Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
OpenHarmony
Third Party Openssl
提交
f1965221
T
Third Party Openssl
项目概览
OpenHarmony
/
Third Party Openssl
大约 1 年 前同步成功
通知
9
Star
18
Fork
1
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
T
Third Party Openssl
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
提交
Issue看板
体验新版 GitCode,发现更多精彩内容 >>
提交
f1965221
编写于
2月 24, 2001
作者:
D
Dr. Stephen Henson
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
New function and options to check OCSP response validity.
上级
4ff18c8c
变更
5
隐藏空白更改
内联
并排
Showing
5 changed file
with
150 addition
and
5 deletion
+150
-5
CHANGES
CHANGES
+11
-0
apps/ocsp.c
apps/ocsp.c
+52
-3
crypto/ocsp/ocsp.h
crypto/ocsp/ocsp.h
+10
-0
crypto/ocsp/ocsp_cl.c
crypto/ocsp/ocsp_cl.c
+70
-2
crypto/ocsp/ocsp_err.c
crypto/ocsp/ocsp_err.c
+7
-0
未找到文件。
CHANGES
浏览文件 @
f1965221
...
...
@@ -3,6 +3,17 @@
Changes between 0.9.6 and 0.9.7 [xx XXX 2000]
*) Add OCSP_check_validity() function to check the validity of OCSP
responses. OCSP responses are prepared in real time and may only
be a few seconds old. Simply checking that the current time lies
between thisUpdate and nextUpdate max reject otherwise valid responses
caused by either OCSP responder or client clock innacuracy. Instead
we allow thisUpdate and nextUpdate to fall within a certain period of
the current time. The age of the response can also optionally be
checked. Two new options -validity_period and -status_age added to
ocsp utility.
[Steve Henson]
*) If signature or public key algorithm is unrecognized print out its
OID rather that just UNKOWN.
[Steve Henson]
...
...
apps/ocsp.c
浏览文件 @
f1965221
...
...
@@ -64,12 +64,16 @@
#include <openssl/ssl.h>
#include "apps.h"
/* Maximum leeway in validity period: default 5 minutes */
#define MAX_VALIDITY_PERIOD (5 * 60)
static
int
add_ocsp_cert
(
OCSP_REQUEST
**
req
,
X509
*
cert
,
X509
*
issuer
,
STACK_OF
(
OCSP_CERTID
)
*
ids
);
static
int
add_ocsp_serial
(
OCSP_REQUEST
**
req
,
char
*
serial
,
X509
*
issuer
,
STACK_OF
(
OCSP_CERTID
)
*
ids
);
static
int
print_ocsp_summary
(
BIO
*
out
,
OCSP_BASICRESP
*
bs
,
OCSP_REQUEST
*
req
,
STACK
*
names
,
STACK_OF
(
OCSP_CERTID
)
*
ids
);
STACK
*
names
,
STACK_OF
(
OCSP_CERTID
)
*
ids
,
long
nsec
,
long
maxage
);
#undef PROG
#define PROG ocsp_main
...
...
@@ -94,6 +98,7 @@ int MAIN(int argc, char **argv)
BIO
*
cbio
=
NULL
,
*
derbio
=
NULL
;
BIO
*
out
=
NULL
;
int
req_text
=
0
,
resp_text
=
0
;
long
nsec
=
MAX_VALIDITY_PERIOD
,
maxage
=
-
1
;
char
*
CAfile
=
NULL
,
*
CApath
=
NULL
;
X509_STORE
*
store
=
NULL
;
SSL_CTX
*
ctx
=
NULL
;
...
...
@@ -247,6 +252,38 @@ int MAIN(int argc, char **argv)
}
else
badarg
=
1
;
}
else
if
(
!
strcmp
(
*
args
,
"-validity_period"
))
{
if
(
args
[
1
])
{
args
++
;
nsec
=
atol
(
*
args
);
if
(
nsec
<
0
)
{
BIO_printf
(
bio_err
,
"Illegal validity period %s
\n
"
,
*
args
);
badarg
=
1
;
}
}
else
badarg
=
1
;
}
else
if
(
!
strcmp
(
*
args
,
"-status_age"
))
{
if
(
args
[
1
])
{
args
++
;
maxage
=
atol
(
*
args
);
if
(
maxage
<
0
)
{
BIO_printf
(
bio_err
,
"Illegal validity age %s
\n
"
,
*
args
);
badarg
=
1
;
}
}
else
badarg
=
1
;
}
else
if
(
!
strcmp
(
*
args
,
"-signkey"
))
{
if
(
args
[
1
])
...
...
@@ -356,6 +393,8 @@ int MAIN(int argc, char **argv)
BIO_printf
(
bio_err
,
"-CApath dir trusted certificates directory
\n
"
);
BIO_printf
(
bio_err
,
"-CAfile file trusted certificates file
\n
"
);
BIO_printf
(
bio_err
,
"-VAfile file validator certificates file
\n
"
);
BIO_printf
(
bio_err
,
"-validity_period n maximum validity discrepancy in seconds
\n
"
);
BIO_printf
(
bio_err
,
"-status_age n maximum status age in seconds
\n
"
);
BIO_printf
(
bio_err
,
"-noverify don't verify response at all
\n
"
);
BIO_printf
(
bio_err
,
"-verify_certs file additional certificates to search for signer
\n
"
);
BIO_printf
(
bio_err
,
"-trust_other don't verify additional certificates
\n
"
);
...
...
@@ -564,7 +603,7 @@ int MAIN(int argc, char **argv)
}
if
(
!
print_ocsp_summary
(
out
,
bs
,
req
,
reqnames
,
ids
))
if
(
!
print_ocsp_summary
(
out
,
bs
,
req
,
reqnames
,
ids
,
nsec
,
maxage
))
goto
end
;
ret
=
0
;
...
...
@@ -652,7 +691,8 @@ static int add_ocsp_serial(OCSP_REQUEST **req, char *serial, X509 *issuer,
}
static
int
print_ocsp_summary
(
BIO
*
out
,
OCSP_BASICRESP
*
bs
,
OCSP_REQUEST
*
req
,
STACK
*
names
,
STACK_OF
(
OCSP_CERTID
)
*
ids
)
STACK
*
names
,
STACK_OF
(
OCSP_CERTID
)
*
ids
,
long
nsec
,
long
maxage
)
{
OCSP_CERTID
*
id
;
char
*
name
;
...
...
@@ -677,6 +717,15 @@ static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
BIO_puts
(
out
,
"ERROR: No Status found.
\n
"
);
continue
;
}
/* Check validity: if invalid write to output BIO so we
* know which response this refers to.
*/
if
(
!
OCSP_check_validity
(
thisupd
,
nextupd
,
nsec
,
maxage
))
{
BIO_puts
(
out
,
"WARNING: Status times invalid.
\n
"
);
ERR_print_errors
(
out
);
}
BIO_printf
(
out
,
"%s
\n
"
,
OCSP_cert_status_str
(
status
));
BIO_puts
(
out
,
"
\t
This Update: "
);
...
...
crypto/ocsp/ocsp.h
浏览文件 @
f1965221
...
...
@@ -444,6 +444,9 @@ int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
ASN1_GENERALIZEDTIME
**
revtime
,
ASN1_GENERALIZEDTIME
**
thisupd
,
ASN1_GENERALIZEDTIME
**
nextupd
);
int
OCSP_check_validity
(
ASN1_GENERALIZEDTIME
*
thisupd
,
ASN1_GENERALIZEDTIME
*
nextupd
,
long
sec
,
long
maxsec
);
int
OCSP_request_verify
(
OCSP_REQUEST
*
req
,
EVP_PKEY
*
pkey
);
...
...
@@ -569,6 +572,7 @@ void ERR_load_OCSP_strings(void);
#define OCSP_F_OCSP_CHECK_DELEGATED 106
#define OCSP_F_OCSP_CHECK_IDS 107
#define OCSP_F_OCSP_CHECK_ISSUER 108
#define OCSP_F_OCSP_CHECK_VALIDITY 115
#define OCSP_F_OCSP_MATCH_ISSUERID 109
#define OCSP_F_OCSP_PARSE_URL 114
#define OCSP_F_OCSP_REQUEST_SIGN 110
...
...
@@ -580,8 +584,11 @@ void ERR_load_OCSP_strings(void);
#define OCSP_R_BAD_DATA 100
#define OCSP_R_CERTIFICATE_VERIFY_ERROR 101
#define OCSP_R_DIGEST_ERR 102
#define OCSP_R_ERROR_IN_NEXTUPDATE_FIELD 122
#define OCSP_R_ERROR_IN_THISUPDATE_FIELD 123
#define OCSP_R_ERROR_PARSING_URL 121
#define OCSP_R_MISSING_OCSPSIGNING_USAGE 103
#define OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE 124
#define OCSP_R_NOT_BASIC_RESPONSE 104
#define OCSP_R_NO_CERTIFICATES_IN_CHAIN 105
#define OCSP_R_NO_CONTENT 106
...
...
@@ -597,6 +604,9 @@ void ERR_load_OCSP_strings(void);
#define OCSP_R_SERVER_WRITE_ERROR 116
#define OCSP_R_SIGNATURE_FAILURE 117
#define OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND 118
#define OCSP_R_STATUS_EXPIRED 125
#define OCSP_R_STATUS_NOT_YET_VALID 126
#define OCSP_R_STATUS_TOO_OLD 127
#define OCSP_R_UNKNOWN_MESSAGE_DIGEST 119
#define OCSP_R_UNKNOWN_NID 120
...
...
crypto/ocsp/ocsp_cl.c
浏览文件 @
f1965221
...
...
@@ -62,6 +62,7 @@
*/
#include <stdio.h>
#include <time.h>
#include <cryptlib.h>
#include <openssl/objects.h>
#include <openssl/rand.h>
...
...
@@ -259,8 +260,9 @@ int OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason,
ASN1_GENERALIZEDTIME
**
nextupd
)
{
int
ret
;
OCSP_CERTSTATUS
*
cst
=
single
->
certStatus
;
OCSP_CERTSTATUS
*
cst
;
if
(
!
single
)
return
-
1
;
cst
=
single
->
certStatus
;
ret
=
cst
->
type
;
if
(
ret
==
V_OCSP_CERTSTATUS_REVOKED
)
{
...
...
@@ -278,7 +280,7 @@ int OCSP_single_get0_status(OCSP_SINGLERESP *single, int *reason,
return
ret
;
}
/* This function combines the previous ones: look a certificate ID and
/* This function combines the previous ones: look
up
a certificate ID and
* if found extract status information. Return 0 is successful.
*/
...
...
@@ -299,4 +301,70 @@ int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
return
1
;
}
/* Check validity of thisUpdate and nextUpdate fields. It is possible that the request will
* take a few seconds to process and/or the time wont be totally accurate. Therefore to avoid
* rejecting otherwise valid time we allow the times to be within 'nsec' of the current time.
* Also to avoid accepting very old responses without a nextUpdate field an optional maxage
* parameter specifies the maximum age the thisUpdate field can be.
*/
int
OCSP_check_validity
(
ASN1_GENERALIZEDTIME
*
thisupd
,
ASN1_GENERALIZEDTIME
*
nextupd
,
long
nsec
,
long
maxsec
)
{
int
ret
=
1
;
time_t
t_now
,
t_tmp
;
time
(
&
t_now
);
/* Check thisUpdate is valid and not more than nsec in the future */
if
(
!
ASN1_GENERALIZEDTIME_check
(
thisupd
))
{
OCSPerr
(
OCSP_F_OCSP_CHECK_VALIDITY
,
OCSP_R_ERROR_IN_THISUPDATE_FIELD
);
ret
=
0
;
}
else
{
t_tmp
=
t_now
+
nsec
;
if
(
X509_cmp_time
(
thisupd
,
&
t_tmp
)
>
0
)
{
OCSPerr
(
OCSP_F_OCSP_CHECK_VALIDITY
,
OCSP_R_STATUS_NOT_YET_VALID
);
ret
=
0
;
}
/* If maxsec specified check thisUpdate is not more than maxsec in the past */
if
(
maxsec
>=
0
)
{
t_tmp
=
t_now
-
maxsec
;
if
(
X509_cmp_time
(
thisupd
,
&
t_tmp
)
<
0
)
{
OCSPerr
(
OCSP_F_OCSP_CHECK_VALIDITY
,
OCSP_R_STATUS_TOO_OLD
);
ret
=
0
;
}
}
}
if
(
!
nextupd
)
return
ret
;
/* Check nextUpdate is valid and not more than nsec in the past */
if
(
!
ASN1_GENERALIZEDTIME_check
(
nextupd
))
{
OCSPerr
(
OCSP_F_OCSP_CHECK_VALIDITY
,
OCSP_R_ERROR_IN_NEXTUPDATE_FIELD
);
ret
=
0
;
}
else
{
t_tmp
=
t_now
-
nsec
;
if
(
X509_cmp_time
(
nextupd
,
&
t_tmp
)
<
0
)
{
OCSPerr
(
OCSP_F_OCSP_CHECK_VALIDITY
,
OCSP_R_STATUS_EXPIRED
);
ret
=
0
;
}
}
/* Also don't allow nextUpdate to precede thisUpdate */
if
(
ASN1_STRING_cmp
(
nextupd
,
thisupd
)
<
0
)
{
OCSPerr
(
OCSP_F_OCSP_CHECK_VALIDITY
,
OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE
);
ret
=
0
;
}
return
ret
;
}
crypto/ocsp/ocsp_err.c
浏览文件 @
f1965221
...
...
@@ -75,6 +75,7 @@ static ERR_STRING_DATA OCSP_str_functs[]=
{
ERR_PACK
(
0
,
OCSP_F_OCSP_CHECK_DELEGATED
,
0
),
"OCSP_CHECK_DELEGATED"
},
{
ERR_PACK
(
0
,
OCSP_F_OCSP_CHECK_IDS
,
0
),
"OCSP_CHECK_IDS"
},
{
ERR_PACK
(
0
,
OCSP_F_OCSP_CHECK_ISSUER
,
0
),
"OCSP_CHECK_ISSUER"
},
{
ERR_PACK
(
0
,
OCSP_F_OCSP_CHECK_VALIDITY
,
0
),
"OCSP_check_validity"
},
{
ERR_PACK
(
0
,
OCSP_F_OCSP_MATCH_ISSUERID
,
0
),
"OCSP_MATCH_ISSUERID"
},
{
ERR_PACK
(
0
,
OCSP_F_OCSP_PARSE_URL
,
0
),
"OCSP_parse_url"
},
{
ERR_PACK
(
0
,
OCSP_F_OCSP_REQUEST_SIGN
,
0
),
"OCSP_request_sign"
},
...
...
@@ -89,8 +90,11 @@ static ERR_STRING_DATA OCSP_str_reasons[]=
{
OCSP_R_BAD_DATA
,
"bad data"
},
{
OCSP_R_CERTIFICATE_VERIFY_ERROR
,
"certificate verify error"
},
{
OCSP_R_DIGEST_ERR
,
"digest err"
},
{
OCSP_R_ERROR_IN_NEXTUPDATE_FIELD
,
"error in nextupdate field"
},
{
OCSP_R_ERROR_IN_THISUPDATE_FIELD
,
"error in thisupdate field"
},
{
OCSP_R_ERROR_PARSING_URL
,
"error parsing url"
},
{
OCSP_R_MISSING_OCSPSIGNING_USAGE
,
"missing ocspsigning usage"
},
{
OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE
,
"nextupdate before thisupdate"
},
{
OCSP_R_NOT_BASIC_RESPONSE
,
"not basic response"
},
{
OCSP_R_NO_CERTIFICATES_IN_CHAIN
,
"no certificates in chain"
},
{
OCSP_R_NO_CONTENT
,
"no content"
},
...
...
@@ -106,6 +110,9 @@ static ERR_STRING_DATA OCSP_str_reasons[]=
{
OCSP_R_SERVER_WRITE_ERROR
,
"server write error"
},
{
OCSP_R_SIGNATURE_FAILURE
,
"signature failure"
},
{
OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND
,
"signer certificate not found"
},
{
OCSP_R_STATUS_EXPIRED
,
"status expired"
},
{
OCSP_R_STATUS_NOT_YET_VALID
,
"status not yet valid"
},
{
OCSP_R_STATUS_TOO_OLD
,
"status too old"
},
{
OCSP_R_UNKNOWN_MESSAGE_DIGEST
,
"unknown message digest"
},
{
OCSP_R_UNKNOWN_NID
,
"unknown nid"
},
{
0
,
NULL
}
...
...
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录