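if (data) {
    if ((i = i2d(data, NULL)) <= 0)
        goto err;
    if (!(b = p = OPENSSL_malloc((unsigned int)i)))
        goto err;
    if (i2d(data, &p) <= 0)
        goto err;
} else if (sk) {
    if ((i = i2d_ASN1_SET_OF_ASN1_OBJECT(sk, NULL, (I2D_OF(ASN1_OBJECT))i2d,
                                        V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL,
                                        IS_SEQUENCE)) <= 0)
        goto err;
    if (!(b = p = OPENSSL_malloc((unsigned int)i)))
        goto err;
    if (i2d_ASN1_SET_OF_ASN1_OBJECT(sk, &p, (I2D_OF(ASN1_OBJECT))i2d,
                                    V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL,
                                    IS_SEQUENCE) <= 0)
        goto err;
} else {
    OCSPerr(OCSP_F_ASN1_STRING_ENCODE, OCSP_R_BAD_DATA);
    goto err;
}
if (!s && !(s = ASN1_STRING_new()))
    goto err;
if (!(ASN1_STRING_set(s, b, i)))
    goto err;
OPENSSL_free(b);
return s;
err:
if (b)
    OPENSSL_free(b);
return NULL;
}

/* Nonce handling functions */

/*
 * Add a nonce extension to |*exts|, replacing any nonce already there.
 * If |val| is NULL a random nonce of |len| bytes is generated; otherwise
 * |len| bytes are copied from |val|. |len| <= 0 selects
 * OCSP_DEFAULT_NONCE_LENGTH (and, when |val| is given, that many bytes are
 * read from it).
 * Note: OpenSSL 0.9.7d and later create an OCTET STRING containing the
 * nonce; previous versions used the raw nonce.
 *
 * NOTE(review): no upper bound on |len| is enforced here. Responders that
 * follow RFC 8954 may reject nonces longer than 32 bytes - confirm against
 * the responders in use.
 *
 * Returns 1 on success, 0 on failure (allocation, RNG, or extension add).
 */
static int ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts,
                           unsigned char *val, int len)
{
    unsigned char *content;
    ASN1_OCTET_STRING os;
    int ret = 0;

    /* err: frees os.data, so it must be valid before the first goto */
    os.data = NULL;
    os.length = 0;
    os.type = V_ASN1_OCTET_STRING;
    os.flags = 0;
    if (len <= 0)
        len = OCSP_DEFAULT_NONCE_LENGTH;

    /*
     * Build the OCTET STRING by hand: emit the tag/length header, then the
     * content octets straight after it. This saves an allocation compared
     * with going through the i2d routines. Applications should *NOT* copy
     * this pattern - it relies on library internals.
     */
    os.length = ASN1_object_size(0, len, V_ASN1_OCTET_STRING);
    if (os.length <= 0)
        goto err;               /* defensive: size computation failed */
    os.data = OPENSSL_malloc(os.length);
    if (os.data == NULL)
        goto err;
    content = os.data;
    ASN1_put_object(&content, 0, len, V_ASN1_OCTET_STRING, V_ASN1_UNIVERSAL);

    if (val != NULL) {
        memcpy(content, val, len);
    } else if (RAND_bytes(content, len) <= 0) {
        /*
         * The nonce is what ties a response to this request, so an RNG
         * failure must fail the call rather than leave a predictable or
         * uninitialised nonce behind (the original used RAND_pseudo_bytes
         * and ignored its return value).
         */
        goto err;
    }

    if (!X509V3_add1_i2d(exts, NID_id_pkix_OCSP_Nonce, &os, 0,
                         X509V3_ADD_REPLACE))
        goto err;
    ret = 1;

 err:
    if (os.data != NULL)
        OPENSSL_free(os.data);
    return ret;
}

/*
 * Add a nonce to the requestExtensions of |req|. See ocsp_add1_nonce()
 * for the meaning of |val| and |len| and for the return value.
 */
int OCSP_request_add1_nonce(OCSP_REQUEST *req, unsigned char *val, int len)
{
    return ocsp_add1_nonce(&req->tbsRequest->requestExtensions, val, len);
}

/* Same as above, but for the responseExtensions of a basic response. */
int OCSP_basic_add1_nonce(OCSP_BASICRESP *resp, unsigned char *val, int len)
{
    return ocsp_add1_nonce(&resp->tbsResponseData->responseExtensions,
                           val, len);
}

/*
 * Check nonce validity in a request and response.
 * Return value reflects result:
 *  1: nonces present and equal.
 *  2: nonces both absent.
 *  3: nonce present in response only.
 *  0: nonces both present and not equal.
 * -1: nonce in request only.
 *
 * For most responders clients can check return > 0. If the responder does
 * not handle nonces, return != 0 may be necessary; note that accepting -1
 * gives up the replay protection the nonce provides, so such a client
 * should lean on the response's validity times instead.
 * return == 0 is always an error.
 */
int OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *bs)
{
    int req_idx, resp_idx;
    X509_EXTENSION *req_ext, *resp_ext;

    /*
     * Only presence and the raw value matter, so the extensions are looked
     * at directly instead of via the X509V3 routines, which would allocate
     * an ASN1_OCTET_STRING only to free it again.
     */
    req_idx = OCSP_REQUEST_get_ext_by_NID(req, NID_id_pkix_OCSP_Nonce, -1);
    resp_idx = OCSP_BASICRESP_get_ext_by_NID(bs, NID_id_pkix_OCSP_Nonce, -1);

    if (req_idx < 0)
        return resp_idx < 0 ? 2 : 3;    /* both absent / response only */
    if (resp_idx < 0)
        return -1;                      /* request only */

    /* Both present: compare the encoded extension values byte for byte. */
    req_ext = OCSP_REQUEST_get_ext(req, req_idx);
    resp_ext = OCSP_BASICRESP_get_ext(bs, resp_idx);
    return ASN1_OCTET_STRING_cmp(req_ext->value, resp_ext->value) == 0 ? 1 : 0;
}

/*
 * Copy the nonce extension (if any) from |req| into |resp|.
 * Returns 2 if the request carries no nonce (nothing to do), otherwise the
 * result of OCSP_BASICRESP_add_ext(): 1 on success, 0 on failure.
 * NOTE(review): assumes OCSP_BASICRESP_add_ext() copies |req_ext| rather
 * than taking ownership of it - confirm before changing the request after
 * this call.
 */
int OCSP_copy_nonce(OCSP_BASICRESP *resp, OCSP_REQUEST *req)
{
    X509_EXTENSION *req_ext;
    int req_idx;

    req_idx = OCSP_REQUEST_get_ext_by_NID(req, NID_id_pkix_OCSP_Nonce, -1);
    if (req_idx < 0)
        return 2;                       /* no nonce in the request: fine */
    req_ext = OCSP_REQUEST_get_ext(req, req_idx);
    return OCSP_BASICRESP_add_ext(resp, req_ext, -1);
}

/*
 * Build a CrlID extension. Any of |url|, |n| and |tim| may be NULL, in
 * which case the corresponding crlUrl / crlNum / crlTime field is left out.
 * |tim| must be a GeneralizedTime string accepted by
 * ASN1_GENERALIZEDTIME_set_string().
 * Returns a new X509_EXTENSION, or NULL on failure (including a rejected
 * time string).
 */
X509_EXTENSION *OCSP_crlID_new(char *url, long *n, char *tim)
{
    X509_EXTENSION *ext = NULL;
    OCSP_CRLID *cid = OCSP_CRLID_new();

    if (cid == NULL)
        goto err;
    if (url != NULL) {
        cid->crlUrl = ASN1_IA5STRING_new();
        if (cid->crlUrl == NULL || !ASN1_STRING_set(cid->crlUrl, url, -1))
            goto err;
    }
    if (n != NULL) {
        cid->crlNum = ASN1_INTEGER_new();
        if (cid->crlNum == NULL || !ASN1_INTEGER_set(cid->crlNum, *n))
            goto err;
    }
    if (tim != NULL) {
        cid->crlTime = ASN1_GENERALIZEDTIME_new();
        if (cid->crlTime == NULL
            || !ASN1_GENERALIZEDTIME_set_string(cid->crlTime, tim))
            goto err;
    }
    ext = X509_EXTENSION_new();
    if (ext == NULL)
        goto err;
    ext->object = OBJ_nid2obj(NID_id_pkix_OCSP_CrlID);
    if (ext->object == NULL)
        goto err;
    /* DER-encode the CrlID structure into the extension value */
    if (!ASN1_STRING_encode_of(OCSP_CRLID, ext->value, i2d_OCSP_CRLID,
                               cid, NULL))
        goto err;
    OCSP_CRLID_free(cid);
    return ext;

 err:
    if (ext != NULL)
        X509_EXTENSION_free(ext);
    if (cid != NULL)
        OCSP_CRLID_free(cid);
    return NULL;
}

/*
 * AcceptableResponses ::= SEQUENCE OF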
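 * OBJECT IDENTIFIER */

/*
 * Build an AcceptableResponses extension from a NULL-terminated array of
 * OID strings (in whatever forms OBJ_txt2nid() accepts). Strings that do
 * not resolve to a known NID are silently skipped, so the extension may
 * list fewer OIDs than were passed in; a NULL or empty |oids| gives an
 * empty SEQUENCE.
 * Returns a new X509_EXTENSION, or NULL on failure.
 */
X509_EXTENSION *OCSP_accept_responses_new(char **oids)
{
    STACK_OF(ASN1_OBJECT) *objs = sk_ASN1_OBJECT_new_null();
    X509_EXTENSION *ext = NULL;

    if (objs == NULL)
        goto err;
    for (; oids != NULL && *oids != NULL; oids++) {
        int nid = OBJ_txt2nid(*oids);
        ASN1_OBJECT *obj;

        if (nid == NID_undef || (obj = OBJ_nid2obj(nid)) == NULL)
            continue;               /* unknown OID: skipped, not an error */
        /* a failed push (allocation) must not silently drop an OID */
        if (!sk_ASN1_OBJECT_push(objs, obj))
            goto err;
    }
    ext = X509_EXTENSION_new();
    if (ext == NULL)
        goto err;
    ext->object = OBJ_nid2obj(NID_id_pkix_OCSP_acceptableResponses);
    if (ext->object == NULL)
        goto err;
    /* encode the stack as SEQUENCE OF OBJECT IDENTIFIER into the value */
    if (!ASN1_STRING_encode_of(ASN1_OBJECT, ext->value, i2d_ASN1_OBJECT,
                               NULL, objs))
        goto err;
    /*
     * The objects come from OBJ_nid2obj() and are library-owned; freeing
     * them here is expected to be a no-op, as in the original code.
     */
    sk_ASN1_OBJECT_pop_free(objs, ASN1_OBJECT_free);
    return ext;

 err:
    if (ext != NULL)
        X509_EXTENSION_free(ext);
    if (objs != NULL)
        sk_ASN1_OBJECT_pop_free(objs, ASN1_OBJECT_free);
    return NULL;
}

/* ArchiveCutoff ::= GeneralizedTime */

/*
 * Build an ArchiveCutoff extension from the GeneralizedTime string |tim|.
 * Returns a new X509_EXTENSION, or NULL if |tim| is NULL, is rejected by
 * ASN1_GENERALIZEDTIME_set_string(), or an allocation fails.
 */
X509_EXTENSION *OCSP_archive_cutoff_new(char *tim)
{
    X509_EXTENSION *ext = NULL;
    ASN1_GENERALIZEDTIME *cutoff = NULL;

    /* the time is mandatory here: don't hand a NULL string to set_string() */
    if (tim == NULL)
        return NULL;
    cutoff = ASN1_GENERALIZEDTIME_new();
    if (cutoff == NULL || !ASN1_GENERALIZEDTIME_set_string(cutoff, tim))
        goto err;
    ext = X509_EXTENSION_new();
    if (ext == NULL)
        goto err;
    ext->object = OBJ_nid2obj(NID_id_pkix_OCSP_archiveCutoff);
    if (ext->object == NULL)
        goto err;
    if (!ASN1_STRING_encode_of(ASN1_GENERALIZEDTIME, ext->value,
                               i2d_ASN1_GENERALIZEDTIME, cutoff, NULL))
        goto err;
    ASN1_GENERALIZEDTIME_free(cutoff);
    return ext;

 err:
    if (cutoff != NULL)
        ASN1_GENERALIZEDTIME_free(cutoff);
    if (ext != NULL)
        X509_EXTENSION_free(ext);
    return NULL;
}

/*
 * ServiceLocator: each ACCESS_DESCRIPTION carries an accessMethod OID (an
 * id-ad value) and an accessLocation GeneralName. OCSP_url_svcloc_new()
 * always emits NID_ad_OCSP with a uniformResourceIdentifier [6] IA5String
 * location.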
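*/

/*
 * Build a ServiceLocator extension for |issuer| (copied; must be non-NULL)
 * with one id-ad-ocsp ACCESS_DESCRIPTION per URL in the NULL-terminated
 * array |urls|, each carried as a uniformResourceIdentifier IA5String.
 * |urls| may be NULL or empty, in which case the locator SEQUENCE is left
 * out altogether.
 * Returns a new X509_EXTENSION, or NULL on failure.
 */
X509_EXTENSION *OCSP_url_svcloc_new(X509_NAME *issuer, char **urls)
{
    X509_EXTENSION *ext = NULL;
    ASN1_IA5STRING *uri = NULL;
    OCSP_SERVICELOC *sloc = NULL;
    ACCESS_DESCRIPTION *ad = NULL;

    if ((sloc = OCSP_SERVICELOC_new()) == NULL)
        goto err;
    if ((sloc->issuer = X509_NAME_dup(issuer)) == NULL)
        goto err;
    if (urls != NULL && *urls != NULL) {
        sloc->locator = sk_ACCESS_DESCRIPTION_new_null();
        if (sloc->locator == NULL)
            goto err;
    }
    for (; urls != NULL && *urls != NULL; urls++) {
        /*
         * |ad| and |uri| stay in the locals until ownership has really
         * moved, so a failure part-way through frees them at err:. The
         * original leaked both on every failing path inside this loop.
         */
        if ((ad = ACCESS_DESCRIPTION_new()) == NULL)
            goto err;
        if ((ad->method = OBJ_nid2obj(NID_ad_OCSP)) == NULL)
            goto err;
        if ((ad->location = GENERAL_NAME_new()) == NULL)
            goto err;
        if ((uri = ASN1_IA5STRING_new()) == NULL)
            goto err;
        if (!ASN1_STRING_set((ASN1_STRING *)uri, *urls, -1))
            goto err;
        ad->location->type = GEN_URI;
        ad->location->d.ia5 = uri;
        uri = NULL;                     /* now owned by ad->location */
        if (!sk_ACCESS_DESCRIPTION_push(sloc->locator, ad))
            goto err;
        ad = NULL;                      /* now owned by sloc->locator */
    }
    if ((ext = X509_EXTENSION_new()) == NULL)
        goto err;
    if ((ext->object = OBJ_nid2obj(NID_id_pkix_OCSP_serviceLocator)) == NULL)
        goto err;
    /* DER-encode the ServiceLocator into the extension value */
    if (!ASN1_STRING_encode_of(OCSP_SERVICELOC, ext->value,
                               i2d_OCSP_SERVICELOC, sloc, NULL))
        goto err;
    OCSP_SERVICELOC_free(sloc);
    return ext;

 err:
    if (uri != NULL)
        ASN1_IA5STRING_free(uri);
    if (ad != NULL)
        ACCESS_DESCRIPTION_free(ad);
    if (ext != NULL)
        X509_EXTENSION_free(ext);
    if (sloc != NULL)
        OCSP_SERVICELOC_free(sloc);
    return NULL;
}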