OCSP response signature verification implemented

diff --git a/emi.canl.canl-c/src/canl_ocsp.c b/emi.canl.canl-c/src/canl_ocsp.c
index ba98ece..249d130 100644 (file)
--- a/emi.canl.canl-c/src/canl_ocsp.c
+++ b/emi.canl.canl-c/src/canl_ocsp.c
@@ -225,6 +225,17 @@ int set_ocsp_timeout(canl_ocsprequest_t *ocspreq, int timeout)
     return 0;
 }
 
+int set_ocsp_chain(canl_ocsprequest_t *ocspreq, STACK_OF(X509) *chain)
+{
+    if (!ocspreq)
+        ocspreq = calloc(1, sizeof(*ocspreq));
+    if (!ocspreq)
+        return 1;
+    if (chain)
+        ocspreq->cert_chain = chain;
+    return 0;
+}
+
 static canl_x509store_t * 
 store_dup(canl_x509store_t *store_from)
 {
@@ -388,7 +399,6 @@ int do_ocsp_verify (canl_ocsprequest_t *data)
     ASN1_GENERALIZEDTIME  *producedAt, *thisUpdate, *nextUpdate;
     int timeout = -1; // -1 means no timeout - use blocking I/O
     unsigned long verify_flags = 0;
-    STACK_OF(X509) *verify_other = NULL;
 
     if (!data || !data->cert) { // TODO || !data->issuer ?
         result = EINVAL; //TODO error code
@@ -481,7 +491,7 @@ int do_ocsp_verify (canl_ocsprequest_t *data)
         goto end;
     
     /* The last param. may be used when OCSP API is fully defined*/
-    rc = OCSP_basic_verify(basic, verify_other, store, verify_flags);
+    rc = OCSP_basic_verify(basic, data->cert_chain, store, verify_flags);
     if (rc < 0)
         rc = OCSP_basic_verify(basic, NULL, store, 0);
     if (rc <= 0) {
@@ -524,8 +534,6 @@ end:
         OCSP_BASICRESP_free(basic);
     if (chosenurl)
         free(chosenurl);
-    if (verify_other)
-        sk_X509_pop_free(verify_other, X509_free);
     if (store)
         X509_STORE_free(store);
 

diff --git a/emi.canl.canl-c/src/canl_ocsp.h b/emi.canl.canl-c/src/canl_ocsp.h
index 2ef7009..7e693f3 100644 (file)
--- a/emi.canl.canl-c/src/canl_ocsp.h
+++ b/emi.canl.canl-c/src/canl_ocsp.h
@@ -12,6 +12,7 @@ typedef struct {
     char            *url;
     X509            *cert;
     X509            *issuer;
+    STACK_OF(X509)  *cert_chain;
     canl_x509store_t *store;
     X509            *sign_cert;
     EVP_PKEY        *sign_key;
@@ -50,6 +51,7 @@ int set_ocsp_maxage(canl_ocsprequest_t *ocspreq, int maxage);
 int set_ocsp_url(canl_ocsprequest_t *ocspreq, char *url);
 int set_ocsp_issuer(canl_ocsprequest_t *ocspreq, X509 *issuer);
 int set_ocsp_store(canl_ocsprequest_t *ocspreq, canl_x509store_t *store);
+int set_ocsp_chain(canl_ocsprequest_t *ocspreq, STACK_OF(X509) *chain);
 
 int ocsprequest_init(canl_ocsprequest_t **ocspreq);
 void ocsprequest_free(canl_ocsprequest_t *or);

diff --git a/emi.canl.canl-c/src/proxy/sslutils.c b/emi.canl.canl-c/src/proxy/sslutils.c
index 6d37d8b..15befe4 100644 (file)
--- a/emi.canl.canl-c/src/proxy/sslutils.c
+++ b/emi.canl.canl-c/src/proxy/sslutils.c
@@ -2204,7 +2204,6 @@ proxy_verify_callback(
         if (cert_dir){
             canl_x509store_t *c_store = NULL;
             if (!canl_x509store_init(&c_store)) {
-                /* TODO This is obviously wrong, cert_dir is not ca_cert_dir*/
                 c_store->ca_dir = strdup(cert_dir);
                 set_ocsp_store(ocsp_data, c_store);
                 canl_x509store_free(c_store);
@@ -2213,6 +2212,7 @@ proxy_verify_callback(
         }
         set_ocsp_skew(ocsp_data, MAX_VALIDITY_PERIOD);
         set_ocsp_maxage(ocsp_data, -1);
+        set_ocsp_chain(ocsp_data, ctx->chain);
         /*Timeout should be set here 
        set_ocsp_timeout(pvd->timeout, -1); */
         do_ocsp_verify (ocsp_data);
@@ -2240,7 +2240,6 @@ fail_verify:
     }
 
     return(0);
-
 }
 
 /**********************************************************************