version 1.22, 2022/11/11 17:07:39 |
version 1.23, 2023/03/06 14:32:06 |
|
|
int use_ssl; |
int use_ssl; |
char *verify_certfile; |
char *verify_certfile; |
unsigned long verify_flags; |
unsigned long verify_flags; |
} ocsp_config; |
} cfg; |
|
|
static int |
static int |
ocsp_opt_cert(char *arg) |
ocsp_opt_cert(char *arg) |
{ |
{ |
X509_free(ocsp_config.cert); |
X509_free(cfg.cert); |
ocsp_config.cert = load_cert(bio_err, arg, FORMAT_PEM, NULL, |
cfg.cert = load_cert(bio_err, arg, FORMAT_PEM, NULL, |
"certificate"); |
"certificate"); |
if (ocsp_config.cert == NULL) { |
if (cfg.cert == NULL) { |
ocsp_config.no_usage = 1; |
cfg.no_usage = 1; |
return (1); |
return (1); |
} |
} |
if (ocsp_config.cert_id_md == NULL) |
if (cfg.cert_id_md == NULL) |
ocsp_config.cert_id_md = EVP_sha1(); |
cfg.cert_id_md = EVP_sha1(); |
if (!add_ocsp_cert(&ocsp_config.req, ocsp_config.cert, |
if (!add_ocsp_cert(&cfg.req, cfg.cert, |
ocsp_config.cert_id_md, ocsp_config.issuer, ocsp_config.ids)) { |
cfg.cert_id_md, cfg.issuer, cfg.ids)) { |
ocsp_config.no_usage = 1; |
cfg.no_usage = 1; |
return (1); |
return (1); |
} |
} |
if (!sk_OPENSSL_STRING_push(ocsp_config.reqnames, arg)) { |
if (!sk_OPENSSL_STRING_push(cfg.reqnames, arg)) { |
ocsp_config.no_usage = 1; |
cfg.no_usage = 1; |
return (1); |
return (1); |
} |
} |
return (0); |
return (0); |
|
|
if (*name++ != '-') |
if (*name++ != '-') |
return (1); |
return (1); |
|
|
if ((ocsp_config.cert_id_md = EVP_get_digestbyname(name)) == NULL) |
if ((cfg.cert_id_md = EVP_get_digestbyname(name)) == NULL) |
return (1); |
return (1); |
|
|
*argsused = 1; |
*argsused = 1; |
|
|
if (argc < 3 || argv[1] == NULL || argv[2] == NULL) |
if (argc < 3 || argv[1] == NULL || argv[2] == NULL) |
return (1); |
return (1); |
|
|
if (!X509V3_add_value(argv[1], argv[2], &ocsp_config.headers)) { |
if (!X509V3_add_value(argv[1], argv[2], &cfg.headers)) { |
ocsp_config.no_usage = 1; |
cfg.no_usage = 1; |
return (1); |
return (1); |
} |
} |
|
|
|
|
static int |
static int |
ocsp_opt_host(char *arg) |
ocsp_opt_host(char *arg) |
{ |
{ |
if (ocsp_config.use_ssl != -1) |
if (cfg.use_ssl != -1) |
return (1); |
return (1); |
|
|
ocsp_config.host = arg; |
cfg.host = arg; |
return (0); |
return (0); |
} |
} |
|
|
static int |
static int |
ocsp_opt_issuer(char *arg) |
ocsp_opt_issuer(char *arg) |
{ |
{ |
X509_free(ocsp_config.issuer); |
X509_free(cfg.issuer); |
ocsp_config.issuer = load_cert(bio_err, arg, FORMAT_PEM, NULL, |
cfg.issuer = load_cert(bio_err, arg, FORMAT_PEM, NULL, |
"issuer certificate"); |
"issuer certificate"); |
if (ocsp_config.issuer == NULL) { |
if (cfg.issuer == NULL) { |
ocsp_config.no_usage = 1; |
cfg.no_usage = 1; |
return (1); |
return (1); |
} |
} |
return (0); |
return (0); |
|
|
{ |
{ |
const char *errstr = NULL; |
const char *errstr = NULL; |
|
|
ocsp_config.ndays = strtonum(arg, 0, INT_MAX, &errstr); |
cfg.ndays = strtonum(arg, 0, INT_MAX, &errstr); |
if (errstr != NULL) { |
if (errstr != NULL) { |
BIO_printf(bio_err, "Illegal update period %s: %s\n", |
BIO_printf(bio_err, "Illegal update period %s: %s\n", |
arg, errstr); |
arg, errstr); |
|
|
{ |
{ |
const char *errstr = NULL; |
const char *errstr = NULL; |
|
|
ocsp_config.nmin = strtonum(arg, 0, INT_MAX, &errstr); |
cfg.nmin = strtonum(arg, 0, INT_MAX, &errstr); |
if (errstr != NULL) { |
if (errstr != NULL) { |
BIO_printf(bio_err, "Illegal update period %s: %s\n", |
BIO_printf(bio_err, "Illegal update period %s: %s\n", |
arg, errstr); |
arg, errstr); |
return (1); |
return (1); |
} |
} |
|
|
if (ocsp_config.ndays != -1) |
if (cfg.ndays != -1) |
return (1); |
return (1); |
|
|
ocsp_config.ndays = 0; |
cfg.ndays = 0; |
return (0); |
return (0); |
} |
} |
|
|
|
|
{ |
{ |
const char *errstr = NULL; |
const char *errstr = NULL; |
|
|
ocsp_config.accept_count = strtonum(arg, 0, INT_MAX, &errstr); |
cfg.accept_count = strtonum(arg, 0, INT_MAX, &errstr); |
if (errstr != NULL) { |
if (errstr != NULL) { |
BIO_printf(bio_err, "Illegal accept count %s: %s\n", |
BIO_printf(bio_err, "Illegal accept count %s: %s\n", |
arg, errstr); |
arg, errstr); |
|
|
static int |
static int |
ocsp_opt_port(char *arg) |
ocsp_opt_port(char *arg) |
{ |
{ |
if (ocsp_config.use_ssl != -1) |
if (cfg.use_ssl != -1) |
return (1); |
return (1); |
|
|
ocsp_config.port = arg; |
cfg.port = arg; |
return (0); |
return (0); |
} |
} |
|
|
static int |
static int |
ocsp_opt_serial(char *arg) |
ocsp_opt_serial(char *arg) |
{ |
{ |
if (ocsp_config.cert_id_md == NULL) |
if (cfg.cert_id_md == NULL) |
ocsp_config.cert_id_md = EVP_sha1(); |
cfg.cert_id_md = EVP_sha1(); |
if (!add_ocsp_serial(&ocsp_config.req, arg, ocsp_config.cert_id_md, |
if (!add_ocsp_serial(&cfg.req, arg, cfg.cert_id_md, |
ocsp_config.issuer, ocsp_config.ids)) { |
cfg.issuer, cfg.ids)) { |
ocsp_config.no_usage = 1; |
cfg.no_usage = 1; |
return (1); |
return (1); |
} |
} |
if (!sk_OPENSSL_STRING_push(ocsp_config.reqnames, arg)) { |
if (!sk_OPENSSL_STRING_push(cfg.reqnames, arg)) { |
ocsp_config.no_usage = 1; |
cfg.no_usage = 1; |
return (1); |
return (1); |
} |
} |
return (0); |
return (0); |
|
|
{ |
{ |
const char *errstr = NULL; |
const char *errstr = NULL; |
|
|
ocsp_config.maxage = strtonum(arg, 0, LONG_MAX, &errstr); |
cfg.maxage = strtonum(arg, 0, LONG_MAX, &errstr); |
if (errstr != NULL) { |
if (errstr != NULL) { |
BIO_printf(bio_err, "Illegal validity age %s: %s\n", |
BIO_printf(bio_err, "Illegal validity age %s: %s\n", |
arg, errstr); |
arg, errstr); |
|
|
static int |
static int |
ocsp_opt_text(void) |
ocsp_opt_text(void) |
{ |
{ |
ocsp_config.req_text = 1; |
cfg.req_text = 1; |
ocsp_config.resp_text = 1; |
cfg.resp_text = 1; |
return (0); |
return (0); |
} |
} |
|
|
|
|
{ |
{ |
const char *errstr = NULL; |
const char *errstr = NULL; |
|
|
ocsp_config.req_timeout = strtonum(arg, 0, INT_MAX, &errstr); |
cfg.req_timeout = strtonum(arg, 0, INT_MAX, &errstr); |
if (errstr != NULL) { |
if (errstr != NULL) { |
BIO_printf(bio_err, "Illegal timeout value %s: %s\n", |
BIO_printf(bio_err, "Illegal timeout value %s: %s\n", |
arg, errstr); |
arg, errstr); |
|
|
static int |
static int |
ocsp_opt_url(char *arg) |
ocsp_opt_url(char *arg) |
{ |
{ |
if (ocsp_config.host == NULL && ocsp_config.port == NULL && |
if (cfg.host == NULL && cfg.port == NULL && |
ocsp_config.path == NULL) { |
cfg.path == NULL) { |
if (!OCSP_parse_url(arg, &ocsp_config.host, &ocsp_config.port, |
if (!OCSP_parse_url(arg, &cfg.host, &cfg.port, |
&ocsp_config.path, &ocsp_config.use_ssl)) { |
&cfg.path, &cfg.use_ssl)) { |
BIO_printf(bio_err, "Error parsing URL\n"); |
BIO_printf(bio_err, "Error parsing URL\n"); |
return (1); |
return (1); |
} |
} |
|
|
static int |
static int |
ocsp_opt_vafile(char *arg) |
ocsp_opt_vafile(char *arg) |
{ |
{ |
ocsp_config.verify_certfile = arg; |
cfg.verify_certfile = arg; |
ocsp_config.verify_flags |= OCSP_TRUSTOTHER; |
cfg.verify_flags |= OCSP_TRUSTOTHER; |
return (0); |
return (0); |
} |
} |
|
|
|
|
{ |
{ |
const char *errstr = NULL; |
const char *errstr = NULL; |
|
|
ocsp_config.nsec = strtonum(arg, 0, LONG_MAX, &errstr); |
cfg.nsec = strtonum(arg, 0, LONG_MAX, &errstr); |
if (errstr != NULL) { |
if (errstr != NULL) { |
BIO_printf(bio_err, "Illegal validity period %s: %s\n", |
BIO_printf(bio_err, "Illegal validity period %s: %s\n", |
arg, errstr); |
arg, errstr); |
|
|
.argname = "file", |
.argname = "file", |
.desc = "CA certificate corresponding to the revocation information", |
.desc = "CA certificate corresponding to the revocation information", |
.type = OPTION_ARG, |
.type = OPTION_ARG, |
.opt.arg = &ocsp_config.rca_filename, |
.opt.arg = &cfg.rca_filename, |
}, |
}, |
{ |
{ |
.name = "CAfile", |
.name = "CAfile", |
.argname = "file", |
.argname = "file", |
.desc = "Trusted certificates file", |
.desc = "Trusted certificates file", |
.type = OPTION_ARG, |
.type = OPTION_ARG, |
.opt.arg = &ocsp_config.CAfile, |
.opt.arg = &cfg.CAfile, |
}, |
}, |
{ |
{ |
.name = "CApath", |
.name = "CApath", |
.argname = "directory", |
.argname = "directory", |
.desc = "Trusted certificates directory", |
.desc = "Trusted certificates directory", |
.type = OPTION_ARG, |
.type = OPTION_ARG, |
.opt.arg = &ocsp_config.CApath, |
.opt.arg = &cfg.CApath, |
}, |
}, |
{ |
{ |
.name = "cert", |
.name = "cert", |
|
|
.name = "ignore_err", |
.name = "ignore_err", |
.desc = "Ignore the invalid response", |
.desc = "Ignore the invalid response", |
.type = OPTION_FLAG, |
.type = OPTION_FLAG, |
.opt.flag = &ocsp_config.ignore_err, |
.opt.flag = &cfg.ignore_err, |
}, |
}, |
{ |
{ |
.name = "index", |
.name = "index", |
.argname = "indexfile", |
.argname = "indexfile", |
.desc = "Certificate status index file", |
.desc = "Certificate status index file", |
.type = OPTION_ARG, |
.type = OPTION_ARG, |
.opt.arg = &ocsp_config.ridx_filename, |
.opt.arg = &cfg.ridx_filename, |
}, |
}, |
{ |
{ |
.name = "issuer", |
.name = "issuer", |
|
|
.name = "no_cert_checks", |
.name = "no_cert_checks", |
.desc = "Don't do additional checks on signing certificate", |
.desc = "Don't do additional checks on signing certificate", |
.type = OPTION_UL_VALUE_OR, |
.type = OPTION_UL_VALUE_OR, |
.opt.ulvalue = &ocsp_config.verify_flags, |
.opt.ulvalue = &cfg.verify_flags, |
.ulvalue = OCSP_NOCHECKS, |
.ulvalue = OCSP_NOCHECKS, |
}, |
}, |
{ |
{ |
.name = "no_cert_verify", |
.name = "no_cert_verify", |
.desc = "Don't check signing certificate", |
.desc = "Don't check signing certificate", |
.type = OPTION_UL_VALUE_OR, |
.type = OPTION_UL_VALUE_OR, |
.opt.ulvalue = &ocsp_config.verify_flags, |
.opt.ulvalue = &cfg.verify_flags, |
.ulvalue = OCSP_NOVERIFY, |
.ulvalue = OCSP_NOVERIFY, |
}, |
}, |
{ |
{ |
.name = "no_certs", |
.name = "no_certs", |
.desc = "Don't include any certificates in signed request", |
.desc = "Don't include any certificates in signed request", |
.type = OPTION_UL_VALUE_OR, |
.type = OPTION_UL_VALUE_OR, |
.opt.ulvalue = &ocsp_config.sign_flags, |
.opt.ulvalue = &cfg.sign_flags, |
.ulvalue = OCSP_NOCERTS, |
.ulvalue = OCSP_NOCERTS, |
}, |
}, |
{ |
{ |
.name = "no_chain", |
.name = "no_chain", |
.desc = "Don't use certificates in the response", |
.desc = "Don't use certificates in the response", |
.type = OPTION_UL_VALUE_OR, |
.type = OPTION_UL_VALUE_OR, |
.opt.ulvalue = &ocsp_config.verify_flags, |
.opt.ulvalue = &cfg.verify_flags, |
.ulvalue = OCSP_NOCHAIN, |
.ulvalue = OCSP_NOCHAIN, |
}, |
}, |
{ |
{ |
.name = "no_explicit", |
.name = "no_explicit", |
.desc = "Don't check the explicit trust for OCSP signing", |
.desc = "Don't check the explicit trust for OCSP signing", |
.type = OPTION_UL_VALUE_OR, |
.type = OPTION_UL_VALUE_OR, |
.opt.ulvalue = &ocsp_config.verify_flags, |
.opt.ulvalue = &cfg.verify_flags, |
.ulvalue = OCSP_NOEXPLICIT, |
.ulvalue = OCSP_NOEXPLICIT, |
}, |
}, |
{ |
{ |
.name = "no_intern", |
.name = "no_intern", |
.desc = "Don't search certificates contained in response for signer", |
.desc = "Don't search certificates contained in response for signer", |
.type = OPTION_UL_VALUE_OR, |
.type = OPTION_UL_VALUE_OR, |
.opt.ulvalue = &ocsp_config.verify_flags, |
.opt.ulvalue = &cfg.verify_flags, |
.ulvalue = OCSP_NOINTERN, |
.ulvalue = OCSP_NOINTERN, |
}, |
}, |
{ |
{ |
.name = "no_nonce", |
.name = "no_nonce", |
.desc = "Don't add OCSP nonce to request", |
.desc = "Don't add OCSP nonce to request", |
.type = OPTION_VALUE, |
.type = OPTION_VALUE, |
.opt.value = &ocsp_config.add_nonce, |
.opt.value = &cfg.add_nonce, |
.value = 0, |
.value = 0, |
}, |
}, |
{ |
{ |
.name = "no_signature_verify", |
.name = "no_signature_verify", |
.desc = "Don't check signature on response", |
.desc = "Don't check signature on response", |
.type = OPTION_UL_VALUE_OR, |
.type = OPTION_UL_VALUE_OR, |
.opt.ulvalue = &ocsp_config.verify_flags, |
.opt.ulvalue = &cfg.verify_flags, |
.ulvalue = OCSP_NOSIGS, |
.ulvalue = OCSP_NOSIGS, |
}, |
}, |
{ |
{ |
.name = "nonce", |
.name = "nonce", |
.desc = "Add OCSP nonce to request", |
.desc = "Add OCSP nonce to request", |
.type = OPTION_VALUE, |
.type = OPTION_VALUE, |
.opt.value = &ocsp_config.add_nonce, |
.opt.value = &cfg.add_nonce, |
.value = 2, |
.value = 2, |
}, |
}, |
{ |
{ |
.name = "noverify", |
.name = "noverify", |
.desc = "Don't verify response at all", |
.desc = "Don't verify response at all", |
.type = OPTION_FLAG, |
.type = OPTION_FLAG, |
.opt.flag = &ocsp_config.noverify, |
.opt.flag = &cfg.noverify, |
}, |
}, |
{ |
{ |
.name = "nrequest", |
.name = "nrequest", |
|
|
.argname = "file", |
.argname = "file", |
.desc = "Output filename", |
.desc = "Output filename", |
.type = OPTION_ARG, |
.type = OPTION_ARG, |
.opt.arg = &ocsp_config.outfile, |
.opt.arg = &cfg.outfile, |
}, |
}, |
{ |
{ |
.name = "path", |
.name = "path", |
.argname = "path", |
.argname = "path", |
.desc = "Path to use in OCSP request", |
.desc = "Path to use in OCSP request", |
.type = OPTION_ARG, |
.type = OPTION_ARG, |
.opt.arg = &ocsp_config.path, |
.opt.arg = &cfg.path, |
}, |
}, |
{ |
{ |
.name = "port", |
.name = "port", |
|
|
.name = "req_text", |
.name = "req_text", |
.desc = "Print text form of request", |
.desc = "Print text form of request", |
.type = OPTION_FLAG, |
.type = OPTION_FLAG, |
.opt.flag = &ocsp_config.req_text, |
.opt.flag = &cfg.req_text, |
}, |
}, |
{ |
{ |
.name = "reqin", |
.name = "reqin", |
.argname = "file", |
.argname = "file", |
.desc = "Read DER encoded OCSP request from \"file\"", |
.desc = "Read DER encoded OCSP request from \"file\"", |
.type = OPTION_ARG, |
.type = OPTION_ARG, |
.opt.arg = &ocsp_config.reqin, |
.opt.arg = &cfg.reqin, |
}, |
}, |
{ |
{ |
.name = "reqout", |
.name = "reqout", |
.argname = "file", |
.argname = "file", |
.desc = "Write DER encoded OCSP request to \"file\"", |
.desc = "Write DER encoded OCSP request to \"file\"", |
.type = OPTION_ARG, |
.type = OPTION_ARG, |
.opt.arg = &ocsp_config.reqout, |
.opt.arg = &cfg.reqout, |
}, |
}, |
{ |
{ |
.name = "resp_key_id", |
.name = "resp_key_id", |
.desc = "Identify response by signing certificate key ID", |
.desc = "Identify response by signing certificate key ID", |
.type = OPTION_UL_VALUE_OR, |
.type = OPTION_UL_VALUE_OR, |
.opt.ulvalue = &ocsp_config.rflags, |
.opt.ulvalue = &cfg.rflags, |
.ulvalue = OCSP_RESPID_KEY, |
.ulvalue = OCSP_RESPID_KEY, |
}, |
}, |
{ |
{ |
.name = "resp_no_certs", |
.name = "resp_no_certs", |
.desc = "Don't include any certificates in response", |
.desc = "Don't include any certificates in response", |
.type = OPTION_UL_VALUE_OR, |
.type = OPTION_UL_VALUE_OR, |
.opt.ulvalue = &ocsp_config.rflags, |
.opt.ulvalue = &cfg.rflags, |
.ulvalue = OCSP_NOCERTS, |
.ulvalue = OCSP_NOCERTS, |
}, |
}, |
{ |
{ |
.name = "resp_text", |
.name = "resp_text", |
.desc = "Print text form of response", |
.desc = "Print text form of response", |
.type = OPTION_FLAG, |
.type = OPTION_FLAG, |
.opt.flag = &ocsp_config.resp_text, |
.opt.flag = &cfg.resp_text, |
}, |
}, |
{ |
{ |
.name = "respin", |
.name = "respin", |
.argname = "file", |
.argname = "file", |
.desc = "Read DER encoded OCSP response from \"file\"", |
.desc = "Read DER encoded OCSP response from \"file\"", |
.type = OPTION_ARG, |
.type = OPTION_ARG, |
.opt.arg = &ocsp_config.respin, |
.opt.arg = &cfg.respin, |
}, |
}, |
{ |
{ |
.name = "respout", |
.name = "respout", |
.argname = "file", |
.argname = "file", |
.desc = "Write DER encoded OCSP response to \"file\"", |
.desc = "Write DER encoded OCSP response to \"file\"", |
.type = OPTION_ARG, |
.type = OPTION_ARG, |
.opt.arg = &ocsp_config.respout, |
.opt.arg = &cfg.respout, |
}, |
}, |
{ |
{ |
.name = "rkey", |
.name = "rkey", |
.argname = "file", |
.argname = "file", |
.desc = "Responder key to sign responses with", |
.desc = "Responder key to sign responses with", |
.type = OPTION_ARG, |
.type = OPTION_ARG, |
.opt.arg = &ocsp_config.rkeyfile, |
.opt.arg = &cfg.rkeyfile, |
}, |
}, |
{ |
{ |
.name = "rother", |
.name = "rother", |
.argname = "file", |
.argname = "file", |
.desc = "Other certificates to include in response", |
.desc = "Other certificates to include in response", |
.type = OPTION_ARG, |
.type = OPTION_ARG, |
.opt.arg = &ocsp_config.rcertfile, |
.opt.arg = &cfg.rcertfile, |
}, |
}, |
{ |
{ |
.name = "rsigner", |
.name = "rsigner", |
.argname = "file", |
.argname = "file", |
.desc = "Responder certificate to sign responses with", |
.desc = "Responder certificate to sign responses with", |
.type = OPTION_ARG, |
.type = OPTION_ARG, |
.opt.arg = &ocsp_config.rsignfile, |
.opt.arg = &cfg.rsignfile, |
}, |
}, |
{ |
{ |
.name = "serial", |
.name = "serial", |
|
|
.argname = "file", |
.argname = "file", |
.desc = "Additional certificates to include in signed request", |
.desc = "Additional certificates to include in signed request", |
.type = OPTION_ARG, |
.type = OPTION_ARG, |
.opt.arg = &ocsp_config.sign_certfile, |
.opt.arg = &cfg.sign_certfile, |
}, |
}, |
{ |
{ |
.name = "signer", |
.name = "signer", |
.argname = "file", |
.argname = "file", |
.desc = "Certificate to sign OCSP request with", |
.desc = "Certificate to sign OCSP request with", |
.type = OPTION_ARG, |
.type = OPTION_ARG, |
.opt.arg = &ocsp_config.signfile, |
.opt.arg = &cfg.signfile, |
}, |
}, |
{ |
{ |
.name = "signkey", |
.name = "signkey", |
.argname = "file", |
.argname = "file", |
.desc = "Private key to sign OCSP request with", |
.desc = "Private key to sign OCSP request with", |
.type = OPTION_ARG, |
.type = OPTION_ARG, |
.opt.arg = &ocsp_config.keyfile, |
.opt.arg = &cfg.keyfile, |
}, |
}, |
{ |
{ |
.name = "status_age", |
.name = "status_age", |
|
|
.name = "trust_other", |
.name = "trust_other", |
.desc = "Don't verify additional certificates", |
.desc = "Don't verify additional certificates", |
.type = OPTION_UL_VALUE_OR, |
.type = OPTION_UL_VALUE_OR, |
.opt.ulvalue = &ocsp_config.verify_flags, |
.opt.ulvalue = &cfg.verify_flags, |
.ulvalue = OCSP_TRUSTOTHER, |
.ulvalue = OCSP_TRUSTOTHER, |
}, |
}, |
{ |
{ |
|
|
.argname = "file", |
.argname = "file", |
.desc = "Additional certificates to search for signer", |
.desc = "Additional certificates to search for signer", |
.type = OPTION_ARG, |
.type = OPTION_ARG, |
.opt.arg = &ocsp_config.verify_certfile, |
.opt.arg = &cfg.verify_certfile, |
}, |
}, |
{ |
{ |
.name = NULL, |
.name = NULL, |
|
|
exit(1); |
exit(1); |
} |
} |
|
|
memset(&ocsp_config, 0, sizeof(ocsp_config)); |
memset(&cfg, 0, sizeof(cfg)); |
ocsp_config.accept_count = -1; |
cfg.accept_count = -1; |
ocsp_config.add_nonce = 1; |
cfg.add_nonce = 1; |
if ((ocsp_config.ids = sk_OCSP_CERTID_new_null()) == NULL) |
if ((cfg.ids = sk_OCSP_CERTID_new_null()) == NULL) |
goto end; |
goto end; |
ocsp_config.maxage = -1; |
cfg.maxage = -1; |
ocsp_config.ndays = -1; |
cfg.ndays = -1; |
ocsp_config.nsec = MAX_VALIDITY_PERIOD; |
cfg.nsec = MAX_VALIDITY_PERIOD; |
ocsp_config.req_timeout = -1; |
cfg.req_timeout = -1; |
if ((ocsp_config.reqnames = sk_OPENSSL_STRING_new_null()) == NULL) |
if ((cfg.reqnames = sk_OPENSSL_STRING_new_null()) == NULL) |
goto end; |
goto end; |
ocsp_config.use_ssl = -1; |
cfg.use_ssl = -1; |
|
|
if (options_parse(argc, argv, ocsp_options, NULL, NULL) != 0) { |
if (options_parse(argc, argv, ocsp_options, NULL, NULL) != 0) { |
if (ocsp_config.no_usage) |
if (cfg.no_usage) |
goto end; |
goto end; |
else |
else |
badarg = 1; |
badarg = 1; |
} |
} |
|
|
/* Have we anything to do? */ |
/* Have we anything to do? */ |
if (!ocsp_config.req && !ocsp_config.reqin && !ocsp_config.respin && |
if (!cfg.req && !cfg.reqin && !cfg.respin && |
!(ocsp_config.port && ocsp_config.ridx_filename)) |
!(cfg.port && cfg.ridx_filename)) |
badarg = 1; |
badarg = 1; |
|
|
if (badarg) { |
if (badarg) { |
ocsp_usage(); |
ocsp_usage(); |
goto end; |
goto end; |
} |
} |
if (ocsp_config.outfile) |
if (cfg.outfile) |
out = BIO_new_file(ocsp_config.outfile, "w"); |
out = BIO_new_file(cfg.outfile, "w"); |
else |
else |
out = BIO_new_fp(stdout, BIO_NOCLOSE); |
out = BIO_new_fp(stdout, BIO_NOCLOSE); |
|
|
|
|
BIO_printf(bio_err, "Error opening output file\n"); |
BIO_printf(bio_err, "Error opening output file\n"); |
goto end; |
goto end; |
} |
} |
if (!ocsp_config.req && (ocsp_config.add_nonce != 2)) |
if (!cfg.req && (cfg.add_nonce != 2)) |
ocsp_config.add_nonce = 0; |
cfg.add_nonce = 0; |
|
|
if (!ocsp_config.req && ocsp_config.reqin) { |
if (!cfg.req && cfg.reqin) { |
derbio = BIO_new_file(ocsp_config.reqin, "rb"); |
derbio = BIO_new_file(cfg.reqin, "rb"); |
if (!derbio) { |
if (!derbio) { |
BIO_printf(bio_err, |
BIO_printf(bio_err, |
"Error Opening OCSP request file\n"); |
"Error Opening OCSP request file\n"); |
goto end; |
goto end; |
} |
} |
ocsp_config.req = d2i_OCSP_REQUEST_bio(derbio, NULL); |
cfg.req = d2i_OCSP_REQUEST_bio(derbio, NULL); |
BIO_free(derbio); |
BIO_free(derbio); |
if (!ocsp_config.req) { |
if (!cfg.req) { |
BIO_printf(bio_err, "Error reading OCSP request\n"); |
BIO_printf(bio_err, "Error reading OCSP request\n"); |
goto end; |
goto end; |
} |
} |
} |
} |
if (!ocsp_config.req && ocsp_config.port) { |
if (!cfg.req && cfg.port) { |
acbio = init_responder(ocsp_config.port); |
acbio = init_responder(cfg.port); |
if (!acbio) |
if (!acbio) |
goto end; |
goto end; |
} |
} |
if (ocsp_config.rsignfile && !rdb) { |
if (cfg.rsignfile && !rdb) { |
if (!ocsp_config.rkeyfile) |
if (!cfg.rkeyfile) |
ocsp_config.rkeyfile = ocsp_config.rsignfile; |
cfg.rkeyfile = cfg.rsignfile; |
rsigner = load_cert(bio_err, ocsp_config.rsignfile, FORMAT_PEM, |
rsigner = load_cert(bio_err, cfg.rsignfile, FORMAT_PEM, |
NULL, "responder certificate"); |
NULL, "responder certificate"); |
if (!rsigner) { |
if (!rsigner) { |
BIO_printf(bio_err, |
BIO_printf(bio_err, |
"Error loading responder certificate\n"); |
"Error loading responder certificate\n"); |
goto end; |
goto end; |
} |
} |
rca_cert = load_cert(bio_err, ocsp_config.rca_filename, |
rca_cert = load_cert(bio_err, cfg.rca_filename, |
FORMAT_PEM, NULL, "CA certificate"); |
FORMAT_PEM, NULL, "CA certificate"); |
if (ocsp_config.rcertfile) { |
if (cfg.rcertfile) { |
rother = load_certs(bio_err, ocsp_config.rcertfile, |
rother = load_certs(bio_err, cfg.rcertfile, |
FORMAT_PEM, NULL, "responder other certificates"); |
FORMAT_PEM, NULL, "responder other certificates"); |
if (!rother) |
if (!rother) |
goto end; |
goto end; |
} |
} |
rkey = load_key(bio_err, ocsp_config.rkeyfile, FORMAT_PEM, 0, |
rkey = load_key(bio_err, cfg.rkeyfile, FORMAT_PEM, 0, |
NULL, "responder private key"); |
NULL, "responder private key"); |
if (!rkey) |
if (!rkey) |
goto end; |
goto end; |
|
|
redo_accept: |
redo_accept: |
|
|
if (acbio) { |
if (acbio) { |
if (!do_responder(&ocsp_config.req, &cbio, acbio, |
if (!do_responder(&cfg.req, &cbio, acbio, |
ocsp_config.port)) |
cfg.port)) |
goto end; |
goto end; |
if (!ocsp_config.req) { |
if (!cfg.req) { |
resp = OCSP_response_create( |
resp = OCSP_response_create( |
OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, NULL); |
OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, NULL); |
send_ocsp_response(cbio, resp); |
send_ocsp_response(cbio, resp); |
goto done_resp; |
goto done_resp; |
} |
} |
} |
} |
if (!ocsp_config.req && |
if (!cfg.req && |
(ocsp_config.signfile || ocsp_config.reqout || ocsp_config.host || |
(cfg.signfile || cfg.reqout || cfg.host || |
ocsp_config.add_nonce || ocsp_config.ridx_filename)) { |
cfg.add_nonce || cfg.ridx_filename)) { |
BIO_printf(bio_err, |
BIO_printf(bio_err, |
"Need an OCSP request for this operation!\n"); |
"Need an OCSP request for this operation!\n"); |
goto end; |
goto end; |
} |
} |
if (ocsp_config.req && ocsp_config.add_nonce) |
if (cfg.req && cfg.add_nonce) |
OCSP_request_add1_nonce(ocsp_config.req, NULL, -1); |
OCSP_request_add1_nonce(cfg.req, NULL, -1); |
|
|
if (ocsp_config.signfile) { |
if (cfg.signfile) { |
if (!ocsp_config.keyfile) |
if (!cfg.keyfile) |
ocsp_config.keyfile = ocsp_config.signfile; |
cfg.keyfile = cfg.signfile; |
signer = load_cert(bio_err, ocsp_config.signfile, FORMAT_PEM, |
signer = load_cert(bio_err, cfg.signfile, FORMAT_PEM, |
NULL, "signer certificate"); |
NULL, "signer certificate"); |
if (!signer) { |
if (!signer) { |
BIO_printf(bio_err, |
BIO_printf(bio_err, |
"Error loading signer certificate\n"); |
"Error loading signer certificate\n"); |
goto end; |
goto end; |
} |
} |
if (ocsp_config.sign_certfile) { |
if (cfg.sign_certfile) { |
sign_other = load_certs(bio_err, |
sign_other = load_certs(bio_err, |
ocsp_config.sign_certfile, FORMAT_PEM, NULL, |
cfg.sign_certfile, FORMAT_PEM, NULL, |
"signer certificates"); |
"signer certificates"); |
if (!sign_other) |
if (!sign_other) |
goto end; |
goto end; |
} |
} |
key = load_key(bio_err, ocsp_config.keyfile, FORMAT_PEM, 0, |
key = load_key(bio_err, cfg.keyfile, FORMAT_PEM, 0, |
NULL, "signer private key"); |
NULL, "signer private key"); |
if (!key) |
if (!key) |
goto end; |
goto end; |
|
|
if (!OCSP_request_sign(ocsp_config.req, signer, key, NULL, |
if (!OCSP_request_sign(cfg.req, signer, key, NULL, |
sign_other, ocsp_config.sign_flags)) { |
sign_other, cfg.sign_flags)) { |
BIO_printf(bio_err, "Error signing OCSP request\n"); |
BIO_printf(bio_err, "Error signing OCSP request\n"); |
goto end; |
goto end; |
} |
} |
} |
} |
if (ocsp_config.req_text && ocsp_config.req) |
if (cfg.req_text && cfg.req) |
OCSP_REQUEST_print(out, ocsp_config.req, 0); |
OCSP_REQUEST_print(out, cfg.req, 0); |
|
|
if (ocsp_config.reqout) { |
if (cfg.reqout) { |
derbio = BIO_new_file(ocsp_config.reqout, "wb"); |
derbio = BIO_new_file(cfg.reqout, "wb"); |
if (!derbio) { |
if (!derbio) { |
BIO_printf(bio_err, "Error opening file %s\n", |
BIO_printf(bio_err, "Error opening file %s\n", |
ocsp_config.reqout); |
cfg.reqout); |
goto end; |
goto end; |
} |
} |
i2d_OCSP_REQUEST_bio(derbio, ocsp_config.req); |
i2d_OCSP_REQUEST_bio(derbio, cfg.req); |
BIO_free(derbio); |
BIO_free(derbio); |
} |
} |
if (ocsp_config.ridx_filename && (!rkey || !rsigner || !rca_cert)) { |
if (cfg.ridx_filename && (!rkey || !rsigner || !rca_cert)) { |
BIO_printf(bio_err, |
BIO_printf(bio_err, |
"Need a responder certificate, key and CA for this operation!\n"); |
"Need a responder certificate, key and CA for this operation!\n"); |
goto end; |
goto end; |
} |
} |
if (ocsp_config.ridx_filename && !rdb) { |
if (cfg.ridx_filename && !rdb) { |
rdb = load_index(ocsp_config.ridx_filename, NULL); |
rdb = load_index(cfg.ridx_filename, NULL); |
if (!rdb) |
if (!rdb) |
goto end; |
goto end; |
if (!index_index(rdb)) |
if (!index_index(rdb)) |
goto end; |
goto end; |
} |
} |
if (rdb) { |
if (rdb) { |
i = make_ocsp_response(&resp, ocsp_config.req, rdb, rca_cert, |
i = make_ocsp_response(&resp, cfg.req, rdb, rca_cert, |
rsigner, rkey, rother, ocsp_config.rflags, |
rsigner, rkey, rother, cfg.rflags, |
ocsp_config.nmin, ocsp_config.ndays); |
cfg.nmin, cfg.ndays); |
if (cbio) |
if (cbio) |
send_ocsp_response(cbio, resp); |
send_ocsp_response(cbio, resp); |
} else if (ocsp_config.host) { |
} else if (cfg.host) { |
resp = process_responder(bio_err, ocsp_config.req, |
resp = process_responder(bio_err, cfg.req, |
ocsp_config.host, |
cfg.host, |
ocsp_config.path ? ocsp_config.path : "/", |
cfg.path ? cfg.path : "/", |
ocsp_config.port, ocsp_config.use_ssl, ocsp_config.headers, |
cfg.port, cfg.use_ssl, cfg.headers, |
ocsp_config.req_timeout); |
cfg.req_timeout); |
if (!resp) |
if (!resp) |
goto end; |
goto end; |
} else if (ocsp_config.respin) { |
} else if (cfg.respin) { |
derbio = BIO_new_file(ocsp_config.respin, "rb"); |
derbio = BIO_new_file(cfg.respin, "rb"); |
if (!derbio) { |
if (!derbio) { |
BIO_printf(bio_err, |
BIO_printf(bio_err, |
"Error Opening OCSP response file\n"); |
"Error Opening OCSP response file\n"); |
|
|
|
|
done_resp: |
done_resp: |
|
|
if (ocsp_config.respout) { |
if (cfg.respout) { |
derbio = BIO_new_file(ocsp_config.respout, "wb"); |
derbio = BIO_new_file(cfg.respout, "wb"); |
if (!derbio) { |
if (!derbio) { |
BIO_printf(bio_err, "Error opening file %s\n", |
BIO_printf(bio_err, "Error opening file %s\n", |
ocsp_config.respout); |
cfg.respout); |
goto end; |
goto end; |
} |
} |
i2d_OCSP_RESPONSE_bio(derbio, resp); |
i2d_OCSP_RESPONSE_bio(derbio, resp); |
|
|
if (i != OCSP_RESPONSE_STATUS_SUCCESSFUL) { |
if (i != OCSP_RESPONSE_STATUS_SUCCESSFUL) { |
BIO_printf(bio_err, "Responder Error: %s (%d)\n", |
BIO_printf(bio_err, "Responder Error: %s (%d)\n", |
OCSP_response_status_str(i), i); |
OCSP_response_status_str(i), i); |
if (ocsp_config.ignore_err) |
if (cfg.ignore_err) |
goto redo_accept; |
goto redo_accept; |
ret = 1; |
ret = 1; |
goto end; |
goto end; |
} |
} |
if (ocsp_config.resp_text) |
if (cfg.resp_text) |
OCSP_RESPONSE_print(out, resp, 0); |
OCSP_RESPONSE_print(out, resp, 0); |
|
|
/* If running as responder don't verify our own response */ |
/* If running as responder don't verify our own response */ |
if (cbio) { |
if (cbio) { |
if (ocsp_config.accept_count > 0) |
if (cfg.accept_count > 0) |
ocsp_config.accept_count--; |
cfg.accept_count--; |
/* Redo if more connections needed */ |
/* Redo if more connections needed */ |
if (ocsp_config.accept_count) { |
if (cfg.accept_count) { |
BIO_free_all(cbio); |
BIO_free_all(cbio); |
cbio = NULL; |
cbio = NULL; |
OCSP_REQUEST_free(ocsp_config.req); |
OCSP_REQUEST_free(cfg.req); |
ocsp_config.req = NULL; |
cfg.req = NULL; |
OCSP_RESPONSE_free(resp); |
OCSP_RESPONSE_free(resp); |
resp = NULL; |
resp = NULL; |
goto redo_accept; |
goto redo_accept; |
|
|
goto end; |
goto end; |
} |
} |
if (!store) |
if (!store) |
store = setup_verify(bio_err, ocsp_config.CAfile, |
store = setup_verify(bio_err, cfg.CAfile, |
ocsp_config.CApath); |
cfg.CApath); |
if (!store) |
if (!store) |
goto end; |
goto end; |
if (ocsp_config.verify_certfile) { |
if (cfg.verify_certfile) { |
verify_other = load_certs(bio_err, ocsp_config.verify_certfile, |
verify_other = load_certs(bio_err, cfg.verify_certfile, |
FORMAT_PEM, NULL, "validator certificate"); |
FORMAT_PEM, NULL, "validator certificate"); |
if (!verify_other) |
if (!verify_other) |
goto end; |
goto end; |
|
|
BIO_printf(bio_err, "Error parsing response\n"); |
BIO_printf(bio_err, "Error parsing response\n"); |
goto end; |
goto end; |
} |
} |
if (!ocsp_config.noverify) { |
if (!cfg.noverify) { |
if (ocsp_config.req && |
if (cfg.req && |
((i = OCSP_check_nonce(ocsp_config.req, bs)) <= 0)) { |
((i = OCSP_check_nonce(cfg.req, bs)) <= 0)) { |
if (i == -1) { |
if (i == -1) { |
BIO_printf(bio_err, |
BIO_printf(bio_err, |
"WARNING: no nonce in response\n"); |
"WARNING: no nonce in response\n"); |
|
|
} |
} |
} |
} |
i = OCSP_basic_verify(bs, verify_other, store, |
i = OCSP_basic_verify(bs, verify_other, store, |
ocsp_config.verify_flags); |
cfg.verify_flags); |
if (i < 0) |
if (i < 0) |
i = OCSP_basic_verify(bs, NULL, store, 0); |
i = OCSP_basic_verify(bs, NULL, store, 0); |
|
|
|
|
BIO_printf(bio_err, "Response verify OK\n"); |
BIO_printf(bio_err, "Response verify OK\n"); |
} |
} |
} |
} |
if (!print_ocsp_summary(out, bs, ocsp_config.req, ocsp_config.reqnames, |
if (!print_ocsp_summary(out, bs, cfg.req, cfg.reqnames, |
ocsp_config.ids, ocsp_config.nsec, ocsp_config.maxage)) |
cfg.ids, cfg.nsec, cfg.maxage)) |
goto end; |
goto end; |
|
|
ret = 0; |
ret = 0; |
|
|
X509_STORE_free(store); |
X509_STORE_free(store); |
EVP_PKEY_free(key); |
EVP_PKEY_free(key); |
EVP_PKEY_free(rkey); |
EVP_PKEY_free(rkey); |
X509_free(ocsp_config.issuer); |
X509_free(cfg.issuer); |
X509_free(ocsp_config.cert); |
X509_free(cfg.cert); |
X509_free(rsigner); |
X509_free(rsigner); |
X509_free(rca_cert); |
X509_free(rca_cert); |
free_index(rdb); |
free_index(rdb); |
BIO_free_all(cbio); |
BIO_free_all(cbio); |
BIO_free_all(acbio); |
BIO_free_all(acbio); |
BIO_free(out); |
BIO_free(out); |
OCSP_REQUEST_free(ocsp_config.req); |
OCSP_REQUEST_free(cfg.req); |
OCSP_RESPONSE_free(resp); |
OCSP_RESPONSE_free(resp); |
OCSP_BASICRESP_free(bs); |
OCSP_BASICRESP_free(bs); |
sk_OPENSSL_STRING_free(ocsp_config.reqnames); |
sk_OPENSSL_STRING_free(cfg.reqnames); |
sk_OCSP_CERTID_free(ocsp_config.ids); |
sk_OCSP_CERTID_free(cfg.ids); |
sk_X509_pop_free(sign_other, X509_free); |
sk_X509_pop_free(sign_other, X509_free); |
sk_X509_pop_free(verify_other, X509_free); |
sk_X509_pop_free(verify_other, X509_free); |
sk_CONF_VALUE_pop_free(ocsp_config.headers, X509V3_conf_free); |
sk_CONF_VALUE_pop_free(cfg.headers, X509V3_conf_free); |
|
|
if (ocsp_config.use_ssl != -1) { |
if (cfg.use_ssl != -1) { |
free(ocsp_config.host); |
free(cfg.host); |
free(ocsp_config.port); |
free(cfg.port); |
free(ocsp_config.path); |
free(cfg.path); |
} |
} |
return (ret); |
return (ret); |
} |
} |
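Review bot: The cleanup at the end of the function can pass an argv pointer to `free()`: it frees `cfg.path` whenever `cfg.use_ssl != -1`, but the `path` entry in the options table is a plain `OPTION_ARG` that stores the command-line pointer directly into `cfg.path`. `ocsp_opt_host` and `ocsp_opt_port` refuse to run once `use_ssl` has been set, and `path` has no such guard. From the visible lines, a `-path` given after a successfully parsed `-url` would overwrite the path filled in by `OCSP_parse_url`, leaking it, and the non-heap pointer would then be freed. The rename leaves this as it was; one option is a small `ocsp_opt_path` handler wired in as `OPTION_ARG_FUNC` that mirrors the host/port guard: `if (cfg.use_ssl != -1) return (1); cfg.path = arg; return (0);`. The rest of `ocsp_opt_url` and parts of the options table are outside the displayed hunks, so confirm this against the full file.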