1 /* $OpenBSD: ocsp_lib.c,v 1.25 2022/01/22 00:31:23 inoguchi Exp $ */
2 /* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
3 * project. */
4
5 /* History:
6 This file was transfered to Richard Levitte from CertCo by Kathy
7 Weinhold in mid-spring 2000 to be included in OpenSSL or released
8 as a patch kit. */
9
10 /* ====================================================================
11 * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
12 *
13 * Redistribution and use in source and binary forms, with or without
14 * modification, are permitted provided that the following conditions
15 * are met:
16 *
17 * 1. Redistributions of source code must retain the above copyright
18 * notice, this list of conditions and the following disclaimer.
19 *
20 * 2. Redistributions in binary form must reproduce the above copyright
21 * notice, this list of conditions and the following disclaimer in
22 * the documentation and/or other materials provided with the
23 * distribution.
24 *
25 * 3. All advertising materials mentioning features or use of this
26 * software must display the following acknowledgment:
27 * "This product includes software developed by the OpenSSL Project
28 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
29 *
30 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
31 * endorse or promote products derived from this software without
32 * prior written permission. For written permission, please contact
33 * openssl-core@openssl.org.
34 *
35 * 5. Products derived from this software may not be called "OpenSSL"
36 * nor may "OpenSSL" appear in their names without prior written
37 * permission of the OpenSSL Project.
38 *
39 * 6. Redistributions of any form whatsoever must retain the following
40 * acknowledgment:
41 * "This product includes software developed by the OpenSSL Project
42 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
43 *
44 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
45 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
46 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
47 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
48 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
49 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
50 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
51 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
52 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
53 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
54 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
55 * OF THE POSSIBILITY OF SUCH DAMAGE.
56 * ====================================================================
57 *
58 * This product includes cryptographic software written by Eric Young
59 * (eay@cryptsoft.com). This product includes software written by Tim
60 * Hudson (tjh@cryptsoft.com).
61 *
62 */
63
64 #include <stdio.h>
65 #include <string.h>
66
67 #include <openssl/opensslconf.h>
68
69 #include <openssl/asn1t.h>
70 #include <openssl/err.h>
71 #include <openssl/objects.h>
72 #include <openssl/ocsp.h>
73 #include <openssl/pem.h>
74 #include <openssl/x509.h>
75 #include <openssl/x509v3.h>
76
77 #include "ocsp_local.h"
78
79 /* Convert a certificate and its issuer to an OCSP_CERTID */
80
81 OCSP_CERTID *
OCSP_cert_to_id(const EVP_MD * dgst,const X509 * subject,const X509 * issuer)82 OCSP_cert_to_id(const EVP_MD *dgst, const X509 *subject, const X509 *issuer)
83 {
84 X509_NAME *iname;
85 const ASN1_INTEGER *serial;
86 ASN1_BIT_STRING *ikey;
87
88 #ifndef OPENSSL_NO_SHA1
89 if (!dgst)
90 dgst = EVP_sha1();
91 #endif
92 if (subject) {
93 iname = X509_get_issuer_name(subject);
94 serial = X509_get0_serialNumber(subject);
95 } else {
96 iname = X509_get_subject_name(issuer);
97 serial = NULL;
98 }
99 if ((ikey = X509_get0_pubkey_bitstr(issuer)) == NULL)
100 return NULL;
101
102 return OCSP_cert_id_new(dgst, iname, ikey, serial);
103 }
104
105 OCSP_CERTID *
OCSP_cert_id_new(const EVP_MD * dgst,const X509_NAME * issuerName,const ASN1_BIT_STRING * issuerKey,const ASN1_INTEGER * serialNumber)106 OCSP_cert_id_new(const EVP_MD *dgst, const X509_NAME *issuerName,
107 const ASN1_BIT_STRING *issuerKey, const ASN1_INTEGER *serialNumber)
108 {
109 int nid;
110 unsigned int i;
111 X509_ALGOR *alg;
112 OCSP_CERTID *cid = NULL;
113 unsigned char md[EVP_MAX_MD_SIZE];
114
115 if (!(cid = OCSP_CERTID_new()))
116 goto err;
117
118 alg = cid->hashAlgorithm;
119 if (alg->algorithm != NULL)
120 ASN1_OBJECT_free(alg->algorithm);
121 if ((nid = EVP_MD_type(dgst)) == NID_undef) {
122 OCSPerror(OCSP_R_UNKNOWN_NID);
123 goto err;
124 }
125 if (!(alg->algorithm = OBJ_nid2obj(nid)))
126 goto err;
127 if ((alg->parameter = ASN1_TYPE_new()) == NULL)
128 goto err;
129 alg->parameter->type = V_ASN1_NULL;
130
131 if (!X509_NAME_digest(issuerName, dgst, md, &i))
132 goto digerr;
133 if (!(ASN1_OCTET_STRING_set(cid->issuerNameHash, md, i)))
134 goto err;
135
136 /* Calculate the issuerKey hash, excluding tag and length */
137 if (!EVP_Digest(issuerKey->data, issuerKey->length, md, &i, dgst, NULL))
138 goto err;
139
140 if (!(ASN1_OCTET_STRING_set(cid->issuerKeyHash, md, i)))
141 goto err;
142
143 if (serialNumber) {
144 ASN1_INTEGER_free(cid->serialNumber);
145 if (!(cid->serialNumber = ASN1_INTEGER_dup(serialNumber)))
146 goto err;
147 }
148 return cid;
149
150 digerr:
151 OCSPerror(OCSP_R_DIGEST_ERR);
152 err:
153 if (cid)
154 OCSP_CERTID_free(cid);
155 return NULL;
156 }
157
158 int
OCSP_id_issuer_cmp(OCSP_CERTID * a,OCSP_CERTID * b)159 OCSP_id_issuer_cmp(OCSP_CERTID *a, OCSP_CERTID *b)
160 {
161 int ret;
162
163 ret = OBJ_cmp(a->hashAlgorithm->algorithm, b->hashAlgorithm->algorithm);
164 if (ret)
165 return ret;
166 ret = ASN1_OCTET_STRING_cmp(a->issuerNameHash, b->issuerNameHash);
167 if (ret)
168 return ret;
169 return ASN1_OCTET_STRING_cmp(a->issuerKeyHash, b->issuerKeyHash);
170 }
171
172 int
OCSP_id_cmp(OCSP_CERTID * a,OCSP_CERTID * b)173 OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b)
174 {
175 int ret;
176
177 ret = OCSP_id_issuer_cmp(a, b);
178 if (ret)
179 return ret;
180 return ASN1_INTEGER_cmp(a->serialNumber, b->serialNumber);
181 }
182
183 /* Parse a URL and split it up into host, port and path components and whether
184 * it is SSL.
185 */
186 int
OCSP_parse_url(const char * url,char ** phost,char ** pport,char ** ppath,int * pssl)187 OCSP_parse_url(const char *url, char **phost, char **pport, char **ppath,
188 int *pssl)
189 {
190 char *host, *path, *port, *tmp;
191
192 *phost = *pport = *ppath = NULL;
193 *pssl = 0;
194
195 if (strncmp(url, "https://", 8) == 0) {
196 *pssl = 1;
197 host = strdup(url + 8);
198 } else if (strncmp(url, "http://", 7) == 0)
199 host = strdup(url + 7);
200 else {
201 OCSPerror(OCSP_R_ERROR_PARSING_URL);
202 return 0;
203 }
204 if (host == NULL) {
205 OCSPerror(ERR_R_MALLOC_FAILURE);
206 return 0;
207 }
208
209 if ((tmp = strchr(host, '/')) != NULL) {
210 path = strdup(tmp);
211 *tmp = '\0';
212 } else
213 path = strdup("/");
214
215 if ((tmp = strchr(host, ':')) != NULL ) {
216 port = strdup(tmp + 1);
217 *tmp = '\0';
218 } else {
219 if (*pssl)
220 port = strdup("443");
221 else
222 port = strdup("80");
223 }
224
225 if (path == NULL || port == NULL) {
226 free(host);
227 free(path);
228 free(port);
229 OCSPerror(ERR_R_MALLOC_FAILURE);
230 return 0;
231 }
232
233 *phost = host;
234 *ppath = path;
235 *pport = port;
236 return 1;
237 }
238
239 OCSP_CERTID *
OCSP_CERTID_dup(OCSP_CERTID * x)240 OCSP_CERTID_dup(OCSP_CERTID *x)
241 {
242 return ASN1_item_dup(&OCSP_CERTID_it, x);
243 }
244