Symaptic: os/ossrv/ssl/tsrc/topenssl/src/ocsp.c@bde4ae8d615e (annotated)

sl@0	1	/* ocsp.c */
sl@0	2	/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
sl@0	3	* project 2000.
sl@0	4	*/
sl@0	5	/* ====================================================================
sl@0	6	* Copyright (c) 1999 The OpenSSL Project. All rights reserved.
sl@0	7	*
sl@0	8	* Redistribution and use in source and binary forms, with or without
sl@0	9	* modification, are permitted provided that the following conditions
sl@0	10	* are met:
sl@0	11	*
sl@0	12	* 1. Redistributions of source code must retain the above copyright
sl@0	13	* notice, this list of conditions and the following disclaimer.
sl@0	14	*
sl@0	15	* 2. Redistributions in binary form must reproduce the above copyright
sl@0	16	* notice, this list of conditions and the following disclaimer in
sl@0	17	* the documentation and/or other materials provided with the
sl@0	18	* distribution.
sl@0	19	*
sl@0	20	* 3. All advertising materials mentioning features or use of this
sl@0	21	* software must display the following acknowledgment:
sl@0	22	* "This product includes software developed by the OpenSSL Project
sl@0	23	* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
sl@0	24	*
sl@0	25	* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
sl@0	26	* endorse or promote products derived from this software without
sl@0	27	* prior written permission. For written permission, please contact
sl@0	28	* licensing@OpenSSL.org.
sl@0	29	*
sl@0	30	* 5. Products derived from this software may not be called "OpenSSL"
sl@0	31	* nor may "OpenSSL" appear in their names without prior written
sl@0	32	* permission of the OpenSSL Project.
sl@0	33	*
sl@0	34	* 6. Redistributions of any form whatsoever must retain the following
sl@0	35	* acknowledgment:
sl@0	36	* "This product includes software developed by the OpenSSL Project
sl@0	37	* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
sl@0	38	*
sl@0	39	* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
sl@0	40	* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
sl@0	41	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
sl@0	42	* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
sl@0	43	* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
sl@0	44	* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
sl@0	45	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
sl@0	46	* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
sl@0	47	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
sl@0	48	* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
sl@0	49	* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
sl@0	50	* OF THE POSSIBILITY OF SUCH DAMAGE.
sl@0	51	* ====================================================================
sl@0	52	*
sl@0	53	* This product includes cryptographic software written by Eric Young
sl@0	54	* (eay@cryptsoft.com). This product includes software written by Tim
sl@0	55	* Hudson (tjh@cryptsoft.com).
sl@0	56	*
sl@0	57	*/
sl@0	58	#ifndef OPENSSL_NO_OCSP
sl@0	59
sl@0	60	#include <stdio.h>
sl@0	61	#include <string.h>
sl@0	62	#include "apps.h"
sl@0	63	#include <openssl/pem.h>
sl@0	64	#include <openssl/ocsp.h>
sl@0	65	#include <openssl/err.h>
sl@0	66	#include <openssl/ssl.h>
sl@0	67	#include <openssl/bn.h>
sl@0	68
sl@0	69	/* Maximum leeway in validity period: default 5 minutes */
sl@0	70	#define MAX_VALIDITY_PERIOD (5 * 60)
sl@0	71
sl@0	72	static int add_ocsp_cert(OCSP_REQUEST *req, X509 cert, X509 *issuer,
sl@0	73	STACK_OF(OCSP_CERTID) *ids);
sl@0	74	static int add_ocsp_serial(OCSP_REQUEST *req, char serial, X509 *issuer,
sl@0	75	STACK_OF(OCSP_CERTID) *ids);
sl@0	76	static int print_ocsp_summary(BIO out, OCSP_BASICRESP bs, OCSP_REQUEST *req,
sl@0	77	STACK names, STACK_OF(OCSP_CERTID) ids,
sl@0	78	long nsec, long maxage);
sl@0	79
sl@0	80	static int make_ocsp_response(OCSP_RESPONSE *resp, OCSP_REQUEST req, CA_DB *db,
sl@0	81	X509 ca, X509 rcert, EVP_PKEY *rkey,
sl@0	82	STACK_OF(X509) *rother, unsigned long flags,
sl@0	83	int nmin, int ndays);
sl@0	84
sl@0	85	static char *lookup_serial(CA_DB db, ASN1_INTEGER *ser);
sl@0	86	static BIO init_responder(char port);
sl@0	87	static int do_responder(OCSP_REQUEST preq, BIO pcbio, BIO acbio, char port);
sl@0	88	static int send_ocsp_response(BIO cbio, OCSP_RESPONSE resp);
sl@0	89
sl@0	90	#undef PROG
sl@0	91	#define PROG ocsp_main
sl@0	92
sl@0	93	int MAIN(int, char **);
sl@0	94
sl@0	95	int MAIN(int argc, char **argv)
sl@0	96	{
sl@0	97	ENGINE *e = NULL;
sl@0	98	char **args;
sl@0	99	char host = NULL, port = NULL, *path = "/";
sl@0	100	char reqin = NULL, respin = NULL;
sl@0	101	char reqout = NULL, respout = NULL;
sl@0	102	char signfile = NULL, keyfile = NULL;
sl@0	103	char rsignfile = NULL, rkeyfile = NULL;
sl@0	104	char *outfile = NULL;
sl@0	105	int add_nonce = 1, noverify = 0, use_ssl = -1;
sl@0	106	OCSP_REQUEST *req = NULL;
sl@0	107	OCSP_RESPONSE *resp = NULL;
sl@0	108	OCSP_BASICRESP *bs = NULL;
sl@0	109	X509 issuer = NULL, cert = NULL;
sl@0	110	X509 signer = NULL, rsigner = NULL;
sl@0	111	EVP_PKEY key = NULL, rkey = NULL;
sl@0	112	BIO acbio = NULL, cbio = NULL;
sl@0	113	BIO *derbio = NULL;
sl@0	114	BIO *out = NULL;
sl@0	115	int req_text = 0, resp_text = 0;
sl@0	116	long nsec = MAX_VALIDITY_PERIOD, maxage = -1;
sl@0	117	char CAfile = NULL, CApath = NULL;
sl@0	118	X509_STORE *store = NULL;
sl@0	119	SSL_CTX *ctx = NULL;
sl@0	120	STACK_OF(X509) sign_other = NULL, verify_other = NULL, *rother = NULL;
sl@0	121	char sign_certfile = NULL, verify_certfile = NULL, *rcertfile = NULL;
sl@0	122	unsigned long sign_flags = 0, verify_flags = 0, rflags = 0;
sl@0	123	int ret = 1;
sl@0	124	int accept_count = -1;
sl@0	125	int badarg = 0;
sl@0	126	int i;
sl@0	127	int ignore_err = 0;
sl@0	128	STACK *reqnames = NULL;
sl@0	129	STACK_OF(OCSP_CERTID) *ids = NULL;
sl@0	130
sl@0	131	X509 *rca_cert = NULL;
sl@0	132	char *ridx_filename = NULL;
sl@0	133	char *rca_filename = NULL;
sl@0	134	CA_DB *rdb = NULL;
sl@0	135	int nmin = 0, ndays = -1;
sl@0	136
sl@0	137	if (bio_err == NULL)
sl@0	138	bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
sl@0	139	if (!load_config(bio_err, NULL))
sl@0	140	goto end;
sl@0	141	SSL_load_error_strings();
sl@0	142	OpenSSL_add_ssl_algorithms();
sl@0	143	args = argv + 1;
sl@0	144	reqnames = sk_new_null();
sl@0	145	ids = sk_OCSP_CERTID_new_null();
sl@0	146	while (!badarg && args && args[0] == '-')
sl@0	147	{
sl@0	148	if (!strcmp(*args, "-out"))
sl@0	149	{
sl@0	150	if (args[1])
sl@0	151	{
sl@0	152	args++;
sl@0	153	outfile = *args;
sl@0	154	}
sl@0	155	else badarg = 1;
sl@0	156	}
sl@0	157	else if (!strcmp(*args, "-url"))
sl@0	158	{
sl@0	159	if (args[1])
sl@0	160	{
sl@0	161	args++;
sl@0	162	if (!OCSP_parse_url(*args, &host, &port, &path, &use_ssl))
sl@0	163	{
sl@0	164	BIO_printf(bio_err, "Error parsing URL\n");
sl@0	165	badarg = 1;
sl@0	166	}
sl@0	167	}
sl@0	168	else badarg = 1;
sl@0	169	}
sl@0	170	else if (!strcmp(*args, "-host"))
sl@0	171	{
sl@0	172	if (args[1])
sl@0	173	{
sl@0	174	args++;
sl@0	175	host = *args;
sl@0	176	}
sl@0	177	else badarg = 1;
sl@0	178	}
sl@0	179	else if (!strcmp(*args, "-port"))
sl@0	180	{
sl@0	181	if (args[1])
sl@0	182	{
sl@0	183	args++;
sl@0	184	port = *args;
sl@0	185	}
sl@0	186	else badarg = 1;
sl@0	187	}
sl@0	188	else if (!strcmp(*args, "-ignore_err"))
sl@0	189	ignore_err = 1;
sl@0	190	else if (!strcmp(*args, "-noverify"))
sl@0	191	noverify = 1;
sl@0	192	else if (!strcmp(*args, "-nonce"))
sl@0	193	add_nonce = 2;
sl@0	194	else if (!strcmp(*args, "-no_nonce"))
sl@0	195	add_nonce = 0;
sl@0	196	else if (!strcmp(*args, "-resp_no_certs"))
sl@0	197	rflags \|= OCSP_NOCERTS;
sl@0	198	else if (!strcmp(*args, "-resp_key_id"))
sl@0	199	rflags \|= OCSP_RESPID_KEY;
sl@0	200	else if (!strcmp(*args, "-no_certs"))
sl@0	201	sign_flags \|= OCSP_NOCERTS;
sl@0	202	else if (!strcmp(*args, "-no_signature_verify"))
sl@0	203	verify_flags \|= OCSP_NOSIGS;
sl@0	204	else if (!strcmp(*args, "-no_cert_verify"))
sl@0	205	verify_flags \|= OCSP_NOVERIFY;
sl@0	206	else if (!strcmp(*args, "-no_chain"))
sl@0	207	verify_flags \|= OCSP_NOCHAIN;
sl@0	208	else if (!strcmp(*args, "-no_cert_checks"))
sl@0	209	verify_flags \|= OCSP_NOCHECKS;
sl@0	210	else if (!strcmp(*args, "-no_explicit"))
sl@0	211	verify_flags \|= OCSP_NOEXPLICIT;
sl@0	212	else if (!strcmp(*args, "-trust_other"))
sl@0	213	verify_flags \|= OCSP_TRUSTOTHER;
sl@0	214	else if (!strcmp(*args, "-no_intern"))
sl@0	215	verify_flags \|= OCSP_NOINTERN;
sl@0	216	else if (!strcmp(*args, "-text"))
sl@0	217	{
sl@0	218	req_text = 1;
sl@0	219	resp_text = 1;
sl@0	220	}
sl@0	221	else if (!strcmp(*args, "-req_text"))
sl@0	222	req_text = 1;
sl@0	223	else if (!strcmp(*args, "-resp_text"))
sl@0	224	resp_text = 1;
sl@0	225	else if (!strcmp(*args, "-reqin"))
sl@0	226	{
sl@0	227	if (args[1])
sl@0	228	{
sl@0	229	args++;
sl@0	230	reqin = *args;
sl@0	231	}
sl@0	232	else badarg = 1;
sl@0	233	}
sl@0	234	else if (!strcmp(*args, "-respin"))
sl@0	235	{
sl@0	236	if (args[1])
sl@0	237	{
sl@0	238	args++;
sl@0	239	respin = *args;
sl@0	240	}
sl@0	241	else badarg = 1;
sl@0	242	}
sl@0	243	else if (!strcmp(*args, "-signer"))
sl@0	244	{
sl@0	245	if (args[1])
sl@0	246	{
sl@0	247	args++;
sl@0	248	signfile = *args;
sl@0	249	}
sl@0	250	else badarg = 1;
sl@0	251	}
sl@0	252	else if (!strcmp (*args, "-VAfile"))
sl@0	253	{
sl@0	254	if (args[1])
sl@0	255	{
sl@0	256	args++;
sl@0	257	verify_certfile = *args;
sl@0	258	verify_flags \|= OCSP_TRUSTOTHER;
sl@0	259	}
sl@0	260	else badarg = 1;
sl@0	261	}
sl@0	262	else if (!strcmp(*args, "-sign_other"))
sl@0	263	{
sl@0	264	if (args[1])
sl@0	265	{
sl@0	266	args++;
sl@0	267	sign_certfile = *args;
sl@0	268	}
sl@0	269	else badarg = 1;
sl@0	270	}
sl@0	271	else if (!strcmp(*args, "-verify_other"))
sl@0	272	{
sl@0	273	if (args[1])
sl@0	274	{
sl@0	275	args++;
sl@0	276	verify_certfile = *args;
sl@0	277	}
sl@0	278	else badarg = 1;
sl@0	279	}
sl@0	280	else if (!strcmp (*args, "-CAfile"))
sl@0	281	{
sl@0	282	if (args[1])
sl@0	283	{
sl@0	284	args++;
sl@0	285	CAfile = *args;
sl@0	286	}
sl@0	287	else badarg = 1;
sl@0	288	}
sl@0	289	else if (!strcmp (*args, "-CApath"))
sl@0	290	{
sl@0	291	if (args[1])
sl@0	292	{
sl@0	293	args++;
sl@0	294	CApath = *args;
sl@0	295	}
sl@0	296	else badarg = 1;
sl@0	297	}
sl@0	298	else if (!strcmp (*args, "-validity_period"))
sl@0	299	{
sl@0	300	if (args[1])
sl@0	301	{
sl@0	302	args++;
sl@0	303	nsec = atol(*args);
sl@0	304	if (nsec < 0)
sl@0	305	{
sl@0	306	BIO_printf(bio_err,
sl@0	307	"Illegal validity period %s\n",
sl@0	308	*args);
sl@0	309	badarg = 1;
sl@0	310	}
sl@0	311	}
sl@0	312	else badarg = 1;
sl@0	313	}
sl@0	314	else if (!strcmp (*args, "-status_age"))
sl@0	315	{
sl@0	316	if (args[1])
sl@0	317	{
sl@0	318	args++;
sl@0	319	maxage = atol(*args);
sl@0	320	if (maxage < 0)
sl@0	321	{
sl@0	322	BIO_printf(bio_err,
sl@0	323	"Illegal validity age %s\n",
sl@0	324	*args);
sl@0	325	badarg = 1;
sl@0	326	}
sl@0	327	}
sl@0	328	else badarg = 1;
sl@0	329	}
sl@0	330	else if (!strcmp(*args, "-signkey"))
sl@0	331	{
sl@0	332	if (args[1])
sl@0	333	{
sl@0	334	args++;
sl@0	335	keyfile = *args;
sl@0	336	}
sl@0	337	else badarg = 1;
sl@0	338	}
sl@0	339	else if (!strcmp(*args, "-reqout"))
sl@0	340	{
sl@0	341	if (args[1])
sl@0	342	{
sl@0	343	args++;
sl@0	344	reqout = *args;
sl@0	345	}
sl@0	346	else badarg = 1;
sl@0	347	}
sl@0	348	else if (!strcmp(*args, "-respout"))
sl@0	349	{
sl@0	350	if (args[1])
sl@0	351	{
sl@0	352	args++;
sl@0	353	respout = *args;
sl@0	354	}
sl@0	355	else badarg = 1;
sl@0	356	}
sl@0	357	else if (!strcmp(*args, "-path"))
sl@0	358	{
sl@0	359	if (args[1])
sl@0	360	{
sl@0	361	args++;
sl@0	362	path = *args;
sl@0	363	}
sl@0	364	else badarg = 1;
sl@0	365	}
sl@0	366	else if (!strcmp(*args, "-issuer"))
sl@0	367	{
sl@0	368	if (args[1])
sl@0	369	{
sl@0	370	args++;
sl@0	371	X509_free(issuer);
sl@0	372	issuer = load_cert(bio_err, *args, FORMAT_PEM,
sl@0	373	NULL, e, "issuer certificate");
sl@0	374	if(!issuer) goto end;
sl@0	375	}
sl@0	376	else badarg = 1;
sl@0	377	}
sl@0	378	else if (!strcmp (*args, "-cert"))
sl@0	379	{
sl@0	380	if (args[1])
sl@0	381	{
sl@0	382	args++;
sl@0	383	X509_free(cert);
sl@0	384	cert = load_cert(bio_err, *args, FORMAT_PEM,
sl@0	385	NULL, e, "certificate");
sl@0	386	if(!cert) goto end;
sl@0	387	if(!add_ocsp_cert(&req, cert, issuer, ids))
sl@0	388	goto end;
sl@0	389	if(!sk_push(reqnames, *args))
sl@0	390	goto end;
sl@0	391	}
sl@0	392	else badarg = 1;
sl@0	393	}
sl@0	394	else if (!strcmp(*args, "-serial"))
sl@0	395	{
sl@0	396	if (args[1])
sl@0	397	{
sl@0	398	args++;
sl@0	399	if(!add_ocsp_serial(&req, *args, issuer, ids))
sl@0	400	goto end;
sl@0	401	if(!sk_push(reqnames, *args))
sl@0	402	goto end;
sl@0	403	}
sl@0	404	else badarg = 1;
sl@0	405	}
sl@0	406	else if (!strcmp(*args, "-index"))
sl@0	407	{
sl@0	408	if (args[1])
sl@0	409	{
sl@0	410	args++;
sl@0	411	ridx_filename = *args;
sl@0	412	}
sl@0	413	else badarg = 1;
sl@0	414	}
sl@0	415	else if (!strcmp(*args, "-CA"))
sl@0	416	{
sl@0	417	if (args[1])
sl@0	418	{
sl@0	419	args++;
sl@0	420	rca_filename = *args;
sl@0	421	}
sl@0	422	else badarg = 1;
sl@0	423	}
sl@0	424	else if (!strcmp (*args, "-nmin"))
sl@0	425	{
sl@0	426	if (args[1])
sl@0	427	{
sl@0	428	args++;
sl@0	429	nmin = atol(*args);
sl@0	430	if (nmin < 0)
sl@0	431	{
sl@0	432	BIO_printf(bio_err,
sl@0	433	"Illegal update period %s\n",
sl@0	434	*args);
sl@0	435	badarg = 1;
sl@0	436	}
sl@0	437	}
sl@0	438	if (ndays == -1)
sl@0	439	ndays = 0;
sl@0	440	else badarg = 1;
sl@0	441	}
sl@0	442	else if (!strcmp (*args, "-nrequest"))
sl@0	443	{
sl@0	444	if (args[1])
sl@0	445	{
sl@0	446	args++;
sl@0	447	accept_count = atol(*args);
sl@0	448	if (accept_count < 0)
sl@0	449	{
sl@0	450	BIO_printf(bio_err,
sl@0	451	"Illegal accept count %s\n",
sl@0	452	*args);
sl@0	453	badarg = 1;
sl@0	454	}
sl@0	455	}
sl@0	456	else badarg = 1;
sl@0	457	}
sl@0	458	else if (!strcmp (*args, "-ndays"))
sl@0	459	{
sl@0	460	if (args[1])
sl@0	461	{
sl@0	462	args++;
sl@0	463	ndays = atol(*args);
sl@0	464	if (ndays < 0)
sl@0	465	{
sl@0	466	BIO_printf(bio_err,
sl@0	467	"Illegal update period %s\n",
sl@0	468	*args);
sl@0	469	badarg = 1;
sl@0	470	}
sl@0	471	}
sl@0	472	else badarg = 1;
sl@0	473	}
sl@0	474	else if (!strcmp(*args, "-rsigner"))
sl@0	475	{
sl@0	476	if (args[1])
sl@0	477	{
sl@0	478	args++;
sl@0	479	rsignfile = *args;
sl@0	480	}
sl@0	481	else badarg = 1;
sl@0	482	}
sl@0	483	else if (!strcmp(*args, "-rkey"))
sl@0	484	{
sl@0	485	if (args[1])
sl@0	486	{
sl@0	487	args++;
sl@0	488	rkeyfile = *args;
sl@0	489	}
sl@0	490	else badarg = 1;
sl@0	491	}
sl@0	492	else if (!strcmp(*args, "-rother"))
sl@0	493	{
sl@0	494	if (args[1])
sl@0	495	{
sl@0	496	args++;
sl@0	497	rcertfile = *args;
sl@0	498	}
sl@0	499	else badarg = 1;
sl@0	500	}
sl@0	501	else badarg = 1;
sl@0	502	args++;
sl@0	503	}
sl@0	504
sl@0	505	/* Have we anything to do? */
sl@0	506	if (!req && !reqin && !respin && !(port && ridx_filename)) badarg = 1;
sl@0	507
sl@0	508	if (badarg)
sl@0	509	{
sl@0	510	BIO_printf (bio_err, "OCSP utility\n");
sl@0	511	BIO_printf (bio_err, "Usage ocsp [options]\n");
sl@0	512	BIO_printf (bio_err, "where options are\n");
sl@0	513	BIO_printf (bio_err, "-out file output filename\n");
sl@0	514	BIO_printf (bio_err, "-issuer file issuer certificate\n");
sl@0	515	BIO_printf (bio_err, "-cert file certificate to check\n");
sl@0	516	BIO_printf (bio_err, "-serial n serial number to check\n");
sl@0	517	BIO_printf (bio_err, "-signer file certificate to sign OCSP request with\n");
sl@0	518	BIO_printf (bio_err, "-signkey file private key to sign OCSP request with\n");
sl@0	519	BIO_printf (bio_err, "-sign_other file additional certificates to include in signed request\n");
sl@0	520	BIO_printf (bio_err, "-no_certs don't include any certificates in signed request\n");
sl@0	521	BIO_printf (bio_err, "-req_text print text form of request\n");
sl@0	522	BIO_printf (bio_err, "-resp_text print text form of response\n");
sl@0	523	BIO_printf (bio_err, "-text print text form of request and response\n");
sl@0	524	BIO_printf (bio_err, "-reqout file write DER encoded OCSP request to \"file\"\n");
sl@0	525	BIO_printf (bio_err, "-respout file write DER encoded OCSP reponse to \"file\"\n");
sl@0	526	BIO_printf (bio_err, "-reqin file read DER encoded OCSP request from \"file\"\n");
sl@0	527	BIO_printf (bio_err, "-respin file read DER encoded OCSP reponse from \"file\"\n");
sl@0	528	BIO_printf (bio_err, "-nonce add OCSP nonce to request\n");
sl@0	529	BIO_printf (bio_err, "-no_nonce don't add OCSP nonce to request\n");
sl@0	530	BIO_printf (bio_err, "-url URL OCSP responder URL\n");
sl@0	531	BIO_printf (bio_err, "-host host:n send OCSP request to host on port n\n");
sl@0	532	BIO_printf (bio_err, "-path path to use in OCSP request\n");
sl@0	533	BIO_printf (bio_err, "-CApath dir trusted certificates directory\n");
sl@0	534	BIO_printf (bio_err, "-CAfile file trusted certificates file\n");
sl@0	535	BIO_printf (bio_err, "-VAfile file validator certificates file\n");
sl@0	536	BIO_printf (bio_err, "-validity_period n maximum validity discrepancy in seconds\n");
sl@0	537	BIO_printf (bio_err, "-status_age n maximum status age in seconds\n");
sl@0	538	BIO_printf (bio_err, "-noverify don't verify response at all\n");
sl@0	539	BIO_printf (bio_err, "-verify_other file additional certificates to search for signer\n");
sl@0	540	BIO_printf (bio_err, "-trust_other don't verify additional certificates\n");
sl@0	541	BIO_printf (bio_err, "-no_intern don't search certificates contained in response for signer\n");
sl@0	542	BIO_printf (bio_err, "-no_signature_verify don't check signature on response\n");
sl@0	543	BIO_printf (bio_err, "-no_cert_verify don't check signing certificate\n");
sl@0	544	BIO_printf (bio_err, "-no_chain don't chain verify response\n");
sl@0	545	BIO_printf (bio_err, "-no_cert_checks don't do additional checks on signing certificate\n");
sl@0	546	BIO_printf (bio_err, "-port num port to run responder on\n");
sl@0	547	BIO_printf (bio_err, "-index file certificate status index file\n");
sl@0	548	BIO_printf (bio_err, "-CA file CA certificate\n");
sl@0	549	BIO_printf (bio_err, "-rsigner file responder certificate to sign responses with\n");
sl@0	550	BIO_printf (bio_err, "-rkey file responder key to sign responses with\n");
sl@0	551	BIO_printf (bio_err, "-rother file other certificates to include in response\n");
sl@0	552	BIO_printf (bio_err, "-resp_no_certs don't include any certificates in response\n");
sl@0	553	BIO_printf (bio_err, "-nmin n number of minutes before next update\n");
sl@0	554	BIO_printf (bio_err, "-ndays n number of days before next update\n");
sl@0	555	BIO_printf (bio_err, "-resp_key_id identify reponse by signing certificate key ID\n");
sl@0	556	BIO_printf (bio_err, "-nrequest n number of requests to accept (default unlimited)\n");
sl@0	557	goto end;
sl@0	558	}
sl@0	559
sl@0	560	if(outfile) out = BIO_new_file(outfile, "w");
sl@0	561	else out = BIO_new_fp(stdout, BIO_NOCLOSE);
sl@0	562	if(!out)
sl@0	563	{
sl@0	564	BIO_printf(bio_err, "Error opening output file\n");
sl@0	565	goto end;
sl@0	566	}
sl@0	567
sl@0	568	if (!req && (add_nonce != 2)) add_nonce = 0;
sl@0	569
sl@0	570	if (!req && reqin)
sl@0	571	{
sl@0	572	derbio = BIO_new_file(reqin, "rb");
sl@0	573	if (!derbio)
sl@0	574	{
sl@0	575	BIO_printf(bio_err, "Error Opening OCSP request file\n");
sl@0	576	goto end;
sl@0	577	}
sl@0	578	req = d2i_OCSP_REQUEST_bio(derbio, NULL);
sl@0	579	BIO_free(derbio);
sl@0	580	if(!req)
sl@0	581	{
sl@0	582	BIO_printf(bio_err, "Error reading OCSP request\n");
sl@0	583	goto end;
sl@0	584	}
sl@0	585	}
sl@0	586
sl@0	587	if (!req && port)
sl@0	588	{
sl@0	589	acbio = init_responder(port);
sl@0	590	if (!acbio)
sl@0	591	goto end;
sl@0	592	}
sl@0	593
sl@0	594	if (rsignfile && !rdb)
sl@0	595	{
sl@0	596	if (!rkeyfile) rkeyfile = rsignfile;
sl@0	597	rsigner = load_cert(bio_err, rsignfile, FORMAT_PEM,
sl@0	598	NULL, e, "responder certificate");
sl@0	599	if (!rsigner)
sl@0	600	{
sl@0	601	BIO_printf(bio_err, "Error loading responder certificate\n");
sl@0	602	goto end;
sl@0	603	}
sl@0	604	rca_cert = load_cert(bio_err, rca_filename, FORMAT_PEM,
sl@0	605	NULL, e, "CA certificate");
sl@0	606	if (rcertfile)
sl@0	607	{
sl@0	608	rother = load_certs(bio_err, rcertfile, FORMAT_PEM,
sl@0	609	NULL, e, "responder other certificates");
sl@0	610	if (!rother) goto end;
sl@0	611	}
sl@0	612	rkey = load_key(bio_err, rkeyfile, FORMAT_PEM, 0, NULL, NULL,
sl@0	613	"responder private key");
sl@0	614	if (!rkey)
sl@0	615	goto end;
sl@0	616	}
sl@0	617	if(acbio)
sl@0	618	BIO_printf(bio_err, "Waiting for OCSP client connections...\n");
sl@0	619
sl@0	620	redo_accept:
sl@0	621
sl@0	622	if (acbio)
sl@0	623	{
sl@0	624	if (!do_responder(&req, &cbio, acbio, port))
sl@0	625	goto end;
sl@0	626	if (!req)
sl@0	627	{
sl@0	628	resp = OCSP_response_create(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, NULL);
sl@0	629	send_ocsp_response(cbio, resp);
sl@0	630	goto done_resp;
sl@0	631	}
sl@0	632	}
sl@0	633
sl@0	634	if (!req && (signfile \|\| reqout \|\| host \|\| add_nonce \|\| ridx_filename))
sl@0	635	{
sl@0	636	BIO_printf(bio_err, "Need an OCSP request for this operation!\n");
sl@0	637	goto end;
sl@0	638	}
sl@0	639
sl@0	640	if (req && add_nonce) OCSP_request_add1_nonce(req, NULL, -1);
sl@0	641
sl@0	642	if (signfile)
sl@0	643	{
sl@0	644	if (!keyfile) keyfile = signfile;
sl@0	645	signer = load_cert(bio_err, signfile, FORMAT_PEM,
sl@0	646	NULL, e, "signer certificate");
sl@0	647	if (!signer)
sl@0	648	{
sl@0	649	BIO_printf(bio_err, "Error loading signer certificate\n");
sl@0	650	goto end;
sl@0	651	}
sl@0	652	if (sign_certfile)
sl@0	653	{
sl@0	654	sign_other = load_certs(bio_err, sign_certfile, FORMAT_PEM,
sl@0	655	NULL, e, "signer certificates");
sl@0	656	if (!sign_other) goto end;
sl@0	657	}
sl@0	658	key = load_key(bio_err, keyfile, FORMAT_PEM, 0, NULL, NULL,
sl@0	659	"signer private key");
sl@0	660	if (!key)
sl@0	661	goto end;
sl@0	662	if (!OCSP_request_sign(req, signer, key, EVP_sha1(), sign_other, sign_flags))
sl@0	663	{
sl@0	664	BIO_printf(bio_err, "Error signing OCSP request\n");
sl@0	665	goto end;
sl@0	666	}
sl@0	667	}
sl@0	668
sl@0	669	if (req_text && req) OCSP_REQUEST_print(out, req, 0);
sl@0	670
sl@0	671	if (reqout)
sl@0	672	{
sl@0	673	derbio = BIO_new_file(reqout, "wb");
sl@0	674	if(!derbio)
sl@0	675	{
sl@0	676	BIO_printf(bio_err, "Error opening file %s\n", reqout);
sl@0	677	goto end;
sl@0	678	}
sl@0	679	i2d_OCSP_REQUEST_bio(derbio, req);
sl@0	680	BIO_free(derbio);
sl@0	681	}
sl@0	682
sl@0	683	if (ridx_filename && (!rkey \|\| !rsigner \|\| !rca_cert))
sl@0	684	{
sl@0	685	BIO_printf(bio_err, "Need a responder certificate, key and CA for this operation!\n");
sl@0	686	goto end;
sl@0	687	}
sl@0	688
sl@0	689	if (ridx_filename && !rdb)
sl@0	690	{
sl@0	691	rdb = load_index(ridx_filename, NULL);
sl@0	692	if (!rdb) goto end;
sl@0	693	if (!index_index(rdb)) goto end;
sl@0	694	}
sl@0	695
sl@0	696	if (rdb)
sl@0	697	{
sl@0	698	i = make_ocsp_response(&resp, req, rdb, rca_cert, rsigner, rkey, rother, rflags, nmin, ndays);
sl@0	699	if (cbio)
sl@0	700	send_ocsp_response(cbio, resp);
sl@0	701	}
sl@0	702	else if (host)
sl@0	703	{
sl@0	704	#ifndef OPENSSL_NO_SOCK
sl@0	705	cbio = BIO_new_connect(host);
sl@0	706	#else
sl@0	707	BIO_printf(bio_err, "Error creating connect BIO - sockets not supported.\n");
sl@0	708	goto end;
sl@0	709	#endif
sl@0	710	if (!cbio)
sl@0	711	{
sl@0	712	BIO_printf(bio_err, "Error creating connect BIO\n");
sl@0	713	goto end;
sl@0	714	}
sl@0	715	if (port) BIO_set_conn_port(cbio, port);
sl@0	716	if (use_ssl == 1)
sl@0	717	{
sl@0	718	BIO *sbio;
sl@0	719	#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
sl@0	720	ctx = SSL_CTX_new(SSLv23_client_method());
sl@0	721	#elif !defined(OPENSSL_NO_SSL3)
sl@0	722	ctx = SSL_CTX_new(SSLv3_client_method());
sl@0	723	#elif !defined(OPENSSL_NO_SSL2)
sl@0	724	ctx = SSL_CTX_new(SSLv2_client_method());
sl@0	725	#else
sl@0	726	BIO_printf(bio_err, "SSL is disabled\n");
sl@0	727	goto end;
sl@0	728	#endif
sl@0	729	if (ctx == NULL)
sl@0	730	{
sl@0	731	BIO_printf(bio_err, "Error creating SSL context.\n");
sl@0	732	goto end;
sl@0	733	}
sl@0	734	SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
sl@0	735	sbio = BIO_new_ssl(ctx, 1);
sl@0	736	cbio = BIO_push(sbio, cbio);
sl@0	737	}
sl@0	738	if (BIO_do_connect(cbio) <= 0)
sl@0	739	{
sl@0	740	BIO_printf(bio_err, "Error connecting BIO\n");
sl@0	741	goto end;
sl@0	742	}
sl@0	743	resp = OCSP_sendreq_bio(cbio, path, req);
sl@0	744	BIO_free_all(cbio);
sl@0	745	cbio = NULL;
sl@0	746	if (!resp)
sl@0	747	{
sl@0	748	BIO_printf(bio_err, "Error querying OCSP responsder\n");
sl@0	749	goto end;
sl@0	750	}
sl@0	751	}
sl@0	752	else if (respin)
sl@0	753	{
sl@0	754	derbio = BIO_new_file(respin, "rb");
sl@0	755	if (!derbio)
sl@0	756	{
sl@0	757	BIO_printf(bio_err, "Error Opening OCSP response file\n");
sl@0	758	goto end;
sl@0	759	}
sl@0	760	resp = d2i_OCSP_RESPONSE_bio(derbio, NULL);
sl@0	761	BIO_free(derbio);
sl@0	762	if(!resp)
sl@0	763	{
sl@0	764	BIO_printf(bio_err, "Error reading OCSP response\n");
sl@0	765	goto end;
sl@0	766	}
sl@0	767
sl@0	768	}
sl@0	769	else
sl@0	770	{
sl@0	771	ret = 0;
sl@0	772	goto end;
sl@0	773	}
sl@0	774
sl@0	775	done_resp:
sl@0	776
sl@0	777	if (respout)
sl@0	778	{
sl@0	779	derbio = BIO_new_file(respout, "wb");
sl@0	780	if(!derbio)
sl@0	781	{
sl@0	782	BIO_printf(bio_err, "Error opening file %s\n", respout);
sl@0	783	goto end;
sl@0	784	}
sl@0	785	i2d_OCSP_RESPONSE_bio(derbio, resp);
sl@0	786	BIO_free(derbio);
sl@0	787	}
sl@0	788
sl@0	789	i = OCSP_response_status(resp);
sl@0	790
sl@0	791	if (i != OCSP_RESPONSE_STATUS_SUCCESSFUL)
sl@0	792	{
sl@0	793	BIO_printf(out, "Responder Error: %s (%d)\n",
sl@0	794	OCSP_response_status_str(i), i);
sl@0	795	if (ignore_err)
sl@0	796	goto redo_accept;
sl@0	797	ret = 0;
sl@0	798	goto end;
sl@0	799	}
sl@0	800
sl@0	801	if (resp_text) OCSP_RESPONSE_print(out, resp, 0);
sl@0	802
sl@0	803	/* If running as responder don't verify our own response */
sl@0	804	if (cbio)
sl@0	805	{
sl@0	806	if (accept_count > 0)
sl@0	807	accept_count--;
sl@0	808	/* Redo if more connections needed */
sl@0	809	if (accept_count)
sl@0	810	{
sl@0	811	BIO_free_all(cbio);
sl@0	812	cbio = NULL;
sl@0	813	OCSP_REQUEST_free(req);
sl@0	814	req = NULL;
sl@0	815	OCSP_RESPONSE_free(resp);
sl@0	816	resp = NULL;
sl@0	817	goto redo_accept;
sl@0	818	}
sl@0	819	goto end;
sl@0	820	}
sl@0	821
sl@0	822	if (!store)
sl@0	823	store = setup_verify(bio_err, CAfile, CApath);
sl@0	824	if (!store)
sl@0	825	goto end;
sl@0	826	if (verify_certfile)
sl@0	827	{
sl@0	828	verify_other = load_certs(bio_err, verify_certfile, FORMAT_PEM,
sl@0	829	NULL, e, "validator certificate");
sl@0	830	if (!verify_other) goto end;
sl@0	831	}
sl@0	832
sl@0	833	bs = OCSP_response_get1_basic(resp);
sl@0	834
sl@0	835	if (!bs)
sl@0	836	{
sl@0	837	BIO_printf(bio_err, "Error parsing response\n");
sl@0	838	goto end;
sl@0	839	}
sl@0	840
sl@0	841	if (!noverify)
sl@0	842	{
sl@0	843	if (req && ((i = OCSP_check_nonce(req, bs)) <= 0))
sl@0	844	{
sl@0	845	if (i == -1)
sl@0	846	BIO_printf(bio_err, "WARNING: no nonce in response\n");
sl@0	847	else
sl@0	848	{
sl@0	849	BIO_printf(bio_err, "Nonce Verify error\n");
sl@0	850	goto end;
sl@0	851	}
sl@0	852	}
sl@0	853
sl@0	854	i = OCSP_basic_verify(bs, verify_other, store, verify_flags);
sl@0	855	if (i < 0) i = OCSP_basic_verify(bs, NULL, store, 0);
sl@0	856
sl@0	857	if(i <= 0)
sl@0	858	{
sl@0	859	BIO_printf(bio_err, "Response Verify Failure\n");
sl@0	860	ERR_print_errors(bio_err);
sl@0	861	}
sl@0	862	else
sl@0	863	BIO_printf(bio_err, "Response verify OK\n");
sl@0	864
sl@0	865	}
sl@0	866
sl@0	867	if (!print_ocsp_summary(out, bs, req, reqnames, ids, nsec, maxage))
sl@0	868	goto end;
sl@0	869
sl@0	870	ret = 0;
sl@0	871
sl@0	872	end:
sl@0	873	ERR_print_errors(bio_err);
sl@0	874	X509_free(signer);
sl@0	875	X509_STORE_free(store);
sl@0	876	EVP_PKEY_free(key);
sl@0	877	EVP_PKEY_free(rkey);
sl@0	878	X509_free(issuer);
sl@0	879	X509_free(cert);
sl@0	880	X509_free(rsigner);
sl@0	881	X509_free(rca_cert);
sl@0	882	free_index(rdb);
sl@0	883	BIO_free_all(cbio);
sl@0	884	BIO_free_all(acbio);
sl@0	885	BIO_free(out);
sl@0	886	OCSP_REQUEST_free(req);
sl@0	887	OCSP_RESPONSE_free(resp);
sl@0	888	OCSP_BASICRESP_free(bs);
sl@0	889	sk_free(reqnames);
sl@0	890	sk_OCSP_CERTID_free(ids);
sl@0	891	sk_X509_pop_free(sign_other, X509_free);
sl@0	892	sk_X509_pop_free(verify_other, X509_free);
sl@0	893
sl@0	894	if (use_ssl != -1)
sl@0	895	{
sl@0	896	OPENSSL_free(host);
sl@0	897	OPENSSL_free(port);
sl@0	898	OPENSSL_free(path);
sl@0	899	SSL_CTX_free(ctx);
sl@0	900	}
sl@0	901
sl@0	902	OPENSSL_EXIT(ret);
sl@0	903	}
sl@0	904
sl@0	905	static int add_ocsp_cert(OCSP_REQUEST *req, X509 cert, X509 *issuer,
sl@0	906	STACK_OF(OCSP_CERTID) *ids)
sl@0	907	{
sl@0	908	OCSP_CERTID *id;
sl@0	909	if(!issuer)
sl@0	910	{
sl@0	911	BIO_printf(bio_err, "No issuer certificate specified\n");
sl@0	912	return 0;
sl@0	913	}
sl@0	914	if(!req) req = OCSP_REQUEST_new();
sl@0	915	if(!*req) goto err;
sl@0	916	id = OCSP_cert_to_id(NULL, cert, issuer);
sl@0	917	if(!id \|\| !sk_OCSP_CERTID_push(ids, id)) goto err;
sl@0	918	if(!OCSP_request_add0_id(*req, id)) goto err;
sl@0	919	return 1;
sl@0	920
sl@0	921	err:
sl@0	922	BIO_printf(bio_err, "Error Creating OCSP request\n");
sl@0	923	return 0;
sl@0	924	}
sl@0	925
sl@0	926	static int add_ocsp_serial(OCSP_REQUEST *req, char serial, X509 *issuer,
sl@0	927	STACK_OF(OCSP_CERTID) *ids)
sl@0	928	{
sl@0	929	OCSP_CERTID *id;
sl@0	930	X509_NAME *iname;
sl@0	931	ASN1_BIT_STRING *ikey;
sl@0	932	ASN1_INTEGER *sno;
sl@0	933	if(!issuer)
sl@0	934	{
sl@0	935	BIO_printf(bio_err, "No issuer certificate specified\n");
sl@0	936	return 0;
sl@0	937	}
sl@0	938	if(!req) req = OCSP_REQUEST_new();
sl@0	939	if(!*req) goto err;
sl@0	940	iname = X509_get_subject_name(issuer);
sl@0	941	ikey = X509_get0_pubkey_bitstr(issuer);
sl@0	942	sno = s2i_ASN1_INTEGER(NULL, serial);
sl@0	943	if(!sno)
sl@0	944	{
sl@0	945	BIO_printf(bio_err, "Error converting serial number %s\n", serial);
sl@0	946	return 0;
sl@0	947	}
sl@0	948	id = OCSP_cert_id_new(EVP_sha1(), iname, ikey, sno);
sl@0	949	ASN1_INTEGER_free(sno);
sl@0	950	if(!id \|\| !sk_OCSP_CERTID_push(ids, id)) goto err;
sl@0	951	if(!OCSP_request_add0_id(*req, id)) goto err;
sl@0	952	return 1;
sl@0	953
sl@0	954	err:
sl@0	955	BIO_printf(bio_err, "Error Creating OCSP request\n");
sl@0	956	return 0;
sl@0	957	}
sl@0	958
sl@0	959	static int print_ocsp_summary(BIO out, OCSP_BASICRESP bs, OCSP_REQUEST *req,
sl@0	960	STACK names, STACK_OF(OCSP_CERTID) ids,
sl@0	961	long nsec, long maxage)
sl@0	962	{
sl@0	963	OCSP_CERTID *id;
sl@0	964	char *name;
sl@0	965	int i;
sl@0	966
sl@0	967	int status, reason;
sl@0	968
sl@0	969	ASN1_GENERALIZEDTIME rev, thisupd, *nextupd;
sl@0	970
sl@0	971	if (!bs \|\| !req \|\| !sk_num(names) \|\| !sk_OCSP_CERTID_num(ids))
sl@0	972	return 1;
sl@0	973
sl@0	974	for (i = 0; i < sk_OCSP_CERTID_num(ids); i++)
sl@0	975	{
sl@0	976	id = sk_OCSP_CERTID_value(ids, i);
sl@0	977	name = sk_value(names, i);
sl@0	978	BIO_printf(out, "%s: ", name);
sl@0	979
sl@0	980	if(!OCSP_resp_find_status(bs, id, &status, &reason,
sl@0	981	&rev, &thisupd, &nextupd))
sl@0	982	{
sl@0	983	BIO_puts(out, "ERROR: No Status found.\n");
sl@0	984	continue;
sl@0	985	}
sl@0	986
sl@0	987	/* Check validity: if invalid write to output BIO so we
sl@0	988	* know which response this refers to.
sl@0	989	*/
sl@0	990	if (!OCSP_check_validity(thisupd, nextupd, nsec, maxage))
sl@0	991	{
sl@0	992	BIO_puts(out, "WARNING: Status times invalid.\n");
sl@0	993	ERR_print_errors(out);
sl@0	994	}
sl@0	995	BIO_printf(out, "%s\n", OCSP_cert_status_str(status));
sl@0	996
sl@0	997	BIO_puts(out, "\tThis Update: ");
sl@0	998	ASN1_GENERALIZEDTIME_print(out, thisupd);
sl@0	999	BIO_puts(out, "\n");
sl@0	1000
sl@0	1001	if(nextupd)
sl@0	1002	{
sl@0	1003	BIO_puts(out, "\tNext Update: ");
sl@0	1004	ASN1_GENERALIZEDTIME_print(out, nextupd);
sl@0	1005	BIO_puts(out, "\n");
sl@0	1006	}
sl@0	1007
sl@0	1008	if (status != V_OCSP_CERTSTATUS_REVOKED)
sl@0	1009	continue;
sl@0	1010
sl@0	1011	if (reason != -1)
sl@0	1012	BIO_printf(out, "\tReason: %s\n",
sl@0	1013	OCSP_crl_reason_str(reason));
sl@0	1014
sl@0	1015	BIO_puts(out, "\tRevocation Time: ");
sl@0	1016	ASN1_GENERALIZEDTIME_print(out, rev);
sl@0	1017	BIO_puts(out, "\n");
sl@0	1018	}
sl@0	1019
sl@0	1020	return 1;
sl@0	1021	}
sl@0	1022
sl@0	1023
sl@0	1024	static int make_ocsp_response(OCSP_RESPONSE *resp, OCSP_REQUEST req, CA_DB *db,
sl@0	1025	X509 ca, X509 rcert, EVP_PKEY *rkey,
sl@0	1026	STACK_OF(X509) *rother, unsigned long flags,
sl@0	1027	int nmin, int ndays)
sl@0	1028	{
sl@0	1029	ASN1_TIME thisupd = NULL, nextupd = NULL;
sl@0	1030	OCSP_CERTID cid, ca_id = NULL;
sl@0	1031	OCSP_BASICRESP *bs = NULL;
sl@0	1032	int i, id_count, ret = 1;
sl@0	1033
sl@0	1034
sl@0	1035	id_count = OCSP_request_onereq_count(req);
sl@0	1036
sl@0	1037	if (id_count <= 0)
sl@0	1038	{
sl@0	1039	*resp = OCSP_response_create(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, NULL);
sl@0	1040	goto end;
sl@0	1041	}
sl@0	1042
sl@0	1043	ca_id = OCSP_cert_to_id(EVP_sha1(), NULL, ca);
sl@0	1044
sl@0	1045	bs = OCSP_BASICRESP_new();
sl@0	1046	thisupd = X509_gmtime_adj(NULL, 0);
sl@0	1047	if (ndays != -1)
sl@0	1048	nextupd = X509_gmtime_adj(NULL, nmin * 60 + ndays * 3600 * 24 );
sl@0	1049
sl@0	1050	/* Examine each certificate id in the request */
sl@0	1051	for (i = 0; i < id_count; i++)
sl@0	1052	{
sl@0	1053	OCSP_ONEREQ *one;
sl@0	1054	ASN1_INTEGER *serial;
sl@0	1055	char **inf;
sl@0	1056	one = OCSP_request_onereq_get0(req, i);
sl@0	1057	cid = OCSP_onereq_get0_id(one);
sl@0	1058	/* Is this request about our CA? */
sl@0	1059	if (OCSP_id_issuer_cmp(ca_id, cid))
sl@0	1060	{
sl@0	1061	OCSP_basic_add1_status(bs, cid,
sl@0	1062	V_OCSP_CERTSTATUS_UNKNOWN,
sl@0	1063	0, NULL,
sl@0	1064	thisupd, nextupd);
sl@0	1065	continue;
sl@0	1066	}
sl@0	1067	OCSP_id_get0_info(NULL, NULL, NULL, &serial, cid);
sl@0	1068	inf = lookup_serial(db, serial);
sl@0	1069	if (!inf)
sl@0	1070	OCSP_basic_add1_status(bs, cid,
sl@0	1071	V_OCSP_CERTSTATUS_UNKNOWN,
sl@0	1072	0, NULL,
sl@0	1073	thisupd, nextupd);
sl@0	1074	else if (inf[DB_type][0] == DB_TYPE_VAL)
sl@0	1075	OCSP_basic_add1_status(bs, cid,
sl@0	1076	V_OCSP_CERTSTATUS_GOOD,
sl@0	1077	0, NULL,
sl@0	1078	thisupd, nextupd);
sl@0	1079	else if (inf[DB_type][0] == DB_TYPE_REV)
sl@0	1080	{
sl@0	1081	ASN1_OBJECT *inst = NULL;
sl@0	1082	ASN1_TIME *revtm = NULL;
sl@0	1083	ASN1_GENERALIZEDTIME *invtm = NULL;
sl@0	1084	OCSP_SINGLERESP *single;
sl@0	1085	int reason = -1;
sl@0	1086	unpack_revinfo(&revtm, &reason, &inst, &invtm, inf[DB_rev_date]);
sl@0	1087	single = OCSP_basic_add1_status(bs, cid,
sl@0	1088	V_OCSP_CERTSTATUS_REVOKED,
sl@0	1089	reason, revtm,
sl@0	1090	thisupd, nextupd);
sl@0	1091	if (invtm)
sl@0	1092	OCSP_SINGLERESP_add1_ext_i2d(single, NID_invalidity_date, invtm, 0, 0);
sl@0	1093	else if (inst)
sl@0	1094	OCSP_SINGLERESP_add1_ext_i2d(single, NID_hold_instruction_code, inst, 0, 0);
sl@0	1095	ASN1_OBJECT_free(inst);
sl@0	1096	ASN1_TIME_free(revtm);
sl@0	1097	ASN1_GENERALIZEDTIME_free(invtm);
sl@0	1098	}
sl@0	1099	}
sl@0	1100
sl@0	1101	OCSP_copy_nonce(bs, req);
sl@0	1102
sl@0	1103	OCSP_basic_sign(bs, rcert, rkey, EVP_sha1(), rother, flags);
sl@0	1104
sl@0	1105	*resp = OCSP_response_create(OCSP_RESPONSE_STATUS_SUCCESSFUL, bs);
sl@0	1106
sl@0	1107	end:
sl@0	1108	ASN1_TIME_free(thisupd);
sl@0	1109	ASN1_TIME_free(nextupd);
sl@0	1110	OCSP_CERTID_free(ca_id);
sl@0	1111	OCSP_BASICRESP_free(bs);
sl@0	1112	return ret;
sl@0	1113
sl@0	1114	}
sl@0	1115
sl@0	1116	static char *lookup_serial(CA_DB db, ASN1_INTEGER *ser)
sl@0	1117	{
sl@0	1118	int i;
sl@0	1119	BIGNUM *bn = NULL;
sl@0	1120	char itmp, row[DB_NUMBER],**rrow;
sl@0	1121	for (i = 0; i < DB_NUMBER; i++) row[i] = NULL;
sl@0	1122	bn = ASN1_INTEGER_to_BN(ser,NULL);
sl@0	1123	if (BN_is_zero(bn))
sl@0	1124	itmp = BUF_strdup("00");
sl@0	1125	else
sl@0	1126	itmp = BN_bn2hex(bn);
sl@0	1127	row[DB_serial] = itmp;
sl@0	1128	BN_free(bn);
sl@0	1129	rrow=TXT_DB_get_by_index(db->db,DB_serial,row);
sl@0	1130	OPENSSL_free(itmp);
sl@0	1131	return rrow;
sl@0	1132	}
sl@0	1133
sl@0	1134	/* Quick and dirty OCSP server: read in and parse input request */
sl@0	1135
sl@0	1136	static BIO init_responder(char port)
sl@0	1137	{
sl@0	1138	BIO acbio = NULL, bufbio = NULL;
sl@0	1139	bufbio = BIO_new(BIO_f_buffer());
sl@0	1140	if (!bufbio)
sl@0	1141	goto err;
sl@0	1142	#ifndef OPENSSL_NO_SOCK
sl@0	1143	acbio = BIO_new_accept(port);
sl@0	1144	#else
sl@0	1145	BIO_printf(bio_err, "Error setting up accept BIO - sockets not supported.\n");
sl@0	1146	#endif
sl@0	1147	if (!acbio)
sl@0	1148	goto err;
sl@0	1149	BIO_set_accept_bios(acbio, bufbio);
sl@0	1150	bufbio = NULL;
sl@0	1151
sl@0	1152	if (BIO_do_accept(acbio) <= 0)
sl@0	1153	{
sl@0	1154	BIO_printf(bio_err, "Error setting up accept BIO\n");
sl@0	1155	ERR_print_errors(bio_err);
sl@0	1156	goto err;
sl@0	1157	}
sl@0	1158
sl@0	1159	return acbio;
sl@0	1160
sl@0	1161	err:
sl@0	1162	BIO_free_all(acbio);
sl@0	1163	BIO_free(bufbio);
sl@0	1164	return NULL;
sl@0	1165	}
sl@0	1166
sl@0	1167	static int do_responder(OCSP_REQUEST preq, BIO pcbio, BIO acbio, char port)
sl@0	1168	{
sl@0	1169	int have_post = 0, len;
sl@0	1170	OCSP_REQUEST *req = NULL;
sl@0	1171	char inbuf[1024];
sl@0	1172	BIO *cbio = NULL;
sl@0	1173
sl@0	1174	if (BIO_do_accept(acbio) <= 0)
sl@0	1175	{
sl@0	1176	BIO_printf(bio_err, "Error accepting connection\n");
sl@0	1177	ERR_print_errors(bio_err);
sl@0	1178	return 0;
sl@0	1179	}
sl@0	1180
sl@0	1181	cbio = BIO_pop(acbio);
sl@0	1182	*pcbio = cbio;
sl@0	1183
sl@0	1184	for(;;)
sl@0	1185	{
sl@0	1186	len = BIO_gets(cbio, inbuf, sizeof inbuf);
sl@0	1187	if (len <= 0)
sl@0	1188	return 1;
sl@0	1189	/* Look for "POST" signalling start of query */
sl@0	1190	if (!have_post)
sl@0	1191	{
sl@0	1192	if(strncmp(inbuf, "POST", 4))
sl@0	1193	{
sl@0	1194	BIO_printf(bio_err, "Invalid request\n");
sl@0	1195	return 1;
sl@0	1196	}
sl@0	1197	have_post = 1;
sl@0	1198	}
sl@0	1199	/* Look for end of headers */
sl@0	1200	if ((inbuf[0] == '\r') \|\| (inbuf[0] == '\n'))
sl@0	1201	break;
sl@0	1202	}
sl@0	1203
sl@0	1204	/* Try to read OCSP request */
sl@0	1205
sl@0	1206	req = d2i_OCSP_REQUEST_bio(cbio, NULL);
sl@0	1207
sl@0	1208	if (!req)
sl@0	1209	{
sl@0	1210	BIO_printf(bio_err, "Error parsing OCSP request\n");
sl@0	1211	ERR_print_errors(bio_err);
sl@0	1212	}
sl@0	1213
sl@0	1214	*preq = req;
sl@0	1215
sl@0	1216	return 1;
sl@0	1217
sl@0	1218	}
sl@0	1219
sl@0	1220	static int send_ocsp_response(BIO cbio, OCSP_RESPONSE resp)
sl@0	1221	{
sl@0	1222	char http_resp[] =
sl@0	1223	"HTTP/1.0 200 OK\r\nContent-type: application/ocsp-response\r\n"
sl@0	1224	"Content-Length: %d\r\n\r\n";
sl@0	1225	if (!cbio)
sl@0	1226	return 0;
sl@0	1227	BIO_printf(cbio, http_resp, i2d_OCSP_RESPONSE(resp, NULL));
sl@0	1228	i2d_OCSP_RESPONSE_bio(cbio, resp);
sl@0	1229	(void)BIO_flush(cbio);
sl@0	1230	return 1;
sl@0	1231	}
sl@0	1232
sl@0	1233	#endif

author	sl@SLION-WIN7.fritz.box
	Fri, 15 Jun 2012 03:10:57 +0200
changeset 0	bde4ae8d615e
permissions	-rw-r--r--