2 * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include <openssl/ocsp.h>
11 #include "ocsp_local.h"
12 #include <openssl/err.h>
15 DEFINE_STACK_OF(OCSP_ONEREQ)
17 DEFINE_STACK_OF(OCSP_SINGLERESP)
19 static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs,
20 STACK_OF(X509) *certs, unsigned long flags);
21 static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id);
22 static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain);
23 static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp,
25 static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid,
26 STACK_OF(OCSP_SINGLERESP) *sresp);
27 static int ocsp_check_delegated(X509 *x);
28 static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req,
29 const X509_NAME *nm, STACK_OF(X509) *certs,
32 /* Verify a basic response message */
34 int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
35 X509_STORE *st, unsigned long flags)
38 STACK_OF(X509) *chain = NULL;
39 STACK_OF(X509) *untrusted = NULL;
40 X509_STORE_CTX *ctx = NULL;
41 int i, ret = ocsp_find_signer(&signer, bs, certs, flags);
44 OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,
45 OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND);
48 ctx = X509_STORE_CTX_new();
50 OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_MALLOC_FAILURE);
53 if ((ret == 2) && (flags & OCSP_TRUSTOTHER))
54 flags |= OCSP_NOVERIFY;
55 if (!(flags & OCSP_NOSIGS)) {
57 skey = X509_get0_pubkey(signer);
59 OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_NO_SIGNER_KEY);
62 ret = OCSP_BASICRESP_verify(bs, skey, 0);
64 OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNATURE_FAILURE);
68 if (!(flags & OCSP_NOVERIFY)) {
70 if (flags & OCSP_NOCHAIN) {
72 } else if (bs->certs && certs) {
73 untrusted = sk_X509_dup(bs->certs);
74 for (i = 0; i < sk_X509_num(certs); i++) {
75 if (!sk_X509_push(untrusted, sk_X509_value(certs, i))) {
76 OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_MALLOC_FAILURE);
80 } else if (certs != NULL) {
83 untrusted = bs->certs;
85 init_res = X509_STORE_CTX_init(ctx, st, signer, untrusted);
87 OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_X509_LIB);
91 X509_STORE_CTX_set_purpose(ctx, X509_PURPOSE_OCSP_HELPER);
92 ret = X509_verify_cert(ctx);
93 chain = X509_STORE_CTX_get1_chain(ctx);
95 i = X509_STORE_CTX_get_error(ctx);
96 OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,
97 OCSP_R_CERTIFICATE_VERIFY_ERROR);
98 ERR_add_error_data(2, "Verify error:",
99 X509_verify_cert_error_string(i));
102 if (flags & OCSP_NOCHECKS) {
107 * At this point we have a valid certificate chain need to verify it
108 * against the OCSP issuer criteria.
110 ret = ocsp_check_issuer(bs, chain);
112 /* If fatal error or valid match then finish */
117 * Easy case: explicitly trusted. Get root CA and check for explicit
120 if (flags & OCSP_NOEXPLICIT)
123 x = sk_X509_value(chain, sk_X509_num(chain) - 1);
124 if (X509_check_trust(x, NID_OCSP_sign, 0) != X509_TRUST_TRUSTED) {
125 OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_ROOT_CA_NOT_TRUSTED);
131 X509_STORE_CTX_free(ctx);
132 sk_X509_pop_free(chain, X509_free);
133 if (bs->certs && certs)
134 sk_X509_free(untrusted);
145 int OCSP_resp_get0_signer(OCSP_BASICRESP *bs, X509 **signer,
146 STACK_OF(X509) *extra_certs)
150 ret = ocsp_find_signer(signer, bs, extra_certs, 0);
151 return (ret > 0) ? 1 : 0;
154 static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs,
155 STACK_OF(X509) *certs, unsigned long flags)
158 OCSP_RESPID *rid = &bs->tbsResponseData.responderId;
159 if ((signer = ocsp_find_signer_sk(certs, rid))) {
163 if (!(flags & OCSP_NOINTERN) &&
164 (signer = ocsp_find_signer_sk(bs->certs, rid))) {
168 /* Maybe lookup from store if by subject name */
174 static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id)
177 unsigned char tmphash[SHA_DIGEST_LENGTH], *keyhash;
180 /* Easy if lookup by name */
181 if (id->type == V_OCSP_RESPID_NAME)
182 return X509_find_by_subject(certs, id->value.byName);
184 /* Lookup by key hash */
186 /* If key hash isn't SHA1 length then forget it */
187 if (id->value.byKey->length != SHA_DIGEST_LENGTH)
189 keyhash = id->value.byKey->data;
190 /* Calculate hash of each key and compare */
191 for (i = 0; i < sk_X509_num(certs); i++) {
192 x = sk_X509_value(certs, i);
193 X509_pubkey_digest(x, EVP_sha1(), tmphash, NULL);
194 if (!memcmp(keyhash, tmphash, SHA_DIGEST_LENGTH))
200 static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain)
202 STACK_OF(OCSP_SINGLERESP) *sresp;
204 OCSP_CERTID *caid = NULL;
206 sresp = bs->tbsResponseData.responses;
208 if (sk_X509_num(chain) <= 0) {
209 OCSPerr(OCSP_F_OCSP_CHECK_ISSUER, OCSP_R_NO_CERTIFICATES_IN_CHAIN);
213 /* See if the issuer IDs match. */
214 i = ocsp_check_ids(sresp, &caid);
216 /* If ID mismatch or other error then return */
220 signer = sk_X509_value(chain, 0);
221 /* Check to see if OCSP responder CA matches request CA */
222 if (sk_X509_num(chain) > 1) {
223 sca = sk_X509_value(chain, 1);
224 i = ocsp_match_issuerid(sca, caid, sresp);
228 /* We have a match, if extensions OK then success */
229 if (ocsp_check_delegated(signer))
235 /* Otherwise check if OCSP request signed directly by request CA */
236 return ocsp_match_issuerid(signer, caid, sresp);
240 * Check the issuer certificate IDs for equality. If there is a mismatch with
241 * the same algorithm then there's no point trying to match any certificates
242 * against the issuer. If the issuer IDs all match then we just need to check
243 * equality against one of them.
246 static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, OCSP_CERTID **ret)
248 OCSP_CERTID *tmpid, *cid;
251 idcount = sk_OCSP_SINGLERESP_num(sresp);
253 OCSPerr(OCSP_F_OCSP_CHECK_IDS,
254 OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA);
258 cid = sk_OCSP_SINGLERESP_value(sresp, 0)->certId;
262 for (i = 1; i < idcount; i++) {
263 tmpid = sk_OCSP_SINGLERESP_value(sresp, i)->certId;
264 /* Check to see if IDs match */
265 if (OCSP_id_issuer_cmp(cid, tmpid)) {
266 /* If algorithm mismatch let caller deal with it */
267 if (OBJ_cmp(tmpid->hashAlgorithm.algorithm,
268 cid->hashAlgorithm.algorithm))
275 /* All IDs match: only need to check one ID */
280 static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid,
281 STACK_OF(OCSP_SINGLERESP) *sresp)
283 /* If only one ID to match then do it */
286 const X509_NAME *iname;
288 unsigned char md[EVP_MAX_MD_SIZE];
289 if ((dgst = EVP_get_digestbyobj(cid->hashAlgorithm.algorithm))
291 OCSPerr(OCSP_F_OCSP_MATCH_ISSUERID,
292 OCSP_R_UNKNOWN_MESSAGE_DIGEST);
296 mdlen = EVP_MD_size(dgst);
299 if ((cid->issuerNameHash.length != mdlen) ||
300 (cid->issuerKeyHash.length != mdlen))
302 iname = X509_get_subject_name(cert);
303 if (!X509_NAME_digest(iname, dgst, md, NULL))
305 if (memcmp(md, cid->issuerNameHash.data, mdlen))
307 X509_pubkey_digest(cert, dgst, md, NULL);
308 if (memcmp(md, cid->issuerKeyHash.data, mdlen))
314 /* We have to match the whole lot */
317 for (i = 0; i < sk_OCSP_SINGLERESP_num(sresp); i++) {
318 tmpid = sk_OCSP_SINGLERESP_value(sresp, i)->certId;
319 ret = ocsp_match_issuerid(cert, tmpid, NULL);
328 static int ocsp_check_delegated(X509 *x)
330 if ((X509_get_extension_flags(x) & EXFLAG_XKUSAGE)
331 && (X509_get_extended_key_usage(x) & XKU_OCSP_SIGN))
333 OCSPerr(OCSP_F_OCSP_CHECK_DELEGATED, OCSP_R_MISSING_OCSPSIGNING_USAGE);
338 * Verify an OCSP request. This is fortunately much easier than OCSP response
339 * verify. Just find the signers certificate and verify it against a given
343 int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs,
344 X509_STORE *store, unsigned long flags)
350 X509_STORE_CTX *ctx = X509_STORE_CTX_new();
353 OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, ERR_R_MALLOC_FAILURE);
357 if (!req->optionalSignature) {
358 OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_REQUEST_NOT_SIGNED);
361 gen = req->tbsRequest.requestorName;
362 if (!gen || gen->type != GEN_DIRNAME) {
363 OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY,
364 OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE);
367 nm = gen->d.directoryName;
368 ret = ocsp_req_find_signer(&signer, req, nm, certs, flags);
370 OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY,
371 OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND);
374 if ((ret == 2) && (flags & OCSP_TRUSTOTHER))
375 flags |= OCSP_NOVERIFY;
376 if (!(flags & OCSP_NOSIGS)) {
378 skey = X509_get0_pubkey(signer);
379 ret = OCSP_REQUEST_verify(req, skey);
381 OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_SIGNATURE_FAILURE);
385 if (!(flags & OCSP_NOVERIFY)) {
387 if (flags & OCSP_NOCHAIN)
388 init_res = X509_STORE_CTX_init(ctx, store, signer, NULL);
390 init_res = X509_STORE_CTX_init(ctx, store, signer,
391 req->optionalSignature->certs);
393 OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, ERR_R_X509_LIB);
397 X509_STORE_CTX_set_purpose(ctx, X509_PURPOSE_OCSP_HELPER);
398 X509_STORE_CTX_set_trust(ctx, X509_TRUST_OCSP_REQUEST);
399 ret = X509_verify_cert(ctx);
401 ret = X509_STORE_CTX_get_error(ctx);
402 OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY,
403 OCSP_R_CERTIFICATE_VERIFY_ERROR);
404 ERR_add_error_data(2, "Verify error:",
405 X509_verify_cert_error_string(ret));
415 X509_STORE_CTX_free(ctx);
420 static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req,
421 const X509_NAME *nm, STACK_OF(X509) *certs,
425 if (!(flags & OCSP_NOINTERN)) {
426 signer = X509_find_by_subject(req->optionalSignature->certs, nm);
433 signer = X509_find_by_subject(certs, nm);