{"schema":"libjg2-1",
"vpath":"/git/",
"avatar":"/git/avatar/",
"alang":"",
"gen_ut":1753413111,
"reponame":"openssl",
"desc":"OpenSSL",
"owner": { "name": "Andy Green", "email": "andy@warmcat.com", "md5": "c50933ca2aa61e0fe2c43d46bb6b59cb" },"url":"https://warmcat.com/repo/openssl",
"f":3,
"items": [
{"schema":"libjg2-1",
"cid":"613c13692ed75d7f8cff6129b5a614e3",
"commit": {"type":"commit",
"time": 1492022470,
"time_ofs": 18446744073709551376,
"oid_tree": { "oid": "b03c7f9c1698d3d50d242281bcd7c8d9135cfbbe", "alias": []},
"oid":{ "oid": "3bb0f989b53c59c6d4527a0b5077dbb7fabe14b7", "alias": []},
"msg": "OCSP Updates: error codes and multiple certificates",
"sig_commit": { "git_time": { "time": 1492022470, "offset": -240 }, "name": "Rich Salz", "email": "rsalz@openssl.org", "md5": "3ed6b9cf7bbe83902a044f6590346d26" },
"sig_author": { "git_time": { "time": 1427835981, "offset": -240 }, "name": "Todd Short", "email": "tshort@akamai.com", "md5": "e0436a4477f604d3a4d03268d03fb577" }},
"body": "OCSP Updates: error codes and multiple certificates\n\nRT3877: Add X509 OCSP error codes and messages\nAdd additional OCSP error codes for X509 verify usage\n\nRT3867: Support Multiple CA certs in ocsp app\nAdd the ability to read multiple CA certs from a single file in the\nocsp app.\n\nUpdate some missing X509 errors in documentation.\n\nReviewed-by: Richard Levitte \u003clevitte@openssl.org\u003e\nReviewed-by: Rich Salz \u003crsalz@openssl.org\u003e\n(Merged from https://github.com/openssl/openssl/pull/941)"
,
"diff": "diff --git a/apps/ocsp.c b/apps/ocsp.c\nindex 8f60842..c461e76 100644\n--- a/apps/ocsp.c\n+++ b/apps/ocsp.c\n@@ -64,7 +64,7 @@ static void print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,\n STACK_OF(OCSP_CERTID) *ids, long nsec,\n long maxage);\n static void make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req,\n- CA_DB *db, X509 *ca, X509 *rcert,\n+ CA_DB *db, STACK_OF(X509) *ca, X509 *rcert,\n EVP_PKEY *rkey, const EVP_MD *md,\n STACK_OF(X509) *rother, unsigned long flags,\n int nmin, int ndays, int badsig);\n@@ -192,7 +192,8 @@ int ocsp_main(int argc, char **argv)\n STACK_OF(OPENSSL_STRING) *reqnames \u003d NULL;\n STACK_OF(X509) *sign_other \u003d NULL, *verify_other \u003d NULL, *rother \u003d NULL;\n STACK_OF(X509) *issuers \u003d NULL;\n- X509 *issuer \u003d NULL, *cert \u003d NULL, *rca_cert \u003d NULL;\n+ X509 *issuer \u003d NULL, *cert \u003d NULL;\n+ STACK_OF(X509) *rca_cert \u003d NULL;\n X509 *signer \u003d NULL, *rsigner \u003d NULL;\n X509_STORE *store \u003d NULL;\n X509_VERIFY_PARAM *vpm \u003d NULL;\n@@ -506,7 +507,9 @@ int ocsp_main(int argc, char **argv)\n BIO_printf(bio_err, \u0022Error loading responder certificate\u005cn\u0022);\n goto end;\n }\n- rca_cert \u003d load_cert(rca_filename, FORMAT_PEM, \u0022CA certificate\u0022);\n+ if (!load_certs(rca_filename, \u0026rca_cert, FORMAT_PEM,\n+ NULL, \u0022CA certificate\u0022))\n+ goto end;\n if (rcertfile) {\n if (!load_certs(rcertfile, \u0026rother, FORMAT_PEM, NULL,\n \u0022responder other certificates\u0022))\n@@ -725,7 +728,7 @@ int ocsp_main(int argc, char **argv)\n X509_free(cert);\n sk_X509_pop_free(issuers, X509_free);\n X509_free(rsigner);\n- X509_free(rca_cert);\n+ sk_X509_pop_free(rca_cert, X509_free);\n free_index(rdb);\n BIO_free_all(cbio);\n BIO_free_all(acbio);\n@@ -864,13 +867,13 @@ static void print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,\n }\n \n static void make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req,\n- 
CA_DB *db, X509 *ca, X509 *rcert,\n+ CA_DB *db, STACK_OF(X509) *ca, X509 *rcert,\n EVP_PKEY *rkey, const EVP_MD *rmd,\n STACK_OF(X509) *rother, unsigned long flags,\n int nmin, int ndays, int badsig)\n {\n ASN1_TIME *thisupd \u003d NULL, *nextupd \u003d NULL;\n- OCSP_CERTID *cid, *ca_id \u003d NULL;\n+ OCSP_CERTID *cid;\n OCSP_BASICRESP *bs \u003d NULL;\n int i, id_count;\n \n@@ -892,6 +895,8 @@ static void make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req,\n OCSP_ONEREQ *one;\n ASN1_INTEGER *serial;\n char **inf;\n+ int jj;\n+ int found \u003d 0;\n ASN1_OBJECT *cert_id_md_oid;\n const EVP_MD *cert_id_md;\n one \u003d OCSP_request_onereq_get0(req, i);\n@@ -905,11 +910,17 @@ static void make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req,\n NULL);\n goto end;\n }\n- OCSP_CERTID_free(ca_id);\n- ca_id \u003d OCSP_cert_to_id(cert_id_md, NULL, ca);\n+ for (jj \u003d 0; jj \u003c sk_X509_num(ca) \u0026\u0026 !found; jj++) {\n+ X509 *ca_cert \u003d sk_X509_value(ca, jj);\n+ OCSP_CERTID *ca_id \u003d OCSP_cert_to_id(cert_id_md, NULL, ca_cert);\n+\n+ if (OCSP_id_issuer_cmp(ca_id, cid) \u003d\u003d 0)\n+ found \u003d 1;\n+\n+ OCSP_CERTID_free(ca_id);\n+ }\n \n- /* Is this request about our CA? 
*/\n- if (OCSP_id_issuer_cmp(ca_id, cid)) {\n+ if (!found) {\n OCSP_basic_add1_status(bs, cid,\n V_OCSP_CERTSTATUS_UNKNOWN,\n 0, NULL, thisupd, nextupd);\n@@ -962,7 +973,6 @@ static void make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req,\n end:\n ASN1_TIME_free(thisupd);\n ASN1_TIME_free(nextupd);\n- OCSP_CERTID_free(ca_id);\n OCSP_BASICRESP_free(bs);\n }\n \ndiff --git a/crypto/x509/x509_txt.c b/crypto/x509/x509_txt.c\nindex 66e5fcd..a460bf5 100644\n--- a/crypto/x509/x509_txt.c\n+++ b/crypto/x509/x509_txt.c\n@@ -169,6 +169,12 @@ const char *X509_verify_cert_error_string(long n)\n return (\u0022Certificate Transparency required, but no valid SCTs found\u0022);\n case X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION:\n return (\u0022proxy subject name violation\u0022);\n+ case X509_V_ERR_OCSP_VERIFY_NEEDED:\n+ return(\u0022OCSP verification needed\u0022);\n+ case X509_V_ERR_OCSP_VERIFY_FAILED:\n+ return(\u0022OCSP verification failed\u0022);\n+ case X509_V_ERR_OCSP_CERT_UNKNOWN:\n+ return(\u0022OCSP unknown cert\u0022);\n \n default:\n /* Printing an error number into a static buffer is not thread-safe */\ndiff --git a/doc/man1/verify.pod b/doc/man1/verify.pod\nindex 6db7cd8..5596e1d 100644\n--- a/doc/man1/verify.pod\n+++ b/doc/man1/verify.pod\n@@ -696,6 +696,47 @@ DANE TLSA authentication is enabled, but no TLSA records matched the\n certificate chain.\n This error is only possible in L\u003cs_client(1)\u003e.\n \n+\u003ditem B\u003cX509_V_ERR_EE_KEY_TOO_SMALL\u003e\n+\n+EE certificate key too weak.\n+\n+\u003ditem B\u003cX509_ERR_CA_KEY_TOO_SMALL\u003e\n+\n+CA certificate key too weak.\n+\n+\u003ditem B\u003cX509_ERR_CA_MD_TOO_WEAK\u003e\n+\n+CA signature digest algorithm too weak.\n+\n+\u003ditem B\u003cX509_V_ERR_INVALID_CALL\u003e\n+\n+nvalid certificate verification context.\n+\n+\u003ditem B\u003cX509_V_ERR_STORE_LOOKUP\u003e\n+\n+Issuer certificate lookup error.\n+\n+\u003ditem B\u003cX509_V_ERR_NO_VALID_SCTS\u003e\n+\n+Certificate Transparency required, but 
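Review bot: The new loop in make_ocsp_response passes the result of OCSP_cert_to_id straight to OCSP_id_issuer_cmp without checking it, so an allocation failure would dereference NULL; add `if (ca_id == NULL) goto end;` before the compare, matching the goto-end error handling the function already uses a few lines earlier (the removed code had the same gap, but the loop now repeats it per CA). The condition `jj < sk_X509_num(ca) && !found` is also harder to read than a plain `break;` after `found = 1;`. A larger question this hunk raises: `found` records only that some CA in the list matched, and if the status lookup further down still consults a single index keyed by serial number alone (that code is outside the hunk), records for different CAs with colliding serials become ambiguous — worth confirming, or recording which CA matched and using it in the lookup. make_ocsp_response begins and ends outside this hunk.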
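Review bot: The three new cases in X509_verify_cert_error_string are written `return("OCSP verification needed");` with no space before the parenthesis, while every neighbouring case uses the `return ("...");` form; match the surrounding style, e.g. `return ("OCSP verification needed");`. The message "OCSP unknown cert" is also terser than the other strings in this table; "OCSP responder does not recognize certificate" would read consistently with the wording the same commit adds to verify.pod. The function begins and ends outside the hunk.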
no valid SCTs found.\n+\n+\u003ditem B\u003cX509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION\u003e\n+\n+Proxy subject name violation.\n+\n+\u003ditem B\u003cX509_V_ERR_OCSP_VERIFY_NEEDED\u003e\n+\n+Returned by the verify callback to indicate an OCSP verification is needed.\n+\n+\u003ditem B\u003cX509_V_ERR_OCSP_VERIFY_FAILED\u003e\n+\n+Returned by the verify callback to indicate OCSP verification failed.\n+\n+\u003ditem B\u003cX509_V_ERR_OCSP_CERT_UNKNOWN\u003e\n+\n+Returned by the verify callback to indicate that the certificate is not recognized\n+by the OCSP responder.\n+\n \u003dback\n \n \u003dhead1 BUGS\ndiff --git a/include/openssl/x509_vfy.h b/include/openssl/x509_vfy.h\nindex 1aa0a33..1414781 100644\n--- a/include/openssl/x509_vfy.h\n+++ b/include/openssl/x509_vfy.h\n@@ -180,6 +180,10 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);\n # define X509_V_ERR_NO_VALID_SCTS 71\n \n # define X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION 72\n+/* OCSP status errors */\n+# define X509_V_ERR_OCSP_VERIFY_NEEDED 73 /* Need OCSP verification */\n+# define X509_V_ERR_OCSP_VERIFY_FAILED 74 /* Couldn't verify cert through OCSP */\n+# define X509_V_ERR_OCSP_CERT_UNKNOWN 75 /* Certificate wasn't recognized by the OCSP responder */\n \n /* Certificate verify flags */\n \n","s":{"c":1753413111,"u": 30779}}
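Review bot: The new X509_V_ERR_OCSP_* codes are defined here and given strings in x509_txt.c, but nothing in this diff sets them inside libcrypto; the verify.pod text in the same commit says they are returned by the verify callback, so the header comment should say the same so readers do not expect X509_verify_cert itself to produce them, e.g. `/* OCSP status errors, reserved for application verify callbacks */`. The pod entry for X509_V_ERR_INVALID_CALL added by this commit also reads `nvalid certificate verification context.`, missing its leading letter. The enclosing header continues outside the hunk.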
],"g": 32918,"chitpc": 0,"ehitpc": 0,"indexed":0
,
"ab": 0, "si": 0, "db":0, "di":0, "sat":0, "lfc": "0000"}