Symaptic: os/ossrv/ssl/tsrc/BC/libcrypto/topenssl/src/ocsp.c@bde4ae8d615e (annotated)

sl@0	1	/* ocsp.c */
sl@0	2	/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
sl@0	3	* project 2000.
sl@0	4	*/
sl@0	5	/* ====================================================================
sl@0	6	* Copyright (c) 1999 The OpenSSL Project. All rights reserved.
sl@0	7	*
sl@0	8	* Redistribution and use in source and binary forms, with or without
sl@0	9	* modification, are permitted provided that the following conditions
sl@0	10	* are met:
sl@0	11	*
sl@0	12	* 1. Redistributions of source code must retain the above copyright
sl@0	13	* notice, this list of conditions and the following disclaimer.
sl@0	14	*
sl@0	15	* 2. Redistributions in binary form must reproduce the above copyright
sl@0	16	* notice, this list of conditions and the following disclaimer in
sl@0	17	* the documentation and/or other materials provided with the
sl@0	18	* distribution.
sl@0	19	*
sl@0	20	* 3. All advertising materials mentioning features or use of this
sl@0	21	* software must display the following acknowledgment:
sl@0	22	* "This product includes software developed by the OpenSSL Project
sl@0	23	* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
sl@0	24	*
sl@0	25	* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
sl@0	26	* endorse or promote products derived from this software without
sl@0	27	* prior written permission. For written permission, please contact
sl@0	28	* licensing@OpenSSL.org.
sl@0	29	*
sl@0	30	* 5. Products derived from this software may not be called "OpenSSL"
sl@0	31	* nor may "OpenSSL" appear in their names without prior written
sl@0	32	* permission of the OpenSSL Project.
sl@0	33	*
sl@0	34	* 6. Redistributions of any form whatsoever must retain the following
sl@0	35	* acknowledgment:
sl@0	36	* "This product includes software developed by the OpenSSL Project
sl@0	37	* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
sl@0	38	*
sl@0	39	* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
sl@0	40	* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
sl@0	41	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
sl@0	42	* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
sl@0	43	* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
sl@0	44	* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
sl@0	45	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
sl@0	46	* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
sl@0	47	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
sl@0	48	* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
sl@0	49	* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
sl@0	50	* OF THE POSSIBILITY OF SUCH DAMAGE.
sl@0	51	* ====================================================================
sl@0	52	*
sl@0	53	* This product includes cryptographic software written by Eric Young
sl@0	54	* (eay@cryptsoft.com). This product includes software written by Tim
sl@0	55	* Hudson (tjh@cryptsoft.com).
sl@0	56	*
sl@0	57	*/
sl@0	58	#ifndef OPENSSL_NO_OCSP
sl@0	59
sl@0	60	#include <stdio.h>
sl@0	61	#include <string.h>
sl@0	62	#include "apps.h"
sl@0	63	#include <openssl/pem.h>
sl@0	64	#include <openssl/ocsp.h>
sl@0	65	#include <openssl/err.h>
sl@0	66	#include <openssl/ssl.h>
sl@0	67	#include <openssl/bn.h>
sl@0	68
sl@0	69	/* Maximum leeway in validity period: default 5 minutes */
sl@0	70	#define MAX_VALIDITY_PERIOD (5 * 60)
sl@0	71
sl@0	72	static int add_ocsp_cert(OCSP_REQUEST *req, X509 cert, X509 *issuer,
sl@0	73	STACK_OF(OCSP_CERTID) *ids);
sl@0	74	static int add_ocsp_serial(OCSP_REQUEST *req, char serial, X509 *issuer,
sl@0	75	STACK_OF(OCSP_CERTID) *ids);
sl@0	76	static int print_ocsp_summary(BIO out, OCSP_BASICRESP bs, OCSP_REQUEST *req,
sl@0	77	STACK names, STACK_OF(OCSP_CERTID) ids,
sl@0	78	long nsec, long maxage);
sl@0	79
sl@0	80	static int make_ocsp_response(OCSP_RESPONSE *resp, OCSP_REQUEST req, CA_DB *db,
sl@0	81	X509 ca, X509 rcert, EVP_PKEY *rkey,
sl@0	82	STACK_OF(X509) *rother, unsigned long flags,
sl@0	83	int nmin, int ndays);
sl@0	84
sl@0	85	static char *lookup_serial(CA_DB db, ASN1_INTEGER *ser);
sl@0	86	static BIO init_responder(char port);
sl@0	87	static int do_responder(OCSP_REQUEST preq, BIO pcbio, BIO acbio, char port);
sl@0	88	static int send_ocsp_response(BIO cbio, OCSP_RESPONSE resp);
sl@0	89
sl@0	90	#undef PROG
sl@0	91	#define PROG ocsp_main
sl@0	92
sl@0	93	int MAIN(int, char **);
sl@0	94
sl@0	95	int MAIN(int argc, char **argv)
sl@0	96	{
sl@0	97	ENGINE *e = NULL;
sl@0	98	char **args;
sl@0	99	char host = NULL, port = NULL, *path = "/";
sl@0	100	char reqin = NULL, respin = NULL;
sl@0	101	char reqout = NULL, respout = NULL;
sl@0	102	char signfile = NULL, keyfile = NULL;
sl@0	103	char rsignfile = NULL, rkeyfile = NULL;
sl@0	104	char *outfile = NULL;
sl@0	105	int add_nonce = 1, noverify = 0, use_ssl = -1;
sl@0	106	OCSP_REQUEST *req = NULL;
sl@0	107	OCSP_RESPONSE *resp = NULL;
sl@0	108	OCSP_BASICRESP *bs = NULL;
sl@0	109	X509 issuer = NULL, cert = NULL;
sl@0	110	X509 signer = NULL, rsigner = NULL;
sl@0	111	EVP_PKEY key = NULL, rkey = NULL;
sl@0	112	BIO acbio = NULL, cbio = NULL;
sl@0	113	BIO *derbio = NULL;
sl@0	114	BIO *out = NULL;
sl@0	115	int req_text = 0, resp_text = 0;
sl@0	116	long nsec = MAX_VALIDITY_PERIOD, maxage = -1;
sl@0	117	char CAfile = NULL, CApath = NULL;
sl@0	118	X509_STORE *store = NULL;
sl@0	119	SSL_CTX *ctx = NULL;
sl@0	120	STACK_OF(X509) sign_other = NULL, verify_other = NULL, *rother = NULL;
sl@0	121	char sign_certfile = NULL, verify_certfile = NULL, *rcertfile = NULL;
sl@0	122	unsigned long sign_flags = 0, verify_flags = 0, rflags = 0;
sl@0	123	int ret = 1;
sl@0	124	int accept_count = -1;
sl@0	125	int badarg = 0;
sl@0	126	int i;
sl@0	127	int ignore_err = 0;
sl@0	128	STACK *reqnames = NULL;
sl@0	129	STACK_OF(OCSP_CERTID) *ids = NULL;
sl@0	130
sl@0	131	X509 *rca_cert = NULL;
sl@0	132	char *ridx_filename = NULL;
sl@0	133	char *rca_filename = NULL;
sl@0	134	CA_DB *rdb = NULL;
sl@0	135	int nmin = 0, ndays = -1;
sl@0	136
sl@0	137	if (bio_err == NULL)
sl@0	138	bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
sl@0	139	if (!load_config(bio_err, NULL))
sl@0	140	goto end;
sl@0	141	SSL_load_error_strings();
sl@0	142	args = argv + 1;
sl@0	143	reqnames = sk_new_null();
sl@0	144	ids = sk_OCSP_CERTID_new_null();
sl@0	145	while (!badarg && args && args[0] == '-')
sl@0	146	{
sl@0	147	if (!strcmp(*args, "-out"))
sl@0	148	{
sl@0	149	if (args[1])
sl@0	150	{
sl@0	151	args++;
sl@0	152	outfile = *args;
sl@0	153	}
sl@0	154	else badarg = 1;
sl@0	155	}
sl@0	156	else if (!strcmp(*args, "-url"))
sl@0	157	{
sl@0	158	if (args[1])
sl@0	159	{
sl@0	160	args++;
sl@0	161	if (!OCSP_parse_url(*args, &host, &port, &path, &use_ssl))
sl@0	162	{
sl@0	163	BIO_printf(bio_err, "Error parsing URL\n");
sl@0	164	badarg = 1;
sl@0	165	}
sl@0	166	}
sl@0	167	else badarg = 1;
sl@0	168	}
sl@0	169	else if (!strcmp(*args, "-host"))
sl@0	170	{
sl@0	171	if (args[1])
sl@0	172	{
sl@0	173	args++;
sl@0	174	host = *args;
sl@0	175	}
sl@0	176	else badarg = 1;
sl@0	177	}
sl@0	178	else if (!strcmp(*args, "-port"))
sl@0	179	{
sl@0	180	if (args[1])
sl@0	181	{
sl@0	182	args++;
sl@0	183	port = *args;
sl@0	184	}
sl@0	185	else badarg = 1;
sl@0	186	}
sl@0	187	else if (!strcmp(*args, "-ignore_err"))
sl@0	188	ignore_err = 1;
sl@0	189	else if (!strcmp(*args, "-noverify"))
sl@0	190	noverify = 1;
sl@0	191	else if (!strcmp(*args, "-nonce"))
sl@0	192	add_nonce = 2;
sl@0	193	else if (!strcmp(*args, "-no_nonce"))
sl@0	194	add_nonce = 0;
sl@0	195	else if (!strcmp(*args, "-resp_no_certs"))
sl@0	196	rflags \|= OCSP_NOCERTS;
sl@0	197	else if (!strcmp(*args, "-resp_key_id"))
sl@0	198	rflags \|= OCSP_RESPID_KEY;
sl@0	199	else if (!strcmp(*args, "-no_certs"))
sl@0	200	sign_flags \|= OCSP_NOCERTS;
sl@0	201	else if (!strcmp(*args, "-no_signature_verify"))
sl@0	202	verify_flags \|= OCSP_NOSIGS;
sl@0	203	else if (!strcmp(*args, "-no_cert_verify"))
sl@0	204	verify_flags \|= OCSP_NOVERIFY;
sl@0	205	else if (!strcmp(*args, "-no_chain"))
sl@0	206	verify_flags \|= OCSP_NOCHAIN;
sl@0	207	else if (!strcmp(*args, "-no_cert_checks"))
sl@0	208	verify_flags \|= OCSP_NOCHECKS;
sl@0	209	else if (!strcmp(*args, "-no_explicit"))
sl@0	210	verify_flags \|= OCSP_NOEXPLICIT;
sl@0	211	else if (!strcmp(*args, "-trust_other"))
sl@0	212	verify_flags \|= OCSP_TRUSTOTHER;
sl@0	213	else if (!strcmp(*args, "-no_intern"))
sl@0	214	verify_flags \|= OCSP_NOINTERN;
sl@0	215	else if (!strcmp(*args, "-text"))
sl@0	216	{
sl@0	217	req_text = 1;
sl@0	218	resp_text = 1;
sl@0	219	}
sl@0	220	else if (!strcmp(*args, "-req_text"))
sl@0	221	req_text = 1;
sl@0	222	else if (!strcmp(*args, "-resp_text"))
sl@0	223	resp_text = 1;
sl@0	224	else if (!strcmp(*args, "-reqin"))
sl@0	225	{
sl@0	226	if (args[1])
sl@0	227	{
sl@0	228	args++;
sl@0	229	reqin = *args;
sl@0	230	}
sl@0	231	else badarg = 1;
sl@0	232	}
sl@0	233	else if (!strcmp(*args, "-respin"))
sl@0	234	{
sl@0	235	if (args[1])
sl@0	236	{
sl@0	237	args++;
sl@0	238	respin = *args;
sl@0	239	}
sl@0	240	else badarg = 1;
sl@0	241	}
sl@0	242	else if (!strcmp(*args, "-signer"))
sl@0	243	{
sl@0	244	if (args[1])
sl@0	245	{
sl@0	246	args++;
sl@0	247	signfile = *args;
sl@0	248	}
sl@0	249	else badarg = 1;
sl@0	250	}
sl@0	251	else if (!strcmp (*args, "-VAfile"))
sl@0	252	{
sl@0	253	if (args[1])
sl@0	254	{
sl@0	255	args++;
sl@0	256	verify_certfile = *args;
sl@0	257	verify_flags \|= OCSP_TRUSTOTHER;
sl@0	258	}
sl@0	259	else badarg = 1;
sl@0	260	}
sl@0	261	else if (!strcmp(*args, "-sign_other"))
sl@0	262	{
sl@0	263	if (args[1])
sl@0	264	{
sl@0	265	args++;
sl@0	266	sign_certfile = *args;
sl@0	267	}
sl@0	268	else badarg = 1;
sl@0	269	}
sl@0	270	else if (!strcmp(*args, "-verify_other"))
sl@0	271	{
sl@0	272	if (args[1])
sl@0	273	{
sl@0	274	args++;
sl@0	275	verify_certfile = *args;
sl@0	276	}
sl@0	277	else badarg = 1;
sl@0	278	}
sl@0	279	else if (!strcmp (*args, "-CAfile"))
sl@0	280	{
sl@0	281	if (args[1])
sl@0	282	{
sl@0	283	args++;
sl@0	284	CAfile = *args;
sl@0	285	}
sl@0	286	else badarg = 1;
sl@0	287	}
sl@0	288	else if (!strcmp (*args, "-CApath"))
sl@0	289	{
sl@0	290	if (args[1])
sl@0	291	{
sl@0	292	args++;
sl@0	293	CApath = *args;
sl@0	294	}
sl@0	295	else badarg = 1;
sl@0	296	}
sl@0	297	else if (!strcmp (*args, "-validity_period"))
sl@0	298	{
sl@0	299	if (args[1])
sl@0	300	{
sl@0	301	args++;
sl@0	302	nsec = atol(*args);
sl@0	303	if (nsec < 0)
sl@0	304	{
sl@0	305	BIO_printf(bio_err,
sl@0	306	"Illegal validity period %s\n",
sl@0	307	*args);
sl@0	308	badarg = 1;
sl@0	309	}
sl@0	310	}
sl@0	311	else badarg = 1;
sl@0	312	}
sl@0	313	else if (!strcmp (*args, "-status_age"))
sl@0	314	{
sl@0	315	if (args[1])
sl@0	316	{
sl@0	317	args++;
sl@0	318	maxage = atol(*args);
sl@0	319	if (maxage < 0)
sl@0	320	{
sl@0	321	BIO_printf(bio_err,
sl@0	322	"Illegal validity age %s\n",
sl@0	323	*args);
sl@0	324	badarg = 1;
sl@0	325	}
sl@0	326	}
sl@0	327	else badarg = 1;
sl@0	328	}
sl@0	329	else if (!strcmp(*args, "-signkey"))
sl@0	330	{
sl@0	331	if (args[1])
sl@0	332	{
sl@0	333	args++;
sl@0	334	keyfile = *args;
sl@0	335	}
sl@0	336	else badarg = 1;
sl@0	337	}
sl@0	338	else if (!strcmp(*args, "-reqout"))
sl@0	339	{
sl@0	340	if (args[1])
sl@0	341	{
sl@0	342	args++;
sl@0	343	reqout = *args;
sl@0	344	}
sl@0	345	else badarg = 1;
sl@0	346	}
sl@0	347	else if (!strcmp(*args, "-respout"))
sl@0	348	{
sl@0	349	if (args[1])
sl@0	350	{
sl@0	351	args++;
sl@0	352	respout = *args;
sl@0	353	}
sl@0	354	else badarg = 1;
sl@0	355	}
sl@0	356	else if (!strcmp(*args, "-path"))
sl@0	357	{
sl@0	358	if (args[1])
sl@0	359	{
sl@0	360	args++;
sl@0	361	path = *args;
sl@0	362	}
sl@0	363	else badarg = 1;
sl@0	364	}
sl@0	365	else if (!strcmp(*args, "-issuer"))
sl@0	366	{
sl@0	367	if (args[1])
sl@0	368	{
sl@0	369	args++;
sl@0	370	X509_free(issuer);
sl@0	371	issuer = load_cert(bio_err, *args, FORMAT_PEM,
sl@0	372	NULL, e, "issuer certificate");
sl@0	373	if(!issuer) goto end;
sl@0	374	}
sl@0	375	else badarg = 1;
sl@0	376	}
sl@0	377	else if (!strcmp (*args, "-cert"))
sl@0	378	{
sl@0	379	if (args[1])
sl@0	380	{
sl@0	381	args++;
sl@0	382	X509_free(cert);
sl@0	383	cert = load_cert(bio_err, *args, FORMAT_PEM,
sl@0	384	NULL, e, "certificate");
sl@0	385	if(!cert) goto end;
sl@0	386	if(!add_ocsp_cert(&req, cert, issuer, ids))
sl@0	387	goto end;
sl@0	388	if(!sk_push(reqnames, *args))
sl@0	389	goto end;
sl@0	390	}
sl@0	391	else badarg = 1;
sl@0	392	}
sl@0	393	else if (!strcmp(*args, "-serial"))
sl@0	394	{
sl@0	395	if (args[1])
sl@0	396	{
sl@0	397	args++;
sl@0	398	if(!add_ocsp_serial(&req, *args, issuer, ids))
sl@0	399	goto end;
sl@0	400	if(!sk_push(reqnames, *args))
sl@0	401	goto end;
sl@0	402	}
sl@0	403	else badarg = 1;
sl@0	404	}
sl@0	405	else if (!strcmp(*args, "-index"))
sl@0	406	{
sl@0	407	if (args[1])
sl@0	408	{
sl@0	409	args++;
sl@0	410	ridx_filename = *args;
sl@0	411	}
sl@0	412	else badarg = 1;
sl@0	413	}
sl@0	414	else if (!strcmp(*args, "-CA"))
sl@0	415	{
sl@0	416	if (args[1])
sl@0	417	{
sl@0	418	args++;
sl@0	419	rca_filename = *args;
sl@0	420	}
sl@0	421	else badarg = 1;
sl@0	422	}
sl@0	423	else if (!strcmp (*args, "-nmin"))
sl@0	424	{
sl@0	425	if (args[1])
sl@0	426	{
sl@0	427	args++;
sl@0	428	nmin = atol(*args);
sl@0	429	if (nmin < 0)
sl@0	430	{
sl@0	431	BIO_printf(bio_err,
sl@0	432	"Illegal update period %s\n",
sl@0	433	*args);
sl@0	434	badarg = 1;
sl@0	435	}
sl@0	436	}
sl@0	437	if (ndays == -1)
sl@0	438	ndays = 0;
sl@0	439	else badarg = 1;
sl@0	440	}
sl@0	441	else if (!strcmp (*args, "-nrequest"))
sl@0	442	{
sl@0	443	if (args[1])
sl@0	444	{
sl@0	445	args++;
sl@0	446	accept_count = atol(*args);
sl@0	447	if (accept_count < 0)
sl@0	448	{
sl@0	449	BIO_printf(bio_err,
sl@0	450	"Illegal accept count %s\n",
sl@0	451	*args);
sl@0	452	badarg = 1;
sl@0	453	}
sl@0	454	}
sl@0	455	else badarg = 1;
sl@0	456	}
sl@0	457	else if (!strcmp (*args, "-ndays"))
sl@0	458	{
sl@0	459	if (args[1])
sl@0	460	{
sl@0	461	args++;
sl@0	462	ndays = atol(*args);
sl@0	463	if (ndays < 0)
sl@0	464	{
sl@0	465	BIO_printf(bio_err,
sl@0	466	"Illegal update period %s\n",
sl@0	467	*args);
sl@0	468	badarg = 1;
sl@0	469	}
sl@0	470	}
sl@0	471	else badarg = 1;
sl@0	472	}
sl@0	473	else if (!strcmp(*args, "-rsigner"))
sl@0	474	{
sl@0	475	if (args[1])
sl@0	476	{
sl@0	477	args++;
sl@0	478	rsignfile = *args;
sl@0	479	}
sl@0	480	else badarg = 1;
sl@0	481	}
sl@0	482	else if (!strcmp(*args, "-rkey"))
sl@0	483	{
sl@0	484	if (args[1])
sl@0	485	{
sl@0	486	args++;
sl@0	487	rkeyfile = *args;
sl@0	488	}
sl@0	489	else badarg = 1;
sl@0	490	}
sl@0	491	else if (!strcmp(*args, "-rother"))
sl@0	492	{
sl@0	493	if (args[1])
sl@0	494	{
sl@0	495	args++;
sl@0	496	rcertfile = *args;
sl@0	497	}
sl@0	498	else badarg = 1;
sl@0	499	}
sl@0	500	else badarg = 1;
sl@0	501	args++;
sl@0	502	}
sl@0	503
sl@0	504	/* Have we anything to do? */
sl@0	505	if (!req && !reqin && !respin && !(port && ridx_filename)) badarg = 1;
sl@0	506
sl@0	507	if (badarg)
sl@0	508	{
sl@0	509	BIO_printf (bio_err, "OCSP utility\n");
sl@0	510	BIO_printf (bio_err, "Usage ocsp [options]\n");
sl@0	511	BIO_printf (bio_err, "where options are\n");
sl@0	512	BIO_printf (bio_err, "-out file output filename\n");
sl@0	513	BIO_printf (bio_err, "-issuer file issuer certificate\n");
sl@0	514	BIO_printf (bio_err, "-cert file certificate to check\n");
sl@0	515	BIO_printf (bio_err, "-serial n serial number to check\n");
sl@0	516	BIO_printf (bio_err, "-signer file certificate to sign OCSP request with\n");
sl@0	517	BIO_printf (bio_err, "-signkey file private key to sign OCSP request with\n");
sl@0	518	BIO_printf (bio_err, "-sign_other file additional certificates to include in signed request\n");
sl@0	519	BIO_printf (bio_err, "-no_certs don't include any certificates in signed request\n");
sl@0	520	BIO_printf (bio_err, "-req_text print text form of request\n");
sl@0	521	BIO_printf (bio_err, "-resp_text print text form of response\n");
sl@0	522	BIO_printf (bio_err, "-text print text form of request and response\n");
sl@0	523	BIO_printf (bio_err, "-reqout file write DER encoded OCSP request to \"file\"\n");
sl@0	524	BIO_printf (bio_err, "-respout file write DER encoded OCSP reponse to \"file\"\n");
sl@0	525	BIO_printf (bio_err, "-reqin file read DER encoded OCSP request from \"file\"\n");
sl@0	526	BIO_printf (bio_err, "-respin file read DER encoded OCSP reponse from \"file\"\n");
sl@0	527	BIO_printf (bio_err, "-nonce add OCSP nonce to request\n");
sl@0	528	BIO_printf (bio_err, "-no_nonce don't add OCSP nonce to request\n");
sl@0	529	BIO_printf (bio_err, "-url URL OCSP responder URL\n");
sl@0	530	BIO_printf (bio_err, "-host host:n send OCSP request to host on port n\n");
sl@0	531	BIO_printf (bio_err, "-path path to use in OCSP request\n");
sl@0	532	BIO_printf (bio_err, "-CApath dir trusted certificates directory\n");
sl@0	533	BIO_printf (bio_err, "-CAfile file trusted certificates file\n");
sl@0	534	BIO_printf (bio_err, "-VAfile file validator certificates file\n");
sl@0	535	BIO_printf (bio_err, "-validity_period n maximum validity discrepancy in seconds\n");
sl@0	536	BIO_printf (bio_err, "-status_age n maximum status age in seconds\n");
sl@0	537	BIO_printf (bio_err, "-noverify don't verify response at all\n");
sl@0	538	BIO_printf (bio_err, "-verify_other file additional certificates to search for signer\n");
sl@0	539	BIO_printf (bio_err, "-trust_other don't verify additional certificates\n");
sl@0	540	BIO_printf (bio_err, "-no_intern don't search certificates contained in response for signer\n");
sl@0	541	BIO_printf (bio_err, "-no_signature_verify don't check signature on response\n");
sl@0	542	BIO_printf (bio_err, "-no_cert_verify don't check signing certificate\n");
sl@0	543	BIO_printf (bio_err, "-no_chain don't chain verify response\n");
sl@0	544	BIO_printf (bio_err, "-no_cert_checks don't do additional checks on signing certificate\n");
sl@0	545	BIO_printf (bio_err, "-port num port to run responder on\n");
sl@0	546	BIO_printf (bio_err, "-index file certificate status index file\n");
sl@0	547	BIO_printf (bio_err, "-CA file CA certificate\n");
sl@0	548	BIO_printf (bio_err, "-rsigner file responder certificate to sign responses with\n");
sl@0	549	BIO_printf (bio_err, "-rkey file responder key to sign responses with\n");
sl@0	550	BIO_printf (bio_err, "-rother file other certificates to include in response\n");
sl@0	551	BIO_printf (bio_err, "-resp_no_certs don't include any certificates in response\n");
sl@0	552	BIO_printf (bio_err, "-nmin n number of minutes before next update\n");
sl@0	553	BIO_printf (bio_err, "-ndays n number of days before next update\n");
sl@0	554	BIO_printf (bio_err, "-resp_key_id identify reponse by signing certificate key ID\n");
sl@0	555	BIO_printf (bio_err, "-nrequest n number of requests to accept (default unlimited)\n");
sl@0	556	goto end;
sl@0	557	}
sl@0	558
sl@0	559	if(outfile) out = BIO_new_file(outfile, "w");
sl@0	560	else out = BIO_new_fp(stdout, BIO_NOCLOSE);
sl@0	561	if(!out)
sl@0	562	{
sl@0	563	BIO_printf(bio_err, "Error opening output file\n");
sl@0	564	goto end;
sl@0	565	}
sl@0	566
sl@0	567	if (!req && (add_nonce != 2)) add_nonce = 0;
sl@0	568
sl@0	569	if (!req && reqin)
sl@0	570	{
sl@0	571	derbio = BIO_new_file(reqin, "rb");
sl@0	572	if (!derbio)
sl@0	573	{
sl@0	574	BIO_printf(bio_err, "Error Opening OCSP request file\n");
sl@0	575	goto end;
sl@0	576	}
sl@0	577	req = d2i_OCSP_REQUEST_bio(derbio, NULL);
sl@0	578	BIO_free(derbio);
sl@0	579	if(!req)
sl@0	580	{
sl@0	581	BIO_printf(bio_err, "Error reading OCSP request\n");
sl@0	582	goto end;
sl@0	583	}
sl@0	584	}
sl@0	585
sl@0	586	if (!req && port)
sl@0	587	{
sl@0	588	acbio = init_responder(port);
sl@0	589	if (!acbio)
sl@0	590	goto end;
sl@0	591	}
sl@0	592
sl@0	593	if (rsignfile && !rdb)
sl@0	594	{
sl@0	595	if (!rkeyfile) rkeyfile = rsignfile;
sl@0	596	rsigner = load_cert(bio_err, rsignfile, FORMAT_PEM,
sl@0	597	NULL, e, "responder certificate");
sl@0	598	if (!rsigner)
sl@0	599	{
sl@0	600	BIO_printf(bio_err, "Error loading responder certificate\n");
sl@0	601	goto end;
sl@0	602	}
sl@0	603	rca_cert = load_cert(bio_err, rca_filename, FORMAT_PEM,
sl@0	604	NULL, e, "CA certificate");
sl@0	605	if (rcertfile)
sl@0	606	{
sl@0	607	rother = load_certs(bio_err, rcertfile, FORMAT_PEM,
sl@0	608	NULL, e, "responder other certificates");
sl@0	609	if (!rother) goto end;
sl@0	610	}
sl@0	611	rkey = load_key(bio_err, rkeyfile, FORMAT_PEM, 0, NULL, NULL,
sl@0	612	"responder private key");
sl@0	613	if (!rkey)
sl@0	614	goto end;
sl@0	615	}
sl@0	616	if(acbio)
sl@0	617	BIO_printf(bio_err, "Waiting for OCSP client connections...\n");
sl@0	618
sl@0	619	redo_accept:
sl@0	620
sl@0	621	if (acbio)
sl@0	622	{
sl@0	623	if (!do_responder(&req, &cbio, acbio, port))
sl@0	624	goto end;
sl@0	625	if (!req)
sl@0	626	{
sl@0	627	resp = OCSP_response_create(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, NULL);
sl@0	628	send_ocsp_response(cbio, resp);
sl@0	629	goto done_resp;
sl@0	630	}
sl@0	631	}
sl@0	632
sl@0	633	if (!req && (signfile \|\| reqout \|\| host \|\| add_nonce \|\| ridx_filename))
sl@0	634	{
sl@0	635	BIO_printf(bio_err, "Need an OCSP request for this operation!\n");
sl@0	636	goto end;
sl@0	637	}
sl@0	638
sl@0	639	if (req && add_nonce) OCSP_request_add1_nonce(req, NULL, -1);
sl@0	640
sl@0	641	if (signfile)
sl@0	642	{
sl@0	643	if (!keyfile) keyfile = signfile;
sl@0	644	signer = load_cert(bio_err, signfile, FORMAT_PEM,
sl@0	645	NULL, e, "signer certificate");
sl@0	646	if (!signer)
sl@0	647	{
sl@0	648	BIO_printf(bio_err, "Error loading signer certificate\n");
sl@0	649	goto end;
sl@0	650	}
sl@0	651	if (sign_certfile)
sl@0	652	{
sl@0	653	sign_other = load_certs(bio_err, sign_certfile, FORMAT_PEM,
sl@0	654	NULL, e, "signer certificates");
sl@0	655	if (!sign_other) goto end;
sl@0	656	}
sl@0	657	key = load_key(bio_err, keyfile, FORMAT_PEM, 0, NULL, NULL,
sl@0	658	"signer private key");
sl@0	659	if (!key)
sl@0	660	goto end;
sl@0	661	if (!OCSP_request_sign(req, signer, key, EVP_sha1(), sign_other, sign_flags))
sl@0	662	{
sl@0	663	BIO_printf(bio_err, "Error signing OCSP request\n");
sl@0	664	goto end;
sl@0	665	}
sl@0	666	}
sl@0	667
sl@0	668	if (req_text && req) OCSP_REQUEST_print(out, req, 0);
sl@0	669
sl@0	670	if (reqout)
sl@0	671	{
sl@0	672	derbio = BIO_new_file(reqout, "wb");
sl@0	673	if(!derbio)
sl@0	674	{
sl@0	675	BIO_printf(bio_err, "Error opening file %s\n", reqout);
sl@0	676	goto end;
sl@0	677	}
sl@0	678	i2d_OCSP_REQUEST_bio(derbio, req);
sl@0	679	BIO_free(derbio);
sl@0	680	}
sl@0	681
sl@0	682	if (ridx_filename && (!rkey \|\| !rsigner \|\| !rca_cert))
sl@0	683	{
sl@0	684	BIO_printf(bio_err, "Need a responder certificate, key and CA for this operation!\n");
sl@0	685	goto end;
sl@0	686	}
sl@0	687
sl@0	688	if (ridx_filename && !rdb)
sl@0	689	{
sl@0	690	rdb = load_index(ridx_filename, NULL);
sl@0	691	if (!rdb) goto end;
sl@0	692	if (!index_index(rdb)) goto end;
sl@0	693	}
sl@0	694
sl@0	695	if (rdb)
sl@0	696	{
sl@0	697	i = make_ocsp_response(&resp, req, rdb, rca_cert, rsigner, rkey, rother, rflags, nmin, ndays);
sl@0	698	if (cbio)
sl@0	699	send_ocsp_response(cbio, resp);
sl@0	700	}
sl@0	701	else if (host)
sl@0	702	{
sl@0	703	#ifndef OPENSSL_NO_SOCK
sl@0	704	cbio = BIO_new_connect(host);
sl@0	705	#else
sl@0	706	BIO_printf(bio_err, "Error creating connect BIO - sockets not supported.\n");
sl@0	707	goto end;
sl@0	708	#endif
sl@0	709	if (!cbio)
sl@0	710	{
sl@0	711	BIO_printf(bio_err, "Error creating connect BIO\n");
sl@0	712	goto end;
sl@0	713	}
sl@0	714	if (port) BIO_set_conn_port(cbio, port);
sl@0	715	if (use_ssl == 1)
sl@0	716	{
sl@0	717	BIO *sbio;
sl@0	718	#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
sl@0	719	ctx = SSL_CTX_new(SSLv23_client_method());
sl@0	720	#elif !defined(OPENSSL_NO_SSL3)
sl@0	721	ctx = SSL_CTX_new(SSLv3_client_method());
sl@0	722	#elif !defined(OPENSSL_NO_SSL2)
sl@0	723	ctx = SSL_CTX_new(SSLv2_client_method());
sl@0	724	#else
sl@0	725	BIO_printf(bio_err, "SSL is disabled\n");
sl@0	726	goto end;
sl@0	727	#endif
sl@0	728	SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
sl@0	729	sbio = BIO_new_ssl(ctx, 1);
sl@0	730	cbio = BIO_push(sbio, cbio);
sl@0	731	}
sl@0	732	if (BIO_do_connect(cbio) <= 0)
sl@0	733	{
sl@0	734	BIO_printf(bio_err, "Error connecting BIO\n");
sl@0	735	goto end;
sl@0	736	}
sl@0	737	resp = OCSP_sendreq_bio(cbio, path, req);
sl@0	738	BIO_free_all(cbio);
sl@0	739	cbio = NULL;
sl@0	740	if (!resp)
sl@0	741	{
sl@0	742	BIO_printf(bio_err, "Error querying OCSP responsder\n");
sl@0	743	goto end;
sl@0	744	}
sl@0	745	}
sl@0	746	else if (respin)
sl@0	747	{
sl@0	748	derbio = BIO_new_file(respin, "rb");
sl@0	749	if (!derbio)
sl@0	750	{
sl@0	751	BIO_printf(bio_err, "Error Opening OCSP response file\n");
sl@0	752	goto end;
sl@0	753	}
sl@0	754	resp = d2i_OCSP_RESPONSE_bio(derbio, NULL);
sl@0	755	BIO_free(derbio);
sl@0	756	if(!resp)
sl@0	757	{
sl@0	758	BIO_printf(bio_err, "Error reading OCSP response\n");
sl@0	759	goto end;
sl@0	760	}
sl@0	761
sl@0	762	}
sl@0	763	else
sl@0	764	{
sl@0	765	ret = 0;
sl@0	766	goto end;
sl@0	767	}
sl@0	768
sl@0	769	done_resp:
sl@0	770
sl@0	771	if (respout)
sl@0	772	{
sl@0	773	derbio = BIO_new_file(respout, "wb");
sl@0	774	if(!derbio)
sl@0	775	{
sl@0	776	BIO_printf(bio_err, "Error opening file %s\n", respout);
sl@0	777	goto end;
sl@0	778	}
sl@0	779	i2d_OCSP_RESPONSE_bio(derbio, resp);
sl@0	780	BIO_free(derbio);
sl@0	781	}
sl@0	782
sl@0	783	i = OCSP_response_status(resp);
sl@0	784
sl@0	785	if (i != OCSP_RESPONSE_STATUS_SUCCESSFUL)
sl@0	786	{
sl@0	787	BIO_printf(out, "Responder Error: %s (%d)\n",
sl@0	788	OCSP_response_status_str(i), i);
sl@0	789	if (ignore_err)
sl@0	790	goto redo_accept;
sl@0	791	ret = 0;
sl@0	792	goto end;
sl@0	793	}
sl@0	794
sl@0	795	if (resp_text) OCSP_RESPONSE_print(out, resp, 0);
sl@0	796
sl@0	797	/* If running as responder don't verify our own response */
sl@0	798	if (cbio)
sl@0	799	{
sl@0	800	if (accept_count > 0)
sl@0	801	accept_count--;
sl@0	802	/* Redo if more connections needed */
sl@0	803	if (accept_count)
sl@0	804	{
sl@0	805	BIO_free_all(cbio);
sl@0	806	cbio = NULL;
sl@0	807	OCSP_REQUEST_free(req);
sl@0	808	req = NULL;
sl@0	809	OCSP_RESPONSE_free(resp);
sl@0	810	resp = NULL;
sl@0	811	goto redo_accept;
sl@0	812	}
sl@0	813	goto end;
sl@0	814	}
sl@0	815
sl@0	816	if (!store)
sl@0	817	store = setup_verify(bio_err, CAfile, CApath);
sl@0	818	if (!store)
sl@0	819	goto end;
sl@0	820	if (verify_certfile)
sl@0	821	{
sl@0	822	verify_other = load_certs(bio_err, verify_certfile, FORMAT_PEM,
sl@0	823	NULL, e, "validator certificate");
sl@0	824	if (!verify_other) goto end;
sl@0	825	}
sl@0	826
sl@0	827	bs = OCSP_response_get1_basic(resp);
sl@0	828
sl@0	829	if (!bs)
sl@0	830	{
sl@0	831	BIO_printf(bio_err, "Error parsing response\n");
sl@0	832	goto end;
sl@0	833	}
sl@0	834
sl@0	835	if (!noverify)
sl@0	836	{
sl@0	837	if (req && ((i = OCSP_check_nonce(req, bs)) <= 0))
sl@0	838	{
sl@0	839	if (i == -1)
sl@0	840	BIO_printf(bio_err, "WARNING: no nonce in response\n");
sl@0	841	else
sl@0	842	{
sl@0	843	BIO_printf(bio_err, "Nonce Verify error\n");
sl@0	844	goto end;
sl@0	845	}
sl@0	846	}
sl@0	847
sl@0	848	i = OCSP_basic_verify(bs, verify_other, store, verify_flags);
sl@0	849	if (i < 0) i = OCSP_basic_verify(bs, NULL, store, 0);
sl@0	850
sl@0	851	if(i <= 0)
sl@0	852	{
sl@0	853	BIO_printf(bio_err, "Response Verify Failure\n");
sl@0	854	ERR_print_errors(bio_err);
sl@0	855	}
sl@0	856	else
sl@0	857	BIO_printf(bio_err, "Response verify OK\n");
sl@0	858
sl@0	859	}
sl@0	860
sl@0	861	if (!print_ocsp_summary(out, bs, req, reqnames, ids, nsec, maxage))
sl@0	862	goto end;
sl@0	863
sl@0	864	ret = 0;
sl@0	865
sl@0	866	end:
sl@0	867	ERR_print_errors(bio_err);
sl@0	868	X509_free(signer);
sl@0	869	X509_STORE_free(store);
sl@0	870	EVP_PKEY_free(key);
sl@0	871	EVP_PKEY_free(rkey);
sl@0	872	X509_free(issuer);
sl@0	873	X509_free(cert);
sl@0	874	X509_free(rsigner);
sl@0	875	X509_free(rca_cert);
sl@0	876	free_index(rdb);
sl@0	877	BIO_free_all(cbio);
sl@0	878	BIO_free_all(acbio);
sl@0	879	BIO_free(out);
sl@0	880	OCSP_REQUEST_free(req);
sl@0	881	OCSP_RESPONSE_free(resp);
sl@0	882	OCSP_BASICRESP_free(bs);
sl@0	883	sk_free(reqnames);
sl@0	884	sk_OCSP_CERTID_free(ids);
sl@0	885	sk_X509_pop_free(sign_other, X509_free);
sl@0	886	sk_X509_pop_free(verify_other, X509_free);
sl@0	887
sl@0	888	if (use_ssl != -1)
sl@0	889	{
sl@0	890	OPENSSL_free(host);
sl@0	891	OPENSSL_free(port);
sl@0	892	OPENSSL_free(path);
sl@0	893	SSL_CTX_free(ctx);
sl@0	894	}
sl@0	895
sl@0	896	OPENSSL_EXIT(ret);
sl@0	897	}
sl@0	898
sl@0	899	static int add_ocsp_cert(OCSP_REQUEST *req, X509 cert, X509 *issuer,
sl@0	900	STACK_OF(OCSP_CERTID) *ids)
sl@0	901	{
sl@0	902	OCSP_CERTID *id;
sl@0	903	if(!issuer)
sl@0	904	{
sl@0	905	BIO_printf(bio_err, "No issuer certificate specified\n");
sl@0	906	return 0;
sl@0	907	}
sl@0	908	if(!req) req = OCSP_REQUEST_new();
sl@0	909	if(!*req) goto err;
sl@0	910	id = OCSP_cert_to_id(NULL, cert, issuer);
sl@0	911	if(!id \|\| !sk_OCSP_CERTID_push(ids, id)) goto err;
sl@0	912	if(!OCSP_request_add0_id(*req, id)) goto err;
sl@0	913	return 1;
sl@0	914
sl@0	915	err:
sl@0	916	BIO_printf(bio_err, "Error Creating OCSP request\n");
sl@0	917	return 0;
sl@0	918	}
sl@0	919
sl@0	920	static int add_ocsp_serial(OCSP_REQUEST *req, char serial, X509 *issuer,
sl@0	921	STACK_OF(OCSP_CERTID) *ids)
sl@0	922	{
sl@0	923	OCSP_CERTID *id;
sl@0	924	X509_NAME *iname;
sl@0	925	ASN1_BIT_STRING *ikey;
sl@0	926	ASN1_INTEGER *sno;
sl@0	927	if(!issuer)
sl@0	928	{
sl@0	929	BIO_printf(bio_err, "No issuer certificate specified\n");
sl@0	930	return 0;
sl@0	931	}
sl@0	932	if(!req) req = OCSP_REQUEST_new();
sl@0	933	if(!*req) goto err;
sl@0	934	iname = X509_get_subject_name(issuer);
sl@0	935	ikey = X509_get0_pubkey_bitstr(issuer);
sl@0	936	sno = s2i_ASN1_INTEGER(NULL, serial);
sl@0	937	if(!sno)
sl@0	938	{
sl@0	939	BIO_printf(bio_err, "Error converting serial number %s\n", serial);
sl@0	940	return 0;
sl@0	941	}
sl@0	942	id = OCSP_cert_id_new(EVP_sha1(), iname, ikey, sno);
sl@0	943	ASN1_INTEGER_free(sno);
sl@0	944	if(!id \|\| !sk_OCSP_CERTID_push(ids, id)) goto err;
sl@0	945	if(!OCSP_request_add0_id(*req, id)) goto err;
sl@0	946	return 1;
sl@0	947
sl@0	948	err:
sl@0	949	BIO_printf(bio_err, "Error Creating OCSP request\n");
sl@0	950	return 0;
sl@0	951	}
sl@0	952
sl@0	953	static int print_ocsp_summary(BIO out, OCSP_BASICRESP bs, OCSP_REQUEST *req,
sl@0	954	STACK names, STACK_OF(OCSP_CERTID) ids,
sl@0	955	long nsec, long maxage)
sl@0	956	{
sl@0	957	OCSP_CERTID *id;
sl@0	958	char *name;
sl@0	959	int i;
sl@0	960
sl@0	961	int status, reason;
sl@0	962
sl@0	963	ASN1_GENERALIZEDTIME rev, thisupd, *nextupd;
sl@0	964
sl@0	965	if (!bs \|\| !req \|\| !sk_num(names) \|\| !sk_OCSP_CERTID_num(ids))
sl@0	966	return 1;
sl@0	967
sl@0	968	for (i = 0; i < sk_OCSP_CERTID_num(ids); i++)
sl@0	969	{
sl@0	970	id = sk_OCSP_CERTID_value(ids, i);
sl@0	971	name = sk_value(names, i);
sl@0	972	BIO_printf(out, "%s: ", name);
sl@0	973
sl@0	974	if(!OCSP_resp_find_status(bs, id, &status, &reason,
sl@0	975	&rev, &thisupd, &nextupd))
sl@0	976	{
sl@0	977	BIO_puts(out, "ERROR: No Status found.\n");
sl@0	978	continue;
sl@0	979	}
sl@0	980
sl@0	981	/* Check validity: if invalid write to output BIO so we
sl@0	982	* know which response this refers to.
sl@0	983	*/
sl@0	984	if (!OCSP_check_validity(thisupd, nextupd, nsec, maxage))
sl@0	985	{
sl@0	986	BIO_puts(out, "WARNING: Status times invalid.\n");
sl@0	987	ERR_print_errors(out);
sl@0	988	}
sl@0	989	BIO_printf(out, "%s\n", OCSP_cert_status_str(status));
sl@0	990
sl@0	991	BIO_puts(out, "\tThis Update: ");
sl@0	992	ASN1_GENERALIZEDTIME_print(out, thisupd);
sl@0	993	BIO_puts(out, "\n");
sl@0	994
sl@0	995	if(nextupd)
sl@0	996	{
sl@0	997	BIO_puts(out, "\tNext Update: ");
sl@0	998	ASN1_GENERALIZEDTIME_print(out, nextupd);
sl@0	999	BIO_puts(out, "\n");
sl@0	1000	}
sl@0	1001
sl@0	1002	if (status != V_OCSP_CERTSTATUS_REVOKED)
sl@0	1003	continue;
sl@0	1004
sl@0	1005	if (reason != -1)
sl@0	1006	BIO_printf(out, "\tReason: %s\n",
sl@0	1007	OCSP_crl_reason_str(reason));
sl@0	1008
sl@0	1009	BIO_puts(out, "\tRevocation Time: ");
sl@0	1010	ASN1_GENERALIZEDTIME_print(out, rev);
sl@0	1011	BIO_puts(out, "\n");
sl@0	1012	}
sl@0	1013
sl@0	1014	return 1;
sl@0	1015	}
sl@0	1016
sl@0	1017
sl@0	1018	static int make_ocsp_response(OCSP_RESPONSE *resp, OCSP_REQUEST req, CA_DB *db,
sl@0	1019	X509 ca, X509 rcert, EVP_PKEY *rkey,
sl@0	1020	STACK_OF(X509) *rother, unsigned long flags,
sl@0	1021	int nmin, int ndays)
sl@0	1022	{
sl@0	1023	ASN1_TIME thisupd = NULL, nextupd = NULL;
sl@0	1024	OCSP_CERTID cid, ca_id = NULL;
sl@0	1025	OCSP_BASICRESP *bs = NULL;
sl@0	1026	int i, id_count, ret = 1;
sl@0	1027
sl@0	1028
sl@0	1029	id_count = OCSP_request_onereq_count(req);
sl@0	1030
sl@0	1031	if (id_count <= 0)
sl@0	1032	{
sl@0	1033	*resp = OCSP_response_create(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, NULL);
sl@0	1034	goto end;
sl@0	1035	}
sl@0	1036
sl@0	1037	ca_id = OCSP_cert_to_id(EVP_sha1(), NULL, ca);
sl@0	1038
sl@0	1039	bs = OCSP_BASICRESP_new();
sl@0	1040	thisupd = X509_gmtime_adj(NULL, 0);
sl@0	1041	if (ndays != -1)
sl@0	1042	nextupd = X509_gmtime_adj(NULL, nmin * 60 + ndays * 3600 * 24 );
sl@0	1043
sl@0	1044	/* Examine each certificate id in the request */
sl@0	1045	for (i = 0; i < id_count; i++)
sl@0	1046	{
sl@0	1047	OCSP_ONEREQ *one;
sl@0	1048	ASN1_INTEGER *serial;
sl@0	1049	char **inf;
sl@0	1050	one = OCSP_request_onereq_get0(req, i);
sl@0	1051	cid = OCSP_onereq_get0_id(one);
sl@0	1052	/* Is this request about our CA? */
sl@0	1053	if (OCSP_id_issuer_cmp(ca_id, cid))
sl@0	1054	{
sl@0	1055	OCSP_basic_add1_status(bs, cid,
sl@0	1056	V_OCSP_CERTSTATUS_UNKNOWN,
sl@0	1057	0, NULL,
sl@0	1058	thisupd, nextupd);
sl@0	1059	continue;
sl@0	1060	}
sl@0	1061	OCSP_id_get0_info(NULL, NULL, NULL, &serial, cid);
sl@0	1062	inf = lookup_serial(db, serial);
sl@0	1063	if (!inf)
sl@0	1064	OCSP_basic_add1_status(bs, cid,
sl@0	1065	V_OCSP_CERTSTATUS_UNKNOWN,
sl@0	1066	0, NULL,
sl@0	1067	thisupd, nextupd);
sl@0	1068	else if (inf[DB_type][0] == DB_TYPE_VAL)
sl@0	1069	OCSP_basic_add1_status(bs, cid,
sl@0	1070	V_OCSP_CERTSTATUS_GOOD,
sl@0	1071	0, NULL,
sl@0	1072	thisupd, nextupd);
sl@0	1073	else if (inf[DB_type][0] == DB_TYPE_REV)
sl@0	1074	{
sl@0	1075	ASN1_OBJECT *inst = NULL;
sl@0	1076	ASN1_TIME *revtm = NULL;
sl@0	1077	ASN1_GENERALIZEDTIME *invtm = NULL;
sl@0	1078	OCSP_SINGLERESP *single;
sl@0	1079	int reason = -1;
sl@0	1080	unpack_revinfo(&revtm, &reason, &inst, &invtm, inf[DB_rev_date]);
sl@0	1081	single = OCSP_basic_add1_status(bs, cid,
sl@0	1082	V_OCSP_CERTSTATUS_REVOKED,
sl@0	1083	reason, revtm,
sl@0	1084	thisupd, nextupd);
sl@0	1085	if (invtm)
sl@0	1086	OCSP_SINGLERESP_add1_ext_i2d(single, NID_invalidity_date, invtm, 0, 0);
sl@0	1087	else if (inst)
sl@0	1088	OCSP_SINGLERESP_add1_ext_i2d(single, NID_hold_instruction_code, inst, 0, 0);
sl@0	1089	ASN1_OBJECT_free(inst);
sl@0	1090	ASN1_TIME_free(revtm);
sl@0	1091	ASN1_GENERALIZEDTIME_free(invtm);
sl@0	1092	}
sl@0	1093	}
sl@0	1094
sl@0	1095	OCSP_copy_nonce(bs, req);
sl@0	1096
sl@0	1097	OCSP_basic_sign(bs, rcert, rkey, EVP_sha1(), rother, flags);
sl@0	1098
sl@0	1099	*resp = OCSP_response_create(OCSP_RESPONSE_STATUS_SUCCESSFUL, bs);
sl@0	1100
sl@0	1101	end:
sl@0	1102	ASN1_TIME_free(thisupd);
sl@0	1103	ASN1_TIME_free(nextupd);
sl@0	1104	OCSP_CERTID_free(ca_id);
sl@0	1105	OCSP_BASICRESP_free(bs);
sl@0	1106	return ret;
sl@0	1107
sl@0	1108	}
sl@0	1109
sl@0	1110	static char *lookup_serial(CA_DB db, ASN1_INTEGER *ser)
sl@0	1111	{
sl@0	1112	int i;
sl@0	1113	BIGNUM *bn = NULL;
sl@0	1114	char itmp, row[DB_NUMBER],**rrow;
sl@0	1115	for (i = 0; i < DB_NUMBER; i++) row[i] = NULL;
sl@0	1116	bn = ASN1_INTEGER_to_BN(ser,NULL);
sl@0	1117	if (BN_is_zero(bn))
sl@0	1118	itmp = BUF_strdup("00");
sl@0	1119	else
sl@0	1120	itmp = BN_bn2hex(bn);
sl@0	1121	row[DB_serial] = itmp;
sl@0	1122	BN_free(bn);
sl@0	1123	rrow=TXT_DB_get_by_index(db->db,DB_serial,row);
sl@0	1124	OPENSSL_free(itmp);
sl@0	1125	return rrow;
sl@0	1126	}
sl@0	1127
sl@0	1128	/* Quick and dirty OCSP server: read in and parse input request */
sl@0	1129
sl@0	1130	static BIO init_responder(char port)
sl@0	1131	{
sl@0	1132	BIO acbio = NULL, bufbio = NULL;
sl@0	1133	bufbio = BIO_new(BIO_f_buffer());
sl@0	1134	if (!bufbio)
sl@0	1135	goto err;
sl@0	1136	#ifndef OPENSSL_NO_SOCK
sl@0	1137	acbio = BIO_new_accept(port);
sl@0	1138	#else
sl@0	1139	BIO_printf(bio_err, "Error setting up accept BIO - sockets not supported.\n");
sl@0	1140	#endif
sl@0	1141	if (!acbio)
sl@0	1142	goto err;
sl@0	1143	BIO_set_accept_bios(acbio, bufbio);
sl@0	1144	bufbio = NULL;
sl@0	1145
sl@0	1146	if (BIO_do_accept(acbio) <= 0)
sl@0	1147	{
sl@0	1148	BIO_printf(bio_err, "Error setting up accept BIO\n");
sl@0	1149	ERR_print_errors(bio_err);
sl@0	1150	goto err;
sl@0	1151	}
sl@0	1152
sl@0	1153	return acbio;
sl@0	1154
sl@0	1155	err:
sl@0	1156	BIO_free_all(acbio);
sl@0	1157	BIO_free(bufbio);
sl@0	1158	return NULL;
sl@0	1159	}
sl@0	1160
sl@0	1161	static int do_responder(OCSP_REQUEST preq, BIO pcbio, BIO acbio, char port)
sl@0	1162	{
sl@0	1163	int have_post = 0, len;
sl@0	1164	OCSP_REQUEST *req = NULL;
sl@0	1165	char inbuf[1024];
sl@0	1166	BIO *cbio = NULL;
sl@0	1167
sl@0	1168	if (BIO_do_accept(acbio) <= 0)
sl@0	1169	{
sl@0	1170	BIO_printf(bio_err, "Error accepting connection\n");
sl@0	1171	ERR_print_errors(bio_err);
sl@0	1172	return 0;
sl@0	1173	}
sl@0	1174
sl@0	1175	cbio = BIO_pop(acbio);
sl@0	1176	*pcbio = cbio;
sl@0	1177
sl@0	1178	for(;;)
sl@0	1179	{
sl@0	1180	len = BIO_gets(cbio, inbuf, sizeof inbuf);
sl@0	1181	if (len <= 0)
sl@0	1182	return 1;
sl@0	1183	/* Look for "POST" signalling start of query */
sl@0	1184	if (!have_post)
sl@0	1185	{
sl@0	1186	if(strncmp(inbuf, "POST", 4))
sl@0	1187	{
sl@0	1188	BIO_printf(bio_err, "Invalid request\n");
sl@0	1189	return 1;
sl@0	1190	}
sl@0	1191	have_post = 1;
sl@0	1192	}
sl@0	1193	/* Look for end of headers */
sl@0	1194	if ((inbuf[0] == '\r') \|\| (inbuf[0] == '\n'))
sl@0	1195	break;
sl@0	1196	}
sl@0	1197
sl@0	1198	/* Try to read OCSP request */
sl@0	1199
sl@0	1200	req = d2i_OCSP_REQUEST_bio(cbio, NULL);
sl@0	1201
sl@0	1202	if (!req)
sl@0	1203	{
sl@0	1204	BIO_printf(bio_err, "Error parsing OCSP request\n");
sl@0	1205	ERR_print_errors(bio_err);
sl@0	1206	}
sl@0	1207
sl@0	1208	*preq = req;
sl@0	1209
sl@0	1210	return 1;
sl@0	1211
sl@0	1212	}
sl@0	1213
sl@0	1214	static int send_ocsp_response(BIO cbio, OCSP_RESPONSE resp)
sl@0	1215	{
sl@0	1216	char http_resp[] =
sl@0	1217	"HTTP/1.0 200 OK\r\nContent-type: application/ocsp-response\r\n"
sl@0	1218	"Content-Length: %d\r\n\r\n";
sl@0	1219	if (!cbio)
sl@0	1220	return 0;
sl@0	1221	BIO_printf(cbio, http_resp, i2d_OCSP_RESPONSE(resp, NULL));
sl@0	1222	i2d_OCSP_RESPONSE_bio(cbio, resp);
sl@0	1223	BIO_flush(cbio);
sl@0	1224	return 1;
sl@0	1225	}
sl@0	1226
sl@0	1227	#endif

author	sl@SLION-WIN7.fritz.box
	Fri, 15 Jun 2012 03:10:57 +0200
changeset 0	bde4ae8d615e
permissions	-rw-r--r--