From: Benjamin Kaduk
Date: Wed, 10 Feb 2016 02:29:21 +0000 (-0600)
Subject: GH650: Minor tidying around the ocsp app
X-Git-Tag: OpenSSL_1_1_0-pre3~35
X-Git-Url: https://git.openssl.org/?p=openssl.git;a=commitdiff_plain;h=21c6c50fc85a2b6ad8472dcf24f42f5e6da5bfbe

GH650: Minor tidying around the ocsp app

The ocsp utility is something of a jack-of-all-trades; most anything related to the OCSP can be done with it. In particular, the manual page calls out that it can be used as either a client or a server of the protocol, but there are also a few things that it can do which do not quite fit into either role, such as encoding an OCSP request but not sending it, printing out a text form of an OCSP response (or request) from a file akin to the asn1parse utility, or performing a lookup into the server-side revocation database without actually sending a request or response. All three of these are documented as examples in the manual page, but the documentation prior to this commit is somewhat misleading, in that when printing the text form of an OCSP response, the code also attempts to verify the response, displaying an error message and returning failure if the response does not verify. (It is possible that the response would be able to verify with the given example, since the default trust roots are used for that verification, but OCSP responses frequently have alternate certification authorities that would require passing -CAfile or -CApath for verification.) Tidy up the documentation by passing -noverify for the case of converting from binary to textual representation, and also change a few instances of -respin to -reqin as appropriate, note that the -url option provides the same functionality as the -host and -path options, clarify that the example that saves an OCSP response to a file will also perform verification on that response, and fix a couple grammar nits in the manual page.
Also remove an always-true conditional for rdb != NULL -- there are no codepaths in which it could be initialized at the time of this check. Signed-off-by: Rich Salz Reviewed-by: Kurt Roeckx --- diff --git a/apps/ocsp.c b/apps/ocsp.c index d2e3109630..73b407c986 100644 --- a/apps/ocsp.c +++ b/apps/ocsp.c @@ -521,7 +521,7 @@ int ocsp_main(int argc, char **argv) goto end; } - if (rsignfile && !rdb) { + if (rsignfile) { if (!rkeyfile) rkeyfile = rsignfile; rsigner = load_cert(rsignfile, FORMAT_PEM, diff --git a/doc/apps/ocsp.pod b/doc/apps/ocsp.pod index 1ecd92887b..be195bcb30 100644 --- a/doc/apps/ocsp.pod +++ b/doc/apps/ocsp.pod @@ -139,7 +139,7 @@ Additional certificates to include in the signed request. =item B<-nonce>, B<-no_nonce> Add an OCSP nonce extension to a request or disable OCSP nonce addition. -Normally if an OCSP request is input using the B option no +Normally if an OCSP request is input using the B option no nonce is added: using the B option will force addition of a nonce. If an OCSP request is being created (using B and B options) a nonce is automatically added specifying B overrides this. @@ -166,7 +166,8 @@ specify the responder URL. Both HTTP and HTTPS (SSL/TLS) URLs can be specified. if the B option is present then the OCSP request is sent to the host B on port B. B specifies the HTTP path name to use -or "/" by default. +or "/" by default. This is equivalent to specifying B<-url> with scheme +http:// and the given hostname, port, and pathname. =item B<-header name=value> @@ -296,7 +297,7 @@ information. If the B option is specified the B utility is in responder mode, otherwise it is in client mode. The request(s) the responder processes can be either specified on the command line (using B and B options), supplied in a file (using the -B option) or via external OCSP clients (if B or B is specified). +B option) or via external OCSP clients (if B or B is specified). If the B option is present then the B and B options must also be present. 
@@ -401,7 +402,7 @@ format of revocation is also inefficient for large quantities of revocation data. It is possible to run the B application in responder mode via a CGI -script using the B and B options. +script using the B and B options. =head1 EXAMPLES @@ -410,14 +411,14 @@ Create an OCSP request and write it to a file: openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem -reqout req.der Send a query to an OCSP responder with URL http://ocsp.myhost.com/ save the -response to a file and print it out in text form +response to a file, print it out in text form, and verify the response: openssl ocsp -issuer issuer.pem -cert c1.pem -cert c2.pem \ -url http://ocsp.myhost.com/ -resp_text -respout resp.der Read in an OCSP response and print out text form: - openssl ocsp -respin resp.der -text + openssl ocsp -respin resp.der -text -noverify OCSP server on port 8888 using a standard B configuration, and a separate responder certificate. All requests and responses are printed to a file. @@ -430,13 +431,13 @@ As above but exit after processing one request: openssl ocsp -index demoCA/index.txt -port 8888 -rsigner rcert.pem -CA demoCA/cacert.pem -nrequest 1 -Query status information using internally generated request: +Query status information using an internally generated request: openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA demoCA/cacert.pem -issuer demoCA/cacert.pem -serial 1 -Query status information using request read from a file, write response to a -second file. +Query status information using request read from a file, and write the response +to a second file. openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA demoCA/cacert.pem -reqin req.der -respout resp.der
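Review bot: in the apps/ocsp.c hunk, dropping `!rdb` from `if (rsignfile && !rdb)` is only correct if nothing earlier in ocsp_main() can assign rdb; the commit message asserts that, but the three context lines shown do not include rdb's declaration or the -index loading code, so the reviewer should confirm the index is loaded after this point. A short comment above `if (rsignfile) {` saying that the responder certificate is loaded before the revocation index would stop a later reader from re-adding the guard.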
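Review bot: in the ocsp.pod hunk at @@ -139 the removed and added lines render identically ("using the B option") because the option name inside the B<...> markup was dropped in this rendering; per the commit message the intended change is -respin to -reqin. When checking the raw diff, confirm the new line reads B<-reqin>, since what is being input here is a request rather than a response. The same applies to the hunks at @@ -296 and @@ -401 of ocsp.pod, whose visible text is likewise unchanged.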
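Review bot: the sentence added in the @@ -166 hunk, "This is equivalent to specifying B<-url> with scheme http:// and the given hostname, port, and pathname", states the equivalence in one direction only; the context line just above says -url accepts both HTTP and HTTPS URLs, so it is worth adding that the -host/-port/-path form cannot express an https:// responder and that -url is required for TLS.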
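Review bot: in the @@ -410 hunk, adding -noverify to "openssl ocsp -respin resp.der -text -noverify" removes the misleading verification failure the commit message describes, but the example now skips signature checking entirely; a one-line remark that -noverify is for inspecting a response (for example one already verified when it was saved) and that the verifying form passes -CAfile or -CApath for the responder's CA would keep readers from copying -noverify into scripts that act on the status. The reworded "save the response to a file, print it out in text form, and verify the response" line makes that contrast clear and is good as is.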
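Review bot: in the @@ -430 hunk the article is added in "using an internally generated request" but the parallel sentence in the same hunk still reads "Query status information using request read from a file"; for consistency change it to "using a request read from a file". The rewrap of "and write the response / to a second file" is fine.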