Support OCSP_basic_add1_nonce

samuel40791765 · Aug 1, 2024 · 1a976dd · 1a976dd
1 parent a265ac9
commit 1a976dd
Show file tree

Hide file tree

Showing 3 changed files with 43 additions and 1 deletion.
diff --git a/crypto/ocsp/ocsp_extension.c b/crypto/ocsp/ocsp_extension.c
@@ -103,6 +103,18 @@ int OCSP_request_add1_nonce(OCSP_REQUEST *req, unsigned char *val, int len) {
   return ocsp_add_nonce(&req->tbsRequest->requestExtensions, val, len);
 }
 
+int OCSP_basic_add1_nonce(OCSP_BASICRESP *resp, unsigned char *val, int len) {
+  if (resp == NULL) {
+    OPENSSL_PUT_ERROR(OCSP, ERR_R_PASSED_NULL_PARAMETER);
+    return 0;
+  }
+  if (val != NULL && len <= 0) {
+    OPENSSL_PUT_ERROR(OCSP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+    return 0;
+  }
+  return ocsp_add_nonce(&resp->tbsResponseData->responseExtensions, val, len);
+}
+
 int OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *bs) {
   if (req == NULL || bs == NULL) {
     OPENSSL_PUT_ERROR(OCSP, ERR_R_PASSED_NULL_PARAMETER);

diff --git a/crypto/ocsp/ocsp_test.cc b/crypto/ocsp/ocsp_test.cc
@@ -1411,6 +1411,31 @@ TEST(OCSPTest, OCSPNonce) {
   EXPECT_GE(OCSP_REQUEST_get_ext_by_NID(ocspRequest.get(),
                                         NID_id_pkix_OCSP_Nonce, -1),
             0);
+
+  // Same tests as above, but against an |OCSP_BASICRESP|.
+  data = GetTestData(
+      std::string("crypto/ocsp/test/aws/ocsp_response_no_nonce.der").c_str());
+  std::vector<uint8_t> ocsp_response_data(data.begin(), data.end());
+  bssl::UniquePtr<OCSP_RESPONSE> ocspResponse =
+      LoadOCSP_RESPONSE(ocsp_response_data);
+  ASSERT_TRUE(ocspResponse);
+  bssl::UniquePtr<OCSP_BASICRESP> basicResponse(
+      OCSP_response_get1_basic(ocspResponse.get()));
+  ASSERT_TRUE(basicResponse);
+
+  EXPECT_FALSE(
+      OCSP_basic_add1_nonce(basicResponse.get(), ocsp_response_nonce, 0));
+
+  // Adding a random nonce with the default length should succeed.
+  // |OCSP_REQUEST_get_ext_by_NID| returns a negative number if a nonce does
+  // not exist.
+  EXPECT_LT(OCSP_BASICRESP_get_ext_by_NID(basicResponse.get(),
+                                          NID_id_pkix_OCSP_Nonce, -1),
+            0);
+  EXPECT_TRUE(OCSP_basic_add1_nonce(basicResponse.get(), nullptr, 0));
+  EXPECT_GE(OCSP_BASICRESP_get_ext_by_NID(basicResponse.get(),
+                                          NID_id_pkix_OCSP_Nonce, -1),
+            0);
 }
 
 TEST(OCSPTest, OCSPCRLString) {

diff --git a/include/openssl/ocsp.h b/include/openssl/ocsp.h
@@ -171,11 +171,16 @@ OPENSSL_EXPORT OCSP_CERTID *OCSP_onereq_get0_id(OCSP_ONEREQ *one);
 // |req|. If |val| is NULL, a random nonce is generated and used. If |len| is
 // zero or negative, a default length of 16 bytes will be used.
 // If |val| is non-NULL, |len| must equal the length of |val|. This is different
-// from OpenSSL, which allows a default length for |len| to be used. Misusage
+// from OpenSSL, which allows a default length for |len| to be used. Mis-usage
 // of the default length could result in a read overflow, so we disallow it.
 OPENSSL_EXPORT int OCSP_request_add1_nonce(OCSP_REQUEST *req,
                                            unsigned char *val, int len);
 
+// OCSP_basic_add1_nonce is identical to |OCSP_request_add1_nonce|, but adds the
+// nonce to |resp| instead (the response).
+OPENSSL_EXPORT int OCSP_basic_add1_nonce(OCSP_BASICRESP *resp,
+                                         unsigned char *val, int len);
+
 // OCSP_check_nonce checks nonce existence and equality in |req| and |bs|. If
 // there is parsing issue with |req| or |bs|, it will be determined that a
 // nonce does not exist within |req| or |bs|.