From 0494014781d2e348996f55acca0d179b09f9499f Mon Sep 17 00:00:00 2001 From: David Cooper Date: Tue, 23 Jan 2018 14:22:17 -0500 Subject: [PATCH] Make editorial changes suggested by Matt Caswell and fixed Travis failures. Reviewed-by: Rich Salz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/4190) --- apps/ocsp.c | 6 +++--- crypto/err/openssl.txt | 3 ++- crypto/ocsp/ocsp_srv.c | 19 +++++++++++++++---- include/openssl/ocsperr.h | 2 +- 4 files changed, 21 insertions(+), 9 deletions(-) diff --git a/apps/ocsp.c b/apps/ocsp.c index b9bad81f24..4a68e52d74 100644 --- a/apps/ocsp.c +++ b/apps/ocsp.c @@ -78,7 +78,7 @@ typedef enum OPTION_choice { OPT_VALIDITY_PERIOD, OPT_STATUS_AGE, OPT_SIGNKEY, OPT_REQOUT, OPT_RESPOUT, OPT_PATH, OPT_ISSUER, OPT_CERT, OPT_SERIAL, OPT_INDEX, OPT_CA, OPT_NMIN, OPT_REQUEST, OPT_NDAYS, OPT_RSIGNER, - OPT_RKEY, OPT_ROTHER, OPT_RMD, OPT_SIGOPT, OPT_HEADER, + OPT_RKEY, OPT_ROTHER, OPT_RMD, OPT_RSIGOPT, OPT_HEADER, OPT_V_ENUM, OPT_MD } OPTION_CHOICE; @@ -155,7 +155,7 @@ const OPTIONS ocsp_options[] = { {"rkey", OPT_RKEY, '<', "Responder key to sign responses with"}, {"rother", OPT_ROTHER, '<', "Other certificates to include in response"}, {"rmd", OPT_RMD, 's', "Digest Algorithm to use in signature of OCSP response"}, - {"rsigopt", OPT_SIGOPT, 's', "OCSP response signature parameter in n:v form"}, + {"rsigopt", OPT_RSIGOPT, 's', "OCSP response signature parameter in n:v form"}, {"header", OPT_HEADER, 's', "key=value header to add"}, {"", OPT_MD, '-', "Any supported digest algorithm (sha1,sha256, ... )"}, OPT_V_OPTIONS, @@ -422,7 +422,7 @@ int ocsp_main(int argc, char **argv) if (!opt_md(opt_arg(), &rsign_md)) goto end; break; - case OPT_SIGOPT: + case OPT_RSIGOPT: if (rsign_sigopts == NULL) rsign_sigopts = sk_OPENSSL_STRING_new_null(); if (rsign_sigopts == NULL || !sk_OPENSSL_STRING_push(rsign_sigopts, opt_arg())) diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt index 0ed1b09fe1..accd83cadc 100644 --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt @@ -1,4 +1,4 @@ -# Copyright 1999-2017 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -735,6 +735,7 @@ OBJ_F_OBJ_NID2SN:104:OBJ_nid2sn OCSP_F_D2I_OCSP_NONCE:102:d2i_ocsp_nonce OCSP_F_OCSP_BASIC_ADD1_STATUS:103:OCSP_basic_add1_status OCSP_F_OCSP_BASIC_SIGN:104:OCSP_basic_sign +OCSP_F_OCSP_BASIC_SIGN_CTX:119:OCSP_basic_sign_ctx OCSP_F_OCSP_BASIC_VERIFY:105:OCSP_basic_verify OCSP_F_OCSP_CERT_ID_NEW:101:OCSP_cert_id_new OCSP_F_OCSP_CHECK_DELEGATED:106:ocsp_check_delegated diff --git a/crypto/ocsp/ocsp_srv.c b/crypto/ocsp/ocsp_srv.c index b459e695b9..9c7c81a1b0 100644 --- a/crypto/ocsp/ocsp_srv.c +++ b/crypto/ocsp/ocsp_srv.c @@ -1,5 +1,5 @@ /* - * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -168,16 +168,27 @@ int OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert) return 1; } +/* + * Sign an OCSP response using the parameters contained in the digest context, + * set the responderID to the subject name in the signer's certificate, and + * include one or more optional certificates in the response. + */ + int OCSP_basic_sign_ctx(OCSP_BASICRESP *brsp, X509 *signer, EVP_MD_CTX *ctx, STACK_OF(X509) *certs, unsigned long flags) { int i; OCSP_RESPID *rid; + EVP_PKEY *pkey; + + if (ctx == NULL || EVP_MD_CTX_pkey_ctx(ctx) == NULL) { + OCSPerr(OCSP_F_OCSP_BASIC_SIGN_CTX, OCSP_R_NO_SIGNER_KEY); + goto err; + } - if (ctx == NULL || EVP_MD_CTX_pkey_ctx(ctx) == NULL - || EVP_PKEY_CTX_get0_pkey(EVP_MD_CTX_pkey_ctx(ctx)) == NULL - || !X509_check_private_key(signer, EVP_PKEY_CTX_get0_pkey(EVP_MD_CTX_pkey_ctx(ctx)))) { + pkey = EVP_PKEY_CTX_get0_pkey(EVP_MD_CTX_pkey_ctx(ctx)); + if (pkey == NULL || !X509_check_private_key(signer, pkey)) { OCSPerr(OCSP_F_OCSP_BASIC_SIGN_CTX, OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE); goto err; diff --git a/include/openssl/ocsperr.h b/include/openssl/ocsperr.h index 4edb2b725f..08800d1ae8 100644 --- a/include/openssl/ocsperr.h +++ b/include/openssl/ocsperr.h @@ -25,7 +25,7 @@ int ERR_load_OCSP_strings(void); # define OCSP_F_D2I_OCSP_NONCE 102 # define OCSP_F_OCSP_BASIC_ADD1_STATUS 103 # define OCSP_F_OCSP_BASIC_SIGN 104 -# define OCSP_F_OCSP_BASIC_SIGN_CTX 131 +# define OCSP_F_OCSP_BASIC_SIGN_CTX 119 # define OCSP_F_OCSP_BASIC_VERIFY 105 # define OCSP_F_OCSP_CERT_ID_NEW 101 # define OCSP_F_OCSP_CHECK_DELEGATED 106 -- 2.25.1