[openssl-commits] [openssl] master update
kaduk at mit.edu
kaduk at mit.edu
Sun Nov 12 02:11:15 UTC 2017
The branch master has been updated
via f1d3de718bc96e70ce76bf2b4ccee128ecbcd100 (commit)
via 27da13430bfb3c178716cec10e8d5d6134e54f90 (commit)
via ce5886dda80b6f60fb30762381506d5c6f2d995c (commit)
from 47c07020b7be6f5f8d8ffc7323b54a4ac259c910 (commit)
- Log -----------------------------------------------------------------
commit f1d3de718bc96e70ce76bf2b4ccee128ecbcd100
Author: Ben Kaduk <kaduk at mit.edu>
Date: Sat Nov 11 20:04:42 2017 -0600
make update
Reviewed-by: Rich Salz <rsalz at openssl.org>
Reviewed-by: Tim Hudson <tjh at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4573)
commit 27da13430bfb3c178716cec10e8d5d6134e54f90
Author: Benjamin Kaduk <bkaduk at akamai.com>
Date: Thu Oct 19 14:44:10 2017 -0500
Add OCSP API test executable
Some of the OCSP APIs (such as the recently added OCSP_resp_get0_signer)
do not really merit inclusion in the ocsp(1) utility, but we should still
have unit tests for them.
For now, only test OCSP_resp_get0_signer(), but it should be easy to
add more tests in the future.
Provide an X509 cert and private key in the test's data directory
to use for signing responses, since constructing those on the fly
is more effort than is needed.
Reviewed-by: Rich Salz <rsalz at openssl.org>
Reviewed-by: Tim Hudson <tjh at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4573)
commit ce5886dda80b6f60fb30762381506d5c6f2d995c
Author: Benjamin Kaduk <bkaduk at akamai.com>
Date: Wed Oct 18 15:29:18 2017 -0500
Add an API to get the signer of an OCSP response
Add a new function OCSP_resp_get0_signer() that looks in the
certs bundled with the response as well as in additional certificates
provided as a function argument, returning the certificate that signed
the given response (if present).
Reviewed-by: Rich Salz <rsalz at openssl.org>
Reviewed-by: Tim Hudson <tjh at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4573)
-----------------------------------------------------------------------
Summary of changes:
crypto/ocsp/ocsp_vfy.c | 9 +++
doc/man3/OCSP_resp_find_status.pod | 15 +++-
include/openssl/ocsp.h | 2 +
test/build.info | 6 +-
test/ocspapitest.c | 137 ++++++++++++++++++++++++++++++++
test/recipes/80-test_ocsp.t | 11 ++-
test/recipes/80-test_ocsp_data/cert.pem | 19 +++++
test/recipes/80-test_ocsp_data/key.pem | 28 +++++++
util/libcrypto.num | 1 +
9 files changed, 224 insertions(+), 4 deletions(-)
create mode 100644 test/ocspapitest.c
create mode 100644 test/recipes/80-test_ocsp_data/cert.pem
create mode 100644 test/recipes/80-test_ocsp_data/key.pem
diff --git a/crypto/ocsp/ocsp_vfy.c b/crypto/ocsp/ocsp_vfy.c
index 809f7f4..89147d9 100644
--- a/crypto/ocsp/ocsp_vfy.c
+++ b/crypto/ocsp/ocsp_vfy.c
@@ -138,6 +138,15 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
goto end;
}
+int OCSP_resp_get0_signer(OCSP_BASICRESP *bs, X509 **signer,
+ STACK_OF(X509) *extra_certs)
+{
+ int ret;
+
+ ret = ocsp_find_signer(signer, bs, extra_certs, 0);
+ return (ret > 0) ? 1 : 0;
+}
+
static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs,
STACK_OF(X509) *certs, unsigned long flags)
{
diff --git a/doc/man3/OCSP_resp_find_status.pod b/doc/man3/OCSP_resp_find_status.pod
index e1442eb..a369509 100644
--- a/doc/man3/OCSP_resp_find_status.pod
+++ b/doc/man3/OCSP_resp_find_status.pod
@@ -3,6 +3,7 @@
=head1 NAME
OCSP_resp_get0_certs,
+OCSP_resp_get0_signer,
OCSP_resp_get0_id,
OCSP_resp_get1_id,
OCSP_resp_get0_produced_at,
@@ -33,6 +34,9 @@ OCSP_single_get0_status, OCSP_check_validity
const STACK_OF(X509) *OCSP_resp_get0_certs(const OCSP_BASICRESP *bs);
+ int OCSP_resp get0_signer(OCSP_BASICRESP *bs, X509 **signer,
+ STACK_OF(X509) *extra_certs);
+
int OCSP_resp_get0_id(const OCSP_BASICRESP *bs,
const ASN1_OCTET_STRING **pid,
const X509_NAME **pname);
@@ -76,7 +80,13 @@ single response B<bs>.
OCSP_resp_get0_certs() returns any certificates included in B<bs>.
-OCSP_resp_get0_id() gets the responder id of <bs>. If the responder ID is
+OCSP_resp_get0_signer() attempts to retrive the certificate that directly
+signed B<bs>. The OCSP protocol does not require that this certificate
+is included in the B<certs> field of the response, so additional certificates
+can be supplied in B<extra_certs> if the certificates that may have
+signed the response are known via some out-of-band mechanism.
+
+OCSP_resp_get0_id() gets the responder id of B<bs>. If the responder ID is
a name then <*pname> is set to the name and B<*pid> is set to NULL. If the
responder ID is by key ID then B<*pid> is set to the key ID and B<*pname>
is set to NULL. OCSP_resp_get1_id() leaves ownership of B<*pid> and B<*pname>
@@ -106,6 +116,9 @@ B<id> was not found.
OCSP_single_get0_status() returns the status of B<single> or -1 if an error
occurred.
+OCSP_resp_get0_signer() returns 1 if the signing certificate was located,
+or 0 on error.
+
=head1 NOTES
Applications will typically call OCSP_resp_find_status() using the certificate
diff --git a/include/openssl/ocsp.h b/include/openssl/ocsp.h
index b609e9a..3ca2a92 100644
--- a/include/openssl/ocsp.h
+++ b/include/openssl/ocsp.h
@@ -197,6 +197,8 @@ int OCSP_response_status(OCSP_RESPONSE *resp);
OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp);
const ASN1_OCTET_STRING *OCSP_resp_get0_signature(const OCSP_BASICRESP *bs);
+int OCSP_resp_get0_signer(OCSP_BASICRESP *bs, X509 **signer,
+ STACK_OF(X509) *extra_certs);
int OCSP_resp_count(OCSP_BASICRESP *bs);
OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx);
diff --git a/test/build.info b/test/build.info
index cbdc0d9..d7cfd7e 100644
--- a/test/build.info
+++ b/test/build.info
@@ -46,7 +46,7 @@ INCLUDE_MAIN___test_libtestutil_OLB = /INCLUDE=MAIN
x509_time_test x509_dup_cert_test x509_check_cert_pkey_test \
recordlentest drbgtest sslbuffertest \
time_offset_test pemtest ssl_cert_table_internal_test ciphername_test \
- servername_test
+ servername_test ocspapitest
SOURCE[aborttest]=aborttest.c
INCLUDE[aborttest]=../include
@@ -277,6 +277,10 @@ INCLUDE_MAIN___test_libtestutil_OLB = /INCLUDE=MAIN
INCLUDE[sslapitest]=../include ..
DEPEND[sslapitest]=../libcrypto ../libssl libtestutil.a
+ SOURCE[ocspapitest]=ocspapitest.c
+ INCLUDE[ocspapitest]=../include ..
+ DEPEND[ocspapitest]=../libcrypto libtestutil.a
+
SOURCE[dtlstest]=dtlstest.c ssltestlib.c
INCLUDE[dtlstest]=../include .
DEPEND[dtlstest]=../libcrypto ../libssl libtestutil.a
diff --git a/test/ocspapitest.c b/test/ocspapitest.c
new file mode 100644
index 0000000..e76f7243
--- /dev/null
+++ b/test/ocspapitest.c
@@ -0,0 +1,137 @@
+/*
+ * Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <string.h>
+
+#include <openssl/opensslconf.h>
+#include <openssl/crypto.h>
+#include <openssl/ocsp.h>
+#include <openssl/x509.h>
+#include <openssl/asn1.h>
+#include <openssl/pem.h>
+
+#include "testutil.h"
+
+static const char *certstr;
+static const char *privkeystr;
+
+static int get_cert_and_key(X509 **cert_out, EVP_PKEY **key_out)
+{
+ BIO *certbio, *keybio;
+ X509 *cert = NULL;
+ EVP_PKEY *key = NULL;
+
+ if (!TEST_ptr(certbio = BIO_new_file(certstr, "r")))
+ return 0;
+ cert = PEM_read_bio_X509(certbio, NULL, NULL, NULL);
+ BIO_free(certbio);
+ if (!TEST_ptr(keybio = BIO_new_file(privkeystr, "r")))
+ goto end;
+ key = PEM_read_bio_PrivateKey(keybio, NULL, NULL, NULL);
+ BIO_free(keybio);
+ if (!TEST_ptr(cert) || !TEST_ptr(key))
+ goto end;
+ *cert_out = cert;
+ *key_out = key;
+ return 1;
+ end:
+ X509_free(cert);
+ EVP_PKEY_free(key);
+ return 0;
+}
+
+static OCSP_BASICRESP *make_dummy_resp(void)
+{
+ const unsigned char namestr[] = "openssl.example.com";
+ unsigned char keybytes[128] = {7};
+ OCSP_BASICRESP *bs = OCSP_BASICRESP_new();
+ OCSP_CERTID *cid;
+ ASN1_TIME *thisupd = ASN1_TIME_set(NULL, time(NULL));
+ ASN1_TIME *nextupd = ASN1_TIME_set(NULL, time(NULL) + 200);
+ X509_NAME *name = X509_NAME_new();
+ ASN1_BIT_STRING *key = ASN1_BIT_STRING_new();
+ ASN1_INTEGER *serial = ASN1_INTEGER_new();
+
+ if (!X509_NAME_add_entry_by_NID(name, NID_commonName, MBSTRING_ASC,
+ namestr, -1, -1, 1)
+ || !ASN1_BIT_STRING_set(key, keybytes, sizeof(keybytes)
+ || !ASN1_INTEGER_set_uint64(serial, (uint64_t)1)))
+ return NULL;
+ cid = OCSP_cert_id_new(EVP_sha256(), name, key, serial);
+ if (!TEST_ptr(bs)
+ || !TEST_ptr(thisupd)
+ || !TEST_ptr(nextupd)
+ || !TEST_ptr(cid)
+ || !TEST_true(OCSP_basic_add1_status(bs, cid,
+ V_OCSP_CERTSTATUS_UNKNOWN,
+ 0, NULL, thisupd, nextupd)))
+ return NULL;
+ ASN1_TIME_free(thisupd);
+ ASN1_TIME_free(nextupd);
+ ASN1_BIT_STRING_free(key);
+ ASN1_INTEGER_free(serial);
+ OCSP_CERTID_free(cid);
+ X509_NAME_free(name);
+ return bs;
+}
+
+#ifndef OPENSSL_NO_OCSP
+static int test_resp_signer(void)
+{
+ OCSP_BASICRESP *bs;
+ X509 *signer = NULL, *tmp;
+ EVP_PKEY *key = NULL;
+ STACK_OF(X509) *extra_certs;
+
+ /*
+ * Test a response with no certs at all; get the signer from the
+ * extra certs given to OCSP_resp_get0_signer().
+ */
+ bs = make_dummy_resp();
+ extra_certs = sk_X509_new_null();
+ if (!TEST_ptr(bs)
+ || !TEST_ptr(extra_certs)
+ || !TEST_true(get_cert_and_key(&signer, &key))
+ || !TEST_true(sk_X509_push(extra_certs, signer))
+ || !TEST_true(OCSP_basic_sign(bs, signer, key, EVP_sha1(),
+ NULL, OCSP_NOCERTS)))
+ return 0;
+ if (!TEST_true(OCSP_resp_get0_signer(bs, &tmp, extra_certs))
+ || !TEST_int_eq(X509_cmp(tmp, signer), 0))
+ return 0;
+ OCSP_BASICRESP_free(bs);
+
+ /* Do it again but include the signer cert */
+ bs = make_dummy_resp();
+ tmp = NULL;
+ if (!TEST_ptr(bs)
+ || !TEST_true(OCSP_basic_sign(bs, signer, key, EVP_sha1(),
+ NULL, 0)))
+ return 0;
+ if (!TEST_true(OCSP_resp_get0_signer(bs, &tmp, NULL))
+ || !TEST_int_eq(X509_cmp(tmp, signer), 0))
+ return 0;
+ OCSP_BASICRESP_free(bs);
+ sk_X509_free(extra_certs);
+ X509_free(signer);
+ EVP_PKEY_free(key);
+ return 1;
+}
+#endif
+
+int setup_tests(void)
+{
+ if (!TEST_ptr(certstr = test_get_argument(0))
+ || !TEST_ptr(privkeystr = test_get_argument(1)))
+ return 0;
+#ifndef OPENSSL_NO_OCSP
+ ADD_TEST(test_resp_signer);
+#endif
+ return 1;
+}
diff --git a/test/recipes/80-test_ocsp.t b/test/recipes/80-test_ocsp.t
index 9f178de..e9ed7b4 100644
--- a/test/recipes/80-test_ocsp.t
+++ b/test/recipes/80-test_ocsp.t
@@ -13,7 +13,7 @@ use warnings;
use POSIX;
use File::Spec::Functions qw/devnull catfile/;
use File::Copy;
-use OpenSSL::Test qw/:DEFAULT with pipe srctop_dir/;
+use OpenSSL::Test qw/:DEFAULT with pipe srctop_dir data_file/;
use OpenSSL::Test::Utils;
setup("test_ocsp");
@@ -48,7 +48,7 @@ sub test_ocsp {
unlink "ocsp-resp-fff.dat";
}
-plan tests => 10;
+plan tests => 11;
subtest "=== VALID OCSP RESPONSES ===" => sub {
plan tests => 7;
@@ -210,3 +210,10 @@ subtest "=== INVALID SIGNATURE on the ISSUER CERTIFICATE ===" => sub {
test_ocsp("DELEGATED; Root CA -> EE",
"D3.ors", "ISIC_D3_Issuer_Root.pem", "", 0);
};
+
+subtest "=== OCSP API TESTS===" => sub {
+ plan tests => 1;
+
+ ok(run(test(["ocspapitest", data_file("cert.pem"), data_file("key.pem")])),
+ "running ocspapitest");
+}
diff --git a/test/recipes/80-test_ocsp_data/cert.pem b/test/recipes/80-test_ocsp_data/cert.pem
new file mode 100644
index 0000000..f70e792
--- /dev/null
+++ b/test/recipes/80-test_ocsp_data/cert.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDLDCCAhSgAwIBAgICFs8wDQYJKoZIhvcNAQELBQAwSzEQMA4GA1UECgwHT3Bl
+blNTTDETMBEGA1UECwwKVGVzdCBTdWl0ZTEiMCAGA1UEAwwZVGVzdCBPQ1NQIHJl
+c3BvbnNlIHNpZ25lcjAeFw0xNzEwMjMxNDA4MDlaFw0yNjAxMDkxNDA4MDlaMEsx
+EDAOBgNVBAoMB09wZW5TU0wxEzARBgNVBAsMClRlc3QgU3VpdGUxIjAgBgNVBAMM
+GVRlc3QgT0NTUCByZXNwb25zZSBzaWduZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQC81prq23FY2YDuwiXetb/NCs/cSm/afVnPsdSseRKi/GHi9d7b
+EEgWnQOJmz4zTuU+Bw2duHZ1X2WUR/Pjy4CvWNRq417aJ3IfyQHf8cxEplk9Ifd0
+5VEq6WzWVWAX6ki/CZIJUihzj3AAn/SYfvXw2wd319OQGvwYiQVt3Is5k4E4rAI2
+zXf5BdE9XkayM3jq6Ewc/VZ05EA/LaBLy5ujQljjfAFEy/qopYx3AJ4G8t2a5rvM
+dbNOyJCx9NNeryZMv2wRzEaYp6jYao+xxqbm5lgnwfE3jJ4aA9/oC1sUM8FokOGW
+9KAK3UEptoxux8JHH9R8X5bTVE7HADHhG5s7AgMBAAGjGjAYMAkGA1UdEwQCMAAw
+CwYDVR0PBAQDAgXgMA0GCSqGSIb3DQEBCwUAA4IBAQCPkojVPBFNT9DGpLq9Y/Hl
+XhcA+vSdt83EFzPD/nxIMp/QYSnZ9w2SWL21AH4C+HWd4JuKX5Zlsd6qYobYZLcT
+TyVfw0OMwwPUI6Mxbz395EAnVLmtddN2RDsEYvThSMMoSfhtUwyANpA0Q6M8RcGt
+LwnaC69iXhBh1xcTVVg97yEJ22yIrwQ1GhX4F1PRJIAQ/QmQhnoTGlhl2VAQ3LIk
+lNFxkWbx0rqPIcor27QDNa2DPqioyvHMlkjC1h5EPhL9Ynu011r4Dn9A34+vFxeu
+Q+emRwl/JjCNZX4l/AripU/Cy/+J2YGKilKzRcB1QMMVSl0VaeLSCwkNDQtdlwWO
+-----END CERTIFICATE-----
diff --git a/test/recipes/80-test_ocsp_data/key.pem b/test/recipes/80-test_ocsp_data/key.pem
new file mode 100644
index 0000000..cd211dc
--- /dev/null
+++ b/test/recipes/80-test_ocsp_data/key.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC81prq23FY2YDu
+wiXetb/NCs/cSm/afVnPsdSseRKi/GHi9d7bEEgWnQOJmz4zTuU+Bw2duHZ1X2WU
+R/Pjy4CvWNRq417aJ3IfyQHf8cxEplk9Ifd05VEq6WzWVWAX6ki/CZIJUihzj3AA
+n/SYfvXw2wd319OQGvwYiQVt3Is5k4E4rAI2zXf5BdE9XkayM3jq6Ewc/VZ05EA/
+LaBLy5ujQljjfAFEy/qopYx3AJ4G8t2a5rvMdbNOyJCx9NNeryZMv2wRzEaYp6jY
+ao+xxqbm5lgnwfE3jJ4aA9/oC1sUM8FokOGW9KAK3UEptoxux8JHH9R8X5bTVE7H
+ADHhG5s7AgMBAAECggEBAJLp946eeVmhpiCa5XGWPwlbzwlY1BrNCRGADbC9ZRVu
+ew1jMiWGTj9hmr31DHhIeis+u4YoW+jG9jVdoU5pJc3Fs0URbdsVc0FtVcsPyFbk
+gGsCQQ4t1m8nOaiqtV8Fw+D0piwgQh5dysqBp374z4i6Lt47CHqFs/m2qIWnXp3E
+YF3xX2Zz9rIgejERRxrUnp5998NqxSYHPF7Ts4VQ/+UezUqEpA2jBs6cJ2tWVNR9
+uf+3Fklpo7Uau+xG5xkiRYxx4mSIg6EREz5+XMPkSOcXi6tyinoKsafxTNQDil0q
+pdurVlHNgZb2QdJjHugVmbalydHIQ5c0CU1RO5CP97kCgYEA7RqrRooniil0iAKR
+6scFct0juVBW1Uw05Ejt97RtwQRf/m9SU5mSs0PfFx/l3PeNDSWnpmwunL1igYQb
++tVqDQQ9xR4owyl6/qDJSP2bS84jb+3MCR4UE/b2YR2rCDBllXeyQsDT7KMoW8lX
+gliWmYd6HYddRDOKNM/tzccFG1cCgYEAy+M6yv0ublrpTj4o8DcOi6JJrQbPSAWx
+R7zKDXSvSq5lLjfXmqX4s/jgZWgQ+kYoYZrIOqIygcZ2U6tBMCP2LAhbf86I6r27
+loMyQg7lhC5GCztpGes4/JmUvnvjTUIFspB6ReaXlBFAstzzJirgI1wmoO6+GiG/
+OUDmvCjFdL0CgYALQGa8VDYIImt7QNP31jX1+3SEiMF2IcWox6UzSgajUDfV9SZs
+/S6u/xuJF2RrFfxFkXHhPeUAXyRbjQ9e2d3MfFUKE6JPkJpblvm2UwKZmFCqMRir
+nhfJ0sBiX2wMWW+YpjN5Y3krE5sIsAdNEjMjWgB7gj70y5VVaECasUUWxQKBgQDB
+aauqSIc1VLSh7sGzLudzet5db2pPLmdAYE1kel6Xf9yn/X1gTTYitGNaj2Abq1Y/
+US/Ev30eMwCo2nqaimLK3pq+IVUtKhO78nVIyQzdWXBE03Uei0+iAKdkE+5Kqejx
+vbDggqEka0Fu678VY/MAWDikzhY0f/MBAxpfQGYgGQKBgC0tR1ymvCLkk6J5e4/G
+OD1D9m2JJjcK4eWUS4rAiEH61sI5CKQRU2pQ3f3cIGekDZZt3XzHLYwc9W2UnN2J
+glMmKXp0qqt2HoE/XKLrIc1dEDXsZxFnMZ6nmWKsl4AHxM/gyXqfDo/AUXyEGcVu
+8TbVs3nlISUy7vwjpaW1KOs1
+-----END PRIVATE KEY-----
diff --git a/util/libcrypto.num b/util/libcrypto.num
index a6b4ceb..100e71f 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -4426,3 +4426,4 @@ EVP_sm4_ofb 4370 1_1_1 EXIST::FUNCTION:SM4
EVP_sm4_ecb 4371 1_1_1 EXIST::FUNCTION:SM4
EVP_sm4_cfb128 4372 1_1_1 EXIST::FUNCTION:SM4
EVP_sm3 4373 1_1_1 EXIST::FUNCTION:SM3
+OCSP_resp_get0_signer 4374 1_1_0h EXIST::FUNCTION:OCSP
More information about the openssl-commits
mailing list