Diffstat (limited to 'libdigidoc/DigiDocOCSP.c')
-rw-r--r--libdigidoc/DigiDocOCSP.c279
1 files changed, 146 insertions, 133 deletions
diff --git a/libdigidoc/DigiDocOCSP.c b/libdigidoc/DigiDocOCSP.c
index 48973e7..5c48aac 100644
--- a/libdigidoc/DigiDocOCSP.c
+++ b/libdigidoc/DigiDocOCSP.c
@@ -59,6 +59,58 @@ static int password_callback(char *buf, int bufsiz, int verify, void *cb_data)
}
#endif
+#if OPENSSL_VERSION_NUMBER < 0x10010000L
+static int OCSP_resp_get0_id(const OCSP_BASICRESP *bs, const ASN1_OCTET_STRING **pid, const X509_NAME **pname)
+{
+ *pid = NULL;
+ *pname = NULL;
+ const OCSP_RESPID *rid = bs->tbsResponseData->responderId;
+ if (rid->type == V_OCSP_RESPID_NAME)
+ *pname = rid->value.byName;
+ else if (rid->type == V_OCSP_RESPID_KEY)
+ *pid = rid->value.byKey;
+ else
+ return 0;
+ return 1;
+}
+
+static const ASN1_GENERALIZEDTIME *OCSP_resp_get0_produced_at(const OCSP_BASICRESP* bs)
+{
+ return bs->tbsResponseData->producedAt;
+}
+
+static const OCSP_CERTID *OCSP_SINGLERESP_get0_id(const OCSP_SINGLERESP *single)
+{
+ return single->certId;
+}
+
+static const ASN1_OCTET_STRING *OCSP_resp_get0_signature(const OCSP_BASICRESP *bs)
+{
+ return bs->signature;
+}
+
+static const STACK_OF(X509_EXTENSION) *X509_get0_extensions(const X509 *x)
+{
+ return x->cert_info->extensions;
+}
+
+static const ASN1_TIME *X509_get0_notBefore(const X509 *x)
+{
+ return x->cert_info->validity->notBefore;
+}
+
+static const ASN1_TIME *X509_get0_notAfter(const X509 *x)
+{
+ return x->cert_info->validity->notAfter;
+}
+#else
+# define BIO_R_BAD_HOSTNAME_LOOKUP 102
+# define OCSP_R_NO_CONTENT 106
+# define OCSP_F_OCSP_SENDREQ_BIO 112
+# define OCSP_R_SERVER_READ_ERROR 113
+# define OCSP_R_SERVER_WRITE_ERROR 116
+#endif
+
//================< OCSP functions> =================================
static int ddocOcspProxyAuthInfo(char *authinfo, const char *user, const char *pass)
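Review bot: The new `#if OPENSSL_VERSION_NUMBER < 0x10010000L` block carries no comment explaining what it is, and the error-code macros in its `#else` branch are defined unconditionally. I would head the block with `/* Accessors introduced in OpenSSL 1.1.0, reimplemented here for older releases; the #else branch restores the BIO/OCSP error codes that 1.1.0 dropped but this file still reports. */` and wrap each macro as `#ifndef OCSP_R_NO_CONTENT` … `#endif`, so a header that supplies one of them with a different value cannot break the build. The `OCSP_resp_get0_id` shim dereferences `bs->tbsResponseData->responderId` without a NULL check, which matches the OpenSSL original but is worth a one-line comment so callers keep passing a parsed basic response.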
@@ -309,20 +361,21 @@ int calcNotaryDigest(SignedDoc* pSigDoc, NotaryInfo* pNotary)
int initializeNotaryInfoWithOCSP(SignedDoc *pSigDoc, NotaryInfo *pNotary,
OCSP_RESPONSE *resp, X509 *notCert, int initDigest)
{
- int n, err = ERR_OK;
+ int n, err = ERR_OK, status = 0;
char buf[500];
OCSP_RESPBYTES *rb = NULL;
OCSP_BASICRESP *br = NULL;
- OCSP_RESPDATA *rd = NULL;
- OCSP_RESPID *rid = NULL;
- // OCSP_CERTSTATUS *cst = NULL;
OCSP_SINGLERESP *single = NULL;
- OCSP_CERTID *cid = NULL;
+ const OCSP_CERTID *cid = NULL;
X509_EXTENSION *nonce;
+ const ASN1_GENERALIZEDTIME *producedAt = NULL;
//AM 26.09.08
DigiDocMemBuf mbuf1;
mbuf1.pMem = 0;
mbuf1.nLen = 0;
+ const ASN1_OCTET_STRING *id = NULL;
+ const X509_NAME *name = NULL;
+ ASN1_OBJECT *hashAlgorithm = NULL;
RETURN_IF_NULL_PARAM(pNotary);
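Review bot: `OCSP_RESPBYTES *rb = NULL;` is now dead in initializeNotaryInfoWithOCSP, because its only readers were the removed `resp->responseBytes` lines, and the same leftover remains in the declaration hunk of initializeNotaryInfoWithOCSP2; drop both to avoid unused-variable warnings. The three new declarations `const ASN1_OCTET_STRING *id`, `const X509_NAME *name` and `ASN1_OBJECT *hashAlgorithm` are placed after the `mbuf1.pMem = 0;` statements; moving them up with the other locals keeps the block consistent with the rest of the file. The function body continues past this hunk.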
@@ -348,69 +401,66 @@ int initializeNotaryInfoWithOCSP(SignedDoc *pSigDoc, NotaryInfo *pNotary,
default:
SET_LAST_ERROR_RETURN_CODE(ERR_OCSP_UNSUCCESSFUL);
}
- RETURN_IF_NULL_PARAM(resp->responseBytes);
- rb = resp->responseBytes;
- if(OBJ_obj2nid(rb->responseType) != NID_id_pkix_OCSP_basic)
- SET_LAST_ERROR_RETURN_CODE(ERR_OCSP_UNKNOWN_TYPE);
if((br = OCSP_response_get1_basic(resp)) == NULL)
SET_LAST_ERROR_RETURN_CODE(ERR_OCSP_NO_BASIC_RESP);
ddocDebug(4, "initializeNotaryInfoWithOCSP", "test2");
- rd = br->tbsResponseData;
- if(ASN1_INTEGER_get(rd->version) != 0)
- SET_LAST_ERROR_RETURN_CODE(ERR_OCSP_WRONG_VERSION);
- n = sk_OCSP_SINGLERESP_num(rd->responses);
+ n = OCSP_resp_count(br);
if(n != 1)
SET_LAST_ERROR_RETURN_CODE(ERR_OCSP_ONE_RESPONSE);
- single = sk_OCSP_SINGLERESP_value(rd->responses, 0);
+ single = OCSP_resp_get0(br, 0);
RETURN_IF_NULL(single);
- cid = single->certId;
+ cid = OCSP_SINGLERESP_get0_id(single);
RETURN_IF_NULL(cid);
- ddocDebug(4, "initializeNotaryInfoWithOCSP", "CertStatus-type: %d", single->certStatus->type);
+ status = OCSP_single_get0_status(single, NULL, NULL, NULL, NULL);
+ ddocDebug(4, "initializeNotaryInfoWithOCSP", "CertStatus-type: %d", status);
//printf("TYPE: %d\n", single->certStatus->type);
- if(single->certStatus->type != 0) {
- ddocDebug(4, "initializeNotaryInfoWithOCSP", "errcode: %d", handleOCSPCertStatus(single->certStatus->type));
- SET_LAST_ERROR_RETURN_CODE(handleOCSPCertStatus(single->certStatus->type));
+ if(status != 0) {
+ ddocDebug(4, "initializeNotaryInfoWithOCSP", "errcode: %d", handleOCSPCertStatus(status));
+ SET_LAST_ERROR_RETURN_CODE(handleOCSPCertStatus(status));
}
//Removed 31.10.2003
//if(single->singleExtensions)
// SET_LAST_ERROR_RETURN_CODE(ERR_OCSP_NO_SINGLE_EXT);
- if(!rd->responseExtensions ||
- (sk_X509_EXTENSION_num(rd->responseExtensions) != 1) ||
- ((nonce = sk_X509_EXTENSION_value(rd->responseExtensions, 0)) == NULL))
+ if((OCSP_BASICRESP_get_ext_count(br) != 1) ||
+ ((nonce = OCSP_BASICRESP_get_ext(br, 0)) == NULL))
SET_LAST_ERROR_RETURN_CODE(ERR_OCSP_NO_NONCE);
- i2t_ASN1_OBJECT(buf,sizeof(buf),nonce->object);
+ i2t_ASN1_OBJECT(buf,sizeof(buf), X509_EXTENSION_get_object(nonce));
if(strcmp(buf, OCSP_NONCE_NAME))
SET_LAST_ERROR_RETURN_CODE(ERR_OCSP_NO_NONCE);
- rid = rd->responderId;
- if(rid->type == V_OCSP_RESPID_NAME) {
+ OCSP_resp_get0_id(br, &id, &name);
+ if(name) {
pNotary->nRespIdType = RESPID_NAME_TYPE;
- } else if(rid->type == V_OCSP_RESPID_KEY) {
+ } else if(id) {
pNotary->nRespIdType = RESPID_KEY_TYPE;
} else {
SET_LAST_ERROR_RETURN_CODE(ERR_OCSP_WRONG_RESPID);
}
// producedAt
- err = asn1time2str(pSigDoc, rd->producedAt, buf, sizeof(buf));
+ producedAt = OCSP_resp_get0_produced_at(br);
+ err = asn1time2str(pSigDoc, (ASN1_GENERALIZEDTIME*)producedAt, buf, sizeof(buf));
setString(&(pNotary->timeProduced), buf, -1);
n = sizeof(buf);
- if(rid->type == V_OCSP_RESPID_NAME){
+ if(name){
//X509_NAME_oneline(rid->value.byName,buf,n);
- err = ddocCertGetDNFromName(rid->value.byName, &mbuf1);
+ err = ddocCertGetDNFromName((X509_NAME*)name, &mbuf1);
err = ddocNotInfo_SetResponderId(pNotary, (char*)mbuf1.pMem, -1);
ddocMemBuf_free(&mbuf1);
}
- if(rid->type == V_OCSP_RESPID_KEY) {
- err = ddocNotInfo_SetResponderId(pNotary, (const char*)rid->value.byKey->data, rid->value.byKey->length);
+ if(id) {
+ err = ddocNotInfo_SetResponderId(pNotary, (const char*)id->data, id->length);
}
+ OCSP_id_get0_info(NULL, &hashAlgorithm, NULL, NULL, (OCSP_CERTID*)cid);
// digest type
- i2t_ASN1_OBJECT(buf,sizeof(buf),cid->hashAlgorithm->algorithm);
+ i2t_ASN1_OBJECT(buf,sizeof(buf),hashAlgorithm);
//AM 24.11.09 why its needed? added if. 08.12.09 used for gen
if(!pNotary->szDigestType){
setString(&(pNotary->szDigestType), buf, -1);
}
+#if OPENSSL_VERSION_NUMBER < 0x10010000L
// signature algorithm
i2t_ASN1_OBJECT(buf,sizeof(buf),br->signatureAlgorithm->algorithm);
setString(&(pNotary->szSigType), buf, -1);
+#endif
// notary cert
if(notCert && !err)
err = addNotaryInfoCert(pSigDoc, pNotary, notCert);
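Review bot: On OpenSSL 1.1.0 and later `pNotary->szSigType` is no longer populated, because the `// signature algorithm` lines are now compiled only under `OPENSSL_VERSION_NUMBER < 0x10010000L` with no replacement; initializeNotaryInfoWithOCSP2 has the same gap. The public accessor `OCSP_resp_get0_tbs_sigalg()` (available from 1.1.0a) together with `X509_ALGOR_get0()` yields the signature OID without touching the struct, as sketched below. Separately, the removed `ASN1_INTEGER_get(rd->version) != 0` test has no 1.1 equivalent here, so `ERR_OCSP_WRONG_VERSION` becomes unreachable from both functions; if that is accepted, record it in a comment at the `n = OCSP_resp_count(br);` line rather than dropping it silently, whereas the removed responseType test is still enforced inside `OCSP_response_get1_basic()`. The enclosing function starts and ends outside this hunk.
```c
    // signature algorithm
#if OPENSSL_VERSION_NUMBER < 0x10010000L
    i2t_ASN1_OBJECT(buf,sizeof(buf),br->signatureAlgorithm->algorithm);
#else
    {
        const ASN1_OBJECT *sigAlg = NULL;
        X509_ALGOR_get0(&sigAlg, NULL, NULL, OCSP_resp_get0_tbs_sigalg(br));
        i2t_ASN1_OBJECT(buf, sizeof(buf), sigAlg);
    }
#endif
    setString(&(pNotary->szSigType), buf, -1);
    // … unchanged: notary cert handling …
```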
@@ -427,20 +477,22 @@ int initializeNotaryInfoWithOCSP(SignedDoc *pSigDoc, NotaryInfo *pNotary,
int initializeNotaryInfoWithOCSP2(SignedDoc *pSigDoc, NotaryInfo *pNotary,
OCSP_RESPONSE *resp, X509 *notCert, int initDigest)
{
- int n, err = ERR_OK;
+ int n, err = ERR_OK, status = 0;
char buf[500];
OCSP_RESPBYTES *rb = NULL;
OCSP_BASICRESP *br = NULL;
- OCSP_RESPDATA *rd = NULL;
- OCSP_RESPID *rid = NULL;
// OCSP_CERTSTATUS *cst = NULL;
OCSP_SINGLERESP *single = NULL;
- OCSP_CERTID *cid = NULL;
+ const OCSP_CERTID *cid = NULL;
X509_EXTENSION *nonce;
+ const ASN1_GENERALIZEDTIME *producedAt = NULL;
//AM 26.09.08
DigiDocMemBuf mbuf1;
mbuf1.pMem = 0;
mbuf1.nLen = 0;
+ const ASN1_OCTET_STRING *id = NULL;
+ const X509_NAME *name = NULL;
+ ASN1_OBJECT *hashAlgorithm = NULL;
RETURN_IF_NULL_PARAM(pNotary);
@@ -462,23 +514,17 @@ int initializeNotaryInfoWithOCSP2(SignedDoc *pSigDoc, NotaryInfo *pNotary,
default:
SET_LAST_ERROR_RETURN_CODE(ERR_OCSP_UNSUCCESSFUL);
}
- RETURN_IF_NULL_PARAM(resp->responseBytes);;
- rb = resp->responseBytes;
- if(OBJ_obj2nid(rb->responseType) != NID_id_pkix_OCSP_basic)
- SET_LAST_ERROR_RETURN_CODE(ERR_OCSP_UNKNOWN_TYPE);
if((br = OCSP_response_get1_basic(resp)) == NULL)
SET_LAST_ERROR_RETURN_CODE(ERR_OCSP_NO_BASIC_RESP);
- rd = br->tbsResponseData;
- if(ASN1_INTEGER_get(rd->version) != 0)
- SET_LAST_ERROR_RETURN_CODE(ERR_OCSP_WRONG_VERSION);
- n = sk_OCSP_SINGLERESP_num(rd->responses);
+ n = OCSP_resp_count(br);
if(n != 1)
SET_LAST_ERROR_RETURN_CODE(ERR_OCSP_ONE_RESPONSE);
- single = sk_OCSP_SINGLERESP_value(rd->responses, 0);
+ single = OCSP_resp_get0(br, 0);
RETURN_IF_NULL(single);
- cid = single->certId;
+ cid = OCSP_SINGLERESP_get0_id(single);
RETURN_IF_NULL(cid);
- ddocDebug(4, "initializeNotaryInfoWithOCSP", "CertStatus-type: %d", single->certStatus->type);
+ status = OCSP_single_get0_status(single, NULL, NULL, NULL, NULL);
+ ddocDebug(4, "initializeNotaryInfoWithOCSP", "CertStatus-type: %d", status);
//printf("TYPE: %d\n", single->certStatus->type);
//Am test
/*if(single->certStatus->type != 0) {
@@ -488,40 +534,43 @@ int initializeNotaryInfoWithOCSP2(SignedDoc *pSigDoc, NotaryInfo *pNotary,
//Removed 31.10.2003
//if(single->singleExtensions)
// SET_LAST_ERROR_RETURN_CODE(ERR_OCSP_NO_SINGLE_EXT);
- if(!rd->responseExtensions ||
- (sk_X509_EXTENSION_num(rd->responseExtensions) != 1) ||
- ((nonce = sk_X509_EXTENSION_value(rd->responseExtensions, 0)) == NULL))
+ if((OCSP_BASICRESP_get_ext_count(br) != 1) ||
+ ((nonce = OCSP_BASICRESP_get_ext(br, 0)) == NULL))
SET_LAST_ERROR_RETURN_CODE(ERR_OCSP_NO_NONCE);
- i2t_ASN1_OBJECT(buf,sizeof(buf),nonce->object);
+ i2t_ASN1_OBJECT(buf,sizeof(buf),X509_EXTENSION_get_object(nonce));
if(strcmp(buf, OCSP_NONCE_NAME))
SET_LAST_ERROR_RETURN_CODE(ERR_OCSP_NO_NONCE);
- rid = rd->responderId;
- if(rid->type == V_OCSP_RESPID_NAME) {
+ OCSP_resp_get0_id(br, &id, &name);
+ if(name) {
pNotary->nRespIdType = RESPID_NAME_TYPE;
- } else if(rid->type == V_OCSP_RESPID_KEY) {
+ } else if(id) {
pNotary->nRespIdType = RESPID_KEY_TYPE;
} else {
SET_LAST_ERROR_RETURN_CODE(ERR_OCSP_WRONG_RESPID);
}
// producedAt
- err = asn1time2str(pSigDoc, rd->producedAt, buf, sizeof(buf));
+ producedAt = OCSP_resp_get0_produced_at(br);
+ err = asn1time2str(pSigDoc, (ASN1_GENERALIZEDTIME*)producedAt, buf, sizeof(buf));
setString(&(pNotary->timeProduced), buf, -1);
n = sizeof(buf);
- if(rid->type == V_OCSP_RESPID_NAME){
- err = ddocCertGetDNFromName(rid->value.byName, &mbuf1);
+ if(name){
+ err = ddocCertGetDNFromName((X509_NAME*)name, &mbuf1);
RETURN_IF_NOT(err == ERR_OK, err);
err = ddocNotInfo_SetResponderId(pNotary, (char*)mbuf1.pMem, -1);
ddocMemBuf_free(&mbuf1);
}
- if(rid->type == V_OCSP_RESPID_KEY) {
- err = ddocNotInfo_SetResponderId(pNotary, (const char*)rid->value.byKey->data, rid->value.byKey->length);
+ if(id) {
+ err = ddocNotInfo_SetResponderId(pNotary, (const char*)id->data, id->length);
}
+ OCSP_id_get0_info(NULL, &hashAlgorithm, NULL, NULL, (OCSP_CERTID*)cid);
// digest type
- i2t_ASN1_OBJECT(buf,sizeof(buf),cid->hashAlgorithm->algorithm);
+ i2t_ASN1_OBJECT(buf,sizeof(buf),hashAlgorithm);
setString(&(pNotary->szDigestType), buf, -1);
+#if OPENSSL_VERSION_NUMBER < 0x10010000L
// signature algorithm
i2t_ASN1_OBJECT(buf,sizeof(buf),br->signatureAlgorithm->algorithm);
setString(&(pNotary->szSigType), buf, -1);
+#endif
// notary cert
if(notCert && !err)
err = addNotaryInfoCert(pSigDoc, pNotary, notCert);
@@ -716,6 +765,7 @@ unsigned char *get_authority_key(STACK_OF(X509_EXTENSION) *exts)
int i, found=0;
X509_EXTENSION *ex=0;
ASN1_OBJECT *obj;
+ ASN1_OCTET_STRING *data = NULL;
X509V3_EXT_METHOD *met;
void *st = NULL;
unsigned char *p;
@@ -738,10 +788,11 @@ unsigned char *get_authority_key(STACK_OF(X509_EXTENSION) *exts)
}
met = (X509V3_EXT_METHOD*)X509V3_EXT_get(ex);
- p = ex->value->data;
+ data = X509_EXTENSION_get_data(ex);
+ p = data->data;
#if OPENSSL_VERSION_NUMBER > 0x00908000
// crashes here!
- st = ASN1_item_d2i(NULL, (const unsigned char**)&p, ex->value->length, ASN1_ITEM_ptr(met->it));
+ st = ASN1_item_d2i(NULL, (const unsigned char**)&p, data->length, ASN1_ITEM_ptr(met->it));
#else
st = ASN1_item_d2i(NULL, &p, ex->value->length, ASN1_ITEM_ptr(met->it));
#endif
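Review bot: The `#else` branch still reads `ex->value->length` while the branch above now uses `data->length`; make it `st = ASN1_item_d2i(NULL, &p, data->length, ASN1_ITEM_ptr(met->it));` so both paths consume the accessor result. `met` is dereferenced in both branches without a NULL check, and `X509V3_EXT_get()` returns NULL for an extension OID with no registered method, so a guard on the function's error path (it starts outside the hunk, so I cannot quote the exact return) would prevent a crash on an unexpected extension; this predates the commit but the lines are being rewritten anyway.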
@@ -799,19 +850,12 @@ OCSP_CERTID* createOCSPCertid(X509 *cert, X509* pCACert)
{
OCSP_CERTID *pId = NULL;
X509_NAME *iname;
- unsigned char *ikey = NULL;
ASN1_INTEGER *sno;
- const EVP_MD *dgst;
- X509_ALGOR *alg;
- unsigned char md[EVP_MAX_MD_SIZE], buf1[100];
- unsigned int len;
- int l1;
DigiDocMemBuf mbuf1, mbuf2;
+ AUTHORITY_KEYID *val = NULL;
mbuf1.pMem = mbuf2.pMem = NULL;
mbuf1.nLen = mbuf2.nLen = 0;
- l1 = (int)sizeof(buf1);
- memset(buf1, 0, l1);
if(cert != NULL) {
ddocCertGetSubjectDN(cert, &mbuf1);
// standard variant would be
@@ -824,48 +868,19 @@ OCSP_CERTID* createOCSPCertid(X509 *cert, X509* pCACert)
} else { // CA unknown
ddocDebug(3, "createOCSPCertid", "Create ocsp id for cert: %s unknown CA", (char*)mbuf1.pMem);
// issuer name hashi arvutamine
- iname = X509_get_issuer_name(cert);
- dgst = EVP_sha1();
- len = sizeof(md);
- if(X509_NAME_digest(iname, dgst, md, &len)) {
- // issuer key hashi lugemine
- //ikey = get_authority_key(cert->cert_info->extensions);
- ikey = get_authority_key_from_cert(cert);
- if(ikey != NULL) {
- // serial numbri lugemine
- sno = X509_get_serialNumber(cert);
- // OCSP certid koostamine
- if((pId = OCSP_CERTID_new()) != NULL) {
- // replace default algorithm ???
- alg = pId->hashAlgorithm;
- if(alg->algorithm != NULL)
- ASN1_OBJECT_free(alg->algorithm);
- alg->algorithm = OBJ_nid2obj(EVP_MD_type(dgst));
- if((alg->parameter = ASN1_TYPE_new()) != NULL) {
- alg->parameter->type = V_ASN1_NULL;
- ASN1_INTEGER_free(pId->serialNumber);
- pId->serialNumber = ASN1_INTEGER_dup(sno);
- if(!ASN1_OCTET_STRING_set(pId->issuerNameHash, md, len) ||
- !ASN1_OCTET_STRING_set(pId->issuerKeyHash, ikey, strlen((const char*)ikey)) ||
- !pId->serialNumber)
- {
- fprintf(stderr, "Unable to fill in CID\n");
- OCSP_CERTID_free(pId);
- pId = NULL;
- }
- } // else - failed to create algorithm
- }
- // cleanup ikey
- free(ikey);
+ val = (AUTHORITY_KEYID*)X509_get_ext_d2i(cert, NID_authority_key_identifier, NULL, NULL );
+ if(!val) {
+ ddocDebug(4, "get_authority_key_from_cert", "Extension not found");
+ return(NULL);
}
- } // else - SHA1 failed
+ sno = X509_get_serialNumber(cert);
+ iname = X509_get_issuer_name(cert);
+ pId = OCSP_cert_id_new(EVP_sha1(), iname, val->keyid, sno);
}
}
ddocMemBuf_free(&mbuf1);
ddocMemBuf_free(&mbuf2);
- if(pId)
- bin2hex((const byte*)pId->issuerKeyHash->data, pId->issuerKeyHash->length, (byte*)buf1, &l1);
- ddocDebug(3, "createOCSPCertid", "Created ocsp id %s issuer-key-hash: %s", (pId ? "OK" : "ERR"), buf1);
+ ddocDebug(3, "createOCSPCertid", "Created ocsp id %s issuer-key-hash", (pId ? "OK" : "ERR"));
return pId;
}
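Review bot: The `AUTHORITY_KEYID` returned by `X509_get_ext_d2i()` is owned by the caller and is never released, so every pass through the unknown-CA branch leaks it; add `AUTHORITY_KEYID_free(val);` once `pId` has been built. The early `return(NULL)` when the extension is missing also skips the `ddocMemBuf_free(&mbuf1)` cleanup below and logs under the name `get_authority_key_from_cert` instead of `createOCSPCertid`. `val->keyid` is OPTIONAL in RFC 5280 and can be NULL even when the extension is present, while `OCSP_cert_id_new()` dereferences its issuerKey argument, so that case needs a check. Finally, `OCSP_cert_id_new()` digests its issuerKey argument, whereas the removed code stored the AKI key identifier verbatim as issuerKeyHash; when the CA derives its key identifier from SHA-1 of its public key the old value already was the issuerKeyHash and the new code produces a hash of a hash, which a responder will not match — confirm against a real responder before relying on this branch.
```c
        } else { // CA unknown
            // … unchanged: debug message …
            val = (AUTHORITY_KEYID*)X509_get_ext_d2i(cert, NID_authority_key_identifier, NULL, NULL);
            if(!val || !val->keyid) {
                ddocDebug(4, "createOCSPCertid", "Authority key identifier not found");
            } else {
                sno = X509_get_serialNumber(cert);
                iname = X509_get_issuer_name(cert);
                pId = OCSP_cert_id_new(EVP_sha1(), iname, val->keyid, sno);
                if(pId) {
                    // NOTE(review): OCSP_cert_id_new() hashed val->keyid; the removed code
                    // used the key identifier itself as issuerKeyHash, so restore that value
                    // unless the responder is known to expect the double hash.
                    ASN1_OCTET_STRING *keyHash = NULL;
                    OCSP_id_get0_info(NULL, NULL, &keyHash, NULL, pId);
                    if(!keyHash || !ASN1_OCTET_STRING_set(keyHash, val->keyid->data, val->keyid->length)) {
                        OCSP_CERTID_free(pId);
                        pId = NULL;
                    }
                }
            }
            AUTHORITY_KEYID_free(val);
        }
```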
@@ -1310,8 +1325,8 @@ EXP_OPTION int signOCSPRequestPKCS12(OCSP_REQUEST *req, const char* filename, co
time(&tNow);
err = isCertValid(x509, tNow);
#else
- if( X509_cmp_current_time(x509->cert_info->validity->notBefore) >= 0 &&
- X509_cmp_current_time(x509->cert_info->validity->notAfter) <= 0)
+ if( X509_cmp_current_time(X509_get0_notBefore(x509)) >= 0 &&
+ X509_cmp_current_time(X509_get0_notAfter(x509)) <= 0)
err = ERR_CERT_INVALID;
#endif
if (err != ERR_OK)
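Review bot: The validity test in the `#else` branch rejects the certificate only when it is both not yet valid and already expired, because the two `X509_cmp_current_time()` results are joined with `&&`; it should read `if( X509_cmp_current_time(X509_get0_notBefore(x509)) >= 0 || X509_cmp_current_time(X509_get0_notAfter(x509)) <= 0)`, keeping the `>=`/`<=` so that a 0 result from an unparsable time is also treated as invalid. The defect predates this commit, but the lines are rewritten here, so this is the natural place to fix it. The enclosing signOCSPRequestPKCS12 starts and ends outside the hunk.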
@@ -1575,8 +1590,6 @@ int verifyOCSPResponse(OCSP_RESPONSE* pResp,
int err = ERR_OK;
RETURN_IF_NULL_PARAM(pResp);
- RETURN_IF_NOT(ASN1_ENUMERATED_get(pResp->responseStatus) == 0, ERR_OCSP_UNSUCCESSFUL);
- RETURN_IF_NOT(OBJ_obj2nid(pResp->responseBytes->responseType) == NID_id_pkix_OCSP_basic, ERR_OCSP_UNKNOWN_TYPE);
RETURN_IF_NOT(caCerts != NULL, ERR_OCSP_RESP_NOT_TRUSTED);
RETURN_IF_NOT(notCert != NULL, ERR_OCSP_CERT_NOTFOUND);
RETURN_IF_NOT((bs = OCSP_response_get1_basic(pResp)) != NULL, ERR_OCSP_NO_BASIC_RESP);
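Review bot: Removing the `responseStatus` check leaves verifyOCSPResponse with no test that the response is successful; `OCSP_response_get1_basic()` fails only when responseBytes is absent or not of basic type, so a response whose status is not successful but that still carries responseBytes now proceeds to verification. Keep the check through the public accessor: `RETURN_IF_NOT(OCSP_response_status(pResp) == OCSP_RESPONSE_STATUS_SUCCESSFUL, ERR_OCSP_UNSUCCESSFUL);`. The removed responseType test is covered by `OCSP_response_get1_basic()`, so that part is fine. The function body continues past the hunk.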
@@ -1607,61 +1620,61 @@ int verifyOCSPResponse(OCSP_RESPONSE* pResp,
int checkNonceAndCertbyOCSP(OCSP_RESPONSE* resp, X509* cert, byte* nonce1, int nonceLen)
{
- int err = ERR_OK, n;
+ int err = ERR_OK, n, status = 0;
char buf[100];
OCSP_BASICRESP *br = NULL;
- OCSP_RESPDATA *rd = NULL;
OCSP_SINGLERESP *single = NULL;
- OCSP_CERTID *cid = NULL;
+ const OCSP_CERTID *cid = NULL;
X509_EXTENSION *nonce;
X509_NAME *iname;
unsigned char *ikey;
+ ASN1_INTEGER *serialNumber = NULL;
+ ASN1_OCTET_STRING *issuerNameHash = NULL, *issuerKeyHash = NULL, *nonceValue = NULL;
RETURN_IF_NULL_PARAM(resp);
RETURN_IF_NULL_PARAM(cert);
if((br = OCSP_response_get1_basic(resp)) == NULL)
SET_LAST_ERROR_RETURN_CODE(ERR_OCSP_NO_BASIC_RESP);
- rd = br->tbsResponseData;
- n = sk_OCSP_SINGLERESP_num(rd->responses);
+ n = OCSP_resp_count(br);
RETURN_IF_NOT(n == 1, ERR_OCSP_ONE_RESPONSE);
- single = sk_OCSP_SINGLERESP_value(rd->responses, 0);
+ single = OCSP_resp_get0(br, 0);
RETURN_IF_NOT(single, ERR_OCSP_ONE_RESPONSE);
- cid = single->certId;
+ cid = OCSP_SINGLERESP_get0_id(single);
RETURN_IF_NULL(cid);
- err = handleOCSPCertStatus(single->certStatus->type);
+ status = OCSP_single_get0_status(single, NULL, NULL, NULL, NULL);
+ err = handleOCSPCertStatus(status);
if(err)
SET_LAST_ERROR_RETURN_CODE(err);
- if(single->singleExtensions)
- SET_LAST_ERROR_RETURN_CODE(ERR_OCSP_NO_SINGLE_EXT);
- if(!rd->responseExtensions ||
- (sk_X509_EXTENSION_num(rd->responseExtensions) != 1) ||
- ((nonce = sk_X509_EXTENSION_value(rd->responseExtensions, 0)) == NULL))
+ if((OCSP_BASICRESP_get_ext_count(br) != 1) ||
+ ((nonce = OCSP_BASICRESP_get_ext(br, 0)) == NULL))
SET_LAST_ERROR_RETURN_CODE(ERR_OCSP_NO_NONCE);
- i2t_ASN1_OBJECT(buf, sizeof(buf), nonce->object);
+ i2t_ASN1_OBJECT(buf, sizeof(buf), X509_EXTENSION_get_object(nonce));
if(strcmp(buf, OCSP_NONCE_NAME))
SET_LAST_ERROR_RETURN_CODE(ERR_OCSP_NO_NONCE);
// check serial number
- if(ASN1_INTEGER_cmp(X509_get_serialNumber(cert), cid->serialNumber) != 0)
+ OCSP_id_get0_info(&issuerNameHash, NULL, &issuerKeyHash, &serialNumber, (OCSP_CERTID*)cid);
+ if(ASN1_INTEGER_cmp(X509_get_serialNumber(cert), serialNumber) != 0)
SET_LAST_ERROR_RETURN_CODE(ERR_WRONG_CERT);
// check issuer name hash
iname = X509_get_issuer_name(cert);
n = sizeof(buf);
X509_NAME_digest(iname, EVP_sha1(), (byte*)buf, (unsigned int*)&n);
- err = compareByteArrays((byte*)buf, (unsigned int)n, cid->issuerNameHash->data, cid->issuerNameHash->length);
+ err = compareByteArrays((byte*)buf, (unsigned int)n, issuerNameHash->data, issuerNameHash->length);
RETURN_IF_NOT(err == ERR_OK, err);
// check issuer key hash
- if((ikey = get_authority_key(cert->cert_info->extensions)) != NULL) {
+ if((ikey = get_authority_key(X509_get0_extensions(cert))) != NULL) {
err = compareByteArrays(ikey, strlen((const char*)ikey),
- cid->issuerKeyHash->data, cid->issuerKeyHash->length);
+ issuerKeyHash->data, issuerKeyHash->length);
// cleanup ikey
free(ikey);
}
// verify nonce value
- if(nonce->value->length == DIGEST_LEN)
- err = compareByteArrays(nonce->value->data, nonce->value->length, nonce1, nonceLen);
+ nonceValue = X509_EXTENSION_get_data(nonce);
+ if(nonceValue->length == DIGEST_LEN)
+ err = compareByteArrays(nonceValue->data, nonceValue->length, nonce1, nonceLen);
else
- err = compareByteArrays(nonce->value->data + 2, nonce->value->length - 2, nonce1, nonceLen);
- ddocDebug(3, "checkNonceAndCertbyOCSP", "nonce1-len: %d nonce2-len: %d err: %d", nonce->value->length, nonceLen, err);
+ err = compareByteArrays(nonceValue->data + 2, nonceValue->length - 2, nonce1, nonceLen);
+ ddocDebug(3, "checkNonceAndCertbyOCSP", "nonce1-len: %d nonce2-len: %d err: %d", nonceValue->length, nonceLen, err);
if (err != ERR_OK) SET_LAST_ERROR(err);
if(br)
OCSP_BASICRESP_free(br);
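Review bot: The `single->singleExtensions` rejection (`ERR_OCSP_NO_SINGLE_EXT`) is deleted with no replacement, although the 1.1 API expresses it directly: `if(OCSP_SINGLERESP_get_ext_count(single) > 0) SET_LAST_ERROR_RETURN_CODE(ERR_OCSP_NO_SINGLE_EXT);`; if dropping it is intentional, say so in a comment as the 2003 removal in initializeNotaryInfoWithOCSP does. The issuer-key-hash result is then discarded: `err` from `compareByteArrays(ikey, …)` is overwritten by the nonce comparison, so a mismatched issuerKeyHash is reported only if the nonce also mismatches; add `RETURN_IF_NOT(err == ERR_OK, err);` after `free(ikey);`, matching the issuer-name-hash path just above. `get_authority_key()` takes a non-const stack, so passing `X509_get0_extensions(cert)` discards a qualifier; either cast at the call or make the parameter `const`. The function body continues past the hunk.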