summaryrefslogtreecommitdiffstats
path: root/apps/ocsp.c
diff options
context:
space:
mode:
Diffstat (limited to 'apps/ocsp.c')
-rw-r--r--apps/ocsp.c929
1 files changed, 386 insertions, 543 deletions
diff --git a/apps/ocsp.c b/apps/ocsp.c
index 96f4c67421..840e506a5c 100644
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -1,4 +1,3 @@
-/* ocsp.c */
/*
* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
* 2000.
@@ -95,7 +94,7 @@
# endif
/* Maximum leeway in validity period: default 5 minutes */
-# define MAX_VALIDITY_PERIOD (5 * 60)
+# define MAX_VALIDITY_PERIOD (5 * 60)
static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert,
const EVP_MD *cert_id_md, X509 *issuer,
@@ -103,12 +102,11 @@ static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert,
static int add_ocsp_serial(OCSP_REQUEST **req, char *serial,
const EVP_MD *cert_id_md, X509 *issuer,
STACK_OF(OCSP_CERTID) *ids);
-static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
+static void print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
STACK_OF(OPENSSL_STRING) *names,
STACK_OF(OCSP_CERTID) *ids, long nsec,
long maxage);
-
-static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req,
+static void make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req,
CA_DB *db, X509 *ca, X509 *rcert,
EVP_PKEY *rkey, const EVP_MD *md,
STACK_OF(X509) *rother, unsigned long flags,
@@ -119,498 +117,372 @@ static BIO *init_responder(const char *port);
static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio,
const char *port);
static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp);
-static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, const char *path,
+static OCSP_RESPONSE *query_responder(BIO *cbio, const char *path,
const STACK_OF(CONF_VALUE) *headers,
OCSP_REQUEST *req, int req_timeout);
-# undef PROG
-# define PROG ocsp_main
-
-int MAIN(int, char **);
-
-int MAIN(int argc, char **argv)
+typedef enum OPTION_choice {
+ OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
+ OPT_OUTFILE, OPT_TIMEOUT, OPT_URL, OPT_HOST, OPT_PORT,
+ OPT_IGNORE_ERR, OPT_NOVERIFY, OPT_NONCE, OPT_NO_NONCE,
+ OPT_RESP_NO_CERTS, OPT_RESP_KEY_ID, OPT_NO_CERTS,
+ OPT_NO_SIGNATURE_VERIFY, OPT_NO_CERT_VERIFY, OPT_NO_CHAIN,
+ OPT_NO_CERT_CHECKS, OPT_NO_EXPLICIT, OPT_TRUST_OTHER,
+ OPT_NO_INTERN, OPT_BADSIG, OPT_TEXT, OPT_REQ_TEXT, OPT_RESP_TEXT,
+ OPT_REQIN, OPT_RESPIN, OPT_SIGNER, OPT_VAFILE, OPT_SIGN_OTHER,
+ OPT_VERIFY_OTHER, OPT_CAFILE, OPT_CAPATH,
+ OPT_VALIDITY_PERIOD, OPT_STATUS_AGE, OPT_SIGNKEY, OPT_REQOUT,
+ OPT_RESPOUT, OPT_PATH, OPT_CERT, OPT_SERIAL,
+ OPT_INDEX, OPT_CA, OPT_NMIN, OPT_REQUEST, OPT_NDAYS, OPT_RSIGNER,
+ OPT_RKEY, OPT_ROTHER, OPT_RMD, OPT_HEADER,
+ OPT_V_ENUM,
+ OPT_MD
+} OPTION_CHOICE;
+
+OPTIONS ocsp_options[] = {
+ {"help", OPT_HELP, '-', "Display this summary"},
+ {"out", OPT_OUTFILE, '>', "Output filename"},
+ {"timeout", OPT_TIMEOUT, 'p'},
+ {"url", OPT_URL, 's', "Responder URL"},
+ {"host", OPT_HOST, 's', "host:prot top to connect to"},
+ {"port", OPT_PORT, 'p', "Port to run responder on"},
+ {"ignore_err", OPT_IGNORE_ERR, '-'},
+ {"noverify", OPT_NOVERIFY, '-', "Don't verify response at all"},
+ {"nonce", OPT_NONCE, '-', "Add OCSP nonce to request"},
+ {"no_nonce", OPT_NO_NONCE, '-', "Don't add OCSP nonce to request"},
+ {"resp_no_certs", OPT_RESP_NO_CERTS, '-',
+ "Don't include any certificates in response"},
+ {"resp_key_id", OPT_RESP_KEY_ID, '-',
+ "Identify reponse by signing certificate key ID"},
+ {"no_certs", OPT_NO_CERTS, '-',
+ "Don't include any certificates in signed request"},
+ {"no_signature_verify", OPT_NO_SIGNATURE_VERIFY, '-',
+ "Don't check signature on response"},
+ {"no_cert_verify", OPT_NO_CERT_VERIFY, '-',
+ "Don't check signing certificate"},
+ {"no_chain", OPT_NO_CHAIN, '-', "Don't chain verify response"},
+ {"no_cert_checks", OPT_NO_CERT_CHECKS, '-',
+ "Don't do additional checks on signing certificate"},
+ {"no_explicit", OPT_NO_EXPLICIT, '-'},
+ {"trust_other", OPT_TRUST_OTHER, '-',
+ "Don't verify additional certificates"},
+ {"no_intern", OPT_NO_INTERN, '-',
+ "Don't search certificates contained in response for signer"},
+ {"badsig", OPT_BADSIG, '-'},
+ {"text", OPT_TEXT, '-', "Print text form of request and response"},
+ {"req_text", OPT_REQ_TEXT, '-', "Print text form of request"},
+ {"resp_text", OPT_RESP_TEXT, '-', "Print text form of response"},
+ {"reqin", OPT_REQIN, 's', "File with the DER-encoded request"},
+ {"respin", OPT_RESPIN, 's', "File with the DER-encoded response"},
+ {"signer", OPT_SIGNER, '<', "Certificate to sign OCSP request with"},
+ {"VAfile", OPT_VAFILE, '<', "Validator certificates file"},
+ {"sign_other", OPT_SIGN_OTHER, '<',
+ "Additional certificates to include in signed request"},
+ {"verify_other", OPT_VERIFY_OTHER, '<',
+ "Additional certificates to search for signer"},
+ {"CAfile", OPT_CAFILE, '<', "Trusted certificates file"},
+ {"CApath", OPT_CAPATH, '<', "Trusted certificates directory"},
+ {"validity_period", OPT_VALIDITY_PERIOD, 'u',
+ "Maximum validity discrepancy in seconds"},
+ {"status_age", OPT_STATUS_AGE, 'p', "Maximum status age in seconds"},
+ {"signkey", OPT_SIGNKEY, 's', "Private key to sign OCSP request with"},
+ {"reqout", OPT_REQOUT, 's', "Output file for the DER-encoded request"},
+ {"respout", OPT_RESPOUT, 's', "Output file for the DER-encoded response"},
+ {"path", OPT_PATH, 's', "Path to use in OCSP request"},
+ {"cert", OPT_CERT, '<', "Certificate to check"},
+ {"serial", OPT_SERIAL, 's', "Nerial number to check"},
+ {"index", OPT_INDEX, '<', "Certificate status index file"},
+ {"CA", OPT_CA, '<', "CA certificate"},
+ {"nmin", OPT_NMIN, 'p', "Number of minutes before next update"},
+ {"nrequest", OPT_REQUEST, 'p',
+ "Number of requests to accept (default unlimited)"},
+ {"ndays", OPT_NDAYS, 'p', "Number of days before next update"},
+ {"rsigner", OPT_RSIGNER, '<',
+ "Sesponder certificate to sign responses with"},
+ {"rkey", OPT_RKEY, '<', "Responder key to sign responses with"},
+ {"rother", OPT_ROTHER, '<', "Other certificates to include in response"},
+ {"rmd", OPT_RMD, 's'},
+ {"header", OPT_HEADER, 's', "key=value header to add"},
+ {"", OPT_MD, '-', "Any supported digest"},
+ OPT_V_OPTIONS,
+ {NULL}
+};
+
+int ocsp_main(int argc, char **argv)
{
- ENGINE *e = NULL;
- char **args;
- char *host = NULL, *port = NULL, *path = "/";
- char *thost = NULL, *tport = NULL, *tpath = NULL;
- char *reqin = NULL, *respin = NULL;
- char *reqout = NULL, *respout = NULL;
- char *signfile = NULL, *keyfile = NULL;
- char *rsignfile = NULL, *rkeyfile = NULL;
- char *outfile = NULL;
- int add_nonce = 1, noverify = 0, use_ssl = -1;
- STACK_OF(CONF_VALUE) *headers = NULL;
+ BIO *acbio = NULL, *cbio = NULL, *derbio = NULL, *out = NULL;
+ const EVP_MD *cert_id_md = NULL, *rsign_md = NULL;
+ CA_DB *rdb = NULL;
+ EVP_PKEY *key = NULL, *rkey = NULL;
+ OCSP_BASICRESP *bs = NULL;
OCSP_REQUEST *req = NULL;
OCSP_RESPONSE *resp = NULL;
- OCSP_BASICRESP *bs = NULL;
- X509 *issuer = NULL, *cert = NULL;
+ STACK_OF(CONF_VALUE) *headers = NULL;
+ STACK_OF(OCSP_CERTID) *ids = NULL;
+ STACK_OF(OPENSSL_STRING) *reqnames = NULL;
+ STACK_OF(X509) *sign_other = NULL, *verify_other = NULL, *rother = NULL;
+ X509 *issuer = NULL, *cert = NULL, *rca_cert = NULL;
X509 *signer = NULL, *rsigner = NULL;
- EVP_PKEY *key = NULL, *rkey = NULL;
- BIO *acbio = NULL, *cbio = NULL;
- BIO *derbio = NULL;
- BIO *out = NULL;
- int req_timeout = -1;
- int req_text = 0, resp_text = 0;
- long nsec = MAX_VALIDITY_PERIOD, maxage = -1;
- char *CAfile = NULL, *CApath = NULL;
X509_STORE *store = NULL;
X509_VERIFY_PARAM *vpm = NULL;
- STACK_OF(X509) *sign_other = NULL, *verify_other = NULL, *rother = NULL;
+ char *CAfile = NULL, *CApath = NULL, *header, *value;
+ char *host = NULL, *port = NULL, *path = "/", *outfile = NULL;
+ char *rca_filename = NULL, *reqin = NULL, *respin = NULL;
+ char *reqout = NULL, *respout = NULL, *ridx_filename = NULL;
+ char *rsignfile = NULL, *rkeyfile = NULL;
char *sign_certfile = NULL, *verify_certfile = NULL, *rcertfile = NULL;
+ char *signfile = NULL, *keyfile = NULL;
+ char *thost = NULL, *tport = NULL, *tpath = NULL;
+ int accept_count = -1, add_nonce = 1, noverify = 0, use_ssl = -1;
+ int vpmtouched = 0, badsig = 0, i, ignore_err = 0, nmin = 0, ndays = -1;
+ int req_text = 0, resp_text = 0, req_timeout = -1, ret = 1;
+ long nsec = MAX_VALIDITY_PERIOD, maxage = -1;
unsigned long sign_flags = 0, verify_flags = 0, rflags = 0;
- int ret = 1;
- int accept_count = -1;
- int badarg = 0;
- int badsig = 0;
- int i;
- int ignore_err = 0;
- STACK_OF(OPENSSL_STRING) *reqnames = NULL;
- STACK_OF(OCSP_CERTID) *ids = NULL;
-
- X509 *rca_cert = NULL;
- char *ridx_filename = NULL;
- char *rca_filename = NULL;
- CA_DB *rdb = NULL;
- int nmin = 0, ndays = -1;
- const EVP_MD *cert_id_md = NULL, *rsign_md = NULL;
+ OPTION_CHOICE o;
+ char *prog;
- if (bio_err == NULL)
- bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
-
- if (!load_config(bio_err, NULL))
- goto end;
- SSL_load_error_strings();
- OpenSSL_add_ssl_algorithms();
- args = argv + 1;
reqnames = sk_OPENSSL_STRING_new_null();
+ if (!reqnames)
+ goto end;
ids = sk_OCSP_CERTID_new_null();
- while (!badarg && *args && *args[0] == '-') {
- if (!strcmp(*args, "-out")) {
- if (args[1]) {
- args++;
- outfile = *args;
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-timeout")) {
- if (args[1]) {
- args++;
- req_timeout = atol(*args);
- if (req_timeout < 0) {
- BIO_printf(bio_err, "Illegal timeout value %s\n", *args);
- badarg = 1;
- }
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-url")) {
+ if (!ids)
+ goto end;
+ if ((vpm = X509_VERIFY_PARAM_new()) == NULL)
+ return 1;
+
+ prog = opt_init(argc, argv, ocsp_options);
+ while ((o = opt_next()) != OPT_EOF) {
+ switch (o) {
+ case OPT_EOF:
+ case OPT_ERR:
+ opthelp:
+ BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
+ goto end;
+ case OPT_HELP:
+ ret = 0;
+ opt_help(ocsp_options);
+ goto end;
+ case OPT_OUTFILE:
+ outfile = opt_arg();
+ break;
+ case OPT_TIMEOUT:
+ req_timeout = atoi(opt_arg());
+ break;
+ case OPT_URL:
if (thost)
OPENSSL_free(thost);
if (tport)
OPENSSL_free(tport);
if (tpath)
OPENSSL_free(tpath);
- if (args[1]) {
- args++;
- if (!OCSP_parse_url(*args, &host, &port, &path, &use_ssl)) {
- BIO_printf(bio_err, "Error parsing URL\n");
- badarg = 1;
- }
- thost = host;
- tport = port;
- tpath = path;
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-host")) {
- if (args[1]) {
- args++;
- host = *args;
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-port")) {
- if (args[1]) {
- args++;
- port = *args;
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-header")) {
- if (args[1] && args[2]) {
- if (!X509V3_add_value(args[1], args[2], &headers))
- goto end;
- args += 2;
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-ignore_err"))
+ if (!OCSP_parse_url(opt_arg(), &host, &port, &path, &use_ssl)) {
+ BIO_printf(bio_err, "%s Error parsing URL\n", prog);
+ goto end;
+ }
+ thost = host;
+ tport = port;
+ tpath = path;
+ break;
+ case OPT_HOST:
+ host = opt_arg();
+ break;
+ case OPT_PORT:
+ port = opt_arg();
+ break;
+ case OPT_IGNORE_ERR:
ignore_err = 1;
- else if (!strcmp(*args, "-noverify"))
+ break;
+ case OPT_NOVERIFY:
noverify = 1;
- else if (!strcmp(*args, "-nonce"))
+ break;
+ case OPT_NONCE:
add_nonce = 2;
- else if (!strcmp(*args, "-no_nonce"))
+ break;
+ case OPT_NO_NONCE:
add_nonce = 0;
- else if (!strcmp(*args, "-resp_no_certs"))
+ break;
+ case OPT_RESP_NO_CERTS:
rflags |= OCSP_NOCERTS;
- else if (!strcmp(*args, "-resp_key_id"))
+ break;
+ case OPT_RESP_KEY_ID:
rflags |= OCSP_RESPID_KEY;
- else if (!strcmp(*args, "-no_certs"))
+ break;
+ case OPT_NO_CERTS:
sign_flags |= OCSP_NOCERTS;
- else if (!strcmp(*args, "-no_signature_verify"))
+ break;
+ case OPT_NO_SIGNATURE_VERIFY:
verify_flags |= OCSP_NOSIGS;
- else if (!strcmp(*args, "-no_cert_verify"))
+ break;
+ case OPT_NO_CERT_VERIFY:
verify_flags |= OCSP_NOVERIFY;
- else if (!strcmp(*args, "-no_chain"))
+ break;
+ case OPT_NO_CHAIN:
verify_flags |= OCSP_NOCHAIN;
- else if (!strcmp(*args, "-no_cert_checks"))
+ break;
+ case OPT_NO_CERT_CHECKS:
verify_flags |= OCSP_NOCHECKS;
- else if (!strcmp(*args, "-no_explicit"))
+ break;
+ case OPT_NO_EXPLICIT:
verify_flags |= OCSP_NOEXPLICIT;
- else if (!strcmp(*args, "-trust_other"))
+ break;
+ case OPT_TRUST_OTHER:
verify_flags |= OCSP_TRUSTOTHER;
- else if (!strcmp(*args, "-no_intern"))
+ break;
+ case OPT_NO_INTERN:
verify_flags |= OCSP_NOINTERN;
- else if (!strcmp(*args, "-badsig"))
+ break;
+ case OPT_BADSIG:
badsig = 1;
- else if (!strcmp(*args, "-text")) {
- req_text = 1;
- resp_text = 1;
- } else if (!strcmp(*args, "-req_text"))
+ break;
+ case OPT_TEXT:
+ req_text = resp_text = 1;
+ break;
+ case OPT_REQ_TEXT:
req_text = 1;
- else if (!strcmp(*args, "-resp_text"))
+ break;
+ case OPT_RESP_TEXT:
resp_text = 1;
- else if (!strcmp(*args, "-reqin")) {
- if (args[1]) {
- args++;
- reqin = *args;
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-respin")) {
- if (args[1]) {
- args++;
- respin = *args;
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-signer")) {
- if (args[1]) {
- args++;
- signfile = *args;
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-VAfile")) {
- if (args[1]) {
- args++;
- verify_certfile = *args;
- verify_flags |= OCSP_TRUSTOTHER;
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-sign_other")) {
- if (args[1]) {
- args++;
- sign_certfile = *args;
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-verify_other")) {
- if (args[1]) {
- args++;
- verify_certfile = *args;
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-CAfile")) {
- if (args[1]) {
- args++;
- CAfile = *args;
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-CApath")) {
- if (args[1]) {
- args++;
- CApath = *args;
- } else
- badarg = 1;
- } else if (args_verify(&args, NULL, &badarg, bio_err, &vpm)) {
- if (badarg)
+ break;
+ case OPT_REQIN:
+ reqin = opt_arg();
+ break;
+ case OPT_RESPIN:
+ respin = opt_arg();
+ break;
+ case OPT_SIGNER:
+ signfile = opt_arg();
+ break;
+ case OPT_VAFILE:
+ verify_certfile = opt_arg();
+ verify_flags |= OCSP_TRUSTOTHER;
+ break;
+ case OPT_SIGN_OTHER:
+ sign_certfile = opt_arg();
+ break;
+ case OPT_VERIFY_OTHER:
+ verify_certfile = opt_arg();
+ break;
+ case OPT_CAFILE:
+ CAfile = opt_arg();
+ break;
+ case OPT_CAPATH:
+ CApath = opt_arg();
+ break;
+ case OPT_V_CASES:
+ if (!opt_verify(o, vpm))
goto end;
- continue;
- } else if (!strcmp(*args, "-validity_period")) {
- if (args[1]) {
- args++;
- nsec = atol(*args);
- if (nsec < 0) {
- BIO_printf(bio_err,
- "Illegal validity period %s\n", *args);
- badarg = 1;
- }
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-status_age")) {
- if (args[1]) {
- args++;
- maxage = atol(*args);
- if (maxage < 0) {
- BIO_printf(bio_err, "Illegal validity age %s\n", *args);
- badarg = 1;
- }
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-signkey")) {
- if (args[1]) {
- args++;
- keyfile = *args;
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-reqout")) {
- if (args[1]) {
- args++;
- reqout = *args;
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-respout")) {
- if (args[1]) {
- args++;
- respout = *args;
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-path")) {
- if (args[1]) {
- args++;
- path = *args;
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-issuer")) {
- if (args[1]) {
- args++;
- X509_free(issuer);
- issuer = load_cert(bio_err, *args, FORMAT_PEM,
- NULL, e, "issuer certificate");
- if (!issuer)
- goto end;
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-cert")) {
- if (args[1]) {
- args++;
- X509_free(cert);
- cert = load_cert(bio_err, *args, FORMAT_PEM,
- NULL, e, "certificate");
- if (!cert)
- goto end;
- if (!cert_id_md)
- cert_id_md = EVP_sha1();
- if (!add_ocsp_cert(&req, cert, cert_id_md, issuer, ids))
- goto end;
- if (!sk_OPENSSL_STRING_push(reqnames, *args))
- goto end;
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-serial")) {
- if (args[1]) {
- args++;
- if (!cert_id_md)
- cert_id_md = EVP_sha1();
- if (!add_ocsp_serial(&req, *args, cert_id_md, issuer, ids))
- goto end;
- if (!sk_OPENSSL_STRING_push(reqnames, *args))
- goto end;
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-index")) {
- if (args[1]) {
- args++;
- ridx_filename = *args;
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-CA")) {
- if (args[1]) {
- args++;
- rca_filename = *args;
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-nmin")) {
- if (args[1]) {
- args++;
- nmin = atol(*args);
- if (nmin < 0) {
- BIO_printf(bio_err, "Illegal update period %s\n", *args);
- badarg = 1;
- }
- }
+ vpmtouched++;
+ break;
+ case OPT_VALIDITY_PERIOD:
+ opt_long(opt_arg(), &nsec);
+ break;
+ case OPT_STATUS_AGE:
+ opt_long(opt_arg(), &maxage);
+ break;
+ case OPT_SIGNKEY:
+ keyfile = opt_arg();
+ break;
+ case OPT_REQOUT:
+ reqout = opt_arg();
+ break;
+ case OPT_RESPOUT:
+ respout = opt_arg();
+ break;
+ case OPT_PATH:
+ path = opt_arg();
+ break;
+ case OPT_CERT:
+ X509_free(cert);
+ cert = load_cert(opt_arg(), FORMAT_PEM,
+ NULL, NULL, "certificate");
+ if (cert == NULL)
+ goto end;
+ if (cert_id_md == NULL)
+ cert_id_md = EVP_sha1();
+ if (!add_ocsp_cert(&req, cert, cert_id_md, issuer, ids))
+ goto end;
+ if (!sk_OPENSSL_STRING_push(reqnames, opt_arg()))
+ goto end;
+ break;
+ case OPT_SERIAL:
+ if (cert_id_md == NULL)
+ cert_id_md = EVP_sha1();
+ if (!add_ocsp_serial(&req, opt_arg(), cert_id_md, issuer, ids))
+ goto end;
+ if (!sk_OPENSSL_STRING_push(reqnames, opt_arg()))
+ goto end;
+ break;
+ case OPT_INDEX:
+ ridx_filename = opt_arg();
+ break;
+ case OPT_CA:
+ rca_filename = opt_arg();
+ break;
+ case OPT_NMIN:
+ opt_int(opt_arg(), &nmin);
if (ndays == -1)
ndays = 0;
- else
- badarg = 1;
- } else if (!strcmp(*args, "-nrequest")) {
- if (args[1]) {
- args++;
- accept_count = atol(*args);
- if (accept_count < 0) {
- BIO_printf(bio_err, "Illegal accept count %s\n", *args);
- badarg = 1;
- }
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-ndays")) {
- if (args[1]) {
- args++;
- ndays = atol(*args);
- if (ndays < 0) {
- BIO_printf(bio_err, "Illegal update period %s\n", *args);
- badarg = 1;
- }
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-rsigner")) {
- if (args[1]) {
- args++;
- rsignfile = *args;
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-rkey")) {
- if (args[1]) {
- args++;
- rkeyfile = *args;
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-rother")) {
- if (args[1]) {
- args++;
- rcertfile = *args;
- } else
- badarg = 1;
- } else if (!strcmp(*args, "-rmd")) {
- if (args[1]) {
- args++;
- rsign_md = EVP_get_digestbyname(*args);
- if (!rsign_md)
- badarg = 1;
- } else
- badarg = 1;
- } else if ((cert_id_md = EVP_get_digestbyname((*args) + 1)) == NULL) {
- badarg = 1;
+ break;
+ case OPT_REQUEST:
+ opt_int(opt_arg(), &accept_count);
+ break;
+ case OPT_NDAYS:
+ ndays = atoi(opt_arg());
+ break;
+ case OPT_RSIGNER:
+ rsignfile = opt_arg();
+ break;
+ case OPT_RKEY:
+ rkeyfile = opt_arg();
+ break;
+ case OPT_ROTHER:
+ rcertfile = opt_arg();
+ break;
+ case OPT_RMD:
+ if (!opt_md(opt_arg(), &rsign_md))
+ goto end;
+ break;
+ case OPT_HEADER:
+ header = opt_arg();
+ value = strchr(header, '=');
+ if (value == NULL) {
+ BIO_printf(bio_err, "Missing = in header key=value\n");
+ goto opthelp;
+ }
+ *value++ = '\0';
+ if (!X509V3_add_value(header, value, &headers))
+ goto end;
+ break;
+ case OPT_MD:
+ if (cert_id_md != NULL) {
+ BIO_printf(bio_err,
+ "%s: Digest must be before -cert or -serial\n",
+ prog);
+ goto opthelp;
+ }
+ if (!opt_md(opt_unknown(), &cert_id_md))
+ goto opthelp;
+ break;
}
- args++;
}
+ argc = opt_num_rest();
+ argv = opt_rest();
/* Have we anything to do? */
if (!req && !reqin && !respin && !(port && ridx_filename))
- badarg = 1;
-
- if (badarg) {
- BIO_printf(bio_err, "OCSP utility\n");
- BIO_printf(bio_err, "Usage ocsp [options]\n");
- BIO_printf(bio_err, "where options are\n");
- BIO_printf(bio_err, "-out file output filename\n");
- BIO_printf(bio_err, "-issuer file issuer certificate\n");
- BIO_printf(bio_err, "-cert file certificate to check\n");
- BIO_printf(bio_err, "-serial n serial number to check\n");
- BIO_printf(bio_err,
- "-signer file certificate to sign OCSP request with\n");
- BIO_printf(bio_err,
- "-signkey file private key to sign OCSP request with\n");
- BIO_printf(bio_err,
- "-sign_other file additional certificates to include in signed request\n");
- BIO_printf(bio_err,
- "-no_certs don't include any certificates in signed request\n");
- BIO_printf(bio_err,
- "-req_text print text form of request\n");
- BIO_printf(bio_err,
- "-resp_text print text form of response\n");
- BIO_printf(bio_err,
- "-text print text form of request and response\n");
- BIO_printf(bio_err,
- "-reqout file write DER encoded OCSP request to \"file\"\n");
- BIO_printf(bio_err,
- "-respout file write DER encoded OCSP reponse to \"file\"\n");
- BIO_printf(bio_err,
- "-reqin file read DER encoded OCSP request from \"file\"\n");
- BIO_printf(bio_err,
- "-respin file read DER encoded OCSP reponse from \"file\"\n");
- BIO_printf(bio_err,
- "-nonce add OCSP nonce to request\n");
- BIO_printf(bio_err,
- "-no_nonce don't add OCSP nonce to request\n");
- BIO_printf(bio_err, "-url URL OCSP responder URL\n");
- BIO_printf(bio_err,
- "-host host:n send OCSP request to host on port n\n");
- BIO_printf(bio_err,
- "-path path to use in OCSP request\n");
- BIO_printf(bio_err,
- "-CApath dir trusted certificates directory\n");
- BIO_printf(bio_err,
- "-CAfile file trusted certificates file\n");
- BIO_printf(bio_err,
- "-trusted_first use locally trusted CA's first when building trust chain\n");
- BIO_printf(bio_err,
- "-no_alt_chains only ever use the first certificate chain found\n");
- BIO_printf(bio_err,
- "-VAfile file validator certificates file\n");
- BIO_printf(bio_err,
- "-validity_period n maximum validity discrepancy in seconds\n");
- BIO_printf(bio_err,
- "-status_age n maximum status age in seconds\n");
- BIO_printf(bio_err,
- "-noverify don't verify response at all\n");
- BIO_printf(bio_err,
- "-verify_other file additional certificates to search for signer\n");
- BIO_printf(bio_err,
- "-trust_other don't verify additional certificates\n");
- BIO_printf(bio_err,
- "-no_intern don't search certificates contained in response for signer\n");
- BIO_printf(bio_err,
- "-no_signature_verify don't check signature on response\n");
- BIO_printf(bio_err,
- "-no_cert_verify don't check signing certificate\n");
- BIO_printf(bio_err,
- "-no_chain don't chain verify response\n");
- BIO_printf(bio_err,
- "-no_cert_checks don't do additional checks on signing certificate\n");
- BIO_printf(bio_err,
- "-port num port to run responder on\n");
- BIO_printf(bio_err,
- "-index file certificate status index file\n");
- BIO_printf(bio_err, "-CA file CA certificate\n");
- BIO_printf(bio_err,
- "-rsigner file responder certificate to sign responses with\n");
- BIO_printf(bio_err,
- "-rkey file responder key to sign responses with\n");
- BIO_printf(bio_err,
- "-rother file other certificates to include in response\n");
- BIO_printf(bio_err,
- "-resp_no_certs don't include any certificates in response\n");
- BIO_printf(bio_err,
- "-nmin n number of minutes before next update\n");
- BIO_printf(bio_err,
- "-ndays n number of days before next update\n");
- BIO_printf(bio_err,
- "-resp_key_id identify reponse by signing certificate key ID\n");
- BIO_printf(bio_err,
- "-nrequest n number of requests to accept (default unlimited)\n");
- BIO_printf(bio_err,
- "-<dgst alg> use specified digest in the request\n");
- BIO_printf(bio_err,
- "-timeout n timeout connection to OCSP responder after n seconds\n");
- goto end;
- }
+ goto opthelp;
- if (outfile)
- out = BIO_new_file(outfile, "w");
- else
- out = BIO_new_fp(stdout, BIO_NOCLOSE);
-
- if (!out) {
- BIO_printf(bio_err, "Error opening output file\n");
+ out = bio_open_default(outfile, "w");
+ if (out == NULL)
goto end;
- }
if (!req && (add_nonce != 2))
add_nonce = 0;
if (!req && reqin) {
- if (!strcmp(reqin, "-"))
- derbio = BIO_new_fp(stdin, BIO_NOCLOSE);
- else
- derbio = BIO_new_file(reqin, "rb");
- if (!derbio) {
- BIO_printf(bio_err, "Error Opening OCSP request file\n");
+ derbio = bio_open_default(reqin, "rb");
+ if (derbio == NULL)
goto end;
- }
req = d2i_OCSP_REQUEST_bio(derbio, NULL);
BIO_free(derbio);
if (!req) {
@@ -628,21 +500,21 @@ int MAIN(int argc, char **argv)
if (rsignfile && !rdb) {
if (!rkeyfile)
rkeyfile = rsignfile;
- rsigner = load_cert(bio_err, rsignfile, FORMAT_PEM,
- NULL, e, "responder certificate");
+ rsigner = load_cert(rsignfile, FORMAT_PEM,
+ NULL, NULL, "responder certificate");
if (!rsigner) {
BIO_printf(bio_err, "Error loading responder certificate\n");
goto end;
}
- rca_cert = load_cert(bio_err, rca_filename, FORMAT_PEM,
- NULL, e, "CA certificate");
+ rca_cert = load_cert(rca_filename, FORMAT_PEM,
+ NULL, NULL, "CA certificate");
if (rcertfile) {
- rother = load_certs(bio_err, rcertfile, FORMAT_PEM,
- NULL, e, "responder other certificates");
+ rother = load_certs(rcertfile, FORMAT_PEM,
+ NULL, NULL, "responder other certificates");
if (!rother)
goto end;
}
- rkey = load_key(bio_err, rkeyfile, FORMAT_PEM, 0, NULL, NULL,
+ rkey = load_key(rkeyfile, FORMAT_PEM, 0, NULL, NULL,
"responder private key");
if (!rkey)
goto end;
@@ -675,19 +547,19 @@ int MAIN(int argc, char **argv)
if (signfile) {
if (!keyfile)
keyfile = signfile;
- signer = load_cert(bio_err, signfile, FORMAT_PEM,
- NULL, e, "signer certificate");
+ signer = load_cert(signfile, FORMAT_PEM,
+ NULL, NULL, "signer certificate");
if (!signer) {
BIO_printf(bio_err, "Error loading signer certificate\n");
goto end;
}
if (sign_certfile) {
- sign_other = load_certs(bio_err, sign_certfile, FORMAT_PEM,
- NULL, e, "signer certificates");
+ sign_other = load_certs(sign_certfile, FORMAT_PEM,
+ NULL, NULL, "signer certificates");
if (!sign_other)
goto end;
}
- key = load_key(bio_err, keyfile, FORMAT_PEM, 0, NULL, NULL,
+ key = load_key(keyfile, FORMAT_PEM, 0, NULL, NULL,
"signer private key");
if (!key)
goto end;
@@ -703,14 +575,9 @@ int MAIN(int argc, char **argv)
OCSP_REQUEST_print(out, req, 0);
if (reqout) {
- if (!strcmp(reqout, "-"))
- derbio = BIO_new_fp(stdout, BIO_NOCLOSE);
- else
- derbio = BIO_new_file(reqout, "wb");
- if (!derbio) {
- BIO_printf(bio_err, "Error opening file %s\n", reqout);
+ derbio = bio_open_default(reqout, "wb");
+ if (derbio == NULL)
goto end;
- }
i2d_OCSP_REQUEST_bio(derbio, req);
BIO_free(derbio);
}
@@ -730,13 +597,13 @@ int MAIN(int argc, char **argv)
}
if (rdb) {
- i = make_ocsp_response(&resp, req, rdb, rca_cert, rsigner, rkey,
+ make_ocsp_response(&resp, req, rdb, rca_cert, rsigner, rkey,
rsign_md, rother, rflags, nmin, ndays, badsig);
if (cbio)
send_ocsp_response(cbio, resp);
} else if (host) {
# ifndef OPENSSL_NO_SOCK
- resp = process_responder(bio_err, req, host, path,
+ resp = process_responder(req, host, path,
port, use_ssl, headers, req_timeout);
if (!resp)
goto end;
@@ -746,21 +613,15 @@ int MAIN(int argc, char **argv)
goto end;
# endif
} else if (respin) {
- if (!strcmp(respin, "-"))
- derbio = BIO_new_fp(stdin, BIO_NOCLOSE);
- else
- derbio = BIO_new_file(respin, "rb");
- if (!derbio) {
- BIO_printf(bio_err, "Error Opening OCSP response file\n");
+ derbio = bio_open_default(respin, "rb");
+ if (derbio == NULL)
goto end;
- }
resp = d2i_OCSP_RESPONSE_bio(derbio, NULL);
BIO_free(derbio);
if (!resp) {
BIO_printf(bio_err, "Error reading OCSP response\n");
goto end;
}
-
} else {
ret = 0;
goto end;
@@ -769,20 +630,14 @@ int MAIN(int argc