Various OCSP responder utility functions.
authorDr. Stephen Henson <steve@openssl.org>
Sat, 3 Feb 2001 19:20:45 +0000 (19:20 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Sat, 3 Feb 2001 19:20:45 +0000 (19:20 +0000)
Delete obsolete OCSP functions.

Largely untested at present...

CHANGES
crypto/asn1/a_time.c
crypto/asn1/asn1.h
crypto/ocsp/Makefile.ssl
crypto/ocsp/ocsp.h
crypto/ocsp/ocsp_err.c
crypto/ocsp/ocsp_lib.c
crypto/ocsp/ocsp_srv.c [new file with mode: 0644]

diff --git a/CHANGES b/CHANGES
index 8ccb3b9c08ae8aa30ac47647a5defac1b2f70111..dc68c9c179ae86e39537375a070ea41f962fdff0 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -3,6 +3,19 @@
 
  Changes between 0.9.6 and 0.9.7  [xx XXX 2000]
 
+  *) Functions for OCSP responders. OCSP_request_onereq_count(),
+     OCSP_request_onereq_get0(), OCSP_onereq_get0_id() and OCSP_id_get0_info()
+     extract information from a certificate request. OCSP_response_create()
+     creates a response and optionally adds a basic response structure.
+     OCSP_basic_add1_status() adds a complete single response to a basic
+     reponse and returns the OCSP_SINGLERESP structure just added (to allow
+     extensions to be included for example). OCSP_basic_add1_cert() adds a
+     certificate to a basic response and OCSP_basic_sign() signs a basic
+     response with various flags. New helper functions ASN1_TIME_check()
+     (checks validity of ASN1_TIME structure) and ASN1_TIME_to_generalizedtime()
+     (converts ASN1_TIME to GeneralizedTime).
+     [Steve Henson]
+
   *) Various new functions. EVP_Digest() combines EVP_Digest{Init,Update,Final}()
      in a single operation. X509_get0_pubkey_bitstr() extracts the public_key
      structure from a certificate. X509_pubkey_digest() digests tha public_key
index edc4929c361c0512ec4c9eaff19a9939a51fb050..03788a7d62a67ccba0709d306b0295c26efc78ba 100644 (file)
@@ -112,3 +112,49 @@ ASN1_TIME *ASN1_TIME_set(ASN1_TIME *s, time_t t)
                                        return ASN1_UTCTIME_set(s, t);
        return ASN1_GENERALIZEDTIME_set(s,t);
        }
+
+int ASN1_TIME_check(ASN1_TIME *t)
+       {
+       if (t->type == V_ASN1_GENERALIZEDTIME)
+               return ASN1_GENERALIZEDTIME_check(t);
+       else if (t->type == V_ASN1_UTCTIME)
+               return ASN1_UTCTIME_check(t);
+       return 0;
+       }
+
+/* Convert an ASN1_TIME structure to GeneralizedTime */
+ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(ASN1_TIME *t, ASN1_GENERALIZEDTIME **out)
+       {
+       ASN1_GENERALIZEDTIME *ret;
+       char *str;
+
+       if (!ASN1_TIME_check(t)) return NULL;
+
+       if (!out || !*out)
+               {
+               if (!(ret = ASN1_GENERALIZEDTIME_new ()))
+                       return NULL;
+               if (out) *out = ret;
+               }
+       else ret = *out;
+
+       /* If already GeneralizedTime just copy across */
+       if (t->type == V_ASN1_GENERALIZEDTIME)
+               {
+               if(!ASN1_STRING_set(ret, t->data, t->length))
+                       return NULL;
+               return ret;
+               }
+
+       /* grow the string */
+       if (!ASN1_STRING_set(ret, NULL, t->length + 2))
+               return NULL;
+       /* Work out the century and prepend */
+       str = (char *)t->data;
+       if (*str >= '5') strcpy(str, "19");
+       else strcpy(str, "20");
+
+       strcat(str, (char *)t->data);
+
+       return ret;
+       }
index 2d0539b61291f47233630e1c0d130a3b7355fb1b..6ee0871394886ee02889876b27436627852223cd 100644 (file)
@@ -756,6 +756,8 @@ DECLARE_ASN1_FUNCTIONS(ASN1_GENERALIZEDTIME)
 DECLARE_ASN1_FUNCTIONS(ASN1_TIME)
 
 ASN1_TIME *ASN1_TIME_set(ASN1_TIME *s,time_t t);
+int ASN1_TIME_check(ASN1_TIME *t);
+ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(ASN1_TIME *t, ASN1_GENERALIZEDTIME **out);
 
 int            i2d_ASN1_SET(STACK *a, unsigned char **pp,
                        int (*func)(), int ex_tag, int ex_class, int is_set);
index e693e31ad07fed5f64dbc3ecb15d056ed2f3d120..b6780bfd72616fd661373fd41bc821fb2e17675b 100644 (file)
@@ -23,10 +23,10 @@ APPS=
 
 LIB=$(TOP)/libcrypto.a
 LIBSRC= ocsp_asn.c ocsp_ext.c ocsp_ht.c ocsp_lib.c ocsp_cl.c \
-       ocsp_prn.c ocsp_vfy.c ocsp_err.c
+       ocsp_srv.c ocsp_prn.c ocsp_vfy.c ocsp_err.c
 
 LIBOBJ= ocsp_asn.o ocsp_ext.o ocsp_ht.o ocsp_lib.o ocsp_cl.o \
-       ocsp_prn.o ocsp_vfy.o ocsp_err.o
+       ocsp_srv.o ocsp_prn.o ocsp_vfy.o ocsp_err.o
 
 SRC= $(LIBSRC)
 
index ff81521509bc31f5fc0a196fc608f47012bc52bd..ca748a0fedec74f4776c5369273709034723b9a9 100644 (file)
@@ -86,6 +86,8 @@ extern "C" {
 #define OCSP_NODELEGATED               0x80
 #define OCSP_NOCHECKS                  0x100
 #define OCSP_TRUSTOTHER                        0x200
+#define OCSP_RESPID_KEY                        0x400
+#define OCSP_NOTIME                    0x800
 
 /*   CertID ::= SEQUENCE {
  *       hashAlgorithm            AlgorithmIdentifier,
@@ -446,29 +448,21 @@ int OCSP_request_verify(OCSP_REQUEST *req, EVP_PKEY *pkey);
 int OCSP_id_issuer_cmp(OCSP_CERTID *a, OCSP_CERTID *b);
 int OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b);
 
-OCSP_BASICRESP *OCSP_basic_response_new(int tag,
-                                       X509* cert);
-
-int OCSP_basic_response_add(OCSP_BASICRESP           *rsp,
-                           OCSP_CERTID              *cid,
-                           OCSP_CERTSTATUS          *cst,
-                           char                     *thisUpdate,
-                           char                     *nextUpdate);
-
-int OCSP_basic_response_sign(OCSP_BASICRESP *brsp, 
-                            EVP_PKEY       *key,
-                            const EVP_MD   *dgst,
-                            STACK_OF(X509) *certs);
-
-int OCSP_response_verify(OCSP_RESPONSE *rsp, EVP_PKEY *pkey);
-
-int OCSP_basic_response_verify(OCSP_BASICRESP *rsp, EVP_PKEY *pkey);
-
-
-OCSP_RESPONSE *OCSP_response_new(int status,
-                                int nid,
-                                int (*i2d)(),
-                                char *data);
+int OCSP_request_onereq_count(OCSP_REQUEST *req);
+OCSP_ONEREQ *OCSP_request_onereq_get0(OCSP_REQUEST *req, int i);
+OCSP_CERTID *OCSP_onereq_get0_id(OCSP_ONEREQ *one);
+int OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd,
+                       ASN1_OCTET_STRING **pikeyHash,
+                       ASN1_INTEGER **pserial, OCSP_CERTID *cid);
+OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp,
+                                               OCSP_CERTID *cid,
+                                               int status, int reason,
+                                               ASN1_TIME *revtime,
+                                       ASN1_TIME *thisupd, ASN1_TIME *nextupd);
+int OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert);
+int OCSP_basic_sign(OCSP_BASICRESP *brsp, 
+                       X509 *signer, EVP_PKEY *key, const EVP_MD *dgst,
+                       STACK_OF(X509) *certs, unsigned long flags);
 
 ASN1_STRING *ASN1_STRING_encode(ASN1_STRING *s, int (*i2d)(), 
                                char *data, STACK_OF(ASN1_OBJECT) *sk);
@@ -567,6 +561,7 @@ void ERR_load_OCSP_strings(void);
 #define OCSP_F_CERT_ID_NEW                              102
 #define OCSP_F_CERT_STATUS_NEW                          103
 #define OCSP_F_D2I_OCSP_NONCE                           109
+#define OCSP_F_OCSP_BASIC_ADD1_STATUS                   118
 #define OCSP_F_OCSP_BASIC_VERIFY                        113
 #define OCSP_F_OCSP_CHECK_DELEGATED                     117
 #define OCSP_F_OCSP_CHECK_IDS                           114
@@ -598,6 +593,7 @@ void ERR_load_OCSP_strings(void);
 #define OCSP_R_NO_CONTENT                               115
 #define OCSP_R_NO_PUBLIC_KEY                            103
 #define OCSP_R_NO_RESPONSE_DATA                                 104
+#define OCSP_R_NO_REVOKED_TIME                          132
 #define OCSP_R_NO_SIGNATURE                             105
 #define OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA     129
 #define OCSP_R_REVOKED_NO_TIME                          106
index b860872cde8c80c8149ad88f3a42514034f0caf5..e1b2e3444d12ef3502e22c495369dae89d9d07d6 100644 (file)
@@ -72,6 +72,7 @@ static ERR_STRING_DATA OCSP_str_functs[]=
 {ERR_PACK(0,OCSP_F_CERT_ID_NEW,0),     "CERT_ID_NEW"},
 {ERR_PACK(0,OCSP_F_CERT_STATUS_NEW,0), "CERT_STATUS_NEW"},
 {ERR_PACK(0,OCSP_F_D2I_OCSP_NONCE,0),  "D2I_OCSP_NONCE"},
+{ERR_PACK(0,OCSP_F_OCSP_BASIC_ADD1_STATUS,0),  "OCSP_basic_add1_status"},
 {ERR_PACK(0,OCSP_F_OCSP_BASIC_VERIFY,0),       "OCSP_basic_verify"},
 {ERR_PACK(0,OCSP_F_OCSP_CHECK_DELEGATED,0),    "OCSP_CHECK_DELEGATED"},
 {ERR_PACK(0,OCSP_F_OCSP_CHECK_IDS,0),  "OCSP_CHECK_IDS"},
@@ -106,6 +107,7 @@ static ERR_STRING_DATA OCSP_str_reasons[]=
 {OCSP_R_NO_CONTENT                       ,"no content"},
 {OCSP_R_NO_PUBLIC_KEY                    ,"no public key"},
 {OCSP_R_NO_RESPONSE_DATA                 ,"no response data"},
+{OCSP_R_NO_REVOKED_TIME                  ,"no revoked time"},
 {OCSP_R_NO_SIGNATURE                     ,"no signature"},
 {OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA,"response contains no revocation data"},
 {OCSP_R_REVOKED_NO_TIME                  ,"revoked no time"},
index 825d023e053ea359388f95cc736768243db6f4cb..18511e4fd89266348e306b7b7190a4a2ea646fb7 100644 (file)
@@ -129,38 +129,6 @@ err:
        return NULL;
        }
 
-OCSP_CERTSTATUS *OCSP_cert_status_new(int status, int reason, char *tim)
-        {
-       OCSP_REVOKEDINFO *ri;
-       OCSP_CERTSTATUS *cs = NULL;
-
-       if (!(cs = OCSP_CERTSTATUS_new())) goto err;
-       if ((cs->type = status) == V_OCSP_CERTSTATUS_REVOKED)
-               {
-               if (!time)
-                       {
-                       OCSPerr(OCSP_F_CERT_STATUS_NEW,OCSP_R_REVOKED_NO_TIME);
-                       goto err;
-                       }
-               if (!(cs->value.revoked = ri = OCSP_REVOKEDINFO_new())) goto err;
-               if (!ASN1_GENERALIZEDTIME_set_string(ri->revocationTime,tim))
-                       goto err;       
-               if (reason != OCSP_REVOKED_STATUS_NOSTATUS)
-                       {
-                       if (!(ri->revocationReason = ASN1_ENUMERATED_new())) 
-                               goto err;
-                       if (!(ASN1_ENUMERATED_set(ri->revocationReason, 
-                                                 reason)))
-                               goto err;       
-                       }
-               }
-       return cs;
-err:
-       if (cs) OCSP_CERTSTATUS_free(cs);
-       return NULL;
-       }
-
-
 int OCSP_id_issuer_cmp(OCSP_CERTID *a, OCSP_CERTID *b)
        {
        int ret;
@@ -179,124 +147,6 @@ int OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b)
        return ASN1_INTEGER_cmp(a->serialNumber, b->serialNumber);
        }
 
-OCSP_BASICRESP *OCSP_basic_response_new(int type, X509* cert)
-        {
-       time_t t;
-       OCSP_RESPID *rid;
-       OCSP_BASICRESP *rsp = NULL;
-       unsigned char md[SHA_DIGEST_LENGTH];
-       
-       if (!(rsp = OCSP_BASICRESP_new())) goto err;
-       rid = rsp->tbsResponseData->responderId;
-       switch (rid->type = type)
-               {
-               case V_OCSP_RESPID_NAME:
-                       /* cert is user cert */
-                       if (!(rid->value.byName =
-                                 X509_NAME_dup(X509_get_subject_name(cert))))
-                               goto err;
-                       break;
-               case V_OCSP_RESPID_KEY:
-                       /* cert is issuer cert */
-                       /* SHA-1 hash of responder's public key
-                         * (excluding the tag and length fields)
-                        */
-                       X509_pubkey_digest(cert, EVP_sha1(), md, NULL);
-                       if (!(rid->value.byKey = ASN1_OCTET_STRING_new()))
-                               goto err;
-                       if (!(ASN1_OCTET_STRING_set(rid->value.byKey,
-                                                   md, sizeof md)))
-                               goto err;
-                       break;
-               default:
-                       OCSPerr(OCSP_F_BASIC_RESPONSE_NEW,OCSP_R_BAD_TAG);
-                       goto err;
-                       break;
-               }
-       time(&t);
-       if (!(ASN1_GENERALIZEDTIME_set(rsp->tbsResponseData->producedAt, t)))
-               goto err;
-       if (!(rsp->tbsResponseData->responses = sk_OCSP_SINGLERESP_new(NULL))) goto err;
-       return rsp;
-err:
-       if (rsp) OCSP_BASICRESP_free(rsp);
-       return NULL;
-       }
-
-int OCSP_basic_response_add(OCSP_BASICRESP           *rsp,
-                           OCSP_CERTID              *cid,
-                           OCSP_CERTSTATUS          *cst,
-                           char                     *this,
-                           char                     *next)
-        {
-       OCSP_SINGLERESP *single = NULL;
-
-       if (!(single = OCSP_SINGLERESP_new())) goto err;
-       if (single->certId) OCSP_CERTID_free(single->certId);
-       if (!(single->certId = OCSP_CERTID_dup(cid))) goto err;
-       if (single->certStatus) OCSP_CERTSTATUS_free(single->certStatus);
-       if (!(single->certStatus = OCSP_CERTSTATUS_dup(cst))) goto err;
-       if (!ASN1_GENERALIZEDTIME_set_string(single->thisUpdate,this))goto err;
-       if (next)
-                { 
-               if (!(single->nextUpdate = ASN1_GENERALIZEDTIME_new()))
-                       goto err;
-               if (!ASN1_GENERALIZEDTIME_set_string(single->nextUpdate,next))
-                       goto err;
-               }
-       if (!sk_OCSP_SINGLERESP_push(rsp->tbsResponseData->responses,single)) goto err;
-       return 1;
-err:
-       if (single) OCSP_SINGLERESP_free(single);
-       return 0;
-       }
-
-int OCSP_basic_response_sign(OCSP_BASICRESP *brsp, 
-                            EVP_PKEY       *key,
-                            const EVP_MD   *dgst,
-                            STACK_OF(X509) *certs)
-        {
-       int i;
-
-       /* Right now, I think that not doing double hashing is the right
-          thing.       -- Richard Levitte */
-       if (!OCSP_BASICRESP_sign(brsp, key, dgst, 0)) goto err;
-       if (certs)
-               {
-               if (!(brsp->certs = sk_X509_dup(certs))) goto err;
-               for (i = 0; i < sk_X509_num(brsp->certs); i++)
-                       {
-                       sk_X509_set(brsp->certs, i,
-                              X509_dup(sk_X509_value(certs, i)));
-                       if (! sk_X509_value(brsp->certs, i))
-                               goto err;
-                       }
-               }
-       return 1;
-err:
-       return 0;
-       }
-
-OCSP_RESPONSE *OCSP_response_new(int status,
-                                int nid,
-                                int (*i2d)(),
-                                char *data)
-        {
-        OCSP_RESPONSE *rsp = NULL;
-
-       if (!(rsp = OCSP_RESPONSE_new())) goto err;
-       if (!(ASN1_ENUMERATED_set(rsp->responseStatus, status))) goto err;
-       if (!(rsp->responseBytes = OCSP_RESPBYTES_new())) goto err;
-       if (rsp->responseBytes->responseType) ASN1_OBJECT_free(rsp->responseBytes->responseType);
-       if (!(rsp->responseBytes->responseType = OBJ_nid2obj(nid))) goto err;
-       if (!ASN1_STRING_encode((ASN1_STRING*)rsp->responseBytes->response,
-                               i2d, data, NULL)) goto err;
-       return rsp;
-err:
-       if (rsp) OCSP_RESPONSE_free(rsp);
-       return NULL;
-       }
-
 /* XXX assumes certs in signature are sorted root to leaf XXX */
 int OCSP_request_verify(OCSP_REQUEST *req, EVP_PKEY *pkey)
         {
@@ -314,55 +164,3 @@ int OCSP_request_verify(OCSP_REQUEST *req, EVP_PKEY *pkey)
                }
        return OCSP_REQUEST_verify(req, pkey);
         }
-
-int OCSP_response_verify(OCSP_RESPONSE *rsp, EVP_PKEY *pkey)
-        {
-       int i, r;
-       unsigned char *p;
-       OCSP_RESPBYTES *rb;
-       OCSP_BASICRESP *br = NULL;
-
-       if ((rb = rsp->responseBytes) == NULL) 
-               {
-               OCSPerr(OCSP_F_RESPONSE_VERIFY,OCSP_R_NO_RESPONSE_DATA);
-                return 0;
-               }
-       if (OBJ_obj2nid(rb->responseType) != NID_id_pkix_OCSP_basic) 
-               {
-               OCSPerr(OCSP_F_RESPONSE_VERIFY,OCSP_R_BAD_TAG);
-                return 0;
-               }
-       p = ASN1_STRING_data(rb->response);
-       i = ASN1_STRING_length(rb->response);
-       if (!(d2i_OCSP_BASICRESP(&br, &p, i))) return 0;
-       r = OCSP_basic_response_verify(br, pkey);
-       OCSP_BASICRESP_free(br);
-       return r;
-        }
-
-int OCSP_basic_response_verify(OCSP_BASICRESP *rsp, EVP_PKEY *pkey)
-        {
-       STACK_OF(X509) *sk;
-       int ret;
-
-       if (!rsp->signature) 
-               {
-               OCSPerr(OCSP_F_BASIC_RESPONSE_VERIFY,OCSP_R_NO_SIGNATURE);
-                return 0;
-               }
-       if (pkey == NULL)
-               {
-               if (!(sk = rsp->certs))
-                       {
-                       OCSPerr(OCSP_F_BASIC_RESPONSE_VERIFY,OCSP_R_NO_CERTIFICATE);
-                       return 0;
-                       }
-               if (!(pkey=X509_get_pubkey(sk_X509_value(sk, sk_X509_num(sk)-1))))
-                       {
-                       OCSPerr(OCSP_F_BASIC_RESPONSE_VERIFY,OCSP_R_NO_PUBLIC_KEY);
-                       return 0;
-                       }
-               }
-       ret = OCSP_BASICRESP_verify(rsp, pkey, 0);
-       return ret;
-        }
diff --git a/crypto/ocsp/ocsp_srv.c b/crypto/ocsp/ocsp_srv.c
new file mode 100644 (file)
index 0000000..b839928
--- /dev/null
@@ -0,0 +1,250 @@
+/* ocsp_srv.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <cryptlib.h>
+#include <openssl/objects.h>
+#include <openssl/rand.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+#include <openssl/x509v3.h>
+#include <openssl/ocsp.h>
+
+/* Utility functions related to sending OCSP responses and extracting
+ * relevant information from the request.
+ */
+
+int OCSP_request_onereq_count(OCSP_REQUEST *req)
+       {
+       return sk_OCSP_ONEREQ_num(req->tbsRequest->requestList);
+       }
+
+OCSP_ONEREQ *OCSP_request_onereq_get0(OCSP_REQUEST *req, int i)
+       {
+       return sk_OCSP_ONEREQ_value(req->tbsRequest->requestList, i);
+       }
+
+OCSP_CERTID *OCSP_onereq_get0_id(OCSP_ONEREQ *one)
+       {
+       return one->reqCert;
+       }
+
+int OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd,
+                       ASN1_OCTET_STRING **pikeyHash,
+                       ASN1_INTEGER **pserial, OCSP_CERTID *cid)
+       {
+       if (!cid) return 0;
+       if (pmd) *pmd = cid->hashAlgorithm->algorithm;
+       if(piNameHash) *piNameHash = cid->issuerNameHash;
+       if (pikeyHash) *pikeyHash = cid->issuerKeyHash;
+       if (pserial) *pserial = cid->serialNumber;
+       return 1;
+       }
+
+/* Create an OCSP response and encode an optional basic response */
+OCSP_RESPONSE *OCSP_response_create(int status, OCSP_BASICRESP *bs)
+        {
+        OCSP_RESPONSE *rsp = NULL;
+
+       if (!(rsp = OCSP_RESPONSE_new())) goto err;
+       if (!(ASN1_ENUMERATED_set(rsp->responseStatus, status))) goto err;
+       if (!bs) return rsp;
+       if (!(rsp->responseBytes = OCSP_RESPBYTES_new())) goto err;
+       rsp->responseBytes->responseType = OBJ_nid2obj(NID_id_pkix_OCSP_basic);
+       if (!ASN1_item_pack(bs, &OCSP_BASICRESP_it, &rsp->responseBytes->response))
+                               goto err;
+       return rsp;
+err:
+       if (rsp) OCSP_RESPONSE_free(rsp);
+       return NULL;
+       }
+
+
+OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp,
+                                               OCSP_CERTID *cid,
+                                               int status, int reason,
+                                               ASN1_TIME *revtime,
+                                       ASN1_TIME *thisupd, ASN1_TIME *nextupd)
+       {
+       OCSP_SINGLERESP *single = NULL;
+       OCSP_CERTSTATUS *cs;
+       OCSP_REVOKEDINFO *ri;
+
+       if(!rsp->tbsResponseData->responses &&
+           !(rsp->tbsResponseData->responses = sk_OCSP_SINGLERESP_new_null()))
+               goto err;
+
+       if (!(single = OCSP_SINGLERESP_new()))
+               goto err;
+
+
+
+       if (!ASN1_TIME_to_generalizedtime(thisupd, &single->thisUpdate))
+               goto err;
+       if (nextupd &&
+               !ASN1_TIME_to_generalizedtime(nextupd, &single->nextUpdate))
+               goto err;
+
+       OCSP_CERTID_free(single->certId);
+
+       if(!(single->certId = OCSP_CERTID_dup(cid)))
+               goto err;
+
+       cs = single->certStatus;
+       switch(cs->type = status)
+               {
+       case V_OCSP_CERTSTATUS_REVOKED:
+               if (!revtime)
+                       {
+                       OCSPerr(OCSP_F_OCSP_BASIC_ADD1_STATUS,OCSP_R_NO_REVOKED_TIME);
+                       goto err;
+                       }
+               if (!(cs->value.revoked = ri = OCSP_REVOKEDINFO_new())) goto err;
+               if (!ASN1_TIME_to_generalizedtime(revtime, &ri->revocationTime))
+                       goto err;       
+               if (reason != OCSP_REVOKED_STATUS_NOSTATUS)
+                       {
+                       if (!(ri->revocationReason = ASN1_ENUMERATED_new())) 
+                               goto err;
+                       if (!(ASN1_ENUMERATED_set(ri->revocationReason, 
+                                                 reason)))
+                               goto err;       
+                       }
+               break;
+
+       case V_OCSP_CERTSTATUS_GOOD:
+               cs->value.good = ASN1_NULL_new();
+               break;
+
+       case V_OCSP_CERTSTATUS_UNKNOWN:
+               cs->value.unknown = ASN1_NULL_new();
+               break;
+
+       default:
+               goto err;
+
+               }
+       if (!(sk_OCSP_SINGLERESP_push(rsp->tbsResponseData->responses, single)))
+               goto err;
+       return single;
+err:
+       OCSP_SINGLERESP_free(single);
+       return NULL;
+       }
+
+/* Add a certificate to an OCSP request */
+
+int OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert)
+       {
+       if (!resp->certs && !(resp->certs = sk_X509_new_null()))
+               return 0;
+
+       if(!sk_X509_push(resp->certs, cert)) return 0;
+       CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
+       return 1;
+       }
+
+int OCSP_basic_sign(OCSP_BASICRESP *brsp, 
+                       X509 *signer, EVP_PKEY *key, const EVP_MD *dgst,
+                       STACK_OF(X509) *certs, unsigned long flags)
+        {
+       int i;
+       OCSP_RESPID *rid;
+
+       if(!(flags & OCSP_NOCERTS) && !OCSP_basic_add1_cert(brsp, signer))
+               goto err;
+
+       for (i = 0; i < sk_X509_num(certs); i++)
+               {
+               X509 *tmpcert = sk_X509_value(certs, i);
+               if(!OCSP_basic_add1_cert(brsp, tmpcert))
+                               goto err;
+               }
+
+       rid = brsp->tbsResponseData->responderId;
+       if (flags & OCSP_RESPID_KEY)
+               {
+               unsigned char md[SHA_DIGEST_LENGTH];
+               X509_pubkey_digest(signer, EVP_sha1(), md, NULL);
+               if (!(rid->value.byKey = ASN1_OCTET_STRING_new()))
+                       goto err;
+               if (!(ASN1_OCTET_STRING_set(rid->value.byKey, md, SHA_DIGEST_LENGTH)))
+                               goto err;
+               rid->type = V_OCSP_RESPID_KEY;
+               }
+       else
+               {
+               if (!X509_NAME_set(&rid->value.byName,
+                                       X509_get_subject_name(signer)))
+                               goto err;
+               rid->type = V_OCSP_RESPID_NAME;
+               }
+
+       if (!(flags & OCSP_NOTIME) &&
+               !X509_gmtime_adj(brsp->tbsResponseData->producedAt, 0))
+               goto err;
+
+       /* Right now, I think that not doing double hashing is the right
+          thing.       -- Richard Levitte */
+
+       if (!OCSP_BASICRESP_sign(brsp, key, dgst, 0)) goto err;
+
+       return 1;
+err:
+       return 0;
+       }