authorDr. Stephen Henson <steve@openssl.org>2001-02-04 03:04:43 +0000
committerDr. Stephen Henson <steve@openssl.org>2001-02-04 03:04:43 +0000
commit2b916952a8de5b1197169801925dad74aa3360cd (patch)
tree3da79abd19c83d3b089374ec34a048bf1711a55e /crypto/ocsp
parent02e4fbed3d256f4f1fffff84f307a336b50fae1f (diff)
Fix ASN1_TIME_to_generlizedtime().
Add prototype for OCSP_response_create(). Add OCSP_request_sign() and OCSP_basic_sign() private key and certificate checks and make OCSP_NOCERTS consistent with PKCS7_NOCERTS
Diffstat (limited to 'crypto/ocsp')
-rw-r--r--crypto/ocsp/ocsp.h4
-rw-r--r--crypto/ocsp/ocsp_cl.c19
-rw-r--r--crypto/ocsp/ocsp_err.c3
-rw-r--r--crypto/ocsp/ocsp_srv.c16
4 files changed, 33 insertions, 9 deletions
diff --git a/crypto/ocsp/ocsp.h b/crypto/ocsp/ocsp.h
index ca748a0fed..f77c4fd039 100644
--- a/crypto/ocsp/ocsp.h
+++ b/crypto/ocsp/ocsp.h
@@ -454,6 +454,7 @@ OCSP_CERTID *OCSP_onereq_get0_id(OCSP_ONEREQ *one);
int OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd,
ASN1_OCTET_STRING **pikeyHash,
ASN1_INTEGER **pserial, OCSP_CERTID *cid);
+OCSP_RESPONSE *OCSP_response_create(int status, OCSP_BASICRESP *bs);
OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp,
OCSP_CERTID *cid,
int status, int reason,
@@ -562,12 +563,14 @@ void ERR_load_OCSP_strings(void);
#define OCSP_F_CERT_STATUS_NEW 103
#define OCSP_F_D2I_OCSP_NONCE 109
#define OCSP_F_OCSP_BASIC_ADD1_STATUS 118
+#define OCSP_F_OCSP_BASIC_SIGN 119
#define OCSP_F_OCSP_BASIC_VERIFY 113
#define OCSP_F_OCSP_CHECK_DELEGATED 117
#define OCSP_F_OCSP_CHECK_IDS 114
#define OCSP_F_OCSP_CHECK_ISSUER 115
#define OCSP_F_OCSP_CHECK_NONCE 112
#define OCSP_F_OCSP_MATCH_ISSUERID 116
+#define OCSP_F_OCSP_REQUEST_SIGN 120
#define OCSP_F_OCSP_RESPONSE_GET1_BASIC 111
#define OCSP_F_OCSP_SENDREQ_BIO 110
#define OCSP_F_REQUEST_VERIFY 104
@@ -595,6 +598,7 @@ void ERR_load_OCSP_strings(void);
#define OCSP_R_NO_RESPONSE_DATA 104
#define OCSP_R_NO_REVOKED_TIME 132
#define OCSP_R_NO_SIGNATURE 105
+#define OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE 133
#define OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA 129
#define OCSP_R_REVOKED_NO_TIME 106
#define OCSP_R_ROOT_CA_NOT_TRUSTED 127
diff --git a/crypto/ocsp/ocsp_cl.c b/crypto/ocsp/ocsp_cl.c
index 34c3969bcc..7b3e742e4a 100644
--- a/crypto/ocsp/ocsp_cl.c
+++ b/crypto/ocsp/ocsp_cl.c
@@ -148,22 +148,31 @@ int OCSP_request_sign(OCSP_REQUEST *req,
OCSP_SIGNATURE *sig;
X509 *x;
- if (signer &&
- !OCSP_request_set1_name(req, X509_get_subject_name(signer)))
+ if (!OCSP_request_set1_name(req, X509_get_subject_name(signer)))
goto err;
if (!(req->optionalSignature = sig = OCSP_SIGNATURE_new())) goto err;
if (!dgst) dgst = EVP_sha1();
- if (key && !OCSP_REQUEST_sign(req, key, dgst)) goto err;
+ if (key)
+ {
+ if (!X509_check_private_key(signer, key))
+ {
+ OCSPerr(OCSP_F_OCSP_REQUEST_SIGN, OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
+ goto err;
+ }
+ if (!OCSP_REQUEST_sign(req, key, dgst)) goto err;
+ }
+
if (!(flags & OCSP_NOCERTS))
{
- if (!OCSP_request_add1_cert(req, signer)) goto err;
- for (i = 0; i < sk_X509_num(certs); i++)
+ if(!OCSP_request_add1_cert(req, signer)) goto err;
+ for (i = 0; i < sk_X509_num(certs); i++)
{
x = sk_X509_value(certs, i);
if (!OCSP_request_add1_cert(req, x)) goto err;
}
}
+
return 1;
err:
OCSP_SIGNATURE_free(req->optionalSignature);
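Review bot: Dropping the `signer &&` guard on the OCSP_request_set1_name() line turns a NULL signer from a skipped step into a NULL dereference, because signer is now passed straight to X509_get_subject_name(), then to X509_check_private_key(signer, key) and OCSP_request_add1_cert(req, signer), with no check anywhere in the new code; the old code at least guarded the name lookup. If the new contract is that a signer certificate is mandatory, reject its absence up front instead of crashing on it: `if (!signer || !OCSP_request_set1_name(req, X509_get_subject_name(signer)))` followed by the existing `goto err;`, and record the non-NULL requirement on the prototype in ocsp.h. The OCSP_basic_sign hunk in crypto/ocsp/ocsp_srv.c has the same pattern, with X509_check_private_key(signer, key) as its first statement. OCSP_request_sign() begins before this hunk and its err: cleanup continues past it.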
diff --git a/crypto/ocsp/ocsp_err.c b/crypto/ocsp/ocsp_err.c
index e1b2e3444d..abf8307397 100644
--- a/crypto/ocsp/ocsp_err.c
+++ b/crypto/ocsp/ocsp_err.c
@@ -73,12 +73,14 @@ static ERR_STRING_DATA OCSP_str_functs[]=
{ERR_PACK(0,OCSP_F_CERT_STATUS_NEW,0), "CERT_STATUS_NEW"},
{ERR_PACK(0,OCSP_F_D2I_OCSP_NONCE,0), "D2I_OCSP_NONCE"},
{ERR_PACK(0,OCSP_F_OCSP_BASIC_ADD1_STATUS,0), "OCSP_basic_add1_status"},
+{ERR_PACK(0,OCSP_F_OCSP_BASIC_SIGN,0), "OCSP_basic_sign"},
{ERR_PACK(0,OCSP_F_OCSP_BASIC_VERIFY,0), "OCSP_basic_verify"},
{ERR_PACK(0,OCSP_F_OCSP_CHECK_DELEGATED,0), "OCSP_CHECK_DELEGATED"},
{ERR_PACK(0,OCSP_F_OCSP_CHECK_IDS,0), "OCSP_CHECK_IDS"},
{ERR_PACK(0,OCSP_F_OCSP_CHECK_ISSUER,0), "OCSP_CHECK_ISSUER"},
{ERR_PACK(0,OCSP_F_OCSP_CHECK_NONCE,0), "OCSP_check_nonce"},
{ERR_PACK(0,OCSP_F_OCSP_MATCH_ISSUERID,0), "OCSP_MATCH_ISSUERID"},
+{ERR_PACK(0,OCSP_F_OCSP_REQUEST_SIGN,0), "OCSP_request_sign"},
{ERR_PACK(0,OCSP_F_OCSP_RESPONSE_GET1_BASIC,0), "OCSP_response_get1_basic"},
{ERR_PACK(0,OCSP_F_OCSP_SENDREQ_BIO,0), "OCSP_sendreq_bio"},
{ERR_PACK(0,OCSP_F_REQUEST_VERIFY,0), "REQUEST_VERIFY"},
@@ -109,6 +111,7 @@ static ERR_STRING_DATA OCSP_str_reasons[]=
{OCSP_R_NO_RESPONSE_DATA ,"no response data"},
{OCSP_R_NO_REVOKED_TIME ,"no revoked time"},
{OCSP_R_NO_SIGNATURE ,"no signature"},
+{OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE,"private key does not match certificate"},
{OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA,"response contains no revocation data"},
{OCSP_R_REVOKED_NO_TIME ,"revoked no time"},
{OCSP_R_ROOT_CA_NOT_TRUSTED ,"root ca not trusted"},
diff --git a/crypto/ocsp/ocsp_srv.c b/crypto/ocsp/ocsp_srv.c
index b83992896f..5743f9c754 100644
--- a/crypto/ocsp/ocsp_srv.c
+++ b/crypto/ocsp/ocsp_srv.c
@@ -206,14 +206,22 @@ int OCSP_basic_sign(OCSP_BASICRESP *brsp,
int i;
OCSP_RESPID *rid;
- if(!(flags & OCSP_NOCERTS) && !OCSP_basic_add1_cert(brsp, signer))
+ if (!X509_check_private_key(signer, key))
+ {
+ OCSPerr(OCSP_F_OCSP_BASIC_SIGN, OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
goto err;
+ }
- for (i = 0; i < sk_X509_num(certs); i++)
+ if(!(flags & OCSP_NOCERTS))
{
- X509 *tmpcert = sk_X509_value(certs, i);
- if(!OCSP_basic_add1_cert(brsp, tmpcert))
+ if(!OCSP_basic_add1_cert(brsp, signer))
+ goto err;
+ for (i = 0; i < sk_X509_num(certs); i++)
+ {
+ X509 *tmpcert = sk_X509_value(certs, i);
+ if(!OCSP_basic_add1_cert(brsp, tmpcert))
goto err;
+ }
}
rid = brsp->tbsResponseData->responderId;