1 /*
2 * Copyright 2001-2026 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <openssl/opensslconf.h>
11
12 #ifdef OPENSSL_SYS_VMS
13 /* So fd_set and friends get properly defined on OpenVMS */
14 #define _XOPEN_SOURCE_EXTENDED
15 #endif
16
17 #include <stdio.h>
18 #include <stdlib.h>
19 #include <string.h>
20 #include <time.h>
21 #include <ctype.h>
22
23 /* Needs to be included before the openssl headers */
24 #include "apps.h"
25 #include "http_server.h"
26 #include "progs.h"
27 #include "internal/sockets.h"
28 #include <openssl/e_os2.h>
29 #include <openssl/crypto.h>
30 #include <openssl/err.h>
31 #include <openssl/ssl.h>
32 #include <openssl/evp.h>
33 #include <openssl/bn.h>
34 #include <openssl/x509v3.h>
35
36 #if defined(OPENSSL_SYS_VXWORKS)
37 /* not supported */
/*
 * VxWorks has no process groups.  Report ENOSYS through errno but return
 * success so that a caller which only checks the return value carries on.
 */
int setpgid(pid_t pid, pid_t pgid)
{
    (void)pid;
    (void)pgid;
    errno = ENOSYS;
    return 0;
}
43 /* not supported */
/*
 * VxWorks cannot fork.  Behave like a failed system call: set errno to
 * ENOSYS and return (pid_t)-1.
 */
pid_t fork(void)
{
    const pid_t failed = (pid_t)-1;

    errno = ENOSYS;
    return failed;
}
49 #endif
50 /* Maximum leeway in validity period: default 5 minutes */
51 #define MAX_VALIDITY_PERIOD (5 * 60)
52
53 static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert,
54 const EVP_MD *cert_id_md, X509 *issuer,
55 STACK_OF(OCSP_CERTID) *ids);
56 static int add_ocsp_serial(OCSP_REQUEST **req, char *serial,
57 const EVP_MD *cert_id_md, X509 *issuer,
58 STACK_OF(OCSP_CERTID) *ids);
59 static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
60 STACK_OF(OPENSSL_STRING) *names,
61 STACK_OF(OCSP_CERTID) *ids, long nsec,
62 long maxage);
63 static void make_ocsp_response(BIO *err, OCSP_RESPONSE **resp, OCSP_REQUEST *req,
64 CA_DB *db, STACK_OF(X509) *ca, X509 *rcert,
65 EVP_PKEY *rkey, const EVP_MD *md,
66 STACK_OF(OPENSSL_STRING) *sigopts,
67 STACK_OF(X509) *rother, unsigned long flags,
68 int nmin, int ndays, int badsig,
69 const EVP_MD *resp_md);
70
71 static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser);
72 static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio,
73 int timeout);
74 static int send_ocsp_response(BIO *cbio, const OCSP_RESPONSE *resp);
75 static char *prog;
76
77 #ifdef HTTP_DAEMON
78 static int index_changed(CA_DB *);
79 #endif
80
/*
 * Option identifiers for the ocsp_options[] table.  OPT_COMMON supplies the
 * OPT_EOF/OPT_ERR/OPT_HELP values handled at the top of the switch in
 * ocsp_main(); OPT_V_ENUM and OPT_PROV_ENUM expand to the shared -verify
 * and -provider option ranges matched there by OPT_V_CASES and
 * OPT_PROV_CASES.
 */
typedef enum OPTION_choice {
    OPT_COMMON,
    OPT_OUTFILE,
    OPT_TIMEOUT,
    OPT_URL,
    OPT_HOST,
    OPT_PORT,
#ifndef OPENSSL_NO_SOCK
    OPT_PROXY,
    OPT_NO_PROXY,
#endif
    OPT_IGNORE_ERR,
    OPT_NOVERIFY,
    OPT_NONCE,
    OPT_NO_NONCE,
    OPT_RESP_NO_CERTS,
    OPT_RESP_KEY_ID,
    OPT_NO_CERTS,
    OPT_NO_SIGNATURE_VERIFY,
    OPT_NO_CERT_VERIFY,
    OPT_NO_CHAIN,
    OPT_NO_CERT_CHECKS,
    OPT_NO_EXPLICIT,
    OPT_TRUST_OTHER,
    OPT_NO_INTERN,
    OPT_BADSIG,
    OPT_TEXT,
    OPT_REQ_TEXT,
    OPT_RESP_TEXT,
    OPT_REQIN,
    OPT_RESPIN,
    OPT_SIGNER,
    OPT_VAFILE,
    OPT_SIGN_OTHER,
    OPT_VERIFY_OTHER,
    OPT_CAFILE,
    OPT_CAPATH,
    OPT_CASTORE,
    OPT_NOCAFILE,
    OPT_NOCAPATH,
    OPT_NOCASTORE,
    OPT_VALIDITY_PERIOD,
    OPT_STATUS_AGE,
    OPT_SIGNKEY,
    OPT_REQOUT,
    OPT_RESPOUT,
    OPT_PATH,
    OPT_ISSUER,
    OPT_CERT,
    OPT_SERIAL,
    OPT_INDEX,
    OPT_CA,
    OPT_NMIN,
    OPT_REQUEST,
    OPT_NDAYS,
    OPT_RSIGNER,
    OPT_RKEY,
    OPT_ROTHER,
    OPT_RMD,
    OPT_RSIGOPT,
    OPT_HEADER,
    OPT_PASSIN,
    OPT_RCID,
    OPT_V_ENUM,
    /* OPT_MD is the catch-all for unknown "-<digest>" options (opt_unknown()). */
    OPT_MD,
    OPT_MULTI,
    OPT_PROV_ENUM
} OPTION_CHOICE;
149
/*
 * Option table handed to opt_init() and opt_help() by ocsp_main().
 * OPT_SECTION() entries only group the help output; the array is
 * terminated by the { NULL } entry.
 */
const OPTIONS ocsp_options[] = {
    OPT_SECTION("General"),
    { "help", OPT_HELP, '-', "Display this summary" },
    { "ignore_err", OPT_IGNORE_ERR, '-',
      "Ignore error on OCSP request or response and continue running" },
    { "CAfile", OPT_CAFILE, '<', "Trusted certificates file" },
    { "CApath", OPT_CAPATH, '<', "Trusted certificates directory" },
    { "CAstore", OPT_CASTORE, ':', "Trusted certificates store URI" },
    { "no-CAfile", OPT_NOCAFILE, '-',
      "Do not load the default certificates file" },
    { "no-CApath", OPT_NOCAPATH, '-',
      "Do not load certificates from the default certificates directory" },
    { "no-CAstore", OPT_NOCASTORE, '-',
      "Do not load certificates from the default certificates store" },

    OPT_SECTION("Responder"),
    { "timeout", OPT_TIMEOUT, 'p',
      "Connection timeout (in seconds) to the OCSP responder" },
    { "resp_no_certs", OPT_RESP_NO_CERTS, '-',
      "Don't include any certificates in response" },
#ifdef HTTP_DAEMON
    { "multi", OPT_MULTI, 'p', "run multiple responder processes" },
#endif
    { "no_certs", OPT_NO_CERTS, '-',
      "Don't include any certificates in signed request" },
    { "badsig", OPT_BADSIG, '-',
      "Corrupt last byte of loaded OCSP response signature (for test)" },
    { "CA", OPT_CA, '<', "CA certificates" },
    { "nmin", OPT_NMIN, 'p', "Number of minutes before next update" },
    { "nrequest", OPT_REQUEST, 'p',
      "Number of requests to accept (default unlimited)" },
    { "reqin", OPT_REQIN, 's', "File with the DER-encoded request" },
    { "signer", OPT_SIGNER, '<', "Certificate to sign OCSP request with" },
    { "sign_other", OPT_SIGN_OTHER, '<',
      "Additional certificates to include in signed request" },
    { "index", OPT_INDEX, '<', "Certificate status index file" },
    { "ndays", OPT_NDAYS, 'p', "Number of days before next update" },
    { "rsigner", OPT_RSIGNER, '<',
      "Responder certificate to sign responses with" },
    { "rkey", OPT_RKEY, '<', "Responder key to sign responses with" },
    { "passin", OPT_PASSIN, 's', "Responder key pass phrase source" },
    { "rother", OPT_ROTHER, '<', "Other certificates to include in response" },
    { "rmd", OPT_RMD, 's', "Digest Algorithm to use in signature of OCSP response" },
    { "rsigopt", OPT_RSIGOPT, 's', "OCSP response signature parameter in n:v form" },
    { "header", OPT_HEADER, 's', "key=value header to add" },
    { "rcid", OPT_RCID, 's', "Use specified algorithm for cert id in response" },
    /* Empty name: matched for any unknown "-<digest>" option via opt_unknown(). */
    { "", OPT_MD, '-', "Any supported digest algorithm (sha1,sha256, ... )" },

    OPT_SECTION("Client"),
    { "url", OPT_URL, 's', "Responder URL" },
    { "host", OPT_HOST, 's', "TCP/IP hostname:port to connect to" },
    { "port", OPT_PORT, 'N', "Port to run responder on" },
    { "path", OPT_PATH, 's', "Path to use in OCSP request" },
#ifndef OPENSSL_NO_SOCK
    { "proxy", OPT_PROXY, 's',
      "[http[s]://]host[:port][/path] of HTTP(S) proxy to use; path is ignored" },
    { "no_proxy", OPT_NO_PROXY, 's',
      "List of addresses of servers not to use HTTP(S) proxy for" },
    { OPT_MORE_STR, 0, 0,
      "Default from environment variable 'no_proxy', else 'NO_PROXY', else none" },
#endif
    { "out", OPT_OUTFILE, '>', "Output filename" },
    { "noverify", OPT_NOVERIFY, '-', "Don't verify response at all" },
    { "nonce", OPT_NONCE, '-', "Add OCSP nonce to request" },
    { "no_nonce", OPT_NO_NONCE, '-', "Don't add OCSP nonce to request" },
    { "no_signature_verify", OPT_NO_SIGNATURE_VERIFY, '-',
      "Don't check signature on response" },
    { "resp_key_id", OPT_RESP_KEY_ID, '-',
      "Identify response by signing certificate key ID" },
    { "no_cert_verify", OPT_NO_CERT_VERIFY, '-',
      "Don't check signing certificate" },
    { "text", OPT_TEXT, '-', "Print text form of request and response" },
    { "req_text", OPT_REQ_TEXT, '-', "Print text form of request" },
    { "resp_text", OPT_RESP_TEXT, '-', "Print text form of response" },
    { "no_chain", OPT_NO_CHAIN, '-', "Don't chain verify response" },
    { "no_cert_checks", OPT_NO_CERT_CHECKS, '-',
      "Don't do additional checks on signing certificate" },
    { "no_explicit", OPT_NO_EXPLICIT, '-',
      "Do not explicitly check the chain, just verify the root" },
    { "trust_other", OPT_TRUST_OTHER, '-',
      "Don't verify additional certificates" },
    { "no_intern", OPT_NO_INTERN, '-',
      "Don't search certificates contained in response for signer" },
    { "respin", OPT_RESPIN, 's', "File with the DER-encoded response" },
    { "VAfile", OPT_VAFILE, '<', "Validator certificates file" },
    { "verify_other", OPT_VERIFY_OTHER, '<',
      "Additional certificates to search for signer" },
    { "cert", OPT_CERT, '<',
      "Certificate to check; may be given multiple times" },
    { "serial", OPT_SERIAL, 's',
      "Serial number to check; may be given multiple times" },
    { "validity_period", OPT_VALIDITY_PERIOD, 'u',
      "Maximum validity discrepancy in seconds" },
    { "signkey", OPT_SIGNKEY, 's', "Private key to sign OCSP request with" },
    { "reqout", OPT_REQOUT, 's', "Output file for the DER-encoded request" },
    { "respout", OPT_RESPOUT, 's', "Output file for the DER-encoded response" },
    { "issuer", OPT_ISSUER, '<', "Issuer certificate" },
    { "status_age", OPT_STATUS_AGE, 'p', "Maximum status age in seconds" },

    OPT_V_OPTIONS,
    OPT_PROV_OPTIONS,
    { NULL }
};
253
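/*
 * Entry point of the "openssl ocsp" command.
 *
 * Depending on the options it acts as an OCSP client (build a request from
 * -cert/-serial or read it with -reqin, optionally sign it, send it to
 * -url/-host and verify the response), as a responder (-index together with
 * -rsigner/-rkey/-CA, answering requests received on -port or read from
 * -reqin), or as an offline tool that prints and verifies a response read
 * with -respin.
 *
 * Returns 0 on success and 1 on error.  Every failure path jumps to "end:"
 * so that all objects are released exactly once.
 */
int ocsp_main(int argc, char **argv)
{
    BIO *acbio = NULL, *cbio = NULL, *derbio = NULL, *out = NULL;
    EVP_MD *cert_id_md = NULL, *rsign_md = NULL;
    STACK_OF(OPENSSL_STRING) *rsign_sigopts = NULL;
    /* Set when a digest option was seen after the last -cert/-serial. */
    int trailing_md = 0;
    CA_DB *rdb = NULL;
    EVP_PKEY *key = NULL, *rkey = NULL;
    OCSP_BASICRESP *bs = NULL;
    OCSP_REQUEST *req = NULL;
    OCSP_RESPONSE *resp = NULL;
    STACK_OF(CONF_VALUE) *headers = NULL;
    /* ids and reqnames are filled in lockstep by -cert/-serial. */
    STACK_OF(OCSP_CERTID) *ids = NULL;
    STACK_OF(OPENSSL_STRING) *reqnames = NULL;
    STACK_OF(X509) *sign_other = NULL, *verify_other = NULL, *rother = NULL;
    STACK_OF(X509) *issuers = NULL;
    X509 *issuer = NULL, *cert = NULL;
    STACK_OF(X509) *rca_certs = NULL;
    EVP_MD *resp_certid_md = NULL;
    X509 *signer = NULL, *rsigner = NULL;
    X509_STORE *store = NULL;
    X509_VERIFY_PARAM *vpm = NULL;
    const char *CAfile = NULL, *CApath = NULL, *CAstore = NULL;
    char *header, *value, *respdigname = NULL;
    char *host = NULL, *port = NULL, *path = "/", *outfile = NULL;
#ifndef OPENSSL_NO_SOCK
    char *opt_proxy = NULL;
    char *opt_no_proxy = NULL;
#endif
    char *rca_filename = NULL, *reqin = NULL, *respin = NULL;
    char *reqout = NULL, *respout = NULL, *ridx_filename = NULL;
    char *rsignfile = NULL, *rkeyfile = NULL;
    char *passinarg = NULL, *passin = NULL;
    char *sign_certfile = NULL, *verify_certfile = NULL, *rcertfile = NULL;
    char *signfile = NULL, *keyfile = NULL;
    /* Owned copies produced by -url; host/port/path may alias them. */
    char *thost = NULL, *tport = NULL, *tpath = NULL;
    int noCAfile = 0, noCApath = 0, noCAstore = 0;
    /* add_nonce: 1 = default, 2 = -nonce given explicitly, 0 = -no_nonce. */
    int accept_count = -1, add_nonce = 1, noverify = 0, use_ssl = -1;
    int vpmtouched = 0, badsig = 0, i, ignore_err = 0, nmin = 0, ndays = -1;
    int req_text = 0, resp_text = 0, res, ret = 1;
    int req_timeout = -1;
    long nsec = MAX_VALIDITY_PERIOD, maxage = -1;
    unsigned long sign_flags = 0, verify_flags = 0, rflags = 0;
    OPTION_CHOICE o;

    if ((reqnames = sk_OPENSSL_STRING_new_null()) == NULL
        || (ids = sk_OCSP_CERTID_new_null()) == NULL
        || (vpm = X509_VERIFY_PARAM_new()) == NULL)
        goto end;

    /* Unrecognised "-xxx" options are treated as digest names (OPT_MD). */
    opt_set_unknown_name("digest");
    prog = opt_init(argc, argv, ocsp_options);
    while ((o = opt_next()) != OPT_EOF) {
        switch (o) {
        case OPT_EOF:
        case OPT_ERR:
 opthelp:
            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
            goto end;
        case OPT_HELP:
            ret = 0;
            opt_help(ocsp_options);
            goto end;
        case OPT_OUTFILE:
            outfile = opt_arg();
            break;
        case OPT_TIMEOUT:
#ifndef OPENSSL_NO_SOCK
            /* Parsed like -nmin/-nrequest rather than through unchecked atoi(). */
            req_timeout = opt_int_arg();
#endif
            break;
        case OPT_URL:
            /* A later -url replaces everything parsed from an earlier one. */
            OPENSSL_free(thost);
            OPENSSL_free(tport);
            OPENSSL_free(tpath);
            thost = tport = tpath = NULL;
            if (!OSSL_HTTP_parse_url(opt_arg(), &use_ssl, NULL /* userinfo */,
                                     &host, &port, NULL /* port_num */,
                                     &path, NULL /* qry */, NULL /* frag */)) {
                BIO_printf(bio_err, "%s Error parsing -url argument\n", prog);
                goto end;
            }
            /* Keep the allocated strings so "end:" can release them. */
            thost = host;
            tport = port;
            tpath = path;
            break;
        case OPT_HOST:
            host = opt_arg();
            break;
        case OPT_PORT:
            port = opt_arg();
            break;
        case OPT_PATH:
            path = opt_arg();
            break;
#ifndef OPENSSL_NO_SOCK
        case OPT_PROXY:
            opt_proxy = opt_arg();
            break;
        case OPT_NO_PROXY:
            opt_no_proxy = opt_arg();
            break;
#endif
        case OPT_IGNORE_ERR:
            ignore_err = 1;
            break;
        case OPT_NOVERIFY:
            noverify = 1;
            break;
        case OPT_NONCE:
            add_nonce = 2;
            break;
        case OPT_NO_NONCE:
            add_nonce = 0;
            break;
        case OPT_RESP_NO_CERTS:
            rflags |= OCSP_NOCERTS;
            break;
        case OPT_RESP_KEY_ID:
            rflags |= OCSP_RESPID_KEY;
            break;
        case OPT_NO_CERTS:
            sign_flags |= OCSP_NOCERTS;
            break;
        case OPT_NO_SIGNATURE_VERIFY:
            verify_flags |= OCSP_NOSIGS;
            break;
        case OPT_NO_CERT_VERIFY:
            verify_flags |= OCSP_NOVERIFY;
            break;
        case OPT_NO_CHAIN:
            verify_flags |= OCSP_NOCHAIN;
            break;
        case OPT_NO_CERT_CHECKS:
            verify_flags |= OCSP_NOCHECKS;
            break;
        case OPT_NO_EXPLICIT:
            verify_flags |= OCSP_NOEXPLICIT;
            break;
        case OPT_TRUST_OTHER:
            verify_flags |= OCSP_TRUSTOTHER;
            break;
        case OPT_NO_INTERN:
            verify_flags |= OCSP_NOINTERN;
            break;
        case OPT_BADSIG:
            badsig = 1;
            break;
        case OPT_TEXT:
            req_text = resp_text = 1;
            break;
        case OPT_REQ_TEXT:
            req_text = 1;
            break;
        case OPT_RESP_TEXT:
            resp_text = 1;
            break;
        case OPT_REQIN:
            reqin = opt_arg();
            break;
        case OPT_RESPIN:
            respin = opt_arg();
            break;
        case OPT_SIGNER:
            signfile = opt_arg();
            break;
        case OPT_VAFILE:
            /* -VAfile implies trusting the certificates it contains. */
            verify_certfile = opt_arg();
            verify_flags |= OCSP_TRUSTOTHER;
            break;
        case OPT_SIGN_OTHER:
            sign_certfile = opt_arg();
            break;
        case OPT_VERIFY_OTHER:
            verify_certfile = opt_arg();
            break;
        case OPT_CAFILE:
            CAfile = opt_arg();
            break;
        case OPT_CAPATH:
            CApath = opt_arg();
            break;
        case OPT_CASTORE:
            CAstore = opt_arg();
            break;
        case OPT_NOCAFILE:
            noCAfile = 1;
            break;
        case OPT_NOCAPATH:
            noCApath = 1;
            break;
        case OPT_NOCASTORE:
            noCAstore = 1;
            break;
        case OPT_V_CASES:
            if (!opt_verify(o, vpm))
                goto end;
            vpmtouched++;
            break;
        case OPT_VALIDITY_PERIOD:
            /* opt_long() reports its own error; do not run on with a stale value. */
            if (!opt_long(opt_arg(), &nsec))
                goto opthelp;
            break;
        case OPT_STATUS_AGE:
            if (!opt_long(opt_arg(), &maxage))
                goto opthelp;
            break;
        case OPT_SIGNKEY:
            keyfile = opt_arg();
            break;
        case OPT_REQOUT:
            reqout = opt_arg();
            break;
        case OPT_RESPOUT:
            respout = opt_arg();
            break;
        case OPT_ISSUER:
            /*
             * The most recent -issuer applies to the following -cert/-serial;
             * all issuers are kept in |issuers| (which owns them) for the
             * fallback verification further down.
             */
            issuer = load_cert(opt_arg(), FORMAT_UNDEF, "issuer certificate");
            if (issuer == NULL)
                goto end;
            if (issuers == NULL) {
                if ((issuers = sk_X509_new_null()) == NULL)
                    goto end;
            }
            if (!sk_X509_push(issuers, issuer))
                goto end;
            break;
        case OPT_CERT:
            reset_unknown();
            X509_free(cert);
            cert = load_cert(opt_arg(), FORMAT_UNDEF, "certificate");
            if (cert == NULL)
                goto end;
            if (cert_id_md == NULL)
                cert_id_md = (EVP_MD *)EVP_sha1();
            if (!add_ocsp_cert(&req, cert, cert_id_md, issuer, ids))
                goto end;
            if (!sk_OPENSSL_STRING_push(reqnames, opt_arg()))
                goto end;
            trailing_md = 0;
            break;
        case OPT_SERIAL:
            reset_unknown();
            if (cert_id_md == NULL)
                cert_id_md = (EVP_MD *)EVP_sha1();
            if (!add_ocsp_serial(&req, opt_arg(), cert_id_md, issuer, ids))
                goto end;
            if (!sk_OPENSSL_STRING_push(reqnames, opt_arg()))
                goto end;
            trailing_md = 0;
            break;
        case OPT_INDEX:
            ridx_filename = opt_arg();
            break;
        case OPT_CA:
            rca_filename = opt_arg();
            break;
        case OPT_NMIN:
            nmin = opt_int_arg();
            /* -nmin alone still yields a nextUpdate (ndays == -1 means none). */
            if (ndays == -1)
                ndays = 0;
            break;
        case OPT_REQUEST:
            accept_count = opt_int_arg();
            break;
        case OPT_NDAYS:
            /* Same parsing as -nmin, not atoi(). */
            ndays = opt_int_arg();
            break;
        case OPT_RSIGNER:
            rsignfile = opt_arg();
            break;
        case OPT_RKEY:
            rkeyfile = opt_arg();
            break;
        case OPT_PASSIN:
            passinarg = opt_arg();
            break;
        case OPT_ROTHER:
            rcertfile = opt_arg();
            break;
        case OPT_RMD: /* Response MessageDigest */
            respdigname = opt_arg();
            break;
        case OPT_RSIGOPT:
            if (rsign_sigopts == NULL)
                rsign_sigopts = sk_OPENSSL_STRING_new_null();
            if (rsign_sigopts == NULL
                || !sk_OPENSSL_STRING_push(rsign_sigopts, opt_arg()))
                goto end;
            break;
        case OPT_HEADER:
            /* Split "key=value" in place; the argv string is ours to edit. */
            header = opt_arg();
            value = strchr(header, '=');
            if (value == NULL) {
                BIO_printf(bio_err, "Missing = in header key=value\n");
                goto opthelp;
            }
            *value++ = '\0';
            if (!X509V3_add_value(header, value, &headers))
                goto end;
            break;
        case OPT_RCID:
            if (!opt_md(opt_arg(), &resp_certid_md))
                goto opthelp;
            break;
        case OPT_MD:
            /* A digest name must precede the -cert/-serial it applies to. */
            if (trailing_md) {
                BIO_printf(bio_err,
                           "%s: Digest must be before -cert or -serial\n",
                           prog);
                goto opthelp;
            }
            if (!opt_md(opt_unknown(), &cert_id_md))
                goto opthelp;
            trailing_md = 1;
            break;
        case OPT_MULTI:
#ifdef HTTP_DAEMON
            n_responders = opt_int_arg();
#endif
            break;
        case OPT_PROV_CASES:
            if (!opt_provider(o))
                goto end;
            break;
        }
    }

    /* No extra arguments. */
    if (!opt_check_rest_arg(NULL))
        goto opthelp;

    if (trailing_md) {
        BIO_printf(bio_err, "%s: Digest must be before -cert or -serial\n",
                   prog);
        goto opthelp;
    }

    if (respdigname != NULL) {
        if (!opt_md(respdigname, &rsign_md))
            goto end;
    }

    /* Have we anything to do? */
    if (req == NULL && reqin == NULL
        && respin == NULL && !(port != NULL && ridx_filename != NULL))
        goto opthelp;

    /*
     * A request that is read from -reqin or received on -port only gets a
     * nonce when -nonce was given explicitly.
     */
    if (req == NULL && (add_nonce != 2))
        add_nonce = 0;

    if (req == NULL && reqin != NULL) {
        derbio = bio_open_default(reqin, 'r', FORMAT_ASN1);
        if (derbio == NULL)
            goto end;
        req = d2i_OCSP_REQUEST_bio(derbio, NULL);
        BIO_free(derbio);
        if (req == NULL) {
            BIO_printf(bio_err, "Error reading OCSP request\n");
            goto end;
        }
    }

    if (req == NULL && port != NULL) {
#ifndef OPENSSL_NO_SOCK
        acbio = http_server_init(prog, port, -1);
        if (acbio == NULL)
            goto end;
#else
        BIO_printf(bio_err, "Cannot act as server - sockets not supported\n");
        goto end;
#endif
    }

    if (rsignfile != NULL) {
        /* -rkey defaults to the -rsigner file. */
        if (rkeyfile == NULL)
            rkeyfile = rsignfile;
        rsigner = load_cert(rsignfile, FORMAT_UNDEF, "responder certificate");
        if (rsigner == NULL) {
            BIO_printf(bio_err, "Error loading responder certificate\n");
            goto end;
        }
        if (!load_certs(rca_filename, 0, &rca_certs, NULL, "CA certificates"))
            goto end;
        if (rcertfile != NULL) {
            if (!load_certs(rcertfile, 0, &rother, NULL,
                            "responder other certificates"))
                goto end;
        }
        if (!app_passwd(passinarg, NULL, &passin, NULL)) {
            BIO_printf(bio_err, "Error getting password\n");
            goto end;
        }
        rkey = load_key(rkeyfile, FORMAT_UNDEF, 0, passin, NULL,
                        "responder private key");
        if (rkey == NULL)
            goto end;
    }

    if (ridx_filename != NULL
        && (rkey == NULL || rsigner == NULL || rca_certs == NULL)) {
        BIO_printf(bio_err,
                   "Responder mode requires certificate, key, and CA.\n");
        goto end;
    }

    if (ridx_filename != NULL) {
        rdb = load_index(ridx_filename, NULL);
        if (rdb == NULL || index_index(rdb) <= 0) {
            BIO_printf(bio_err,
                       "Problem with index file: %s (could not load/parse file)\n",
                       ridx_filename);
            ret = 1;
            goto end;
        }
    }

#ifdef HTTP_DAEMON
    if (n_responders != 0 && acbio != NULL)
        spawn_loop(prog);
    if (acbio != NULL && req_timeout > 0)
        signal(SIGALRM, socket_timeout);
#endif

    if (acbio != NULL)
        trace_log_message(-1, prog,
                          LOG_INFO, "waiting for OCSP client connections...");

 redo_accept:

    if (acbio != NULL) {
#ifdef HTTP_DAEMON
        /* Pick up an index file that was rewritten while we were serving. */
        if (index_changed(rdb)) {
            CA_DB *newrdb = load_index(ridx_filename, NULL);

            if (newrdb != NULL && index_index(newrdb) > 0) {
                free_index(rdb);
                rdb = newrdb;
            } else {
                /* Keep answering from the previous index rather than stop. */
                free_index(newrdb);
                trace_log_message(-1, prog,
                                  LOG_ERR, "error reloading updated index: %s",
                                  ridx_filename);
            }
        }
#endif

        req = NULL;
        res = do_responder(&req, &cbio, acbio, req_timeout);
        if (res == 0)
            goto redo_accept;

        if (req == NULL) {
            /* A connection was handled but no request could be parsed. */
            if (res == 1) {
                resp = OCSP_response_create(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST,
                                            NULL);
                if (resp != NULL)
                    send_ocsp_response(cbio, resp);
            }
            goto done_resp;
        }
    }

    if (req == NULL
        && (signfile != NULL || reqout != NULL
            || host != NULL || add_nonce || ridx_filename != NULL)) {
        BIO_printf(bio_err, "Need an OCSP request for this operation!\n");
        goto end;
    }

    if (req != NULL && add_nonce) {
        if (!OCSP_request_add1_nonce(req, NULL, -1))
            goto end;
    }

    if (signfile != NULL) {
        /* -signkey defaults to the -signer file. */
        if (keyfile == NULL)
            keyfile = signfile;
        signer = load_cert(signfile, FORMAT_UNDEF, "signer certificate");
        if (signer == NULL) {
            BIO_printf(bio_err, "Error loading signer certificate\n");
            goto end;
        }
        if (sign_certfile != NULL) {
            if (!load_certs(sign_certfile, 0, &sign_other, NULL,
                            "signer certificates"))
                goto end;
        }
        key = load_key(keyfile, FORMAT_UNDEF, 0, NULL, NULL,
                       "signer private key");
        if (key == NULL)
            goto end;

        if (!OCSP_request_sign(req, signer, key, NULL,
                               sign_other, sign_flags)) {
            BIO_printf(bio_err, "Error signing OCSP request\n");
            goto end;
        }
    }

    out = bio_open_default(outfile, 'w', FORMAT_TEXT);
    if (out == NULL)
        goto end;

    if (req_text && req != NULL)
        OCSP_REQUEST_print(out, req, 0);

    if (reqout != NULL) {
        derbio = bio_open_default(reqout, 'w', FORMAT_ASN1);
        if (derbio == NULL)
            goto end;
        /* i2d_*_bio() returns 1 on success, 0 on an encoding/write failure. */
        res = i2d_OCSP_REQUEST_bio(derbio, req);
        BIO_free(derbio);
        if (!res) {
            BIO_printf(bio_err, "Error writing OCSP request\n");
            goto end;
        }
    }

    if (rdb != NULL) {
        make_ocsp_response(bio_err, &resp, req, rdb, rca_certs, rsigner, rkey,
                           rsign_md, rsign_sigopts, rother, rflags, nmin, ndays,
                           badsig, resp_certid_md);
        if (resp == NULL)
            goto end;
        if (cbio != NULL)
            send_ocsp_response(cbio, resp);
    } else if (host != NULL) {
#ifndef OPENSSL_NO_SOCK
        resp = process_responder(req, host, port, path, opt_proxy, opt_no_proxy,
                                 use_ssl, headers, req_timeout);
        if (resp == NULL)
            goto end;
#else
        BIO_printf(bio_err,
                   "Error creating connect BIO - sockets not supported\n");
        goto end;
#endif
    } else if (respin != NULL) {
        derbio = bio_open_default(respin, 'r', FORMAT_ASN1);
        if (derbio == NULL)
            goto end;
        resp = d2i_OCSP_RESPONSE_bio(derbio, NULL);
        BIO_free(derbio);
        if (resp == NULL) {
            BIO_printf(bio_err, "Error reading OCSP response\n");
            goto end;
        }
    } else {
        /* Only a request was produced (e.g. -reqout); nothing else to do. */
        ret = 0;
        goto end;
    }

 done_resp:

    /* The responder loop may arrive here without a response; skip then. */
    if (respout != NULL && resp != NULL) {
        derbio = bio_open_default(respout, 'w', FORMAT_ASN1);
        if (derbio == NULL)
            goto end;
        res = i2d_OCSP_RESPONSE_bio(derbio, resp);
        BIO_free(derbio);
        if (!res) {
            BIO_printf(bio_err, "Error writing OCSP response\n");
            goto end;
        }
    }

    if (resp != NULL) {
        i = OCSP_response_status(resp);
        if (i != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
            BIO_printf(out, "Responder Error: %s (%d)\n",
                       OCSP_response_status_str(i), i);
            if (!ignore_err)
                goto end;
        }

        if (resp_text)
            OCSP_RESPONSE_print(out, resp, 0);
    }

    /* If running as responder don't verify our own response */
    if (cbio != NULL) {
        /* If not unlimited, see if we took all we should. */
        if (accept_count != -1 && --accept_count <= 0) {
            ret = 0;
            goto end;
        }
        BIO_free_all(cbio);
        cbio = NULL;
        OCSP_REQUEST_free(req);
        req = NULL;
        OCSP_RESPONSE_free(resp);
        resp = NULL;
        goto redo_accept;
    }
    if (ridx_filename != NULL) {
        ret = 0;
        goto end;
    }

    /* This point is reached at most once, so |store| is still NULL here. */
    store = setup_verify(CAfile, noCAfile, CApath, noCApath,
                         CAstore, noCAstore);
    if (store == NULL)
        goto end;
    if (vpmtouched)
        X509_STORE_set1_param(store, vpm);
    if (verify_certfile != NULL) {
        if (!load_certs(verify_certfile, 0, &verify_other, NULL,
                        "validator certificates"))
            goto end;
    }

    bs = OCSP_response_get1_basic(resp);
    if (bs == NULL) {
        BIO_printf(bio_err, "Error parsing response\n");
        goto end;
    }

    ret = 0;

    if (!noverify) {
        /* OCSP_check_nonce(): -1 = no nonce in response, 0 = mismatch. */
        if (req != NULL && ((i = OCSP_check_nonce(req, bs)) <= 0)) {
            if (i == -1)
                BIO_printf(bio_err, "WARNING: no nonce in response\n");
            else {
                BIO_printf(bio_err, "Nonce Verify error\n");
                ret = 1;
                goto end;
            }
        }

        i = OCSP_basic_verify(bs, verify_other, store, verify_flags);
        /* Fall back to accepting the -issuer certificates as trusted signers. */
        if (i <= 0 && issuers) {
            i = OCSP_basic_verify(bs, issuers, store, OCSP_TRUSTOTHER);
            if (i > 0)
                ERR_clear_error();
        }
        if (i <= 0) {
            BIO_printf(bio_err, "Response Verify Failure\n");
            ERR_print_errors(bio_err);
            ret = 1;
        } else {
            BIO_printf(bio_err, "Response verify OK\n");
        }
    }

    if (!print_ocsp_summary(out, bs, req, reqnames, ids, nsec, maxage))
        ret = 1;

 end:
    ERR_print_errors(bio_err);
    X509_free(signer);
    X509_STORE_free(store);
    X509_VERIFY_PARAM_free(vpm);
    sk_OPENSSL_STRING_free(rsign_sigopts);
    EVP_PKEY_free(key);
    EVP_PKEY_free(rkey);
    EVP_MD_free(cert_id_md);
    EVP_MD_free(rsign_md);
    EVP_MD_free(resp_certid_md);
    X509_free(cert);
    OSSL_STACK_OF_X509_free(issuers);
    X509_free(rsigner);
    OSSL_STACK_OF_X509_free(rca_certs);
    free_index(rdb);
    BIO_free_all(cbio);
    BIO_free_all(acbio);
    BIO_free_all(out);
    OCSP_REQUEST_free(req);
    OCSP_RESPONSE_free(resp);
    OCSP_BASICRESP_free(bs);
    sk_OPENSSL_STRING_free(reqnames);
    /* |ids| does not own its entries; they belong to |req|. */
    sk_OCSP_CERTID_free(ids);
    OSSL_STACK_OF_X509_free(sign_other);
    OSSL_STACK_OF_X509_free(verify_other);
    sk_CONF_VALUE_pop_free(headers, X509V3_conf_free);
    OPENSSL_free(thost);
    OPENSSL_free(tport);
    OPENSSL_free(tpath);

    return ret;
}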
928
929 #ifdef HTTP_DAEMON
930
/*
 * Report whether the index file backing |rdb| differs on disk from the
 * metadata recorded when it was loaded (rdb->dbst).  Returns 1 if it looks
 * changed, 0 if unchanged, if |rdb| is NULL, or if the file cannot be
 * stat'ed.
 */
static int index_changed(CA_DB *rdb)
{
    struct stat now;

    if (rdb == NULL || stat(rdb->dbfname, &now) == -1)
        return 0;

    /* Same mtime, ctime, inode and device: nothing to reload. */
    if (rdb->dbst.st_mtime == now.st_mtime
        && rdb->dbst.st_ctime == now.st_ctime
        && rdb->dbst.st_ino == now.st_ino
        && rdb->dbst.st_dev == now.st_dev)
        return 0;

    syslog(LOG_INFO, "index file changed, reloading");
    return 1;
}
946
947 #endif
948
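/*
 * Add a certificate id for |cert| (issued by |issuer|, hashed with
 * |cert_id_md|) to *req, creating the request on first use, and record the
 * id in |ids| so print_ocsp_summary() can match it against the response.
 *
 * Ownership: the id is owned by *req (add0).  |ids| only holds a reference,
 * which is why the caller frees it with sk_OCSP_CERTID_free(), not
 * pop_free().
 *
 * Returns 1 on success, 0 on error (a message is printed to bio_err).
 */
static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert,
                         const EVP_MD *cert_id_md, X509 *issuer,
                         STACK_OF(OCSP_CERTID) *ids)
{
    OCSP_CERTID *id;

    if (issuer == NULL) {
        BIO_printf(bio_err, "No issuer certificate specified\n");
        return 0;
    }
    if (*req == NULL)
        *req = OCSP_REQUEST_new();
    if (*req == NULL)
        goto err;
    id = OCSP_cert_to_id(cert_id_md, cert, issuer);
    if (id == NULL)
        goto err;
    /*
     * Transfer the id to the request before recording it in |ids|: on
     * failure the id is still ours and is freed here, and a failed push
     * afterwards leaves no orphaned object.
     */
    if (!OCSP_request_add0_id(*req, id)) {
        OCSP_CERTID_free(id);
        goto err;
    }
    if (!sk_OCSP_CERTID_push(ids, id))
        goto err;
    return 1;

 err:
    BIO_printf(bio_err, "Error Creating OCSP request\n");
    return 0;
}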
974
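/*
 * Add a certificate id built from the textual serial number |serial| and
 * the subject name / public key of |issuer| (hashed with |cert_id_md|) to
 * *req, creating the request on first use, and record the id in |ids| for
 * print_ocsp_summary().
 *
 * Ownership: the id is owned by *req (add0); |ids| only holds a reference.
 *
 * Returns 1 on success, 0 on error (a message is printed to bio_err).
 */
static int add_ocsp_serial(OCSP_REQUEST **req, char *serial,
                           const EVP_MD *cert_id_md, X509 *issuer,
                           STACK_OF(OCSP_CERTID) *ids)
{
    OCSP_CERTID *id;
    const X509_NAME *iname;
    ASN1_BIT_STRING *ikey;
    ASN1_INTEGER *sno;

    if (issuer == NULL) {
        BIO_printf(bio_err, "No issuer certificate specified\n");
        return 0;
    }
    if (*req == NULL)
        *req = OCSP_REQUEST_new();
    if (*req == NULL)
        goto err;
    iname = X509_get_subject_name(issuer);
    ikey = X509_get0_pubkey_bitstr(issuer);
    sno = s2i_ASN1_INTEGER(NULL, serial);
    if (sno == NULL) {
        BIO_printf(bio_err, "Error converting serial number %s\n", serial);
        return 0;
    }
    id = OCSP_cert_id_new(cert_id_md, iname, ikey, sno);
    /* OCSP_cert_id_new() copies the serial, so it can be released now. */
    ASN1_INTEGER_free(sno);
    if (id == NULL)
        goto err;
    /*
     * Transfer the id to the request before recording it in |ids|: on
     * failure the id is still ours and is freed here, and a failed push
     * afterwards leaves no orphaned object.
     */
    if (!OCSP_request_add0_id(*req, id)) {
        OCSP_CERTID_free(id);
        goto err;
    }
    if (!sk_OCSP_CERTID_push(ids, id))
        goto err;
    return 1;

 err:
    BIO_printf(bio_err, "Error Creating OCSP request\n");
    return 0;
}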
1011
/* Print |label|, the time |t| and a newline on one line of |out|. */
static void print_time_line(BIO *out, const char *label,
                            ASN1_GENERALIZEDTIME *t)
{
    BIO_puts(out, label);
    ASN1_GENERALIZEDTIME_print(out, t);
    BIO_puts(out, "\n");
}

/*
 * Print, for every certificate id in |ids| (labelled by the matching entry
 * of |names|), the status found in the basic response |bs|: status string,
 * thisUpdate/nextUpdate, and for revoked certificates the reason and the
 * revocation time.  |nsec| and |maxage| are passed to OCSP_check_validity();
 * an invalid validity window is reported as a warning on |out| but does not
 * fail the summary.
 *
 * Returns 1 if there was nothing to print or every id had a status, 0 if
 * |bs|/|ids| are missing or at least one id had no status in the response.
 */
static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
                              STACK_OF(OPENSSL_STRING) *names,
                              STACK_OF(OCSP_CERTID) *ids, long nsec,
                              long maxage)
{
    int idx, n_ids;
    int all_found = 1;

    /* No locally built request, or no named entries: nothing to report. */
    if (req == NULL || sk_OPENSSL_STRING_num(names) == 0)
        return 1;

    if (bs == NULL || sk_OCSP_CERTID_num(ids) == 0)
        return 0;

    n_ids = sk_OCSP_CERTID_num(ids);
    for (idx = 0; idx < n_ids; idx++) {
        OCSP_CERTID *cid = sk_OCSP_CERTID_value(ids, idx);
        const char *label = sk_OPENSSL_STRING_value(names, idx);
        int status, reason;
        ASN1_GENERALIZEDTIME *revtime, *thisupd, *nextupd;

        BIO_printf(out, "%s: ", label);

        if (!OCSP_resp_find_status(bs, cid, &status, &reason,
                                   &revtime, &thisupd, &nextupd)) {
            BIO_puts(out, "ERROR: No Status found.\n");
            all_found = 0;
            continue;
        }

        /*
         * Report an invalid validity window on the output BIO, next to the
         * entry it belongs to, rather than only on the error stream.
         */
        if (!OCSP_check_validity(thisupd, nextupd, nsec, maxage)) {
            BIO_puts(out, "WARNING: Status times invalid.\n");
            ERR_print_errors(out);
        }
        BIO_printf(out, "%s\n", OCSP_cert_status_str(status));

        print_time_line(out, "\tThis Update: ", thisupd);
        if (nextupd != NULL)
            print_time_line(out, "\tNext Update: ", nextupd);

        /* Reason and revocation time only exist for revoked certificates. */
        if (status == V_OCSP_CERTSTATUS_REVOKED) {
            if (reason != -1)
                BIO_printf(out, "\tReason: %s\n", OCSP_crl_reason_str(reason));
            print_time_line(out, "\tRevocation Time: ", revtime);
        }
    }
    return all_found;
}
1073
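/*
 * Find the CA certificate in |ca| that issued the certificate identified by
 * |cid|, comparing the issuer name/key hashes computed with |cert_id_md|
 * (the digest the request itself used).
 *
 * Returns 1 if a matching issuer was found, 0 if none matched and -1 on
 * failure (a certificate id could not be built).  When an issuer matches
 * and |resp_md| is non-NULL, *pcid_resp_md receives a newly allocated id
 * for the same issuer hashed with |resp_md|, to be freed by the caller; it
 * is NULL in every other case.
 */
static int find_issuer_in_ca(OCSP_CERTID *cid, const EVP_MD *cert_id_md,
                             STACK_OF(X509) *ca, const EVP_MD *resp_md,
                             OCSP_CERTID **pcid_resp_md)
{
    int jj;

    *pcid_resp_md = NULL;
    for (jj = 0; jj < sk_X509_num(ca); jj++) {
        X509 *ca_cert = sk_X509_value(ca, jj);
        OCSP_CERTID *ca_id = OCSP_cert_to_id(cert_id_md, NULL, ca_cert);
        int match;

        if (ca_id == NULL)
            return -1;
        match = OCSP_id_issuer_cmp(ca_id, cid) == 0;
        OCSP_CERTID_free(ca_id);
        if (!match)
            continue;
        if (resp_md != NULL) {
            /*
             * Re-hash with the configured response digest.  A failure here
             * is an error, not a silent fall-back to the request's digest.
             */
            *pcid_resp_md = OCSP_cert_to_id(resp_md, NULL, ca_cert);
            if (*pcid_resp_md == NULL)
                return -1;
        }
        return 1;
    }
    return 0;
}

/*
 * Add a REVOKED single response for |cid| to |bs|.  The revocation time,
 * reason, hold instruction and invalidity date are decoded from the index
 * row's revocation field |rev_info| by unpack_revinfo(); an invalidity date
 * is preferred over a hold instruction as the single extension, as before.
 *
 * Returns 1 on success and 0 on failure (malformed revocation field, or
 * the single response / extension could not be added).  Never leaks the
 * decoded values, whichever path is taken.
 */
static int add_revoked_status(OCSP_BASICRESP *bs, OCSP_CERTID *cid,
                              const char *rev_info,
                              ASN1_TIME *thisupd, ASN1_TIME *nextupd)
{
    ASN1_OBJECT *inst = NULL;
    ASN1_TIME *revtm = NULL;
    ASN1_GENERALIZEDTIME *invtm = NULL;
    OCSP_SINGLERESP *single;
    int reason = -1;
    int ret = 0;

    /* Do not assert revocation details that could not be parsed */
    if (!unpack_revinfo(&revtm, &reason, &inst, &invtm, rev_info))
        goto end;
    single = OCSP_basic_add1_status(bs, cid, V_OCSP_CERTSTATUS_REVOKED,
                                    reason, revtm, thisupd, nextupd);
    if (single == NULL)
        goto end;
    if (invtm != NULL) {
        if (!OCSP_SINGLERESP_add1_ext_i2d(single, NID_invalidity_date,
                                          invtm, 0, 0))
            goto end;
    } else if (inst != NULL) {
        if (!OCSP_SINGLERESP_add1_ext_i2d(single, NID_hold_instruction_code,
                                          inst, 0, 0))
            goto end;
    }
    ret = 1;

 end:
    ASN1_OBJECT_free(inst);
    ASN1_TIME_free(revtm);
    ASN1_GENERALIZEDTIME_free(invtm);
    return ret;
}

/*
 * Build the OCSP response for the (network-supplied, untrusted) request
 * |req| into *resp.
 *
 * For every certificate id in the request the issuer is looked up in |ca|
 * and, if found, the serial in the index |db|.  An unknown issuer or a
 * serial missing from the index yields UNKNOWN, a DB_TYPE_VAL row GOOD and
 * a DB_TYPE_REV row REVOKED (details taken from the row's revocation
 * field).  Rows of any other type produce no single response at all; this
 * is kept as before (NOTE(review): a client then sees no status for that
 * certificate - confirm this is intended).  thisUpdate is "now";
 * nextUpdate is now + |ndays| days + |nmin| minutes, or absent when
 * |ndays| is -1.  If |resp_md| is non-NULL the ids in the response are
 * rebuilt with that digest instead of the one the request used.
 *
 * The basic response is signed with |rcert|/|rkey| using digest |rmd|, the
 * pkey_ctrl_string() parameters in |sigopts|, the extra certificates
 * |rother| and the OCSP_basic_sign_ctx() |flags|; |badsig| corrupts the
 * signature afterwards (test hook).  Diagnostics go to |err|.
 *
 * *resp is always assigned: a SUCCESSFUL response on success, otherwise a
 * MALFORMEDREQUEST (empty request) or INTERNALERROR response.  Error
 * responses carry no responseBytes, as RFC 6960 section 4.2.1 requires, so
 * an unsigned basic response is never handed out.  *resp is NULL only when
 * OCSP_response_create() itself fails.
 */
static void make_ocsp_response(BIO *err, OCSP_RESPONSE **resp, OCSP_REQUEST *req,
                               CA_DB *db, STACK_OF(X509) *ca, X509 *rcert,
                               EVP_PKEY *rkey, const EVP_MD *rmd,
                               STACK_OF(OPENSSL_STRING) *sigopts,
                               STACK_OF(X509) *rother, unsigned long flags,
                               int nmin, int ndays, int badsig,
                               const EVP_MD *resp_md)
{
    ASN1_TIME *thisupd = NULL, *nextupd = NULL;
    OCSP_BASICRESP *bs = NULL;
    EVP_MD_CTX *mctx = NULL;
    EVP_PKEY_CTX *pkctx = NULL;
    int status = OCSP_RESPONSE_STATUS_INTERNALERROR;
    int i, id_count;

    id_count = OCSP_request_onereq_count(req);
    if (id_count <= 0) {
        status = OCSP_RESPONSE_STATUS_MALFORMEDREQUEST;
        goto end;
    }

    bs = OCSP_BASICRESP_new();
    if (bs == NULL)
        goto end;

    /* thisUpdate is "now"; nextUpdate only if the caller asked for one */
    thisupd = X509_gmtime_adj(NULL, 0);
    if (thisupd == NULL)
        goto end;
    if (ndays != -1) {
        nextupd = X509_time_adj_ex(NULL, ndays, nmin * 60, NULL);
        if (nextupd == NULL)
            goto end;
    }

    /* Examine each certificate id in the request */
    for (i = 0; i < id_count; i++) {
        OCSP_ONEREQ *one = OCSP_request_onereq_get0(req, i);
        OCSP_CERTID *cid = OCSP_onereq_get0_id(one);
        OCSP_CERTID *cid_resp_md = NULL;
        OCSP_CERTID *out_id;
        ASN1_OBJECT *cert_id_md_oid = NULL;
        ASN1_INTEGER *serial = NULL;
        const EVP_MD *cert_id_md;
        char **inf = NULL;
        int found, cert_status, ok;

        OCSP_id_get0_info(NULL, &cert_id_md_oid, NULL, &serial, cid);
        /*
         * The hash algorithm is chosen by the requester.  An unsupported one
         * is reported as an internal error, as before (NOTE(review): a
         * malformedRequest status would arguably fit better).
         */
        cert_id_md = EVP_get_digestbyobj(cert_id_md_oid);
        if (cert_id_md == NULL)
            goto end;

        found = find_issuer_in_ca(cid, cert_id_md, ca, resp_md, &cid_resp_md);
        if (found < 0)
            goto end;
        /* Report under the configured response digest when one was given */
        out_id = cid_resp_md != NULL ? cid_resp_md : cid;

        /* Only consult the index for issuers this responder serves */
        if (!found || (inf = lookup_serial(db, serial)) == NULL)
            cert_status = V_OCSP_CERTSTATUS_UNKNOWN;
        else if (inf[DB_type][0] == DB_TYPE_VAL)
            cert_status = V_OCSP_CERTSTATUS_GOOD;
        else if (inf[DB_type][0] == DB_TYPE_REV)
            cert_status = V_OCSP_CERTSTATUS_REVOKED;
        else
            cert_status = -1;   /* no single response for this id */

        if (cert_status == V_OCSP_CERTSTATUS_REVOKED)
            ok = add_revoked_status(bs, out_id, inf[DB_rev_date],
                                    thisupd, nextupd);
        else if (cert_status != -1)
            ok = OCSP_basic_add1_status(bs, out_id, cert_status, 0, NULL,
                                        thisupd, nextupd) != NULL;
        else
            ok = 1;
        OCSP_CERTID_free(cid_resp_md);
        /* A missing single response must not go out as SUCCESSFUL */
        if (!ok)
            goto end;
    }

    /* Documented to return -1 on error; 0 just means the request had no nonce */
    if (OCSP_copy_nonce(bs, req) < 0)
        goto end;

    mctx = EVP_MD_CTX_new();
    if (mctx == NULL || !EVP_DigestSignInit(mctx, &pkctx, rmd, NULL, rkey))
        goto end;
    for (i = 0; i < sk_OPENSSL_STRING_num(sigopts); i++) {
        char *sigopt = sk_OPENSSL_STRING_value(sigopts, i);

        if (pkey_ctrl_string(pkctx, sigopt) <= 0) {
            BIO_printf(err, "parameter error \"%s\"\n", sigopt);
            ERR_print_errors(err);
            goto end;
        }
    }
    if (!OCSP_basic_sign_ctx(bs, rcert, mctx, rother, flags))
        goto end;

    if (badsig) {
        /* Test hook: hand out a response whose signature does not verify */
        const ASN1_OCTET_STRING *sig = OCSP_resp_get0_signature(bs);

        corrupt_signature(sig);
    }
    status = OCSP_RESPONSE_STATUS_SUCCESSFUL;

 end:
    /*
     * Only a successful response carries responseBytes (RFC 6960 4.2.1);
     * in particular a partially built or unsigned |bs| is never encoded
     * into an error response.
     */
    *resp = OCSP_response_create(status,
                                 status == OCSP_RESPONSE_STATUS_SUCCESSFUL
                                 ? bs : NULL);
    EVP_MD_CTX_free(mctx);
    ASN1_TIME_free(thisupd);
    ASN1_TIME_free(nextupd);
    OCSP_BASICRESP_free(bs);
}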
1230
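/*
 * Look up the index row for the certificate with serial number |ser| in
 * |db|.
 *
 * The index keys serials by their hex representation, with a zero serial
 * stored as "00" (plain BN_bn2hex() does not produce that form), so the
 * serial is converted the same way before TXT_DB_get_by_index().
 *
 * Returns the row, owned by |db|, or NULL when there is no such serial or
 * when the serial could not be converted (out of memory).  The caller in
 * this file treats NULL as "not in the index" and answers UNKNOWN, which is
 * the conservative outcome for a responder; the previous OPENSSL_assert()
 * calls would instead have aborted the whole process on a failed
 * allocation, and an unchecked BN_bn2hex() result could have passed a NULL
 * key to the index lookup.
 */
static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser)
{
    BIGNUM *bn;
    char *key;
    char *row[DB_NUMBER] = { NULL };
    char **rrow;

    bn = ASN1_INTEGER_to_BN(ser, NULL);
    if (bn == NULL)
        return NULL;
    key = BN_is_zero(bn) ? OPENSSL_strdup("00") : BN_bn2hex(bn);
    BN_free(bn);
    if (key == NULL)
        return NULL;

    row[DB_serial] = key;
    rrow = TXT_DB_get_by_index(db->db, DB_serial, row);
    OPENSSL_free(key);
    return rrow;
}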
1253
/*
 * Accept one OCSP request on the listening BIO |acbio|.
 *
 * On success *preq receives the decoded request and *pcbio the client
 * connection on which the response has to be sent back; |timeout| bounds
 * the wait (passed through to http_server_get_asn1_req()).  GET requests
 * are accepted as well as POST, and no keep-alive indication is requested.
 * Returns the http_server_get_asn1_req() result; in builds without socket
 * support it reports an error, sets *preq to NULL and returns 0.
 */
static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio,
                        int timeout)
{
#ifndef OPENSSL_NO_SOCK
    const ASN1_ITEM *req_it = ASN1_ITEM_rptr(OCSP_REQUEST);

    return http_server_get_asn1_req(req_it, (ASN1_VALUE **)preq, NULL,
                                    pcbio, acbio,
                                    NULL /* found_keep_alive */,
                                    prog, 1 /* accept_get */, timeout);
#else
    *preq = NULL;
    BIO_printf(bio_err,
               "Error getting OCSP request - sockets not supported\n");
    return 0;
#endif
}
1269
/*
 * Send |resp| back to the client on |cbio| as an HTTP response with
 * content type application/ocsp-response, closing the connection
 * afterwards (no keep-alive).  Returns the http_server_send_asn1_resp()
 * result; in builds without socket support it reports an error and
 * returns 0.
 */
static int send_ocsp_response(BIO *cbio, const OCSP_RESPONSE *resp)
{
#ifndef OPENSSL_NO_SOCK
    static const char content_type[] = "application/ocsp-response";
    const ASN1_ITEM *resp_it = ASN1_ITEM_rptr(OCSP_RESPONSE);

    return http_server_send_asn1_resp(prog, cbio, 0 /* no keep-alive */,
                                      content_type, resp_it,
                                      (const ASN1_VALUE *)resp);
#else
    BIO_printf(bio_err,
               "Error sending OCSP response - sockets not supported\n");
    return 0;
#endif
}
1284
1285 #ifndef OPENSSL_NO_SOCK
/*
 * POST |req| to the OCSP responder at |host|:|port||path| (optionally via
 * |proxy|, honouring |no_proxy|) with the extra HTTP |headers| and a
 * |req_timeout| passed through to app_http_post_asn1(), and return the
 * decoded response, or NULL after printing an error.
 *
 * When |use_ssl| is exactly 1 the transfer runs over TLS using a fresh
 * client context.  NOTE(review): no verify mode, trust store or hostname
 * check is configured on that context, so with OpenSSL's default of
 * SSL_VERIFY_NONE the responder's TLS certificate is not authenticated
 * here; the caller must rely on verifying the signature of the returned
 * OCSP response, not on the transport.
 */
OCSP_RESPONSE *process_responder(OCSP_REQUEST *req, const char *host,
                                 const char *port, const char *path,
                                 const char *proxy, const char *no_proxy,
                                 int use_ssl, STACK_OF(CONF_VALUE) *headers,
                                 int req_timeout)
{
    SSL_CTX *ctx = NULL;
    ASN1_VALUE *result;
    OCSP_RESPONSE *resp;

    if (use_ssl == 1) {
        ctx = SSL_CTX_new(TLS_client_method());
        if (ctx == NULL) {
            BIO_printf(bio_err, "Error creating SSL context.\n");
            return NULL;
        }
    }

    result = app_http_post_asn1(host, port, path, proxy, no_proxy,
                                ctx, headers, "application/ocsp-request",
                                (ASN1_VALUE *)req, ASN1_ITEM_rptr(OCSP_REQUEST),
                                "application/ocsp-response",
                                req_timeout, ASN1_ITEM_rptr(OCSP_RESPONSE));
    resp = (OCSP_RESPONSE *)result;
    if (resp == NULL)
        BIO_printf(bio_err, "Error querying OCSP responder\n");

    SSL_CTX_free(ctx);
    return resp;
}
1317 #endif
1318