Add OCSP nonce functionality

openssl-sys/src/ocsp.rs

@@ -66,6 +66,7 @@ cfg_if! {
 
 extern "C" {
     pub fn OCSP_request_add0_id(r: *mut OCSP_REQUEST, id: *mut OCSP_CERTID) -> *mut OCSP_ONEREQ;
+    pub fn OCSP_request_add1_nonce(req: *mut OCSP_REQUEST, val: *mut c_uchar, len: c_int) -> c_int;
 
     pub fn OCSP_resp_find_status(
         bs: *mut OCSP_BASICRESP,
@@ -85,6 +86,9 @@ extern "C" {
 
     pub fn OCSP_response_status(resp: *mut OCSP_RESPONSE) -> c_int;
     pub fn OCSP_response_get1_basic(resp: *mut OCSP_RESPONSE) -> *mut OCSP_BASICRESP;
+    pub fn OCSP_basic_add1_nonce(resp: *mut OCSP_BASICRESP, val: *mut c_uchar, len: c_int)
+        -> c_int;
+    pub fn OCSP_copy_nonce(resp: *mut OCSP_BASICRESP, req: *mut OCSP_REQUEST) -> c_int;
 
     pub fn OCSP_response_create(status: c_int, bs: *mut OCSP_BASICRESP) -> *mut OCSP_RESPONSE;
 
@@ -115,4 +119,6 @@ extern "C" {
         st: *mut X509_STORE,
         flags: c_ulong,
     ) -> c_int;
+
+    pub fn OCSP_check_nonce(req: *mut OCSP_REQUEST, bs: *mut OCSP_BASICRESP) -> c_int;
 }

openssl/src/ocsp.rs

@@ -200,6 +200,24 @@ impl OcspBasicResponseRef {
             }
         }
     }
+
+    pub fn add_nonce(&mut self, val: Option<&[u8]>) -> Result<(), ErrorStack> {
+        unsafe {
+            let (ptr, len) = match val {
+                Some(slice) => (slice.as_ptr() as *mut _, slice.len() as c_int),
+                None => (ptr::null_mut(), 0),
+            };
+            cvt(ffi::OCSP_basic_add1_nonce(self.as_ptr(), ptr, len))?;
+            Ok(())
+        }
+    }
+
+    pub fn copy_nonce(&mut self, req: OcspRequestRef) -> Result<(), ErrorStack> {
+        unsafe {
+            cvt(ffi::OCSP_copy_nonce(self.as_ptr(), req.as_ptr()))?;
+            Ok(())
+        }
+    }
 }
 
 foreign_type_and_impl_send_sync! {
@@ -336,6 +354,17 @@ impl OcspRequestRef {
             Ok(OcspOneReqRef::from_ptr_mut(ptr))
         }
     }
+
+    pub fn add_nonce(&mut self, val: Option<&[u8]>) -> Result<(), ErrorStack> {
+        unsafe {
+            let (ptr, len) = match val {
+                Some(slice) => (slice.as_ptr() as *mut _, slice.len() as c_int),
+                None => (ptr::null_mut(), 0),
+            };
+            cvt(ffi::OCSP_request_add1_nonce(self.as_ptr(), ptr, len))?;
+            Ok(())
+        }
+    }
 }
 
 foreign_type_and_impl_send_sync! {
@@ -345,3 +374,48 @@ foreign_type_and_impl_send_sync! {
     pub struct OcspOneReq;
     pub struct OcspOneReqRef;
 }
+
+pub fn check_nonce(req: &OcspRequestRef, bs: &OcspBasicResponseRef) -> Result<(), ErrorStack> {
+    unsafe {
+        cvt(ffi::OCSP_check_nonce(req.as_ptr(), bs.as_ptr()))?;
+        Ok(())
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use hex::FromHex;
+
+    use super::*;
+    use hash::MessageDigest;
+    use x509::X509;
+
+    #[test]
+    fn test_create_ocsp_request() {
+        let subject = include_bytes!("../test/cert.pem");
+        let subject = X509::from_pem(subject).unwrap();
+        let issuer = include_bytes!("../test/root-ca.pem");
+        let issuer = X509::from_pem(issuer).unwrap();
+
+        let req_der = include_bytes!("../test/ocsp-req.der");
+        let req_nonce_der = include_bytes!("../test/ocsp-req-nonce.der");
+
+        let cert_id = OcspCertId::from_cert(
+            MessageDigest::sha1(),
+            &subject,
+            &issuer
+            ).unwrap();
+
+        let mut req = OcspRequest::new().unwrap();
+        req.add_id(cert_id).unwrap();
+
+        assert_eq!(&*req.to_der().unwrap(), req_der.as_ref());
+
+
+        let nonce = Vec::from_hex("4413A2C5019A7C3A384CDD8AB30E3816").unwrap();
+        req.add_nonce(Some(&nonce)).unwrap();
+
+        assert_eq!(&*req.to_der().unwrap(), req_nonce_der.as_ref());
+    }
+
+}