Initial OCSP certificate verify. Not complete,

it just supports a "trusted OCSP global root CA".

2 files changed, 37 insertions, 3 deletions

diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
index 717e23d5c6..9d67bd92d5 100644
--- a/crypto/x509v3/v3_purp.c
+++ b/crypto/x509v3/v3_purp.c
@@ -61,7 +61,6 @@
 #include <openssl/x509v3.h>
 #include <openssl/x509_vfy.h>
 
-
 static void x509v3_cache_extensions(X509 *x);
 
 static int ca_check(const X509 *x);
@@ -74,6 +73,7 @@ static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x, int c
 static int check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x, int ca);
 static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca);
 static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca);
+static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca);
 
 static int xp_cmp(const X509_PURPOSE * const *a,
 		const X509_PURPOSE * const *b);
@@ -87,6 +87,7 @@ static X509_PURPOSE xstandard[] = {
 	{X509_PURPOSE_SMIME_ENCRYPT, X509_TRUST_EMAIL, 0, check_purpose_smime_encrypt, "S/MIME encryption", "smimeencrypt", NULL},
 	{X509_PURPOSE_CRL_SIGN, X509_TRUST_COMPAT, 0, check_purpose_crl_sign, "CRL signing", "crlsign", NULL},
 	{X509_PURPOSE_ANY, X509_TRUST_DEFAULT, 0, no_check, "Any Purpose", "any", NULL},
+	{X509_PURPOSE_OCSP_HELPER, X509_TRUST_COMPAT, 0, ocsp_helper, "OCSP helper", "ocsphelper", NULL},
 };
 
 #define X509_PURPOSE_COUNT (sizeof(xstandard)/sizeof(X509_PURPOSE))
@@ -144,7 +145,6 @@ int X509_PURPOSE_get_by_sname(char *sname)
 	return -1;
 }
 
-
 int X509_PURPOSE_get_by_id(int purpose)
 {
 	X509_PURPOSE tmp;
@@ -320,6 +320,15 @@ static void x509v3_cache_extensions(X509 *x)
 				case NID_ms_sgc:
 				case NID_ns_sgc:
 				x->ex_xkusage |= XKU_SGC;
+				break;
+
+				case NID_OCSP_sign:
+				x->ex_xkusage |= XKU_OCSP_SIGN;
+				break;
+
+				case NID_time_stamp:
+				x->ex_xkusage |= XKU_TIMESTAMP;
+				break;
 			}
 		}
 		sk_ASN1_OBJECT_pop_free(extusage, ASN1_OBJECT_free);
@@ -470,6 +479,27 @@ static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca)
 	return 1;
 }
 
+/* OCSP helper: this is *not* a full OCSP check. It just checks that
+ * each CA is valid. Additional checks must be made on the chain.
+ */
+
+static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca)
+{
+	/* Must be a valid CA */
+	if(ca) {
+		int ca_ret;
+		ca_ret = ca_check(x);
+		if(ca_ret != 2) return ca_ret;
+		if(x->ex_flags & EXFLAG_NSCERT) {
+			if(x->ex_nscert & NS_ANY_CA) return ca_ret;
+			return 0;
+		}
+		return 0;
+	}
+	/* leaf certificate is checked in OCSP_verify() */
+	return 1;
+}
+
 static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca)
 {
 	return 1;
diff --git a/crypto/x509v3/x509v3.h b/crypto/x509v3/x509v3.h
index 8bf67bcbe0..29421b754d 100644
--- a/crypto/x509v3/x509v3.h
+++ b/crypto/x509v3/x509v3.h
@@ -342,12 +342,15 @@ DECLARE_ASN1_SET_OF(POLICYINFO)
 #define NS_SSL_CA		0x04
 #define NS_SMIME_CA		0x02
 #define NS_OBJSIGN_CA		0x01
+#define NS_ANY_CA		(NS_SSL_CA|NS_SMIME_CA|NS_OBJSIGN_CA)
 
 #define XKU_SSL_SERVER		0x1	
 #define XKU_SSL_CLIENT		0x2
 #define XKU_SMIME		0x4
 #define XKU_CODE_SIGN		0x8
 #define XKU_SGC			0x10
+#define XKU_OCSP_SIGN		0x20
+#define XKU_TIMESTAMP		0x40
 
 #define X509_PURPOSE_DYNAMIC	0x1
 #define X509_PURPOSE_DYNAMIC_NAME	0x2
@@ -370,9 +373,10 @@ typedef struct x509_purpose_st {
 #define X509_PURPOSE_SMIME_ENCRYPT	5
 #define X509_PURPOSE_CRL_SIGN		6
 #define X509_PURPOSE_ANY		7
+#define X509_PURPOSE_OCSP_HELPER	8
 
 #define X509_PURPOSE_MIN		1
-#define X509_PURPOSE_MAX		7
+#define X509_PURPOSE_MAX		8
 
 /* Flags for X509V3_EXT_print() */