From: Benjamin Kaduk Date: Wed, 18 Oct 2017 20:29:18 +0000 (-0500) Subject: Add an API to get the signer of an OCSP response X-Git-Tag: OpenSSL_1_1_0h~164 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=1f0067ec9a8d2ab71132604b4a1a5dd9ffab4f23;p=oweals%2Fopenssl.git Add an API to get the signer of an OCSP response Add a new function OCSP_resp_get0_signer() that looks in the certs bundled with the response as well as in additional certificates provided as a function argument, returning the certificate that signed the given response (if present). Reviewed-by: Rich Salz Reviewed-by: Tim Hudson (cherry picked from commit ce5886dda80b6f60fb30762381506d5c6f2d995c) Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/4723)
---
diff --git a/crypto/ocsp/ocsp_vfy.c b/crypto/ocsp/ocsp_vfy.c
index 809f7f41e1..89147d93ae 100644
--- a/crypto/ocsp/ocsp_vfy.c
+++ b/crypto/ocsp/ocsp_vfy.c
@@ -138,6 +138,15 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
     goto end;
 }
 
+int OCSP_resp_get0_signer(OCSP_BASICRESP *bs, X509 **signer,
+                          STACK_OF(X509) *extra_certs)
+{
+    int ret;
+
+    ret = ocsp_find_signer(signer, bs, extra_certs, 0);
+    return (ret > 0) ? 1 : 0;
+}
+
 static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs,
                             STACK_OF(X509) *certs, unsigned long flags)
 {
diff --git a/doc/crypto/OCSP_resp_find_status.pod b/doc/crypto/OCSP_resp_find_status.pod
index 36f66a858f..3a6e747158 100644
--- a/doc/crypto/OCSP_resp_find_status.pod
+++ b/doc/crypto/OCSP_resp_find_status.pod
@@ -3,6 +3,7 @@
 =head1 NAME
 
 OCSP_resp_get0_certs,
+OCSP_resp_get0_signer,
 OCSP_resp_get0_id, OCSP_resp_get0_produced_at,
 OCSP_resp_find_status, OCSP_resp_count, OCSP_resp_get0, OCSP_resp_find,
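Review bot: `return (ret > 0) ? 1 : 0;` in the new OCSP_resp_get0_signer() folds every positive result of ocsp_find_signer() into 1, which discards whatever the helper distinguishes with values above 1 (presumably whether the match came from the caller-supplied extra_certs or from the certificates bundled inside the response, which are untrusted until OCSP_basic_verify() has run); if that distinction matters to callers, consider returning ret unchanged and documenting its values. The wrapper performs no signature check, only a lookup whose criteria live in ocsp_find_signer() outside this hunk, so a header comment should make that explicit, e.g. `/* Locate a candidate signer for bs; this does NOT verify the response signature, callers must still run OCSP_basic_verify(). *signer is borrowed (get0) from bs or extra_certs and must not be freed. */`. On the failure path `*signer` is whatever ocsp_find_signer() stored; its body begins after this hunk, so confirm it writes NULL there, otherwise a caller that tests the pointer instead of the return value reads a stale value. The accompanying pod hunk spells the synopsis entry `int OCSP_resp get0_signer(` with a space where the underscore belongs, and `retrive` should read `retrieve`.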
@@ -32,6 +33,9 @@ OCSP_single_get0_status, OCSP_check_validity
 
 const STACK_OF(X509) *OCSP_resp_get0_certs(const OCSP_BASICRESP *bs);
 
+ int OCSP_resp get0_signer(OCSP_BASICRESP *bs, X509 **signer,
+ STACK_OF(X509) *extra_certs);
+
 int OCSP_resp_get0_id(const OCSP_BASICRESP *bs,
 const ASN1_OCTET_STRING **pid,
 const X509_NAME **pname);
@@ -72,7 +76,13 @@ single response B.
 
 OCSP_resp_get0_certs() returns any certificates included in B.
 
-OCSP_resp_get0_id() gets the responder id of . If the responder ID is
+OCSP_resp_get0_signer() attempts to retrive the certificate that directly
+signed B. The OCSP protocol does not require that this certificate
+is included in the B field of the response, so additional certificates
+can be supplied in B if the certificates that may have
+signed the response are known via some out-of-band mechanism.
+
+OCSP_resp_get0_id() gets the responder id of B. If the responder ID is
 a name then <*pname> is set to the name and B<*pid> is set to NULL.
 If the responder ID is by key ID then B<*pid> is set to the key ID and
 B<*pname> is set to NULL.
@@ -99,6 +109,9 @@ B was not found.
 OCSP_single_get0_status() returns the status of B or -1 if an error
 occurred.
 
+OCSP_resp_get0_signer() returns 1 if the signing certificate was located,
+or 0 on error.
+
 =head1 NOTES
 
 Applications will typically call OCSP_resp_find_status() using the certificate
diff --git a/include/openssl/ocsp.h b/include/openssl/ocsp.h
index f2281c08a2..90ebe5ccd0 100644
--- a/include/openssl/ocsp.h
+++ b/include/openssl/ocsp.h
@@ -194,6 +194,8 @@ int OCSP_response_status(OCSP_RESPONSE *resp);
 OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp);
 const ASN1_OCTET_STRING *OCSP_resp_get0_signature(const OCSP_BASICRESP *bs);
 
+int OCSP_resp_get0_signer(OCSP_BASICRESP *bs, X509 **signer,
+                          STACK_OF(X509) *extra_certs);
 int OCSP_resp_count(OCSP_BASICRESP *bs);
 OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx);