[thirdparty/openssl.git] / apps / ocsp.c

/* ocsp.c */
/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
 * project 2000.
 */
/* ====================================================================
 * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer. 
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    licensing@OpenSSL.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This product includes cryptographic software written by Eric Young
 * (eay@cryptsoft.com).  This product includes software written by Tim
 * Hudson (tjh@cryptsoft.com).
 *
 */

#include <stdio.h>
#include <string.h>
#include <openssl/pem.h>
#include <openssl/ocsp.h>
#include <openssl/err.h>
#include "apps.h"

static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, X509 *issuer,
				STACK_OF(OCSP_CERTID) *ids);
static int add_ocsp_serial(OCSP_REQUEST **req, char *serial, X509 *issuer,
				STACK_OF(OCSP_CERTID) *ids);
static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
				STACK *names, STACK_OF(OCSP_CERTID) *ids);

#undef PROG
#define PROG ocsp_main

int MAIN(int, char **);

int MAIN(int argc, char **argv)
	{
	char **args;
	char *host = NULL, *path = "/";
	char *reqin = NULL, *respin = NULL;
	char *reqout = NULL, *respout = NULL;
	char *signfile = NULL, *keyfile = NULL;
	char *outfile = NULL;
	int add_nonce = 1, noverify = 0;
	OCSP_REQUEST *req = NULL;
	OCSP_RESPONSE *resp = NULL;
	OCSP_BASICRESP *bs = NULL;
	X509 *issuer = NULL, *cert = NULL;
	X509 *signer = NULL;
	EVP_PKEY *key = NULL;
	BIO *cbio = NULL, *derbio = NULL;
	BIO *out = NULL;
	int req_text = 0, resp_text = 0;
	char *CAfile = NULL, *CApath = NULL;
	X509_STORE *store = NULL;
	int ret = 1;
	int badarg = 0;
	int i;
	STACK *reqnames = NULL;
	STACK_OF(OCSP_CERTID) *ids = NULL;
	if (bio_err == NULL) bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
	ERR_load_crypto_strings();
	args = argv + 1;
	reqnames = sk_new_null();
	ids = sk_OCSP_CERTID_new_null();
	while (!badarg && *args && *args[0] == '-')
		{
		if (!strcmp(*args, "-out"))
			{
			if (args[1])
				{
				args++;
				outfile = *args;
				}
			else badarg = 1;
			}
		else if (!strcmp(*args, "-host"))
			{
			if (args[1])
				{
				args++;
				host = *args;
				}
			else badarg = 1;
			}
		else if (!strcmp(*args, "-noverify"))
			noverify = 1;
		else if (!strcmp(*args, "-nonce"))
			add_nonce = 2;
		else if (!strcmp(*args, "-no_nonce"))
			add_nonce = 0;
		else if (!strcmp(*args, "-text"))
			{
			req_text = 1;
			resp_text = 1;
			}
		else if (!strcmp(*args, "-req_text"))
			req_text = 1;
		else if (!strcmp(*args, "-resp_text"))
			resp_text = 1;
		else if (!strcmp(*args, "-reqin"))
			{
			if (args[1])
				{
				args++;
				reqin = *args;
				}
			else badarg = 1;
			}
		else if (!strcmp(*args, "-respin"))
			{
			if (args[1])
				{
				args++;
				respin = *args;
				}
			else badarg = 1;
			}
		else if (!strcmp(*args, "-signer"))
			{
			if (args[1])
				{
				args++;
				signfile = *args;
				}
			else badarg = 1;
			}
		else if (!strcmp (*args, "-CAfile"))
			{
			if (args[1])
				{
				args++;
				CAfile = *args;
				}
			else badarg = 1;
			}
		else if (!strcmp (*args, "-CApath"))
			{
			if (args[1])
				{
				args++;
				CApath = *args;
				}
			else badarg = 1;
			}
		 else if (!strcmp(*args, "-signkey"))
			{
			if (args[1])
				{
				args++;
				keyfile = *args;
				}
			else badarg = 1;
			}
		else if (!strcmp(*args, "-reqout"))
			{
			if (args[1])
				{
				args++;
				reqout = *args;
				}
			else badarg = 1;
			}
		else if (!strcmp(*args, "-respout"))
			{
			if (args[1])
				{
				args++;
				respout = *args;
				}
			else badarg = 1;
			}
		 else if (!strcmp(*args, "-path"))
			{
			if (args[1])
				{
				args++;
				path = *args;
				}
			else badarg = 1;
			}
		else if (!strcmp(*args, "-issuer"))
			{
			if (args[1])
				{
				args++;
				X509_free(issuer);
				issuer = load_cert(bio_err, *args, FORMAT_PEM);
				if(!issuer) goto end;
				}
			else badarg = 1;
			}
		else if (!strcmp (*args, "-cert"))
			{
			if (args[1])
				{
				args++;
				X509_free(cert);
				cert = load_cert(bio_err, *args, FORMAT_PEM);
				if(!cert) goto end;
				if(!add_ocsp_cert(&req, cert, issuer, ids))
					goto end;
				if(!sk_push(reqnames, *args))
					goto end;
				}
			else badarg = 1;
			}
		else if (!strcmp(*args, "-serial"))
			{
			if (args[1])
				{
				args++;
				if(!add_ocsp_serial(&req, *args, issuer, ids))
					goto end;
				if(!sk_push(reqnames, *args))
					goto end;
				}
			else badarg = 1;
			}
		else badarg = 1;
		args++;
		}

	/* Have we anything to do? */
	if (!req && !reqin && !respin) badarg = 1;

	if (badarg)
		{
		BIO_printf (bio_err, "OCSP utility\n");
		BIO_printf (bio_err, "Usage ocsp [options]\n");
		BIO_printf (bio_err, "where options are\n");
		BIO_printf (bio_err, "-out file     output filename\n");
		BIO_printf (bio_err, "-issuer file  issuer certificate\n");
		BIO_printf (bio_err, "-cert file    certificate to check\n");
		BIO_printf (bio_err, "-serial n     serial number to check\n");
		BIO_printf (bio_err, "-signer file  certificate to sign OCSP request with\n");
		BIO_printf (bio_err, "-signkey file private key to sign OCSP request with\n");
		BIO_printf (bio_err, "-req_text     print text form of request\n");
		BIO_printf (bio_err, "-resp_text    print text form of response\n");
		BIO_printf (bio_err, "-text         print text form of request and response\n");
		BIO_printf (bio_err, "-reqout file  write DER encoded OCSP request to \"file\"\n");
		BIO_printf (bio_err, "-respout file write DER encoded OCSP reponse to \"file\"\n");
		BIO_printf (bio_err, "-reqin file   read DER encoded OCSP request from \"file\"\n");
		BIO_printf (bio_err, "-respin file  read DER encoded OCSP reponse from \"file\"\n");
		BIO_printf (bio_err, "-nonce        add OCSP nonce to request\n");
		BIO_printf (bio_err, "-no_nonce     don't add OCSP nonce to request\n");
		BIO_printf (bio_err, "-host host:n  send OCSP request to host on port n\n");
		BIO_printf (bio_err, "-path         path to use in OCSP request\n");
		BIO_printf (bio_err, "-CApath dir   trusted certificates directory\n");
		BIO_printf (bio_err, "-CAfile file  trusted certificates file\n");
		BIO_printf (bio_err, "-noverify     don't verify response\n");
		goto end;
		}

	if(outfile) out = BIO_new_file(outfile, "w");
	else out = BIO_new_fp(stdout, BIO_NOCLOSE);

	if(!out)
		{
		BIO_printf(bio_err, "Error opening output file\n");
		goto end;
		}

	if (!req && (add_nonce != 2)) add_nonce = 0;

	if (!req && reqin)
		{
		derbio = BIO_new_file(reqin, "rb");
		if (!derbio)
			{
			BIO_printf(bio_err, "Error Opening OCSP request file\n");
			goto end;
			}
		req = d2i_OCSP_REQUEST_bio(derbio, NULL);
		BIO_free(derbio);
		if(!req)
			{
			BIO_printf(bio_err, "Error reading OCSP request\n");
			goto end;
			}
		}

	if (!req && (signfile || reqout || host || add_nonce))
		{
		BIO_printf(bio_err, "Need an OCSP request for this operation!\n");
		goto end;
		}

	if (req && add_nonce) OCSP_request_add1_nonce(req, NULL, -1);

	if (signfile)
		{
		if (!keyfile) keyfile = signfile;
		signer = load_cert(bio_err, signfile, FORMAT_PEM);
		if (!signer)
			{
			BIO_printf(bio_err, "Error loading signer certificate\n");
			goto end;
			}
		key = load_key(bio_err, keyfile, FORMAT_PEM, NULL, NULL);
		if (!key)
			{
			BIO_printf(bio_err, "Error loading signer private key\n");
			goto end;
			}
		if (!OCSP_request_sign(req, signer, key, EVP_sha1(), NULL, 0))
			{
			BIO_printf(bio_err, "Error signing OCSP request\n");
			goto end;
			}
		}

	if (reqout)
		{
		derbio = BIO_new_file(reqout, "wb");
		if (!derbio)
			{
			BIO_printf(bio_err, "Error opening file %s\n", reqout);
			goto end;
			}
		i2d_OCSP_REQUEST_bio(derbio, req);
		BIO_free(derbio);
		}

	if (req_text && req) OCSP_REQUEST_print(out, req, 0);

	if (host)
		{
		cbio = BIO_new_connect(host);
		if (!cbio)
			{
			BIO_printf(bio_err, "Error creating connect BIO\n");
			goto end;
			}
		if (BIO_do_connect(cbio) <= 0)
			{
			BIO_printf(bio_err, "Error connecting BIO\n");
			goto end;
			}
		resp = OCSP_sendreq_bio(cbio, path, req);
		BIO_free(cbio);
		cbio = NULL;
		if (!resp)
			{
			BIO_printf(bio_err, "Error querying OCSP responsder\n");
			goto end;
			}
		}
	else if (respin)
		{
		derbio = BIO_new_file(respin, "rb");
		if (!derbio)
			{
			BIO_printf(bio_err, "Error Opening OCSP response file\n");
			goto end;
			}
		resp = d2i_OCSP_RESPONSE_bio(derbio, NULL);
		BIO_free(derbio);
		if(!resp)
			{
			BIO_printf(bio_err, "Error reading OCSP response\n");
			goto end;
			}
	
		}
	else
		{
		ret = 0;
		goto end;
		}

	if (respout)
		{
		derbio = BIO_new_file(respout, "wb");
		if(!derbio)
			{
			BIO_printf(bio_err, "Error opening file %s\n", respout);
			goto end;
			}
		i2d_OCSP_RESPONSE_bio(derbio, resp);
		BIO_free(derbio);
		}

	i = OCSP_response_status(resp);

	if (i != OCSP_RESPONSE_STATUS_SUCCESSFUL)
		{
		BIO_printf(out, "Responder Error: %s (%ld)\n",
				OCSP_response_status_str(i), i);
		ret = 0;
		goto end;
		}

	if (resp_text) OCSP_RESPONSE_print(out, resp, 0);

	store = setup_verify(bio_err, CAfile, CApath);
	if(!store) goto end;

	bs = OCSP_response_get1_basic(resp);

	if (!bs)
		{
		BIO_printf(bio_err, "Error parsing response\n");
		goto end;
		}

	if (!noverify)
		{
		if (req && (OCSP_check_nonce(req, bs) <= 0))
			{
			BIO_printf(bio_err, "Nonce Verify error\n");
			goto end;
			}

		i = OCSP_basic_verify(bs, NULL, store, 0);

		if(i <= 0)
			{
			BIO_printf(bio_err, "Response Verify Failure\n", i);
			ERR_print_errors(bio_err);
			}
		else
			BIO_printf(bio_err, "Response verify OK\n");

		}

	if (!print_ocsp_summary(out, bs, req, reqnames, ids))
		goto end;

	ret = 0;

end:
	ERR_print_errors(bio_err);
	X509_free(signer);
	X509_STORE_free(store);
	EVP_PKEY_free(key);
	X509_free(issuer);
	X509_free(cert);
	BIO_free(cbio);
	BIO_free(out);
	OCSP_REQUEST_free(req);
	OCSP_RESPONSE_free(resp);
	OCSP_BASICRESP_free(bs);
	sk_free(reqnames);
	sk_OCSP_CERTID_free(ids);

	EXIT(ret);
}

static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, X509 *issuer,
				STACK_OF(OCSP_CERTID) *ids)
	{
	OCSP_CERTID *id;
	if(!issuer)
		{
		BIO_printf(bio_err, "No issuer certificate specified\n");
		return 0;
		}
	if(!*req) *req = OCSP_REQUEST_new();
	if(!*req) goto err;
	id = OCSP_cert_to_id(NULL, cert, issuer);
	if(!id || !sk_OCSP_CERTID_push(ids, id)) goto err;
	if(!OCSP_request_add0_id(*req, id)) goto err;
	return 1;

	err:
	BIO_printf(bio_err, "Error Creating OCSP request\n");
	return 0;
	}

static int add_ocsp_serial(OCSP_REQUEST **req, char *serial, X509 *issuer,
				STACK_OF(OCSP_CERTID) *ids)
	{
	OCSP_CERTID *id;
	X509_NAME *iname;
	ASN1_BIT_STRING *ikey;
	ASN1_INTEGER *sno;
	if(!issuer)
		{
		BIO_printf(bio_err, "No issuer certificate specified\n");
		return 0;
		}
	if(!*req) *req = OCSP_REQUEST_new();
	if(!*req) goto err;
	iname = X509_get_subject_name(issuer);
	ikey = issuer->cert_info->key->public_key;
	sno = s2i_ASN1_INTEGER(NULL, serial);
	if(!sno)
		{
		BIO_printf(bio_err, "Error converting serial number %s\n", serial);
		return 0;
		}
	id = OCSP_cert_id_new(EVP_sha1(), iname, ikey, sno);
	ASN1_INTEGER_free(sno);
	if(!id || !sk_OCSP_CERTID_push(ids, id)) goto err;
	if(!OCSP_request_add0_id(*req, id)) goto err;
	return 1;

	err:
	BIO_printf(bio_err, "Error Creating OCSP request\n");
	return 0;
	}

static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
					STACK *names, STACK_OF(OCSP_CERTID) *ids)
	{
	OCSP_CERTID *id;
	char *name;
	int i;

	int status, reason;

	ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;

	if (!bs || !req || !sk_num(names) || !sk_OCSP_CERTID_num(ids))
		return 1;

	for (i = 0; i < sk_OCSP_CERTID_num(ids); i++)
		{
		id = sk_OCSP_CERTID_value(ids, i);
		name = sk_value(names, i);
		BIO_printf(out, "%s: ", name);

		if(!OCSP_resp_find_status(bs, id, &status, &reason,
					&rev, &thisupd, &nextupd))
			{
			BIO_puts(out, "ERROR: No Status found.\n");
			continue;
			}
		BIO_printf(out, "%s\n", OCSP_cert_status_str(status));

		BIO_puts(out, "\tThis Update: ");
		ASN1_GENERALIZEDTIME_print(out, thisupd);
		BIO_puts(out, "\n");

		if(nextupd)
			{
			BIO_puts(out, "\tNext Update: ");
			ASN1_GENERALIZEDTIME_print(out, thisupd);
			BIO_puts(out, "\n");
			}

		if (status != V_OCSP_CERTSTATUS_REVOKED)
			continue;

		if (reason > 0)
			BIO_printf(out, "\tReason: %s\n",
				OCSP_crl_reason_str(reason));

		BIO_puts(out, "\tRevocation Time: ");
		ASN1_GENERALIZEDTIME_print(out, rev);
		BIO_puts(out, "\n");
		}

	return 1;
	}
Commit	Line	Data
5782ceb2 DSH	1	/* ocsp.c */
	2	/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
	3	* project 2000.
	4	*/
	5	/* ====================================================================
	6	* Copyright (c) 1999 The OpenSSL Project. All rights reserved.
	7	*
	8	* Redistribution and use in source and binary forms, with or without
	9	* modification, are permitted provided that the following conditions
	10	* are met:
	11	*
	12	* 1. Redistributions of source code must retain the above copyright
	13	* notice, this list of conditions and the following disclaimer.
	14	*
	15	* 2. Redistributions in binary form must reproduce the above copyright
	16	* notice, this list of conditions and the following disclaimer in
	17	* the documentation and/or other materials provided with the
	18	* distribution.
	19	*
	20	* 3. All advertising materials mentioning features or use of this
	21	* software must display the following acknowledgment:
	22	* "This product includes software developed by the OpenSSL Project
	23	* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
	24	*
	25	* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
	26	* endorse or promote products derived from this software without
	27	* prior written permission. For written permission, please contact
	28	* licensing@OpenSSL.org.
	29	*
	30	* 5. Products derived from this software may not be called "OpenSSL"
	31	* nor may "OpenSSL" appear in their names without prior written
	32	* permission of the OpenSSL Project.
	33	*
	34	* 6. Redistributions of any form whatsoever must retain the following
	35	* acknowledgment:
	36	* "This product includes software developed by the OpenSSL Project
	37	* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
	38	*
	39	* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
	40	* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	41	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
	42	* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
	43	* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
	44	* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
	45	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
	46	* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	47	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
	48	* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
	49	* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
	50	* OF THE POSSIBILITY OF SUCH DAMAGE.
	51	* ====================================================================
	52	*
	53	* This product includes cryptographic software written by Eric Young
	54	* (eay@cryptsoft.com). This product includes software written by Tim
	55	* Hudson (tjh@cryptsoft.com).
	56	*
	57	*/
	58
	59	#include <stdio.h>
	60	#include <string.h>
	61	#include <openssl/pem.h>
	62	#include <openssl/ocsp.h>
	63	#include <openssl/err.h>
	64	#include "apps.h"
65
73758d43 DSH	66	static int add_ocsp_cert(OCSP_REQUEST *req, X509 cert, X509 *issuer,
	67	STACK_OF(OCSP_CERTID) *ids);
	68	static int add_ocsp_serial(OCSP_REQUEST *req, char serial, X509 *issuer,
	69	STACK_OF(OCSP_CERTID) *ids);
	70	static int print_ocsp_summary(BIO out, OCSP_BASICRESP bs, OCSP_REQUEST *req,
	71	STACK names, STACK_OF(OCSP_CERTID) ids);
5782ceb2 DSH	72
	73	#undef PROG
	74	#define PROG ocsp_main
	75
	76	int MAIN(int, char **);
	77
	78	int MAIN(int argc, char **argv)
	79	{
	80	char **args;
	81	char host = NULL, path = "/";
	82	char reqin = NULL, respin = NULL;
	83	char reqout = NULL, respout = NULL;
	84	char signfile = NULL, keyfile = NULL;
	85	char *outfile = NULL;
73758d43	86	int add_nonce = 1, noverify = 0;
5782ceb2 DSH	87	OCSP_REQUEST *req = NULL;
5782ceb2 DSH	88	OCSP_RESPONSE *resp = NULL;
81f169e9	89	OCSP_BASICRESP *bs = NULL;
5782ceb2 DSH	90	X509 issuer = NULL, cert = NULL;
	91	X509 *signer = NULL;
	92	EVP_PKEY *key = NULL;
	93	BIO cbio = NULL, derbio = NULL;
	94	BIO *out = NULL;
	95	int req_text = 0, resp_text = 0;
81f169e9 DSH	96	char CAfile = NULL, CApath = NULL;
81f169e9 DSH	97	X509_STORE *store = NULL;
5782ceb2 DSH	98	int ret = 1;
5782ceb2 DSH	99	int badarg = 0;
81f169e9	100	int i;
73758d43 DSH	101	STACK *reqnames = NULL;
73758d43 DSH	102	STACK_OF(OCSP_CERTID) *ids = NULL;
5782ceb2 DSH	103	if (bio_err == NULL) bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
	104	ERR_load_crypto_strings();
	105	args = argv + 1;
73758d43 DSH	106	reqnames = sk_new_null();
73758d43 DSH	107	ids = sk_OCSP_CERTID_new_null();
5782ceb2 DSH	108	while (!badarg && args && args[0] == '-')
	109	{
	110	if (!strcmp(*args, "-out"))
	111	{
	112	if (args[1])
	113	{
	114	args++;
	115	outfile = *args;
	116	}
	117	else badarg = 1;
	118	}
	119	else if (!strcmp(*args, "-host"))
	120	{
	121	if (args[1])
	122	{
	123	args++;
	124	host = *args;
	125	}
	126	else badarg = 1;
	127	}
73758d43 DSH	128	else if (!strcmp(*args, "-noverify"))
73758d43 DSH	129	noverify = 1;
5782ceb2 DSH	130	else if (!strcmp(*args, "-nonce"))
	131	add_nonce = 2;
	132	else if (!strcmp(*args, "-no_nonce"))
	133	add_nonce = 0;
	134	else if (!strcmp(*args, "-text"))
	135	{
	136	req_text = 1;
	137	resp_text = 1;
	138	}
	139	else if (!strcmp(*args, "-req_text"))
	140	req_text = 1;
	141	else if (!strcmp(*args, "-resp_text"))
	142	resp_text = 1;
	143	else if (!strcmp(*args, "-reqin"))
	144	{
	145	if (args[1])
	146	{
	147	args++;
	148	reqin = *args;
	149	}
	150	else badarg = 1;
	151	}
	152	else if (!strcmp(*args, "-respin"))
	153	{
	154	if (args[1])
	155	{
	156	args++;
	157	respin = *args;
	158	}
	159	else badarg = 1;
	160	}
	161	else if (!strcmp(*args, "-signer"))
	162	{
	163	if (args[1])
	164	{
	165	args++;
	166	signfile = *args;
	167	}
	168	else badarg = 1;
	169	}
81f169e9 DSH	170	else if (!strcmp (*args, "-CAfile"))
	171	{
	172	if (args[1])
	173	{
	174	args++;
	175	CAfile = *args;
	176	}
	177	else badarg = 1;
	178	}
	179	else if (!strcmp (*args, "-CApath"))
	180	{
	181	if (args[1])
	182	{
	183	args++;
	184	CApath = *args;
	185	}
	186	else badarg = 1;
	187	}
5782ceb2 DSH	188	else if (!strcmp(*args, "-signkey"))
	189	{
	190	if (args[1])
	191	{
	192	args++;
	193	keyfile = *args;
	194	}
	195	else badarg = 1;
	196	}
	197	else if (!strcmp(*args, "-reqout"))
	198	{
	199	if (args[1])
	200	{
	201	args++;
	202	reqout = *args;
	203	}
	204	else badarg = 1;
	205	}
	206	else if (!strcmp(*args, "-respout"))
	207	{
	208	if (args[1])
	209	{
	210	args++;
	211	respout = *args;
	212	}
	213	else badarg = 1;
	214	}
	215	else if (!strcmp(*args, "-path"))
	216	{
	217	if (args[1])
	218	{
	219	args++;
	220	path = *args;
	221	}
	222	else badarg = 1;
	223	}
	224	else if (!strcmp(*args, "-issuer"))
	225	{
	226	if (args[1])
	227	{
	228	args++;
	229	X509_free(issuer);
	230	issuer = load_cert(bio_err, *args, FORMAT_PEM);
	231	if(!issuer) goto end;
	232	}
	233	else badarg = 1;
	234	}
	235	else if (!strcmp (*args, "-cert"))
	236	{
	237	if (args[1])
	238	{
	239	args++;
	240	X509_free(cert);
	241	cert = load_cert(bio_err, *args, FORMAT_PEM);
	242	if(!cert) goto end;
73758d43 DSH	243	if(!add_ocsp_cert(&req, cert, issuer, ids))
	244	goto end;
	245	if(!sk_push(reqnames, *args))
5782ceb2 DSH	246	goto end;
	247	}
	248	else badarg = 1;
	249	}
	250	else if (!strcmp(*args, "-serial"))
	251	{
	252	if (args[1])
	253	{
	254	args++;
73758d43 DSH	255	if(!add_ocsp_serial(&req, *args, issuer, ids))
	256	goto end;
	257	if(!sk_push(reqnames, *args))
5782ceb2 DSH	258	goto end;
	259	}
	260	else badarg = 1;
	261	}
	262	else badarg = 1;
	263	args++;
	264	}
	265
	266	/* Have we anything to do? */
	267	if (!req && !reqin && !respin) badarg = 1;
	268
	269	if (badarg)
	270	{
	271	BIO_printf (bio_err, "OCSP utility\n");
	272	BIO_printf (bio_err, "Usage ocsp [options]\n");
	273	BIO_printf (bio_err, "where options are\n");
b4b1bdd5	274	BIO_printf (bio_err, "-out file output filename\n");
5782ceb2 DSH	275	BIO_printf (bio_err, "-issuer file issuer certificate\n");
	276	BIO_printf (bio_err, "-cert file certificate to check\n");
	277	BIO_printf (bio_err, "-serial n serial number to check\n");
b4b1bdd5 DSH	278	BIO_printf (bio_err, "-signer file certificate to sign OCSP request with\n");
b4b1bdd5 DSH	279	BIO_printf (bio_err, "-signkey file private key to sign OCSP request with\n");
5782ceb2 DSH	280	BIO_printf (bio_err, "-req_text print text form of request\n");
	281	BIO_printf (bio_err, "-resp_text print text form of response\n");
	282	BIO_printf (bio_err, "-text print text form of request and response\n");
	283	BIO_printf (bio_err, "-reqout file write DER encoded OCSP request to \"file\"\n");
	284	BIO_printf (bio_err, "-respout file write DER encoded OCSP reponse to \"file\"\n");
	285	BIO_printf (bio_err, "-reqin file read DER encoded OCSP request from \"file\"\n");
	286	BIO_printf (bio_err, "-respin file read DER encoded OCSP reponse from \"file\"\n");
	287	BIO_printf (bio_err, "-nonce add OCSP nonce to request\n");
	288	BIO_printf (bio_err, "-no_nonce don't add OCSP nonce to request\n");
	289	BIO_printf (bio_err, "-host host:n send OCSP request to host on port n\n");
	290	BIO_printf (bio_err, "-path path to use in OCSP request\n");
73758d43 DSH	291	BIO_printf (bio_err, "-CApath dir trusted certificates directory\n");
	292	BIO_printf (bio_err, "-CAfile file trusted certificates file\n");
	293	BIO_printf (bio_err, "-noverify don't verify response\n");
5782ceb2 DSH	294	goto end;
	295	}
	296
	297	if(outfile) out = BIO_new_file(outfile, "w");
	298	else out = BIO_new_fp(stdout, BIO_NOCLOSE);
	299
	300	if(!out)
	301	{
	302	BIO_printf(bio_err, "Error opening output file\n");
	303	goto end;
	304	}
	305
	306	if (!req && (add_nonce != 2)) add_nonce = 0;
	307
	308	if (!req && reqin)
	309	{
	310	derbio = BIO_new_file(reqin, "rb");
	311	if (!derbio)
	312	{
	313	BIO_printf(bio_err, "Error Opening OCSP request file\n");
	314	goto end;
	315	}
	316	req = d2i_OCSP_REQUEST_bio(derbio, NULL);
	317	BIO_free(derbio);
	318	if(!req)
	319	{
	320	BIO_printf(bio_err, "Error reading OCSP request\n");
	321	goto end;
	322	}
	323	}
	324
	325	if (!req && (signfile \|\| reqout \|\| host \|\| add_nonce))
	326	{
	327	BIO_printf(bio_err, "Need an OCSP request for this operation!\n");
	328	goto end;
	329	}
	330
73758d43	331	if (req && add_nonce) OCSP_request_add1_nonce(req, NULL, -1);
5782ceb2 DSH	332
	333	if (signfile)
	334	{
	335	if (!keyfile) keyfile = signfile;
	336	signer = load_cert(bio_err, signfile, FORMAT_PEM);
	337	if (!signer)
	338	{
	339	BIO_printf(bio_err, "Error loading signer certificate\n");
	340	goto end;
	341	}
	342	key = load_key(bio_err, keyfile, FORMAT_PEM, NULL, NULL);
	343	if (!key)
	344	{
	345	BIO_printf(bio_err, "Error loading signer private key\n");
	346	goto end;
	347	}
	348	if (!OCSP_request_sign(req, signer, key, EVP_sha1(), NULL, 0))
	349	{
	350	BIO_printf(bio_err, "Error signing OCSP request\n");
	351	goto end;
	352	}
	353	}
	354
	355	if (reqout)
	356	{
	357	derbio = BIO_new_file(reqout, "wb");
	358	if (!derbio)
	359	{
	360	BIO_printf(bio_err, "Error opening file %s\n", reqout);
	361	goto end;
	362	}
	363	i2d_OCSP_REQUEST_bio(derbio, req);
	364	BIO_free(derbio);
	365	}
	366
	367	if (req_text && req) OCSP_REQUEST_print(out, req, 0);
	368
	369	if (host)
	370	{
	371	cbio = BIO_new_connect(host);
	372	if (!cbio)
	373	{
	374	BIO_printf(bio_err, "Error creating connect BIO\n");
	375	goto end;
	376	}
	377	if (BIO_do_connect(cbio) <= 0)
	378	{
	379	BIO_printf(bio_err, "Error connecting BIO\n");
	380	goto end;
	381	}
	382	resp = OCSP_sendreq_bio(cbio, path, req);
	383	BIO_free(cbio);
	384	cbio = NULL;
	385	if (!resp)
	386	{
	387	BIO_printf(bio_err, "Error querying OCSP responsder\n");
	388	goto end;
	389	}
	390	}
	391	else if (respin)
	392	{
	393	derbio = BIO_new_file(respin, "rb");
	394	if (!derbio)
	395	{
396	BIO_printf(bio_err, "Error Opening OCSP response file\n");
397	goto end;
398	}
399	resp = d2i_OCSP_RESPONSE_bio(derbio, NULL);
400	BIO_free(derbio);
401	if(!resp)
402	{
403	BIO_printf(bio_err, "Error reading OCSP response\n");
404	goto end;
405	}
406
407	}
408	else
409	{
410	ret = 0;
411	goto end;
412	}
413
414	if (respout)
415	{
416	derbio = BIO_new_file(respout, "wb");
417	if(!derbio)
418	{
419	BIO_printf(bio_err, "Error opening file %s\n", respout);
420	goto end;
421	}
422	i2d_OCSP_RESPONSE_bio(derbio, resp);
423	BIO_free(derbio);
424	}
425
73758d43 DSH	426	i = OCSP_response_status(resp);
	427
	428	if (i != OCSP_RESPONSE_STATUS_SUCCESSFUL)
	429	{
	430	BIO_printf(out, "Responder Error: %s (%ld)\n",
	431	OCSP_response_status_str(i), i);
	432	ret = 0;
	433	goto end;
	434	}
	435
5782ceb2 DSH	436	if (resp_text) OCSP_RESPONSE_print(out, resp, 0);
5782ceb2 DSH	437
81f169e9 DSH	438	store = setup_verify(bio_err, CAfile, CApath);
	439	if(!store) goto end;
	440
	441	bs = OCSP_response_get1_basic(resp);
	442
73758d43 DSH	443	if (!bs)
	444	{
	445	BIO_printf(bio_err, "Error parsing response\n");
	446	goto end;
	447	}
81f169e9	448
73758d43	449	if (!noverify)
81f169e9	450	{
73758d43 DSH	451	if (req && (OCSP_check_nonce(req, bs) <= 0))
	452	{
	453	BIO_printf(bio_err, "Nonce Verify error\n");
	454	goto end;
	455	}
	456
	457	i = OCSP_basic_verify(bs, NULL, store, 0);
	458
	459	if(i <= 0)
	460	{
	461	BIO_printf(bio_err, "Response Verify Failure\n", i);
	462	ERR_print_errors(bio_err);
	463	}
	464	else
	465	BIO_printf(bio_err, "Response verify OK\n");
	466
81f169e9	467	}
73758d43 DSH	468
	469	if (!print_ocsp_summary(out, bs, req, reqnames, ids))
	470	goto end;
81f169e9	471
5782ceb2 DSH	472	ret = 0;
	473
	474	end:
	475	ERR_print_errors(bio_err);
	476	X509_free(signer);
81f169e9	477	X509_STORE_free(store);
5782ceb2 DSH	478	EVP_PKEY_free(key);
	479	X509_free(issuer);
	480	X509_free(cert);
	481	BIO_free(cbio);
	482	BIO_free(out);
	483	OCSP_REQUEST_free(req);
	484	OCSP_RESPONSE_free(resp);
81f169e9	485	OCSP_BASICRESP_free(bs);
73758d43 DSH	486	sk_free(reqnames);
73758d43 DSH	487	sk_OCSP_CERTID_free(ids);
5782ceb2 DSH	488
	489	EXIT(ret);
	490	}
	491
73758d43 DSH	492	static int add_ocsp_cert(OCSP_REQUEST *req, X509 cert, X509 *issuer,
73758d43 DSH	493	STACK_OF(OCSP_CERTID) *ids)
5782ceb2 DSH	494	{
	495	OCSP_CERTID *id;
	496	if(!issuer)
	497	{
	498	BIO_printf(bio_err, "No issuer certificate specified\n");
	499	return 0;
	500	}
	501	if(!req) req = OCSP_REQUEST_new();
	502	if(!*req) goto err;
	503	id = OCSP_cert_to_id(NULL, cert, issuer);
73758d43	504	if(!id \|\| !sk_OCSP_CERTID_push(ids, id)) goto err;
5782ceb2 DSH	505	if(!OCSP_request_add0_id(*req, id)) goto err;
	506	return 1;
	507
	508	err:
	509	BIO_printf(bio_err, "Error Creating OCSP request\n");
	510	return 0;
	511	}
	512
73758d43 DSH	513	static int add_ocsp_serial(OCSP_REQUEST *req, char serial, X509 *issuer,
73758d43 DSH	514	STACK_OF(OCSP_CERTID) *ids)
5782ceb2 DSH	515	{
	516	OCSP_CERTID *id;
	517	X509_NAME *iname;
	518	ASN1_BIT_STRING *ikey;
	519	ASN1_INTEGER *sno;
	520	if(!issuer)
	521	{
	522	BIO_printf(bio_err, "No issuer certificate specified\n");
	523	return 0;
	524	}
	525	if(!req) req = OCSP_REQUEST_new();
	526	if(!*req) goto err;
	527	iname = X509_get_subject_name(issuer);
	528	ikey = issuer->cert_info->key->public_key;
	529	sno = s2i_ASN1_INTEGER(NULL, serial);
	530	if(!sno)
	531	{
	532	BIO_printf(bio_err, "Error converting serial number %s\n", serial);
	533	return 0;
	534	}
	535	id = OCSP_cert_id_new(EVP_sha1(), iname, ikey, sno);
	536	ASN1_INTEGER_free(sno);
73758d43	537	if(!id \|\| !sk_OCSP_CERTID_push(ids, id)) goto err;
5782ceb2 DSH	538	if(!OCSP_request_add0_id(*req, id)) goto err;
	539	return 1;
	540
	541	err:
	542	BIO_printf(bio_err, "Error Creating OCSP request\n");
	543	return 0;
	544	}
73758d43 DSH	545
	546	static int print_ocsp_summary(BIO out, OCSP_BASICRESP bs, OCSP_REQUEST *req,
	547	STACK names, STACK_OF(OCSP_CERTID) ids)
	548	{
	549	OCSP_CERTID *id;
	550	char *name;
	551	int i;
	552
	553	int status, reason;
	554
	555	ASN1_GENERALIZEDTIME rev, thisupd, *nextupd;
	556
	557	if (!bs \|\| !req \|\| !sk_num(names) \|\| !sk_OCSP_CERTID_num(ids))
	558	return 1;
	559
	560	for (i = 0; i < sk_OCSP_CERTID_num(ids); i++)
	561	{
	562	id = sk_OCSP_CERTID_value(ids, i);
	563	name = sk_value(names, i);
	564	BIO_printf(out, "%s: ", name);
	565
	566	if(!OCSP_resp_find_status(bs, id, &status, &reason,
	567	&rev, &thisupd, &nextupd))
	568	{
	569	BIO_puts(out, "ERROR: No Status found.\n");
	570	continue;
	571	}
	572	BIO_printf(out, "%s\n", OCSP_cert_status_str(status));
	573
	574	BIO_puts(out, "\tThis Update: ");
	575	ASN1_GENERALIZEDTIME_print(out, thisupd);
	576	BIO_puts(out, "\n");
	577
	578	if(nextupd)
	579	{
	580	BIO_puts(out, "\tNext Update: ");
	581	ASN1_GENERALIZEDTIME_print(out, thisupd);
	582	BIO_puts(out, "\n");
	583	}
	584
	585	if (status != V_OCSP_CERTSTATUS_REVOKED)
	586	continue;
	587
	588	if (reason > 0)
	589	BIO_printf(out, "\tReason: %s\n",
	590	OCSP_crl_reason_str(reason));
	591
	592	BIO_puts(out, "\tRevocation Time: ");
	593	ASN1_GENERALIZEDTIME_print(out, rev);
	594	BIO_puts(out, "\n");
	595	}
	596
	597	return 1;
	598	}
	599