Implement some standard OCSP extensions in the v3 code. These

are all raw print only extensions at present.

CHANGES

@@ -8,7 +8,7 @@
 
   *) Move common extension printing code to new function
      X509V3_print_extensions(). Reorganise OCSP print routines and
-     implement some needed OCSP ASN1 functions.
+     implement some needed OCSP ASN1 functions. Add OCSP extensions.
      [Steve Henson]
 
   *) New function X509_signature_print() to remove duplication in some

crypto/ocsp/ocsp.h

@@ -444,10 +444,7 @@ X509_EXTENSION *OCSP_archive_cutoff_new(char* tim);
 
 X509_EXTENSION *OCSP_url_svcloc_new(X509_NAME* issuer, char **urls);
 
-OCSP_SINGLERESP *OCSP_SINGLERESP_new(void);
-void OCSP_SINGLERESP_free(OCSP_SINGLERESP *a);
-int i2d_OCSP_SINGLERESP(OCSP_SINGLERESP *a, unsigned char **pp);
-OCSP_SINGLERESP *d2i_OCSP_SINGLERESP(OCSP_SINGLERESP **a, unsigned char **pp, long length);
+DECLARE_ASN1_FUNCTIONS(OCSP_SINGLERESP)
 int i2a_OCSP_SINGLERESP(BIO *bp, OCSP_SINGLERESP* a);
 
 OCSP_CERTSTATUS *OCSP_CERTSTATUS_new(void);
@@ -518,23 +515,14 @@ int i2d_OCSP_SIGNATURE(OCSP_SIGNATURE *a, unsigned char **pp);
 OCSP_SIGNATURE *d2i_OCSP_SIGNATURE(OCSP_SIGNATURE **a, unsigned char **pp, long length);
 int i2a_OCSP_SIGNATURE(BIO *bp, OCSP_SIGNATURE* a);
 
-OCSP_REQINFO *OCSP_REQINFO_new(void);
-void OCSP_REQINFO_free(OCSP_REQINFO *a);
-int i2d_OCSP_REQINFO(OCSP_REQINFO *a, unsigned char **pp);
-OCSP_REQINFO *d2i_OCSP_REQINFO(OCSP_REQINFO **a, unsigned char **pp, long length);
+DECLARE_ASN1_FUNCTIONS(OCSP_REQINFO)
 int i2a_OCSP_REQINFO(BIO *bp, OCSP_REQINFO* a);
 
-OCSP_CRLID *OCSP_CRLID_new(void);
-void OCSP_CRLID_free(OCSP_CRLID *a);
-int i2d_OCSP_CRLID(OCSP_CRLID *a, unsigned char **pp);
-OCSP_CRLID *d2i_OCSP_CRLID(OCSP_CRLID **a, unsigned char **pp, long length);
+DECLARE_ASN1_FUNCTIONS(OCSP_CRLID)
 int i2a_OCSP_CRLID(BIO *bp, OCSP_CRLID* a);
 int OCSP_CRLID_print(BIO *bp, OCSP_CRLID *a, int ind);
 
-OCSP_SERVICELOC *OCSP_SERVICELOC_new(void);
-void OCSP_SERVICELOC_free(OCSP_SERVICELOC *a);
-int i2d_OCSP_SERVICELOC(OCSP_SERVICELOC *a, unsigned char **pp);
-OCSP_SERVICELOC *d2i_OCSP_SERVICELOC(OCSP_SERVICELOC **a, unsigned char **pp, long length);
+DECLARE_ASN1_FUNCTIONS(OCSP_SERVICELOC)
 int i2a_OCSP_SERVICELOC(BIO *bp, OCSP_SERVICELOC* a);
 int OCSP_SERVICELOC_print(BIO *bp, OCSP_SERVICELOC* a, int ind);
 

crypto/x509v3/Makefile.ssl

@@ -25,11 +25,11 @@ LIB=$(TOP)/libcrypto.a
 LIBSRC=	v3_bcons.c v3_bitst.c v3_conf.c v3_extku.c v3_ia5.c \
 v3_lib.c v3_prn.c v3_utl.c v3err.c v3_genn.c v3_alt.c v3_skey.c v3_akey.c \
 v3_pku.c v3_int.c v3_enum.c v3_sxnet.c v3_cpols.c v3_crld.c v3_purp.c v3_info.c \
-v3_nonce.c
+v3_ocsp.c
 LIBOBJ= v3_bcons.o v3_bitst.o v3_conf.o v3_extku.o v3_ia5.o v3_lib.o \
 v3_prn.o v3_utl.o v3err.o v3_genn.o v3_alt.o v3_skey.o v3_akey.o v3_pku.o \
 v3_int.o v3_enum.o v3_sxnet.o v3_cpols.o v3_crld.o v3_purp.o v3_info.o \
-v3_nonce.o
+v3_ocsp.o
 
 SRC= $(LIBSRC)
 

crypto/x509v3/ext_dat.h

@@ -61,7 +61,8 @@ extern X509V3_EXT_METHOD v3_bcons, v3_nscert, v3_key_usage, v3_ext_ku;
 extern X509V3_EXT_METHOD v3_pkey_usage_period, v3_sxnet, v3_info;
 extern X509V3_EXT_METHOD v3_ns_ia5_list[], v3_alt[], v3_skey_id, v3_akey_id;
 extern X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_cpols, v3_crld;
-extern X509V3_EXT_METHOD v3_ocsp_nonce;
+extern X509V3_EXT_METHOD v3_ocsp_nonce, v3_ocsp_accresp, v3_ocsp_acutoff;
+extern X509V3_EXT_METHOD v3_ocsp_crlid;
 
 /* This table will be searched using OBJ_bsearch so it *must* kept in
  * order of the ext_nid values.
@@ -90,7 +91,10 @@ static X509V3_EXT_METHOD *standard_exts[] = {
 &v3_crl_reason,
 &v3_sxnet,
 &v3_info,
-&v3_ocsp_nonce
+&v3_ocsp_nonce,
+&v3_ocsp_crlid,
+&v3_ocsp_accresp,
+&v3_ocsp_acutoff
 };
 
 /* Number of standard extensions */

crypto/x509v3/v3_extku.c

@@ -63,20 +63,32 @@
 #include <openssl/conf.h>
 #include <openssl/x509v3.h>
 
-static EXTENDED_KEY_USAGE *v2i_EXTENDED_KEY_USAGE(X509V3_EXT_METHOD *method,
+static void *v2i_EXTENDED_KEY_USAGE(X509V3_EXT_METHOD *method,
 				X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
 static STACK_OF(CONF_VALUE) *i2v_EXTENDED_KEY_USAGE(X509V3_EXT_METHOD *method,
-		EXTENDED_KEY_USAGE *eku, STACK_OF(CONF_VALUE) *extlist);
+		void *eku, STACK_OF(CONF_VALUE) *extlist);
 
 X509V3_EXT_METHOD v3_ext_ku = {
-NID_ext_key_usage, 0,
-&EXTENDED_KEY_USAGE_it,
-0,0,0,0,
-0,0,
-(X509V3_EXT_I2V)i2v_EXTENDED_KEY_USAGE,
-(X509V3_EXT_V2I)v2i_EXTENDED_KEY_USAGE,
-0,0,
-NULL
+	NID_ext_key_usage, 0,
+	&EXTENDED_KEY_USAGE_it,
+	0,0,0,0,
+	0,0,
+	i2v_EXTENDED_KEY_USAGE,
+	v2i_EXTENDED_KEY_USAGE,
+	0,0,
+	NULL
+};
+
+/* NB OCSP acceptable responses also is a SEQUENCE OF OBJECT */
+X509V3_EXT_METHOD v3_ocsp_accresp = {
+	NID_id_pkix_OCSP_acceptableResponses, 0,
+	&EXTENDED_KEY_USAGE_it,
+	0,0,0,0,
+	0,0,
+	i2v_EXTENDED_KEY_USAGE,
+	v2i_EXTENDED_KEY_USAGE,
+	0,0,
+	NULL
 };
 
 ASN1_ITEM_TEMPLATE(EXTENDED_KEY_USAGE) = 
@@ -86,44 +98,45 @@ ASN1_ITEM_TEMPLATE_END(EXTENDED_KEY_USAGE);
 IMPLEMENT_ASN1_FUNCTIONS(EXTENDED_KEY_USAGE)
 
 static STACK_OF(CONF_VALUE) *i2v_EXTENDED_KEY_USAGE(X509V3_EXT_METHOD *method,
-		EXTENDED_KEY_USAGE *eku, STACK_OF(CONF_VALUE) *ext_list)
+		void *a, STACK_OF(CONF_VALUE) *ext_list)
 {
-int i;
-ASN1_OBJECT *obj;
-char obj_tmp[80];
-for(i = 0; i < sk_ASN1_OBJECT_num(eku); i++) {
-	obj = sk_ASN1_OBJECT_value(eku, i);
-	i2t_ASN1_OBJECT(obj_tmp, 80, obj);
-	X509V3_add_value(NULL, obj_tmp, &ext_list);
-}
-return ext_list;
+	EXTENDED_KEY_USAGE *eku = a;
+	int i;
+	ASN1_OBJECT *obj;
+	char obj_tmp[80];
+	for(i = 0; i < sk_ASN1_OBJECT_num(eku); i++) {
+		obj = sk_ASN1_OBJECT_value(eku, i);
+		i2t_ASN1_OBJECT(obj_tmp, 80, obj);
+		X509V3_add_value(NULL, obj_tmp, &ext_list);
+	}
+	return ext_list;
 }
 
-static EXTENDED_KEY_USAGE *v2i_EXTENDED_KEY_USAGE(X509V3_EXT_METHOD *method,
+static void *v2i_EXTENDED_KEY_USAGE(X509V3_EXT_METHOD *method,
 				X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
 {
-EXTENDED_KEY_USAGE *extku;
-char *extval;
-ASN1_OBJECT *objtmp;
-CONF_VALUE *val;
-int i;
+	EXTENDED_KEY_USAGE *extku;
+	char *extval;
+	ASN1_OBJECT *objtmp;
+	CONF_VALUE *val;
+	int i;
 
-if(!(extku = sk_ASN1_OBJECT_new_null())) {
-	X509V3err(X509V3_F_V2I_EXT_KU,ERR_R_MALLOC_FAILURE);
-	return NULL;
-}
-
-for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
-	val = sk_CONF_VALUE_value(nval, i);
-	if(val->value) extval = val->value;
-	else extval = val->name;
-	if(!(objtmp = OBJ_txt2obj(extval, 0))) {
-		sk_ASN1_OBJECT_pop_free(extku, ASN1_OBJECT_free);
-		X509V3err(X509V3_F_V2I_EXT_KU,X509V3_R_INVALID_OBJECT_IDENTIFIER);
-		X509V3_conf_err(val);
+	if(!(extku = sk_ASN1_OBJECT_new_null())) {
+		X509V3err(X509V3_F_V2I_EXT_KU,ERR_R_MALLOC_FAILURE);
 		return NULL;
 	}
-	sk_ASN1_OBJECT_push(extku, objtmp);
-}
-return extku;
+
+	for(i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+		val = sk_CONF_VALUE_value(nval, i);
+		if(val->value) extval = val->value;
+		else extval = val->name;
+		if(!(objtmp = OBJ_txt2obj(extval, 0))) {
+			sk_ASN1_OBJECT_pop_free(extku, ASN1_OBJECT_free);
+			X509V3err(X509V3_F_V2I_EXT_KU,X509V3_R_INVALID_OBJECT_IDENTIFIER);
+			X509V3_conf_err(val);
+			return NULL;
+		}
+		sk_ASN1_OBJECT_push(extku, objtmp);
+	}
+	return extku;
 }

crypto/x509v3/v3_nonce.c → crypto/x509v3/v3_ocsp.c

-/* v3_nonce.c */
+/* v3_ocsp.c */
 /* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
  * project 1999.
  */
@@ -63,16 +63,36 @@
 #include <openssl/ocsp.h>
 #include <openssl/x509v3.h>
 
-/* OCSP nonce. This is needs special treatment because it doesn't have
- * an ASN1 encoding at all: it just contains arbitrary data.
+/* OCSP extensions.
  */
 
+static int i2r_ocsp_crlid(X509V3_EXT_METHOD *method, void *nonce, BIO *out, int indent);
+static int i2r_ocsp_acutoff(X509V3_EXT_METHOD *method, void *nonce, BIO *out, int indent);
+
 static void *ocsp_nonce_new(void);
 static int i2d_ocsp_nonce(void *a, unsigned char **pp);
 static void *d2i_ocsp_nonce(void *a, unsigned char **pp, long length);
 static void ocsp_nonce_free(void *a);
 static int i2r_ocsp_nonce(X509V3_EXT_METHOD *method, void *nonce, BIO *out, int indent);
 
+X509V3_EXT_METHOD v3_ocsp_crlid = {
+	NID_id_pkix_OCSP_CrlID, 0, &OCSP_CRLID_it,
+	0,0,0,0,
+	0,0,
+	0,0,
+	i2r_ocsp_crlid,0,
+	NULL
+};
+
+X509V3_EXT_METHOD v3_ocsp_acutoff = {
+	NID_id_pkix_OCSP_archiveCutoff, 0, &ASN1_GENERALIZEDTIME_it,
+	0,0,0,0,
+	0,0,
+	0,0,
+	i2r_ocsp_acutoff,0,
+	NULL
+};
+
 X509V3_EXT_METHOD v3_ocsp_nonce = {
 	NID_id_pkix_OCSP_Nonce, 0, NULL,
 	ocsp_nonce_new,
@@ -85,6 +105,44 @@ X509V3_EXT_METHOD v3_ocsp_nonce = {
 	NULL
 };
 
+static int i2r_ocsp_crlid(X509V3_EXT_METHOD *method, void *in, BIO *bp, int ind)
+{
+	OCSP_CRLID *a = in;
+	if (a->crlUrl)
+	        {
+		if (!BIO_printf(bp, "%*scrlUrl: ", ind, "")) goto err;
+		if (!ASN1_STRING_print(bp, (ASN1_STRING*)a->crlUrl)) goto err;
+		if (!BIO_write(bp, "\n", 1)) goto err;
+		}
+	if (a->crlNum)
+	        {
+		if (!BIO_printf(bp, "%*scrlNum: ", ind, "")) goto err;
+		if (!i2a_ASN1_INTEGER(bp, a->crlNum)) goto err;
+		if (!BIO_write(bp, "\n", 1)) goto err;
+		}
+	if (a->crlTime)
+	        {
+		if (!BIO_printf(bp, "%*scrlTime: ", ind, "")) goto err;
+		if (!ASN1_GENERALIZEDTIME_print(bp, a->crlTime)) goto err;
+		if (!BIO_write(bp, "\n", 1)) goto err;
+		}
+	return 1;
+	err:
+	return 0;
+}
+
+static int i2r_ocsp_acutoff(X509V3_EXT_METHOD *method, void *cutoff, BIO *bp, int ind)
+{
+	if (!BIO_printf(bp, "%*s", ind, "")) return 0;
+	if(!ASN1_GENERALIZEDTIME_print(bp, cutoff)) return 0;
+	return 1;
+}
+
+
+/* OCSP nonce. This is needs special treatment because it doesn't have
+ * an ASN1 encoding at all: it just contains arbitrary data.
+ */
+
 static void *ocsp_nonce_new(void)
 {
 	return ASN1_OCTET_STRING_new();
@@ -130,3 +188,5 @@ static int i2r_ocsp_nonce(X509V3_EXT_METHOD *method, void *nonce, BIO *out, int
 	if(i2a_ASN1_STRING(out, nonce, V_ASN1_OCTET_STRING) <= 0) return 0;
 	return 1;
 }
+
+