| blob | 0857e33acf2175ed77d5b123918118c86eb0599b |
1 /*
2 * Copyright (C) 2011-2012 Free Software Foundation, Inc.
3 * Author: Simon Josefsson
4 *
5 * This file is part of GnuTLS.
6 *
7 * The GnuTLS is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU Lesser General Public License
9 * as published by the Free Software Foundation; either version 3 of
10 * the License, or (at your option) any later version.
11 *
12 * This library is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
16 *
17 * You should have received a copy of the GNU Lesser General Public License
18 * along with this program. If not, see <http://www.gnu.org/licenses/>
19 *
20 */
22 /* Online Certificate Status Protocol - RFC 2560
23 */
25 #include <gnutls_int.h>
26 #include <gnutls_global.h>
27 #include <gnutls_errors.h>
28 #include <libtasn1.h>
29 #include <gnutls_pk.h>
34 #include <gnutls/ocsp.h>
35 #include <auth/cert.h>
38 {
39 ASN1_TYPE req;
43 {
44 ASN1_TYPE resp;
45 gnutls_datum_t response_type_oid;
46 ASN1_TYPE basicresp;
49 #define MAX_TIME 64
51 /**
52 * gnutls_ocsp_req_init:
53 * @req: The structure to be initialized
54 *
55 * This function will initialize an OCSP request structure.
56 *
57 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
58 * negative error value.
59 **/
60 int
62 {
72 {
76 }
81 }
83 /**
84 * gnutls_ocsp_req_deinit:
85 * @req: The structure to be deinitialized
86 *
87 * This function will deinitialize a OCSP request structure.
88 **/
89 void
91 {
101 }
103 /**
104 * gnutls_ocsp_resp_init:
105 * @resp: The structure to be initialized
106 *
107 * This function will initialize an OCSP response structure.
108 *
109 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
110 * negative error value.
111 **/
112 int
114 {
124 {
128 }
133 {
138 }
143 }
145 /**
146 * gnutls_ocsp_resp_deinit:
147 * @resp: The structure to be deinitialized
148 *
149 * This function will deinitialize a OCSP response structure.
150 **/
151 void
153 {
168 }
170 /**
171 * gnutls_ocsp_req_import:
172 * @req: The structure to store the parsed request.
173 * @data: DER encoded OCSP request.
174 *
175 * This function will convert the given DER encoded OCSP request to
176 * the native #gnutls_ocsp_req_t format. The output will be stored in
177 * @req.
178 *
179 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
180 * negative error value.
181 **/
182 int
185 {
189 {
192 }
195 {
196 /* Any earlier asn1_der_decoding will modify the ASN.1
197 structure, so we need to replace it with a fresh
198 structure. */
204 {
207 }
208 }
212 {
215 }
218 }
220 /**
221 * gnutls_ocsp_resp_import:
222 * @resp: The structure to store the parsed response.
223 * @data: DER encoded OCSP response.
224 *
225 * This function will convert the given DER encoded OCSP response to
226 * the native #gnutls_ocsp_resp_t format. It also decodes the Basic
227 * OCSP Response part, if any. The output will be stored in @resp.
228 *
229 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
230 * negative error value.
231 **/
232 int
235 {
239 {
242 }
245 {
246 /* Any earlier asn1_der_decoding will modify the ASN.1
247 structure, so we need to replace it with a fresh
248 structure. */
254 {
257 }
258 }
262 {
265 }
273 {
276 }
283 {
284 gnutls_datum_t d;
287 {
293 {
296 }
297 }
302 {
305 }
310 {
313 }
314 }
315 else
319 }
321 static int
323 {
329 {
332 }
339 {
342 }
345 }
347 /**
348 * gnutls_ocsp_req_export:
349 * @req: Holds the OCSP request
350 * @data: newly allocate buffer holding DER encoded OCSP request
351 *
352 * This function will export the OCSP request to DER format.
353 *
354 * Returns: In case of failure a negative error code will be
355 * returned, and 0 on success.
356 **/
357 int
359 {
363 {
366 }
368 /* XXX remove when we support these fields */
372 /* prune extension field if we don't have any extension */
378 }
380 /**
381 * gnutls_ocsp_resp_export:
382 * @resp: Holds the OCSP response
383 * @data: newly allocate buffer holding DER encoded OCSP response
384 *
385 * This function will export the OCSP response to DER format.
386 *
387 * Returns: In case of failure a negative error code will be
388 * returned, and 0 on success.
389 **/
390 int
392 {
394 {
397 }
400 }
402 /**
403 * gnutls_ocsp_req_get_version:
404 * @req: should contain a #gnutls_ocsp_req_t structure
405 *
406 * This function will return the version of the OCSP request.
407 * Typically this is always 1 indicating version 1.
408 *
409 * Returns: version of OCSP request, or a negative error code on error.
410 **/
411 int
413 {
418 {
421 }
426 {
431 }
434 }
436 /**
437 * gnutls_ocsp_req_get_cert_id:
438 * @req: should contain a #gnutls_ocsp_req_t structure
439 * @indx: Specifies which extension OID to get. Use (0) to get the first one.
440 * @digest: output variable with #gnutls_digest_algorithm_t hash algorithm
441 * @issuer_name_hash: output buffer with hash of issuer's DN
442 * @issuer_key_hash: output buffer with hash of issuer's public key
443 * @serial_number: output buffer with serial number of certificate to check
444 *
445 * This function will return the certificate information of the
446 * @indx'ed request in the OCSP request. The information returned
447 * corresponds to the CertID structure:
448 *
449 * <informalexample><programlisting>
450 * CertID ::= SEQUENCE {
451 * hashAlgorithm AlgorithmIdentifier,
452 * issuerNameHash OCTET STRING, -- Hash of Issuer's DN
453 * issuerKeyHash OCTET STRING, -- Hash of Issuers public key
454 * serialNumber CertificateSerialNumber }
455 * </programlisting></informalexample>
456 *
457 * Each of the pointers to output variables may be NULL to indicate
458 * that the caller is not interested in that value.
459 *
460 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
461 * negative error code is returned. If you have reached the last
462 * CertID available %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be
463 * returned.
464 **/
465 int
472 {
473 gnutls_datum_t sa;
478 {
481 }
490 {
493 }
498 {
501 }
507 {
512 {
515 }
516 }
519 {
524 {
529 }
530 }
533 {
538 {
545 }
546 }
549 }
551 /**
552 * gnutls_ocsp_req_add_cert_id:
553 * @req: should contain a #gnutls_ocsp_req_t structure
554 * @digest: hash algorithm, a #gnutls_digest_algorithm_t value
555 * @issuer_name_hash: hash of issuer's DN
556 * @issuer_key_hash: hash of issuer's public key
557 * @serial_number: serial number of certificate to check
558 *
559 * This function will add another request to the OCSP request for a
560 * particular certificate having the issuer name hash of
561 * @issuer_name_hash and issuer key hash of @issuer_key_hash (both
562 * hashed using @digest) and serial number @serial_number.
563 *
564 * The information needed corresponds to the CertID structure:
565 *
566 * <informalexample><programlisting>
567 * CertID ::= SEQUENCE {
568 * hashAlgorithm AlgorithmIdentifier,
569 * issuerNameHash OCTET STRING, -- Hash of Issuer's DN
570 * issuerKeyHash OCTET STRING, -- Hash of Issuers public key
571 * serialNumber CertificateSerialNumber }
572 * </programlisting></informalexample>
573 *
574 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
575 * negative error code is returned.
576 **/
577 int
579 gnutls_digest_algorithm_t digest,
583 {
589 {
592 }
596 {
599 }
603 {
606 }
608 result = asn1_write_value
612 {
615 }
617 /* XXX we don't support any algorithm with parameters */
618 result = asn1_write_value
622 {
625 }
627 result = asn1_write_value
631 {
634 }
636 result = asn1_write_value
640 {
643 }
645 result = asn1_write_value
649 {
652 }
654 /* XXX add separate function that can add extensions too */
655 result = asn1_write_value
659 {
662 }
665 }
667 /**
668 * gnutls_ocsp_req_add_cert:
669 * @req: should contain a #gnutls_ocsp_req_t structure
670 * @digest: hash algorithm, a #gnutls_digest_algorithm_t value
671 * @issuer: issuer of @subject certificate
672 * @cert: certificate to request status for
673 *
674 * This function will add another request to the OCSP request for a
675 * particular certificate. The issuer name hash, issuer key hash, and
676 * serial number fields is populated as follows. The issuer name and
677 * the serial number is taken from @cert. The issuer key is taken
678 * from @issuer. The hashed values will be hashed using the @digest
679 * algorithm, normally %GNUTLS_DIG_SHA1.
680 *
681 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
682 * negative error code is returned.
683 **/
684 int
686 gnutls_digest_algorithm_t digest,
687 gnutls_x509_crt_t issuer,
688 gnutls_x509_crt_t cert)
689 {
698 {
701 }
707 {
710 }
715 {
718 }
722 ret = _gnutls_x509_read_value
726 {
729 }
734 {
737 }
744 {
747 }
752 {
755 }
758 }
760 /**
761 * gnutls_ocsp_req_get_extension:
762 * @req: should contain a #gnutls_ocsp_req_t structure
763 * @indx: Specifies which extension OID to get. Use (0) to get the first one.
764 * @oid: will hold newly allocated buffer with OID of extension, may be NULL
765 * @critical: output variable with critical flag, may be NULL.
766 * @data: will hold newly allocated buffer with extension data, may be NULL
767 *
768 * This function will return all information about the requested
769 * extension in the OCSP request. The information returned is the
770 * OID, the critical flag, and the data itself. The extension OID
771 * will be stored as a string. Any of @oid, @critical, and @data may
772 * be NULL which means that the caller is not interested in getting
773 * that information back.
774 *
775 * The caller needs to deallocate memory by calling gnutls_free() on
776 * @oid->data and @data->data.
777 *
778 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
779 * negative error code is returned. If you have reached the last
780 * extension available %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will
781 * be returned.
782 **/
783 int
789 {
796 {
799 }
808 {
811 }
814 {
817 else
819 }
822 {
827 {
830 }
831 }
834 {
839 {
844 }
845 }
848 }
850 /**
851 * gnutls_ocsp_req_set_extension:
852 * @req: should contain a #gnutls_ocsp_req_t structure
853 * @oid: buffer with OID of extension as a string.
854 * @critical: critical flag, normally false.
855 * @data: the extension data
856 *
857 * This function will add an extension to the OCSP request. Calling
858 * this function multiple times for the same OID will overwrite values
859 * from earlier calls.
860 *
861 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
862 * negative error code is returned.
863 **/
864 int
869 {
871 {
874 }
878 }
880 /**
881 * gnutls_ocsp_req_get_nonce:
882 * @req: should contain a #gnutls_ocsp_req_t structure
883 * @critical: whether nonce extension is marked critical, or NULL
884 * @nonce: will hold newly allocated buffer with nonce data
885 *
886 * This function will return the OCSP request nonce extension data.
887 *
888 * The caller needs to deallocate memory by calling gnutls_free() on
889 * @nonce->data.
890 *
891 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
892 * negative error code is returned.
893 **/
894 int
898 {
901 gnutls_datum_t tmp;
904 {
907 }
913 {
916 }
921 {
925 }
929 {
933 }
939 {
942 }
946 }
948 /**
949 * gnutls_ocsp_req_set_nonce:
950 * @req: should contain a #gnutls_ocsp_req_t structure
951 * @critical: critical flag, normally false.
952 * @nonce: the nonce data
953 *
954 * This function will add an nonce extension to the OCSP request.
955 * Calling this function multiple times will overwrite values from
956 * earlier calls.
957 *
958 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
959 * negative error code is returned.
960 **/
961 int
965 {
967 gnutls_datum_t dernonce;
972 {
975 }
982 {
985 }
995 {
998 }
1001 }
1003 /**
1004 * gnutls_ocsp_req_randomize_nonce:
1005 * @req: should contain a #gnutls_ocsp_req_t structure
1006 *
1007 * This function will add or update an nonce extension to the OCSP
1008 * request with a newly generated random value.
1009 *
1010 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1011 * negative error code is returned.
1012 **/
1013 int
1015 {
1021 {
1024 }
1028 {
1031 }
1035 {
1038 }
1041 }
1043 /**
1044 * gnutls_ocsp_resp_get_status:
1045 * @resp: should contain a #gnutls_ocsp_resp_t structure
1046 *
1047 * This function will return the status of a OCSP response, an
1048 * #gnutls_ocsp_resp_status_t enumeration.
1049 *
1050 * Returns: status of OCSP request as a #gnutls_ocsp_resp_status_t, or
1051 * a negative error code on error.
1052 **/
1053 int
1055 {
1060 {
1063 }
1068 {
1071 }
1074 {
1084 }
1087 }
1089 /**
1090 * gnutls_ocsp_resp_get_response:
1091 * @resp: should contain a #gnutls_ocsp_resp_t structure
1092 * @response_type_oid: newly allocated output buffer with response type OID
1093 * @response: newly allocated output buffer with DER encoded response
1094 *
1095 * This function will extract the response type OID in and the
1096 * response data from an OCSP response. Normally the
1097 * @response_type_oid is always "1.3.6.1.5.5.7.48.1.1" which means the
1098 * @response should be decoded as a Basic OCSP Response, but
1099 * technically other response types could be used.
1100 *
1101 * This function is typically only useful when you want to extract the
1102 * response type OID of an response for diagnostic purposes.
1103 * Otherwise gnutls_ocsp_resp_import() will decode the basic OCSP
1104 * response part and the caller need not worry about that aspect.
1105 *
1106 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1107 * negative error value.
1108 **/
1109 int
1113 {
1117 {
1120 }
1123 {
1127 {
1130 }
1131 }
1134 {
1138 {
1141 }
1142 }
1145 }
1147 /**
1148 * gnutls_ocsp_resp_get_version:
1149 * @resp: should contain a #gnutls_ocsp_resp_t structure
1150 *
1151 * This function will return the version of the Basic OCSP Response.
1152 * Typically this is always 1 indicating version 1.
1153 *
1154 * Returns: version of Basic OCSP response, or a negative error code
1155 * on error.
1156 **/
1157 int
1159 {
1164 {
1167 }
1172 {
1177 }
1180 }
1182 /**
1183 * gnutls_ocsp_resp_get_responder:
1184 * @resp: should contain a #gnutls_ocsp_resp_t structure
1185 * @dn: newly allocated buffer with name
1186 *
1187 * This function will extract the name of the Basic OCSP Response in
1188 * the provided buffer. The name will be in the form
1189 * "C=xxxx,O=yyyy,CN=zzzz" as described in RFC2253. The output string
1190 * will be ASCII or UTF-8 encoded, depending on the certificate data.
1191 *
1192 * The caller needs to deallocate memory by calling gnutls_free() on
1193 * @dn->data.
1194 *
1195 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1196 * negative error code is returned.
1197 **/
1198 int
1201 {
1206 {
1209 }
1211 ret = _gnutls_x509_parse_dn
1215 {
1218 }
1222 {
1225 }
1227 ret = _gnutls_x509_parse_dn
1231 {
1234 }
1239 }
1241 /**
1242 * gnutls_ocsp_resp_get_produced:
1243 * @resp: should contain a #gnutls_ocsp_resp_t structure
1244 *
1245 * This function will return the time when the OCSP response was
1246 * signed.
1247 *
1248 * Returns: signing time, or (time_t)-1 on error.
1249 **/
1250 time_t
1252 {
1258 {
1261 }
1267 {
1270 }
1275 }
1277 /**
1278 * gnutls_ocsp_resp_get_single:
1279 * @resp: should contain a #gnutls_ocsp_resp_t structure
1280 * @indx: Specifies which extension OID to get. Use (0) to get the first one.
1281 * @digest: output variable with #gnutls_digest_algorithm_t hash algorithm
1282 * @issuer_name_hash: output buffer with hash of issuer's DN
1283 * @issuer_key_hash: output buffer with hash of issuer's public key
1284 * @serial_number: output buffer with serial number of certificate to check
1285 * @cert_status: a certificate status, a #gnutls_ocsp_cert_status_t enum.
1286 * @this_update: time at which the status is known to be correct.
1287 * @next_update: when newer information will be available, or (time_t)-1 if unspecified
1288 * @revocation_time: when @cert_status is %GNUTLS_OCSP_CERT_REVOKED, holds time of revocation.
1289 * @revocation_reason: revocation reason, a #gnutls_x509_crl_reason_t enum.
1290 *
1291 * This function will return the certificate information of the
1292 * @indx'ed response in the Basic OCSP Response @resp. The
1293 * information returned corresponds to the SingleResponse structure
1294 * except the final singleExtensions, reproduced here for illustration:
1295 *
1296 * <informalexample><programlisting>
1297 * SingleResponse ::= SEQUENCE {
1298 * certID CertID,
1299 * certStatus CertStatus,
1300 * thisUpdate GeneralizedTime,
1301 * nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL,
1302 * singleExtensions [1] EXPLICIT Extensions OPTIONAL }
1303 *
1304 * CertID ::= SEQUENCE {
1305 * hashAlgorithm AlgorithmIdentifier,
1306 * issuerNameHash OCTET STRING, -- Hash of Issuer's DN
1307 * issuerKeyHash OCTET STRING, -- Hash of Issuers public key
1308 * serialNumber CertificateSerialNumber }
1309 *
1310 * CertStatus ::= CHOICE {
1311 * good [0] IMPLICIT NULL,
1312 * revoked [1] IMPLICIT RevokedInfo,
1313 * unknown [2] IMPLICIT UnknownInfo }
1314 *
1315 * RevokedInfo ::= SEQUENCE {
1316 * revocationTime GeneralizedTime,
1317 * revocationReason [0] EXPLICIT CRLReason OPTIONAL }
1318 * </programlisting></informalexample>
1319 *
1320 * Each of the pointers to output variables may be NULL to indicate
1321 * that the caller is not interested in that value.
1322 *
1323 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1324 * negative error code is returned. If you have reached the last
1325 * CertID available %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be
1326 * returned.
1327 **/
1328 int
1340 {
1341 gnutls_datum_t sa;
1352 {
1355 }
1360 {
1363 }
1369 {
1376 {
1379 }
1380 }
1383 {
1390 {
1395 }
1396 }
1399 {
1406 {
1413 }
1414 }
1417 {
1425 {
1428 }
1435 else
1436 {
1440 }
1442 }
1445 {
1455 {
1458 }
1459 else
1461 }
1464 {
1474 {
1477 }
1478 else
1480 }
1483 {
1488 "tbsResponseData.responses.?%u.certStatus."
1494 {
1497 }
1498 else
1500 }
1502 /* revocation_reason */
1505 }
1507 /**
1508 * gnutls_ocsp_resp_get_extension:
1509 * @resp: should contain a #gnutls_ocsp_resp_t structure
1510 * @indx: Specifies which extension OID to get. Use (0) to get the first one.
1511 * @oid: will hold newly allocated buffer with OID of extension, may be NULL
1512 * @critical: output variable with critical flag, may be NULL.
1513 * @data: will hold newly allocated buffer with extension data, may be NULL
1514 *
1515 * This function will return all information about the requested
1516 * extension in the OCSP response. The information returned is the
1517 * OID, the critical flag, and the data itself. The extension OID
1518 * will be stored as a string. Any of @oid, @critical, and @data may
1519 * be NULL which means that the caller is not interested in getting
1520 * that information back.
1521 *
1522 * The caller needs to deallocate memory by calling gnutls_free() on
1523 * @oid->data and @data->data.
1524 *
1525 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1526 * negative error code is returned. If you have reached the last
1527 * extension available %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will
1528 * be returned.
1529 **/
1530 int
1536 {
1543 {
1546 }
1556 {
1559 }
1562 {
1565 else
1567 }
1570 {
1575 {
1578 }
1579 }
1582 {
1587 {
1592 }
1593 }
1596 }
1598 /**
1599 * gnutls_ocsp_resp_get_nonce:
1600 * @resp: should contain a #gnutls_ocsp_resp_t structure
1601 * @critical: whether nonce extension is marked critical
1602 * @nonce: will hold newly allocated buffer with nonce data
1603 *
1604 * This function will return the Basic OCSP Response nonce extension
1605 * data.
1606 *
1607 * The caller needs to deallocate memory by calling gnutls_free() on
1608 * @nonce->data.
1609 *
1610 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1611 * negative error code is returned.
1612 **/
1613 int
1617 {
1620 gnutls_datum_t tmp;
1626 {
1629 }
1634 {
1638 }
1642 {
1646 }
1652 {
1655 }
1659 }
1661 /**
1662 * gnutls_ocsp_resp_get_signature_algorithm:
1663 * @resp: should contain a #gnutls_ocsp_resp_t structure
1664 *
1665 * This function will return a value of the #gnutls_sign_algorithm_t
1666 * enumeration that is the signature algorithm that has been used to
1667 * sign the OCSP response.
1668 *
1669 * Returns: a #gnutls_sign_algorithm_t value, or a negative error code
1670 * on error.
1671 **/
1672 int
1674 {
1676 gnutls_datum_t sa;
1681 {
1684 }
1691 }
1693 /**
1694 * gnutls_ocsp_resp_get_signature:
1695 * @resp: should contain a #gnutls_ocsp_resp_t structure
1696 * @sig: newly allocated output buffer with signature data
1697 *
1698 * This function will extract the signature field of a OCSP response.
1699 *
1700 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1701 * negative error value.
1702 **/
1703 int
1706 {
1710 {
1713 }
1717 {
1720 }
1723 }
1725 /**
1726 * gnutls_ocsp_resp_get_certs:
1727 * @resp: should contain a #gnutls_ocsp_resp_t structure
1728 * @certs: newly allocated array with #gnutls_x509_crt_t certificates
1729 * @ncerts: output variable with number of allocated certs.
1730 *
1731 * This function will extract the X.509 certificates found in the
1732 * Basic OCSP Response. The @certs output variable will hold a newly
1733 * allocated zero-terminated array with X.509 certificates.
1734 *
1735 * Every certificate in the array needs to be de-allocated with
1736 * gnutls_x509_crt_deinit() and the array itself must be freed using
1737 * gnutls_free().
1738 *
1739 * Both the @certs and @ncerts variables may be NULL. Then the
1740 * function will work as normal but will not return the NULL:d
1741 * information. This can be used to get the number of certificates
1742 * only, or to just get the certificate array without its size.
1743 *
1744 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
1745 * negative error value.
1746 **/
1747 int
1751 {
1758 {
1761 }
1765 {
1768 }
1771 {
1779 {
1782 }
1786 {
1790 }
1795 {
1798 }
1799 ctr++;
1802 GNUTLS_X509_FMT_DER);
1804 {
1807 }
1811 }
1819 else
1820 {
1821 /* clean up memory */
1824 }
1828 error:
1834 }
1836 /* Search the OCSP response for a certificate matching the responderId
1837 mentioned in the OCSP response. */
1838 static gnutls_x509_crt_t
1840 {
1844 gnutls_datum_t riddn;
1849 {
1852 }
1856 {
1860 }
1863 {
1870 {
1873 }
1877 {
1880 }
1884 {
1888 }
1896 {
1899 }
1900 }
1905 quit:
1912 }
1914 static int
1916 gnutls_x509_crt_t signercert,
1919 {
1927 {
1930 }
1934 {
1937 }
1942 {
1945 }
1949 {
1952 }
1956 {
1959 }
1963 {
1966 }
1970 {
1973 }
1975 {
1978 }
1979 else
1984 done:
1990 }
1993 {
2002 else
2006 }
2009 {
2015 {
2019 NULL);
2021 {
2024 }
2026 {
2029 }
2031 {
2033 }
2036 {
2039 }
2041 }
2044 }
2046 /**
2047 * gnutls_ocsp_resp_verify_direct:
2048 * @resp: should contain a #gnutls_ocsp_resp_t structure
2049 * @issuer: certificate believed to have signed the response
2050 * @verify: output variable with verification status, an #gnutls_ocsp_cert_status_t
2051 * @flags: verification flags, 0 for now.
2052 *
2053 * Verify signature of the Basic OCSP Response against the public key
2054 * in the @issuer certificate.
2055 *
2056 * The output @verify variable will hold verification status codes
2057 * (e.g., %GNUTLS_OCSP_VERIFY_SIGNER_NOT_FOUND,
2058 * %GNUTLS_OCSP_VERIFY_INSECURE_ALGORITHM) which are only valid if the
2059 * function returned %GNUTLS_E_SUCCESS.
2060 *
2061 * Note that the function returns %GNUTLS_E_SUCCESS even when
2062 * verification failed. The caller must always inspect the @verify
2063 * variable to find out the verification status.
2064 *
2065 * The @flags variable should be 0 for now.
2066 *
2067 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
2068 * negative error value.
2069 **/
2070 int
2072 gnutls_x509_crt_t issuer,
2075 {
2076 gnutls_x509_crt_t signercert;
2080 {
2083 }
2087 {
2089 }
2091 {
2096 {
2099 }
2102 {
2107 }
2111 {
2116 }
2117 }
2121 done:
2126 }
2128 /**
2129 * gnutls_ocsp_resp_verify:
2130 * @resp: should contain a #gnutls_ocsp_resp_t structure
2131 * @trustlist: trust anchors as a #gnutls_x509_trust_list_t structure
2132 * @verify: output variable with verification status, an #gnutls_ocsp_cert_status_t
2133 * @flags: verification flags, 0 for now.
2134 *
2135 * Verify signature of the Basic OCSP Response against the public key
2136 * in the certificate of a trusted signer. The @trustlist should be
2137 * populated with trust anchors. The function will extract the signer
2138 * certificate from the Basic OCSP Response and will verify it against
2139 * the @trustlist. A trusted signer is a certificate that is either
2140 * in @trustlist, or it is signed directly by a certificate in
2141 * @trustlist and has the id-ad-ocspSigning Extended Key Usage bit
2142 * set.
2143 *
2144 * The output @verify variable will hold verification status codes
2145 * (e.g., %GNUTLS_OCSP_VERIFY_SIGNER_NOT_FOUND,
2146 * %GNUTLS_OCSP_VERIFY_INSECURE_ALGORITHM) which are only valid if the
2147 * function returned %GNUTLS_E_SUCCESS.
2148 *
2149 * Note that the function returns %GNUTLS_E_SUCCESS even when
2150 * verification failed. The caller must always inspect the @verify
2151 * variable to find out the verification status.
2152 *
2153 * The @flags variable should be 0 for now.
2154 *
2155 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
2156 * negative error value.
2157 **/
2158 int
2160 gnutls_x509_trust_list_t trustlist,
2163 {
2167 /* Algorithm:
2168 1. Find signer cert.
2169 1a. Search in OCSP response Certificate field for responderID.
2170 1b. Verify that signer cert is trusted.
2171 2a. It is in trustlist?
2172 2b. It has OCSP key usage and directly signed by a CA in trustlist?
2173 3. Verify signature of Basic Response using public key from signer cert.
2174 */
2178 {
2179 /* XXX Search in trustlist for certificate matching
2180 responderId as well? */
2185 }
2187 /* Either the signer is directly trusted (i.e., in trustlist) or it
2188 is directly signed by something in trustlist and has proper OCSP
2189 extkeyusage. */
2192 {
2195 }
2197 {
2198 /* not in trustlist, need to verify signature and bits */
2199 gnutls_x509_crt_t issuer;
2207 {
2212 }
2216 {
2219 }
2222 {
2227 }
2231 {
2236 }
2237 }
2241 done:
2245 }