Various OCSP responder utility functions.

Delete obsolete OCSP functions. Largely untested at present...
2024-11-29 04:55:11 +08:00 · 2001-02-03 19:20:45 +00:00 · 2001-02-03 19:20:45 +00:00 · 02e4fbed3d
commit 02e4fbed3d
parent 7403c34b0b
8 changed files with 334 additions and 227 deletions
--- a/13
+++ b/13
@ -3,6 +3,19 @@

 Changes between 0.9.6 and 0.9.7  [xx XXX 2000]

+  *) Functions for OCSP responders. OCSP_request_onereq_count(),
+     OCSP_request_onereq_get0(), OCSP_onereq_get0_id() and OCSP_id_get0_info()
+     extract information from a certificate request. OCSP_response_create()
+     creates a response and optionally adds a basic response structure.
+     OCSP_basic_add1_status() adds a complete single response to a basic
+     reponse and returns the OCSP_SINGLERESP structure just added (to allow
+     extensions to be included for example). OCSP_basic_add1_cert() adds a
+     certificate to a basic response and OCSP_basic_sign() signs a basic
+     response with various flags. New helper functions ASN1_TIME_check()
+     (checks validity of ASN1_TIME structure) and ASN1_TIME_to_generalizedtime()
+     (converts ASN1_TIME to GeneralizedTime).
+     [Steve Henson]
+
  *) Various new functions. EVP_Digest() combines EVP_Digest{Init,Update,Final}()
     in a single operation. X509_get0_pubkey_bitstr() extracts the public_key
     structure from a certificate. X509_pubkey_digest() digests tha public_key
--- a/crypto/asn1/a_time.c
+++ b/crypto/asn1/a_time.c
@ -112,3 +112,49 @@ ASN1_TIME *ASN1_TIME_set(ASN1_TIME *s, time_t t)
 					return ASN1_UTCTIME_set(s, t);
 	return ASN1_GENERALIZEDTIME_set(s,t);
 	}
+
+int ASN1_TIME_check(ASN1_TIME *t)
+	{
+	if (t->type == V_ASN1_GENERALIZEDTIME)
+		return ASN1_GENERALIZEDTIME_check(t);
+	else if (t->type == V_ASN1_UTCTIME)
+		return ASN1_UTCTIME_check(t);
+	return 0;
+	}
+
+/* Convert an ASN1_TIME structure to GeneralizedTime */
+ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(ASN1_TIME *t, ASN1_GENERALIZEDTIME **out)
+	{
+	ASN1_GENERALIZEDTIME *ret;
+	char *str;
+
+	if (!ASN1_TIME_check(t)) return NULL;
+
+	if (!out || !*out)
+		{
+		if (!(ret = ASN1_GENERALIZEDTIME_new ()))
+			return NULL;
+		if (out) *out = ret;
+		}
+	else ret = *out;
+
+	/* If already GeneralizedTime just copy across */
+	if (t->type == V_ASN1_GENERALIZEDTIME)
+		{
+		if(!ASN1_STRING_set(ret, t->data, t->length))
+			return NULL;
+		return ret;
+		}
+
+	/* grow the string */
+	if (!ASN1_STRING_set(ret, NULL, t->length + 2))
+		return NULL;
+	/* Work out the century and prepend */
+	str = (char *)t->data;
+	if (*str >= '5') strcpy(str, "19");
+	else strcpy(str, "20");
+
+	strcat(str, (char *)t->data);
+
+	return ret;
+	}
--- a/crypto/asn1/asn1.h
+++ b/crypto/asn1/asn1.h
@ -756,6 +756,8 @@ DECLARE_ASN1_FUNCTIONS(ASN1_GENERALIZEDTIME)
 DECLARE_ASN1_FUNCTIONS(ASN1_TIME)

 ASN1_TIME *ASN1_TIME_set(ASN1_TIME *s,time_t t);
+int ASN1_TIME_check(ASN1_TIME *t);
+ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(ASN1_TIME *t, ASN1_GENERALIZEDTIME **out);

 int		i2d_ASN1_SET(STACK *a, unsigned char **pp,
 			int (*func)(), int ex_tag, int ex_class, int is_set);
--- a/crypto/ocsp/Makefile.ssl
+++ b/crypto/ocsp/Makefile.ssl
@ -23,10 +23,10 @@ APPS=

 LIB=$(TOP)/libcrypto.a
 LIBSRC= ocsp_asn.c ocsp_ext.c ocsp_ht.c ocsp_lib.c ocsp_cl.c \
-	ocsp_prn.c ocsp_vfy.c ocsp_err.c
+	ocsp_srv.c ocsp_prn.c ocsp_vfy.c ocsp_err.c

 LIBOBJ= ocsp_asn.o ocsp_ext.o ocsp_ht.o ocsp_lib.o ocsp_cl.o \
-	ocsp_prn.o ocsp_vfy.o ocsp_err.o
+	ocsp_srv.o ocsp_prn.o ocsp_vfy.o ocsp_err.o

 SRC= $(LIBSRC)

--- a/crypto/ocsp/ocsp.h
+++ b/crypto/ocsp/ocsp.h
@ -86,6 +86,8 @@ extern "C" {
 #define OCSP_NODELEGATED		0x80
 #define OCSP_NOCHECKS			0x100
 #define OCSP_TRUSTOTHER			0x200
+#define OCSP_RESPID_KEY			0x400
+#define OCSP_NOTIME			0x800

 /*   CertID ::= SEQUENCE {
 *       hashAlgorithm            AlgorithmIdentifier,
@ -446,29 +448,21 @@ int OCSP_request_verify(OCSP_REQUEST *req, EVP_PKEY *pkey);
 int OCSP_id_issuer_cmp(OCSP_CERTID *a, OCSP_CERTID *b);
 int OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b);

-OCSP_BASICRESP *OCSP_basic_response_new(int tag,
-					X509* cert);
-
-int OCSP_basic_response_add(OCSP_BASICRESP           *rsp,
-			    OCSP_CERTID              *cid,
-			    OCSP_CERTSTATUS          *cst,
-			    char                     *thisUpdate,
-			    char                     *nextUpdate);
-
-int OCSP_basic_response_sign(OCSP_BASICRESP *brsp, 
-			     EVP_PKEY       *key,
-			     const EVP_MD   *dgst,
-			     STACK_OF(X509) *certs);
-
-int OCSP_response_verify(OCSP_RESPONSE *rsp, EVP_PKEY *pkey);
-
-int OCSP_basic_response_verify(OCSP_BASICRESP *rsp, EVP_PKEY *pkey);
-
-
-OCSP_RESPONSE *OCSP_response_new(int status,
-				 int nid,
-				 int (*i2d)(),
-				 char *data);
+int OCSP_request_onereq_count(OCSP_REQUEST *req);
+OCSP_ONEREQ *OCSP_request_onereq_get0(OCSP_REQUEST *req, int i);
+OCSP_CERTID *OCSP_onereq_get0_id(OCSP_ONEREQ *one);
+int OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd,
+			ASN1_OCTET_STRING **pikeyHash,
+			ASN1_INTEGER **pserial, OCSP_CERTID *cid);
+OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp,
+						OCSP_CERTID *cid,
+						int status, int reason,
+						ASN1_TIME *revtime,
+					ASN1_TIME *thisupd, ASN1_TIME *nextupd);
+int OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert);
+int OCSP_basic_sign(OCSP_BASICRESP *brsp, 
+			X509 *signer, EVP_PKEY *key, const EVP_MD *dgst,
+			STACK_OF(X509) *certs, unsigned long flags);

 ASN1_STRING *ASN1_STRING_encode(ASN1_STRING *s, int (*i2d)(), 
 				char *data, STACK_OF(ASN1_OBJECT) *sk);
@ -567,6 +561,7 @@ void ERR_load_OCSP_strings(void);
 #define OCSP_F_CERT_ID_NEW				 102
 #define OCSP_F_CERT_STATUS_NEW				 103
 #define OCSP_F_D2I_OCSP_NONCE				 109
+#define OCSP_F_OCSP_BASIC_ADD1_STATUS			 118
 #define OCSP_F_OCSP_BASIC_VERIFY			 113
 #define OCSP_F_OCSP_CHECK_DELEGATED			 117
 #define OCSP_F_OCSP_CHECK_IDS				 114
@ -598,6 +593,7 @@ void ERR_load_OCSP_strings(void);
 #define OCSP_R_NO_CONTENT				 115
 #define OCSP_R_NO_PUBLIC_KEY				 103
 #define OCSP_R_NO_RESPONSE_DATA				 104
+#define OCSP_R_NO_REVOKED_TIME				 132
 #define OCSP_R_NO_SIGNATURE				 105
 #define OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA	 129
 #define OCSP_R_REVOKED_NO_TIME				 106
--- a/crypto/ocsp/ocsp_err.c
+++ b/crypto/ocsp/ocsp_err.c
@ -72,6 +72,7 @@ static ERR_STRING_DATA OCSP_str_functs[]=
 {ERR_PACK(0,OCSP_F_CERT_ID_NEW,0),	"CERT_ID_NEW"},
 {ERR_PACK(0,OCSP_F_CERT_STATUS_NEW,0),	"CERT_STATUS_NEW"},
 {ERR_PACK(0,OCSP_F_D2I_OCSP_NONCE,0),	"D2I_OCSP_NONCE"},
+{ERR_PACK(0,OCSP_F_OCSP_BASIC_ADD1_STATUS,0),	"OCSP_basic_add1_status"},
 {ERR_PACK(0,OCSP_F_OCSP_BASIC_VERIFY,0),	"OCSP_basic_verify"},
 {ERR_PACK(0,OCSP_F_OCSP_CHECK_DELEGATED,0),	"OCSP_CHECK_DELEGATED"},
 {ERR_PACK(0,OCSP_F_OCSP_CHECK_IDS,0),	"OCSP_CHECK_IDS"},
@ -106,6 +107,7 @@ static ERR_STRING_DATA OCSP_str_reasons[]=
 {OCSP_R_NO_CONTENT                       ,"no content"},
 {OCSP_R_NO_PUBLIC_KEY                    ,"no public key"},
 {OCSP_R_NO_RESPONSE_DATA                 ,"no response data"},
+{OCSP_R_NO_REVOKED_TIME                  ,"no revoked time"},
 {OCSP_R_NO_SIGNATURE                     ,"no signature"},
 {OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA,"response contains no revocation data"},
 {OCSP_R_REVOKED_NO_TIME                  ,"revoked no time"},
--- a/crypto/ocsp/ocsp_lib.c
+++ b/crypto/ocsp/ocsp_lib.c
@ -129,38 +129,6 @@ err:
 	return NULL;
 	}

-OCSP_CERTSTATUS *OCSP_cert_status_new(int status, int reason, char *tim)
-        {
-	OCSP_REVOKEDINFO *ri;
-	OCSP_CERTSTATUS *cs = NULL;
-
-	if (!(cs = OCSP_CERTSTATUS_new())) goto err;
-	if ((cs->type = status) == V_OCSP_CERTSTATUS_REVOKED)
-	        {
-		if (!time)
-		        {
-		        OCSPerr(OCSP_F_CERT_STATUS_NEW,OCSP_R_REVOKED_NO_TIME);
-			goto err;
-		        }
-		if (!(cs->value.revoked = ri = OCSP_REVOKEDINFO_new())) goto err;
-		if (!ASN1_GENERALIZEDTIME_set_string(ri->revocationTime,tim))
-			goto err;	
-		if (reason != OCSP_REVOKED_STATUS_NOSTATUS)
-		        {
-			if (!(ri->revocationReason = ASN1_ENUMERATED_new())) 
-			        goto err;
-			if (!(ASN1_ENUMERATED_set(ri->revocationReason, 
-						  reason)))
-			        goto err;	
-			}
-		}
-	return cs;
-err:
-	if (cs) OCSP_CERTSTATUS_free(cs);
-	return NULL;
-	}
-
-
 int OCSP_id_issuer_cmp(OCSP_CERTID *a, OCSP_CERTID *b)
 	{
 	int ret;
@ -179,124 +147,6 @@ int OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b)
 	return ASN1_INTEGER_cmp(a->serialNumber, b->serialNumber);
 	}

-OCSP_BASICRESP *OCSP_basic_response_new(int type, X509* cert)
-        {
-	time_t t;
-	OCSP_RESPID *rid;
-	OCSP_BASICRESP *rsp = NULL;
-	unsigned char md[SHA_DIGEST_LENGTH];
-	
-	if (!(rsp = OCSP_BASICRESP_new())) goto err;
-	rid = rsp->tbsResponseData->responderId;
-	switch (rid->type = type)
-	        {
-		case V_OCSP_RESPID_NAME:
-		        /* cert is user cert */
-		        if (!(rid->value.byName =
-			          X509_NAME_dup(X509_get_subject_name(cert))))
-				goto err;
-		        break;
-		case V_OCSP_RESPID_KEY:
-		        /* cert is issuer cert */
-			/* SHA-1 hash of responder's public key
-                         * (excluding the tag and length fields)
-			 */
-			X509_pubkey_digest(cert, EVP_sha1(), md, NULL);
-			if (!(rid->value.byKey = ASN1_OCTET_STRING_new()))
-				goto err;
-			if (!(ASN1_OCTET_STRING_set(rid->value.byKey,
-						    md, sizeof md)))
-				goto err;
-		        break;
-		default:
-		        OCSPerr(OCSP_F_BASIC_RESPONSE_NEW,OCSP_R_BAD_TAG);
-			goto err;
-		        break;
-		}
-	time(&t);
-	if (!(ASN1_GENERALIZEDTIME_set(rsp->tbsResponseData->producedAt, t)))
-		goto err;
-	if (!(rsp->tbsResponseData->responses = sk_OCSP_SINGLERESP_new(NULL))) goto err;
-	return rsp;
-err:
-	if (rsp) OCSP_BASICRESP_free(rsp);
-	return NULL;
-	}
-
-int OCSP_basic_response_add(OCSP_BASICRESP           *rsp,
-			    OCSP_CERTID              *cid,
-			    OCSP_CERTSTATUS          *cst,
-			    char                     *this,
-			    char                     *next)
-        {
-	OCSP_SINGLERESP *single = NULL;
-
-	if (!(single = OCSP_SINGLERESP_new())) goto err;
-	if (single->certId) OCSP_CERTID_free(single->certId);
-	if (!(single->certId = OCSP_CERTID_dup(cid))) goto err;
-	if (single->certStatus) OCSP_CERTSTATUS_free(single->certStatus);
-	if (!(single->certStatus = OCSP_CERTSTATUS_dup(cst))) goto err;
-	if (!ASN1_GENERALIZEDTIME_set_string(single->thisUpdate,this))goto err;
-	if (next)
-                { 
-		if (!(single->nextUpdate = ASN1_GENERALIZEDTIME_new()))
-		        goto err;
-		if (!ASN1_GENERALIZEDTIME_set_string(single->nextUpdate,next))
-	                goto err;
-		}
-	if (!sk_OCSP_SINGLERESP_push(rsp->tbsResponseData->responses,single)) goto err;
-	return 1;
-err:
-	if (single) OCSP_SINGLERESP_free(single);
-	return 0;
-	}
-
-int OCSP_basic_response_sign(OCSP_BASICRESP *brsp, 
-			     EVP_PKEY       *key,
-			     const EVP_MD   *dgst,
-			     STACK_OF(X509) *certs)
-        {
-	int i;
-
-	/* Right now, I think that not doing double hashing is the right
-	   thing.	-- Richard Levitte */
-	if (!OCSP_BASICRESP_sign(brsp, key, dgst, 0)) goto err;
-	if (certs)
-	        {
-	        if (!(brsp->certs = sk_X509_dup(certs))) goto err;
-	        for (i = 0; i < sk_X509_num(brsp->certs); i++)
-	                {
-			sk_X509_set(brsp->certs, i,
-		               X509_dup(sk_X509_value(certs, i)));
-		        if (! sk_X509_value(brsp->certs, i))
-				goto err;
-		        }
-		}
-	return 1;
-err:
-	return 0;
-	}
-
-OCSP_RESPONSE *OCSP_response_new(int status,
-				 int nid,
-				 int (*i2d)(),
-				 char *data)
-        {
-        OCSP_RESPONSE *rsp = NULL;
-
-	if (!(rsp = OCSP_RESPONSE_new())) goto err;
-	if (!(ASN1_ENUMERATED_set(rsp->responseStatus, status))) goto err;
-	if (!(rsp->responseBytes = OCSP_RESPBYTES_new())) goto err;
-	if (rsp->responseBytes->responseType) ASN1_OBJECT_free(rsp->responseBytes->responseType);
-	if (!(rsp->responseBytes->responseType = OBJ_nid2obj(nid))) goto err;
-	if (!ASN1_STRING_encode((ASN1_STRING*)rsp->responseBytes->response,
-				i2d, data, NULL)) goto err;
-	return rsp;
-err:
-	if (rsp) OCSP_RESPONSE_free(rsp);
-	return NULL;
-	}
-
 /* XXX assumes certs in signature are sorted root to leaf XXX */
 int OCSP_request_verify(OCSP_REQUEST *req, EVP_PKEY *pkey)
        {
@ -314,55 +164,3 @@ int OCSP_request_verify(OCSP_REQUEST *req, EVP_PKEY *pkey)
 		}
 	return OCSP_REQUEST_verify(req, pkey);
        }
-
-int OCSP_response_verify(OCSP_RESPONSE *rsp, EVP_PKEY *pkey)
-        {
-	int i, r;
-	unsigned char *p;
-	OCSP_RESPBYTES *rb;
-	OCSP_BASICRESP *br = NULL;
-
-	if ((rb = rsp->responseBytes) == NULL) 
-	        {
-		OCSPerr(OCSP_F_RESPONSE_VERIFY,OCSP_R_NO_RESPONSE_DATA);
-                return 0;
-		}
-	if (OBJ_obj2nid(rb->responseType) != NID_id_pkix_OCSP_basic) 
-	        {
-		OCSPerr(OCSP_F_RESPONSE_VERIFY,OCSP_R_BAD_TAG);
-                return 0;
-		}
-	p = ASN1_STRING_data(rb->response);
-	i = ASN1_STRING_length(rb->response);
-	if (!(d2i_OCSP_BASICRESP(&br, &p, i))) return 0;
-	r = OCSP_basic_response_verify(br, pkey);
-	OCSP_BASICRESP_free(br);
-	return r;
-        }
-
-int OCSP_basic_response_verify(OCSP_BASICRESP *rsp, EVP_PKEY *pkey)
-        {
-	STACK_OF(X509) *sk;
-	int ret;
-
-	if (!rsp->signature) 
-	        {
-		OCSPerr(OCSP_F_BASIC_RESPONSE_VERIFY,OCSP_R_NO_SIGNATURE);
-                return 0;
-		}
-	if (pkey == NULL)
-	        {
-	        if (!(sk = rsp->certs))
-		        {
-		        OCSPerr(OCSP_F_BASIC_RESPONSE_VERIFY,OCSP_R_NO_CERTIFICATE);
-			return 0;
-			}
-		if (!(pkey=X509_get_pubkey(sk_X509_value(sk, sk_X509_num(sk)-1))))
-		        {
-		        OCSPerr(OCSP_F_BASIC_RESPONSE_VERIFY,OCSP_R_NO_PUBLIC_KEY);
-			return 0;
-		        }
-		}
-	ret = OCSP_BASICRESP_verify(rsp, pkey, 0);
-	return ret;
-        }
--- a/crypto/ocsp/ocsp_srv.c
+++ b/crypto/ocsp/ocsp_srv.c
@ -0,0 +1,250 @@
+/* ocsp_srv.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <cryptlib.h>
+#include <openssl/objects.h>
+#include <openssl/rand.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+#include <openssl/x509v3.h>
+#include <openssl/ocsp.h>
+
+/* Utility functions related to sending OCSP responses and extracting
+ * relevant information from the request.
+ */
+
+int OCSP_request_onereq_count(OCSP_REQUEST *req)
+	{
+	return sk_OCSP_ONEREQ_num(req->tbsRequest->requestList);
+	}
+
+OCSP_ONEREQ *OCSP_request_onereq_get0(OCSP_REQUEST *req, int i)
+	{
+	return sk_OCSP_ONEREQ_value(req->tbsRequest->requestList, i);
+	}
+
+OCSP_CERTID *OCSP_onereq_get0_id(OCSP_ONEREQ *one)
+	{
+	return one->reqCert;
+	}
+
+int OCSP_id_get0_info(ASN1_OCTET_STRING **piNameHash, ASN1_OBJECT **pmd,
+			ASN1_OCTET_STRING **pikeyHash,
+			ASN1_INTEGER **pserial, OCSP_CERTID *cid)
+	{
+	if (!cid) return 0;
+	if (pmd) *pmd = cid->hashAlgorithm->algorithm;
+	if(piNameHash) *piNameHash = cid->issuerNameHash;
+	if (pikeyHash) *pikeyHash = cid->issuerKeyHash;
+	if (pserial) *pserial = cid->serialNumber;
+	return 1;
+	}
+
+/* Create an OCSP response and encode an optional basic response */
+OCSP_RESPONSE *OCSP_response_create(int status, OCSP_BASICRESP *bs)
+        {
+        OCSP_RESPONSE *rsp = NULL;
+
+	if (!(rsp = OCSP_RESPONSE_new())) goto err;
+	if (!(ASN1_ENUMERATED_set(rsp->responseStatus, status))) goto err;
+	if (!bs) return rsp;
+	if (!(rsp->responseBytes = OCSP_RESPBYTES_new())) goto err;
+	rsp->responseBytes->responseType = OBJ_nid2obj(NID_id_pkix_OCSP_basic);
+	if (!ASN1_item_pack(bs, &OCSP_BASICRESP_it, &rsp->responseBytes->response))
+				goto err;
+	return rsp;
+err:
+	if (rsp) OCSP_RESPONSE_free(rsp);
+	return NULL;
+	}
+
+
+OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp,
+						OCSP_CERTID *cid,
+						int status, int reason,
+						ASN1_TIME *revtime,
+					ASN1_TIME *thisupd, ASN1_TIME *nextupd)
+	{
+	OCSP_SINGLERESP *single = NULL;
+	OCSP_CERTSTATUS *cs;
+	OCSP_REVOKEDINFO *ri;
+
+	if(!rsp->tbsResponseData->responses &&
+	    !(rsp->tbsResponseData->responses = sk_OCSP_SINGLERESP_new_null()))
+		goto err;
+
+	if (!(single = OCSP_SINGLERESP_new()))
+		goto err;
+
+
+
+	if (!ASN1_TIME_to_generalizedtime(thisupd, &single->thisUpdate))
+		goto err;
+	if (nextupd &&
+		!ASN1_TIME_to_generalizedtime(nextupd, &single->nextUpdate))
+		goto err;
+
+	OCSP_CERTID_free(single->certId);
+
+	if(!(single->certId = OCSP_CERTID_dup(cid)))
+		goto err;
+
+	cs = single->certStatus;
+	switch(cs->type = status)
+		{
+	case V_OCSP_CERTSTATUS_REVOKED:
+		if (!revtime)
+		        {
+		        OCSPerr(OCSP_F_OCSP_BASIC_ADD1_STATUS,OCSP_R_NO_REVOKED_TIME);
+			goto err;
+		        }
+		if (!(cs->value.revoked = ri = OCSP_REVOKEDINFO_new())) goto err;
+		if (!ASN1_TIME_to_generalizedtime(revtime, &ri->revocationTime))
+			goto err;	
+		if (reason != OCSP_REVOKED_STATUS_NOSTATUS)
+		        {
+			if (!(ri->revocationReason = ASN1_ENUMERATED_new())) 
+			        goto err;
+			if (!(ASN1_ENUMERATED_set(ri->revocationReason, 
+						  reason)))
+			        goto err;	
+			}
+		break;
+
+	case V_OCSP_CERTSTATUS_GOOD:
+		cs->value.good = ASN1_NULL_new();
+		break;
+
+	case V_OCSP_CERTSTATUS_UNKNOWN:
+		cs->value.unknown = ASN1_NULL_new();
+		break;
+
+	default:
+		goto err;
+
+		}
+	if (!(sk_OCSP_SINGLERESP_push(rsp->tbsResponseData->responses, single)))
+		goto err;
+	return single;
+err:
+	OCSP_SINGLERESP_free(single);
+	return NULL;
+	}
+
+/* Add a certificate to an OCSP request */
+
+int OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert)
+	{
+	if (!resp->certs && !(resp->certs = sk_X509_new_null()))
+		return 0;
+
+	if(!sk_X509_push(resp->certs, cert)) return 0;
+	CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
+	return 1;
+	}
+
+int OCSP_basic_sign(OCSP_BASICRESP *brsp, 
+			X509 *signer, EVP_PKEY *key, const EVP_MD *dgst,
+			STACK_OF(X509) *certs, unsigned long flags)
+        {
+	int i;
+	OCSP_RESPID *rid;
+
+	if(!(flags & OCSP_NOCERTS) && !OCSP_basic_add1_cert(brsp, signer))
+		goto err;
+
+	for (i = 0; i < sk_X509_num(certs); i++)
+		{
+		X509 *tmpcert = sk_X509_value(certs, i);
+		if(!OCSP_basic_add1_cert(brsp, tmpcert))
+				goto err;
+		}
+
+	rid = brsp->tbsResponseData->responderId;
+	if (flags & OCSP_RESPID_KEY)
+		{
+		unsigned char md[SHA_DIGEST_LENGTH];
+		X509_pubkey_digest(signer, EVP_sha1(), md, NULL);
+		if (!(rid->value.byKey = ASN1_OCTET_STRING_new()))
+			goto err;
+		if (!(ASN1_OCTET_STRING_set(rid->value.byKey, md, SHA_DIGEST_LENGTH)))
+				goto err;
+		rid->type = V_OCSP_RESPID_KEY;
+		}
+	else
+		{
+		if (!X509_NAME_set(&rid->value.byName,
+					X509_get_subject_name(signer)))
+				goto err;
+		rid->type = V_OCSP_RESPID_NAME;
+		}
+
+	if (!(flags & OCSP_NOTIME) &&
+		!X509_gmtime_adj(brsp->tbsResponseData->producedAt, 0))
+		goto err;
+
+	/* Right now, I think that not doing double hashing is the right
+	   thing.	-- Richard Levitte */
+
+	if (!OCSP_BASICRESP_sign(brsp, key, dgst, 0)) goto err;
+
+	return 1;
+err:
+	return 0;
+	}