authorDr. Stephen Henson <steve@openssl.org>2001-01-17 01:31:34 +0000
committerDr. Stephen Henson <steve@openssl.org>2001-01-17 01:31:34 +0000
commit81f169e95c86fe9b2c3a7ba51a85f7a00763a0e7 (patch)
tree9c61e9161ee5332e99d091153a4cd242160b9180 /apps
parenta068630a2038ff167d29cdaed828161719355531 (diff)
Initial OCSP certificate verify. Not complete,
it just supports a "trusted OCSP global root CA".
Diffstat (limited to 'apps')
-rw-r--r--apps/apps.c29
-rw-r--r--apps/apps.h1
-rw-r--r--apps/ocsp.c37
-rw-r--r--apps/smime.c33
4 files changed, 68 insertions, 32 deletions
diff --git a/apps/apps.c b/apps/apps.c
index ca3f557ca2..bdd8c71426 100644
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -837,3 +837,32 @@ void print_name(BIO *out, char *title, X509_NAME *nm, unsigned long lflags)
}
}
+X509_STORE *setup_verify(BIO *bp, char *CAfile, char *CApath)
+{
+ X509_STORE *store;
+ X509_LOOKUP *lookup;
+ if(!(store = X509_STORE_new())) goto end;
+ lookup=X509_STORE_add_lookup(store,X509_LOOKUP_file());
+ if (lookup == NULL) goto end;
+ if (CAfile) {
+ if(!X509_LOOKUP_load_file(lookup,CAfile,X509_FILETYPE_PEM)) {
+ BIO_printf(bp, "Error loading file %s\n", CAfile);
+ goto end;
+ }
+ } else X509_LOOKUP_load_file(lookup,NULL,X509_FILETYPE_DEFAULT);
+
+ lookup=X509_STORE_add_lookup(store,X509_LOOKUP_hash_dir());
+ if (lookup == NULL) goto end;
+ if (CApath) {
+ if(!X509_LOOKUP_add_dir(lookup,CApath,X509_FILETYPE_PEM)) {
+ BIO_printf(bp, "Error loading directory %s\n", CApath);
+ goto end;
+ }
+ } else X509_LOOKUP_add_dir(lookup,NULL,X509_FILETYPE_DEFAULT);
+
+ ERR_clear_error();
+ return store;
+ end:
+ X509_STORE_free(store);
+ return NULL;
+}
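Review bot: The two default-trust branches (the `else` after each explicit-path check) discard the return values of `X509_LOOKUP_load_file(lookup,NULL,X509_FILETYPE_DEFAULT)` and `X509_LOOKUP_add_dir(lookup,NULL,X509_FILETYPE_DEFAULT)`, and the `ERR_clear_error()` before `return store` wipes anything they queued, so a caller that passes neither CAfile nor CApath can receive a store with no trust anchors and only learn of it later as an opaque verify failure. Either check those two calls the same way as the explicit-path ones, or record the contract on the function, e.g. `/* Default CA locations are loaded best-effort; a failure there is silent. */`. The early exits on `X509_STORE_new()` and the first `X509_STORE_add_lookup()` also fail without writing anything to `bp`, unlike the file and directory errors; a `BIO_printf(bp, "Error initialising verify store\n");` before those `goto end` would make them diagnosable. Since `store` is still NULL on the first of those paths, the `X509_STORE_free(store)` at `end:` relies on the free accepting NULL, which is worth confirming for this version.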
diff --git a/apps/apps.h b/apps/apps.h
index 11133cb1d2..2da89e2112 100644
--- a/apps/apps.h
+++ b/apps/apps.h
@@ -158,6 +158,7 @@ X509 *load_cert(BIO *err, char *file, int format);
EVP_PKEY *load_key(BIO *err, char *file, int format, char *pass, ENGINE *e);
EVP_PKEY *load_pubkey(BIO *err, char *file, int format, ENGINE *e);
STACK_OF(X509) *load_certs(BIO *err, char *file, int format);
+X509_STORE *setup_verify(BIO *bp, char *CAfile, char *CApath);
#define FORMAT_UNDEF 0
#define FORMAT_ASN1 1
diff --git a/apps/ocsp.c b/apps/ocsp.c
index cfd4f18d2e..3125583ace 100644
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -82,14 +82,18 @@ int MAIN(int argc, char **argv)
int add_nonce = 1;
OCSP_REQUEST *req = NULL;
OCSP_RESPONSE *resp = NULL;
+ OCSP_BASICRESP *bs = NULL;
X509 *issuer = NULL, *cert = NULL;
X509 *signer = NULL;
EVP_PKEY *key = NULL;
BIO *cbio = NULL, *derbio = NULL;
BIO *out = NULL;
int req_text = 0, resp_text = 0;
+ char *CAfile = NULL, *CApath = NULL;
+ X509_STORE *store = NULL;
int ret = 1;
int badarg = 0;
+ int i;
if (bio_err == NULL) bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
ERR_load_crypto_strings();
args = argv + 1;
@@ -153,6 +157,24 @@ int MAIN(int argc, char **argv)
}
else badarg = 1;
}
+ else if (!strcmp (*args, "-CAfile"))
+ {
+ if (args[1])
+ {
+ args++;
+ CAfile = *args;
+ }
+ else badarg = 1;
+ }
+ else if (!strcmp (*args, "-CApath"))
+ {
+ if (args[1])
+ {
+ args++;
+ CApath = *args;
+ }
+ else badarg = 1;
+ }
else if (!strcmp(*args, "-signkey"))
{
if (args[1])
@@ -386,11 +408,25 @@ int MAIN(int argc, char **argv)
if (resp_text) OCSP_RESPONSE_print(out, resp, 0);
+ store = setup_verify(bio_err, CAfile, CApath);
+ if(!store) goto end;
+
+ bs = OCSP_response_get1_basic(resp);
+
+ i = OCSP_basic_verify(bs, NULL, store, 0);
+
+ if(i <= 0)
+ {
+ BIO_printf(bio_err, "Response verify error (%d)\n", i);
+ ERR_print_errors(bio_err);
+ }
+
ret = 0;
end:
ERR_print_errors(bio_err);
X509_free(signer);
+ X509_STORE_free(store);
EVP_PKEY_free(key);
X509_free(issuer);
X509_free(cert);
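Review bot: `bs = OCSP_response_get1_basic(resp)` is passed straight to `OCSP_basic_verify` with no NULL check, so a response whose status is not successful, or which does not carry a basic response, reaches the verify call with a NULL `bs`. More importantly a verify failure only prints a message: control falls through to `ret = 0`, so the program exits 0 after reporting "Response verify error", and anything scripting around the exit status will treat an unverified response as verified. Suggest `if (!bs) { BIO_printf(bio_err, "Error parsing response\n"); goto end; }` after the `get1` call, and `goto end;` inside the `if(i <= 0)` block so `ret` stays 1 on failure. The enclosing MAIN begins outside this hunk, and the `OCSP_BASICRESP_free(bs)` added in the next hunk already covers the cleanup for the early exit.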
@@ -398,6 +434,7 @@ end:
BIO_free(out);
OCSP_REQUEST_free(req);
OCSP_RESPONSE_free(resp);
+ OCSP_BASICRESP_free(bs);
EXIT(ret);
}
diff --git a/apps/smime.c b/apps/smime.c
index 0a16bbc4dd..e0d31b20be 100644
--- a/apps/smime.c
+++ b/apps/smime.c
@@ -68,7 +68,6 @@
#undef PROG
#define PROG smime_main
-static X509_STORE *setup_verify(char *CAfile, char *CApath);
static int save_certs(char *signerfile, STACK_OF(X509) *signers);
#define SMIME_OP 0x10
@@ -431,7 +430,7 @@ int MAIN(int argc, char **argv)
}
if(operation == SMIME_VERIFY) {
- if(!(store = setup_verify(CAfile, CApath))) goto end;
+ if(!(store = setup_verify(bio_err, CAfile, CApath))) goto end;
}
ret = 3;
@@ -530,36 +529,6 @@ end:
return (ret);
}
-static X509_STORE *setup_verify(char *CAfile, char *CApath)
-{
- X509_STORE *store;
- X509_LOOKUP *lookup;
- if(!(store = X509_STORE_new())) goto end;
- lookup=X509_STORE_add_lookup(store,X509_LOOKUP_file());
- if (lookup == NULL) goto end;
- if (CAfile) {
- if(!X509_LOOKUP_load_file(lookup,CAfile,X509_FILETYPE_PEM)) {
- BIO_printf(bio_err, "Error loading file %s\n", CAfile);
- goto end;
- }
- } else X509_LOOKUP_load_file(lookup,NULL,X509_FILETYPE_DEFAULT);
-
- lookup=X509_STORE_add_lookup(store,X509_LOOKUP_hash_dir());
- if (lookup == NULL) goto end;
- if (CApath) {
- if(!X509_LOOKUP_add_dir(lookup,CApath,X509_FILETYPE_PEM)) {
- BIO_printf(bio_err, "Error loading directory %s\n", CApath);
- goto end;
- }
- } else X509_LOOKUP_add_dir(lookup,NULL,X509_FILETYPE_DEFAULT);
-
- ERR_clear_error();
- return store;
- end:
- X509_STORE_free(store);
- return NULL;
-}
-
static int save_certs(char *signerfile, STACK_OF(X509) *signers)
{
int i;