]>
Commit | Line | Data |
---|---|---|
0f113f3e | 1 | /* |
33388b44 | 2 | * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved. |
5782ceb2 | 3 | * |
dffa7520 | 4 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
846e33c7 RS |
5 | * this file except in compliance with the License. You can obtain a copy |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
5782ceb2 DSH |
8 | */ |
9 | ||
3e41ac35 MC |
10 | #include <openssl/opensslconf.h> |
11 | ||
1ae56f2f RS |
12 | #ifdef OPENSSL_SYS_VMS |
13 | /* So fd_set and friends get properly defined on OpenVMS */ | |
14 | # define _XOPEN_SOURCE_EXTENDED | |
15 | #endif | |
0f113f3e | 16 | |
1ae56f2f RS |
17 | #include <stdio.h> |
18 | #include <stdlib.h> | |
19 | #include <string.h> | |
20 | #include <time.h> | |
21 | #include <ctype.h> | |
3e41ac35 MC |
22 | |
23 | /* Needs to be included before the openssl headers */ | |
1ae56f2f | 24 | #include "apps.h" |
582311d7 | 25 | #include "http_server.h" |
1ae56f2f RS |
26 | #include "progs.h" |
27 | #include "internal/sockets.h" | |
28 | #include <openssl/e_os2.h> | |
29 | #include <openssl/crypto.h> | |
30 | #include <openssl/err.h> | |
31 | #include <openssl/ssl.h> | |
32 | #include <openssl/evp.h> | |
33 | #include <openssl/bn.h> | |
34 | #include <openssl/x509v3.h> | |
3e3c7c36 | 35 | |
852c2ed2 RS |
36 | DEFINE_STACK_OF(OCSP_CERTID) |
37 | DEFINE_STACK_OF(CONF_VALUE) | |
38 | DEFINE_STACK_OF(X509) | |
39 | DEFINE_STACK_OF_STRING() | |
40 | ||
1ae56f2f | 41 | #if defined(OPENSSL_SYS_VXWORKS) |
5c8b7b4c KT |
42 | /* not supported */ |
43 | int setpgid(pid_t pid, pid_t pgid) | |
44 | { | |
45 | errno = ENOSYS; | |
46 | return 0; | |
47 | } | |
48 | /* not supported */ | |
49 | pid_t fork(void) | |
50 | { | |
51 | errno = ENOSYS; | |
52 | return (pid_t) -1; | |
53 | } | |
1ae56f2f | 54 | #endif |
0f113f3e | 55 | /* Maximum leeway in validity period: default 5 minutes */ |
1ae56f2f | 56 | #define MAX_VALIDITY_PERIOD (5 * 60) |
0f113f3e MC |
57 | |
58 | static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, | |
59 | const EVP_MD *cert_id_md, X509 *issuer, | |
60 | STACK_OF(OCSP_CERTID) *ids); | |
61 | static int add_ocsp_serial(OCSP_REQUEST **req, char *serial, | |
62 | const EVP_MD *cert_id_md, X509 *issuer, | |
63 | STACK_OF(OCSP_CERTID) *ids); | |
7e1b7485 | 64 | static void print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req, |
0f113f3e MC |
65 | STACK_OF(OPENSSL_STRING) *names, |
66 | STACK_OF(OCSP_CERTID) *ids, long nsec, | |
67 | long maxage); | |
b4dd21a7 | 68 | static void make_ocsp_response(BIO *err, OCSP_RESPONSE **resp, OCSP_REQUEST *req, |
3bb0f989 | 69 | CA_DB *db, STACK_OF(X509) *ca, X509 *rcert, |
0f113f3e | 70 | EVP_PKEY *rkey, const EVP_MD *md, |
b4dd21a7 | 71 | STACK_OF(OPENSSL_STRING) *sigopts, |
0f113f3e | 72 | STACK_OF(X509) *rother, unsigned long flags, |
0770c882 TS |
73 | int nmin, int ndays, int badsig, |
74 | const EVP_MD *resp_md); | |
ee306a13 | 75 | |
f85b68cd | 76 | static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser); |
582311d7 DDO |
77 | static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, |
78 | int timeout); | |
79 | static int send_ocsp_response(BIO *cbio, const OCSP_RESPONSE *resp); | |
3e3c7c36 | 80 | static char *prog; |
3e3c7c36 | 81 | |
582311d7 | 82 | #ifdef HTTP_DAEMON |
3e3c7c36 | 83 | static int index_changed(CA_DB *); |
1ae56f2f | 84 | #endif |
f9e55034 | 85 | |
7e1b7485 RS |
86 | typedef enum OPTION_choice { |
87 | OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, | |
88 | OPT_OUTFILE, OPT_TIMEOUT, OPT_URL, OPT_HOST, OPT_PORT, | |
89 | OPT_IGNORE_ERR, OPT_NOVERIFY, OPT_NONCE, OPT_NO_NONCE, | |
90 | OPT_RESP_NO_CERTS, OPT_RESP_KEY_ID, OPT_NO_CERTS, | |
91 | OPT_NO_SIGNATURE_VERIFY, OPT_NO_CERT_VERIFY, OPT_NO_CHAIN, | |
92 | OPT_NO_CERT_CHECKS, OPT_NO_EXPLICIT, OPT_TRUST_OTHER, | |
93 | OPT_NO_INTERN, OPT_BADSIG, OPT_TEXT, OPT_REQ_TEXT, OPT_RESP_TEXT, | |
94 | OPT_REQIN, OPT_RESPIN, OPT_SIGNER, OPT_VAFILE, OPT_SIGN_OTHER, | |
fd3397fc RL |
95 | OPT_VERIFY_OTHER, OPT_CAFILE, OPT_CAPATH, OPT_CASTORE, OPT_NOCAFILE, |
96 | OPT_NOCAPATH, OPT_NOCASTORE, | |
7e1b7485 | 97 | OPT_VALIDITY_PERIOD, OPT_STATUS_AGE, OPT_SIGNKEY, OPT_REQOUT, |
c6724060 | 98 | OPT_RESPOUT, OPT_PATH, OPT_ISSUER, OPT_CERT, OPT_SERIAL, |
7e1b7485 | 99 | OPT_INDEX, OPT_CA, OPT_NMIN, OPT_REQUEST, OPT_NDAYS, OPT_RSIGNER, |
04940147 | 100 | OPT_RKEY, OPT_ROTHER, OPT_RMD, OPT_RSIGOPT, OPT_HEADER, |
1cf20ca3 | 101 | OPT_PASSIN, |
0770c882 | 102 | OPT_RCID, |
7e1b7485 | 103 | OPT_V_ENUM, |
3e3c7c36 | 104 | OPT_MD, |
6bd4e3f2 | 105 | OPT_MULTI, OPT_PROV_ENUM |
7e1b7485 RS |
106 | } OPTION_CHOICE; |
107 | ||
44c83ebd | 108 | const OPTIONS ocsp_options[] = { |
5388f986 | 109 | OPT_SECTION("General"), |
7e1b7485 | 110 | {"help", OPT_HELP, '-', "Display this summary"}, |
12d56b29 | 111 | {"ignore_err", OPT_IGNORE_ERR, '-', |
bbe9c3d5 | 112 | "Ignore error on OCSP request or response and continue running"}, |
5388f986 RS |
113 | {"CAfile", OPT_CAFILE, '<', "Trusted certificates file"}, |
114 | {"CApath", OPT_CAPATH, '<', "Trusted certificates directory"}, | |
115 | {"CAstore", OPT_CASTORE, ':', "Trusted certificates store URI"}, | |
116 | {"no-CAfile", OPT_NOCAFILE, '-', | |
117 | "Do not load the default certificates file"}, | |
118 | {"no-CApath", OPT_NOCAPATH, '-', | |
119 | "Do not load certificates from the default certificates directory"}, | |
120 | {"no-CAstore", OPT_NOCAPATH, '-', | |
121 | "Do not load certificates from the default certificates store"}, | |
122 | ||
123 | OPT_SECTION("Responder"), | |
124 | {"timeout", OPT_TIMEOUT, 'p', | |
125 | "Connection timeout (in seconds) to the OCSP responder"}, | |
7e1b7485 RS |
126 | {"resp_no_certs", OPT_RESP_NO_CERTS, '-', |
127 | "Don't include any certificates in response"}, | |
582311d7 | 128 | #ifdef HTTP_DAEMON |
3e3c7c36 | 129 | {"multi", OPT_MULTI, 'p', "run multiple responder processes"}, |
1ae56f2f | 130 | #endif |
7e1b7485 RS |
131 | {"no_certs", OPT_NO_CERTS, '-', |
132 | "Don't include any certificates in signed request"}, | |
5388f986 RS |
133 | {"badsig", OPT_BADSIG, '-', |
134 | "Corrupt last byte of loaded OSCP response signature (for test)"}, | |
135 | {"CA", OPT_CA, '<', "CA certificate"}, | |
136 | {"nmin", OPT_NMIN, 'p', "Number of minutes before next update"}, | |
137 | {"nrequest", OPT_REQUEST, 'p', | |
138 | "Number of requests to accept (default unlimited)"}, | |
139 | {"reqin", OPT_REQIN, 's', "File with the DER-encoded request"}, | |
140 | {"signer", OPT_SIGNER, '<', "Certificate to sign OCSP request with"}, | |
141 | {"sign_other", OPT_SIGN_OTHER, '<', | |
142 | "Additional certificates to include in signed request"}, | |
143 | {"index", OPT_INDEX, '<', "Certificate status index file"}, | |
144 | {"ndays", OPT_NDAYS, 'p', "Number of days before next update"}, | |
145 | {"rsigner", OPT_RSIGNER, '<', | |
146 | "Responder certificate to sign responses with"}, | |
147 | {"rkey", OPT_RKEY, '<', "Responder key to sign responses with"}, | |
1cf20ca3 | 148 | {"passin", OPT_PASSIN, 's', "Responder key pass phrase source"}, |
5388f986 RS |
149 | {"rother", OPT_ROTHER, '<', "Other certificates to include in response"}, |
150 | {"rmd", OPT_RMD, 's', "Digest Algorithm to use in signature of OCSP response"}, | |
151 | {"rsigopt", OPT_RSIGOPT, 's', "OCSP response signature parameter in n:v form"}, | |
152 | {"header", OPT_HEADER, 's', "key=value header to add"}, | |
153 | {"rcid", OPT_RCID, 's', "Use specified algorithm for cert id in response"}, | |
154 | {"", OPT_MD, '-', "Any supported digest algorithm (sha1,sha256, ... )"}, | |
155 | ||
156 | OPT_SECTION("Client"), | |
157 | {"url", OPT_URL, 's', "Responder URL"}, | |
158 | {"host", OPT_HOST, 's', "TCP/IP hostname:port to connect to"}, | |
159 | {"port", OPT_PORT, 'p', "Port to run responder on"}, | |
160 | {"out", OPT_OUTFILE, '>', "Output filename"}, | |
161 | {"noverify", OPT_NOVERIFY, '-', "Don't verify response at all"}, | |
162 | {"nonce", OPT_NONCE, '-', "Add OCSP nonce to request"}, | |
163 | {"no_nonce", OPT_NO_NONCE, '-', "Don't add OCSP nonce to request"}, | |
7e1b7485 RS |
164 | {"no_signature_verify", OPT_NO_SIGNATURE_VERIFY, '-', |
165 | "Don't check signature on response"}, | |
5388f986 RS |
166 | {"resp_key_id", OPT_RESP_KEY_ID, '-', |
167 | "Identify response by signing certificate key ID"}, | |
7e1b7485 RS |
168 | {"no_cert_verify", OPT_NO_CERT_VERIFY, '-', |
169 | "Don't check signing certificate"}, | |
5388f986 RS |
170 | {"text", OPT_TEXT, '-', "Print text form of request and response"}, |
171 | {"req_text", OPT_REQ_TEXT, '-', "Print text form of request"}, | |
172 | {"resp_text", OPT_RESP_TEXT, '-', "Print text form of response"}, | |
7e1b7485 RS |
173 | {"no_chain", OPT_NO_CHAIN, '-', "Don't chain verify response"}, |
174 | {"no_cert_checks", OPT_NO_CERT_CHECKS, '-', | |
175 | "Don't do additional checks on signing certificate"}, | |
12d56b29 F |
176 | {"no_explicit", OPT_NO_EXPLICIT, '-', |
177 | "Do not explicitly check the chain, just verify the root"}, | |
7e1b7485 RS |
178 | {"trust_other", OPT_TRUST_OTHER, '-', |
179 | "Don't verify additional certificates"}, | |
180 | {"no_intern", OPT_NO_INTERN, '-', | |
181 | "Don't search certificates contained in response for signer"}, | |
7e1b7485 | 182 | {"respin", OPT_RESPIN, 's', "File with the DER-encoded response"}, |
7e1b7485 | 183 | {"VAfile", OPT_VAFILE, '<', "Validator certificates file"}, |
7e1b7485 RS |
184 | {"verify_other", OPT_VERIFY_OTHER, '<', |
185 | "Additional certificates to search for signer"}, | |
5388f986 RS |
186 | {"path", OPT_PATH, 's', "Path to use in OCSP request"}, |
187 | {"cert", OPT_CERT, '<', "Certificate to check"}, | |
188 | {"serial", OPT_SERIAL, 's', "Serial number to check"}, | |
7e1b7485 RS |
189 | {"validity_period", OPT_VALIDITY_PERIOD, 'u', |
190 | "Maximum validity discrepancy in seconds"}, | |
7e1b7485 RS |
191 | {"signkey", OPT_SIGNKEY, 's', "Private key to sign OCSP request with"}, |
192 | {"reqout", OPT_REQOUT, 's', "Output file for the DER-encoded request"}, | |
193 | {"respout", OPT_RESPOUT, 's', "Output file for the DER-encoded response"}, | |
c6724060 | 194 | {"issuer", OPT_ISSUER, '<', "Issuer certificate"}, |
5388f986 RS |
195 | {"status_age", OPT_STATUS_AGE, 'p', "Maximum status age in seconds"}, |
196 | ||
7e1b7485 | 197 | OPT_V_OPTIONS, |
6bd4e3f2 | 198 | OPT_PROV_OPTIONS, |
7e1b7485 RS |
199 | {NULL} |
200 | }; | |
201 | ||
202 | int ocsp_main(int argc, char **argv) | |
0f113f3e | 203 | { |
7e1b7485 RS |
204 | BIO *acbio = NULL, *cbio = NULL, *derbio = NULL, *out = NULL; |
205 | const EVP_MD *cert_id_md = NULL, *rsign_md = NULL; | |
b4dd21a7 | 206 | STACK_OF(OPENSSL_STRING) *rsign_sigopts = NULL; |
6302bbd2 | 207 | int trailing_md = 0; |
7e1b7485 RS |
208 | CA_DB *rdb = NULL; |
209 | EVP_PKEY *key = NULL, *rkey = NULL; | |
210 | OCSP_BASICRESP *bs = NULL; | |
0f113f3e MC |
211 | OCSP_REQUEST *req = NULL; |
212 | OCSP_RESPONSE *resp = NULL; | |
7e1b7485 RS |
213 | STACK_OF(CONF_VALUE) *headers = NULL; |
214 | STACK_OF(OCSP_CERTID) *ids = NULL; | |
215 | STACK_OF(OPENSSL_STRING) *reqnames = NULL; | |
216 | STACK_OF(X509) *sign_other = NULL, *verify_other = NULL, *rother = NULL; | |
88806cfc | 217 | STACK_OF(X509) *issuers = NULL; |
3bb0f989 TS |
218 | X509 *issuer = NULL, *cert = NULL; |
219 | STACK_OF(X509) *rca_cert = NULL; | |
0770c882 | 220 | const EVP_MD *resp_certid_md = NULL; |
0f113f3e | 221 | X509 *signer = NULL, *rsigner = NULL; |
0f113f3e MC |
222 | X509_STORE *store = NULL; |
223 | X509_VERIFY_PARAM *vpm = NULL; | |
fd3397fc | 224 | const char *CAfile = NULL, *CApath = NULL, *CAstore = NULL; |
cc696296 | 225 | char *header, *value; |
7e1b7485 RS |
226 | char *host = NULL, *port = NULL, *path = "/", *outfile = NULL; |
227 | char *rca_filename = NULL, *reqin = NULL, *respin = NULL; | |
228 | char *reqout = NULL, *respout = NULL, *ridx_filename = NULL; | |
229 | char *rsignfile = NULL, *rkeyfile = NULL; | |
1cf20ca3 | 230 | char *passinarg = NULL, *passin = NULL; |
0f113f3e | 231 | char *sign_certfile = NULL, *verify_certfile = NULL, *rcertfile = NULL; |
7e1b7485 RS |
232 | char *signfile = NULL, *keyfile = NULL; |
233 | char *thost = NULL, *tport = NULL, *tpath = NULL; | |
fd3397fc | 234 | int noCAfile = 0, noCApath = 0, noCAstore = 0; |
7e1b7485 RS |
235 | int accept_count = -1, add_nonce = 1, noverify = 0, use_ssl = -1; |
236 | int vpmtouched = 0, badsig = 0, i, ignore_err = 0, nmin = 0, ndays = -1; | |
f9e55034 | 237 | int req_text = 0, resp_text = 0, ret = 1; |
f9e55034 | 238 | int req_timeout = -1; |
7e1b7485 | 239 | long nsec = MAX_VALIDITY_PERIOD, maxage = -1; |
0f113f3e | 240 | unsigned long sign_flags = 0, verify_flags = 0, rflags = 0; |
7e1b7485 | 241 | OPTION_CHOICE o; |
0f113f3e | 242 | |
0f113f3e | 243 | reqnames = sk_OPENSSL_STRING_new_null(); |
2234212c | 244 | if (reqnames == NULL) |
7e1b7485 | 245 | goto end; |
0f113f3e | 246 | ids = sk_OCSP_CERTID_new_null(); |
2234212c | 247 | if (ids == NULL) |
7e1b7485 RS |
248 | goto end; |
249 | if ((vpm = X509_VERIFY_PARAM_new()) == NULL) | |
250 | return 1; | |
251 | ||
252 | prog = opt_init(argc, argv, ocsp_options); | |
253 | while ((o = opt_next()) != OPT_EOF) { | |
254 | switch (o) { | |
255 | case OPT_EOF: | |
256 | case OPT_ERR: | |
257 | opthelp: | |
258 | BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); | |
259 | goto end; | |
260 | case OPT_HELP: | |
261 | ret = 0; | |
262 | opt_help(ocsp_options); | |
263 | goto end; | |
264 | case OPT_OUTFILE: | |
265 | outfile = opt_arg(); | |
266 | break; | |
267 | case OPT_TIMEOUT: | |
f9e55034 | 268 | #ifndef OPENSSL_NO_SOCK |
7e1b7485 | 269 | req_timeout = atoi(opt_arg()); |
f9e55034 | 270 | #endif |
7e1b7485 RS |
271 | break; |
272 | case OPT_URL: | |
b548a1f1 RS |
273 | OPENSSL_free(thost); |
274 | OPENSSL_free(tport); | |
275 | OPENSSL_free(tpath); | |
4b8d8e2a | 276 | thost = tport = tpath = NULL; |
29f178bd DDO |
277 | if (!OSSL_HTTP_parse_url(opt_arg(), |
278 | &host, &port, &path, &use_ssl)) { | |
7e1b7485 RS |
279 | BIO_printf(bio_err, "%s Error parsing URL\n", prog); |
280 | goto end; | |
281 | } | |
282 | thost = host; | |
283 | tport = port; | |
284 | tpath = path; | |
285 | break; | |
286 | case OPT_HOST: | |
287 | host = opt_arg(); | |
288 | break; | |
289 | case OPT_PORT: | |
290 | port = opt_arg(); | |
291 | break; | |
292 | case OPT_IGNORE_ERR: | |
0f113f3e | 293 | ignore_err = 1; |
7e1b7485 RS |
294 | break; |
295 | case OPT_NOVERIFY: | |
0f113f3e | 296 | noverify = 1; |
7e1b7485 RS |
297 | break; |
298 | case OPT_NONCE: | |
0f113f3e | 299 | add_nonce = 2; |
7e1b7485 RS |
300 | break; |
301 | case OPT_NO_NONCE: | |
0f113f3e | 302 | add_nonce = 0; |
7e1b7485 RS |
303 | break; |
304 | case OPT_RESP_NO_CERTS: | |
0f113f3e | 305 | rflags |= OCSP_NOCERTS; |
7e1b7485 RS |
306 | break; |
307 | case OPT_RESP_KEY_ID: | |
0f113f3e | 308 | rflags |= OCSP_RESPID_KEY; |
7e1b7485 RS |
309 | break; |
310 | case OPT_NO_CERTS: | |
0f113f3e | 311 | sign_flags |= OCSP_NOCERTS; |
7e1b7485 RS |
312 | break; |
313 | case OPT_NO_SIGNATURE_VERIFY: | |
0f113f3e | 314 | verify_flags |= OCSP_NOSIGS; |
7e1b7485 RS |
315 | break; |
316 | case OPT_NO_CERT_VERIFY: | |
0f113f3e | 317 | verify_flags |= OCSP_NOVERIFY; |
7e1b7485 RS |
318 | break; |
319 | case OPT_NO_CHAIN: | |
0f113f3e | 320 | verify_flags |= OCSP_NOCHAIN; |
7e1b7485 RS |
321 | break; |
322 | case OPT_NO_CERT_CHECKS: | |
0f113f3e | 323 | verify_flags |= OCSP_NOCHECKS; |
7e1b7485 RS |
324 | break; |
325 | case OPT_NO_EXPLICIT: | |
0f113f3e | 326 | verify_flags |= OCSP_NOEXPLICIT; |
7e1b7485 RS |
327 | break; |
328 | case OPT_TRUST_OTHER: | |
0f113f3e | 329 | verify_flags |= OCSP_TRUSTOTHER; |
7e1b7485 RS |
330 | break; |
331 | case OPT_NO_INTERN: | |
0f113f3e | 332 | verify_flags |= OCSP_NOINTERN; |
7e1b7485 RS |
333 | break; |
334 | case OPT_BADSIG: | |
0f113f3e | 335 | badsig = 1; |
7e1b7485 RS |
336 | break; |
337 | case OPT_TEXT: | |
338 | req_text = resp_text = 1; | |
339 | break; | |
340 | case OPT_REQ_TEXT: | |
0f113f3e | 341 | req_text = 1; |
7e1b7485 RS |
342 | break; |
343 | case OPT_RESP_TEXT: | |
0f113f3e | 344 | resp_text = 1; |
7e1b7485 RS |
345 | break; |
346 | case OPT_REQIN: | |
347 | reqin = opt_arg(); | |
348 | break; | |
349 | case OPT_RESPIN: | |
350 | respin = opt_arg(); | |
351 | break; | |
352 | case OPT_SIGNER: | |
353 | signfile = opt_arg(); | |
354 | break; | |
355 | case OPT_VAFILE: | |
356 | verify_certfile = opt_arg(); | |
357 | verify_flags |= OCSP_TRUSTOTHER; | |
358 | break; | |
359 | case OPT_SIGN_OTHER: | |
360 | sign_certfile = opt_arg(); | |
361 | break; | |
362 | case OPT_VERIFY_OTHER: | |
363 | verify_certfile = opt_arg(); | |
364 | break; | |
365 | case OPT_CAFILE: | |
366 | CAfile = opt_arg(); | |
367 | break; | |
368 | case OPT_CAPATH: | |
369 | CApath = opt_arg(); | |
370 | break; | |
fd3397fc RL |
371 | case OPT_CASTORE: |
372 | CAstore = opt_arg(); | |
373 | break; | |
2b6bcb70 MC |
374 | case OPT_NOCAFILE: |
375 | noCAfile = 1; | |
376 | break; | |
377 | case OPT_NOCAPATH: | |
378 | noCApath = 1; | |
379 | break; | |
fd3397fc RL |
380 | case OPT_NOCASTORE: |
381 | noCAstore = 1; | |
382 | break; | |
7e1b7485 RS |
383 | case OPT_V_CASES: |
384 | if (!opt_verify(o, vpm)) | |
0f113f3e | 385 | goto end; |
7e1b7485 RS |
386 | vpmtouched++; |
387 | break; | |
388 | case OPT_VALIDITY_PERIOD: | |
389 | opt_long(opt_arg(), &nsec); | |
390 | break; | |
391 | case OPT_STATUS_AGE: | |
392 | opt_long(opt_arg(), &maxage); | |
393 | break; | |
394 | case OPT_SIGNKEY: | |
395 | keyfile = opt_arg(); | |
396 | break; | |
397 | case OPT_REQOUT: | |
398 | reqout = opt_arg(); | |
399 | break; | |
400 | case OPT_RESPOUT: | |
401 | respout = opt_arg(); | |
402 | break; | |
403 | case OPT_PATH: | |
404 | path = opt_arg(); | |
405 | break; | |
c6724060 | 406 | case OPT_ISSUER: |
6d382c74 DDO |
407 | issuer = load_cert(opt_arg(), FORMAT_UNDEF, |
408 | "issuer certificate"); | |
c6724060 RS |
409 | if (issuer == NULL) |
410 | goto end; | |
bb7fc98c DSH |
411 | if (issuers == NULL) { |
412 | if ((issuers = sk_X509_new_null()) == NULL) | |
413 | goto end; | |
414 | } | |
d5e66eab SL |
415 | if (!sk_X509_push(issuers, issuer)) |
416 | goto end; | |
c6724060 | 417 | break; |
7e1b7485 RS |
418 | case OPT_CERT: |
419 | X509_free(cert); | |
6d382c74 | 420 | cert = load_cert(opt_arg(), FORMAT_UNDEF, "certificate"); |
7e1b7485 RS |
421 | if (cert == NULL) |
422 | goto end; | |
423 | if (cert_id_md == NULL) | |
424 | cert_id_md = EVP_sha1(); | |
425 | if (!add_ocsp_cert(&req, cert, cert_id_md, issuer, ids)) | |
426 | goto end; | |
427 | if (!sk_OPENSSL_STRING_push(reqnames, opt_arg())) | |
428 | goto end; | |
6302bbd2 | 429 | trailing_md = 0; |
7e1b7485 RS |
430 | break; |
431 | case OPT_SERIAL: | |
432 | if (cert_id_md == NULL) | |
433 | cert_id_md = EVP_sha1(); | |
434 | if (!add_ocsp_serial(&req, opt_arg(), cert_id_md, issuer, ids)) | |
435 | goto end; | |
436 | if (!sk_OPENSSL_STRING_push(reqnames, opt_arg())) | |
437 | goto end; | |
6302bbd2 | 438 | trailing_md = 0; |
7e1b7485 RS |
439 | break; |
440 | case OPT_INDEX: | |
441 | ridx_filename = opt_arg(); | |
442 | break; | |
443 | case OPT_CA: | |
444 | rca_filename = opt_arg(); | |
445 | break; | |
446 | case OPT_NMIN: | |
447 | opt_int(opt_arg(), &nmin); | |
0f113f3e MC |
448 | if (ndays == -1) |
449 | ndays = 0; | |
7e1b7485 RS |
450 | break; |
451 | case OPT_REQUEST: | |
452 | opt_int(opt_arg(), &accept_count); | |
453 | break; | |
454 | case OPT_NDAYS: | |
455 | ndays = atoi(opt_arg()); | |
456 | break; | |
457 | case OPT_RSIGNER: | |
458 | rsignfile = opt_arg(); | |
459 | break; | |
460 | case OPT_RKEY: | |
461 | rkeyfile = opt_arg(); | |
462 | break; | |
1cf20ca3 | 463 | case OPT_PASSIN: |
464 | passinarg = opt_arg(); | |
465 | break; | |
7e1b7485 RS |
466 | case OPT_ROTHER: |
467 | rcertfile = opt_arg(); | |
468 | break; | |
16e1b281 | 469 | case OPT_RMD: /* Response MessageDigest */ |
7e1b7485 RS |
470 | if (!opt_md(opt_arg(), &rsign_md)) |
471 | goto end; | |
472 | break; | |
04940147 | 473 | case OPT_RSIGOPT: |
b4dd21a7 DC |
474 | if (rsign_sigopts == NULL) |
475 | rsign_sigopts = sk_OPENSSL_STRING_new_null(); | |
476 | if (rsign_sigopts == NULL || !sk_OPENSSL_STRING_push(rsign_sigopts, opt_arg())) | |
477 | goto end; | |
478 | break; | |
7e1b7485 RS |
479 | case OPT_HEADER: |
480 | header = opt_arg(); | |
481 | value = strchr(header, '='); | |
482 | if (value == NULL) { | |
483 | BIO_printf(bio_err, "Missing = in header key=value\n"); | |
484 | goto opthelp; | |
485 | } | |
486 | *value++ = '\0'; | |
487 | if (!X509V3_add_value(header, value, &headers)) | |
488 | goto end; | |
489 | break; | |
0770c882 TS |
490 | case OPT_RCID: |
491 | resp_certid_md = EVP_get_digestbyname(opt_arg()); | |
492 | if (resp_certid_md == NULL) | |
493 | goto opthelp; | |
494 | break; | |
7e1b7485 | 495 | case OPT_MD: |
6302bbd2 | 496 | if (trailing_md) { |
7e1b7485 RS |
497 | BIO_printf(bio_err, |
498 | "%s: Digest must be before -cert or -serial\n", | |
499 | prog); | |
500 | goto opthelp; | |
501 | } | |
502 | if (!opt_md(opt_unknown(), &cert_id_md)) | |
503 | goto opthelp; | |
6302bbd2 | 504 | trailing_md = 1; |
7e1b7485 | 505 | break; |
3e3c7c36 | 506 | case OPT_MULTI: |
582311d7 | 507 | #ifdef HTTP_DAEMON |
3e3c7c36 | 508 | multi = atoi(opt_arg()); |
1ae56f2f | 509 | #endif |
a7fb4fa1 | 510 | break; |
6bd4e3f2 P |
511 | case OPT_PROV_CASES: |
512 | if (!opt_provider(o)) | |
513 | goto end; | |
514 | break; | |
0f113f3e | 515 | } |
0f113f3e | 516 | } |
6302bbd2 DSH |
517 | if (trailing_md) { |
518 | BIO_printf(bio_err, "%s: Digest must be before -cert or -serial\n", | |
519 | prog); | |
520 | goto opthelp; | |
521 | } | |
7e1b7485 | 522 | argc = opt_num_rest(); |
03358517 KR |
523 | if (argc != 0) |
524 | goto opthelp; | |
0f113f3e MC |
525 | |
526 | /* Have we anything to do? */ | |
3e3c7c36 | 527 | if (req == NULL && reqin == NULL |
2234212c | 528 | && respin == NULL && !(port != NULL && ridx_filename != NULL)) |
7e1b7485 | 529 | goto opthelp; |
0f113f3e | 530 | |
bdd58d98 | 531 | out = bio_open_default(outfile, 'w', FORMAT_TEXT); |
7e1b7485 | 532 | if (out == NULL) |
0f113f3e | 533 | goto end; |
0f113f3e | 534 | |
2234212c | 535 | if (req == NULL && (add_nonce != 2)) |
0f113f3e MC |
536 | add_nonce = 0; |
537 | ||
2234212c | 538 | if (req == NULL && reqin != NULL) { |
bdd58d98 | 539 | derbio = bio_open_default(reqin, 'r', FORMAT_ASN1); |
7e1b7485 | 540 | if (derbio == NULL) |
0f113f3e | 541 | goto end; |
0f113f3e MC |
542 | req = d2i_OCSP_REQUEST_bio(derbio, NULL); |
543 | BIO_free(derbio); | |
2234212c | 544 | if (req == NULL) { |
0f113f3e MC |
545 | BIO_printf(bio_err, "Error reading OCSP request\n"); |
546 | goto end; | |
547 | } | |
548 | } | |
549 | ||
2234212c | 550 | if (req == NULL && port != NULL) { |
582311d7 DDO |
551 | #ifndef OPENSSL_NO_SOCK |
552 | acbio = http_server_init_bio(prog, port); | |
2234212c | 553 | if (acbio == NULL) |
0f113f3e | 554 | goto end; |
582311d7 DDO |
555 | #else |
556 | BIO_printf(bio_err, "Cannot act as server - sockets not supported\n"); | |
557 | goto end; | |
558 | #endif | |
0f113f3e MC |
559 | } |
560 | ||
2234212c PY |
561 | if (rsignfile != NULL) { |
562 | if (rkeyfile == NULL) | |
0f113f3e | 563 | rkeyfile = rsignfile; |
6d382c74 DDO |
564 | rsigner = load_cert(rsignfile, FORMAT_UNDEF, |
565 | "responder certificate"); | |
2234212c | 566 | if (rsigner == NULL) { |
0f113f3e MC |
567 | BIO_printf(bio_err, "Error loading responder certificate\n"); |
568 | goto end; | |
569 | } | |
3bb0f989 TS |
570 | if (!load_certs(rca_filename, &rca_cert, FORMAT_PEM, |
571 | NULL, "CA certificate")) | |
572 | goto end; | |
2234212c | 573 | if (rcertfile != NULL) { |
a773b52a | 574 | if (!load_certs(rcertfile, &rother, FORMAT_PEM, NULL, |
0996dc54 | 575 | "responder other certificates")) |
0f113f3e MC |
576 | goto end; |
577 | } | |
1cf20ca3 | 578 | if (!app_passwd(passinarg, NULL, &passin, NULL)) { |
579 | BIO_printf(bio_err, "Error getting password\n"); | |
580 | goto end; | |
581 | } | |
582 | rkey = load_key(rkeyfile, FORMAT_PEM, 0, passin, NULL, | |
0f113f3e | 583 | "responder private key"); |
2234212c | 584 | if (rkey == NULL) |
0f113f3e MC |
585 | goto end; |
586 | } | |
c7d5ea26 | 587 | |
3e3c7c36 | 588 | if (ridx_filename != NULL |
e4693110 | 589 | && (rkey == NULL || rsigner == NULL || rca_cert == NULL)) { |
c7d5ea26 VD |
590 | BIO_printf(bio_err, |
591 | "Responder mode requires certificate, key, and CA.\n"); | |
592 | goto end; | |
593 | } | |
594 | ||
3e3c7c36 | 595 | if (ridx_filename != NULL) { |
c7d5ea26 | 596 | rdb = load_index(ridx_filename, NULL); |
a4107d73 | 597 | if (rdb == NULL || index_index(rdb) <= 0) { |
c7d5ea26 VD |
598 | ret = 1; |
599 | goto end; | |
600 | } | |
601 | } | |
602 | ||
582311d7 | 603 | #ifdef HTTP_DAEMON |
3e3c7c36 | 604 | if (multi && acbio != NULL) |
582311d7 | 605 | spawn_loop(prog); |
3e3c7c36 | 606 | if (acbio != NULL && req_timeout > 0) |
e9b95e42 | 607 | signal(SIGALRM, socket_timeout); |
3e3c7c36 VD |
608 | #endif |
609 | ||
2234212c | 610 | if (acbio != NULL) |
582311d7 | 611 | log_message(prog, LOG_INFO, "waiting for OCSP client connections..."); |
0f113f3e | 612 | |
2234212c | 613 | redo_accept: |
0f113f3e | 614 | |
2234212c | 615 | if (acbio != NULL) { |
582311d7 | 616 | #ifdef HTTP_DAEMON |
3e3c7c36 VD |
617 | if (index_changed(rdb)) { |
618 | CA_DB *newrdb = load_index(ridx_filename, NULL); | |
619 | ||
a4107d73 | 620 | if (newrdb != NULL && index_index(newrdb) > 0) { |
3e3c7c36 VD |
621 | free_index(rdb); |
622 | rdb = newrdb; | |
623 | } else { | |
a4107d73 | 624 | free_index(newrdb); |
582311d7 | 625 | log_message(prog, LOG_ERR, "error reloading updated index: %s", |
3e3c7c36 VD |
626 | ridx_filename); |
627 | } | |
628 | } | |
1ae56f2f | 629 | #endif |
3e3c7c36 VD |
630 | |
631 | req = NULL; | |
632 | if (!do_responder(&req, &cbio, acbio, req_timeout)) | |
633 | goto redo_accept; | |
634 | ||
2234212c | 635 | if (req == NULL) { |
582311d7 DDO |
636 | resp = OCSP_response_create(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, |
637 | NULL); | |
0f113f3e MC |
638 | send_ocsp_response(cbio, resp); |
639 | goto done_resp; | |
640 | } | |
641 | } | |
642 | ||
2234212c PY |
643 | if (req == NULL |
644 | && (signfile != NULL || reqout != NULL | |
645 | || host != NULL || add_nonce || ridx_filename != NULL)) { | |
0f113f3e MC |
646 | BIO_printf(bio_err, "Need an OCSP request for this operation!\n"); |
647 | goto end; | |
648 | } | |
649 | ||
72b89b8e DB |
650 | if (req != NULL && add_nonce) { |
651 | if (!OCSP_request_add1_nonce(req, NULL, -1)) | |
652 | goto end; | |
653 | } | |
0f113f3e | 654 | |
2234212c PY |
655 | if (signfile != NULL) { |
656 | if (keyfile == NULL) | |
0f113f3e | 657 | keyfile = signfile; |
6d382c74 | 658 | signer = load_cert(signfile, FORMAT_UNDEF, "signer certificate"); |
2234212c | 659 | if (signer == NULL) { |
0f113f3e MC |
660 | BIO_printf(bio_err, "Error loading signer certificate\n"); |
661 | goto end; | |
662 | } | |
2234212c | 663 | if (sign_certfile != NULL) { |
a773b52a | 664 | if (!load_certs(sign_certfile, &sign_other, FORMAT_PEM, NULL, |
0996dc54 | 665 | "signer certificates")) |
0f113f3e MC |
666 | goto end; |
667 | } | |
7e1b7485 | 668 | key = load_key(keyfile, FORMAT_PEM, 0, NULL, NULL, |
0f113f3e | 669 | "signer private key"); |
2234212c | 670 | if (key == NULL) |
0f113f3e MC |
671 | goto end; |
672 | ||
673 | if (!OCSP_request_sign | |
674 | (req, signer, key, NULL, sign_other, sign_flags)) { | |
675 | BIO_printf(bio_err, "Error signing OCSP request\n"); | |
676 | goto end; | |
677 | } | |
678 | } | |
679 | ||
2234212c | 680 | if (req_text && req != NULL) |
0f113f3e MC |
681 | OCSP_REQUEST_print(out, req, 0); |
682 | ||
2234212c | 683 | if (reqout != NULL) { |
bdd58d98 | 684 | derbio = bio_open_default(reqout, 'w', FORMAT_ASN1); |
7e1b7485 | 685 | if (derbio == NULL) |
0f113f3e | 686 | goto end; |
0f113f3e MC |
687 | i2d_OCSP_REQUEST_bio(derbio, req); |
688 | BIO_free(derbio); | |
689 | } | |
690 | ||
2234212c | 691 | if (rdb != NULL) { |
b4dd21a7 | 692 | make_ocsp_response(bio_err, &resp, req, rdb, rca_cert, rsigner, rkey, |
0770c882 TS |
693 | rsign_md, rsign_sigopts, rother, rflags, nmin, ndays, badsig, |
694 | resp_certid_md); | |
2234212c | 695 | if (cbio != NULL) |
0f113f3e | 696 | send_ocsp_response(cbio, resp); |
2234212c | 697 | } else if (host != NULL) { |
1ae56f2f | 698 | #ifndef OPENSSL_NO_SOCK |
7e1b7485 | 699 | resp = process_responder(req, host, path, |
0f113f3e | 700 | port, use_ssl, headers, req_timeout); |
2234212c | 701 | if (resp == NULL) |
0f113f3e | 702 | goto end; |
1ae56f2f | 703 | #else |
0f113f3e | 704 | BIO_printf(bio_err, |
582311d7 | 705 | "Error creating connect BIO - sockets not supported\n"); |
0f113f3e | 706 | goto end; |
1ae56f2f | 707 | #endif |
2234212c | 708 | } else if (respin != NULL) { |
bdd58d98 | 709 | derbio = bio_open_default(respin, 'r', FORMAT_ASN1); |
7e1b7485 | 710 | if (derbio == NULL) |
0f113f3e | 711 | goto end; |
0f113f3e MC |
712 | resp = d2i_OCSP_RESPONSE_bio(derbio, NULL); |
713 | BIO_free(derbio); | |
2234212c | 714 | if (resp == NULL) { |
0f113f3e MC |
715 | BIO_printf(bio_err, "Error reading OCSP response\n"); |
716 | goto end; | |
717 | } | |
0f113f3e MC |
718 | } else { |
719 | ret = 0; | |
720 | goto end; | |
721 | } | |
722 | ||
723 | done_resp: | |
724 | ||
2234212c | 725 | if (respout != NULL) { |
bdd58d98 | 726 | derbio = bio_open_default(respout, 'w', FORMAT_ASN1); |
7e1b7485 | 727 | if (derbio == NULL) |
0f113f3e | 728 | goto end; |
0f113f3e MC |
729 | i2d_OCSP_RESPONSE_bio(derbio, resp); |
730 | BIO_free(derbio); | |
731 | } | |
732 | ||
733 | i = OCSP_response_status(resp); | |
0f113f3e MC |
734 | if (i != OCSP_RESPONSE_STATUS_SUCCESSFUL) { |
735 | BIO_printf(out, "Responder Error: %s (%d)\n", | |
736 | OCSP_response_status_str(i), i); | |
c324ecfb | 737 | if (!ignore_err) |
3e3c7c36 | 738 | goto end; |
0f113f3e MC |
739 | } |
740 | ||
741 | if (resp_text) | |
742 | OCSP_RESPONSE_print(out, resp, 0); | |
743 | ||
744 | /* If running as responder don't verify our own response */ | |
2234212c | 745 | if (cbio != NULL) { |
e46bcca2 AE |
746 | /* If not unlimited, see if we took all we should. */ |
747 | if (accept_count != -1 && --accept_count <= 0) { | |
7e1b7485 RS |
748 | ret = 0; |
749 | goto end; | |
0f113f3e | 750 | } |
7e1b7485 RS |
751 | BIO_free_all(cbio); |
752 | cbio = NULL; | |
753 | OCSP_REQUEST_free(req); | |
754 | req = NULL; | |
755 | OCSP_RESPONSE_free(resp); | |
756 | resp = NULL; | |
757 | goto redo_accept; | |
758 | } | |
2234212c | 759 | if (ridx_filename != NULL) { |
0f113f3e MC |
760 | ret = 0; |
761 | goto end; | |
762 | } | |
763 | ||
2234212c | 764 | if (store == NULL) { |
fd3397fc RL |
765 | store = setup_verify(CAfile, noCAfile, CApath, noCApath, |
766 | CAstore, noCAstore); | |
7e1b7485 RS |
767 | if (!store) |
768 | goto end; | |
769 | } | |
770 | if (vpmtouched) | |
0f113f3e | 771 | X509_STORE_set1_param(store, vpm); |
2234212c | 772 | if (verify_certfile != NULL) { |
a773b52a | 773 | if (!load_certs(verify_certfile, &verify_other, FORMAT_PEM, NULL, |
0996dc54 | 774 | "validator certificate")) |
0f113f3e MC |
775 | goto end; |
776 | } | |
777 | ||
778 | bs = OCSP_response_get1_basic(resp); | |
2234212c | 779 | if (bs == NULL) { |
0f113f3e MC |
780 | BIO_printf(bio_err, "Error parsing response\n"); |
781 | goto end; | |
782 | } | |
783 | ||
784 | ret = 0; | |
785 | ||
786 | if (!noverify) { | |
2234212c | 787 | if (req != NULL && ((i = OCSP_check_nonce(req, bs)) <= 0)) { |
0f113f3e MC |
788 | if (i == -1) |
789 | BIO_printf(bio_err, "WARNING: no nonce in response\n"); | |
790 | else { | |
791 | BIO_printf(bio_err, "Nonce Verify error\n"); | |
792 | ret = 1; | |
793 | goto end; | |
794 | } | |
795 | } | |
796 | ||
797 | i = OCSP_basic_verify(bs, verify_other, store, verify_flags); | |
c6724060 RS |
798 | if (i <= 0 && issuers) { |
799 | i = OCSP_basic_verify(bs, issuers, store, OCSP_TRUSTOTHER); | |
800 | if (i > 0) | |
801 | ERR_clear_error(); | |
802 | } | |
0f113f3e MC |
803 | if (i <= 0) { |
804 | BIO_printf(bio_err, "Response Verify Failure\n"); | |
805 | ERR_print_errors(bio_err); | |
806 | ret = 1; | |
2234212c | 807 | } else { |
0f113f3e | 808 | BIO_printf(bio_err, "Response verify OK\n"); |
2234212c | 809 | } |
0f113f3e MC |
810 | } |
811 | ||
7e1b7485 | 812 | print_ocsp_summary(out, bs, req, reqnames, ids, nsec, maxage); |
0f113f3e MC |
813 | |
814 | end: | |
815 | ERR_print_errors(bio_err); | |
816 | X509_free(signer); | |
817 | X509_STORE_free(store); | |
222561fe | 818 | X509_VERIFY_PARAM_free(vpm); |
89623f84 | 819 | sk_OPENSSL_STRING_free(rsign_sigopts); |
0f113f3e MC |
820 | EVP_PKEY_free(key); |
821 | EVP_PKEY_free(rkey); | |
0f113f3e | 822 | X509_free(cert); |
bb7fc98c | 823 | sk_X509_pop_free(issuers, X509_free); |
0f113f3e | 824 | X509_free(rsigner); |
3bb0f989 | 825 | sk_X509_pop_free(rca_cert, X509_free); |
0f113f3e MC |
826 | free_index(rdb); |
827 | BIO_free_all(cbio); | |
828 | BIO_free_all(acbio); | |
4e525a0b | 829 | BIO_free_all(out); |
0f113f3e MC |
830 | OCSP_REQUEST_free(req); |
831 | OCSP_RESPONSE_free(resp); | |
832 | OCSP_BASICRESP_free(bs); | |
833 | sk_OPENSSL_STRING_free(reqnames); | |
834 | sk_OCSP_CERTID_free(ids); | |
835 | sk_X509_pop_free(sign_other, X509_free); | |
836 | sk_X509_pop_free(verify_other, X509_free); | |
837 | sk_CONF_VALUE_pop_free(headers, X509V3_conf_free); | |
b548a1f1 RS |
838 | OPENSSL_free(thost); |
839 | OPENSSL_free(tport); | |
840 | OPENSSL_free(tpath); | |
0f113f3e | 841 | |
26a7d938 | 842 | return ret; |
5782ceb2 DSH |
843 | } |
844 | ||
582311d7 | 845 | #ifdef HTTP_DAEMON |
3e3c7c36 VD |
846 | |
847 | static int index_changed(CA_DB *rdb) | |
848 | { | |
849 | struct stat sb; | |
850 | ||
851 | if (rdb != NULL && stat(rdb->dbfname, &sb) != -1) { | |
852 | if (rdb->dbst.st_mtime != sb.st_mtime | |
853 | || rdb->dbst.st_ctime != sb.st_ctime | |
854 | || rdb->dbst.st_ino != sb.st_ino | |
855 | || rdb->dbst.st_dev != sb.st_dev) { | |
856 | syslog(LOG_INFO, "index file changed, reloading"); | |
857 | return 1; | |
858 | } | |
859 | } | |
860 | return 0; | |
861 | } | |
862 | ||
1ae56f2f | 863 | #endif |
3e3c7c36 | 864 | |
0f113f3e MC |
865 | static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, |
866 | const EVP_MD *cert_id_md, X509 *issuer, | |
867 | STACK_OF(OCSP_CERTID) *ids) | |
868 | { | |
869 | OCSP_CERTID *id; | |
2234212c PY |
870 | |
871 | if (issuer == NULL) { | |
0f113f3e MC |
872 | BIO_printf(bio_err, "No issuer certificate specified\n"); |
873 | return 0; | |
874 | } | |
96487cdd | 875 | if (*req == NULL) |
0f113f3e | 876 | *req = OCSP_REQUEST_new(); |
96487cdd | 877 | if (*req == NULL) |
0f113f3e MC |
878 | goto err; |
879 | id = OCSP_cert_to_id(cert_id_md, cert, issuer); | |
2234212c | 880 | if (id == NULL || !sk_OCSP_CERTID_push(ids, id)) |
0f113f3e MC |
881 | goto err; |
882 | if (!OCSP_request_add0_id(*req, id)) | |
883 | goto err; | |
884 | return 1; | |
885 | ||
886 | err: | |
887 | BIO_printf(bio_err, "Error Creating OCSP request\n"); | |
888 | return 0; | |
889 | } | |
890 | ||
891 | static int add_ocsp_serial(OCSP_REQUEST **req, char *serial, | |
892 | const EVP_MD *cert_id_md, X509 *issuer, | |
893 | STACK_OF(OCSP_CERTID) *ids) | |
894 | { | |
895 | OCSP_CERTID *id; | |
8cc86b81 | 896 | const X509_NAME *iname; |
0f113f3e MC |
897 | ASN1_BIT_STRING *ikey; |
898 | ASN1_INTEGER *sno; | |
2234212c PY |
899 | |
900 | if (issuer == NULL) { | |
0f113f3e MC |
901 | BIO_printf(bio_err, "No issuer certificate specified\n"); |
902 | return 0; | |
903 | } | |
96487cdd | 904 | if (*req == NULL) |
0f113f3e | 905 | *req = OCSP_REQUEST_new(); |
96487cdd | 906 | if (*req == NULL) |
0f113f3e MC |
907 | goto err; |
908 | iname = X509_get_subject_name(issuer); | |
909 | ikey = X509_get0_pubkey_bitstr(issuer); | |
910 | sno = s2i_ASN1_INTEGER(NULL, serial); | |
2234212c | 911 | if (sno == NULL) { |
0f113f3e MC |
912 | BIO_printf(bio_err, "Error converting serial number %s\n", serial); |
913 | return 0; | |
914 | } | |
915 | id = OCSP_cert_id_new(cert_id_md, iname, ikey, sno); | |
916 | ASN1_INTEGER_free(sno); | |
96487cdd | 917 | if (id == NULL || !sk_OCSP_CERTID_push(ids, id)) |
0f113f3e MC |
918 | goto err; |
919 | if (!OCSP_request_add0_id(*req, id)) | |
920 | goto err; | |
921 | return 1; | |
922 | ||
923 | err: | |
924 | BIO_printf(bio_err, "Error Creating OCSP request\n"); | |
925 | return 0; | |
926 | } | |
73758d43 | 927 | |
7e1b7485 | 928 | static void print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req, |
0f113f3e MC |
929 | STACK_OF(OPENSSL_STRING) *names, |
930 | STACK_OF(OCSP_CERTID) *ids, long nsec, | |
931 | long maxage) | |
932 | { | |
933 | OCSP_CERTID *id; | |
cc696296 | 934 | const char *name; |
7e1b7485 | 935 | int i, status, reason; |
0f113f3e MC |
936 | ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd; |
937 | ||
2234212c | 938 | if (bs == NULL || req == NULL || !sk_OPENSSL_STRING_num(names) |
0f113f3e | 939 | || !sk_OCSP_CERTID_num(ids)) |
7e1b7485 | 940 | return; |
0f113f3e MC |
941 | |
942 | for (i = 0; i < sk_OCSP_CERTID_num(ids); i++) { | |
943 | id = sk_OCSP_CERTID_value(ids, i); | |
944 | name = sk_OPENSSL_STRING_value(names, i); | |
945 | BIO_printf(out, "%s: ", name); | |
946 | ||
947 | if (!OCSP_resp_find_status(bs, id, &status, &reason, | |
948 | &rev, &thisupd, &nextupd)) { | |
949 | BIO_puts(out, "ERROR: No Status found.\n"); | |
950 | continue; | |
951 | } | |
952 | ||
953 | /* | |
954 | * Check validity: if invalid write to output BIO so we know which | |
955 | * response this refers to. | |
956 | */ | |
957 | if (!OCSP_check_validity(thisupd, nextupd, nsec, maxage)) { | |
958 | BIO_puts(out, "WARNING: Status times invalid.\n"); | |
959 | ERR_print_errors(out); | |
960 | } | |
961 | BIO_printf(out, "%s\n", OCSP_cert_status_str(status)); | |
962 | ||
963 | BIO_puts(out, "\tThis Update: "); | |
964 | ASN1_GENERALIZEDTIME_print(out, thisupd); | |
965 | BIO_puts(out, "\n"); | |
966 | ||
967 | if (nextupd) { | |
968 | BIO_puts(out, "\tNext Update: "); | |
969 | ASN1_GENERALIZEDTIME_print(out, nextupd); | |
970 | BIO_puts(out, "\n"); | |
971 | } | |
972 | ||
973 | if (status != V_OCSP_CERTSTATUS_REVOKED) | |
974 | continue; | |
975 | ||
976 | if (reason != -1) | |
977 | BIO_printf(out, "\tReason: %s\n", OCSP_crl_reason_str(reason)); | |
978 | ||
979 | BIO_puts(out, "\tRevocation Time: "); | |
980 | ASN1_GENERALIZEDTIME_print(out, rev); | |
981 | BIO_puts(out, "\n"); | |
982 | } | |
0f113f3e MC |
983 | } |
984 | ||
b4dd21a7 | 985 | static void make_ocsp_response(BIO *err, OCSP_RESPONSE **resp, OCSP_REQUEST *req, |
3bb0f989 | 986 | CA_DB *db, STACK_OF(X509) *ca, X509 *rcert, |
0f113f3e | 987 | EVP_PKEY *rkey, const EVP_MD *rmd, |
b4dd21a7 | 988 | STACK_OF(OPENSSL_STRING) *sigopts, |
0f113f3e | 989 | STACK_OF(X509) *rother, unsigned long flags, |
0770c882 TS |
990 | int nmin, int ndays, int badsig, |
991 | const EVP_MD *resp_md) | |
0f113f3e MC |
992 | { |
993 | ASN1_TIME *thisupd = NULL, *nextupd = NULL; | |
3bb0f989 | 994 | OCSP_CERTID *cid; |
0f113f3e | 995 | OCSP_BASICRESP *bs = NULL; |
7e1b7485 | 996 | int i, id_count; |
b4dd21a7 DC |
997 | EVP_MD_CTX *mctx = NULL; |
998 | EVP_PKEY_CTX *pkctx = NULL; | |
0f113f3e MC |
999 | |
1000 | id_count = OCSP_request_onereq_count(req); | |
1001 | ||
1002 | if (id_count <= 0) { | |
1003 | *resp = | |
1004 | OCSP_response_create(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, NULL); | |
1005 | goto end; | |
1006 | } | |
1007 | ||
1008 | bs = OCSP_BASICRESP_new(); | |
1009 | thisupd = X509_gmtime_adj(NULL, 0); | |
1010 | if (ndays != -1) | |
9aa00b18 | 1011 | nextupd = X509_time_adj_ex(NULL, ndays, nmin * 60, NULL); |
0f113f3e MC |
1012 | |
1013 | /* Examine each certificate id in the request */ | |
1014 | for (i = 0; i < id_count; i++) { | |
1015 | OCSP_ONEREQ *one; | |
1016 | ASN1_INTEGER *serial; | |
1017 | char **inf; | |
3bb0f989 TS |
1018 | int jj; |
1019 | int found = 0; | |
0f113f3e MC |
1020 | ASN1_OBJECT *cert_id_md_oid; |
1021 | const EVP_MD *cert_id_md; | |
0770c882 TS |
1022 | OCSP_CERTID *cid_resp_md = NULL; |
1023 | ||
0f113f3e MC |
1024 | one = OCSP_request_onereq_get0(req, i); |
1025 | cid = OCSP_onereq_get0_id(one); | |
1026 | ||
1027 | OCSP_id_get0_info(NULL, &cert_id_md_oid, NULL, NULL, cid); | |
1028 | ||
1029 | cert_id_md = EVP_get_digestbyobj(cert_id_md_oid); | |
2234212c | 1030 | if (cert_id_md == NULL) { |
0f113f3e MC |
1031 | *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_INTERNALERROR, |
1032 | NULL); | |
1033 | goto end; | |
1034 | } | |
3bb0f989 TS |
1035 | for (jj = 0; jj < sk_X509_num(ca) && !found; jj++) { |
1036 | X509 *ca_cert = sk_X509_value(ca, jj); | |
1037 | OCSP_CERTID *ca_id = OCSP_cert_to_id(cert_id_md, NULL, ca_cert); | |
1038 | ||
0770c882 | 1039 | if (OCSP_id_issuer_cmp(ca_id, cid) == 0) { |
3bb0f989 | 1040 | found = 1; |
0770c882 TS |
1041 | if (resp_md != NULL) |
1042 | cid_resp_md = OCSP_cert_to_id(resp_md, NULL, ca_cert); | |
1043 | } | |
3bb0f989 TS |
1044 | OCSP_CERTID_free(ca_id); |
1045 | } | |
0770c882 TS |
1046 | OCSP_id_get0_info(NULL, NULL, NULL, &serial, cid); |
1047 | inf = lookup_serial(db, serial); | |
1048 | ||
1049 | /* at this point, we can have cid be an alias of cid_resp_md */ | |
1050 | cid = (cid_resp_md != NULL) ? cid_resp_md : cid; | |
0f113f3e | 1051 | |
3bb0f989 | 1052 | if (!found) { |
0f113f3e MC |
1053 | OCSP_basic_add1_status(bs, cid, |
1054 | V_OCSP_CERTSTATUS_UNKNOWN, | |
1055 | 0, NULL, thisupd, nextupd); | |
1056 | continue; | |
1057 | } | |
2234212c | 1058 | if (inf == NULL) { |
0f113f3e MC |
1059 | OCSP_basic_add1_status(bs, cid, |
1060 | V_OCSP_CERTSTATUS_UNKNOWN, | |
1061 | 0, NULL, thisupd, nextupd); | |
2234212c | 1062 | } else if (inf[DB_type][0] == DB_TYPE_VAL) { |
0f113f3e MC |
1063 | OCSP_basic_add1_status(bs, cid, |
1064 | V_OCSP_CERTSTATUS_GOOD, | |
1065 | 0, NULL, thisupd, nextupd); | |
2234212c | 1066 | } else if (inf[DB_type][0] == DB_TYPE_REV) { |
0f113f3e MC |
1067 | ASN1_OBJECT *inst = NULL; |
1068 | ASN1_TIME *revtm = NULL; | |
1069 | ASN1_GENERALIZEDTIME *invtm = NULL; | |
1070 | OCSP_SINGLERESP *single; | |
1071 | int reason = -1; | |
0770c882 | 1072 | |
0f113f3e MC |
1073 | unpack_revinfo(&revtm, &reason, &inst, &invtm, inf[DB_rev_date]); |
1074 | single = OCSP_basic_add1_status(bs, cid, | |
1075 | V_OCSP_CERTSTATUS_REVOKED, | |
1076 | reason, revtm, thisupd, nextupd); | |
2234212c | 1077 | if (invtm != NULL) |
0f113f3e MC |
1078 | OCSP_SINGLERESP_add1_ext_i2d(single, NID_invalidity_date, |
1079 | invtm, 0, 0); | |
2234212c | 1080 | else if (inst != NULL) |
0f113f3e MC |
1081 | OCSP_SINGLERESP_add1_ext_i2d(single, |
1082 | NID_hold_instruction_code, inst, | |
1083 | 0, 0); | |
1084 | ASN1_OBJECT_free(inst); | |
1085 | ASN1_TIME_free(revtm); | |
1086 | ASN1_GENERALIZEDTIME_free(invtm); | |
1087 | } | |
0770c882 | 1088 | OCSP_CERTID_free(cid_resp_md); |
0f113f3e MC |
1089 | } |
1090 | ||
1091 | OCSP_copy_nonce(bs, req); | |
1092 | ||
b4dd21a7 DC |
1093 | mctx = EVP_MD_CTX_new(); |
1094 | if ( mctx == NULL || !EVP_DigestSignInit(mctx, &pkctx, rmd, NULL, rkey)) { | |
1095 | *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_INTERNALERROR, NULL); | |
1096 | goto end; | |
1097 | } | |
1098 | for (i = 0; i < sk_OPENSSL_STRING_num(sigopts); i++) { | |
1099 | char *sigopt = sk_OPENSSL_STRING_value(sigopts, i); | |
89623f84 | 1100 | |
b4dd21a7 DC |
1101 | if (pkey_ctrl_string(pkctx, sigopt) <= 0) { |
1102 | BIO_printf(err, "parameter error \"%s\"\n", sigopt); | |
1103 | ERR_print_errors(bio_err); | |
1104 | *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_INTERNALERROR, | |
1105 | NULL); | |
1106 | goto end; | |
1107 | } | |
1108 | } | |
72b89b8e DB |
1109 | if (!OCSP_basic_sign_ctx(bs, rcert, mctx, rother, flags)) { |
1110 | *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_INTERNALERROR, bs); | |
1111 | goto end; | |
1112 | } | |
0f113f3e | 1113 | |
6ef869d7 | 1114 | if (badsig) { |
a0754084 DSH |
1115 | const ASN1_OCTET_STRING *sig = OCSP_resp_get0_signature(bs); |
1116 | corrupt_signature(sig); | |
6ef869d7 | 1117 | } |
0f113f3e MC |
1118 | |
1119 | *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_SUCCESSFUL, bs); | |
1120 | ||
1121 | end: | |
89623f84 | 1122 | EVP_MD_CTX_free(mctx); |
0f113f3e MC |
1123 | ASN1_TIME_free(thisupd); |
1124 | ASN1_TIME_free(nextupd); | |
0f113f3e | 1125 | OCSP_BASICRESP_free(bs); |
0f113f3e | 1126 | } |
ee306a13 | 1127 | |
f85b68cd | 1128 | static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser) |
0f113f3e MC |
1129 | { |
1130 | int i; | |
1131 | BIGNUM *bn = NULL; | |
1132 | char *itmp, *row[DB_NUMBER], **rrow; | |
1133 | for (i = 0; i < DB_NUMBER; i++) | |
1134 | row[i] = NULL; | |
1135 | bn = ASN1_INTEGER_to_BN(ser, NULL); | |
1136 | OPENSSL_assert(bn); /* FIXME: should report an error at this | |
1137 | * point and abort */ | |
1138 | if (BN_is_zero(bn)) | |
7644a9ae | 1139 | itmp = OPENSSL_strdup("00"); |
0f113f3e MC |
1140 | else |
1141 | itmp = BN_bn2hex(bn); | |
1142 | row[DB_serial] = itmp; | |
1143 | BN_free(bn); | |
1144 | rrow = TXT_DB_get_by_index(db->db, DB_serial, row); | |
1145 | OPENSSL_free(itmp); | |
1146 | return rrow; | |
1147 | } | |
ee306a13 | 1148 | |
3e3c7c36 VD |
1149 | static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, |
1150 | int timeout) | |
0f113f3e | 1151 | { |
582311d7 DDO |
1152 | #ifndef OPENSSL_NO_SOCK |
1153 | return http_server_get_asn1_req(ASN1_ITEM_rptr(OCSP_RESPONSE), | |
1154 | (ASN1_VALUE **)preq, pcbio, acbio, | |
1155 | prog, 1 /* accept_get */, timeout); | |
1ae56f2f | 1156 | #else |
582311d7 DDO |
1157 | BIO_printf(bio_err, |
1158 | "Error getting OCSP request - sockets not supported\n"); | |
3e3c7c36 | 1159 | *preq = NULL; |
582311d7 | 1160 | return 0; |
1ae56f2f | 1161 | #endif |
0f113f3e | 1162 | } |
ee306a13 | 1163 | |
582311d7 | 1164 | static int send_ocsp_response(BIO *cbio, const OCSP_RESPONSE *resp) |
0f113f3e | 1165 | { |
582311d7 DDO |
1166 | #ifndef OPENSSL_NO_SOCK |
1167 | return http_server_send_asn1_resp(cbio, "application/ocsp-response", | |
1168 | ASN1_ITEM_rptr(OCSP_RESPONSE), | |
1169 | (const ASN1_VALUE *)resp); | |
1170 | #else | |
1171 | BIO_printf(bio_err, | |
1172 | "Error sending OCSP response - sockets not supported\n"); | |
1173 | return 0; | |
1174 | #endif | |
0f113f3e | 1175 | } |
ee306a13 | 1176 | |
1ae56f2f | 1177 | #ifndef OPENSSL_NO_SOCK |
7e1b7485 | 1178 | OCSP_RESPONSE *process_responder(OCSP_REQUEST *req, |
0f113f3e MC |
1179 | const char *host, const char *path, |
1180 | const char *port, int use_ssl, | |
82c49427 | 1181 | STACK_OF(CONF_VALUE) *headers, |
0f113f3e MC |
1182 | int req_timeout) |
1183 | { | |
0f113f3e MC |
1184 | SSL_CTX *ctx = NULL; |
1185 | OCSP_RESPONSE *resp = NULL; | |
ff4a9394 | 1186 | |
0f113f3e | 1187 | if (use_ssl == 1) { |
13c9bb3e | 1188 | ctx = SSL_CTX_new(TLS_client_method()); |
0f113f3e | 1189 | if (ctx == NULL) { |
7e1b7485 | 1190 | BIO_printf(bio_err, "Error creating SSL context.\n"); |
0f113f3e MC |
1191 | goto end; |
1192 | } | |
1193 | SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY); | |
0f113f3e | 1194 | } |
ff4a9394 | 1195 | |
29f178bd DDO |
1196 | resp = (OCSP_RESPONSE *) |
1197 | app_http_post_asn1(host, port, path, NULL, NULL /* no proxy used */, | |
1198 | ctx, headers, "application/ocsp-request", | |
1199 | (ASN1_VALUE *)req, ASN1_ITEM_rptr(OCSP_REQUEST), | |
1200 | req_timeout, ASN1_ITEM_rptr(OCSP_RESPONSE)); | |
1201 | ||
2234212c | 1202 | if (resp == NULL) |
0f113f3e | 1203 | BIO_printf(bio_err, "Error querying OCSP responder\n"); |
29f178bd | 1204 | |
0f113f3e | 1205 | end: |
62adbcee | 1206 | SSL_CTX_free(ctx); |
0f113f3e MC |
1207 | return resp; |
1208 | } | |
85d686e7 | 1209 | #endif |