authorDavid Cooper <david.cooper@nist.gov>2017-12-12 16:01:22 -0500
committerMatt Caswell <matt@openssl.org>2018-01-24 18:30:31 +0000
commit89623f84299a66761ba4c69f01dbd86fc584d0a3 (patch)
treee310c37aace5ab28240e1893e67f62e226fa7021
parentb4dd21a7b8b850a39b0f610fceca21557853c943 (diff)
Make editorial changes suggested by Rich Salz and add the -rsigopt option to the man page for the ocsp command.
Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4190)
-rw-r--r--apps/ocsp.c7
-rw-r--r--crypto/ocsp/ocsp_srv.c5
-rw-r--r--doc/man1/ocsp.pod6
3 files changed, 12 insertions, 6 deletions
diff --git a/apps/ocsp.c b/apps/ocsp.c
index 379e111ac4..b9bad81f24 100644
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -719,8 +719,7 @@ redo_accept:
X509_free(signer);
X509_STORE_free(store);
X509_VERIFY_PARAM_free(vpm);
- if (rsign_sigopts != NULL)
- sk_OPENSSL_STRING_free(rsign_sigopts);
+ sk_OPENSSL_STRING_free(rsign_sigopts);
EVP_PKEY_free(key);
EVP_PKEY_free(rkey);
X509_free(cert);
@@ -971,6 +970,7 @@ static void make_ocsp_response(BIO *err, OCSP_RESPONSE **resp, OCSP_REQUEST *req
}
for (i = 0; i < sk_OPENSSL_STRING_num(sigopts); i++) {
char *sigopt = sk_OPENSSL_STRING_value(sigopts, i);
+
if (pkey_ctrl_string(pkctx, sigopt) <= 0) {
BIO_printf(err, "parameter error \"%s\"\n", sigopt);
ERR_print_errors(bio_err);
@@ -989,8 +989,7 @@ static void make_ocsp_response(BIO *err, OCSP_RESPONSE **resp, OCSP_REQUEST *req
*resp = OCSP_response_create(OCSP_RESPONSE_STATUS_SUCCESSFUL, bs);
end:
- if (mctx != NULL)
- EVP_MD_CTX_free(mctx);
+ EVP_MD_CTX_free(mctx);
ASN1_TIME_free(thisupd);
ASN1_TIME_free(nextupd);
OCSP_BASICRESP_free(bs);
diff --git a/crypto/ocsp/ocsp_srv.c b/crypto/ocsp/ocsp_srv.c
index d31a3c0c25..b459e695b9 100644
--- a/crypto/ocsp/ocsp_srv.c
+++ b/crypto/ocsp/ocsp_srv.c
@@ -175,8 +175,9 @@ int OCSP_basic_sign_ctx(OCSP_BASICRESP *brsp,
int i;
OCSP_RESPID *rid;
- if (!ctx || !EVP_MD_CTX_pkey_ctx(ctx) || !EVP_PKEY_CTX_get0_pkey(EVP_MD_CTX_pkey_ctx(ctx)) ||
- !X509_check_private_key(signer, EVP_PKEY_CTX_get0_pkey(EVP_MD_CTX_pkey_ctx(ctx)))) {
+ if (ctx == NULL || EVP_MD_CTX_pkey_ctx(ctx) == NULL
+ || EVP_PKEY_CTX_get0_pkey(EVP_MD_CTX_pkey_ctx(ctx)) == NULL
+ || !X509_check_private_key(signer, EVP_PKEY_CTX_get0_pkey(EVP_MD_CTX_pkey_ctx(ctx)))) {
OCSPerr(OCSP_F_OCSP_BASIC_SIGN_CTX,
OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
goto err;
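Review bot: The rewritten condition in OCSP_basic_sign_ctx still reports four distinct failures as OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE, so a NULL `ctx` or a digest context with no key context attached looks like a key/certificate mismatch. That points anyone debugging a responder signing failure in the wrong direction. Consider testing `ctx == NULL || EVP_MD_CTX_pkey_ctx(ctx) == NULL` first with its own reason code, then fetching the key once with `pkey = EVP_PKEY_CTX_get0_pkey(EVP_MD_CTX_pkey_ctx(ctx));` and checking `pkey == NULL || !X509_check_private_key(signer, pkey)`. This also removes the repeated nested accessor calls. The function's declarations and its `err:` label are outside this hunk, so the new local would have to be declared there.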
diff --git a/doc/man1/ocsp.pod b/doc/man1/ocsp.pod
index 46fff32985..44f1a60aa0 100644
--- a/doc/man1/ocsp.pod
+++ b/doc/man1/ocsp.pod
@@ -81,6 +81,7 @@ B<openssl> B<ocsp>
[B<-rsigner file>]
[B<-rkey file>]
[B<-rother file>]
+[B<-rsigopt nm:v>]
[B<-resp_no_certs>]
[B<-nmin n>]
[B<-ndays n>]
@@ -340,6 +341,11 @@ subject name.
The private key to sign OCSP responses with: if not present the file
specified in the B<rsigner> option is used.
+=item B<-rsigopt nm:v>
+
+Pass options to the signature algorithm when signing OCSP responses.
+Names and values of these options are algorithm-specific.
+
=item B<-port portnum>
Port to listen for OCSP requests on. The port may also be specified