_validator_validate_cert_stapled_ocsp_response(struct s2n_x509_validator *validator,
struct s2n_connection *conn,
const uint8_t *ocsp_response_raw,
uint32_t ocsp_response_length) {
if (validator->skip_cert_validation || !validator->check_stapled_ocsp) {
return S2N_CERT_OK;
}
#if !S2N_OCSP_STAPLING_SUPPORTED
/* Default to safety */
return S2N_CERT_ERR_UNTRUSTED;
#else
OCSP_RESPONSE *ocsp_response = NULL;
OCSP_BASICRESP *basic_response = NULL;
s2n_cert_validation_code ret_val = S2N_CERT_ERR_INVALID;
if (!ocsp_response_raw) {
return ret_val;
}
ocsp_response = d2i_OCSP_RESPONSE(NULL, &ocsp_response_raw, ocsp_response_length);
if (!ocsp_response) {
goto clean_up;
}
int ocsp_status = OCSP_response_status(ocsp_response);
if (ocsp_status != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
goto clean_up;
}
basic_response = OCSP_response_get1_basic(ocsp_response);
if (!basic_response) {
goto clean_up;
}
int i;
int certs_in_chain = sk_X509_num(validator->cert_chain);
int certs_in_ocsp = sk_X509_num(OCSP_GET_CERTS(basic_response));
if (certs_in_chain >= 2 && certs_in_ocsp >= 1) {
X509 *responder = sk_X509_value(OCSP_GET_CERTS(basic_response), certs_in_ocsp - 1);
/*check to see if one of the certs in the chain is an issuer of the cert in the ocsp response.*/
/*if so it needs to be added to the OCSP verification chain.*/
for (i = 0; i < certs_in_chain; i++) {
X509 *issuer = sk_X509_value(validator->cert_chain, i);
int issuer_value = X509_check_issued(issuer, responder);
if (issuer_value == X509_V_OK) {
if (!OCSP_basic_add1_cert(basic_response, issuer)) {
goto clean_up;
}
}
}
}
int ocsp_verify_err = OCSP_basic_verify(basic_response, validator->cert_chain, validator->trust_store->trust_store, 0);
/* do the crypto checks on the response.*/
if (!ocsp_verify_err) {
ret_val = S2N_CERT_ERR_EXPIRED;
goto clean_up;
}
/* for each response check the timestamps and the status. */
for (i = 0; i < OCSP_resp_count(basic_response); i++) {
int status_reason;
ASN1_GENERALIZEDTIME *revtime, *thisupd, *nextupd;
OCSP_SINGLERESP *single_response = OCSP_resp_get0(basic_response, i);
if (!single_response) {
goto clean_up;
}
ocsp_status = OCSP_single_get0_status(single_response, &status_reason, &revtime,
&thisupd, &nextupd);
uint64_t this_update = 0;
int thisupd_err = s2n_asn1_time_to_nano_since_epoch_ticks((const char *) thisupd->data,
(uint32_t) thisupd->length, &this_update);
uint64_t next_update = 0;
int nextupd_err = s2n_asn1_time_to_nano_since_epoch_ticks((const char *) nextupd->data,
(uint32_t) nextupd->length, &next_update);
uint64_t current_time = 0;
int current_time_err = conn->config->wall_clock(conn->config->sys_clock_ctx, ¤t_time);
if (thisupd_err || nextupd_err || current_time_err) {
ret_val = S2N_CERT_ERR_UNTRUSTED;
goto clean_up;
}
if (current_time < this_update || current_time > next_update) {
ret_val = S2N_CERT_ERR_EXPIRED;
goto clean_up;
}
switch (ocsp_status) {
case V_OCSP_CERTSTATUS_GOOD:
break;
case V_OCSP_CERTSTATUS_REVOKED:
ret_val = S2N_CERT_ERR_REVOKED;
goto clean_up;
case V_OCSP_CERTSTATUS_UNKNOWN:
goto clean_up;
default:
goto clean_up;
}
}
ret_val = S2N_CERT_OK;
clean_up:
if (basic_response) {
OCSP_BASICRESP_free(basic_response);
}
if (ocsp_response) {
OCSP_RESPONSE_free(ocsp_response);
}
return ret_val;
#endif /* S2N_OCSP_STAPLING_SUPPORTED */
}
//============================================================
// Initializes NotaryInfo object with data from OCSP object
// pSigDoc - digidoc main object pointer
// pNotary - NotaryInfo object to be initialized
// resp - OCSP response object
// notCert - Notary cert object
// return error code
//============================================================
int initializeNotaryInfoWithOCSP(SignedDoc *pSigDoc, NotaryInfo *pNotary,
OCSP_RESPONSE *resp, X509 *notCert, int initDigest)
{
int n, err = ERR_OK;
char buf[500];
OCSP_RESPBYTES *rb = NULL;
OCSP_BASICRESP *br = NULL;
OCSP_RESPDATA *rd = NULL;
OCSP_RESPID *rid = NULL;
// OCSP_CERTSTATUS *cst = NULL;
OCSP_SINGLERESP *single = NULL;
OCSP_CERTID *cid = NULL;
X509_EXTENSION *nonce;
//AM 26.09.08
DigiDocMemBuf mbuf1;
mbuf1.pMem = 0;
mbuf1.nLen = 0;
RETURN_IF_NULL_PARAM(pNotary);
RETURN_IF_NULL_PARAM(resp);
// check the OCSP Response validity
switch(OCSP_response_status(resp)) {
case OCSP_RESPONSE_STATUS_SUCCESSFUL: // OK
break;
case OCSP_RESPONSE_STATUS_MALFORMEDREQUEST:
SET_LAST_ERROR_RETURN_CODE(ERR_OCSP_MALFORMED);
case OCSP_RESPONSE_STATUS_INTERNALERROR:
SET_LAST_ERROR_RETURN_CODE(ERR_OCSP_INTERNALERR);
case OCSP_RESPONSE_STATUS_TRYLATER:
SET_LAST_ERROR_RETURN_CODE(ERR_OCSP_TRYLATER);
case OCSP_RESPONSE_STATUS_SIGREQUIRED:
SET_LAST_ERROR_RETURN_CODE(ERR_OCSP_SIGREQUIRED);
case OCSP_RESPONSE_STATUS_UNAUTHORIZED:
SET_LAST_ERROR_RETURN_CODE(ERR_OCSP_UNAUTHORIZED);
default:
SET_LAST_ERROR_RETURN_CODE(ERR_OCSP_UNSUCCESSFUL);
}
RETURN_IF_NULL_PARAM(resp->responseBytes);;
rb = resp->responseBytes;
if(OBJ_obj2nid(rb->responseType) != NID_id_pkix_OCSP_basic)
SET_LAST_ERROR_RETURN_CODE(ERR_OCSP_UNKNOWN_TYPE);
if((br = OCSP_response_get1_basic(resp)) == NULL)
SET_LAST_ERROR_RETURN_CODE(ERR_OCSP_NO_BASIC_RESP);
rd = br->tbsResponseData;
if(ASN1_INTEGER_get(rd->version) != 0)
SET_LAST_ERROR_RETURN_CODE(ERR_OCSP_WRONG_VERSION);
n = sk_OCSP_SINGLERESP_num(rd->responses);
if(n != 1)
SET_LAST_ERROR_RETURN_CODE(ERR_OCSP_ONE_RESPONSE);
single = sk_OCSP_SINGLERESP_value(rd->responses, 0);
RETURN_IF_NULL(single);
cid = single->certId;
RETURN_IF_NULL(cid);
ddocDebug(4, "initializeNotaryInfoWithOCSP", "CertStatus-type: %d", single->certStatus->type);
//printf("TYPE: %d\n", single->certStatus->type);
if(single->certStatus->type != 0) {
ddocDebug(4, "initializeNotaryInfoWithOCSP", "errcode: %d", handleOCSPCertStatus(single->certStatus->type));
SET_LAST_ERROR_RETURN_CODE(handleOCSPCertStatus(single->certStatus->type));
}
//Removed 31.10.2003
//if(single->singleExtensions)
// SET_LAST_ERROR_RETURN_CODE(ERR_OCSP_NO_SINGLE_EXT);
if(!rd->responseExtensions ||
(sk_X509_EXTENSION_num(rd->responseExtensions) != 1) ||
((nonce = sk_X509_EXTENSION_value(rd->responseExtensions, 0)) == NULL))
SET_LAST_ERROR_RETURN_CODE(ERR_OCSP_NO_NONCE);
i2t_ASN1_OBJECT(buf,sizeof(buf),nonce->object);
if(strcmp(buf, OCSP_NONCE_NAME))
SET_LAST_ERROR_RETURN_CODE(ERR_OCSP_NO_NONCE);
rid = rd->responderId;
if(rid->type == V_OCSP_RESPID_NAME) {
pNotary->nRespIdType = RESPID_NAME_TYPE;
} else if(rid->type == V_OCSP_RESPID_KEY) {
pNotary->nRespIdType = RESPID_KEY_TYPE;
} else {
SET_LAST_ERROR_RETURN_CODE(ERR_OCSP_WRONG_RESPID);
}
// producedAt
err = asn1time2str(pSigDoc, rd->producedAt, buf, sizeof(buf));
setString(&(pNotary->timeProduced), buf, -1);
n = sizeof(buf);
if(rid->type == V_OCSP_RESPID_NAME) {
//X509_NAME_oneline(rid->value.byName,buf,n);
//AM 26.09.08
err = ddocCertGetDNFromName(rid->value.byName, &mbuf1);
RETURN_IF_NOT(err == ERR_OK, err);
err = ddocNotInfo_SetResponderId(pNotary, (char*)mbuf1.pMem, -1);
ddocMemBuf_free(&mbuf1);
}
if(rid->type == V_OCSP_RESPID_KEY) {
err = ddocNotInfo_SetResponderId(pNotary, (const char*)rid->value.byKey->data, rid->value.byKey->length);
}
// digest type
i2t_ASN1_OBJECT(buf,sizeof(buf),cid->hashAlgorithm->algorithm);
setString(&(pNotary->szDigestType), buf, -1);
// signature algorithm
i2t_ASN1_OBJECT(buf,sizeof(buf),br->signatureAlgorithm->algorithm);
setString(&(pNotary->szSigType), buf, -1);
// notary cert
if(notCert && !err)
err = addNotaryInfoCert(pSigDoc, pNotary, notCert);
// save the response in memory
err = ddocNotInfo_SetOCSPResponse_Value(pNotary, resp);
// get the digest from original OCSP data
if(initDigest && notCert) {
err = calcNotaryDigest(pSigDoc, pNotary);
}
if(br != NULL)
OCSP_BASICRESP_free(br);
if (err != ERR_OK) SET_LAST_ERROR(err);
return err;
}
static int ocsp_check(CLI *c, X509_STORE_CTX *callback_ctx) {
int error, retval=0;
SOCKADDR_UNION addr;
X509 *cert;
X509 *issuer=NULL;
OCSP_CERTID *certID;
BIO *bio=NULL;
OCSP_REQUEST *request=NULL;
OCSP_RESPONSE *response=NULL;
OCSP_BASICRESP *basicResponse=NULL;
ASN1_GENERALIZEDTIME *revoked_at=NULL,
*this_update=NULL, *next_update=NULL;
int status, reason;
/* connect specified OCSP server (responder) */
c->fd=s_socket(c->opt->ocsp_addr.addr[0].sa.sa_family, SOCK_STREAM, 0,
0, "OCSP: socket (auth_user)");
if(c->fd<0)
return 0; /* reject connection */
memcpy(&addr, &c->opt->ocsp_addr.addr[0], sizeof addr);
if(connect_blocking(c, &addr, addr_len(addr)))
goto cleanup;
s_log(LOG_DEBUG, "OCSP: server connected");
/* get current certificate ID */
cert=X509_STORE_CTX_get_current_cert(callback_ctx); /* get current cert */
if(X509_STORE_CTX_get1_issuer(&issuer, callback_ctx, cert)!=1) {
sslerror("OCSP: X509_STORE_CTX_get1_issuer");
goto cleanup;
}
certID=OCSP_cert_to_id(0, cert, issuer);
if(!certID) {
sslerror("OCSP: OCSP_cert_to_id");
goto cleanup;
}
/* build request */
request=OCSP_REQUEST_new();
if(!request) {
sslerror("OCSP: OCSP_REQUEST_new");
goto cleanup;
}
if(!OCSP_request_add0_id(request, certID)) {
sslerror("OCSP: OCSP_request_add0_id");
goto cleanup;
}
OCSP_request_add1_nonce(request, 0, -1);
/* send the request and get a response */
/* FIXME: this code won't work with ucontext threading */
/* (blocking sockets are used) */
bio=BIO_new_fd(c->fd, BIO_NOCLOSE);
response=OCSP_sendreq_bio(bio, c->opt->ocsp_path, request);
if(!response) {
sslerror("OCSP: OCSP_sendreq_bio");
goto cleanup;
}
error=OCSP_response_status(response);
if(error!=OCSP_RESPONSE_STATUS_SUCCESSFUL) {
s_log(LOG_WARNING, "OCSP: Responder error: %d: %s",
error, OCSP_response_status_str(error));
goto cleanup;
}
s_log(LOG_DEBUG, "OCSP: Response received");
/* verify the response */
basicResponse=OCSP_response_get1_basic(response);
if(!basicResponse) {
sslerror("OCSP: OCSP_response_get1_basic");
goto cleanup;
}
if(OCSP_check_nonce(request, basicResponse)<=0) {
sslerror("OCSP: OCSP_check_nonce");
goto cleanup;
}
if(OCSP_basic_verify(basicResponse, NULL,
c->opt->revocation_store, c->opt->ocsp_flags)<=0) {
sslerror("OCSP: OCSP_basic_verify");
goto cleanup;
}
if(!OCSP_resp_find_status(basicResponse, certID, &status, &reason,
&revoked_at, &this_update, &next_update)) {
sslerror("OCSP: OCSP_resp_find_status");
goto cleanup;
}
s_log(LOG_NOTICE, "OCSP: Status: %d: %s",
status, OCSP_cert_status_str(status));
log_time(LOG_INFO, "OCSP: This update", this_update);
log_time(LOG_INFO, "OCSP: Next update", next_update);
/* check if the response is valid for at least one minute */
if(!OCSP_check_validity(this_update, next_update, 60, -1)) {
sslerror("OCSP: OCSP_check_validity");
goto cleanup;
}
if(status==V_OCSP_CERTSTATUS_REVOKED) {
if(reason==-1)
s_log(LOG_WARNING, "OCSP: Certificate revoked");
else
s_log(LOG_WARNING, "OCSP: Certificate revoked: %d: %s",
reason, OCSP_crl_reason_str(reason));
log_time(LOG_NOTICE, "OCSP: Revoked at", revoked_at);
goto cleanup;
}
retval=1; /* accept connection */
cleanup:
if(bio)
BIO_free_all(bio);
if(issuer)
X509_free(issuer);
if(request)
OCSP_REQUEST_free(request);
if(response)
OCSP_RESPONSE_free(response);
if(basicResponse)
OCSP_BASICRESP_free(basicResponse);
closesocket(c->fd);
c->fd=-1; /* avoid double close on cleanup */
return retval;
}
/* parse the actual OCSP response */
void
ocsp_parse_response(struct iked_ocsp *ocsp, OCSP_RESPONSE *resp)
{
int status;
X509_STORE *store = NULL;
STACK_OF(X509) *verify_other = NULL;
OCSP_BASICRESP *bs = NULL;
int verify_flags = 0;
ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
int reason = 0;
int error = 1;
if (!resp) {
log_warnx("%s: error querying OCSP responder", __func__);
goto done;
}
status = OCSP_response_status(resp);
if (status != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
log_warnx("%s: responder error: %s (%i)\n", __func__,
OCSP_response_status_str(status), status);
goto done;
}
verify_other = ocsp_load_certs(IKED_OCSP_RESPCERT);
verify_flags |= OCSP_TRUSTOTHER;
if (!verify_other)
goto done;
bs = OCSP_response_get1_basic(resp);
if (!bs) {
log_warnx("%s: error parsing response", __func__);
goto done;
}
status = OCSP_check_nonce(ocsp->ocsp_req, bs);
if (status <= 0) {
if (status == -1)
log_warnx("%s: no nonce in response", __func__);
else {
log_warnx("%s: nonce verify error", __func__);
goto done;
}
}
store = X509_STORE_new();
status = OCSP_basic_verify(bs, verify_other, store, verify_flags);
if (status < 0)
status = OCSP_basic_verify(bs, NULL, store, 0);
if (status <= 0) {
ca_sslerror(__func__);
log_warnx("%s: response verify failure", __func__);
goto done;
} else
log_debug("%s: response verify ok", __func__);
if (!OCSP_resp_find_status(bs, ocsp->ocsp_id, &status, &reason,
&rev, &thisupd, &nextupd)) {
log_warnx("%s: no status found", __func__);
goto done;
}
log_debug("%s: status: %s", __func__, OCSP_cert_status_str(status));
if (status == V_OCSP_CERTSTATUS_GOOD)
error = 0;
done:
if (store)
X509_STORE_free(store);
if (verify_other)
sk_X509_pop_free(verify_other, X509_free);
if (resp)
OCSP_RESPONSE_free(resp);
if (bs)
OCSP_BASICRESP_free(bs);
ocsp_validate_finish(ocsp, error == 0);
}
static int ocsp_check(CLI *c, X509_STORE_CTX *callback_ctx) {
int error, retval=0;
X509 *cert;
X509 *issuer=NULL;
OCSP_CERTID *certID;
OCSP_REQUEST *request=NULL;
OCSP_RESPONSE *response=NULL;
OCSP_BASICRESP *basicResponse=NULL;
ASN1_GENERALIZEDTIME *revoked_at=NULL,
*this_update=NULL, *next_update=NULL;
int status, reason;
/* get current certificate ID */
cert=X509_STORE_CTX_get_current_cert(callback_ctx); /* get current cert */
if(X509_STORE_CTX_get1_issuer(&issuer, callback_ctx, cert)!=1) {
sslerror("OCSP: X509_STORE_CTX_get1_issuer");
goto cleanup;
}
certID=OCSP_cert_to_id(0, cert, issuer);
if(!certID) {
sslerror("OCSP: OCSP_cert_to_id");
goto cleanup;
}
/* build request */
request=OCSP_REQUEST_new();
if(!request) {
sslerror("OCSP: OCSP_REQUEST_new");
goto cleanup;
}
if(!OCSP_request_add0_id(request, certID)) {
sslerror("OCSP: OCSP_request_add0_id");
goto cleanup;
}
OCSP_request_add1_nonce(request, 0, -1);
/* send the request and get a response */
response=ocsp_get_response(c, request);
if(!response)
goto cleanup;
error=OCSP_response_status(response);
if(error!=OCSP_RESPONSE_STATUS_SUCCESSFUL) {
s_log(LOG_WARNING, "OCSP: Responder error: %d: %s",
error, OCSP_response_status_str(error));
goto cleanup;
}
s_log(LOG_DEBUG, "OCSP: Response received");
/* verify the response */
basicResponse=OCSP_response_get1_basic(response);
if(!basicResponse) {
sslerror("OCSP: OCSP_response_get1_basic");
goto cleanup;
}
if(OCSP_check_nonce(request, basicResponse)<=0) {
sslerror("OCSP: OCSP_check_nonce");
goto cleanup;
}
if(OCSP_basic_verify(basicResponse, NULL,
c->opt->revocation_store, c->opt->ocsp_flags)<=0) {
sslerror("OCSP: OCSP_basic_verify");
goto cleanup;
}
if(!OCSP_resp_find_status(basicResponse, certID, &status, &reason,
&revoked_at, &this_update, &next_update)) {
sslerror("OCSP: OCSP_resp_find_status");
goto cleanup;
}
s_log(LOG_NOTICE, "OCSP: Status: %d: %s",
status, OCSP_cert_status_str(status));
log_time(LOG_INFO, "OCSP: This update", this_update);
log_time(LOG_INFO, "OCSP: Next update", next_update);
/* check if the response is valid for at least one minute */
if(!OCSP_check_validity(this_update, next_update, 60, -1)) {
sslerror("OCSP: OCSP_check_validity");
goto cleanup;
}
if(status==V_OCSP_CERTSTATUS_REVOKED) {
if(reason==-1)
s_log(LOG_WARNING, "OCSP: Certificate revoked");
else
s_log(LOG_WARNING, "OCSP: Certificate revoked: %d: %s",
reason, OCSP_crl_reason_str(reason));
log_time(LOG_NOTICE, "OCSP: Revoked at", revoked_at);
goto cleanup;
}
retval=1; /* accept connection */
cleanup:
if(issuer)
X509_free(issuer);
if(request)
OCSP_REQUEST_free(request);
if(response)
OCSP_RESPONSE_free(response);
if(basicResponse)
OCSP_BASICRESP_free(basicResponse);
return retval;
}
/* returns one of:
* V_OCSP_CERTSTATUS_GOOD
* V_OCSP_CERTSTATUS_REVOKED
* V_OCSP_CERTSTATUS_UNKNOWN */
NOEXPORT int ocsp_request(CLI *c, X509_STORE_CTX *callback_ctx,
OCSP_CERTID *cert_id, char *url) {
int status=V_OCSP_CERTSTATUS_UNKNOWN;
int reason;
int ctx_err=X509_V_ERR_APPLICATION_VERIFICATION;
OCSP_REQUEST *request=NULL;
OCSP_RESPONSE *response=NULL;
OCSP_BASICRESP *basic_response=NULL;
ASN1_GENERALIZEDTIME *revoked_at=NULL,
*this_update=NULL, *next_update=NULL;
/* build request */
request=OCSP_REQUEST_new();
if(!request) {
sslerror("OCSP: OCSP_REQUEST_new");
goto cleanup;
}
if(!OCSP_request_add0_id(request, cert_id)) {
sslerror("OCSP: OCSP_request_add0_id");
goto cleanup;
}
OCSP_request_add1_nonce(request, NULL, -1);
/* send the request and get a response */
response=ocsp_get_response(c, request, url);
if(!response)
goto cleanup;
status=OCSP_response_status(response);
if(status!=OCSP_RESPONSE_STATUS_SUCCESSFUL) {
s_log(LOG_WARNING, "OCSP: Responder error: %d: %s",
status, OCSP_response_status_str(status));
goto cleanup;
}
s_log(LOG_DEBUG, "OCSP: Response received");
/* verify the response */
basic_response=OCSP_response_get1_basic(response);
if(!basic_response) {
sslerror("OCSP: OCSP_response_get1_basic");
goto cleanup;
}
if(OCSP_check_nonce(request, basic_response)<=0) {
s_log(LOG_WARNING, "OCSP: Invalid nonce");
goto cleanup;
}
if(OCSP_basic_verify(basic_response, NULL,
c->opt->revocation_store, c->opt->ocsp_flags)<=0) {
sslerror("OCSP: OCSP_basic_verify");
goto cleanup;
}
if(!OCSP_resp_find_status(basic_response, cert_id, &status, &reason,
&revoked_at, &this_update, &next_update)) {
sslerror("OCSP: OCSP_resp_find_status");
goto cleanup;
}
s_log(LOG_NOTICE, "OCSP: Status: %s", OCSP_cert_status_str(status));
log_time(LOG_INFO, "OCSP: This update", this_update);
log_time(LOG_INFO, "OCSP: Next update", next_update);
/* check if the response is valid for at least one minute */
if(!OCSP_check_validity(this_update, next_update, 60, -1)) {
sslerror("OCSP: OCSP_check_validity");
status=V_OCSP_CERTSTATUS_UNKNOWN;
goto cleanup;
}
switch(status) {
case V_OCSP_CERTSTATUS_GOOD:
break;
case V_OCSP_CERTSTATUS_REVOKED:
if(reason==-1)
s_log(LOG_WARNING, "OCSP: Certificate revoked");
else
s_log(LOG_WARNING, "OCSP: Certificate revoked: %d: %s",
reason, OCSP_crl_reason_str(reason));
log_time(LOG_NOTICE, "OCSP: Revoked at", revoked_at);
ctx_err=X509_V_ERR_CERT_REVOKED;
break;
case V_OCSP_CERTSTATUS_UNKNOWN:
s_log(LOG_WARNING, "OCSP: Unknown verification status");
}
cleanup:
if(request)
OCSP_REQUEST_free(request);
if(response)
OCSP_RESPONSE_free(response);
if(basic_response)
OCSP_BASICRESP_free(basic_response);
if(status!=V_OCSP_CERTSTATUS_GOOD)
X509_STORE_CTX_set_error(callback_ctx, ctx_err);
return status;
}
int
ocsp_main(int argc, char **argv)
{
char **args;
char *host = NULL, *port = NULL, *path = "/";
char *reqin = NULL, *respin = NULL;
char *reqout = NULL, *respout = NULL;
char *signfile = NULL, *keyfile = NULL;
char *rsignfile = NULL, *rkeyfile = NULL;
char *outfile = NULL;
int add_nonce = 1, noverify = 0, use_ssl = -1;
STACK_OF(CONF_VALUE) * headers = NULL;
OCSP_REQUEST *req = NULL;
OCSP_RESPONSE *resp = NULL;
OCSP_BASICRESP *bs = NULL;
X509 *issuer = NULL, *cert = NULL;
X509 *signer = NULL, *rsigner = NULL;
EVP_PKEY *key = NULL, *rkey = NULL;
BIO *acbio = NULL, *cbio = NULL;
BIO *derbio = NULL;
BIO *out = NULL;
int req_timeout = -1;
int req_text = 0, resp_text = 0;
long nsec = MAX_VALIDITY_PERIOD, maxage = -1;
char *CAfile = NULL, *CApath = NULL;
X509_STORE *store = NULL;
STACK_OF(X509) * sign_other = NULL, *verify_other = NULL, *rother = NULL;
char *sign_certfile = NULL, *verify_certfile = NULL, *rcertfile = NULL;
unsigned long sign_flags = 0, verify_flags = 0, rflags = 0;
int ret = 1;
int accept_count = -1;
int badarg = 0;
int i;
int ignore_err = 0;
STACK_OF(OPENSSL_STRING) * reqnames = NULL;
STACK_OF(OCSP_CERTID) * ids = NULL;
X509 *rca_cert = NULL;
char *ridx_filename = NULL;
char *rca_filename = NULL;
CA_DB *rdb = NULL;
int nmin = 0, ndays = -1;
const EVP_MD *cert_id_md = NULL;
const char *errstr = NULL;
args = argv + 1;
reqnames = sk_OPENSSL_STRING_new_null();
ids = sk_OCSP_CERTID_new_null();
while (!badarg && *args && *args[0] == '-') {
if (!strcmp(*args, "-out")) {
if (args[1]) {
args++;
outfile = *args;
} else
badarg = 1;
} else if (!strcmp(*args, "-timeout")) {
if (args[1]) {
args++;
req_timeout = strtonum(*args, 0,
INT_MAX, &errstr);
if (errstr) {
BIO_printf(bio_err,
"Illegal timeout value %s: %s\n",
*args, errstr);
badarg = 1;
}
} else
badarg = 1;
} else if (!strcmp(*args, "-url")) {
if (args[1]) {
args++;
if (!OCSP_parse_url(*args, &host, &port, &path, &use_ssl)) {
BIO_printf(bio_err, "Error parsing URL\n");
badarg = 1;
}
} else
badarg = 1;
} else if (!strcmp(*args, "-host")) {
if (args[1]) {
args++;
host = *args;
} else
badarg = 1;
} else if (!strcmp(*args, "-port")) {
if (args[1]) {
args++;
port = *args;
} else
badarg = 1;
} else if (!strcmp(*args, "-header")) {
if (args[1] && args[2]) {
if (!X509V3_add_value(args[1], args[2], &headers))
goto end;
args += 2;
} else
badarg = 1;
} else if (!strcmp(*args, "-ignore_err"))
ignore_err = 1;
else if (!strcmp(*args, "-noverify"))
noverify = 1;
else if (!strcmp(*args, "-nonce"))
add_nonce = 2;
else if (!strcmp(*args, "-no_nonce"))
add_nonce = 0;
else if (!strcmp(*args, "-resp_no_certs"))
rflags |= OCSP_NOCERTS;
else if (!strcmp(*args, "-resp_key_id"))
rflags |= OCSP_RESPID_KEY;
else if (!strcmp(*args, "-no_certs"))
sign_flags |= OCSP_NOCERTS;
else if (!strcmp(*args, "-no_signature_verify"))
verify_flags |= OCSP_NOSIGS;
else if (!strcmp(*args, "-no_cert_verify"))
verify_flags |= OCSP_NOVERIFY;
else if (!strcmp(*args, "-no_chain"))
verify_flags |= OCSP_NOCHAIN;
else if (!strcmp(*args, "-no_cert_checks"))
verify_flags |= OCSP_NOCHECKS;
else if (!strcmp(*args, "-no_explicit"))
verify_flags |= OCSP_NOEXPLICIT;
else if (!strcmp(*args, "-trust_other"))
verify_flags |= OCSP_TRUSTOTHER;
else if (!strcmp(*args, "-no_intern"))
verify_flags |= OCSP_NOINTERN;
else if (!strcmp(*args, "-text")) {
req_text = 1;
resp_text = 1;
} else if (!strcmp(*args, "-req_text"))
req_text = 1;
else if (!strcmp(*args, "-resp_text"))
resp_text = 1;
else if (!strcmp(*args, "-reqin")) {
if (args[1]) {
args++;
reqin = *args;
} else
badarg = 1;
} else if (!strcmp(*args, "-respin")) {
if (args[1]) {
args++;
respin = *args;
} else
badarg = 1;
} else if (!strcmp(*args, "-signer")) {
if (args[1]) {
args++;
signfile = *args;
} else
badarg = 1;
} else if (!strcmp(*args, "-VAfile")) {
if (args[1]) {
args++;
verify_certfile = *args;
verify_flags |= OCSP_TRUSTOTHER;
} else
badarg = 1;
} else if (!strcmp(*args, "-sign_other")) {
if (args[1]) {
args++;
sign_certfile = *args;
} else
badarg = 1;
} else if (!strcmp(*args, "-verify_other")) {
if (args[1]) {
args++;
verify_certfile = *args;
} else
badarg = 1;
} else if (!strcmp(*args, "-CAfile")) {
if (args[1]) {
args++;
CAfile = *args;
} else
badarg = 1;
} else if (!strcmp(*args, "-CApath")) {
if (args[1]) {
args++;
CApath = *args;
} else
badarg = 1;
} else if (!strcmp(*args, "-validity_period")) {
if (args[1]) {
args++;
nsec = strtonum(*args, 0, LONG_MAX, &errstr);
if (errstr) {
BIO_printf(bio_err,
"Illegal validity period %s: %s\n",
*args, errstr);
badarg = 1;
}
} else
badarg = 1;
} else if (!strcmp(*args, "-status_age")) {
if (args[1]) {
args++;
maxage = strtonum(*args, 0, LONG_MAX, &errstr);
if (errstr) {
BIO_printf(bio_err,
"Illegal validity age %s: %s\n",
*args, errstr);
badarg = 1;
}
} else
badarg = 1;
} else if (!strcmp(*args, "-signkey")) {
if (args[1]) {
args++;
keyfile = *args;
} else
badarg = 1;
} else if (!strcmp(*args, "-reqout")) {
if (args[1]) {
args++;
reqout = *args;
} else
badarg = 1;
} else if (!strcmp(*args, "-respout")) {
if (args[1]) {
args++;
respout = *args;
} else
badarg = 1;
} else if (!strcmp(*args, "-path")) {
if (args[1]) {
args++;
path = *args;
} else
badarg = 1;
} else if (!strcmp(*args, "-issuer")) {
if (args[1]) {
args++;
X509_free(issuer);
issuer = load_cert(bio_err, *args, FORMAT_PEM,
NULL, "issuer certificate");
if (!issuer)
goto end;
} else
badarg = 1;
} else if (!strcmp(*args, "-cert")) {
if (args[1]) {
args++;
X509_free(cert);
cert = load_cert(bio_err, *args, FORMAT_PEM,
NULL, "certificate");
if (!cert)
goto end;
if (!cert_id_md)
cert_id_md = EVP_sha1();
if (!add_ocsp_cert(&req, cert, cert_id_md, issuer, ids))
goto end;
if (!sk_OPENSSL_STRING_push(reqnames, *args))
goto end;
} else
badarg = 1;
} else if (!strcmp(*args, "-serial")) {
if (args[1]) {
args++;
if (!cert_id_md)
cert_id_md = EVP_sha1();
if (!add_ocsp_serial(&req, *args, cert_id_md, issuer, ids))
goto end;
if (!sk_OPENSSL_STRING_push(reqnames, *args))
goto end;
} else
badarg = 1;
} else if (!strcmp(*args, "-index")) {
if (args[1]) {
args++;
ridx_filename = *args;
} else
badarg = 1;
} else if (!strcmp(*args, "-CA")) {
if (args[1]) {
args++;
rca_filename = *args;
} else
badarg = 1;
} else if (!strcmp(*args, "-nmin")) {
if (args[1]) {
args++;
nmin = strtonum(*args, 0, INT_MAX, &errstr);
if (errstr) {
BIO_printf(bio_err,
"Illegal update period %s: %s\n",
*args, errstr);
badarg = 1;
}
}
if (ndays == -1)
ndays = 0;
else
badarg = 1;
} else if (!strcmp(*args, "-nrequest")) {
if (args[1]) {
args++;
accept_count = strtonum(*args, 0, INT_MAX, &errstr);
if (errstr) {
BIO_printf(bio_err,
"Illegal accept count %s: %s\n",
*args, errstr);
badarg = 1;
}
} else
badarg = 1;
} else if (!strcmp(*args, "-ndays")) {
if (args[1]) {
args++;
ndays = strtonum(*args, 0, INT_MAX, &errstr);
if (errstr) {
BIO_printf(bio_err,
"Illegal update period %s: %s\n",
*args, errstr);
badarg = 1;
}
} else
badarg = 1;
} else if (!strcmp(*args, "-rsigner")) {
if (args[1]) {
args++;
rsignfile = *args;
} else
badarg = 1;
} else if (!strcmp(*args, "-rkey")) {
if (args[1]) {
args++;
rkeyfile = *args;
} else
badarg = 1;
} else if (!strcmp(*args, "-rother")) {
if (args[1]) {
args++;
rcertfile = *args;
} else
badarg = 1;
} else if ((cert_id_md = EVP_get_digestbyname((*args) + 1)) == NULL) {
badarg = 1;
}
args++;
}
/* Have we anything to do? */
if (!req && !reqin && !respin && !(port && ridx_filename))
badarg = 1;
if (badarg) {
BIO_printf(bio_err, "OCSP utility\n");
BIO_printf(bio_err, "Usage ocsp [options]\n");
BIO_printf(bio_err, "where options are\n");
BIO_printf(bio_err, "-out file output filename\n");
BIO_printf(bio_err, "-issuer file issuer certificate\n");
BIO_printf(bio_err, "-cert file certificate to check\n");
BIO_printf(bio_err, "-serial n serial number to check\n");
BIO_printf(bio_err, "-signer file certificate to sign OCSP request with\n");
BIO_printf(bio_err, "-signkey file private key to sign OCSP request with\n");
BIO_printf(bio_err, "-sign_other file additional certificates to include in signed request\n");
BIO_printf(bio_err, "-no_certs don't include any certificates in signed request\n");
BIO_printf(bio_err, "-req_text print text form of request\n");
BIO_printf(bio_err, "-resp_text print text form of response\n");
BIO_printf(bio_err, "-text print text form of request and response\n");
BIO_printf(bio_err, "-reqout file write DER encoded OCSP request to \"file\"\n");
BIO_printf(bio_err, "-respout file write DER encoded OCSP reponse to \"file\"\n");
BIO_printf(bio_err, "-reqin file read DER encoded OCSP request from \"file\"\n");
BIO_printf(bio_err, "-respin file read DER encoded OCSP reponse from \"file\"\n");
BIO_printf(bio_err, "-nonce add OCSP nonce to request\n");
BIO_printf(bio_err, "-no_nonce don't add OCSP nonce to request\n");
BIO_printf(bio_err, "-url URL OCSP responder URL\n");
BIO_printf(bio_err, "-host host:n send OCSP request to host on port n\n");
BIO_printf(bio_err, "-path path to use in OCSP request\n");
BIO_printf(bio_err, "-CApath dir trusted certificates directory\n");
BIO_printf(bio_err, "-CAfile file trusted certificates file\n");
BIO_printf(bio_err, "-VAfile file validator certificates file\n");
BIO_printf(bio_err, "-validity_period n maximum validity discrepancy in seconds\n");
BIO_printf(bio_err, "-status_age n maximum status age in seconds\n");
BIO_printf(bio_err, "-noverify don't verify response at all\n");
BIO_printf(bio_err, "-verify_other file additional certificates to search for signer\n");
BIO_printf(bio_err, "-trust_other don't verify additional certificates\n");
BIO_printf(bio_err, "-no_intern don't search certificates contained in response for signer\n");
BIO_printf(bio_err, "-no_signature_verify don't check signature on response\n");
BIO_printf(bio_err, "-no_cert_verify don't check signing certificate\n");
BIO_printf(bio_err, "-no_chain don't chain verify response\n");
BIO_printf(bio_err, "-no_cert_checks don't do additional checks on signing certificate\n");
BIO_printf(bio_err, "-port num port to run responder on\n");
BIO_printf(bio_err, "-index file certificate status index file\n");
BIO_printf(bio_err, "-CA file CA certificate\n");
BIO_printf(bio_err, "-rsigner file responder certificate to sign responses with\n");
BIO_printf(bio_err, "-rkey file responder key to sign responses with\n");
BIO_printf(bio_err, "-rother file other certificates to include in response\n");
BIO_printf(bio_err, "-resp_no_certs don't include any certificates in response\n");
BIO_printf(bio_err, "-nmin n number of minutes before next update\n");
BIO_printf(bio_err, "-ndays n number of days before next update\n");
BIO_printf(bio_err, "-resp_key_id identify reponse by signing certificate key ID\n");
BIO_printf(bio_err, "-nrequest n number of requests to accept (default unlimited)\n");
BIO_printf(bio_err, "-<dgst alg> use specified digest in the request\n");
goto end;
}
if (outfile)
out = BIO_new_file(outfile, "w");
else
out = BIO_new_fp(stdout, BIO_NOCLOSE);
if (!out) {
BIO_printf(bio_err, "Error opening output file\n");
goto end;
}
if (!req && (add_nonce != 2))
add_nonce = 0;
if (!req && reqin) {
derbio = BIO_new_file(reqin, "rb");
if (!derbio) {
BIO_printf(bio_err, "Error Opening OCSP request file\n");
goto end;
}
req = d2i_OCSP_REQUEST_bio(derbio, NULL);
BIO_free(derbio);
if (!req) {
BIO_printf(bio_err, "Error reading OCSP request\n");
goto end;
}
}
if (!req && port) {
acbio = init_responder(port);
if (!acbio)
goto end;
}
if (rsignfile && !rdb) {
if (!rkeyfile)
rkeyfile = rsignfile;
rsigner = load_cert(bio_err, rsignfile, FORMAT_PEM,
NULL, "responder certificate");
if (!rsigner) {
BIO_printf(bio_err, "Error loading responder certificate\n");
goto end;
}
rca_cert = load_cert(bio_err, rca_filename, FORMAT_PEM,
NULL, "CA certificate");
if (rcertfile) {
rother = load_certs(bio_err, rcertfile, FORMAT_PEM,
NULL, "responder other certificates");
if (!rother)
goto end;
}
rkey = load_key(bio_err, rkeyfile, FORMAT_PEM, 0, NULL,
"responder private key");
if (!rkey)
goto end;
}
if (acbio)
BIO_printf(bio_err, "Waiting for OCSP client connections...\n");
redo_accept:
if (acbio) {
if (!do_responder(&req, &cbio, acbio, port))
goto end;
if (!req) {
resp = OCSP_response_create(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, NULL);
send_ocsp_response(cbio, resp);
goto done_resp;
}
}
if (!req && (signfile || reqout || host || add_nonce || ridx_filename)) {
BIO_printf(bio_err, "Need an OCSP request for this operation!\n");
goto end;
}
if (req && add_nonce)
OCSP_request_add1_nonce(req, NULL, -1);
if (signfile) {
if (!keyfile)
keyfile = signfile;
signer = load_cert(bio_err, signfile, FORMAT_PEM,
NULL, "signer certificate");
if (!signer) {
BIO_printf(bio_err, "Error loading signer certificate\n");
goto end;
}
if (sign_certfile) {
sign_other = load_certs(bio_err, sign_certfile, FORMAT_PEM,
NULL, "signer certificates");
if (!sign_other)
goto end;
}
key = load_key(bio_err, keyfile, FORMAT_PEM, 0, NULL,
"signer private key");
if (!key)
goto end;
if (!OCSP_request_sign(req, signer, key, NULL, sign_other, sign_flags)) {
BIO_printf(bio_err, "Error signing OCSP request\n");
goto end;
}
}
if (req_text && req)
OCSP_REQUEST_print(out, req, 0);
if (reqout) {
derbio = BIO_new_file(reqout, "wb");
if (!derbio) {
BIO_printf(bio_err, "Error opening file %s\n", reqout);
goto end;
}
i2d_OCSP_REQUEST_bio(derbio, req);
BIO_free(derbio);
}
if (ridx_filename && (!rkey || !rsigner || !rca_cert)) {
BIO_printf(bio_err, "Need a responder certificate, key and CA for this operation!\n");
goto end;
}
if (ridx_filename && !rdb) {
rdb = load_index(ridx_filename, NULL);
if (!rdb)
goto end;
if (!index_index(rdb))
goto end;
}
if (rdb) {
i = make_ocsp_response(&resp, req, rdb, rca_cert, rsigner, rkey, rother, rflags, nmin, ndays);
if (cbio)
send_ocsp_response(cbio, resp);
} else if (host) {
resp = process_responder(bio_err, req, host, path,
port, use_ssl, headers, req_timeout);
if (!resp)
goto end;
} else if (respin) {
derbio = BIO_new_file(respin, "rb");
if (!derbio) {
BIO_printf(bio_err, "Error Opening OCSP response file\n");
goto end;
}
resp = d2i_OCSP_RESPONSE_bio(derbio, NULL);
BIO_free(derbio);
if (!resp) {
BIO_printf(bio_err, "Error reading OCSP response\n");
goto end;
}
} else {
ret = 0;
goto end;
}
done_resp:
if (respout) {
derbio = BIO_new_file(respout, "wb");
if (!derbio) {
BIO_printf(bio_err, "Error opening file %s\n", respout);
goto end;
}
i2d_OCSP_RESPONSE_bio(derbio, resp);
BIO_free(derbio);
}
i = OCSP_response_status(resp);
if (i != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
BIO_printf(out, "Responder Error: %s (%d)\n",
OCSP_response_status_str(i), i);
if (ignore_err)
goto redo_accept;
ret = 0;
goto end;
}
if (resp_text)
OCSP_RESPONSE_print(out, resp, 0);
/* If running as responder don't verify our own response */
if (cbio) {
if (accept_count > 0)
accept_count--;
/* Redo if more connections needed */
if (accept_count) {
BIO_free_all(cbio);
cbio = NULL;
OCSP_REQUEST_free(req);
req = NULL;
OCSP_RESPONSE_free(resp);
resp = NULL;
goto redo_accept;
}
goto end;
}
if (!store)
store = setup_verify(bio_err, CAfile, CApath);
if (!store)
goto end;
if (verify_certfile) {
verify_other = load_certs(bio_err, verify_certfile, FORMAT_PEM,
NULL, "validator certificate");
if (!verify_other)
goto end;
}
bs = OCSP_response_get1_basic(resp);
if (!bs) {
BIO_printf(bio_err, "Error parsing response\n");
goto end;
}
if (!noverify) {
if (req && ((i = OCSP_check_nonce(req, bs)) <= 0)) {
if (i == -1)
BIO_printf(bio_err, "WARNING: no nonce in response\n");
else {
BIO_printf(bio_err, "Nonce Verify error\n");
goto end;
}
}
i = OCSP_basic_verify(bs, verify_other, store, verify_flags);
if (i < 0)
i = OCSP_basic_verify(bs, NULL, store, 0);
if (i <= 0) {
BIO_printf(bio_err, "Response Verify Failure\n");
ERR_print_errors(bio_err);
} else
BIO_printf(bio_err, "Response verify OK\n");
}
if (!print_ocsp_summary(out, bs, req, reqnames, ids, nsec, maxage))
goto end;
ret = 0;
end:
ERR_print_errors(bio_err);
X509_free(signer);
X509_STORE_free(store);
EVP_PKEY_free(key);
EVP_PKEY_free(rkey);
X509_free(issuer);
X509_free(cert);
X509_free(rsigner);
X509_free(rca_cert);
free_index(rdb);
BIO_free_all(cbio);
BIO_free_all(acbio);
BIO_free(out);
OCSP_REQUEST_free(req);
OCSP_RESPONSE_free(resp);
OCSP_BASICRESP_free(bs);
sk_OPENSSL_STRING_free(reqnames);
sk_OCSP_CERTID_free(ids);
sk_X509_pop_free(sign_other, X509_free);
sk_X509_pop_free(verify_other, X509_free);
sk_CONF_VALUE_pop_free(headers, X509V3_conf_free);
if (use_ssl != -1) {
free(host);
free(port);
free(path);
}
return (ret);
}
/* Verify the OCSP status of given certificate. Returns
* V_OCSP_CERTSTATUS_* result code. */
static int verify_ocsp_status(X509 *cert, X509_STORE_CTX *ctx, conn_rec *c,
SSLSrvConfigRec *sc, server_rec *s,
apr_pool_t *pool)
{
int rc = V_OCSP_CERTSTATUS_GOOD;
OCSP_RESPONSE *response = NULL;
OCSP_BASICRESP *basicResponse = NULL;
OCSP_REQUEST *request = NULL;
OCSP_CERTID *certID = NULL;
apr_uri_t *ruri;
ruri = determine_responder_uri(sc, cert, c, pool);
if (!ruri) {
return V_OCSP_CERTSTATUS_UNKNOWN;
}
request = create_request(ctx, cert, &certID, s, pool, sc);
if (request) {
apr_interval_time_t to = sc->server->ocsp_responder_timeout == UNSET ?
apr_time_from_sec(DEFAULT_OCSP_TIMEOUT) :
sc->server->ocsp_responder_timeout;
response = modssl_dispatch_ocsp_request(ruri, to, request, c, pool);
}
if (!request || !response) {
rc = V_OCSP_CERTSTATUS_UNKNOWN;
}
if (rc == V_OCSP_CERTSTATUS_GOOD) {
int r = OCSP_response_status(response);
if (r != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01922)
"OCSP response not successful: %d", rc);
rc = V_OCSP_CERTSTATUS_UNKNOWN;
}
}
if (rc == V_OCSP_CERTSTATUS_GOOD) {
basicResponse = OCSP_response_get1_basic(response);
if (!basicResponse) {
ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(01923)
"could not retrieve OCSP basic response");
ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
rc = V_OCSP_CERTSTATUS_UNKNOWN;
}
}
if (rc == V_OCSP_CERTSTATUS_GOOD &&
sc->server->ocsp_use_request_nonce != FALSE &&
OCSP_check_nonce(request, basicResponse) != 1) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01924)
"Bad OCSP responder answer (bad nonce)");
rc = V_OCSP_CERTSTATUS_UNKNOWN;
}
if (rc == V_OCSP_CERTSTATUS_GOOD) {
/* TODO: allow flags configuration. */
if (OCSP_basic_verify(basicResponse, NULL, ctx->ctx, 0) != 1) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01925)
"failed to verify the OCSP response");
ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
rc = V_OCSP_CERTSTATUS_UNKNOWN;
}
}
if (rc == V_OCSP_CERTSTATUS_GOOD) {
int reason = -1, status;
ASN1_GENERALIZEDTIME *thisup = NULL, *nextup = NULL;
rc = OCSP_resp_find_status(basicResponse, certID, &status,
&reason, NULL, &thisup, &nextup);
if (rc != 1) {
ssl_log_cxerror(SSLLOG_MARK, APLOG_ERR, 0, c, cert, APLOGNO(02272)
"failed to retrieve OCSP response status");
ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
rc = V_OCSP_CERTSTATUS_UNKNOWN;
}
else {
rc = status;
}
/* Check whether the response is inside the defined validity
* period; otherwise fail. */
if (rc != V_OCSP_CERTSTATUS_UNKNOWN) {
long resptime_skew = sc->server->ocsp_resptime_skew == UNSET ?
DEFAULT_OCSP_MAX_SKEW : sc->server->ocsp_resptime_skew;
/* oscp_resp_maxage can be passed verbatim - UNSET (-1) means
* that responses can be of any age as long as nextup is in the
* future. */
int vrc = OCSP_check_validity(thisup, nextup, resptime_skew,
sc->server->ocsp_resp_maxage);
if (vrc != 1) {
ssl_log_cxerror(SSLLOG_MARK, APLOG_ERR, 0, c, cert, APLOGNO(02273)
"OCSP response outside validity period");
ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
rc = V_OCSP_CERTSTATUS_UNKNOWN;
}
}
{
int level =
(status == V_OCSP_CERTSTATUS_GOOD) ? APLOG_INFO : APLOG_ERR;
const char *result =
status == V_OCSP_CERTSTATUS_GOOD ? "good" :
(status == V_OCSP_CERTSTATUS_REVOKED ? "revoked" : "unknown");
ssl_log_cxerror(SSLLOG_MARK, level, 0, c, cert,
"OCSP validation completed, "
"certificate status: %s (%d, %d)",
result, status, reason);
}
}
if (request) OCSP_REQUEST_free(request);
if (response) OCSP_RESPONSE_free(response);
if (basicResponse) OCSP_BASICRESP_free(basicResponse);
/* certID is freed when the request is freed */
return rc;
}
/*
* This function sends a OCSP request to a defined OCSP responder
* and checks the OCSP response for correctness.
*/
static int ocsp_check(X509_STORE *store, X509 *issuer_cert, X509 *client_cert,
EAP_TLS_CONF *conf)
{
OCSP_CERTID *certid;
OCSP_REQUEST *req;
OCSP_RESPONSE *resp;
OCSP_BASICRESP *bresp = NULL;
char *host = NULL;
char *port = NULL;
char *path = NULL;
int use_ssl = -1;
BIO *cbio;
int ocsp_ok;
int status;
/*
* Create OCSP Request
*/
certid = OCSP_cert_to_id(NULL, client_cert, issuer_cert);
req = OCSP_REQUEST_new();
OCSP_request_add0_id(req, certid);
OCSP_request_add1_nonce(req, NULL, 8);
/*
* Send OCSP Request and get OCSP Response
*/
/* Get OCSP responder URL */
if(conf->ocsp_override_url) {
OCSP_parse_url(conf->ocsp_url, &host, &port, &path, &use_ssl);
}
else {
ocsp_parse_cert_url(client_cert, &host, &port, &path, &use_ssl);
}
DEBUG2("[ocsp] --> Responder URL = http://%s:%s%s", host, port, path);
/* Setup BIO socket to OCSP responder */
cbio = BIO_new_connect(host);
BIO_set_conn_port(cbio, port);
BIO_do_connect(cbio);
/* Send OCSP request and wait for response */
resp = OCSP_sendreq_bio(cbio, path, req);
if(resp==0) {
radlog(L_ERR, "Error: Couldn't get OCSP response");
ocsp_ok = 0;
goto ocsp_end;
}
/* Verify OCSP response */
status = OCSP_response_status(resp);
if(status != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
radlog(L_ERR, "Error: OCSP response status: %s", OCSP_response_status_str(status));
ocsp_ok = 0;
goto ocsp_end;
}
bresp = OCSP_response_get1_basic(resp);
if(OCSP_check_nonce(req, bresp)!=1) {
radlog(L_ERR, "Error: OCSP response has wrong nonce value");
ocsp_ok = 0;
goto ocsp_end;
}
if(OCSP_basic_verify(bresp, NULL, store, 0)!=1){
radlog(L_ERR, "Error: Couldn't verify OCSP basic response");
ocsp_ok = 0;
goto ocsp_end;
}
ocsp_ok = 1;
ocsp_end:
/* Free OCSP Stuff */
OCSP_REQUEST_free(req);
OCSP_RESPONSE_free(resp);
free(host);
free(port);
free(path);
BIO_free_all(cbio);
OCSP_BASICRESP_free(bresp);
if (ocsp_ok) {
DEBUG2("[ocsp] --> Certificate is valid!");
} else {
DEBUG2("[ocsp] --> Certificate has been expired/revoked!");
}
return ocsp_ok;
}
int myproxy_ocsp_verify(X509 *cert, X509 *issuer) {
BIO *bio = 0;
int rc, reason, ssl, status;
char *host = 0, *path = 0, *port = 0, *certdir = 0;
char *aiaocspurl = 0, *chosenurl = 0;
SSL_CTX *ctx = 0;
X509_LOOKUP *lookup = NULL;
X509_STORE *store = 0;
OCSP_CERTID *id;
OCSP_REQUEST *req = 0;
OCSP_RESPONSE *resp = 0;
OCSP_BASICRESP *basic = 0;
myproxy_ocspresult_t result;
ASN1_GENERALIZEDTIME *producedAt, *thisUpdate, *nextUpdate;
globus_result_t res;
if (!policy && !responder_url) {
result = MYPROXY_OCSPRESULT_ERROR_NOTCONFIGURED;
goto end;
}
result = MYPROXY_OCSPRESULT_ERROR_UNKNOWN;
if (policy && strstr(policy, "aia")) {
aiaocspurl = myproxy_get_aia_ocsp_uri(cert);
}
if (!responder_url && !aiaocspurl) {
result = MYPROXY_OCSPRESULT_ERROR_NOTCONFIGURED;
goto end;
}
chosenurl = aiaocspurl ? aiaocspurl : responder_url;
if (!OCSP_parse_url(chosenurl, &host, &port, &path, &ssl)) {
result = MYPROXY_OCSPRESULT_ERROR_BADOCSPADDRESS;
goto end;
}
myproxy_log("querying OCSP responder at %s", chosenurl);
if (!(req = OCSP_REQUEST_new())) {
result = MYPROXY_OCSPRESULT_ERROR_OUTOFMEMORY;
goto end;
}
id = OCSP_cert_to_id(0, cert, issuer);
if (!id || !OCSP_request_add0_id(req, id)) goto end;
if (usenonce) OCSP_request_add1_nonce(req, 0, -1);
/* sign the request */
if (sign_cert && sign_key &&
!OCSP_request_sign(req, sign_cert, sign_key, EVP_sha1(), 0, 0)) {
result = MYPROXY_OCSPRESULT_ERROR_SIGNFAILURE;
goto end;
}
/* setup GSI context */
store=X509_STORE_new();
lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());
if (lookup == NULL) {
result = MYPROXY_OCSPRESULT_ERROR_OUTOFMEMORY;
goto end;
}
res = GLOBUS_GSI_SYSCONFIG_GET_CERT_DIR(&certdir);
if (res != GLOBUS_SUCCESS) {
verror_put_string("failed to find GSI CA cert directory");
globus_error_to_verror(res);
goto end;
}
X509_LOOKUP_add_dir(lookup, certdir, X509_FILETYPE_PEM);
ctx = SSL_CTX_new(SSLv23_client_method());
if (ctx == NULL) {
result = MYPROXY_OCSPRESULT_ERROR_OUTOFMEMORY;
goto end;
}
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
SSL_CTX_set_cert_store(ctx, store);
SSL_CTX_set_verify(ctx,SSL_VERIFY_PEER,NULL);
/* establish a connection to the OCSP responder */
if (!(bio = my_connect(host, atoi(port), ssl, &ctx))) {
result = MYPROXY_OCSPRESULT_ERROR_CONNECTFAILURE;
goto end;
}
/* send the request and get a response */
resp = OCSP_sendreq_bio(bio, path, req);
if ((rc = OCSP_response_status(resp)) != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
switch (rc) {
case OCSP_RESPONSE_STATUS_MALFORMEDREQUEST:
result = MYPROXY_OCSPRESULT_ERROR_MALFORMEDREQUEST; break;
case OCSP_RESPONSE_STATUS_INTERNALERROR:
result = MYPROXY_OCSPRESULT_ERROR_INTERNALERROR; break;
case OCSP_RESPONSE_STATUS_TRYLATER:
result = MYPROXY_OCSPRESULT_ERROR_TRYLATER; break;
case OCSP_RESPONSE_STATUS_SIGREQUIRED:
result = MYPROXY_OCSPRESULT_ERROR_SIGREQUIRED; break;
case OCSP_RESPONSE_STATUS_UNAUTHORIZED:
result = MYPROXY_OCSPRESULT_ERROR_UNAUTHORIZED; break;
}
goto end;
}
/* verify the response */
result = MYPROXY_OCSPRESULT_ERROR_INVALIDRESPONSE;
if (!(basic = OCSP_response_get1_basic(resp))) goto end;
if (usenonce && OCSP_check_nonce(req, basic) <= 0) goto end;
if (!responder_cert ||
(rc = OCSP_basic_verify(basic, responder_cert, store,
OCSP_TRUSTOTHER)) <= 0)
if ((rc = OCSP_basic_verify(basic, NULL, store, 0)) <= 0)
goto end;
if (!OCSP_resp_find_status(basic, id, &status, &reason, &producedAt,
&thisUpdate, &nextUpdate))
goto end;
if (!OCSP_check_validity(thisUpdate, nextUpdate, skew, maxage))
goto end;
/* All done. Set the return code based on the status from the response. */
if (status == V_OCSP_CERTSTATUS_REVOKED) {
result = MYPROXY_OCSPRESULT_CERTIFICATE_REVOKED;
myproxy_log("OCSP status revoked!");
} else {
result = MYPROXY_OCSPRESULT_CERTIFICATE_VALID;
myproxy_log("OCSP status valid");
}
end:
if (result < 0 && result != MYPROXY_OCSPRESULT_ERROR_NOTCONFIGURED) {
ssl_error_to_verror();
myproxy_log("OCSP check failed");
myproxy_log_verror();
}
if (bio) BIO_free_all(bio);
if (host) OPENSSL_free(host);
if (port) OPENSSL_free(port);
if (path) OPENSSL_free(path);
if (req) OCSP_REQUEST_free(req);
if (resp) OCSP_RESPONSE_free(resp);
if (basic) OCSP_BASICRESP_free(basic);
if (ctx) SSL_CTX_free(ctx); /* this does X509_STORE_free(store) */
if (certdir) free(certdir);
if (aiaocspurl) free(aiaocspurl);
return result;
}
int ocsp_main(int argc, char **argv)
{
BIO *acbio = NULL, *cbio = NULL, *derbio = NULL, *out = NULL;
const EVP_MD *cert_id_md = NULL, *rsign_md = NULL;
int trailing_md = 0;
CA_DB *rdb = NULL;
EVP_PKEY *key = NULL, *rkey = NULL;
OCSP_BASICRESP *bs = NULL;
OCSP_REQUEST *req = NULL;
OCSP_RESPONSE *resp = NULL;
STACK_OF(CONF_VALUE) *headers = NULL;
STACK_OF(OCSP_CERTID) *ids = NULL;
STACK_OF(OPENSSL_STRING) *reqnames = NULL;
STACK_OF(X509) *sign_other = NULL, *verify_other = NULL, *rother = NULL;
STACK_OF(X509) *issuers = NULL;
X509 *issuer = NULL, *cert = NULL;
STACK_OF(X509) *rca_cert = NULL;
X509 *signer = NULL, *rsigner = NULL;
X509_STORE *store = NULL;
X509_VERIFY_PARAM *vpm = NULL;
const char *CAfile = NULL, *CApath = NULL;
char *header, *value;
char *host = NULL, *port = NULL, *path = "/", *outfile = NULL;
char *rca_filename = NULL, *reqin = NULL, *respin = NULL;
char *reqout = NULL, *respout = NULL, *ridx_filename = NULL;
char *rsignfile = NULL, *rkeyfile = NULL;
char *sign_certfile = NULL, *verify_certfile = NULL, *rcertfile = NULL;
char *signfile = NULL, *keyfile = NULL;
char *thost = NULL, *tport = NULL, *tpath = NULL;
int noCAfile = 0, noCApath = 0;
int accept_count = -1, add_nonce = 1, noverify = 0, use_ssl = -1;
int vpmtouched = 0, badsig = 0, i, ignore_err = 0, nmin = 0, ndays = -1;
int req_text = 0, resp_text = 0, ret = 1;
#ifndef OPENSSL_NO_SOCK
int req_timeout = -1;
#endif
long nsec = MAX_VALIDITY_PERIOD, maxage = -1;
unsigned long sign_flags = 0, verify_flags = 0, rflags = 0;
OPTION_CHOICE o;
char *prog;
reqnames = sk_OPENSSL_STRING_new_null();
if (reqnames == NULL)
goto end;
ids = sk_OCSP_CERTID_new_null();
if (ids == NULL)
goto end;
if ((vpm = X509_VERIFY_PARAM_new()) == NULL)
return 1;
prog = opt_init(argc, argv, ocsp_options);
while ((o = opt_next()) != OPT_EOF) {
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
ret = 0;
opt_help(ocsp_options);
goto end;
case OPT_OUTFILE:
outfile = opt_arg();
break;
case OPT_TIMEOUT:
#ifndef OPENSSL_NO_SOCK
req_timeout = atoi(opt_arg());
#endif
break;
case OPT_URL:
OPENSSL_free(thost);
OPENSSL_free(tport);
OPENSSL_free(tpath);
thost = tport = tpath = NULL;
if (!OCSP_parse_url(opt_arg(), &host, &port, &path, &use_ssl)) {
BIO_printf(bio_err, "%s Error parsing URL\n", prog);
goto end;
}
thost = host;
tport = port;
tpath = path;
break;
case OPT_HOST:
host = opt_arg();
break;
case OPT_PORT:
port = opt_arg();
break;
case OPT_IGNORE_ERR:
ignore_err = 1;
break;
case OPT_NOVERIFY:
noverify = 1;
break;
case OPT_NONCE:
add_nonce = 2;
break;
case OPT_NO_NONCE:
add_nonce = 0;
break;
case OPT_RESP_NO_CERTS:
rflags |= OCSP_NOCERTS;
break;
case OPT_RESP_KEY_ID:
rflags |= OCSP_RESPID_KEY;
break;
case OPT_NO_CERTS:
sign_flags |= OCSP_NOCERTS;
break;
case OPT_NO_SIGNATURE_VERIFY:
verify_flags |= OCSP_NOSIGS;
break;
case OPT_NO_CERT_VERIFY:
verify_flags |= OCSP_NOVERIFY;
break;
case OPT_NO_CHAIN:
verify_flags |= OCSP_NOCHAIN;
break;
case OPT_NO_CERT_CHECKS:
verify_flags |= OCSP_NOCHECKS;
break;
case OPT_NO_EXPLICIT:
verify_flags |= OCSP_NOEXPLICIT;
break;
case OPT_TRUST_OTHER:
verify_flags |= OCSP_TRUSTOTHER;
break;
case OPT_NO_INTERN:
verify_flags |= OCSP_NOINTERN;
break;
case OPT_BADSIG:
badsig = 1;
break;
case OPT_TEXT:
req_text = resp_text = 1;
break;
case OPT_REQ_TEXT:
req_text = 1;
break;
case OPT_RESP_TEXT:
resp_text = 1;
break;
case OPT_REQIN:
reqin = opt_arg();
break;
case OPT_RESPIN:
respin = opt_arg();
break;
case OPT_SIGNER:
signfile = opt_arg();
break;
case OPT_VAFILE:
verify_certfile = opt_arg();
verify_flags |= OCSP_TRUSTOTHER;
break;
case OPT_SIGN_OTHER:
sign_certfile = opt_arg();
break;
case OPT_VERIFY_OTHER:
verify_certfile = opt_arg();
break;
case OPT_CAFILE:
CAfile = opt_arg();
break;
case OPT_CAPATH:
CApath = opt_arg();
break;
case OPT_NOCAFILE:
noCAfile = 1;
break;
case OPT_NOCAPATH:
noCApath = 1;
break;
case OPT_V_CASES:
if (!opt_verify(o, vpm))
goto end;
vpmtouched++;
break;
case OPT_VALIDITY_PERIOD:
opt_long(opt_arg(), &nsec);
break;
case OPT_STATUS_AGE:
opt_long(opt_arg(), &maxage);
break;
case OPT_SIGNKEY:
keyfile = opt_arg();
break;
case OPT_REQOUT:
reqout = opt_arg();
break;
case OPT_RESPOUT:
respout = opt_arg();
break;
case OPT_PATH:
path = opt_arg();
break;
case OPT_ISSUER:
issuer = load_cert(opt_arg(), FORMAT_PEM, "issuer certificate");
if (issuer == NULL)
goto end;
if (issuers == NULL) {
if ((issuers = sk_X509_new_null()) == NULL)
goto end;
}
sk_X509_push(issuers, issuer);
break;
case OPT_CERT:
X509_free(cert);
cert = load_cert(opt_arg(), FORMAT_PEM, "certificate");
if (cert == NULL)
goto end;
if (cert_id_md == NULL)
cert_id_md = EVP_sha1();
if (!add_ocsp_cert(&req, cert, cert_id_md, issuer, ids))
goto end;
if (!sk_OPENSSL_STRING_push(reqnames, opt_arg()))
goto end;
trailing_md = 0;
break;
case OPT_SERIAL:
if (cert_id_md == NULL)
cert_id_md = EVP_sha1();
if (!add_ocsp_serial(&req, opt_arg(), cert_id_md, issuer, ids))
goto end;
if (!sk_OPENSSL_STRING_push(reqnames, opt_arg()))
goto end;
trailing_md = 0;
break;
case OPT_INDEX:
ridx_filename = opt_arg();
break;
case OPT_CA:
rca_filename = opt_arg();
break;
case OPT_NMIN:
opt_int(opt_arg(), &nmin);
if (ndays == -1)
ndays = 0;
break;
case OPT_REQUEST:
opt_int(opt_arg(), &accept_count);
break;
case OPT_NDAYS:
ndays = atoi(opt_arg());
break;
case OPT_RSIGNER:
rsignfile = opt_arg();
break;
case OPT_RKEY:
rkeyfile = opt_arg();
break;
case OPT_ROTHER:
rcertfile = opt_arg();
break;
case OPT_RMD: /* Response MessageDigest */
if (!opt_md(opt_arg(), &rsign_md))
goto end;
break;
case OPT_HEADER:
header = opt_arg();
value = strchr(header, '=');
if (value == NULL) {
BIO_printf(bio_err, "Missing = in header key=value\n");
goto opthelp;
}
*value++ = '\0';
if (!X509V3_add_value(header, value, &headers))
goto end;
break;
case OPT_MD:
if (trailing_md) {
BIO_printf(bio_err,
"%s: Digest must be before -cert or -serial\n",
prog);
goto opthelp;
}
if (!opt_md(opt_unknown(), &cert_id_md))
goto opthelp;
trailing_md = 1;
break;
}
}
if (trailing_md) {
BIO_printf(bio_err, "%s: Digest must be before -cert or -serial\n",
prog);
goto opthelp;
}
argc = opt_num_rest();
if (argc != 0)
goto opthelp;
/* Have we anything to do? */
if (req == NULL&& reqin == NULL
&& respin == NULL && !(port != NULL && ridx_filename != NULL))
goto opthelp;
out = bio_open_default(outfile, 'w', FORMAT_TEXT);
if (out == NULL)
goto end;
if (req == NULL && (add_nonce != 2))
add_nonce = 0;
if (req == NULL && reqin != NULL) {
derbio = bio_open_default(reqin, 'r', FORMAT_ASN1);
if (derbio == NULL)
goto end;
req = d2i_OCSP_REQUEST_bio(derbio, NULL);
BIO_free(derbio);
if (req == NULL) {
BIO_printf(bio_err, "Error reading OCSP request\n");
goto end;
}
}
if (req == NULL && port != NULL) {
acbio = init_responder(port);
if (acbio == NULL)
goto end;
}
if (rsignfile != NULL) {
if (rkeyfile == NULL)
rkeyfile = rsignfile;
rsigner = load_cert(rsignfile, FORMAT_PEM, "responder certificate");
if (rsigner == NULL) {
BIO_printf(bio_err, "Error loading responder certificate\n");
goto end;
}
if (!load_certs(rca_filename, &rca_cert, FORMAT_PEM,
NULL, "CA certificate"))
goto end;
if (rcertfile != NULL) {
if (!load_certs(rcertfile, &rother, FORMAT_PEM, NULL,
"responder other certificates"))
goto end;
}
rkey = load_key(rkeyfile, FORMAT_PEM, 0, NULL, NULL,
"responder private key");
if (rkey == NULL)
goto end;
}
if (acbio != NULL)
BIO_printf(bio_err, "Waiting for OCSP client connections...\n");
redo_accept:
if (acbio != NULL) {
if (!do_responder(&req, &cbio, acbio))
goto end;
if (req == NULL) {
resp =
OCSP_response_create(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST,
NULL);
send_ocsp_response(cbio, resp);
goto done_resp;
}
}
if (req == NULL
&& (signfile != NULL || reqout != NULL
|| host != NULL || add_nonce || ridx_filename != NULL)) {
BIO_printf(bio_err, "Need an OCSP request for this operation!\n");
goto end;
}
if (req != NULL && add_nonce)
OCSP_request_add1_nonce(req, NULL, -1);
if (signfile != NULL) {
if (keyfile == NULL)
keyfile = signfile;
signer = load_cert(signfile, FORMAT_PEM, "signer certificate");
if (signer == NULL) {
BIO_printf(bio_err, "Error loading signer certificate\n");
goto end;
}
if (sign_certfile != NULL) {
if (!load_certs(sign_certfile, &sign_other, FORMAT_PEM, NULL,
"signer certificates"))
goto end;
}
key = load_key(keyfile, FORMAT_PEM, 0, NULL, NULL,
"signer private key");
if (key == NULL)
goto end;
if (!OCSP_request_sign
(req, signer, key, NULL, sign_other, sign_flags)) {
BIO_printf(bio_err, "Error signing OCSP request\n");
goto end;
}
}
if (req_text && req != NULL)
OCSP_REQUEST_print(out, req, 0);
if (reqout != NULL) {
derbio = bio_open_default(reqout, 'w', FORMAT_ASN1);
if (derbio == NULL)
goto end;
i2d_OCSP_REQUEST_bio(derbio, req);
BIO_free(derbio);
}
if (ridx_filename != NULL
&& (rkey == NULL || rsigner == NULL || rca_cert == NULL)) {
BIO_printf(bio_err,
"Need a responder certificate, key and CA for this operation!\n");
goto end;
}
if (ridx_filename != NULL && rdb == NULL) {
rdb = load_index(ridx_filename, NULL);
if (rdb == NULL)
goto end;
if (!index_index(rdb))
goto end;
}
if (rdb != NULL) {
make_ocsp_response(&resp, req, rdb, rca_cert, rsigner, rkey,
rsign_md, rother, rflags, nmin, ndays, badsig);
if (cbio != NULL)
send_ocsp_response(cbio, resp);
} else if (host != NULL) {
# ifndef OPENSSL_NO_SOCK
resp = process_responder(req, host, path,
port, use_ssl, headers, req_timeout);
if (resp == NULL)
goto end;
# else
BIO_printf(bio_err,
"Error creating connect BIO - sockets not supported.\n");
goto end;
# endif
} else if (respin != NULL) {
derbio = bio_open_default(respin, 'r', FORMAT_ASN1);
if (derbio == NULL)
goto end;
resp = d2i_OCSP_RESPONSE_bio(derbio, NULL);
BIO_free(derbio);
if (resp == NULL) {
BIO_printf(bio_err, "Error reading OCSP response\n");
goto end;
}
} else {
ret = 0;
goto end;
}
done_resp:
if (respout != NULL) {
derbio = bio_open_default(respout, 'w', FORMAT_ASN1);
if (derbio == NULL)
goto end;
i2d_OCSP_RESPONSE_bio(derbio, resp);
BIO_free(derbio);
}
i = OCSP_response_status(resp);
if (i != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
BIO_printf(out, "Responder Error: %s (%d)\n",
OCSP_response_status_str(i), i);
if (ignore_err)
goto redo_accept;
ret = 0;
goto end;
}
if (resp_text)
OCSP_RESPONSE_print(out, resp, 0);
/* If running as responder don't verify our own response */
if (cbio != NULL) {
/* If not unlimited, see if we took all we should. */
if (accept_count != -1 && --accept_count <= 0) {
ret = 0;
goto end;
}
BIO_free_all(cbio);
cbio = NULL;
OCSP_REQUEST_free(req);
req = NULL;
OCSP_RESPONSE_free(resp);
resp = NULL;
goto redo_accept;
}
if (ridx_filename != NULL) {
ret = 0;
goto end;
}
if (store == NULL) {
store = setup_verify(CAfile, CApath, noCAfile, noCApath);
if (!store)
goto end;
}
if (vpmtouched)
X509_STORE_set1_param(store, vpm);
if (verify_certfile != NULL) {
if (!load_certs(verify_certfile, &verify_other, FORMAT_PEM, NULL,
"validator certificate"))
goto end;
}
bs = OCSP_response_get1_basic(resp);
if (bs == NULL) {
BIO_printf(bio_err, "Error parsing response\n");
goto end;
}
ret = 0;
if (!noverify) {
if (req != NULL && ((i = OCSP_check_nonce(req, bs)) <= 0)) {
if (i == -1)
BIO_printf(bio_err, "WARNING: no nonce in response\n");
else {
BIO_printf(bio_err, "Nonce Verify error\n");
ret = 1;
goto end;
}
}
i = OCSP_basic_verify(bs, verify_other, store, verify_flags);
if (i <= 0 && issuers) {
i = OCSP_basic_verify(bs, issuers, store, OCSP_TRUSTOTHER);
if (i > 0)
ERR_clear_error();
}
if (i <= 0) {
BIO_printf(bio_err, "Response Verify Failure\n");
ERR_print_errors(bio_err);
ret = 1;
} else {
BIO_printf(bio_err, "Response verify OK\n");
}
}
print_ocsp_summary(out, bs, req, reqnames, ids, nsec, maxage);
end:
ERR_print_errors(bio_err);
X509_free(signer);
X509_STORE_free(store);
X509_VERIFY_PARAM_free(vpm);
EVP_PKEY_free(key);
EVP_PKEY_free(rkey);
X509_free(cert);
sk_X509_pop_free(issuers, X509_free);
X509_free(rsigner);
sk_X509_pop_free(rca_cert, X509_free);
free_index(rdb);
BIO_free_all(cbio);
BIO_free_all(acbio);
BIO_free(out);
OCSP_REQUEST_free(req);
OCSP_RESPONSE_free(resp);
OCSP_BASICRESP_free(bs);
sk_OPENSSL_STRING_free(reqnames);
sk_OCSP_CERTID_free(ids);
sk_X509_pop_free(sign_other, X509_free);
sk_X509_pop_free(verify_other, X509_free);
sk_CONF_VALUE_pop_free(headers, X509V3_conf_free);
OPENSSL_free(thost);
OPENSSL_free(tport);
OPENSSL_free(tpath);
return ret;
}
void OCSPResponseVerifier_impl::ProcessL()
{
if (!m_request || !m_response_der || m_response_length == 0 ||
!m_certificate_chain || !m_ca_storage)
LEAVE(OpStatus::ERR_OUT_OF_RANGE);
// Default value. Will be checked in the end of the function.
OP_STATUS status = OpStatus::ERR;
// Default verify status.
m_verify_status = CryptoCertificateChain::VERIFY_STATUS_UNKNOWN;
OCSP_RESPONSE* ocsp_response = 0;
OCSP_BASICRESP* ocsp_basicresp = 0;
do
{
const OCSPRequest_impl* request_impl =
static_cast <const OCSPRequest_impl*> (m_request);
const CryptoCertificateChain_impl* chain_impl =
static_cast <const CryptoCertificateChain_impl*> (m_certificate_chain);
const CryptoCertificateStorage_impl* storage_impl =
static_cast <const CryptoCertificateStorage_impl*> (m_ca_storage);
if (!request_impl || !chain_impl || !storage_impl)
{
status = OpStatus::ERR_OUT_OF_RANGE;
break;
}
OCSP_REQUEST* ocsp_request = request_impl->GetOCSP_REQUEST();
STACK_OF(X509)* x509_chain = chain_impl->GetStackOfX509();
X509_STORE* x509_store = storage_impl->GetX509Store();
OP_ASSERT(ocsp_request && x509_chain && x509_store);
// Both ocsp_request, x509_chain and x509_store are owned
// by their container objects.
// Temporary variable, according to the documentation.
const unsigned char* response_tmp = m_response_der;
ocsp_response = d2i_OCSP_RESPONSE(0, &response_tmp, m_response_length);
OPENSSL_VERIFY_OR_BREAK2(ocsp_response, status);
// Check that the OCSP responder was able to respond correctly.
int ocsp_response_status = OCSP_response_status(ocsp_response);
OPENSSL_BREAK2_IF(ocsp_response_status != OCSP_RESPONSE_STATUS_SUCCESSFUL, status);
ocsp_basicresp = OCSP_response_get1_basic(ocsp_response);
OPENSSL_VERIFY_OR_BREAK2(ocsp_basicresp, status);
// Verify that the response is correctly signed.
int response_valid_status =
OCSP_basic_verify(ocsp_basicresp, x509_chain, x509_store, /* flags = */ 0);
OPENSSL_BREAK2_IF(response_valid_status != 1, status);
OP_ASSERT(ocsp_request->tbsRequest && ocsp_request->tbsRequest->requestList);
OCSP_ONEREQ* ocsp_onereq =
sk_OCSP_ONEREQ_value(ocsp_request->tbsRequest->requestList, 0);
OPENSSL_VERIFY_OR_BREAK(ocsp_onereq);
// ocsp_request owns ocsp_onereq.
OCSP_CERTID* ocsp_certid = ocsp_onereq->reqCert;
OPENSSL_VERIFY_OR_BREAK(ocsp_certid);
// ocsp_request owns ocsp_certid.
int revocation_code = -1, response_code = -1;
ASN1_GENERALIZEDTIME* thisupd = 0;
ASN1_GENERALIZEDTIME* nextupd = 0;
int err = OCSP_resp_find_status(
ocsp_basicresp, ocsp_certid, &response_code, &revocation_code,
0, &thisupd, &nextupd);
OPENSSL_BREAK2_IF(err != 1 || response_code < 0, status);
// Allow some difference in client and server clocks.
const long int CLOCK_SHARPNESS = 3600;
// Default age limit for responses without nextUpdate field.
const long int DEFAULT_MAXAGE = 100 * 24 * 3600;
err = OCSP_check_validity(thisupd, nextupd, CLOCK_SHARPNESS, DEFAULT_MAXAGE);
OPENSSL_BREAK2_IF(err != 1, status);
switch (response_code)
{
case V_OCSP_CERTSTATUS_GOOD:
m_verify_status = CryptoCertificateChain::OK_CHECKED_WITH_OCSP;
status = OpStatus::OK;
break;
case V_OCSP_CERTSTATUS_REVOKED:
m_verify_status = CryptoCertificateChain::CERTIFICATE_REVOKED;
status = OpStatus::OK;
break;
default:
OP_ASSERT(!"Unexpected OCSP response code!");
// fall-through
case V_OCSP_CERTSTATUS_UNKNOWN:
OP_ASSERT(m_verify_status == CryptoCertificateChain::VERIFY_STATUS_UNKNOWN);
break;
}
} while(0);
if(ocsp_basicresp)
OCSP_BASICRESP_free(ocsp_basicresp);
if(ocsp_response)
OCSP_RESPONSE_free(ocsp_response);
// There shouldn't be any errors.
OP_ASSERT(ERR_peek_error() == 0);
LEAVE_IF_ERROR(status);
}