Fix ASN1_TIME_to_generlizedtime().

Add protoype for OCSP_response_create().

Add OCSP_request_sign() and OCSP_basic_sign()
private key and certificate checks and make
OCSP_NOCERTS consistent with PKCS7_NOCERTS

diff --git a/crypto/asn1/a_time.c b/crypto/asn1/a_time.c
index 03788a7d62a67ccba0709d306b0295c26efc78ba..4c6b37ba06201a5a358682ed927cd54d68c5296c 100644 (file)
--- a/crypto/asn1/a_time.c
+++ b/crypto/asn1/a_time.c
@@ -149,9 +149,9 @@ ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(ASN1_TIME *t, ASN1_GENERALIZE
        /* grow the string */
        if (!ASN1_STRING_set(ret, NULL, t->length + 2))
                return NULL;
+       str = (char *)ret->data;
        /* Work out the century and prepend */
-       str = (char *)t->data;
-       if (*str >= '5') strcpy(str, "19");
+       if (t->data[0] >= '5') strcpy(str, "19");
        else strcpy(str, "20");
 
        strcat(str, (char *)t->data);

diff --git a/crypto/ocsp/ocsp.h b/crypto/ocsp/ocsp.h
index ca748a0fedec74f4776c5369273709034723b9a9..f77c4fd039a90baa53396b1472c02a275af70c70 100644 (file)
--- a/crypto/ocsp/ocsp.h
+++ b/crypto/ocsp/ocsp.h
@@ -454,6 +454,7 @@ OCSP_CERTID *OCSP_onereq_get0_id(OCSP_ONEREQ *one);
 int OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd,
                        ASN1_OCTET_STRING **pikeyHash,
                        ASN1_INTEGER **pserial, OCSP_CERTID *cid);
+OCSP_RESPONSE *OCSP_response_create(int status, OCSP_BASICRESP *bs);
 OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp,
                                                OCSP_CERTID *cid,
                                                int status, int reason,
@@ -562,12 +563,14 @@ void ERR_load_OCSP_strings(void);
 #define OCSP_F_CERT_STATUS_NEW                          103
 #define OCSP_F_D2I_OCSP_NONCE                           109
 #define OCSP_F_OCSP_BASIC_ADD1_STATUS                   118
+#define OCSP_F_OCSP_BASIC_SIGN                          119
 #define OCSP_F_OCSP_BASIC_VERIFY                        113
 #define OCSP_F_OCSP_CHECK_DELEGATED                     117
 #define OCSP_F_OCSP_CHECK_IDS                           114
 #define OCSP_F_OCSP_CHECK_ISSUER                        115
 #define OCSP_F_OCSP_CHECK_NONCE                                 112
 #define OCSP_F_OCSP_MATCH_ISSUERID                      116
+#define OCSP_F_OCSP_REQUEST_SIGN                        120
 #define OCSP_F_OCSP_RESPONSE_GET1_BASIC                         111
 #define OCSP_F_OCSP_SENDREQ_BIO                                 110
 #define OCSP_F_REQUEST_VERIFY                           104
@@ -595,6 +598,7 @@ void ERR_load_OCSP_strings(void);
 #define OCSP_R_NO_RESPONSE_DATA                                 104
 #define OCSP_R_NO_REVOKED_TIME                          132
 #define OCSP_R_NO_SIGNATURE                             105
+#define OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE   133
 #define OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA     129
 #define OCSP_R_REVOKED_NO_TIME                          106
 #define OCSP_R_ROOT_CA_NOT_TRUSTED                      127

diff --git a/crypto/ocsp/ocsp_cl.c b/crypto/ocsp/ocsp_cl.c
index 34c3969bcc28913d545379131dcd999466c0e8dd..7b3e742e4aafb85b60980275550e9bc4273a9fcb 100644 (file)
--- a/crypto/ocsp/ocsp_cl.c
+++ b/crypto/ocsp/ocsp_cl.c
@@ -148,22 +148,31 @@ int OCSP_request_sign(OCSP_REQUEST   *req,
        OCSP_SIGNATURE *sig;
        X509 *x;
 
-       if (signer &&
-               !OCSP_request_set1_name(req, X509_get_subject_name(signer)))
+       if (!OCSP_request_set1_name(req, X509_get_subject_name(signer)))
                        goto err;
 
        if (!(req->optionalSignature = sig = OCSP_SIGNATURE_new())) goto err;
        if (!dgst) dgst = EVP_sha1();
-       if (key && !OCSP_REQUEST_sign(req, key, dgst)) goto err;
+       if (key)
+               {
+               if (!X509_check_private_key(signer, key))
+                       {
+                       OCSPerr(OCSP_F_OCSP_REQUEST_SIGN, OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
+                       goto err;
+                       }
+               if (!OCSP_REQUEST_sign(req, key, dgst)) goto err;
+               }
+
        if (!(flags & OCSP_NOCERTS))
                {
-               if (!OCSP_request_add1_cert(req, signer)) goto err;
-               for (i = 0; i < sk_X509_num(certs); i++)
+               if(!OCSP_request_add1_cert(req, signer)) goto err;
+               for (i = 0; i < sk_X509_num(certs); i++)
                        {
                        x = sk_X509_value(certs, i);
                        if (!OCSP_request_add1_cert(req, x)) goto err;
                        }
                }
+
        return 1;
 err:
        OCSP_SIGNATURE_free(req->optionalSignature);

diff --git a/crypto/ocsp/ocsp_err.c b/crypto/ocsp/ocsp_err.c
index e1b2e3444d12ef3502e22c495369dae89d9d07d6..abf8307397401e67f16e39c117b12a43859cb10e 100644 (file)
--- a/crypto/ocsp/ocsp_err.c
+++ b/crypto/ocsp/ocsp_err.c
@@ -73,12 +73,14 @@ static ERR_STRING_DATA OCSP_str_functs[]=
 {ERR_PACK(0,OCSP_F_CERT_STATUS_NEW,0), "CERT_STATUS_NEW"},
 {ERR_PACK(0,OCSP_F_D2I_OCSP_NONCE,0),  "D2I_OCSP_NONCE"},
 {ERR_PACK(0,OCSP_F_OCSP_BASIC_ADD1_STATUS,0),  "OCSP_basic_add1_status"},
+{ERR_PACK(0,OCSP_F_OCSP_BASIC_SIGN,0), "OCSP_basic_sign"},
 {ERR_PACK(0,OCSP_F_OCSP_BASIC_VERIFY,0),       "OCSP_basic_verify"},
 {ERR_PACK(0,OCSP_F_OCSP_CHECK_DELEGATED,0),    "OCSP_CHECK_DELEGATED"},
 {ERR_PACK(0,OCSP_F_OCSP_CHECK_IDS,0),  "OCSP_CHECK_IDS"},
 {ERR_PACK(0,OCSP_F_OCSP_CHECK_ISSUER,0),       "OCSP_CHECK_ISSUER"},
 {ERR_PACK(0,OCSP_F_OCSP_CHECK_NONCE,0),        "OCSP_check_nonce"},
 {ERR_PACK(0,OCSP_F_OCSP_MATCH_ISSUERID,0),     "OCSP_MATCH_ISSUERID"},
+{ERR_PACK(0,OCSP_F_OCSP_REQUEST_SIGN,0),       "OCSP_request_sign"},
 {ERR_PACK(0,OCSP_F_OCSP_RESPONSE_GET1_BASIC,0),        "OCSP_response_get1_basic"},
 {ERR_PACK(0,OCSP_F_OCSP_SENDREQ_BIO,0),        "OCSP_sendreq_bio"},
 {ERR_PACK(0,OCSP_F_REQUEST_VERIFY,0),  "REQUEST_VERIFY"},
@@ -109,6 +111,7 @@ static ERR_STRING_DATA OCSP_str_reasons[]=
 {OCSP_R_NO_RESPONSE_DATA                 ,"no response data"},
 {OCSP_R_NO_REVOKED_TIME                  ,"no revoked time"},
 {OCSP_R_NO_SIGNATURE                     ,"no signature"},
+{OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE,"private key does not match certificate"},
 {OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA,"response contains no revocation data"},
 {OCSP_R_REVOKED_NO_TIME                  ,"revoked no time"},
 {OCSP_R_ROOT_CA_NOT_TRUSTED              ,"root ca not trusted"},

diff --git a/crypto/ocsp/ocsp_srv.c b/crypto/ocsp/ocsp_srv.c
index b83992896fcf75fd2fcc942a9c8b616fc75bee4a..5743f9c7544e1ee96629569e69b1052d99051c75 100644 (file)
--- a/crypto/ocsp/ocsp_srv.c
+++ b/crypto/ocsp/ocsp_srv.c
@@ -206,14 +206,22 @@ int OCSP_basic_sign(OCSP_BASICRESP *brsp,
        int i;
        OCSP_RESPID *rid;
 
-       if(!(flags & OCSP_NOCERTS) && !OCSP_basic_add1_cert(brsp, signer))
+       if (!X509_check_private_key(signer, key))
+               {
+               OCSPerr(OCSP_F_OCSP_BASIC_SIGN, OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
                goto err;
+               }
 
-       for (i = 0; i < sk_X509_num(certs); i++)
+       if(!(flags & OCSP_NOCERTS))
                {
-               X509 *tmpcert = sk_X509_value(certs, i);
-               if(!OCSP_basic_add1_cert(brsp, tmpcert))
+               if(!OCSP_basic_add1_cert(brsp, signer))
+                       goto err;
+               for (i = 0; i < sk_X509_num(certs); i++)
+                       {
+                       X509 *tmpcert = sk_X509_value(certs, i);
+                       if(!OCSP_basic_add1_cert(brsp, tmpcert))
                                goto err;
+                       }
                }
 
        rid = brsp->tbsResponseData->responderId;