diff options
author | Dr. Stephen Henson <steve@openssl.org> | 2001-02-24 13:50:06 +0000 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2001-02-24 13:50:06 +0000 |
commit | f196522159a514915e6d749a71febd08e7a09b71 (patch) | |
tree | b493a977d2737a5e5b7972174826b6b7ec867426 /apps | |
parent | 4ff18c8c3efa9416aabb50fa6e9026c2197c961b (diff) |
New function and options to check OCSP response validity.
Diffstat (limited to 'apps')
-rw-r--r-- | apps/ocsp.c | 55 |
1 files changed, 52 insertions, 3 deletions
diff --git a/apps/ocsp.c b/apps/ocsp.c index 723e0dc9ab..ba456fc58f 100644 --- a/apps/ocsp.c +++ b/apps/ocsp.c @@ -64,12 +64,16 @@ #include <openssl/ssl.h> #include "apps.h" +/* Maximum leeway in validity period: default 5 minutes */ +#define MAX_VALIDITY_PERIOD (5 * 60) + static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, X509 *issuer, STACK_OF(OCSP_CERTID) *ids); static int add_ocsp_serial(OCSP_REQUEST **req, char *serial, X509 *issuer, STACK_OF(OCSP_CERTID) *ids); static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req, - STACK *names, STACK_OF(OCSP_CERTID) *ids); + STACK *names, STACK_OF(OCSP_CERTID) *ids, + long nsec, long maxage); #undef PROG #define PROG ocsp_main @@ -94,6 +98,7 @@ int MAIN(int argc, char **argv) BIO *cbio = NULL, *derbio = NULL; BIO *out = NULL; int req_text = 0, resp_text = 0; + long nsec = MAX_VALIDITY_PERIOD, maxage = -1; char *CAfile = NULL, *CApath = NULL; X509_STORE *store = NULL; SSL_CTX *ctx = NULL; @@ -247,6 +252,38 @@ int MAIN(int argc, char **argv) } else badarg = 1; } + else if (!strcmp (*args, "-validity_period")) + { + if (args[1]) + { + args++; + nsec = atol(*args); + if (nsec < 0) + { + BIO_printf(bio_err, + "Illegal validity period %s\n", + *args); + badarg = 1; + } + } + else badarg = 1; + } + else if (!strcmp (*args, "-status_age")) + { + if (args[1]) + { + args++; + maxage = atol(*args); + if (maxage < 0) + { + BIO_printf(bio_err, + "Illegal validity age %s\n", + *args); + badarg = 1; + } + } + else badarg = 1; + } else if (!strcmp(*args, "-signkey")) { if (args[1]) @@ -356,6 +393,8 @@ int MAIN(int argc, char **argv) BIO_printf (bio_err, "-CApath dir trusted certificates directory\n"); BIO_printf (bio_err, "-CAfile file trusted certificates file\n"); BIO_printf (bio_err, "-VAfile file validator certificates file\n"); + BIO_printf (bio_err, "-validity_period n maximum validity discrepancy in seconds\n"); + BIO_printf (bio_err, "-status_age n maximum status age in seconds\n"); BIO_printf (bio_err, "-noverify don't verify response at all\n"); BIO_printf (bio_err, "-verify_certs file additional certificates to search for signer\n"); BIO_printf (bio_err, "-trust_other don't verify additional certificates\n"); @@ -564,7 +603,7 @@ int MAIN(int argc, char **argv) } - if (!print_ocsp_summary(out, bs, req, reqnames, ids)) + if (!print_ocsp_summary(out, bs, req, reqnames, ids, nsec, maxage)) goto end; ret = 0; @@ -652,7 +691,8 @@ static int add_ocsp_serial(OCSP_REQUEST **req, char *serial, X509 *issuer, } static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req, - STACK *names, STACK_OF(OCSP_CERTID) *ids) + STACK *names, STACK_OF(OCSP_CERTID) *ids, + long nsec, long maxage) { OCSP_CERTID *id; char *name; @@ -677,6 +717,15 @@ static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req, BIO_puts(out, "ERROR: No Status found.\n"); continue; } + + /* Check validity: if invalid write to output BIO so we + * know which response this refers to. + */ + if (!OCSP_check_validity(thisupd, nextupd, nsec, maxage)) + { + BIO_puts(out, "WARNING: Status times invalid.\n"); + ERR_print_errors(out); + } BIO_printf(out, "%s\n", OCSP_cert_status_str(status)); BIO_puts(out, "\tThis Update: "); |