Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
btwise
openssl
提交
18cd23df
O
openssl
项目概览
btwise
/
openssl
通知
1
Star
0
Fork
0
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
DevOps
流水线
流水线任务
计划
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
O
openssl
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
DevOps
DevOps
流水线
流水线任务
计划
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
流水线任务
提交
Issue看板
体验新版 GitCode,发现更多精彩内容 >>
提交
18cd23df
编写于
5月 07, 2015
作者:
R
Rich Salz
提交者:
Rich Salz
9月 22, 2015
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
Remove "noise" comments from TS files.
Reviewed-by:
N
Tim Hudson
<
tjh@openssl.org
>
上级
ff03599a
变更
10
隐藏空白更改
内联
并排
Showing
10 changed file
with
48 addition
and
337 deletion
+48
-337
apps/ts.c
apps/ts.c
+29
-134
crypto/ts/ts_asn1.c
crypto/ts/ts_asn1.c
+0
-9
crypto/ts/ts_conf.c
crypto/ts/ts_conf.c
+2
-6
crypto/ts/ts_lib.c
crypto/ts/ts_lib.c
+0
-4
crypto/ts/ts_req_print.c
crypto/ts/ts_req_print.c
+0
-2
crypto/ts/ts_rsp_print.c
crypto/ts/ts_rsp_print.c
+0
-16
crypto/ts/ts_rsp_sign.c
crypto/ts/ts_rsp_sign.c
+8
-88
crypto/ts/ts_rsp_utils.c
crypto/ts/ts_rsp_utils.c
+0
-3
crypto/ts/ts_rsp_verify.c
crypto/ts/ts_rsp_verify.c
+9
-71
crypto/ts/ts_verify_ctx.c
crypto/ts/ts_verify_ctx.c
+0
-4
未找到文件。
apps/ts.c
浏览文件 @
18cd23df
...
...
@@ -67,13 +67,17 @@
#include <openssl/ts.h>
#include <openssl/bn.h>
/*
Length of the nonce of the request
in bits (must be a multiple of 8). */
/*
Request nonce length,
in bits (must be a multiple of 8). */
#define NONCE_LENGTH 64
/*
Macro definitions for the configuration
file. */
/*
Name of config entry that defines the OID
file. */
#define ENV_OID_FILE "oid_file"
/* Local function declarations. */
/* Is |EXACTLY_ONE| of three pointers set? */
#define EXACTLY_ONE(a, b, c) \
(( a && !b && !c) || \
( b && !a && !c) || \
( c && !a && !b))
static
ASN1_OBJECT
*
txt2obj
(
const
char
*
oid
);
static
CONF
*
load_config_file
(
const
char
*
configfile
);
...
...
@@ -309,7 +313,6 @@ int ts_main(int argc, char **argv)
app_RAND_load_files
(
rnd
));
}
/* Get the password if required. */
if
(
mode
==
OPT_REPLY
&&
passin
&&
!
app_passwd
(
passin
,
NULL
,
&
password
,
NULL
))
{
BIO_printf
(
bio_err
,
"Error getting password.
\n
"
);
...
...
@@ -320,33 +323,22 @@ int ts_main(int argc, char **argv)
if
(
!
app_load_modules
(
conf
))
goto
end
;
/*
* Check consistency of parameters and execute the appropriate function.
*/
/* Check parameter consistency and execute the appropriate function. */
switch
(
mode
)
{
default:
case
OPT_ERR
:
goto
opthelp
;
case
OPT_QUERY
:
/*
* Data file and message imprint cannot be specified at the same
* time.
*/
ret
=
data
!=
NULL
&&
digest
!=
NULL
;
if
(
ret
)
if
((
data
!=
NULL
)
&&
(
digest
!=
NULL
))
goto
opthelp
;
ret
=
!
query_command
(
data
,
digest
,
md
,
policy
,
no_nonce
,
cert
,
in
,
out
,
text
);
break
;
case
OPT_REPLY
:
if
((
in
!=
NULL
)
&&
(
queryfile
!=
NULL
))
goto
opthelp
;
if
(
in
==
NULL
)
{
ret
=
!
(
queryfile
!=
NULL
&&
conf
!=
NULL
&&
!
token_in
);
if
(
ret
)
goto
opthelp
;
}
else
{
/* 'in' and 'queryfile' are exclusive. */
ret
=
!
(
queryfile
==
NULL
);
if
(
ret
)
if
((
conf
==
NULL
)
||
(
token_in
!=
0
))
goto
opthelp
;
}
ret
=
!
reply_command
(
conf
,
section
,
engine
,
queryfile
,
...
...
@@ -354,24 +346,17 @@ int ts_main(int argc, char **argv)
in
,
token_in
,
out
,
token_out
,
text
);
break
;
case
OPT_VERIFY
:
ret
=
!
(((
queryfile
&&
!
data
&&
!
digest
)
||
(
!
queryfile
&&
data
&&
!
digest
)
||
(
!
queryfile
&&
!
data
&&
digest
))
&&
in
!=
NULL
);
if
(
ret
)
if
((
in
==
NULL
)
||
!
EXACTLY_ONE
(
queryfile
,
data
,
digest
))
goto
opthelp
;
ret
=
!
verify_command
(
data
,
digest
,
queryfile
,
in
,
token_in
,
CApath
,
CAfile
,
untrusted
);
}
end:
/* Clean up. */
app_RAND_write_file
(
NULL
);
NCONF_free
(
conf
);
OPENSSL_free
(
password
);
OBJ_cleanup
();
return
(
ret
);
}
...
...
@@ -427,13 +412,12 @@ static int query_command(const char *data, char *digest, const EVP_MD *md,
BIO
*
data_bio
=
NULL
;
BIO
*
out_bio
=
NULL
;
/* Build query object
either from file or from scratch
. */
/* Build query object. */
if
(
in
!=
NULL
)
{
if
((
in_bio
=
bio_open_default
(
in
,
'r'
,
FORMAT_ASN1
))
==
NULL
)
goto
end
;
query
=
d2i_TS_REQ_bio
(
in_bio
,
NULL
);
}
else
{
/* Open the file if no explicit digest bytes were specified. */
if
(
digest
==
NULL
&&
(
data_bio
=
bio_open_default
(
data
,
'r'
,
FORMAT_ASN1
))
==
NULL
)
goto
end
;
...
...
@@ -442,15 +426,12 @@ static int query_command(const char *data, char *digest, const EVP_MD *md,
if
(
query
==
NULL
)
goto
end
;
/* Write query either in ASN.1 or in text format. */
if
(
text
)
{
/* Text output. */
if
((
out_bio
=
bio_open_default
(
out
,
'w'
,
FORMAT_TEXT
))
==
NULL
)
goto
end
;
if
(
!
TS_REQ_print_bio
(
out_bio
,
query
))
goto
end
;
}
else
{
/* ASN.1 output. */
if
((
out_bio
=
bio_open_default
(
out
,
'w'
,
FORMAT_ASN1
))
==
NULL
)
goto
end
;
if
(
!
i2d_TS_REQ_bio
(
out_bio
,
query
))
...
...
@@ -461,13 +442,10 @@ static int query_command(const char *data, char *digest, const EVP_MD *md,
end:
ERR_print_errors
(
bio_err
);
/* Clean up. */
BIO_free_all
(
in_bio
);
BIO_free_all
(
data_bio
);
BIO_free_all
(
out_bio
);
TS_REQ_free
(
query
);
return
ret
;
}
...
...
@@ -483,23 +461,14 @@ static TS_REQ *create_query(BIO *data_bio, char *digest, const EVP_MD *md,
ASN1_OBJECT
*
policy_obj
=
NULL
;
ASN1_INTEGER
*
nonce_asn1
=
NULL
;
/* Setting default message digest. */
if
(
md
==
NULL
&&
(
md
=
EVP_get_digestbyname
(
"sha1"
))
==
NULL
)
goto
err
;
/* Creating request object. */
if
((
ts_req
=
TS_REQ_new
())
==
NULL
)
goto
err
;
/* Setting version. */
if
(
!
TS_REQ_set_version
(
ts_req
,
1
))
goto
err
;
/* Creating and adding MSG_IMPRINT object. */
if
((
msg_imprint
=
TS_MSG_IMPRINT_new
())
==
NULL
)
goto
err
;
/* Adding algorithm. */
if
((
algo
=
X509_ALGOR_new
())
==
NULL
)
goto
err
;
if
((
algo
->
algorithm
=
OBJ_nid2obj
(
EVP_MD_type
(
md
)))
==
NULL
)
...
...
@@ -509,17 +478,12 @@ static TS_REQ *create_query(BIO *data_bio, char *digest, const EVP_MD *md,
algo
->
parameter
->
type
=
V_ASN1_NULL
;
if
(
!
TS_MSG_IMPRINT_set_algo
(
msg_imprint
,
algo
))
goto
err
;
/* Adding message digest. */
if
((
len
=
create_digest
(
data_bio
,
digest
,
md
,
&
data
))
==
0
)
goto
err
;
if
(
!
TS_MSG_IMPRINT_set_msg
(
msg_imprint
,
data
,
len
))
goto
err
;
if
(
!
TS_REQ_set_msg_imprint
(
ts_req
,
msg_imprint
))
goto
err
;
/* Setting policy if requested. */
if
(
policy
&&
(
policy_obj
=
txt2obj
(
policy
))
==
NULL
)
goto
err
;
if
(
policy_obj
&&
!
TS_REQ_set_policy_id
(
ts_req
,
policy_obj
))
...
...
@@ -530,8 +494,6 @@ static TS_REQ *create_query(BIO *data_bio, char *digest, const EVP_MD *md,
goto
err
;
if
(
nonce_asn1
&&
!
TS_REQ_set_nonce
(
ts_req
,
nonce_asn1
))
goto
err
;
/* Setting certificate request flag if requested. */
if
(
!
TS_REQ_set_cert_req
(
ts_req
,
cert
))
goto
err
;
...
...
@@ -541,6 +503,7 @@ static TS_REQ *create_query(BIO *data_bio, char *digest, const EVP_MD *md,
TS_REQ_free
(
ts_req
);
ts_req
=
NULL
;
BIO_printf
(
bio_err
,
"could not create query
\n
"
);
ERR_print_errors
(
bio_err
);
}
TS_MSG_IMPRINT_free
(
msg_imprint
);
X509_ALGOR_free
(
algo
);
...
...
@@ -557,9 +520,9 @@ static int create_digest(BIO *input, char *digest, const EVP_MD *md,
md_value_len
=
EVP_MD_size
(
md
);
if
(
md_value_len
<
0
)
goto
err
;
return
0
;
if
(
input
)
{
/* Digest must be computed from an input file. */
EVP_MD_CTX
md_ctx
;
unsigned
char
buffer
[
4096
];
int
length
;
...
...
@@ -572,7 +535,6 @@ static int create_digest(BIO *input, char *digest, const EVP_MD *md,
if
(
!
EVP_DigestFinal
(
&
md_ctx
,
*
md_value
,
NULL
))
return
0
;
}
else
{
/* Digest bytes are specified with digest. */
long
digest_len
;
*
md_value
=
string_to_hex
(
digest
,
&
digest_len
);
if
(
!*
md_value
||
md_value_len
!=
digest_len
)
{
...
...
@@ -580,13 +542,10 @@ static int create_digest(BIO *input, char *digest, const EVP_MD *md,
*
md_value
=
NULL
;
BIO_printf
(
bio_err
,
"bad digest, %d bytes "
"must be specified
\n
"
,
md_value_len
);
goto
err
;
return
0
;
}
}
return
md_value_len
;
err:
return
0
;
}
static
ASN1_INTEGER
*
create_nonce
(
int
bits
)
...
...
@@ -596,7 +555,6 @@ static ASN1_INTEGER *create_nonce(int bits)
int
len
=
(
bits
-
1
)
/
8
+
1
;
int
i
;
/* Generating random byte sequence. */
if
(
len
>
(
int
)
sizeof
(
buf
))
goto
err
;
if
(
RAND_bytes
(
buf
,
len
)
<=
0
)
...
...
@@ -608,12 +566,11 @@ static ASN1_INTEGER *create_nonce(int bits)
if
((
nonce
=
ASN1_INTEGER_new
())
==
NULL
)
goto
err
;
OPENSSL_free
(
nonce
->
data
);
/* Allocate at least one byte. */
nonce
->
length
=
len
-
i
;
nonce
->
data
=
app_malloc
(
nonce
->
length
+
1
,
"nonce buffer"
);
memcpy
(
nonce
->
data
,
buf
+
i
,
nonce
->
length
);
return
nonce
;
err:
BIO_printf
(
bio_err
,
"could not create nonce
\n
"
);
ASN1_INTEGER_free
(
nonce
);
...
...
@@ -638,18 +595,12 @@ static int reply_command(CONF *conf, char *section, char *engine,
BIO
*
signer_bio
=
NULL
;
BIO
*
out_bio
=
NULL
;
/* Build response object either from response or query. */
if
(
in
!=
NULL
)
{
if
((
in_bio
=
BIO_new_file
(
in
,
"rb"
))
==
NULL
)
goto
end
;
if
(
token_in
)
{
/*
* We have a ContentInfo (PKCS7) object, add 'granted' status
* info around it.
*/
response
=
read_PKCS7
(
in_bio
);
}
else
{
/* We have a ready-made TS_RESP object. */
response
=
d2i_TS_RESP_bio
(
in_bio
,
NULL
);
}
}
else
{
...
...
@@ -663,9 +614,8 @@ static int reply_command(CONF *conf, char *section, char *engine,
if
(
response
==
NULL
)
goto
end
;
/* Write response
either in ASN.1 or text format
. */
/* Write response. */
if
(
text
)
{
/* Text output. */
if
((
out_bio
=
bio_open_default
(
out
,
'w'
,
FORMAT_TEXT
))
==
NULL
)
goto
end
;
if
(
token_out
)
{
...
...
@@ -677,7 +627,6 @@ static int reply_command(CONF *conf, char *section, char *engine,
goto
end
;
}
}
else
{
/* ASN.1 DER output. */
if
((
out_bio
=
bio_open_default
(
out
,
'w'
,
FORMAT_ASN1
))
==
NULL
)
goto
end
;
if
(
token_out
)
{
...
...
@@ -694,15 +643,12 @@ static int reply_command(CONF *conf, char *section, char *engine,
end:
ERR_print_errors
(
bio_err
);
/* Clean up. */
BIO_free_all
(
in_bio
);
BIO_free_all
(
query_bio
);
BIO_free_all
(
inkey_bio
);
BIO_free_all
(
signer_bio
);
BIO_free_all
(
out_bio
);
TS_RESP_free
(
response
);
return
ret
;
}
...
...
@@ -715,30 +661,23 @@ static TS_RESP *read_PKCS7(BIO *in_bio)
TS_RESP
*
resp
=
NULL
;
TS_STATUS_INFO
*
si
=
NULL
;
/* Read PKCS7 object and extract the signed time stamp info. */
if
((
token
=
d2i_PKCS7_bio
(
in_bio
,
NULL
))
==
NULL
)
goto
end
;
if
((
tst_info
=
PKCS7_to_TS_TST_INFO
(
token
))
==
NULL
)
goto
end
;
/* Creating response object. */
if
((
resp
=
TS_RESP_new
())
==
NULL
)
goto
end
;
/* Create granted status info. */
if
((
si
=
TS_STATUS_INFO_new
())
==
NULL
)
goto
end
;
if
(
!
TS_STATUS_INFO_set_status
(
si
,
TS_STATUS_GRANTED
))
goto
end
;
if
(
!
TS_RESP_set_status_info
(
resp
,
si
))
goto
end
;
/* Setting encapsulated token. */
TS_RESP_set_tst_info
(
resp
,
token
,
tst_info
);
token
=
NULL
;
/* Ownership is lost. */
tst_info
=
NULL
;
/* Ownership is lost. */
ret
=
1
;
end:
PKCS7_free
(
token
);
TS_TST_INFO_free
(
tst_info
);
...
...
@@ -762,73 +701,42 @@ static TS_RESP *create_response(CONF *conf, const char *section, char *engine,
if
((
query_bio
=
BIO_new_file
(
queryfile
,
"rb"
))
==
NULL
)
goto
end
;
/* Getting TSA configuration section. */
if
((
section
=
TS_CONF_get_tsa_section
(
conf
,
section
))
==
NULL
)
goto
end
;
/* Setting up response generation context. */
if
((
resp_ctx
=
TS_RESP_CTX_new
())
==
NULL
)
goto
end
;
/* Setting serial number provider callback. */
if
(
!
TS_CONF_set_serial
(
conf
,
section
,
serial_cb
,
resp_ctx
))
goto
end
;
#ifndef OPENSSL_NO_ENGINE
/* Setting default OpenSSL engine. */
if
(
!
TS_CONF_set_crypto_device
(
conf
,
section
,
engine
))
goto
end
;
#endif
/* Setting TSA signer certificate. */
if
(
!
TS_CONF_set_signer_cert
(
conf
,
section
,
signer
,
resp_ctx
))
goto
end
;
/* Setting TSA signer certificate chain. */
if
(
!
TS_CONF_set_certs
(
conf
,
section
,
chain
,
resp_ctx
))
goto
end
;
/* Setting TSA signer private key. */
if
(
!
TS_CONF_set_signer_key
(
conf
,
section
,
inkey
,
passin
,
resp_ctx
))
goto
end
;
/* Setting default policy OID. */
if
(
!
TS_CONF_set_def_policy
(
conf
,
section
,
policy
,
resp_ctx
))
goto
end
;
/* Setting acceptable policy OIDs. */
if
(
!
TS_CONF_set_policies
(
conf
,
section
,
resp_ctx
))
goto
end
;
/* Setting the acceptable one-way hash algorithms. */
if
(
!
TS_CONF_set_digests
(
conf
,
section
,
resp_ctx
))
goto
end
;
/* Setting guaranteed time stamp accuracy. */
if
(
!
TS_CONF_set_accuracy
(
conf
,
section
,
resp_ctx
))
goto
end
;
/* Setting the precision of the time. */
if
(
!
TS_CONF_set_clock_precision_digits
(
conf
,
section
,
resp_ctx
))
goto
end
;
/* Setting the ordering flaf if requested. */
if
(
!
TS_CONF_set_ordering
(
conf
,
section
,
resp_ctx
))
goto
end
;
/* Setting the TSA name required flag if requested. */
if
(
!
TS_CONF_set_tsa_name
(
conf
,
section
,
resp_ctx
))
goto
end
;
/* Setting the ESS cert id chain flag if requested. */
if
(
!
TS_CONF_set_ess_cert_id_chain
(
conf
,
section
,
resp_ctx
))
goto
end
;
/* Creating the response. */
if
((
response
=
TS_RESP_create_response
(
resp_ctx
,
query_bio
))
==
NULL
)
goto
end
;
ret
=
1
;
end:
if
(
!
ret
)
{
TS_RESP_free
(
response
);
...
...
@@ -836,7 +744,6 @@ static TS_RESP *create_response(CONF *conf, const char *section, char *engine,
}
TS_RESP_CTX_free
(
resp_ctx
);
BIO_free_all
(
query_bio
);
return
response
;
}
...
...
@@ -889,6 +796,7 @@ static ASN1_INTEGER *next_serial(const char *serialfile)
goto
err
;
}
ret
=
1
;
err:
if
(
!
ret
)
{
ASN1_INTEGER_free
(
serial
);
...
...
@@ -919,6 +827,7 @@ static int save_ts_serial(const char *serialfile, ASN1_INTEGER *serial)
return
ret
;
}
/*
* Verify-related method definitions.
*/
...
...
@@ -933,7 +842,6 @@ static int verify_command(char *data, char *digest, char *queryfile,
TS_VERIFY_CTX
*
verify_ctx
=
NULL
;
int
ret
=
0
;
/* Decode the token (PKCS7) or response (TS_RESP) files. */
if
((
in_bio
=
BIO_new_file
(
in
,
"rb"
))
==
NULL
)
goto
end
;
if
(
token_in
)
{
...
...
@@ -948,10 +856,9 @@ static int verify_command(char *data, char *digest, char *queryfile,
CApath
,
CAfile
,
untrusted
))
==
NULL
)
goto
end
;
/* Checking the token or response against the request. */
ret
=
token_in
?
TS_RESP_verify_token
(
verify_ctx
,
token
)
:
TS_RESP_verify_response
(
verify_ctx
,
response
);
ret
=
token_in
?
TS_RESP_verify_token
(
verify_ctx
,
token
)
:
TS_RESP_verify_response
(
verify_ctx
,
response
);
end:
printf
(
"Verification: "
);
...
...
@@ -959,11 +866,9 @@ static int verify_command(char *data, char *digest, char *queryfile,
printf
(
"OK
\n
"
);
else
{
printf
(
"FAILED
\n
"
);
/* Print errors, if there are any. */
ERR_print_errors
(
bio_err
);
}
/* Clean up. */
BIO_free_all
(
in_bio
);
PKCS7_free
(
token
);
TS_RESP_free
(
response
);
...
...
@@ -1001,10 +906,6 @@ static TS_VERIFY_CTX *create_verify_ctx(char *data, char *digest,
}
}
else
if
(
queryfile
!=
NULL
)
{
/*
* The request has just to be read, decoded and converted to a verify
* context object.
*/
if
((
input
=
BIO_new_file
(
queryfile
,
"rb"
))
==
NULL
)
goto
err
;
if
((
request
=
d2i_TS_REQ_bio
(
input
,
NULL
))
==
NULL
)
...
...
@@ -1026,8 +927,8 @@ static TS_VERIFY_CTX *create_verify_ctx(char *data, char *digest,
if
(
untrusted
&&
TS_VERIFY_CTS_set_certs
(
ctx
,
TS_CONF_load_certs
(
untrusted
))
==
NULL
)
goto
err
;
ret
=
1
;
err:
if
(
!
ret
)
{
TS_VERIFY_CTX_free
(
ctx
);
...
...
@@ -1044,13 +945,8 @@ static X509_STORE *create_cert_store(char *CApath, char *CAfile)
X509_LOOKUP
*
lookup
=
NULL
;
int
i
;
/* Creating the X509_STORE object. */
cert_ctx
=
X509_STORE_new
();
/* Setting the callback for certificate chain verification. */
X509_STORE_set_verify_cb
(
cert_ctx
,
verify_cb
);
/* Adding a trusted certificate directory source. */
if
(
CApath
)
{
lookup
=
X509_STORE_add_lookup
(
cert_ctx
,
X509_LOOKUP_hash_dir
());
if
(
lookup
==
NULL
)
{
...
...
@@ -1064,7 +960,6 @@ static X509_STORE *create_cert_store(char *CApath, char *CAfile)
}
}
/* Adding a trusted certificate file source. */
if
(
CAfile
)
{
lookup
=
X509_STORE_add_lookup
(
cert_ctx
,
X509_LOOKUP_file
());
if
(
lookup
==
NULL
)
{
...
...
@@ -1077,8 +972,8 @@ static X509_STORE *create_cert_store(char *CApath, char *CAfile)
goto
err
;
}
}
return
cert_ctx
;
err:
X509_STORE_free
(
cert_ctx
);
return
NULL
;
...
...
crypto/ts/ts_asn1.c
浏览文件 @
18cd23df
...
...
@@ -287,31 +287,22 @@ TS_TST_INFO *PKCS7_to_TS_TST_INFO(PKCS7 *token)
TSerr
(
TS_F_PKCS7_TO_TS_TST_INFO
,
TS_R_BAD_PKCS7_TYPE
);
return
NULL
;
}
/* Content must be present. */
if
(
PKCS7_get_detached
(
token
))
{
TSerr
(
TS_F_PKCS7_TO_TS_TST_INFO
,
TS_R_DETACHED_CONTENT
);
return
NULL
;
}
/* We have a signed data with content. */
pkcs7_signed
=
token
->
d
.
sign
;
enveloped
=
pkcs7_signed
->
contents
;
if
(
OBJ_obj2nid
(
enveloped
->
type
)
!=
NID_id_smime_ct_TSTInfo
)
{
TSerr
(
TS_F_PKCS7_TO_TS_TST_INFO
,
TS_R_BAD_PKCS7_TYPE
);
return
NULL
;
}
/* We have a DER encoded TST_INFO as the signed data. */
tst_info_wrapper
=
enveloped
->
d
.
other
;
if
(
tst_info_wrapper
->
type
!=
V_ASN1_OCTET_STRING
)
{
TSerr
(
TS_F_PKCS7_TO_TS_TST_INFO
,
TS_R_BAD_TYPE
);
return
NULL
;
}
/* We have the correct ASN1_OCTET_STRING type. */
tst_info_der
=
tst_info_wrapper
->
value
.
octet_string
;
/* At last, decode the TST_INFO. */
p
=
tst_info_der
->
data
;
return
d2i_TS_TST_INFO
(
NULL
,
&
p
,
tst_info_der
->
length
);
}
crypto/ts/ts_conf.c
浏览文件 @
18cd23df
...
...
@@ -68,7 +68,6 @@
#include <openssl/ts.h>
/* Macro definitions for the configuration file. */
#define BASE_SECTION "tsa"
#define ENV_DEFAULT_TSA "default_tsa"
#define ENV_SERIAL "serial"
...
...
@@ -214,20 +213,17 @@ int TS_CONF_set_default_engine(const char *name)
ENGINE
*
e
=
NULL
;
int
ret
=
0
;
/* Leave the default if builtin specified. */
if
(
strcmp
(
name
,
"builtin"
)
==
0
)
return
1
;
if
((
e
=
ENGINE_by_id
(
name
))
==
NULL
)
goto
err
;
/* Enable the use of the NCipher HSM for forked children. */
if
(
strcmp
(
name
,
"chil"
)
==
0
)
ENGINE_ctrl
(
e
,
ENGINE_CTRL_CHIL_SET_FORKCHECK
,
1
,
0
,
0
);
/* All the operations are going to be carried out by the engine. */
if
(
!
ENGINE_set_default
(
e
,
ENGINE_METHOD_ALL
))
goto
err
;
ret
=
1
;
err:
if
(
!
ret
)
{
TSerr
(
TS_F_TS_CONF_SET_DEFAULT_ENGINE
,
TS_R_COULD_NOT_SET_ENGINE
);
...
...
@@ -467,8 +463,8 @@ int TS_CONF_set_clock_precision_digits(CONF *conf, const char *section,
static
int
ts_CONF_add_flag
(
CONF
*
conf
,
const
char
*
section
,
const
char
*
field
,
int
flag
,
TS_RESP_CTX
*
ctx
)
{
/* Default is false. */
const
char
*
value
=
NCONF_get_string
(
conf
,
section
,
field
);
if
(
value
)
{
if
(
strcmp
(
value
,
ENV_VALUE_YES
)
==
0
)
TS_RESP_CTX_add_flags
(
ctx
,
flag
);
...
...
crypto/ts/ts_lib.c
浏览文件 @
18cd23df
...
...
@@ -66,10 +66,6 @@
#include <openssl/ts.h>
#include "ts_lcl.h"
/* Local function declarations. */
/* Function definitions. */
int
TS_ASN1_INTEGER_print_bio
(
BIO
*
bio
,
const
ASN1_INTEGER
*
num
)
{
BIGNUM
*
num_bn
;
...
...
crypto/ts/ts_req_print.c
浏览文件 @
18cd23df
...
...
@@ -65,8 +65,6 @@
#include <openssl/ts.h>
#include "ts_lcl.h"
/* Function definitions. */
int
TS_REQ_print_bio
(
BIO
*
bio
,
TS_REQ
*
a
)
{
int
v
;
...
...
crypto/ts/ts_rsp_print.c
浏览文件 @
18cd23df
...
...
@@ -70,13 +70,10 @@ struct status_map_st {
const
char
*
text
;
};
/* Local function declarations. */
static
int
ts_status_map_print
(
BIO
*
bio
,
const
struct
status_map_st
*
a
,
const
ASN1_BIT_STRING
*
v
);
static
int
ts_ACCURACY_print_bio
(
BIO
*
bio
,
const
TS_ACCURACY
*
accuracy
);
/* Function definitions. */
int
TS_RESP_print_bio
(
BIO
*
bio
,
TS_RESP
*
a
)
{
...
...
@@ -125,7 +122,6 @@ int TS_STATUS_INFO_print_bio(BIO *bio, TS_STATUS_INFO *a)
long
status
;
int
i
,
lines
=
0
;
/* Printing status code. */
BIO_printf
(
bio
,
"Status: "
);
status
=
ASN1_INTEGER_get
(
a
->
status
);
if
(
0
<=
status
&&
status
<
(
long
)
OSSL_NELEM
(
status_map
))
...
...
@@ -133,7 +129,6 @@ int TS_STATUS_INFO_print_bio(BIO *bio, TS_STATUS_INFO *a)
else
BIO_printf
(
bio
,
"out of bounds
\n
"
);
/* Printing status description. */
BIO_printf
(
bio
,
"Status description: "
);
for
(
i
=
0
;
i
<
sk_ASN1_UTF8STRING_num
(
a
->
text
);
++
i
)
{
if
(
i
>
0
)
...
...
@@ -144,7 +139,6 @@ int TS_STATUS_INFO_print_bio(BIO *bio, TS_STATUS_INFO *a)
if
(
i
==
0
)
BIO_printf
(
bio
,
"unspecified
\n
"
);
/* Printing failure information. */
BIO_printf
(
bio
,
"Failure info: "
);
if
(
a
->
failure_info
!=
NULL
)
lines
=
ts_status_map_print
(
bio
,
failure_map
,
a
->
failure_info
);
...
...
@@ -178,18 +172,14 @@ int TS_TST_INFO_print_bio(BIO *bio, TS_TST_INFO *a)
if
(
a
==
NULL
)
return
0
;
/* Print version. */
v
=
ASN1_INTEGER_get
(
a
->
version
);
BIO_printf
(
bio
,
"Version: %d
\n
"
,
v
);
/* Print policy id. */
BIO_printf
(
bio
,
"Policy OID: "
);
TS_OBJ_print_bio
(
bio
,
a
->
policy_id
);
/* Print message imprint. */
TS_MSG_IMPRINT_print_bio
(
bio
,
a
->
msg_imprint
);
/* Print serial number. */
BIO_printf
(
bio
,
"Serial number: "
);
if
(
a
->
serial
==
NULL
)
BIO_printf
(
bio
,
"unspecified"
);
...
...
@@ -197,12 +187,10 @@ int TS_TST_INFO_print_bio(BIO *bio, TS_TST_INFO *a)
TS_ASN1_INTEGER_print_bio
(
bio
,
a
->
serial
);
BIO_write
(
bio
,
"
\n
"
,
1
);
/* Print time stamp. */
BIO_printf
(
bio
,
"Time stamp: "
);
ASN1_GENERALIZEDTIME_print
(
bio
,
a
->
time
);
BIO_write
(
bio
,
"
\n
"
,
1
);
/* Print accuracy. */
BIO_printf
(
bio
,
"Accuracy: "
);
if
(
a
->
accuracy
==
NULL
)
BIO_printf
(
bio
,
"unspecified"
);
...
...
@@ -210,10 +198,8 @@ int TS_TST_INFO_print_bio(BIO *bio, TS_TST_INFO *a)
ts_ACCURACY_print_bio
(
bio
,
a
->
accuracy
);
BIO_write
(
bio
,
"
\n
"
,
1
);
/* Print ordering. */
BIO_printf
(
bio
,
"Ordering: %s
\n
"
,
a
->
ordering
?
"yes"
:
"no"
);
/* Print nonce. */
BIO_printf
(
bio
,
"Nonce: "
);
if
(
a
->
nonce
==
NULL
)
BIO_printf
(
bio
,
"unspecified"
);
...
...
@@ -221,7 +207,6 @@ int TS_TST_INFO_print_bio(BIO *bio, TS_TST_INFO *a)
TS_ASN1_INTEGER_print_bio
(
bio
,
a
->
nonce
);
BIO_write
(
bio
,
"
\n
"
,
1
);
/* Print TSA name. */
BIO_printf
(
bio
,
"TSA: "
);
if
(
a
->
tsa
==
NULL
)
BIO_printf
(
bio
,
"unspecified"
);
...
...
@@ -233,7 +218,6 @@ int TS_TST_INFO_print_bio(BIO *bio, TS_TST_INFO *a)
}
BIO_write
(
bio
,
"
\n
"
,
1
);
/* Print extensions. */
TS_ext_print_bio
(
bio
,
a
->
extensions
);
return
1
;
...
...
crypto/ts/ts_rsp_sign.c
浏览文件 @
18cd23df
...
...
@@ -68,8 +68,6 @@
#include <openssl/pkcs7.h>
#include "ts_lcl.h"
/* Private function declarations. */
static
ASN1_INTEGER
*
def_serial_cb
(
struct
TS_resp_ctx
*
,
void
*
);
static
int
def_time_cb
(
struct
TS_resp_ctx
*
,
void
*
,
long
*
sec
,
long
*
usec
);
static
int
def_extension_cb
(
struct
TS_resp_ctx
*
,
X509_EXTENSION
*
,
void
*
);
...
...
@@ -93,16 +91,17 @@ static ASN1_GENERALIZEDTIME
*
TS_RESP_set_genTime_with_precision
(
ASN1_GENERALIZEDTIME
*
,
long
,
long
,
unsigned
);
/* Default callbacks for response generation. */
/* Default callback for response generation. */
static
ASN1_INTEGER
*
def_serial_cb
(
struct
TS_resp_ctx
*
ctx
,
void
*
data
)
{
ASN1_INTEGER
*
serial
=
ASN1_INTEGER_new
();
if
(
!
serial
)
goto
err
;
if
(
!
ASN1_INTEGER_set
(
serial
,
1
))
goto
err
;
return
serial
;
err:
TSerr
(
TS_F_DEF_SERIAL_CB
,
ERR_R_MALLOC_FAILURE
);
TS_RESP_CTX_set_status_info
(
ctx
,
TS_STATUS_REJECTION
,
...
...
@@ -112,7 +111,6 @@ static ASN1_INTEGER *def_serial_cb(struct TS_resp_ctx *ctx, void *data)
#if defined(OPENSSL_SYS_UNIX)
/* Use the gettimeofday function call. */
static
int
def_time_cb
(
struct
TS_resp_ctx
*
ctx
,
void
*
data
,
long
*
sec
,
long
*
usec
)
{
...
...
@@ -124,7 +122,6 @@ static int def_time_cb(struct TS_resp_ctx *ctx, void *data,
TS_RESP_CTX_add_failure_info
(
ctx
,
TS_INFO_TIME_NOT_AVAILABLE
);
return
0
;
}
/* Return time to caller. */
*
sec
=
tv
.
tv_sec
;
*
usec
=
tv
.
tv_usec
;
...
...
@@ -133,7 +130,6 @@ static int def_time_cb(struct TS_resp_ctx *ctx, void *data,
#else
/* Use the time function call that provides only seconds precision. */
static
int
def_time_cb
(
struct
TS_resp_ctx
*
ctx
,
void
*
data
,
long
*
sec
,
long
*
usec
)
{
...
...
@@ -145,7 +141,6 @@ static int def_time_cb(struct TS_resp_ctx *ctx, void *data,
TS_RESP_CTX_add_failure_info
(
ctx
,
TS_INFO_TIME_NOT_AVAILABLE
);
return
0
;
}
/* Return time to caller, only second precision. */
*
sec
=
(
long
)
t
;
*
usec
=
0
;
...
...
@@ -157,7 +152,6 @@ static int def_time_cb(struct TS_resp_ctx *ctx, void *data,
static
int
def_extension_cb
(
struct
TS_resp_ctx
*
ctx
,
X509_EXTENSION
*
ext
,
void
*
data
)
{
/* No extensions are processed here. */
TS_RESP_CTX_set_status_info
(
ctx
,
TS_STATUS_REJECTION
,
"Unsupported extension."
);
TS_RESP_CTX_add_failure_info
(
ctx
,
TS_INFO_UNACCEPTED_EXTENSION
);
...
...
@@ -175,7 +169,6 @@ TS_RESP_CTX *TS_RESP_CTX_new()
return
NULL
;
}
/* Setting default callbacks. */
ctx
->
serial_cb
=
def_serial_cb
;
ctx
->
time_cb
=
def_time_cb
;
ctx
->
extension_cb
=
def_extension_cb
;
...
...
@@ -252,7 +245,6 @@ int TS_RESP_CTX_add_policy(TS_RESP_CTX *ctx, ASN1_OBJECT *policy)
{
ASN1_OBJECT
*
copy
=
NULL
;
/* Create new policy stack if necessary. */
if
(
ctx
->
policies
==
NULL
&&
(
ctx
->
policies
=
sk_ASN1_OBJECT_new_null
())
==
NULL
)
goto
err
;
...
...
@@ -270,11 +262,9 @@ int TS_RESP_CTX_add_policy(TS_RESP_CTX *ctx, ASN1_OBJECT *policy)
int
TS_RESP_CTX_add_md
(
TS_RESP_CTX
*
ctx
,
const
EVP_MD
*
md
)
{
/* Create new md stack if necessary. */
if
(
ctx
->
mds
==
NULL
&&
(
ctx
->
mds
=
sk_EVP_MD_new_null
())
==
NULL
)
goto
err
;
/* Add the shared md, no copy needed. */
if
(
!
sk_EVP_MD_push
(
ctx
->
mds
,
(
EVP_MD
*
)
md
))
goto
err
;
...
...
@@ -381,7 +371,6 @@ int TS_RESP_CTX_set_status_info_cond(TS_RESP_CTX *ctx,
TS_STATUS_INFO
*
si
=
ctx
->
response
->
status_info
;
if
(
ASN1_INTEGER_get
(
si
->
status
)
==
TS_STATUS_GRANTED
)
{
/* Status has not been set, set it now. */
ret
=
TS_RESP_CTX_set_status_info
(
ctx
,
status
,
text
);
}
return
ret
;
...
...
@@ -429,46 +418,30 @@ TS_RESP *TS_RESP_create_response(TS_RESP_CTX *ctx, BIO *req_bio)
ts_RESP_CTX_init
(
ctx
);
/* Creating the response object. */
if
((
ctx
->
response
=
TS_RESP_new
())
==
NULL
)
{
TSerr
(
TS_F_TS_RESP_CREATE_RESPONSE
,
ERR_R_MALLOC_FAILURE
);
goto
end
;
}
/* Parsing DER request. */
if
((
ctx
->
request
=
d2i_TS_REQ_bio
(
req_bio
,
NULL
))
==
NULL
)
{
TS_RESP_CTX_set_status_info
(
ctx
,
TS_STATUS_REJECTION
,
"Bad request format or
"
"
system error."
);
"Bad request format or system error."
);
TS_RESP_CTX_add_failure_info
(
ctx
,
TS_INFO_BAD_DATA_FORMAT
);
goto
end
;
}
/* Setting default status info. */
if
(
!
TS_RESP_CTX_set_status_info
(
ctx
,
TS_STATUS_GRANTED
,
NULL
))
goto
end
;
/* Checking the request format. */
if
(
!
ts_RESP_check_request
(
ctx
))
goto
end
;
/* Checking acceptable policies. */
if
((
policy
=
ts_RESP_get_policy
(
ctx
))
==
NULL
)
goto
end
;
/* Creating the TS_TST_INFO object. */
if
((
ctx
->
tst_info
=
ts_RESP_create_tst_info
(
ctx
,
policy
))
==
NULL
)
goto
end
;
/* Processing extensions. */
if
(
!
ts_RESP_process_extensions
(
ctx
))
goto
end
;
/* Generating the signature. */
if
(
!
ts_RESP_sign
(
ctx
))
goto
end
;
/* Everything was successful. */
result
=
1
;
end:
if
(
!
result
)
{
TSerr
(
TS_F_TS_RESP_CREATE_RESPONSE
,
TS_R_RESPONSE_SETUP_ERROR
);
...
...
@@ -518,7 +491,6 @@ static int ts_RESP_check_request(TS_RESP_CTX *ctx)
EVP_MD
*
md
=
NULL
;
int
i
;
/* Checking request version. */
if
(
TS_REQ_get_version
(
request
)
!=
1
)
{
TS_RESP_CTX_set_status_info
(
ctx
,
TS_STATUS_REJECTION
,
"Bad request version."
);
...
...
@@ -526,7 +498,6 @@ static int ts_RESP_check_request(TS_RESP_CTX *ctx)
return
0
;
}
/* Checking message digest algorithm. */
msg_imprint
=
request
->
msg_imprint
;
md_alg
=
msg_imprint
->
hash_algo
;
md_alg_id
=
OBJ_obj2nid
(
md_alg
->
algorithm
);
...
...
@@ -543,7 +514,6 @@ static int ts_RESP_check_request(TS_RESP_CTX *ctx)
return
0
;
}
/* No message digest takes parameter. */
if
(
md_alg
->
parameter
&&
ASN1_TYPE_get
(
md_alg
->
parameter
)
!=
V_ASN1_NULL
)
{
TS_RESP_CTX_set_status_info
(
ctx
,
TS_STATUS_REJECTION
,
"Superfluous message digest "
...
...
@@ -551,7 +521,6 @@ static int ts_RESP_check_request(TS_RESP_CTX *ctx)
TS_RESP_CTX_add_failure_info
(
ctx
,
TS_INFO_BAD_ALG
);
return
0
;
}
/* Checking message digest size. */
digest
=
msg_imprint
->
hashed_msg
;
if
(
digest
->
length
!=
EVP_MD_size
(
md
))
{
TS_RESP_CTX_set_status_info
(
ctx
,
TS_STATUS_REJECTION
,
...
...
@@ -574,10 +543,6 @@ static ASN1_OBJECT *ts_RESP_get_policy(TS_RESP_CTX *ctx)
TSerr
(
TS_F_TS_RESP_GET_POLICY
,
TS_R_INVALID_NULL_POINTER
);
return
NULL
;
}
/*
* Return the default policy if none is requested or the default is
* requested.
*/
if
(
!
requested
||
!
OBJ_cmp
(
requested
,
ctx
->
default_policy
))
policy
=
ctx
->
default_policy
;
...
...
@@ -627,11 +592,9 @@ static TS_TST_INFO *ts_RESP_create_tst_info(TS_RESP_CTX *ctx,
||
!
TS_TST_INFO_set_time
(
tst_info
,
asn1_time
))
goto
end
;
/* Setting accuracy if needed. */
if
((
ctx
->
seconds
||
ctx
->
millis
||
ctx
->
micros
)
&&
(
accuracy
=
TS_ACCURACY_new
())
==
NULL
)
goto
end
;
if
(
ctx
->
seconds
&&
!
TS_ACCURACY_set_seconds
(
accuracy
,
ctx
->
seconds
))
goto
end
;
if
(
ctx
->
millis
&&
!
TS_ACCURACY_set_millis
(
accuracy
,
ctx
->
millis
))
...
...
@@ -641,17 +604,14 @@ static TS_TST_INFO *ts_RESP_create_tst_info(TS_RESP_CTX *ctx,
if
(
accuracy
&&
!
TS_TST_INFO_set_accuracy
(
tst_info
,
accuracy
))
goto
end
;
/* Setting ordering. */
if
((
ctx
->
flags
&
TS_ORDERING
)
&&
!
TS_TST_INFO_set_ordering
(
tst_info
,
1
))
goto
end
;
/* Setting nonce if needed. */
if
((
nonce
=
ctx
->
request
->
nonce
)
!=
NULL
&&
!
TS_TST_INFO_set_nonce
(
tst_info
,
nonce
))
goto
end
;
/* Setting TSA name to subject of signer certificate. */
if
(
ctx
->
flags
&
TS_TSA_NAME
)
{
if
((
tsa_name
=
GENERAL_NAME_new
())
==
NULL
)
goto
end
;
...
...
@@ -692,7 +652,7 @@ static int ts_RESP_process_extensions(TS_RESP_CTX *ctx)
for
(
i
=
0
;
ok
&&
i
<
sk_X509_EXTENSION_num
(
exts
);
++
i
)
{
X509_EXTENSION
*
ext
=
sk_X509_EXTENSION_value
(
exts
,
i
);
/*
*
XXXXX
The last argument was previously (void *)ctx->extension_cb,
* The last argument was previously (void *)ctx->extension_cb,
* but ISO C doesn't permit converting a function pointer to void *.
* For lack of better information, I'm placing a NULL there instead.
* The callback can pick its own address out from the ctx anyway...
...
...
@@ -715,25 +675,20 @@ static int ts_RESP_sign(TS_RESP_CTX *ctx)
BIO
*
p7bio
=
NULL
;
int
i
;
/* Check if signcert and pkey match. */
if
(
!
X509_check_private_key
(
ctx
->
signer_cert
,
ctx
->
signer_key
))
{
TSerr
(
TS_F_TS_RESP_SIGN
,
TS_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE
);
goto
err
;
}
/* Create a new PKCS7 signed object. */
if
((
p7
=
PKCS7_new
())
==
NULL
)
{
TSerr
(
TS_F_TS_RESP_SIGN
,
ERR_R_MALLOC_FAILURE
);
goto
err
;
}
if
(
!
PKCS7_set_type
(
p7
,
NID_pkcs7_signed
))
goto
err
;
/* Force SignedData version to be 3 instead of the default 1. */
if
(
!
ASN1_INTEGER_set
(
p7
->
d
.
sign
->
version
,
3
))
goto
err
;
/* Add signer certificate and optional certificate chain. */
if
(
ctx
->
request
->
cert_req
)
{
PKCS7_add_certificate
(
p7
,
ctx
->
signer_cert
);
if
(
ctx
->
certs
)
{
...
...
@@ -744,14 +699,12 @@ static int ts_RESP_sign(TS_RESP_CTX *ctx)
}
}
/* Add a new signer info. */
if
((
si
=
PKCS7_add_signature
(
p7
,
ctx
->
signer_cert
,
ctx
->
signer_key
,
EVP_sha1
()))
==
NULL
)
{
TSerr
(
TS_F_TS_RESP_SIGN
,
TS_R_PKCS7_ADD_SIGNATURE_ERROR
);
goto
err
;
}
/* Add content type signed attribute to the signer info. */
oid
=
OBJ_nid2obj
(
NID_id_smime_ct_TSTInfo
);
if
(
!
PKCS7_add_signed_attribute
(
si
,
NID_pkcs9_contentType
,
V_ASN1_OBJECT
,
oid
))
{
...
...
@@ -759,43 +712,28 @@ static int ts_RESP_sign(TS_RESP_CTX *ctx)
goto
err
;
}
/*
* Create the ESS SigningCertificate attribute which contains the signer
* certificate id and optionally the certificate chain.
*/
certs
=
ctx
->
flags
&
TS_ESS_CERT_ID_CHAIN
?
ctx
->
certs
:
NULL
;
if
((
sc
=
ess_SIGNING_CERT_new_init
(
ctx
->
signer_cert
,
certs
))
==
NULL
)
goto
err
;
/* Add SigningCertificate signed attribute to the signer info. */
if
(
!
ESS_add_signing_cert
(
si
,
sc
))
{
TSerr
(
TS_F_TS_RESP_SIGN
,
TS_R_ESS_ADD_SIGNING_CERT_ERROR
);
goto
err
;
}
/* Add a new empty NID_id_smime_ct_TSTInfo encapsulated content. */
if
(
!
ts_TST_INFO_content_new
(
p7
))
goto
err
;
/* Add the DER encoded tst_info to the PKCS7 structure. */
if
((
p7bio
=
PKCS7_dataInit
(
p7
,
NULL
))
==
NULL
)
{
TSerr
(
TS_F_TS_RESP_SIGN
,
ERR_R_MALLOC_FAILURE
);
goto
err
;
}
/* Convert tst_info to DER. */
if
(
!
i2d_TS_TST_INFO_bio
(
p7bio
,
ctx
->
tst_info
))
{
TSerr
(
TS_F_TS_RESP_SIGN
,
TS_R_TS_DATASIGN
);
goto
err
;
}
/* Create the signature and add it to the signer info. */
if
(
!
PKCS7_dataFinal
(
p7
,
p7bio
))
{
TSerr
(
TS_F_TS_RESP_SIGN
,
TS_R_TS_DATASIGN
);
goto
err
;
}
/* Set new PKCS7 and TST_INFO objects. */
TS_RESP_set_tst_info
(
ctx
->
response
,
p7
,
ctx
->
tst_info
);
p7
=
NULL
;
/* Ownership is lost. */
ctx
->
tst_info
=
NULL
;
/* Ownership is lost. */
...
...
@@ -819,18 +757,15 @@ static ESS_SIGNING_CERT *ess_SIGNING_CERT_new_init(X509 *signcert,
ESS_SIGNING_CERT
*
sc
=
NULL
;
int
i
;
/* Creating the ESS_CERT_ID stack. */
if
((
sc
=
ESS_SIGNING_CERT_new
())
==
NULL
)
goto
err
;
if
(
sc
->
cert_ids
==
NULL
&&
(
sc
->
cert_ids
=
sk_ESS_CERT_ID_new_null
())
==
NULL
)
goto
err
;
/* Adding the signing certificate id. */
if
((
cid
=
ess_CERT_ID_new_init
(
signcert
,
0
))
==
NULL
||
!
sk_ESS_CERT_ID_push
(
sc
->
cert_ids
,
cid
))
goto
err
;
/* Adding the certificate chain ids. */
for
(
i
=
0
;
i
<
sk_X509_num
(
certs
);
++
i
)
{
X509
*
cert
=
sk_X509_value
(
certs
,
i
);
if
((
cid
=
ess_CERT_ID_new_init
(
cert
,
1
))
==
NULL
...
...
@@ -850,9 +785,7 @@ static ESS_CERT_ID *ess_CERT_ID_new_init(X509 *cert, int issuer_needed)
ESS_CERT_ID
*
cid
=
NULL
;
GENERAL_NAME
*
name
=
NULL
;
/* Recompute SHA1 hash of certificate if necessary (side effect). */
X509_check_purpose
(
cert
,
-
1
,
0
);
if
((
cid
=
ESS_CERT_ID_new
())
==
NULL
)
goto
err
;
if
(
!
ASN1_OCTET_STRING_set
(
cid
->
hash
,
cert
->
sha1_hash
,
...
...
@@ -861,11 +794,9 @@ static ESS_CERT_ID *ess_CERT_ID_new_init(X509 *cert, int issuer_needed)
/* Setting the issuer/serial if requested. */
if
(
issuer_needed
)
{
/* Creating issuer/serial structure. */
if
(
cid
->
issuer_serial
==
NULL
&&
(
cid
->
issuer_serial
=
ESS_ISSUER_SERIAL_new
())
==
NULL
)
goto
err
;
/* Creating general name from the certificate issuer. */
if
((
name
=
GENERAL_NAME_new
())
==
NULL
)
goto
err
;
name
->
type
=
GEN_DIRNAME
;
...
...
@@ -874,7 +805,6 @@ static ESS_CERT_ID *ess_CERT_ID_new_init(X509 *cert, int issuer_needed)
if
(
!
sk_GENERAL_NAME_push
(
cid
->
issuer_serial
->
issuer
,
name
))
goto
err
;
name
=
NULL
;
/* Ownership is lost. */
/* Setting the serial number. */
ASN1_INTEGER_free
(
cid
->
issuer_serial
->
serial
);
if
(
!
(
cid
->
issuer_serial
->
serial
=
ASN1_INTEGER_dup
(
X509_get_serialNumber
(
cert
))))
...
...
@@ -973,12 +903,7 @@ static ASN1_GENERALIZEDTIME
tm
->
tm_year
+
1900
,
tm
->
tm_mon
+
1
,
tm
->
tm_mday
,
tm
->
tm_hour
,
tm
->
tm_min
,
tm
->
tm_sec
);
if
(
precision
>
0
)
{
/* Add fraction of seconds (leave space for dot and null). */
BIO_snprintf
(
p
,
2
+
precision
,
".%06ld"
,
usec
);
/*
* We cannot use the snprintf return value, because it might have
* been truncated.
*/
p
+=
strlen
(
p
);
/*
...
...
@@ -997,18 +922,13 @@ static ASN1_GENERALIZEDTIME
* this loop even if all the digits are zero.
*/
while
(
*--
p
==
'0'
)
/*
* empty
*/
;
/* p points to either the dot or the last non-zero digit. */
continue
;
if
(
*
p
!=
'.'
)
++
p
;
}
/* Add the trailing Z and the terminating null. */
*
p
++
=
'Z'
;
*
p
++
=
'\0'
;
/* Now call OpenSSL to check and set our genTime value */
if
(
asn1_time
==
NULL
&&
(
asn1_time
=
ASN1_GENERALIZEDTIME_new
())
==
NULL
)
goto
err
;
...
...
@@ -1016,8 +936,8 @@ static ASN1_GENERALIZEDTIME
ASN1_GENERALIZEDTIME_free
(
asn1_time
);
goto
err
;
}
return
asn1_time
;
err:
TSerr
(
TS_F_TS_RESP_SET_GENTIME_WITH_PRECISION
,
TS_R_COULD_NOT_SET_TIME
);
return
NULL
;
...
...
crypto/ts/ts_rsp_utils.c
浏览文件 @
18cd23df
...
...
@@ -64,8 +64,6 @@
#include <openssl/pkcs7.h>
#include "ts_lcl.h"
/* Function definitions. */
int
TS_RESP_set_status_info
(
TS_RESP
*
a
,
TS_STATUS_INFO
*
status_info
)
{
TS_STATUS_INFO
*
new_status_info
;
...
...
@@ -91,7 +89,6 @@ TS_STATUS_INFO *TS_RESP_get_status_info(TS_RESP *a)
/* Caller loses ownership of PKCS7 and TS_TST_INFO objects. */
void
TS_RESP_set_tst_info
(
TS_RESP
*
a
,
PKCS7
*
p7
,
TS_TST_INFO
*
tst_info
)
{
/* Set new PKCS7 and TST_INFO objects. */
PKCS7_free
(
a
->
token
);
a
->
token
=
p7
;
TS_TST_INFO_free
(
a
->
tst_info
);
...
...
crypto/ts/ts_rsp_verify.c
浏览文件 @
18cd23df
...
...
@@ -64,8 +64,6 @@
#include <openssl/pkcs7.h>
#include "ts_lcl.h"
/* Private function declarations. */
static
int
ts_verify_cert
(
X509_STORE
*
store
,
STACK_OF
(
X509
)
*
untrusted
,
X509
*
signer
,
STACK_OF
(
X509
)
**
chain
);
static
int
ts_check_signing_certs
(
PKCS7_SIGNER_INFO
*
si
,
...
...
@@ -126,7 +124,6 @@ static struct {
#define TS_FAILURE_INFO_SIZE OSSL_NELEM(ts_failure_info)
/* Functions for verifying a signed TS_TST_INFO structure. */
/*-
* This function carries out the following tasks:
...
...
@@ -157,22 +154,16 @@ int TS_RESP_verify_signature(PKCS7 *token, STACK_OF(X509) *certs,
TSerr
(
TS_F_TS_RESP_VERIFY_SIGNATURE
,
TS_R_INVALID_NULL_POINTER
);
goto
err
;
}
/* Check for the correct content type */
if
(
!
PKCS7_type_is_signed
(
token
))
{
TSerr
(
TS_F_TS_RESP_VERIFY_SIGNATURE
,
TS_R_WRONG_CONTENT_TYPE
);
goto
err
;
}
/* Check if there is one and only one signer. */
sinfos
=
PKCS7_get_signer_info
(
token
);
if
(
!
sinfos
||
sk_PKCS7_SIGNER_INFO_num
(
sinfos
)
!=
1
)
{
TSerr
(
TS_F_TS_RESP_VERIFY_SIGNATURE
,
TS_R_THERE_MUST_BE_ONE_SIGNER
);
goto
err
;
}
si
=
sk_PKCS7_SIGNER_INFO_value
(
sinfos
,
0
);
/* Check for no content: no data to verify signature. */
if
(
PKCS7_get_detached
(
token
))
{
TSerr
(
TS_F_TS_RESP_VERIFY_SIGNATURE
,
TS_R_NO_CONTENT
);
goto
err
;
...
...
@@ -187,35 +178,26 @@ int TS_RESP_verify_signature(PKCS7 *token, STACK_OF(X509) *certs,
goto
err
;
signer
=
sk_X509_value
(
signers
,
0
);
/* Now verify the certificate. */
if
(
!
ts_verify_cert
(
store
,
certs
,
signer
,
&
chain
))
goto
err
;
/*
* Check if the signer certificate is consistent with the ESS extension.
*/
if
(
!
ts_check_signing_certs
(
si
,
chain
))
goto
err
;
/* Creating the message digest. */
p7bio
=
PKCS7_dataInit
(
token
,
NULL
);
/* We now have to 'read' from p7bio to calculate digests etc. */
while
((
i
=
BIO_read
(
p7bio
,
buf
,
sizeof
(
buf
)))
>
0
)
;
while
((
i
=
BIO_read
(
p7bio
,
buf
,
sizeof
(
buf
)))
>
0
)
continue
;
/* Verifying the signature. */
j
=
PKCS7_signatureVerify
(
p7bio
,
token
,
si
,
signer
);
if
(
j
<=
0
)
{
TSerr
(
TS_F_TS_RESP_VERIFY_SIGNATURE
,
TS_R_SIGNATURE_FAILURE
);
goto
err
;
}
/* Return the signer certificate if needed. */
if
(
signer_out
)
{
*
signer_out
=
signer
;
X509_up_ref
(
signer
);
}
ret
=
1
;
err:
...
...
@@ -237,7 +219,6 @@ static int ts_verify_cert(X509_STORE *store, STACK_OF(X509) *untrusted,
int
i
;
int
ret
=
1
;
/* chain is an out argument. */
*
chain
=
NULL
;
X509_STORE_CTX_init
(
&
cert_ctx
,
store
,
signer
,
untrusted
);
X509_STORE_CTX_set_purpose
(
&
cert_ctx
,
X509_PURPOSE_TIMESTAMP_SIGN
);
...
...
@@ -249,7 +230,6 @@ static int ts_verify_cert(X509_STORE *store, STACK_OF(X509) *untrusted,
X509_verify_cert_error_string
(
j
));
ret
=
0
;
}
else
{
/* Get a copy of the certificate chain. */
*
chain
=
X509_STORE_CTX_get1_chain
(
&
cert_ctx
);
}
...
...
@@ -270,7 +250,6 @@ static int ts_check_signing_certs(PKCS7_SIGNER_INFO *si,
if
(
!
ss
)
goto
err
;
cert_ids
=
ss
->
cert_ids
;
/* The signer certificate must be the first in cert_ids. */
cert
=
sk_X509_value
(
chain
,
0
);
if
(
ts_find_cert
(
cert_ids
,
cert
)
!=
0
)
goto
err
;
...
...
@@ -280,7 +259,6 @@ static int ts_check_signing_certs(PKCS7_SIGNER_INFO *si,
* certificate ids in cert_ids.
*/
if
(
sk_ESS_CERT_ID_num
(
cert_ids
)
>
1
)
{
/* All the certificates of the chain must be in cert_ids. */
for
(
i
=
1
;
i
<
sk_X509_num
(
chain
);
++
i
)
{
cert
=
sk_X509_value
(
chain
,
i
);
if
(
ts_find_cert
(
cert_ids
,
cert
)
<
0
)
...
...
@@ -322,11 +300,9 @@ static int ts_find_cert(STACK_OF(ESS_CERT_ID) *cert_ids, X509 *cert)
for
(
i
=
0
;
i
<
sk_ESS_CERT_ID_num
(
cert_ids
);
++
i
)
{
ESS_CERT_ID
*
cid
=
sk_ESS_CERT_ID_value
(
cert_ids
,
i
);
/* Check the SHA-1 hash first. */
if
(
cid
->
hash
->
length
==
sizeof
(
cert
->
sha1_hash
)
&&
!
memcmp
(
cid
->
hash
->
data
,
cert
->
sha1_hash
,
sizeof
(
cert
->
sha1_hash
)))
{
/* Check the issuer/serial as well if specified. */
&&
memcmp
(
cid
->
hash
->
data
,
cert
->
sha1_hash
,
sizeof
(
cert
->
sha1_hash
))
==
0
)
{
ESS_ISSUER_SERIAL
*
is
=
cid
->
issuer_serial
;
if
(
!
is
||
!
ts_issuer_serial_cmp
(
is
,
cert
))
return
i
;
...
...
@@ -343,13 +319,11 @@ static int ts_issuer_serial_cmp(ESS_ISSUER_SERIAL *is, X509 *cert)
if
(
!
is
||
!
cert
||
sk_GENERAL_NAME_num
(
is
->
issuer
)
!=
1
)
return
-
1
;
/* Check the issuer first. It must be a directory name. */
issuer
=
sk_GENERAL_NAME_value
(
is
->
issuer
,
0
);
if
(
issuer
->
type
!=
GEN_DIRNAME
||
X509_NAME_cmp
(
issuer
->
d
.
dirn
,
X509_get_issuer_name
(
cert
)))
return
-
1
;
/* Check the serial number, too. */
if
(
ASN1_INTEGER_cmp
(
is
->
serial
,
X509_get_serialNumber
(
cert
)))
return
-
1
;
...
...
@@ -368,15 +342,12 @@ int TS_RESP_verify_response(TS_VERIFY_CTX *ctx, TS_RESP *response)
TS_TST_INFO
*
tst_info
=
response
->
tst_info
;
int
ret
=
0
;
/* Check if we have a successful TS_TST_INFO object in place. */
if
(
!
ts_check_status_info
(
response
))
goto
err
;
/* Check the contents of the time stamp token. */
if
(
!
int_ts_RESP_verify_token
(
ctx
,
token
,
tst_info
))
goto
err
;
ret
=
1
;
err:
return
ret
;
}
...
...
@@ -418,56 +389,41 @@ static int int_ts_RESP_verify_token(TS_VERIFY_CTX *ctx,
unsigned
imprint_len
=
0
;
int
ret
=
0
;
/* Verify the signature. */
if
((
ctx
->
flags
&
TS_VFY_SIGNATURE
)
&&
!
TS_RESP_verify_signature
(
token
,
ctx
->
certs
,
ctx
->
store
,
&
signer
))
goto
err
;
/* Check version number of response. */
if
((
ctx
->
flags
&
TS_VFY_VERSION
)
&&
TS_TST_INFO_get_version
(
tst_info
)
!=
1
)
{
TSerr
(
TS_F_INT_TS_RESP_VERIFY_TOKEN
,
TS_R_UNSUPPORTED_VERSION
);
goto
err
;
}
/* Check policies. */
if
((
ctx
->
flags
&
TS_VFY_POLICY
)
&&
!
ts_check_policy
(
ctx
->
policy
,
tst_info
))
goto
err
;
/* Check message imprints. */
if
((
ctx
->
flags
&
TS_VFY_IMPRINT
)
&&
!
ts_check_imprints
(
ctx
->
md_alg
,
ctx
->
imprint
,
ctx
->
imprint_len
,
tst_info
))
goto
err
;
/* Compute and check message imprints. */
if
((
ctx
->
flags
&
TS_VFY_DATA
)
&&
(
!
ts_compute_imprint
(
ctx
->
data
,
tst_info
,
&
md_alg
,
&
imprint
,
&
imprint_len
)
||
!
ts_check_imprints
(
md_alg
,
imprint
,
imprint_len
,
tst_info
)))
goto
err
;
/* Check nonces. */
if
((
ctx
->
flags
&
TS_VFY_NONCE
)
&&
!
ts_check_nonces
(
ctx
->
nonce
,
tst_info
))
goto
err
;
/* Check whether TSA name and signer certificate match. */
if
((
ctx
->
flags
&
TS_VFY_SIGNER
)
&&
tsa_name
&&
!
ts_check_signer_name
(
tsa_name
,
signer
))
{
TSerr
(
TS_F_INT_TS_RESP_VERIFY_TOKEN
,
TS_R_TSA_NAME_MISMATCH
);
goto
err
;
}
/* Check whether the TSA is the expected one. */
if
((
ctx
->
flags
&
TS_VFY_TSA_NAME
)
&&
!
ts_check_signer_name
(
ctx
->
tsa_name
,
signer
))
{
TSerr
(
TS_F_INT_TS_RESP_VERIFY_TOKEN
,
TS_R_TSA_UNTRUSTED
);
goto
err
;
}
ret
=
1
;
err:
X509_free
(
signer
);
X509_ALGOR_free
(
md_alg
);
...
...
@@ -483,7 +439,6 @@ static int ts_check_status_info(TS_RESP *response)
char
*
embedded_status_text
=
NULL
;
char
failure_text
[
TS_STATUS_BUF_SIZE
]
=
""
;
/* Check if everything went fine. */
if
(
status
==
0
||
status
==
1
)
return
1
;
...
...
@@ -493,16 +448,15 @@ static int ts_check_status_info(TS_RESP *response)
else
status_text
=
"unknown code"
;
/* Set the embedded_status_text to the returned description. */
if
(
sk_ASN1_UTF8STRING_num
(
info
->
text
)
>
0
&&
(
embedded_status_text
=
ts_get_status_text
(
info
->
text
))
==
NULL
)
return
0
;
/* Fill
ing
in failure_text with the failure information. */
/* Fill in failure_text with the failure information. */
if
(
info
->
failure_info
)
{
int
i
;
int
first
=
1
;
for
(
i
=
0
;
i
<
(
int
)
TS_FAILURE_INFO_SIZE
;
++
i
)
{
for
(
i
=
0
;
i
<
(
int
)
OSSL_NELEM
(
ts_failure_info
)
;
++
i
)
{
if
(
ASN1_BIT_STRING_get_bit
(
info
->
failure_info
,
ts_failure_info
[
i
].
code
))
{
if
(
!
first
)
...
...
@@ -516,7 +470,6 @@ static int ts_check_status_info(TS_RESP *response)
if
(
failure_text
[
0
]
==
'\0'
)
strcpy
(
failure_text
,
"unspecified"
);
/* Making up the error string. */
TSerr
(
TS_F_TS_CHECK_STATUS_INFO
,
TS_R_NO_TIME_STAMP_TOKEN
);
ERR_add_error_data
(
6
,
"status code: "
,
status_text
,
...
...
@@ -535,18 +488,16 @@ static char *ts_get_status_text(STACK_OF(ASN1_UTF8STRING) *text)
char
*
result
=
NULL
;
char
*
p
;
/* Determine length first. */
for
(
i
=
0
;
i
<
sk_ASN1_UTF8STRING_num
(
text
);
++
i
)
{
ASN1_UTF8STRING
*
current
=
sk_ASN1_UTF8STRING_value
(
text
,
i
);
length
+=
ASN1_STRING_length
(
current
);
length
+=
1
;
/* separator character */
}
/* Allocate memory (closing '\0' included). */
if
((
result
=
OPENSSL_malloc
(
length
))
==
NULL
)
{
TSerr
(
TS_F_TS_GET_STATUS_TEXT
,
ERR_R_MALLOC_FAILURE
);
return
NULL
;
}
/* Concatenate the descriptions. */
for
(
i
=
0
,
p
=
result
;
i
<
sk_ASN1_UTF8STRING_num
(
text
);
++
i
)
{
ASN1_UTF8STRING
*
current
=
sk_ASN1_UTF8STRING_value
(
text
,
i
);
length
=
ASN1_STRING_length
(
current
);
...
...
@@ -555,7 +506,6 @@ static char *ts_get_status_text(STACK_OF(ASN1_UTF8STRING) *text)
strncpy
(
p
,
(
const
char
*
)
ASN1_STRING_data
(
current
),
length
);
p
+=
length
;
}
/* We do have space for this, too. */
*
p
=
'\0'
;
return
result
;
...
...
@@ -587,17 +537,12 @@ static int ts_compute_imprint(BIO *data, TS_TST_INFO *tst_info,
*
md_alg
=
NULL
;
*
imprint
=
NULL
;
/* Return the MD algorithm of the response. */
if
((
*
md_alg
=
X509_ALGOR_dup
(
md_alg_resp
))
==
NULL
)
goto
err
;
/* Getting the MD object. */
if
((
md
=
EVP_get_digestbyobj
((
*
md_alg
)
->
algorithm
))
==
NULL
)
{
TSerr
(
TS_F_TS_COMPUTE_IMPRINT
,
TS_R_UNSUPPORTED_MD_ALGORITHM
);
goto
err
;
}
/* Compute message digest. */
length
=
EVP_MD_size
(
md
);
if
(
length
<
0
)
goto
err
;
...
...
@@ -633,9 +578,7 @@ static int ts_check_imprints(X509_ALGOR *algor_a,
X509_ALGOR
*
algor_b
=
b
->
hash_algo
;
int
ret
=
0
;
/* algor_a is optional. */
if
(
algor_a
)
{
/* Compare algorithm OIDs. */
if
(
OBJ_cmp
(
algor_a
->
algorithm
,
algor_b
->
algorithm
))
goto
err
;
...
...
@@ -647,7 +590,6 @@ static int ts_check_imprints(X509_ALGOR *algor_a,
goto
err
;
}
/* Compare octet strings. */
ret
=
len_a
==
(
unsigned
)
ASN1_STRING_length
(
b
->
hashed_msg
)
&&
memcmp
(
imprint_a
,
ASN1_STRING_data
(
b
->
hashed_msg
),
len_a
)
==
0
;
err:
...
...
@@ -660,7 +602,6 @@ static int ts_check_nonces(const ASN1_INTEGER *a, TS_TST_INFO *tst_info)
{
const
ASN1_INTEGER
*
b
=
tst_info
->
nonce
;
/* Error if nonce is missing. */
if
(
!
b
)
{
TSerr
(
TS_F_TS_CHECK_NONCES
,
TS_R_NONCE_NOT_RETURNED
);
return
0
;
...
...
@@ -685,12 +626,9 @@ static int ts_check_signer_name(GENERAL_NAME *tsa_name, X509 *signer)
int
idx
=
-
1
;
int
found
=
0
;
/* Check the subject name first. */
if
(
tsa_name
->
type
==
GEN_DIRNAME
&&
X509_name_cmp
(
tsa_name
->
d
.
dirn
,
X509_get_subject_name
(
signer
))
==
0
)
return
1
;
/* Check all the alternative names. */
gen_names
=
X509_get_ext_d2i
(
signer
,
NID_subject_alt_name
,
NULL
,
&
idx
);
while
(
gen_names
!=
NULL
)
{
found
=
ts_find_name
(
gen_names
,
tsa_name
)
>=
0
;
...
...
crypto/ts/ts_verify_ctx.c
浏览文件 @
18cd23df
...
...
@@ -162,17 +162,14 @@ TS_VERIFY_CTX *TS_REQ_to_TS_VERIFY_CTX(TS_REQ *req, TS_VERIFY_CTX *ctx)
else
if
((
ret
=
TS_VERIFY_CTX_new
())
==
NULL
)
return
NULL
;
/* Setting flags. */
ret
->
flags
=
TS_VFY_ALL_IMPRINT
&
~
(
TS_VFY_TSA_NAME
|
TS_VFY_SIGNATURE
);
/* Setting policy. */
if
((
policy
=
req
->
policy_id
)
!=
NULL
)
{
if
((
ret
->
policy
=
OBJ_dup
(
policy
))
==
NULL
)
goto
err
;
}
else
ret
->
flags
&=
~
TS_VFY_POLICY
;
/* Setting md_alg, imprint and imprint_len. */
imprint
=
req
->
msg_imprint
;
md_alg
=
imprint
->
hash_algo
;
if
((
ret
->
md_alg
=
X509_ALGOR_dup
(
md_alg
))
==
NULL
)
...
...
@@ -183,7 +180,6 @@ TS_VERIFY_CTX *TS_REQ_to_TS_VERIFY_CTX(TS_REQ *req, TS_VERIFY_CTX *ctx)
goto
err
;
memcpy
(
ret
->
imprint
,
ASN1_STRING_data
(
msg
),
ret
->
imprint_len
);
/* Setting nonce. */
if
((
nonce
=
req
->
nonce
)
!=
NULL
)
{
if
((
ret
->
nonce
=
ASN1_INTEGER_dup
(
nonce
))
==
NULL
)
goto
err
;
...
...
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录