OCSP request creation almost complete, added ocsp revoke error code

2025-07-31 19:24:42 +02:00 · 2012-05-08 18:32:57 -07:00
parent 81a6ed4577
commit 4feeeeda55
6 changed files with 53 additions and 20 deletions
--- a/ctaocrypt/src/asn.c
+++ b/ctaocrypt/src/asn.c
@@ -4113,20 +4113,50 @@ int OcspResponseDecode(OcspResponse* resp)
 }


-void InitOcspRequest(OcspRequest* req)
+static int SetInt(const byte* input, word32 inputSz, byte* output)
 {
+	return 0;
 }
+#define MAX_INT_SZ 32

-
-int MakeOcspRequest(OcspRequest* req)
+int EncodeOcspRequest(DecodedCert* cert, byte* output, word32 outputSz)
 {
-    return 0;
-}
+	byte seqArray[5][MAX_SEQ_SZ];
+	/* The ASN.1 of the OCSP Request is an onion of sequences */
+	byte algoArray[MAX_ALGO_SZ];
+	byte issuerArray[MAX_ENCODED_DIG_SZ];
+	byte issuerKeyArray[MAX_ENCODED_DIG_SZ];
+	byte snArray[MAX_INT_SZ];

+	word32 seqSz[5], algoSz, issuerSz, issuerKeySz, snSz, totalSz;
+	int i;

-int EncodeOcspRequest(void)
-{
-    return 0;
+	algoSz = SetAlgoID(SHAh, algoArray, hashType);
+	issuerSz = SetDigest(cert->issuerHash, SHA_SIZE, issuerArray);
+	issuerKeySz = SetDigest(cert->issuerKeyHash, SHA_SIZE, issuerKeyArray);
+	snSz = SetInt(cert->serial, cert->serialSz, snArray);
+
+	totalSz = algoSz + issuerSz + issuerKeySz + snSz;
+
+	for (i = 4; i >= 0; i--) {
+		seqSz[i] = SetSequence(totalSz, seqArray[i]);
+		totalSz += seqSz[i];
+	}
+	totalSz = 0;
+	for (i = 0; i < 5; i++) {
+		XMEMCPY(output + totalSz, seqArray[i], seqSz[i]);
+		totalSz += seqSz[i];
+	}
+	XMEMCPY(output + totalSz, algoArray, algoSz);
+	totalSz += algoSz;
+	XMEMCPY(output + totalSz, issuerArray, issuerSz);
+	totalSz += issuerSz;
+	XMEMCPY(output + totalSz, issuerKeyArray, issuerKeySz);
+	totalSz += issuerKeySz;
+	XMEMCPY(output + totalSz, snArray, snSz);
+	totalSz += snSz;
+
+    return totalSz;
 }

 #endif
--- a/cyassl/ctaocrypt/asn.h
+++ b/cyassl/ctaocrypt/asn.h
@@ -335,13 +335,6 @@ enum Ocsp_Sums {


 typedef struct OcspResponse OcspResponse;
-typedef struct OcspRequest OcspRequest;
-
-
-struct OcspRequest {
-    byte* serialNumber; /* not owned by us */
-    int serialSz;
-};


 struct OcspResponse {
@@ -374,6 +367,7 @@ struct OcspResponse {
 CYASSL_LOCAL void InitOcspResponse(OcspResponse*, byte*, word32, void*);
 CYASSL_LOCAL void FreeOcspResponse(OcspResponse*);
 CYASSL_LOCAL int  OcspResponseDecode(OcspResponse*);
+CYASSL_LOCAL int  EncodeOcspRequest(DecodedCert*, byte*, word32);


 #endif /* HAVE_OCSP */
--- a/cyassl/error.h
+++ b/cyassl/error.h
@@ -96,9 +96,10 @@ enum CyaSSL_ErrorCodes {

    /* begin negotiation parameter errors */
    UNSUPPORTED_SUITE      = -270,            /* unsupported cipher suite */
-    MATCH_SUITE_ERROR      = -271             /* can't match cipher suite */
+    MATCH_SUITE_ERROR      = -271,            /* can't match cipher suite */
    /* end negotiation parameter errors only 10 for now */
    /* add strings to SetErrorString !!!!! */
+    OCSP_CERT_REVOKED      = -272
 };


--- a/cyassl/ocsp.h
+++ b/cyassl/ocsp.h
@@ -37,8 +37,8 @@ typedef struct CYASSL_OCSP CYASSL_OCSP;
 typedef struct CertStatus CertStatus;

 struct CertStatus {
-    byte subjectHash[SHA_SIZE];
    byte issuerHash[SHA_SIZE];
+    byte issuerKeyHash[SHA_SIZE];
    byte serial[EXTERNAL_SERIAL_SIZE];
    int serialSz;
    int status;
--- a/src/internal.c
+++ b/src/internal.c
@@ -1695,7 +1695,11 @@ static int DoCertificate(CYASSL* ssl, byte* input, word32* inOutIdx)
        }

 #ifdef HAVE_OCSP
-        CyaSSL_OCSP_Lookup_Cert(&ssl->ctx->ocsp, &dCert);
+        if (CyaSSL_OCSP_Lookup_Cert(&ssl->ctx->ocsp, &dCert) == CERT_REVOKED) {
+			CYASSL_MSG("\tOCSP Lookup returned revoked");
+			ret = OCSP_CERT_REVOKED;
+			fatal = 0;
+		}
 #endif

 #ifdef OPENSSL_EXTRA
@@ -3501,6 +3505,10 @@ void SetErrorString(int error, char* str)
        XSTRNCPY(str, "Bad Cert Manager error", max);
        break;

+    case OCSP_CERT_REVOKED:
+        XSTRNCPY(str, "OCSP Cert revoked", max);
+        break;
+
    default :
        XSTRNCPY(str, "unknown error number", max);
    }
--- a/src/ocsp.c
+++ b/src/ocsp.c
@@ -305,13 +305,13 @@ int CyaSSL_OCSP_Lookup_Cert(CYASSL_OCSP* ocsp, DecodedCert* cert)
        return CERT_UNKNOWN;
    }

-    XMEMCPY(ocsp->status[0].subjectHash, cert->subjectHash, SHA_SIZE);
    XMEMCPY(ocsp->status[0].issuerHash, cert->issuerHash, SHA_SIZE);
+    XMEMCPY(ocsp->status[0].issuerKeyHash, cert->issuerKeyHash, SHA_SIZE);
    XMEMCPY(ocsp->status[0].serial, cert->serial, cert->serialSz);
    ocsp->status[0].serialSz = cert->serialSz;
    ocsp->statusLen = 1;

-    ocspReqSz = build_ocsp_request(ocsp, ocspReqBuf, ocspReqSz);
+    ocspReqSz = EncodeOcspRequest(cert, ocspReqBuf, ocspReqSz);
    httpBufSz = build_http_request(ocsp, ocspReqSz, httpBuf, httpBufSz);

    tcp_connect(&sfd, ocsp->overrideName, ocsp->overridePort);