From c67b21c82878b53661f40fd37658f37ce3c5766f Mon Sep 17 00:00:00 2001 From: Marcel Poul Date: Tue, 20 Mar 2012 23:18:07 +0000 Subject: [PATCH] prepare OCSP support --- emi.canl.canl-c/src/canl_ssl.c | 102 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 102 insertions(+) diff --git a/emi.canl.canl-c/src/canl_ssl.c b/emi.canl.canl-c/src/canl_ssl.c index ee07f9c..9f6116f 100644 --- a/emi.canl.canl-c/src/canl_ssl.c +++ b/emi.canl.canl-c/src/canl_ssl.c @@ -1014,6 +1014,108 @@ static void dbg_print_ssl_error(int errorcode) } #endif +#if 0 + +int do_ocsp_verify ((X509 *cert, X509 *issuer)) +{ + OCSP_REQUEST *req = NULL; + int result = 0, ssl = 0; + char *host = NULL, *path = NULL, *port = NULL; + OCSP_CERTID *id = NULL; + /*get url from cert or use some implicit value*/ + + /*get connection parameters out of url*/ + if (!OCSP_parse_url(chosenurl, &host, &port, &path, &ssl)) { + result = MYPROXY_OCSPRESULT_ERROR_BADOCSPADDRESS; + goto end; + } + if (!(req = OCSP_REQUEST_new())) { + result = MYPROXY_OCSPRESULT_ERROR_OUTOFMEMORY; + goto end; + } + + id = OCSP_cert_to_id(0, cert, issuer); + + /* Add id and nonce*/ + if (!id || !OCSP_request_add0_id(req, id)) + goto end; + //OCSP_request_add1_nonce(req, 0, -1); Is it necessery? + + + /*make new canl cc and io and init client*/ + + /* sign the request */ + if (sign_cert && sign_key && + !OCSP_request_sign(req, sign_cert, sign_key, EVP_sha1(), 0, 0)) { + result = MYPROXY_OCSPRESULT_ERROR_SIGNFAILURE; + goto end; + } + + /* establish a connection to the OCSP responder */ + if (!(result = ssl_connect(cc, io, ))) { + result = MYPROXY_OCSPRESULT_ERROR_CONNECTFAILURE; + goto end; + } + + /* send the request and get a response */ + resp = OCSP_sendreq_bio(bio, path, req); + if ((rc = OCSP_response_status(resp)) != OCSP_RESPONSE_STATUS_SUCCESSFUL) { + switch (rc) { + case OCSP_RESPONSE_STATUS_MALFORMEDREQUEST: + result = MYPROXY_OCSPRESULT_ERROR_MALFORMEDREQUEST; break; + case OCSP_RESPONSE_STATUS_INTERNALERROR: + result = MYPROXY_OCSPRESULT_ERROR_INTERNALERROR; break; + case OCSP_RESPONSE_STATUS_TRYLATER: + result = MYPROXY_OCSPRESULT_ERROR_TRYLATER; break; + case OCSP_RESPONSE_STATUS_SIGREQUIRED: + result = MYPROXY_OCSPRESULT_ERROR_SIGREQUIRED; break; + case OCSP_RESPONSE_STATUS_UNAUTHORIZED: + result = MYPROXY_OCSPRESULT_ERROR_UNAUTHORIZED; break; + } + goto end; + } + + /* verify the response */ + result = MYPROXY_OCSPRESULT_ERROR_INVALIDRESPONSE; + if (!(basic = OCSP_response_get1_basic(resp))) goto end; + if (usenonce && OCSP_check_nonce(req, basic) <= 0) goto end; + + if (!responder_cert || + (rc = OCSP_basic_verify(basic, responder_cert, store, + OCSP_TRUSTOTHER)) <= 0) + if ((rc = OCSP_basic_verify(basic, NULL, store, 0)) <= 0) + goto end; + + if (!OCSP_resp_find_status(basic, id, &status, &reason, &producedAt, + &thisUpdate, &nextUpdate)) + goto end; + if (!OCSP_check_validity(thisUpdate, nextUpdate, skew, maxage)) + goto end; + + /* All done. Set the return code based on the status from the response. */ + if (status == V_OCSP_CERTSTATUS_REVOKED) { + result = MYPROXY_OCSPRESULT_CERTIFICATE_REVOKED; + myproxy_log("OCSP status revoked!"); + } else { + result = MYPROXY_OCSPRESULT_CERTIFICATE_VALID; + myproxy_log("OCSP status valid"); + } + + if (host) OPENSSL_free(host); + if (port) OPENSSL_free(port); + if (path) OPENSSL_free(path); + if (req) OCSP_REQUEST_free(req); + if (resp) OCSP_RESPONSE_free(resp); + if (basic) OCSP_BASICRESP_free(basic); + if (ctx) SSL_CTX_free(ctx); /* this does X509_STORE_free(store) */ + if (certdir) free(certdir); + if (aiaocspurl) free(aiaocspurl); + + return 0; +} + +#endif + mech_glb_ctx ssl_glb_ctx; canl_mech canl_mech_ssl = { -- 1.8.2.3