authorPaul Kehrer <paul.l.kehrer@gmail.com>2018-09-01 14:53:12 -0400
committerAlex Gaynor <alex.gaynor@gmail.com>2018-09-01 13:53:12 -0500
commitb41903740723d90be152a8a8e2a161b5c0110122 (patch)
tree44dec4a450d0fd604fef01d2554a1c6d64aa06f3
parentd3601b1ab171bdcaf5cb4377e4394ebd31d49a92 (diff)
OCSP bindings (#4449)
* add many OCSP bindings Much of OCSP was opaqued in 1.1.0 so this also adds a bunch of getters for older OpenSSL. However, 1.1.0 itself made it impossible to access certain fields in the opaque struct, so we're forced to de-opaque them for 1.1.0 through 1.1.0i as well as 1.1.1-pre1 through 1.1.1-pre9. There is a patch (openssl/openssl#7082) that fixes this and should be in 1.1.0j and 1.1.1-pre10 (or 1.1.1 final, whichever they choose to issue) * backslashes are sometimes useful * comments
-rw-r--r--src/_cffi_src/openssl/cryptography.py5
-rw-r--r--src/_cffi_src/openssl/ocsp.py92
2 files changed, 97 insertions, 0 deletions
diff --git a/src/_cffi_src/openssl/cryptography.py b/src/_cffi_src/openssl/cryptography.py
index e3e73580..3ebe3c5b 100644
--- a/src/_cffi_src/openssl/cryptography.py
+++ b/src/_cffi_src/openssl/cryptography.py
@@ -44,6 +44,9 @@ INCLUDES = """
(OPENSSL_VERSION_NUMBER >= 0x10100000 && !CRYPTOGRAPHY_IS_LIBRESSL)
#define CRYPTOGRAPHY_OPENSSL_110F_OR_GREATER \
(OPENSSL_VERSION_NUMBER >= 0x1010006f && !CRYPTOGRAPHY_IS_LIBRESSL)
+#define CRYPTOGRAPHY_OPENSSL_BETWEEN_111_and_111PRE9 \
+ (OPENSSL_VERSION_NUMBER >= 0x10101000 && \
+ OPENSSL_VERSION_NUMBER <= 0x10101009)
#define CRYPTOGRAPHY_OPENSSL_LESS_THAN_102 \
(OPENSSL_VERSION_NUMBER < 0x10002000 || CRYPTOGRAPHY_IS_LIBRESSL)
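Review bot: `CRYPTOGRAPHY_OPENSSL_BETWEEN_111_and_111PRE9` is the only macro in this block with a lowercase segment, and neither it nor the `CRYPTOGRAPHY_OPENSSL_LESS_THAN_110J` added in the next hunk says why those exact version windows matter, so the next reader has to rediscover it from the commit message. Keep the name uniform (`CRYPTOGRAPHY_OPENSSL_BETWEEN_111_AND_111PRE9`, with the ocsp.py use updated to match) and put the reason next to the definitions, e.g. `/* 1.1.0 through 1.1.0i and 1.1.1-pre1 through 1.1.1-pre9 have no public accessor for the OCSP tbs sig alg / respdata; fixed by openssl/openssl#7082 (1.1.0j, 1.1.1-pre10) */`. Unlike its siblings this macro does not test `CRYPTOGRAPHY_IS_LIBRESSL`; that is presumably harmless because LibreSSL's version number falls outside the range, but a comment saying so would stop someone from "fixing" it.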
@@ -51,6 +54,8 @@ INCLUDES = """
(OPENSSL_VERSION_NUMBER < 0x1000209f || CRYPTOGRAPHY_IS_LIBRESSL)
#define CRYPTOGRAPHY_OPENSSL_LESS_THAN_110 \
(OPENSSL_VERSION_NUMBER < 0x10100000 || CRYPTOGRAPHY_IS_LIBRESSL)
+#define CRYPTOGRAPHY_OPENSSL_LESS_THAN_110J \
+ (OPENSSL_VERSION_NUMBER < 0x101000af || CRYPTOGRAPHY_IS_LIBRESSL)
"""
TYPES = """
diff --git a/src/_cffi_src/openssl/ocsp.py b/src/_cffi_src/openssl/ocsp.py
index 61546027..dbe0367f 100644
--- a/src/_cffi_src/openssl/ocsp.py
+++ b/src/_cffi_src/openssl/ocsp.py
@@ -15,12 +15,22 @@ typedef ... OCSP_RESPONSE;
typedef ... OCSP_BASICRESP;
typedef ... OCSP_SINGLERESP;
typedef ... OCSP_CERTID;
+typedef ... OCSP_RESPDATA;
"""
FUNCTIONS = """
int OCSP_response_status(OCSP_RESPONSE *);
OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *);
int OCSP_BASICRESP_get_ext_count(OCSP_BASICRESP *);
+const ASN1_OCTET_STRING *OCSP_resp_get0_signature(const OCSP_BASICRESP *);
+Cryptography_STACK_OF_X509 *OCSP_resp_get0_certs(const OCSP_BASICRESP *);
+const ASN1_GENERALIZEDTIME *OCSP_resp_get0_produced_at(
+ const OCSP_BASICRESP *);
+const OCSP_CERTID *OCSP_SINGLERESP_get0_id(const OCSP_SINGLERESP *);
+int OCSP_resp_get0_id(const OCSP_BASICRESP *, const ASN1_OCTET_STRING **,
+ const X509_NAME **);
+const X509_ALGOR *OCSP_resp_get0_tbs_sigalg(const OCSP_BASICRESP *);
+const OCSP_RESPDATA *OCSP_resp_get0_respdata(const OCSP_BASICRESP *);
X509_EXTENSION *OCSP_BASICRESP_get_ext(OCSP_BASICRESP *, int);
int OCSP_resp_count(OCSP_BASICRESP *);
OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *, int);
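Review bot: The cdef `Cryptography_STACK_OF_X509 *OCSP_resp_get0_certs(const OCSP_BASICRESP *);` disagrees with the compatibility definition added later in this commit under `CRYPTOGRAPHY_OPENSSL_LESS_THAN_110`, which returns `const Cryptography_STACK_OF_X509 *`; the same symbol is declared with two different return types, which the C compiler is likely to flag when the cffi wrapper is built against pre-1.1.0 OpenSSL. Since the shim is stated to be copied from OpenSSL 1.1.0's ocsp_cl.c and uses the const form, the cdef should follow it: `const Cryptography_STACK_OF_X509 *OCSP_resp_get0_certs(const OCSP_BASICRESP *);`. Keeping const in the cdef also tells Python callers that the returned stack is borrowed and must not be modified or freed.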
@@ -51,6 +61,7 @@ int OCSP_BASICRESP_add1_ext_i2d(OCSP_BASICRESP *, int, void *, int,
int OCSP_basic_sign(OCSP_BASICRESP *, X509 *, EVP_PKEY *, const EVP_MD *,
Cryptography_STACK_OF_X509 *, unsigned long);
OCSP_RESPONSE *OCSP_response_create(int, OCSP_BASICRESP *);
+void OCSP_RESPONSE_free(OCSP_RESPONSE *);
OCSP_REQUEST *OCSP_REQUEST_new(void);
void OCSP_REQUEST_free(OCSP_REQUEST *);
@@ -62,7 +73,88 @@ OCSP_REQUEST *d2i_OCSP_REQUEST_bio(BIO *, OCSP_REQUEST **);
OCSP_RESPONSE *d2i_OCSP_RESPONSE_bio(BIO *, OCSP_RESPONSE **);
int i2d_OCSP_REQUEST_bio(BIO *, OCSP_REQUEST *);
int i2d_OCSP_RESPONSE_bio(BIO *, OCSP_RESPONSE *);
+int i2d_OCSP_RESPDATA(OCSP_RESPDATA *, unsigned char **);
"""
CUSTOMIZATIONS = """
+#if ( \
+ CRYPTOGRAPHY_OPENSSL_110_OR_GREATER && \
+ CRYPTOGRAPHY_OPENSSL_LESS_THAN_110J \
+ ) || CRYPTOGRAPHY_OPENSSL_BETWEEN_111_and_111PRE9
+/* These structs come from ocsp_lcl.h and are needed to de-opaque the struct
+ for the getters in OpenSSL 1.1.0 through 1.1.0i, as well as 1.1.1-pre1 to
+ 1.1.1-pre9 */
+struct ocsp_responder_id_st {
+ int type;
+ union {
+ X509_NAME *byName;
+ ASN1_OCTET_STRING *byKey;
+ } value;
+};
+struct ocsp_response_data_st {
+ ASN1_INTEGER *version;
+ OCSP_RESPID responderId;
+ ASN1_GENERALIZEDTIME *producedAt;
+ STACK_OF(OCSP_SINGLERESP) *responses;
+ STACK_OF(X509_EXTENSION) *responseExtensions;
+};
+struct ocsp_basic_response_st {
+ OCSP_RESPDATA tbsResponseData;
+ X509_ALGOR signatureAlgorithm;
+ ASN1_BIT_STRING *signature;
+ STACK_OF(X509) *certs;
+};
+#endif
+
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110
+/* These functions are all taken from ocsp_cl.c in OpenSSL 1.1.0 */
+const OCSP_CERTID *OCSP_SINGLERESP_get0_id(const OCSP_SINGLERESP *single)
+{
+ return single->certId;
+}
+const Cryptography_STACK_OF_X509 *OCSP_resp_get0_certs(
+ const OCSP_BASICRESP *bs)
+{
+ return bs->certs;
+}
+int OCSP_resp_get0_id(const OCSP_BASICRESP *bs,
+ const ASN1_OCTET_STRING **pid,
+ const X509_NAME **pname)
+{
+ const OCSP_RESPID *rid = bs->tbsResponseData->responderId;
+
+ if (rid->type == V_OCSP_RESPID_NAME) {
+ *pname = rid->value.byName;
+ *pid = NULL;
+ } else if (rid->type == V_OCSP_RESPID_KEY) {
+ *pid = rid->value.byKey;
+ *pname = NULL;
+ } else {
+ return 0;
+ }
+ return 1;
+}
+const ASN1_GENERALIZEDTIME *OCSP_resp_get0_produced_at(
+ const OCSP_BASICRESP* bs)
+{
+ return bs->tbsResponseData->producedAt;
+}
+const ASN1_OCTET_STRING *OCSP_resp_get0_signature(const OCSP_BASICRESP *bs)
+{
+ return bs->signature;
+}
+#endif
+
+#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110J || \
+ CRYPTOGRAPHY_OPENSSL_BETWEEN_111_and_111PRE9
+const X509_ALGOR *OCSP_resp_get0_tbs_sigalg(const OCSP_BASICRESP *bs)
+{
+ return &bs->signatureAlgorithm;
+}
+
+const OCSP_RESPDATA *OCSP_resp_get0_respdata(const OCSP_BASICRESP *bs)
+{
+ return &bs->tbsResponseData;
+}
+#endif
"""
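Review bot: The guard `#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110J || CRYPTOGRAPHY_OPENSSL_BETWEEN_111_and_111PRE9` is also true for every OpenSSL below 1.1.0 and for LibreSSL, yet `OCSP_resp_get0_tbs_sigalg` and `OCSP_resp_get0_respdata` return `&bs->signatureAlgorithm` and `&bs->tbsResponseData`, which only matches the copied 1.1.0 struct layout where those members are values; the pre-1.1.0 shims in the same hunk treat `tbsResponseData` as a pointer (`bs->tbsResponseData->producedAt`), so on those builds the address-of yields a pointer-to-pointer and the return type is wrong. Split the block: a `CRYPTOGRAPHY_OPENSSL_LESS_THAN_110` pair that returns the members directly, and narrow the existing guard with `CRYPTOGRAPHY_OPENSSL_110_OR_GREATER &&` so it covers only the de-opaqued builds. The hand-copied `ocsp_lcl.h` structs in the first `#if` deserve a comment stating that their layout must match the exact library version or the accessors will read unrelated fields of the response; the precise version pinning is the only thing keeping that safe, and a follow-up note pointing at openssl/openssl#7082 explains when the block can be deleted.
```c
#if CRYPTOGRAPHY_OPENSSL_LESS_THAN_110
/* … unchanged: OCSP_SINGLERESP_get0_id, OCSP_resp_get0_certs, OCSP_resp_get0_id,
   OCSP_resp_get0_produced_at, OCSP_resp_get0_signature … */
/* Pre-1.1.0 structs hold these members as pointers, so no address-of here. */
const X509_ALGOR *OCSP_resp_get0_tbs_sigalg(const OCSP_BASICRESP *bs)
{
    return bs->signatureAlgorithm;
}

const OCSP_RESPDATA *OCSP_resp_get0_respdata(const OCSP_BASICRESP *bs)
{
    return bs->tbsResponseData;
}
#endif

/* Only the de-opaqued 1.1.0/1.1.1-pre builds, where the members are values. */
#if (CRYPTOGRAPHY_OPENSSL_110_OR_GREATER && \
     CRYPTOGRAPHY_OPENSSL_LESS_THAN_110J) || \
    CRYPTOGRAPHY_OPENSSL_BETWEEN_111_and_111PRE9
/* … unchanged: the &bs->signatureAlgorithm / &bs->tbsResponseData getters … */
#endif
```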