author | Matt Caswell <matt@openssl.org> | 2020-03-20 14:54:55 +0000 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2020-03-27 11:20:39 +0000 |
commit | be6aeda6474a77e97b344f300334f5fe3612e4b4 (patch) | |
tree | 9a6c33e8298c4dd87e7ec7f2ec8cdb0c99c3b034 /crypto/ocsp | |
parent | 5fcb97c61e6796b20c8ee1b0daab25151bf65bd0 (diff) |
Add OCSP_RESPID_set_by_key_ex() and OCSP_RESPID_match_ex()
OCSP_RESPID_set_by_key() calculates a SHA1 hash of the supplied
certificate. We need to be able to specify which libctx and property
query string is used to fetch that algorithm so we introduce
OCSP_RESPID_set_by_key_ex() which does the same thing but enables you to
specify the library context and property query string explicitly.
OCSP_RESPID_match() matches with certificates based on the SHA1 hash.
Therefore for the same reason we introduce OCSP_RESPID_match_ex().
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11407)
Diffstat (limited to 'crypto/ocsp')
-rw-r--r-- | crypto/ocsp/ocsp_srv.c | 57 |
1 files changed, 43 insertions, 14 deletions
diff --git a/crypto/ocsp/ocsp_srv.c b/crypto/ocsp/ocsp_srv.c
index 7e0aca169b..051747b445 100644
--- a/crypto/ocsp/ocsp_srv.c
+++ b/crypto/ocsp/ocsp_srv.c
@@ -259,45 +259,67 @@ int OCSP_RESPID_set_by_name(OCSP_RESPID *respid, X509 *cert) return 1; } -int OCSP_RESPID_set_by_key(OCSP_RESPID *respid, X509 *cert) +int OCSP_RESPID_set_by_key_ex(OCSP_RESPID *respid, X509 *cert, + OPENSSL_CTX *libctx, const char *propq) { ASN1_OCTET_STRING *byKey = NULL; unsigned char md[SHA_DIGEST_LENGTH]; + EVP_MD *sha1 = EVP_MD_fetch(libctx, "SHA1", propq); + int ret = 0; - /* RFC2560 requires SHA1 */ - if (!X509_pubkey_digest(cert, EVP_sha1(), md, NULL)) + if (sha1 == NULL) return 0; + /* RFC2560 requires SHA1 */ + if (!X509_pubkey_digest(cert, sha1, md, NULL)) + goto err; + byKey = ASN1_OCTET_STRING_new(); if (byKey == NULL) - return 0; + goto err; if (!(ASN1_OCTET_STRING_set(byKey, md, SHA_DIGEST_LENGTH))) { ASN1_OCTET_STRING_free(byKey); - return 0; + goto err; } respid->type = V_OCSP_RESPID_KEY; respid->value.byKey = byKey; - return 1; + ret = 1; + err: + EVP_MD_free(sha1); + return ret; } -int OCSP_RESPID_match(OCSP_RESPID *respid, X509 *cert) +int OCSP_RESPID_set_by_key(OCSP_RESPID *respid, X509 *cert) { + return OCSP_RESPID_set_by_key_ex(respid, cert, NULL, NULL); +} + +int OCSP_RESPID_match_ex(OCSP_RESPID *respid, X509 *cert, OPENSSL_CTX *libctx, + const char *propq) +{ + EVP_MD *sha1 = NULL; + int ret = 0; + if (respid->type == V_OCSP_RESPID_KEY) { unsigned char md[SHA_DIGEST_LENGTH]; + sha1 = EVP_MD_fetch(libctx, "SHA1", propq); + if (sha1 == NULL) + goto err; + if (respid->value.byKey == NULL) - return 0; + goto err; /* RFC2560 requires SHA1 */ - if (!X509_pubkey_digest(cert, EVP_sha1(), md, NULL)) - return 0; + if (!X509_pubkey_digest(cert, sha1, md, NULL)) + goto err; - return (ASN1_STRING_length(respid->value.byKey) == SHA_DIGEST_LENGTH) - && (memcmp(ASN1_STRING_get0_data(respid->value.byKey), md, - SHA_DIGEST_LENGTH) == 0); + ret = (ASN1_STRING_length(respid->value.byKey) == SHA_DIGEST_LENGTH) + && (memcmp(ASN1_STRING_get0_data(respid->value.byKey), md, + SHA_DIGEST_LENGTH) == 0); } else if (respid->type == 
V_OCSP_RESPID_NAME) { if (respid->value.byName == NULL) return 0; @@ -306,5 +328,12 @@ int OCSP_RESPID_match(OCSP_RESPID *respid, X509 *cert) X509_get_subject_name(cert)) == 0; } - return 0; + err: + EVP_MD_free(sha1); + return ret; +} + +int OCSP_RESPID_match(OCSP_RESPID *respid, X509 *cert) +{ + return OCSP_RESPID_match_ex(respid, cert, NULL, NULL); } |
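Review bot: In OCSP_RESPID_match_ex the `EVP_MD_fetch(libctx, "SHA1", propq)` call precedes the `respid->value.byKey == NULL` check, so a responder ID that carries no key hash pays for a provider fetch before being rejected; moving the NULL check ahead of the fetch (`if (respid->value.byKey == NULL) goto err;` first, then the fetch) keeps the cheap structural validation in front of the expensive step. In OCSP_RESPID_set_by_key_ex the fetch likewise runs before anything else, though there is no earlier check to hoist there. Both functions now route every failure through `err:` and `EVP_MD_free(sha1)`, which is the right shape for a fetched digest, and the SHA1 dependence the "RFC2560 requires SHA1" comment documents now fails closed when the property query cannot resolve that algorithm. The body of OCSP_RESPID_match_ex continues into the second hunk, which holds its `err:` label.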
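Review bot: The new `err:` label and `EVP_MD_free(sha1)` are bypassed by the V_OCSP_RESPID_NAME branch, which keeps its direct `return 0;` (visible at the end of the first hunk) and, judging by the unchanged `X509_get_subject_name(cert)) == 0;` context line, presumably still returns the X509_NAME_cmp result directly as well. That is harmless today because sha1 is still NULL on that path, but the function now has two exit conventions, and any resource acquired ahead of the type dispatch in future would leak on the NAME path. Assigning instead of returning, `ret = X509_NAME_cmp(respid->value.byName, X509_get_subject_name(cert)) == 0;`, and using `goto err` for the NULL byName case makes every path leave through the label. The start of that branch lies between the two hunks, so part of the affected code is outside this hunk.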