d759b2709ca2b0549e08059801f6d31a862d05bd
[openssl.git] / apps / ocsp.c
1 /* ocsp.c */
2 /* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
3  * project 2000.
4  */
5 /* ====================================================================
6  * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer. 
14  *
15  * 2. Redistributions in binary form must reproduce the above copyright
16  *    notice, this list of conditions and the following disclaimer in
17  *    the documentation and/or other materials provided with the
18  *    distribution.
19  *
20  * 3. All advertising materials mentioning features or use of this
21  *    software must display the following acknowledgment:
22  *    "This product includes software developed by the OpenSSL Project
23  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24  *
25  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26  *    endorse or promote products derived from this software without
27  *    prior written permission. For written permission, please contact
28  *    licensing@OpenSSL.org.
29  *
30  * 5. Products derived from this software may not be called "OpenSSL"
31  *    nor may "OpenSSL" appear in their names without prior written
32  *    permission of the OpenSSL Project.
33  *
34  * 6. Redistributions of any form whatsoever must retain the following
35  *    acknowledgment:
36  *    "This product includes software developed by the OpenSSL Project
37  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38  *
39  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
43  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50  * OF THE POSSIBILITY OF SUCH DAMAGE.
51  * ====================================================================
52  *
53  * This product includes cryptographic software written by Eric Young
54  * (eay@cryptsoft.com).  This product includes software written by Tim
55  * Hudson (tjh@cryptsoft.com).
56  *
57  */
58
59 #include <stdio.h>
60 #include <string.h>
61 #include "apps.h"
62 #include <openssl/pem.h>
63 #include <openssl/ocsp.h>
64 #include <openssl/err.h>
65 #include <openssl/ssl.h>
66
67 /* Maximum leeway in validity period: default 5 minutes */
68 #define MAX_VALIDITY_PERIOD     (5 * 60)
69
70 /* CA index.txt definitions */
71 #define DB_type         0
72 #define DB_exp_date     1
73 #define DB_rev_date     2
74 #define DB_serial       3       /* index - unique */
75 #define DB_file         4       
76 #define DB_name         5       /* index - unique for active */
77 #define DB_NUMBER       6
78
79 #define DB_TYPE_REV     'R'
80 #define DB_TYPE_EXP     'E'
81 #define DB_TYPE_VAL     'V'
82
83 static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, X509 *issuer,
84                                 STACK_OF(OCSP_CERTID) *ids);
85 static int add_ocsp_serial(OCSP_REQUEST **req, char *serial, X509 *issuer,
86                                 STACK_OF(OCSP_CERTID) *ids);
87 static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
88                                 STACK *names, STACK_OF(OCSP_CERTID) *ids,
89                                 long nsec, long maxage);
90
91 static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, TXT_DB *db,
92                         X509 *ca, X509 *rcert, EVP_PKEY *rkey,
93                         STACK_OF(X509) *rother, unsigned long flags,
94                         int nmin, int ndays);
95
96 static char **lookup_serial(TXT_DB *db, ASN1_INTEGER *ser);
97 static BIO *init_responder(char *port);
98 static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, char *port);
99 static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp);
100
101 #undef PROG
102 #define PROG ocsp_main
103
104 int MAIN(int, char **);
105
106 int MAIN(int argc, char **argv)
107         {
108         ENGINE *e = NULL;
109         char **args;
110         char *host = NULL, *port = NULL, *path = "/";
111         char *reqin = NULL, *respin = NULL;
112         char *reqout = NULL, *respout = NULL;
113         char *signfile = NULL, *keyfile = NULL;
114         char *rsignfile = NULL, *rkeyfile = NULL;
115         char *outfile = NULL;
116         int add_nonce = 1, noverify = 0, use_ssl = -1;
117         OCSP_REQUEST *req = NULL;
118         OCSP_RESPONSE *resp = NULL;
119         OCSP_BASICRESP *bs = NULL;
120         X509 *issuer = NULL, *cert = NULL;
121         X509 *signer = NULL, *rsigner = NULL;
122         EVP_PKEY *key = NULL, *rkey = NULL;
123         BIO *acbio = NULL, *cbio = NULL;
124         BIO *derbio = NULL;
125         BIO *out = NULL;
126         int req_text = 0, resp_text = 0;
127         long nsec = MAX_VALIDITY_PERIOD, maxage = -1;
128         char *CAfile = NULL, *CApath = NULL;
129         X509_STORE *store = NULL;
130         SSL_CTX *ctx = NULL;
131         STACK_OF(X509) *sign_other = NULL, *verify_other = NULL, *rother = NULL;
132         char *sign_certfile = NULL, *verify_certfile = NULL, *rcertfile = NULL;
133         unsigned long sign_flags = 0, verify_flags = 0, rflags = 0;
134         int ret = 1;
135         int accept_count = -1;
136         int badarg = 0;
137         int i;
138         STACK *reqnames = NULL;
139         STACK_OF(OCSP_CERTID) *ids = NULL;
140
141         X509 *rca_cert = NULL;
142         char *ridx_filename = NULL;
143         char *rca_filename = NULL;
144         TXT_DB *rdb = NULL;
145         int nmin = 0, ndays = -1;
146
147         if (bio_err == NULL) bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
148
149         if (!load_config(bio_err, NULL))
150                 goto end;
151         SSL_load_error_strings();
152         args = argv + 1;
153         reqnames = sk_new_null();
154         ids = sk_OCSP_CERTID_new_null();
155         while (!badarg && *args && *args[0] == '-')
156                 {
157                 if (!strcmp(*args, "-out"))
158                         {
159                         if (args[1])
160                                 {
161                                 args++;
162                                 outfile = *args;
163                                 }
164                         else badarg = 1;
165                         }
166                 else if (!strcmp(*args, "-url"))
167                         {
168                         if (args[1])
169                                 {
170                                 args++;
171                                 if (!OCSP_parse_url(*args, &host, &port, &path, &use_ssl))
172                                         {
173                                         BIO_printf(bio_err, "Error parsing URL\n");
174                                         badarg = 1;
175                                         }
176                                 }
177                         else badarg = 1;
178                         }
179                 else if (!strcmp(*args, "-host"))
180                         {
181                         if (args[1])
182                                 {
183                                 args++;
184                                 host = *args;
185                                 }
186                         else badarg = 1;
187                         }
188                 else if (!strcmp(*args, "-port"))
189                         {
190                         if (args[1])
191                                 {
192                                 args++;
193                                 port = *args;
194                                 }
195                         else badarg = 1;
196                         }
197                 else if (!strcmp(*args, "-noverify"))
198                         noverify = 1;
199                 else if (!strcmp(*args, "-nonce"))
200                         add_nonce = 2;
201                 else if (!strcmp(*args, "-no_nonce"))
202                         add_nonce = 0;
203                 else if (!strcmp(*args, "-resp_no_certs"))
204                         rflags |= OCSP_NOCERTS;
205                 else if (!strcmp(*args, "-resp_key_id"))
206                         rflags |= OCSP_RESPID_KEY;
207                 else if (!strcmp(*args, "-no_certs"))
208                         sign_flags |= OCSP_NOCERTS;
209                 else if (!strcmp(*args, "-no_signature_verify"))
210                         verify_flags |= OCSP_NOSIGS;
211                 else if (!strcmp(*args, "-no_cert_verify"))
212                         verify_flags |= OCSP_NOVERIFY;
213                 else if (!strcmp(*args, "-no_chain"))
214                         verify_flags |= OCSP_NOCHAIN;
215                 else if (!strcmp(*args, "-no_cert_checks"))
216                         verify_flags |= OCSP_NOCHECKS;
217                 else if (!strcmp(*args, "-no_explicit"))
218                         verify_flags |= OCSP_NOEXPLICIT;
219                 else if (!strcmp(*args, "-trust_other"))
220                         verify_flags |= OCSP_TRUSTOTHER;
221                 else if (!strcmp(*args, "-no_intern"))
222                         verify_flags |= OCSP_NOINTERN;
223                 else if (!strcmp(*args, "-text"))
224                         {
225                         req_text = 1;
226                         resp_text = 1;
227                         }
228                 else if (!strcmp(*args, "-req_text"))
229                         req_text = 1;
230                 else if (!strcmp(*args, "-resp_text"))
231                         resp_text = 1;
232                 else if (!strcmp(*args, "-reqin"))
233                         {
234                         if (args[1])
235                                 {
236                                 args++;
237                                 reqin = *args;
238                                 }
239                         else badarg = 1;
240                         }
241                 else if (!strcmp(*args, "-respin"))
242                         {
243                         if (args[1])
244                                 {
245                                 args++;
246                                 respin = *args;
247                                 }
248                         else badarg = 1;
249                         }
250                 else if (!strcmp(*args, "-signer"))
251                         {
252                         if (args[1])
253                                 {
254                                 args++;
255                                 signfile = *args;
256                                 }
257                         else badarg = 1;
258                         }
259                 else if (!strcmp (*args, "-VAfile"))
260                         {
261                         if (args[1])
262                                 {
263                                 args++;
264                                 verify_certfile = *args;
265                                 verify_flags |= OCSP_TRUSTOTHER;
266                                 }
267                         else badarg = 1;
268                         }
269                 else if (!strcmp(*args, "-sign_other"))
270                         {
271                         if (args[1])
272                                 {
273                                 args++;
274                                 sign_certfile = *args;
275                                 }
276                         else badarg = 1;
277                         }
278                 else if (!strcmp(*args, "-verify_other"))
279                         {
280                         if (args[1])
281                                 {
282                                 args++;
283                                 verify_certfile = *args;
284                                 }
285                         else badarg = 1;
286                         }
287                 else if (!strcmp (*args, "-CAfile"))
288                         {
289                         if (args[1])
290                                 {
291                                 args++;
292                                 CAfile = *args;
293                                 }
294                         else badarg = 1;
295                         }
296                 else if (!strcmp (*args, "-CApath"))
297                         {
298                         if (args[1])
299                                 {
300                                 args++;
301                                 CApath = *args;
302                                 }
303                         else badarg = 1;
304                         }
305                 else if (!strcmp (*args, "-validity_period"))
306                         {
307                         if (args[1])
308                                 {
309                                 args++;
310                                 nsec = atol(*args);
311                                 if (nsec < 0)
312                                         {
313                                         BIO_printf(bio_err,
314                                                 "Illegal validity period %s\n",
315                                                 *args);
316                                         badarg = 1;
317                                         }
318                                 }
319                         else badarg = 1;
320                         }
321                 else if (!strcmp (*args, "-status_age"))
322                         {
323                         if (args[1])
324                                 {
325                                 args++;
326                                 maxage = atol(*args);
327                                 if (maxage < 0)
328                                         {
329                                         BIO_printf(bio_err,
330                                                 "Illegal validity age %s\n",
331                                                 *args);
332                                         badarg = 1;
333                                         }
334                                 }
335                         else badarg = 1;
336                         }
337                  else if (!strcmp(*args, "-signkey"))
338                         {
339                         if (args[1])
340                                 {
341                                 args++;
342                                 keyfile = *args;
343                                 }
344                         else badarg = 1;
345                         }
346                 else if (!strcmp(*args, "-reqout"))
347                         {
348                         if (args[1])
349                                 {
350                                 args++;
351                                 reqout = *args;
352                                 }
353                         else badarg = 1;
354                         }
355                 else if (!strcmp(*args, "-respout"))
356                         {
357                         if (args[1])
358                                 {
359                                 args++;
360                                 respout = *args;
361                                 }
362                         else badarg = 1;
363                         }
364                  else if (!strcmp(*args, "-path"))
365                         {
366                         if (args[1])
367                                 {
368                                 args++;
369                                 path = *args;
370                                 }
371                         else badarg = 1;
372                         }
373                 else if (!strcmp(*args, "-issuer"))
374                         {
375                         if (args[1])
376                                 {
377                                 args++;
378                                 X509_free(issuer);
379                                 issuer = load_cert(bio_err, *args, FORMAT_PEM,
380                                         NULL, e, "issuer certificate");
381                                 if(!issuer) goto end;
382                                 }
383                         else badarg = 1;
384                         }
385                 else if (!strcmp (*args, "-cert"))
386                         {
387                         if (args[1])
388                                 {
389                                 args++;
390                                 X509_free(cert);
391                                 cert = load_cert(bio_err, *args, FORMAT_PEM,
392                                         NULL, e, "certificate");
393                                 if(!cert) goto end;
394                                 if(!add_ocsp_cert(&req, cert, issuer, ids))
395                                         goto end;
396                                 if(!sk_push(reqnames, *args))
397                                         goto end;
398                                 }
399                         else badarg = 1;
400                         }
401                 else if (!strcmp(*args, "-serial"))
402                         {
403                         if (args[1])
404                                 {
405                                 args++;
406                                 if(!add_ocsp_serial(&req, *args, issuer, ids))
407                                         goto end;
408                                 if(!sk_push(reqnames, *args))
409                                         goto end;
410                                 }
411                         else badarg = 1;
412                         }
413                 else if (!strcmp(*args, "-index"))
414                         {
415                         if (args[1])
416                                 {
417                                 args++;
418                                 ridx_filename = *args;
419                                 }
420                         else badarg = 1;
421                         }
422                 else if (!strcmp(*args, "-CA"))
423                         {
424                         if (args[1])
425                                 {
426                                 args++;
427                                 rca_filename = *args;
428                                 }
429                         else badarg = 1;
430                         }
431                 else if (!strcmp (*args, "-nmin"))
432                         {
433                         if (args[1])
434                                 {
435                                 args++;
436                                 nmin = atol(*args);
437                                 if (nmin < 0)
438                                         {
439                                         BIO_printf(bio_err,
440                                                 "Illegal update period %s\n",
441                                                 *args);
442                                         badarg = 1;
443                                         }
444                                 }
445                                 if (ndays == -1)
446                                         ndays = 0;
447                         else badarg = 1;
448                         }
449                 else if (!strcmp (*args, "-nrequest"))
450                         {
451                         if (args[1])
452                                 {
453                                 args++;
454                                 accept_count = atol(*args);
455                                 if (accept_count < 0)
456                                         {
457                                         BIO_printf(bio_err,
458                                                 "Illegal accept count %s\n",
459                                                 *args);
460                                         badarg = 1;
461                                         }
462                                 }
463                         else badarg = 1;
464                         }
465                 else if (!strcmp (*args, "-ndays"))
466                         {
467                         if (args[1])
468                                 {
469                                 args++;
470                                 ndays = atol(*args);
471                                 if (ndays < 0)
472                                         {
473                                         BIO_printf(bio_err,
474                                                 "Illegal update period %s\n",
475                                                 *args);
476                                         badarg = 1;
477                                         }
478                                 }
479                         else badarg = 1;
480                         }
481                 else if (!strcmp(*args, "-rsigner"))
482                         {
483                         if (args[1])
484                                 {
485                                 args++;
486                                 rsignfile = *args;
487                                 }
488                         else badarg = 1;
489                         }
490                 else if (!strcmp(*args, "-rkey"))
491                         {
492                         if (args[1])
493                                 {
494                                 args++;
495                                 rkeyfile = *args;
496                                 }
497                         else badarg = 1;
498                         }
499                 else if (!strcmp(*args, "-rother"))
500                         {
501                         if (args[1])
502                                 {
503                                 args++;
504                                 rcertfile = *args;
505                                 }
506                         else badarg = 1;
507                         }
508                 else badarg = 1;
509                 args++;
510                 }
511
512         /* Have we anything to do? */
513         if (!req && !reqin && !respin && !(port && ridx_filename)) badarg = 1;
514
515         if (badarg)
516                 {
517                 BIO_printf (bio_err, "OCSP utility\n");
518                 BIO_printf (bio_err, "Usage ocsp [options]\n");
519                 BIO_printf (bio_err, "where options are\n");
520                 BIO_printf (bio_err, "-out file          output filename\n");
521                 BIO_printf (bio_err, "-issuer file       issuer certificate\n");
522                 BIO_printf (bio_err, "-cert file         certificate to check\n");
523                 BIO_printf (bio_err, "-serial n          serial number to check\n");
524                 BIO_printf (bio_err, "-signer file       certificate to sign OCSP request with\n");
525                 BIO_printf (bio_err, "-signkey file      private key to sign OCSP request with\n");
526                 BIO_printf (bio_err, "-sign_certs file   additional certificates to include in signed request\n");
527                 BIO_printf (bio_err, "-no_certs          don't include any certificates in signed request\n");
528                 BIO_printf (bio_err, "-req_text          print text form of request\n");
529                 BIO_printf (bio_err, "-resp_text         print text form of response\n");
530                 BIO_printf (bio_err, "-text              print text form of request and response\n");
531                 BIO_printf (bio_err, "-reqout file       write DER encoded OCSP request to \"file\"\n");
532                 BIO_printf (bio_err, "-respout file      write DER encoded OCSP reponse to \"file\"\n");
533                 BIO_printf (bio_err, "-reqin file        read DER encoded OCSP request from \"file\"\n");
534                 BIO_printf (bio_err, "-respin file       read DER encoded OCSP reponse from \"file\"\n");
535                 BIO_printf (bio_err, "-nonce             add OCSP nonce to request\n");
536                 BIO_printf (bio_err, "-no_nonce          don't add OCSP nonce to request\n");
537                 BIO_printf (bio_err, "-url URL           OCSP responder URL\n");
538                 BIO_printf (bio_err, "-host host:n       send OCSP request to host on port n\n");
539                 BIO_printf (bio_err, "-path              path to use in OCSP request\n");
540                 BIO_printf (bio_err, "-CApath dir        trusted certificates directory\n");
541                 BIO_printf (bio_err, "-CAfile file       trusted certificates file\n");
542                 BIO_printf (bio_err, "-VAfile file       validator certificates file\n");
543                 BIO_printf (bio_err, "-validity_period n maximum validity discrepancy in seconds\n");
544                 BIO_printf (bio_err, "-status_age n      maximum status age in seconds\n");
545                 BIO_printf (bio_err, "-noverify          don't verify response at all\n");
546                 BIO_printf (bio_err, "-verify_certs file additional certificates to search for signer\n");
547                 BIO_printf (bio_err, "-trust_other       don't verify additional certificates\n");
548                 BIO_printf (bio_err, "-no_intern         don't search certificates contained in response for signer\n");
549                 BIO_printf (bio_err, "-no_sig_verify     don't check signature on response\n");
550                 BIO_printf (bio_err, "-no_cert_verify    don't check signing certificate\n");
551                 BIO_printf (bio_err, "-no_chain          don't chain verify response\n");
552                 BIO_printf (bio_err, "-no_cert_checks    don't do additional checks on signing certificate\n");
553                 BIO_printf (bio_err, "-port num          port to run responder on\n");
554                 BIO_printf (bio_err, "-index file        certificate status index file\n");
555                 BIO_printf (bio_err, "-CA file           CA certificate\n");
556                 BIO_printf (bio_err, "-rsigner file      responder certificate to sign responses with\n");
557                 BIO_printf (bio_err, "-rkey file         responder key to sign responses with\n");
558                 BIO_printf (bio_err, "-rother file       other certificates to include in response\n");
559                 BIO_printf (bio_err, "-resp_no_certs     don't include any certificates in response\n");
560                 BIO_printf (bio_err, "-nmin n            number of minutes before next update\n");
561                 BIO_printf (bio_err, "-ndays n           number of days before next update\n");
562                 BIO_printf (bio_err, "-resp_key_id       identify reponse by signing certificate key ID\n");
563                 BIO_printf (bio_err, "-nrequest n        number of requests to accept (default unlimited)\n");
564                 goto end;
565                 }
566
567         if(outfile) out = BIO_new_file(outfile, "w");
568         else out = BIO_new_fp(stdout, BIO_NOCLOSE);
569
570         if(!out)
571                 {
572                 BIO_printf(bio_err, "Error opening output file\n");
573                 goto end;
574                 }
575
576         if (!req && (add_nonce != 2)) add_nonce = 0;
577
578         if (!req && reqin)
579                 {
580                 derbio = BIO_new_file(reqin, "rb");
581                 if (!derbio)
582                         {
583                         BIO_printf(bio_err, "Error Opening OCSP request file\n");
584                         goto end;
585                         }
586                 req = d2i_OCSP_REQUEST_bio(derbio, NULL);
587                 BIO_free(derbio);
588                 if(!req)
589                         {
590                         BIO_printf(bio_err, "Error reading OCSP request\n");
591                         goto end;
592                         }
593                 }
594
595         if (!req && port)
596                 {
597                 acbio = init_responder(port);
598                 if (!acbio)
599                         goto end;
600                 }
601
602         if (rsignfile && !rdb)
603                 {
604                 if (!rkeyfile) rkeyfile = rsignfile;
605                 rsigner = load_cert(bio_err, rsignfile, FORMAT_PEM,
606                         NULL, e, "responder certificate");
607                 if (!rsigner)
608                         {
609                         BIO_printf(bio_err, "Error loading responder certificate\n");
610                         goto end;
611                         }
612                 rca_cert = load_cert(bio_err, rca_filename, FORMAT_PEM,
613                         NULL, e, "CA certificate");
614                 if (rcertfile)
615                         {
616                         rother = load_certs(bio_err, rcertfile, FORMAT_PEM,
617                                 NULL, e, "responder other certificates");
618                         if (!rother) goto end;
619                         }
620                 rkey = load_key(bio_err, rkeyfile, FORMAT_PEM, 0, NULL, NULL,
621                         "responder private key");
622                 if (!rkey)
623                         goto end;
624                 }
625         if(acbio)
626                 BIO_printf(bio_err, "Waiting for OCSP client connections...\n");
627
628         redo_accept:
629
630         if (acbio)
631                 {
632                 if (!do_responder(&req, &cbio, acbio, port))
633                         goto end;
634                 if (!req)
635                         {
636                         resp = OCSP_response_create(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, NULL);
637                         send_ocsp_response(cbio, resp);
638                         goto done_resp;
639                         }
640                 }
641
642         if (!req && (signfile || reqout || host || add_nonce || ridx_filename))
643                 {
644                 BIO_printf(bio_err, "Need an OCSP request for this operation!\n");
645                 goto end;
646                 }
647
648         if (req && add_nonce) OCSP_request_add1_nonce(req, NULL, -1);
649
650         if (signfile)
651                 {
652                 if (!keyfile) keyfile = signfile;
653                 signer = load_cert(bio_err, signfile, FORMAT_PEM,
654                         NULL, e, "signer certificate");
655                 if (!signer)
656                         {
657                         BIO_printf(bio_err, "Error loading signer certificate\n");
658                         goto end;
659                         }
660                 if (sign_certfile)
661                         {
662                         sign_other = load_certs(bio_err, sign_certfile, FORMAT_PEM,
663                                 NULL, e, "signer certificates");
664                         if (!sign_other) goto end;
665                         }
666                 key = load_key(bio_err, keyfile, FORMAT_PEM, 0, NULL, NULL,
667                         "signer private key");
668                 if (!key)
669                         goto end;
670                 if (!OCSP_request_sign(req, signer, key, EVP_sha1(), sign_other, sign_flags))
671                         {
672                         BIO_printf(bio_err, "Error signing OCSP request\n");
673                         goto end;
674                         }
675                 }
676
677         if (req_text && req) OCSP_REQUEST_print(out, req, 0);
678
679         if (reqout)
680                 {
681                 derbio = BIO_new_file(reqout, "wb");
682                 if(!derbio)
683                         {
684                         BIO_printf(bio_err, "Error opening file %s\n", reqout);
685                         goto end;
686                         }
687                 i2d_OCSP_REQUEST_bio(derbio, req);
688                 BIO_free(derbio);
689                 }
690
691         if (ridx_filename && (!rkey || !rsigner || !rca_cert))
692                 {
693                 BIO_printf(bio_err, "Need a responder certificate, key and CA for this operation!\n");
694                 goto end;
695                 }
696
697         if (ridx_filename && !rdb)
698                 {
699                 BIO *db_bio = NULL;
700                 db_bio = BIO_new_file(ridx_filename, "r");
701                 if (!db_bio)
702                         {
703                         BIO_printf(bio_err, "Error opening index file %s\n", ridx_filename);
704                         goto end;
705                         }
706                 rdb = TXT_DB_read(db_bio, DB_NUMBER);
707                 BIO_free(db_bio);
708                 if (!rdb)
709                         {
710                         BIO_printf(bio_err, "Error reading index file %s\n", ridx_filename);
711                         goto end;
712                         }
713                 if (!make_serial_index(rdb))
714                         goto end;
715                 }
716
717         if (rdb)
718                 {
719                 i = make_ocsp_response(&resp, req, rdb, rca_cert, rsigner, rkey, rother, rflags, nmin, ndays);
720                 if (cbio)
721                         send_ocsp_response(cbio, resp);
722                 }
723         else if (host)
724                 {
725                 cbio = BIO_new_connect(host);
726                 if (!cbio)
727                         {
728                         BIO_printf(bio_err, "Error creating connect BIO\n");
729                         goto end;
730                         }
731                 if (port) BIO_set_conn_port(cbio, port);
732                 if (use_ssl == 1)
733                         {
734                         BIO *sbio;
735                         ctx = SSL_CTX_new(SSLv23_client_method());
736                         SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
737                         sbio = BIO_new_ssl(ctx, 1);
738                         cbio = BIO_push(sbio, cbio);
739                         }
740                 if (BIO_do_connect(cbio) <= 0)
741                         {
742                         BIO_printf(bio_err, "Error connecting BIO\n");
743                         goto end;
744                         }
745                 resp = OCSP_sendreq_bio(cbio, path, req);
746                 BIO_free_all(cbio);
747                 cbio = NULL;
748                 if (!resp)
749                         {
750                         BIO_printf(bio_err, "Error querying OCSP responsder\n");
751                         goto end;
752                         }
753                 }
754         else if (respin)
755                 {
756                 derbio = BIO_new_file(respin, "rb");
757                 if (!derbio)
758                         {
759                         BIO_printf(bio_err, "Error Opening OCSP response file\n");
760                         goto end;
761                         }
762                 resp = d2i_OCSP_RESPONSE_bio(derbio, NULL);
763                 BIO_free(derbio);
764                 if(!resp)
765                         {
766                         BIO_printf(bio_err, "Error reading OCSP response\n");
767                         goto end;
768                         }
769         
770                 }
771         else
772                 {
773                 ret = 0;
774                 goto end;
775                 }
776
777         done_resp:
778
779         if (respout)
780                 {
781                 derbio = BIO_new_file(respout, "wb");
782                 if(!derbio)
783                         {
784                         BIO_printf(bio_err, "Error opening file %s\n", respout);
785                         goto end;
786                         }
787                 i2d_OCSP_RESPONSE_bio(derbio, resp);
788                 BIO_free(derbio);
789                 }
790
791         i = OCSP_response_status(resp);
792
793         if (i != OCSP_RESPONSE_STATUS_SUCCESSFUL)
794                 {
795                 BIO_printf(out, "Responder Error: %s (%ld)\n",
796                                 OCSP_response_status_str(i), i);
797                 ret = 0;
798                 goto end;
799                 }
800
801         if (resp_text) OCSP_RESPONSE_print(out, resp, 0);
802
803         /* If running as responder don't verify our own response */
804         if (cbio)
805                 {
806                 if (accept_count > 0)
807                         accept_count--;
808                 /* Redo if more connections needed */
809                 if (accept_count)
810                         {
811                         BIO_free_all(cbio);
812                         cbio = NULL;
813                         OCSP_REQUEST_free(req);
814                         req = NULL;
815                         OCSP_RESPONSE_free(resp);
816                         resp = NULL;
817                         goto redo_accept;
818                         }
819                 goto end;
820                 }
821
822         if (!store)
823                 store = setup_verify(bio_err, CAfile, CApath);
824         if (!store)
825                 goto end;
826         if (verify_certfile)
827                 {
828                 verify_other = load_certs(bio_err, verify_certfile, FORMAT_PEM,
829                         NULL, e, "validator certificate");
830                 if (!verify_other) goto end;
831                 }
832
833         bs = OCSP_response_get1_basic(resp);
834
835         if (!bs)
836                 {
837                 BIO_printf(bio_err, "Error parsing response\n");
838                 goto end;
839                 }
840
841         if (!noverify)
842                 {
843                 if (req && ((i = OCSP_check_nonce(req, bs)) <= 0))
844                         {
845                         if (i == -1)
846                                 BIO_printf(bio_err, "WARNING: no nonce in response\n");
847                         else
848                                 {
849                                 BIO_printf(bio_err, "Nonce Verify error\n");
850                                 goto end;
851                                 }
852                         }
853
854                 i = OCSP_basic_verify(bs, verify_other, store, verify_flags);
855                 if (i < 0) i = OCSP_basic_verify(bs, NULL, store, 0);
856
857                 if(i <= 0)
858                         {
859                         BIO_printf(bio_err, "Response Verify Failure\n", i);
860                         ERR_print_errors(bio_err);
861                         }
862                 else
863                         BIO_printf(bio_err, "Response verify OK\n");
864
865                 }
866
867         if (!print_ocsp_summary(out, bs, req, reqnames, ids, nsec, maxage))
868                 goto end;
869
870         ret = 0;
871
872 end:
873         ERR_print_errors(bio_err);
874         X509_free(signer);
875         X509_STORE_free(store);
876         EVP_PKEY_free(key);
877         EVP_PKEY_free(rkey);
878         X509_free(issuer);
879         X509_free(cert);
880         X509_free(rsigner);
881         X509_free(rca_cert);
882         TXT_DB_free(rdb);
883         BIO_free_all(cbio);
884         BIO_free_all(acbio);
885         BIO_free(out);
886         OCSP_REQUEST_free(req);
887         OCSP_RESPONSE_free(resp);
888         OCSP_BASICRESP_free(bs);
889         sk_free(reqnames);
890         sk_OCSP_CERTID_free(ids);
891         sk_X509_pop_free(sign_other, X509_free);
892         sk_X509_pop_free(verify_other, X509_free);
893
894         if (use_ssl != -1)
895                 {
896                 OPENSSL_free(host);
897                 OPENSSL_free(port);
898                 OPENSSL_free(path);
899                 SSL_CTX_free(ctx);
900                 }
901
902         EXIT(ret);
903 }
904
905 static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, X509 *issuer,
906                                 STACK_OF(OCSP_CERTID) *ids)
907         {
908         OCSP_CERTID *id;
909         if(!issuer)
910                 {
911                 BIO_printf(bio_err, "No issuer certificate specified\n");
912                 return 0;
913                 }
914         if(!*req) *req = OCSP_REQUEST_new();
915         if(!*req) goto err;
916         id = OCSP_cert_to_id(NULL, cert, issuer);
917         if(!id || !sk_OCSP_CERTID_push(ids, id)) goto err;
918         if(!OCSP_request_add0_id(*req, id)) goto err;
919         return 1;
920
921         err:
922         BIO_printf(bio_err, "Error Creating OCSP request\n");
923         return 0;
924         }
925
926 static int add_ocsp_serial(OCSP_REQUEST **req, char *serial, X509 *issuer,
927                                 STACK_OF(OCSP_CERTID) *ids)
928         {
929         OCSP_CERTID *id;
930         X509_NAME *iname;
931         ASN1_BIT_STRING *ikey;
932         ASN1_INTEGER *sno;
933         if(!issuer)
934                 {
935                 BIO_printf(bio_err, "No issuer certificate specified\n");
936                 return 0;
937                 }
938         if(!*req) *req = OCSP_REQUEST_new();
939         if(!*req) goto err;
940         iname = X509_get_subject_name(issuer);
941         ikey = X509_get0_pubkey_bitstr(issuer);
942         sno = s2i_ASN1_INTEGER(NULL, serial);
943         if(!sno)
944                 {
945                 BIO_printf(bio_err, "Error converting serial number %s\n", serial);
946                 return 0;
947                 }
948         id = OCSP_cert_id_new(EVP_sha1(), iname, ikey, sno);
949         ASN1_INTEGER_free(sno);
950         if(!id || !sk_OCSP_CERTID_push(ids, id)) goto err;
951         if(!OCSP_request_add0_id(*req, id)) goto err;
952         return 1;
953
954         err:
955         BIO_printf(bio_err, "Error Creating OCSP request\n");
956         return 0;
957         }
958
959 static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
960                                         STACK *names, STACK_OF(OCSP_CERTID) *ids,
961                                         long nsec, long maxage)
962         {
963         OCSP_CERTID *id;
964         char *name;
965         int i;
966
967         int status, reason;
968
969         ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
970
971         if (!bs || !req || !sk_num(names) || !sk_OCSP_CERTID_num(ids))
972                 return 1;
973
974         for (i = 0; i < sk_OCSP_CERTID_num(ids); i++)
975                 {
976                 id = sk_OCSP_CERTID_value(ids, i);
977                 name = sk_value(names, i);
978                 BIO_printf(out, "%s: ", name);
979
980                 if(!OCSP_resp_find_status(bs, id, &status, &reason,
981                                         &rev, &thisupd, &nextupd))
982                         {
983                         BIO_puts(out, "ERROR: No Status found.\n");
984                         continue;
985                         }
986
987                 /* Check validity: if invalid write to output BIO so we
988                  * know which response this refers to.
989                  */
990                 if (!OCSP_check_validity(thisupd, nextupd, nsec, maxage))
991                         {
992                         BIO_puts(out, "WARNING: Status times invalid.\n");
993                         ERR_print_errors(out);
994                         }
995                 BIO_printf(out, "%s\n", OCSP_cert_status_str(status));
996
997                 BIO_puts(out, "\tThis Update: ");
998                 ASN1_GENERALIZEDTIME_print(out, thisupd);
999                 BIO_puts(out, "\n");
1000
1001                 if(nextupd)
1002                         {
1003                         BIO_puts(out, "\tNext Update: ");
1004                         ASN1_GENERALIZEDTIME_print(out, nextupd);
1005                         BIO_puts(out, "\n");
1006                         }
1007
1008                 if (status != V_OCSP_CERTSTATUS_REVOKED)
1009                         continue;
1010
1011                 if (reason != -1)
1012                         BIO_printf(out, "\tReason: %s\n",
1013                                 OCSP_crl_reason_str(reason));
1014
1015                 BIO_puts(out, "\tRevocation Time: ");
1016                 ASN1_GENERALIZEDTIME_print(out, rev);
1017                 BIO_puts(out, "\n");
1018                 }
1019
1020         return 1;
1021         }
1022
1023
1024 static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, TXT_DB *db,
1025                         X509 *ca, X509 *rcert, EVP_PKEY *rkey,
1026                         STACK_OF(X509) *rother, unsigned long flags,
1027                         int nmin, int ndays)
1028         {
1029         ASN1_TIME *thisupd = NULL, *nextupd = NULL;
1030         OCSP_CERTID *cid, *ca_id = NULL;
1031         OCSP_BASICRESP *bs = NULL;
1032         int i, id_count, ret = 1;
1033
1034
1035         id_count = OCSP_request_onereq_count(req);
1036
1037         if (id_count <= 0)
1038                 {
1039                 *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, NULL);
1040                 goto end;
1041                 }
1042
1043         ca_id = OCSP_cert_to_id(EVP_sha1(), NULL, ca);
1044
1045         bs = OCSP_BASICRESP_new();
1046         thisupd = X509_gmtime_adj(NULL, 0);
1047         if (ndays != -1)
1048                 nextupd = X509_gmtime_adj(NULL, nmin * 60 + ndays * 3600 * 24 );
1049
1050         /* Examine each certificate id in the request */
1051         for (i = 0; i < id_count; i++)
1052                 {
1053                 OCSP_ONEREQ *one;
1054                 ASN1_INTEGER *serial;
1055                 char **inf;
1056                 one = OCSP_request_onereq_get0(req, i);
1057                 cid = OCSP_onereq_get0_id(one);
1058                 /* Is this request about our CA? */
1059                 if (OCSP_id_issuer_cmp(ca_id, cid))
1060                         {
1061                         OCSP_basic_add1_status(bs, cid,
1062                                                 V_OCSP_CERTSTATUS_UNKNOWN,
1063                                                 0, NULL,
1064                                                 thisupd, nextupd);
1065                         continue;
1066                         }
1067                 OCSP_id_get0_info(NULL, NULL, NULL, &serial, cid);
1068                 inf = lookup_serial(db, serial);
1069                 if (!inf)
1070                         OCSP_basic_add1_status(bs, cid,
1071                                                 V_OCSP_CERTSTATUS_UNKNOWN,
1072                                                 0, NULL,
1073                                                 thisupd, nextupd);
1074                 else if (inf[DB_type][0] == DB_TYPE_VAL)
1075                         OCSP_basic_add1_status(bs, cid,
1076                                                 V_OCSP_CERTSTATUS_GOOD,
1077                                                 0, NULL,
1078                                                 thisupd, nextupd);
1079                 else if (inf[DB_type][0] == DB_TYPE_REV)
1080                         {
1081                         ASN1_OBJECT *inst = NULL;
1082                         ASN1_TIME *revtm = NULL;
1083                         ASN1_GENERALIZEDTIME *invtm = NULL;
1084                         OCSP_SINGLERESP *single;
1085                         int reason = -1;
1086                         unpack_revinfo(&revtm, &reason, &inst, &invtm, inf[DB_rev_date]);
1087                         single = OCSP_basic_add1_status(bs, cid,
1088                                                 V_OCSP_CERTSTATUS_REVOKED,
1089                                                 reason, revtm,
1090                                                 thisupd, nextupd);
1091                         if (invtm)
1092                                 OCSP_SINGLERESP_add1_ext_i2d(single, NID_invalidity_date, invtm, 0, 0);
1093                         else if (inst)
1094                                 OCSP_SINGLERESP_add1_ext_i2d(single, NID_hold_instruction_code, inst, 0, 0);
1095                         ASN1_OBJECT_free(inst);
1096                         ASN1_TIME_free(revtm);
1097                         ASN1_GENERALIZEDTIME_free(invtm);
1098                         }
1099                 }
1100
1101         OCSP_copy_nonce(bs, req);
1102                 
1103         OCSP_basic_sign(bs, rcert, rkey, EVP_sha1(), rother, flags);
1104
1105         *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_SUCCESSFUL, bs);
1106
1107         end:
1108         ASN1_TIME_free(thisupd);
1109         ASN1_TIME_free(nextupd);
1110         OCSP_CERTID_free(ca_id);
1111         OCSP_BASICRESP_free(bs);
1112         return ret;
1113
1114         }
1115
1116 static char **lookup_serial(TXT_DB *db, ASN1_INTEGER *ser)
1117         {
1118         int i;
1119         BIGNUM *bn = NULL;
1120         char *itmp, *row[DB_NUMBER],**rrow;
1121         for (i = 0; i < DB_NUMBER; i++) row[i] = NULL;
1122         bn = ASN1_INTEGER_to_BN(ser,NULL);
1123         if (BN_is_zero(bn))
1124                 itmp = BUF_strdup("00");
1125         else
1126                 itmp = BN_bn2hex(bn);
1127         row[DB_serial] = itmp;
1128         BN_free(bn);
1129         rrow=TXT_DB_get_by_index(db,DB_serial,row);
1130         OPENSSL_free(itmp);
1131         return rrow;
1132         }
1133
1134 /* Quick and dirty OCSP server: read in and parse input request */
1135
1136 static BIO *init_responder(char *port)
1137         {
1138         BIO *acbio = NULL, *bufbio = NULL;
1139         bufbio = BIO_new(BIO_f_buffer());
1140         if (!bufbio) 
1141                 goto err;
1142         acbio = BIO_new_accept(port);
1143         if (!acbio)
1144                 goto err;
1145         BIO_set_accept_bios(acbio, bufbio);
1146         bufbio = NULL;
1147
1148         if (BIO_do_accept(acbio) <= 0)
1149                 {
1150                         BIO_printf(bio_err, "Error setting up accept BIO\n");
1151                         ERR_print_errors(bio_err);
1152                         goto err;
1153                 }
1154
1155         return acbio;
1156
1157         err:
1158         BIO_free_all(acbio);
1159         BIO_free(bufbio);
1160         return NULL;
1161         }
1162
1163 static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, char *port)
1164         {
1165         int have_post = 0, len;
1166         OCSP_REQUEST *req = NULL;
1167         char inbuf[1024];
1168         BIO *cbio = NULL;
1169
1170         if (BIO_do_accept(acbio) <= 0)
1171                 {
1172                         BIO_printf(bio_err, "Error accepting connection\n");
1173                         ERR_print_errors(bio_err);
1174                         return 0;
1175                 }
1176
1177         cbio = BIO_pop(acbio);
1178         *pcbio = cbio;
1179
1180         for(;;)
1181                 {
1182                 len = BIO_gets(cbio, inbuf, sizeof inbuf);
1183                 if (len <= 0)
1184                         return 1;
1185                 /* Look for "POST" signalling start of query */
1186                 if (!have_post)
1187                         {
1188                         if(strncmp(inbuf, "POST", 4))
1189                                 {
1190                                 BIO_printf(bio_err, "Invalid request\n");
1191                                 return 1;
1192                                 }
1193                         have_post = 1;
1194                         }
1195                 /* Look for end of headers */
1196                 if ((inbuf[0] == '\r') || (inbuf[0] == '\n'))
1197                         break;
1198                 }
1199
1200         /* Try to read OCSP request */
1201
1202         req = d2i_OCSP_REQUEST_bio(cbio, NULL);
1203
1204         if (!req)
1205                 {
1206                 BIO_printf(bio_err, "Error parsing OCSP request\n");
1207                 ERR_print_errors(bio_err);
1208                 }
1209
1210         *preq = req;
1211
1212         return 1;
1213
1214         }
1215
1216 static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp)
1217         {
1218         char http_resp[] = 
1219                 "HTTP/1.0 200 OK\r\nContent-type: application/ocsp-response\r\n"
1220                 "Content-Length: %d\r\n\r\n";
1221         if (!cbio)
1222                 return 0;
1223         BIO_printf(cbio, http_resp, i2d_OCSP_RESPONSE(resp, NULL));
1224         i2d_OCSP_RESPONSE_bio(cbio, resp);
1225         BIO_flush(cbio);
1226         return 1;
1227         }
1228