properly initialize SSL context, check return value
[openssl.git] / apps / ocsp.c
1 /* ocsp.c */
2 /* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
3  * project 2000.
4  */
5 /* ====================================================================
6  * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer. 
14  *
15  * 2. Redistributions in binary form must reproduce the above copyright
16  *    notice, this list of conditions and the following disclaimer in
17  *    the documentation and/or other materials provided with the
18  *    distribution.
19  *
20  * 3. All advertising materials mentioning features or use of this
21  *    software must display the following acknowledgment:
22  *    "This product includes software developed by the OpenSSL Project
23  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24  *
25  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26  *    endorse or promote products derived from this software without
27  *    prior written permission. For written permission, please contact
28  *    licensing@OpenSSL.org.
29  *
30  * 5. Products derived from this software may not be called "OpenSSL"
31  *    nor may "OpenSSL" appear in their names without prior written
32  *    permission of the OpenSSL Project.
33  *
34  * 6. Redistributions of any form whatsoever must retain the following
35  *    acknowledgment:
36  *    "This product includes software developed by the OpenSSL Project
37  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38  *
39  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
43  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50  * OF THE POSSIBILITY OF SUCH DAMAGE.
51  * ====================================================================
52  *
53  * This product includes cryptographic software written by Eric Young
54  * (eay@cryptsoft.com).  This product includes software written by Tim
55  * Hudson (tjh@cryptsoft.com).
56  *
57  */
58 #ifndef OPENSSL_NO_OCSP
59
60 #include <stdio.h>
61 #include <string.h>
62 #include <time.h>
63 #include "apps.h"
64 #include <openssl/pem.h>
65 #include <openssl/ocsp.h>
66 #include <openssl/err.h>
67 #include <openssl/ssl.h>
68 #include <openssl/bn.h>
69
70 /* Maximum leeway in validity period: default 5 minutes */
71 #define MAX_VALIDITY_PERIOD     (5 * 60)
72
73 static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, X509 *issuer,
74                                 STACK_OF(OCSP_CERTID) *ids);
75 static int add_ocsp_serial(OCSP_REQUEST **req, char *serial, X509 *issuer,
76                                 STACK_OF(OCSP_CERTID) *ids);
77 static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
78                                 STACK *names, STACK_OF(OCSP_CERTID) *ids,
79                                 long nsec, long maxage);
80
81 static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db,
82                         X509 *ca, X509 *rcert, EVP_PKEY *rkey,
83                         STACK_OF(X509) *rother, unsigned long flags,
84                         int nmin, int ndays);
85
86 static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser);
87 static BIO *init_responder(char *port);
88 static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, char *port);
89 static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp);
90 static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path,
91                                 OCSP_REQUEST *req, int req_timeout);
92
93 #undef PROG
94 #define PROG ocsp_main
95
96 int MAIN(int, char **);
97
98 int MAIN(int argc, char **argv)
99         {
100         ENGINE *e = NULL;
101         char **args;
102         char *host = NULL, *port = NULL, *path = "/";
103         char *reqin = NULL, *respin = NULL;
104         char *reqout = NULL, *respout = NULL;
105         char *signfile = NULL, *keyfile = NULL;
106         char *rsignfile = NULL, *rkeyfile = NULL;
107         char *outfile = NULL;
108         int add_nonce = 1, noverify = 0, use_ssl = -1;
109         OCSP_REQUEST *req = NULL;
110         OCSP_RESPONSE *resp = NULL;
111         OCSP_BASICRESP *bs = NULL;
112         X509 *issuer = NULL, *cert = NULL;
113         X509 *signer = NULL, *rsigner = NULL;
114         EVP_PKEY *key = NULL, *rkey = NULL;
115         BIO *acbio = NULL, *cbio = NULL;
116         BIO *derbio = NULL;
117         BIO *out = NULL;
118         int req_timeout = -1;
119         int req_text = 0, resp_text = 0;
120         long nsec = MAX_VALIDITY_PERIOD, maxage = -1;
121         char *CAfile = NULL, *CApath = NULL;
122         X509_STORE *store = NULL;
123         SSL_CTX *ctx = NULL;
124         STACK_OF(X509) *sign_other = NULL, *verify_other = NULL, *rother = NULL;
125         char *sign_certfile = NULL, *verify_certfile = NULL, *rcertfile = NULL;
126         unsigned long sign_flags = 0, verify_flags = 0, rflags = 0;
127         int ret = 1;
128         int accept_count = -1;
129         int badarg = 0;
130         int i;
131         int ignore_err = 0;
132         STACK *reqnames = NULL;
133         STACK_OF(OCSP_CERTID) *ids = NULL;
134
135         X509 *rca_cert = NULL;
136         char *ridx_filename = NULL;
137         char *rca_filename = NULL;
138         CA_DB *rdb = NULL;
139         int nmin = 0, ndays = -1;
140
141         if (bio_err == NULL) bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
142
143         if (!load_config(bio_err, NULL))
144                 goto end;
145         SSL_load_error_strings();
146         OpenSSL_add_ssl_algorithms();
147         args = argv + 1;
148         reqnames = sk_new_null();
149         ids = sk_OCSP_CERTID_new_null();
150         while (!badarg && *args && *args[0] == '-')
151                 {
152                 if (!strcmp(*args, "-out"))
153                         {
154                         if (args[1])
155                                 {
156                                 args++;
157                                 outfile = *args;
158                                 }
159                         else badarg = 1;
160                         }
161                 else if (!strcmp(*args, "-timeout"))
162                         {
163                         if (args[1])
164                                 {
165                                 args++;
166                                 req_timeout = atol(*args);
167                                 if (req_timeout < 0)
168                                         {
169                                         BIO_printf(bio_err,
170                                                 "Illegal timeout value %s\n",
171                                                 *args);
172                                         badarg = 1;
173                                         }
174                                 }
175                         else badarg = 1;
176                         }
177                 else if (!strcmp(*args, "-url"))
178                         {
179                         if (args[1])
180                                 {
181                                 args++;
182                                 if (!OCSP_parse_url(*args, &host, &port, &path, &use_ssl))
183                                         {
184                                         BIO_printf(bio_err, "Error parsing URL\n");
185                                         badarg = 1;
186                                         }
187                                 }
188                         else badarg = 1;
189                         }
190                 else if (!strcmp(*args, "-host"))
191                         {
192                         if (args[1])
193                                 {
194                                 args++;
195                                 host = *args;
196                                 }
197                         else badarg = 1;
198                         }
199                 else if (!strcmp(*args, "-port"))
200                         {
201                         if (args[1])
202                                 {
203                                 args++;
204                                 port = *args;
205                                 }
206                         else badarg = 1;
207                         }
208                 else if (!strcmp(*args, "-ignore_err"))
209                         ignore_err = 1;
210                 else if (!strcmp(*args, "-noverify"))
211                         noverify = 1;
212                 else if (!strcmp(*args, "-nonce"))
213                         add_nonce = 2;
214                 else if (!strcmp(*args, "-no_nonce"))
215                         add_nonce = 0;
216                 else if (!strcmp(*args, "-resp_no_certs"))
217                         rflags |= OCSP_NOCERTS;
218                 else if (!strcmp(*args, "-resp_key_id"))
219                         rflags |= OCSP_RESPID_KEY;
220                 else if (!strcmp(*args, "-no_certs"))
221                         sign_flags |= OCSP_NOCERTS;
222                 else if (!strcmp(*args, "-no_signature_verify"))
223                         verify_flags |= OCSP_NOSIGS;
224                 else if (!strcmp(*args, "-no_cert_verify"))
225                         verify_flags |= OCSP_NOVERIFY;
226                 else if (!strcmp(*args, "-no_chain"))
227                         verify_flags |= OCSP_NOCHAIN;
228                 else if (!strcmp(*args, "-no_cert_checks"))
229                         verify_flags |= OCSP_NOCHECKS;
230                 else if (!strcmp(*args, "-no_explicit"))
231                         verify_flags |= OCSP_NOEXPLICIT;
232                 else if (!strcmp(*args, "-trust_other"))
233                         verify_flags |= OCSP_TRUSTOTHER;
234                 else if (!strcmp(*args, "-no_intern"))
235                         verify_flags |= OCSP_NOINTERN;
236                 else if (!strcmp(*args, "-text"))
237                         {
238                         req_text = 1;
239                         resp_text = 1;
240                         }
241                 else if (!strcmp(*args, "-req_text"))
242                         req_text = 1;
243                 else if (!strcmp(*args, "-resp_text"))
244                         resp_text = 1;
245                 else if (!strcmp(*args, "-reqin"))
246                         {
247                         if (args[1])
248                                 {
249                                 args++;
250                                 reqin = *args;
251                                 }
252                         else badarg = 1;
253                         }
254                 else if (!strcmp(*args, "-respin"))
255                         {
256                         if (args[1])
257                                 {
258                                 args++;
259                                 respin = *args;
260                                 }
261                         else badarg = 1;
262                         }
263                 else if (!strcmp(*args, "-signer"))
264                         {
265                         if (args[1])
266                                 {
267                                 args++;
268                                 signfile = *args;
269                                 }
270                         else badarg = 1;
271                         }
272                 else if (!strcmp (*args, "-VAfile"))
273                         {
274                         if (args[1])
275                                 {
276                                 args++;
277                                 verify_certfile = *args;
278                                 verify_flags |= OCSP_TRUSTOTHER;
279                                 }
280                         else badarg = 1;
281                         }
282                 else if (!strcmp(*args, "-sign_other"))
283                         {
284                         if (args[1])
285                                 {
286                                 args++;
287                                 sign_certfile = *args;
288                                 }
289                         else badarg = 1;
290                         }
291                 else if (!strcmp(*args, "-verify_other"))
292                         {
293                         if (args[1])
294                                 {
295                                 args++;
296                                 verify_certfile = *args;
297                                 }
298                         else badarg = 1;
299                         }
300                 else if (!strcmp (*args, "-CAfile"))
301                         {
302                         if (args[1])
303                                 {
304                                 args++;
305                                 CAfile = *args;
306                                 }
307                         else badarg = 1;
308                         }
309                 else if (!strcmp (*args, "-CApath"))
310                         {
311                         if (args[1])
312                                 {
313                                 args++;
314                                 CApath = *args;
315                                 }
316                         else badarg = 1;
317                         }
318                 else if (!strcmp (*args, "-validity_period"))
319                         {
320                         if (args[1])
321                                 {
322                                 args++;
323                                 nsec = atol(*args);
324                                 if (nsec < 0)
325                                         {
326                                         BIO_printf(bio_err,
327                                                 "Illegal validity period %s\n",
328                                                 *args);
329                                         badarg = 1;
330                                         }
331                                 }
332                         else badarg = 1;
333                         }
334                 else if (!strcmp (*args, "-status_age"))
335                         {
336                         if (args[1])
337                                 {
338                                 args++;
339                                 maxage = atol(*args);
340                                 if (maxage < 0)
341                                         {
342                                         BIO_printf(bio_err,
343                                                 "Illegal validity age %s\n",
344                                                 *args);
345                                         badarg = 1;
346                                         }
347                                 }
348                         else badarg = 1;
349                         }
350                  else if (!strcmp(*args, "-signkey"))
351                         {
352                         if (args[1])
353                                 {
354                                 args++;
355                                 keyfile = *args;
356                                 }
357                         else badarg = 1;
358                         }
359                 else if (!strcmp(*args, "-reqout"))
360                         {
361                         if (args[1])
362                                 {
363                                 args++;
364                                 reqout = *args;
365                                 }
366                         else badarg = 1;
367                         }
368                 else if (!strcmp(*args, "-respout"))
369                         {
370                         if (args[1])
371                                 {
372                                 args++;
373                                 respout = *args;
374                                 }
375                         else badarg = 1;
376                         }
377                  else if (!strcmp(*args, "-path"))
378                         {
379                         if (args[1])
380                                 {
381                                 args++;
382                                 path = *args;
383                                 }
384                         else badarg = 1;
385                         }
386                 else if (!strcmp(*args, "-issuer"))
387                         {
388                         if (args[1])
389                                 {
390                                 args++;
391                                 X509_free(issuer);
392                                 issuer = load_cert(bio_err, *args, FORMAT_PEM,
393                                         NULL, e, "issuer certificate");
394                                 if(!issuer) goto end;
395                                 }
396                         else badarg = 1;
397                         }
398                 else if (!strcmp (*args, "-cert"))
399                         {
400                         if (args[1])
401                                 {
402                                 args++;
403                                 X509_free(cert);
404                                 cert = load_cert(bio_err, *args, FORMAT_PEM,
405                                         NULL, e, "certificate");
406                                 if(!cert) goto end;
407                                 if(!add_ocsp_cert(&req, cert, issuer, ids))
408                                         goto end;
409                                 if(!sk_push(reqnames, *args))
410                                         goto end;
411                                 }
412                         else badarg = 1;
413                         }
414                 else if (!strcmp(*args, "-serial"))
415                         {
416                         if (args[1])
417                                 {
418                                 args++;
419                                 if(!add_ocsp_serial(&req, *args, issuer, ids))
420                                         goto end;
421                                 if(!sk_push(reqnames, *args))
422                                         goto end;
423                                 }
424                         else badarg = 1;
425                         }
426                 else if (!strcmp(*args, "-index"))
427                         {
428                         if (args[1])
429                                 {
430                                 args++;
431                                 ridx_filename = *args;
432                                 }
433                         else badarg = 1;
434                         }
435                 else if (!strcmp(*args, "-CA"))
436                         {
437                         if (args[1])
438                                 {
439                                 args++;
440                                 rca_filename = *args;
441                                 }
442                         else badarg = 1;
443                         }
444                 else if (!strcmp (*args, "-nmin"))
445                         {
446                         if (args[1])
447                                 {
448                                 args++;
449                                 nmin = atol(*args);
450                                 if (nmin < 0)
451                                         {
452                                         BIO_printf(bio_err,
453                                                 "Illegal update period %s\n",
454                                                 *args);
455                                         badarg = 1;
456                                         }
457                                 }
458                                 if (ndays == -1)
459                                         ndays = 0;
460                         else badarg = 1;
461                         }
462                 else if (!strcmp (*args, "-nrequest"))
463                         {
464                         if (args[1])
465                                 {
466                                 args++;
467                                 accept_count = atol(*args);
468                                 if (accept_count < 0)
469                                         {
470                                         BIO_printf(bio_err,
471                                                 "Illegal accept count %s\n",
472                                                 *args);
473                                         badarg = 1;
474                                         }
475                                 }
476                         else badarg = 1;
477                         }
478                 else if (!strcmp (*args, "-ndays"))
479                         {
480                         if (args[1])
481                                 {
482                                 args++;
483                                 ndays = atol(*args);
484                                 if (ndays < 0)
485                                         {
486                                         BIO_printf(bio_err,
487                                                 "Illegal update period %s\n",
488                                                 *args);
489                                         badarg = 1;
490                                         }
491                                 }
492                         else badarg = 1;
493                         }
494                 else if (!strcmp(*args, "-rsigner"))
495                         {
496                         if (args[1])
497                                 {
498                                 args++;
499                                 rsignfile = *args;
500                                 }
501                         else badarg = 1;
502                         }
503                 else if (!strcmp(*args, "-rkey"))
504                         {
505                         if (args[1])
506                                 {
507                                 args++;
508                                 rkeyfile = *args;
509                                 }
510                         else badarg = 1;
511                         }
512                 else if (!strcmp(*args, "-rother"))
513                         {
514                         if (args[1])
515                                 {
516                                 args++;
517                                 rcertfile = *args;
518                                 }
519                         else badarg = 1;
520                         }
521                 else badarg = 1;
522                 args++;
523                 }
524
525         /* Have we anything to do? */
526         if (!req && !reqin && !respin && !(port && ridx_filename)) badarg = 1;
527
528         if (badarg)
529                 {
530                 BIO_printf (bio_err, "OCSP utility\n");
531                 BIO_printf (bio_err, "Usage ocsp [options]\n");
532                 BIO_printf (bio_err, "where options are\n");
533                 BIO_printf (bio_err, "-out file          output filename\n");
534                 BIO_printf (bio_err, "-issuer file       issuer certificate\n");
535                 BIO_printf (bio_err, "-cert file         certificate to check\n");
536                 BIO_printf (bio_err, "-serial n          serial number to check\n");
537                 BIO_printf (bio_err, "-signer file       certificate to sign OCSP request with\n");
538                 BIO_printf (bio_err, "-signkey file      private key to sign OCSP request with\n");
539                 BIO_printf (bio_err, "-sign_other file   additional certificates to include in signed request\n");
540                 BIO_printf (bio_err, "-no_certs          don't include any certificates in signed request\n");
541                 BIO_printf (bio_err, "-req_text          print text form of request\n");
542                 BIO_printf (bio_err, "-resp_text         print text form of response\n");
543                 BIO_printf (bio_err, "-text              print text form of request and response\n");
544                 BIO_printf (bio_err, "-reqout file       write DER encoded OCSP request to \"file\"\n");
545                 BIO_printf (bio_err, "-respout file      write DER encoded OCSP reponse to \"file\"\n");
546                 BIO_printf (bio_err, "-reqin file        read DER encoded OCSP request from \"file\"\n");
547                 BIO_printf (bio_err, "-respin file       read DER encoded OCSP reponse from \"file\"\n");
548                 BIO_printf (bio_err, "-nonce             add OCSP nonce to request\n");
549                 BIO_printf (bio_err, "-no_nonce          don't add OCSP nonce to request\n");
550                 BIO_printf (bio_err, "-url URL           OCSP responder URL\n");
551                 BIO_printf (bio_err, "-host host:n       send OCSP request to host on port n\n");
552                 BIO_printf (bio_err, "-path              path to use in OCSP request\n");
553                 BIO_printf (bio_err, "-CApath dir        trusted certificates directory\n");
554                 BIO_printf (bio_err, "-CAfile file       trusted certificates file\n");
555                 BIO_printf (bio_err, "-VAfile file       validator certificates file\n");
556                 BIO_printf (bio_err, "-validity_period n maximum validity discrepancy in seconds\n");
557                 BIO_printf (bio_err, "-status_age n      maximum status age in seconds\n");
558                 BIO_printf (bio_err, "-noverify          don't verify response at all\n");
559                 BIO_printf (bio_err, "-verify_other file additional certificates to search for signer\n");
560                 BIO_printf (bio_err, "-trust_other       don't verify additional certificates\n");
561                 BIO_printf (bio_err, "-no_intern         don't search certificates contained in response for signer\n");
562                 BIO_printf (bio_err, "-no_signature_verify don't check signature on response\n");
563                 BIO_printf (bio_err, "-no_cert_verify    don't check signing certificate\n");
564                 BIO_printf (bio_err, "-no_chain          don't chain verify response\n");
565                 BIO_printf (bio_err, "-no_cert_checks    don't do additional checks on signing certificate\n");
566                 BIO_printf (bio_err, "-port num          port to run responder on\n");
567                 BIO_printf (bio_err, "-index file        certificate status index file\n");
568                 BIO_printf (bio_err, "-CA file           CA certificate\n");
569                 BIO_printf (bio_err, "-rsigner file      responder certificate to sign responses with\n");
570                 BIO_printf (bio_err, "-rkey file         responder key to sign responses with\n");
571                 BIO_printf (bio_err, "-rother file       other certificates to include in response\n");
572                 BIO_printf (bio_err, "-resp_no_certs     don't include any certificates in response\n");
573                 BIO_printf (bio_err, "-nmin n            number of minutes before next update\n");
574                 BIO_printf (bio_err, "-ndays n           number of days before next update\n");
575                 BIO_printf (bio_err, "-resp_key_id       identify reponse by signing certificate key ID\n");
576                 BIO_printf (bio_err, "-nrequest n        number of requests to accept (default unlimited)\n");
577                 goto end;
578                 }
579
580         if(outfile) out = BIO_new_file(outfile, "w");
581         else out = BIO_new_fp(stdout, BIO_NOCLOSE);
582
583         if(!out)
584                 {
585                 BIO_printf(bio_err, "Error opening output file\n");
586                 goto end;
587                 }
588
589         if (!req && (add_nonce != 2)) add_nonce = 0;
590
591         if (!req && reqin)
592                 {
593                 derbio = BIO_new_file(reqin, "rb");
594                 if (!derbio)
595                         {
596                         BIO_printf(bio_err, "Error Opening OCSP request file\n");
597                         goto end;
598                         }
599                 req = d2i_OCSP_REQUEST_bio(derbio, NULL);
600                 BIO_free(derbio);
601                 if(!req)
602                         {
603                         BIO_printf(bio_err, "Error reading OCSP request\n");
604                         goto end;
605                         }
606                 }
607
608         if (!req && port)
609                 {
610                 acbio = init_responder(port);
611                 if (!acbio)
612                         goto end;
613                 }
614
615         if (rsignfile && !rdb)
616                 {
617                 if (!rkeyfile) rkeyfile = rsignfile;
618                 rsigner = load_cert(bio_err, rsignfile, FORMAT_PEM,
619                         NULL, e, "responder certificate");
620                 if (!rsigner)
621                         {
622                         BIO_printf(bio_err, "Error loading responder certificate\n");
623                         goto end;
624                         }
625                 rca_cert = load_cert(bio_err, rca_filename, FORMAT_PEM,
626                         NULL, e, "CA certificate");
627                 if (rcertfile)
628                         {
629                         rother = load_certs(bio_err, rcertfile, FORMAT_PEM,
630                                 NULL, e, "responder other certificates");
631                         if (!rother) goto end;
632                         }
633                 rkey = load_key(bio_err, rkeyfile, FORMAT_PEM, 0, NULL, NULL,
634                         "responder private key");
635                 if (!rkey)
636                         goto end;
637                 }
638         if(acbio)
639                 BIO_printf(bio_err, "Waiting for OCSP client connections...\n");
640
641         redo_accept:
642
643         if (acbio)
644                 {
645                 if (!do_responder(&req, &cbio, acbio, port))
646                         goto end;
647                 if (!req)
648                         {
649                         resp = OCSP_response_create(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, NULL);
650                         send_ocsp_response(cbio, resp);
651                         goto done_resp;
652                         }
653                 }
654
655         if (!req && (signfile || reqout || host || add_nonce || ridx_filename))
656                 {
657                 BIO_printf(bio_err, "Need an OCSP request for this operation!\n");
658                 goto end;
659                 }
660
661         if (req && add_nonce) OCSP_request_add1_nonce(req, NULL, -1);
662
663         if (signfile)
664                 {
665                 if (!keyfile) keyfile = signfile;
666                 signer = load_cert(bio_err, signfile, FORMAT_PEM,
667                         NULL, e, "signer certificate");
668                 if (!signer)
669                         {
670                         BIO_printf(bio_err, "Error loading signer certificate\n");
671                         goto end;
672                         }
673                 if (sign_certfile)
674                         {
675                         sign_other = load_certs(bio_err, sign_certfile, FORMAT_PEM,
676                                 NULL, e, "signer certificates");
677                         if (!sign_other) goto end;
678                         }
679                 key = load_key(bio_err, keyfile, FORMAT_PEM, 0, NULL, NULL,
680                         "signer private key");
681                 if (!key)
682                         goto end;
683                 if (!OCSP_request_sign(req, signer, key, EVP_sha1(), sign_other, sign_flags))
684                         {
685                         BIO_printf(bio_err, "Error signing OCSP request\n");
686                         goto end;
687                         }
688                 }
689
690         if (req_text && req) OCSP_REQUEST_print(out, req, 0);
691
692         if (reqout)
693                 {
694                 derbio = BIO_new_file(reqout, "wb");
695                 if(!derbio)
696                         {
697                         BIO_printf(bio_err, "Error opening file %s\n", reqout);
698                         goto end;
699                         }
700                 i2d_OCSP_REQUEST_bio(derbio, req);
701                 BIO_free(derbio);
702                 }
703
704         if (ridx_filename && (!rkey || !rsigner || !rca_cert))
705                 {
706                 BIO_printf(bio_err, "Need a responder certificate, key and CA for this operation!\n");
707                 goto end;
708                 }
709
710         if (ridx_filename && !rdb)
711                 {
712                 rdb = load_index(ridx_filename, NULL);
713                 if (!rdb) goto end;
714                 if (!index_index(rdb)) goto end;
715                 }
716
717         if (rdb)
718                 {
719                 i = make_ocsp_response(&resp, req, rdb, rca_cert, rsigner, rkey, rother, rflags, nmin, ndays);
720                 if (cbio)
721                         send_ocsp_response(cbio, resp);
722                 }
723         else if (host)
724                 {
725 #ifndef OPENSSL_NO_SOCK
726                 cbio = BIO_new_connect(host);
727 #else
728                 BIO_printf(bio_err, "Error creating connect BIO - sockets not supported.\n");
729                 goto end;
730 #endif
731                 if (!cbio)
732                         {
733                         BIO_printf(bio_err, "Error creating connect BIO\n");
734                         goto end;
735                         }
736                 if (port) BIO_set_conn_port(cbio, port);
737                 if (use_ssl == 1)
738                         {
739                         BIO *sbio;
740 #if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
741                         ctx = SSL_CTX_new(SSLv23_client_method());
742 #elif !defined(OPENSSL_NO_SSL3)
743                         ctx = SSL_CTX_new(SSLv3_client_method());
744 #elif !defined(OPENSSL_NO_SSL2)
745                         ctx = SSL_CTX_new(SSLv2_client_method());
746 #else
747                         BIO_printf(bio_err, "SSL is disabled\n");
748                         goto end;
749 #endif
750                         if (ctx == NULL)
751                                 {
752                                 BIO_printf(bio_err, "Error creating SSL context.\n");
753                                 goto end;
754                                 }
755                         SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
756                         sbio = BIO_new_ssl(ctx, 1);
757                         cbio = BIO_push(sbio, cbio);
758                         }
759
760                 resp = query_responder(bio_err, cbio, path, req, req_timeout);
761                 BIO_free_all(cbio);
762                 cbio = NULL;
763                 if (!resp)
764                         {
765                         BIO_printf(bio_err, "Error querying OCSP responsder\n");
766                         goto end;
767                         }
768                 }
769         else if (respin)
770                 {
771                 derbio = BIO_new_file(respin, "rb");
772                 if (!derbio)
773                         {
774                         BIO_printf(bio_err, "Error Opening OCSP response file\n");
775                         goto end;
776                         }
777                 resp = d2i_OCSP_RESPONSE_bio(derbio, NULL);
778                 BIO_free(derbio);
779                 if(!resp)
780                         {
781                         BIO_printf(bio_err, "Error reading OCSP response\n");
782                         goto end;
783                         }
784         
785                 }
786         else
787                 {
788                 ret = 0;
789                 goto end;
790                 }
791
792         done_resp:
793
794         if (respout)
795                 {
796                 derbio = BIO_new_file(respout, "wb");
797                 if(!derbio)
798                         {
799                         BIO_printf(bio_err, "Error opening file %s\n", respout);
800                         goto end;
801                         }
802                 i2d_OCSP_RESPONSE_bio(derbio, resp);
803                 BIO_free(derbio);
804                 }
805
806         i = OCSP_response_status(resp);
807
808         if (i != OCSP_RESPONSE_STATUS_SUCCESSFUL)
809                 {
810                 BIO_printf(out, "Responder Error: %s (%d)\n",
811                                 OCSP_response_status_str(i), i);
812                 if (ignore_err)
813                         goto redo_accept;
814                 ret = 0;
815                 goto end;
816                 }
817
818         if (resp_text) OCSP_RESPONSE_print(out, resp, 0);
819
820         /* If running as responder don't verify our own response */
821         if (cbio)
822                 {
823                 if (accept_count > 0)
824                         accept_count--;
825                 /* Redo if more connections needed */
826                 if (accept_count)
827                         {
828                         BIO_free_all(cbio);
829                         cbio = NULL;
830                         OCSP_REQUEST_free(req);
831                         req = NULL;
832                         OCSP_RESPONSE_free(resp);
833                         resp = NULL;
834                         goto redo_accept;
835                         }
836                 goto end;
837                 }
838
839         if (!store)
840                 store = setup_verify(bio_err, CAfile, CApath);
841         if (!store)
842                 goto end;
843         if (verify_certfile)
844                 {
845                 verify_other = load_certs(bio_err, verify_certfile, FORMAT_PEM,
846                         NULL, e, "validator certificate");
847                 if (!verify_other) goto end;
848                 }
849
850         bs = OCSP_response_get1_basic(resp);
851
852         if (!bs)
853                 {
854                 BIO_printf(bio_err, "Error parsing response\n");
855                 goto end;
856                 }
857
858         if (!noverify)
859                 {
860                 if (req && ((i = OCSP_check_nonce(req, bs)) <= 0))
861                         {
862                         if (i == -1)
863                                 BIO_printf(bio_err, "WARNING: no nonce in response\n");
864                         else
865                                 {
866                                 BIO_printf(bio_err, "Nonce Verify error\n");
867                                 goto end;
868                                 }
869                         }
870
871                 i = OCSP_basic_verify(bs, verify_other, store, verify_flags);
872                 if (i < 0) i = OCSP_basic_verify(bs, NULL, store, 0);
873
874                 if(i <= 0)
875                         {
876                         BIO_printf(bio_err, "Response Verify Failure\n");
877                         ERR_print_errors(bio_err);
878                         }
879                 else
880                         BIO_printf(bio_err, "Response verify OK\n");
881
882                 }
883
884         if (!print_ocsp_summary(out, bs, req, reqnames, ids, nsec, maxage))
885                 goto end;
886
887         ret = 0;
888
889 end:
890         ERR_print_errors(bio_err);
891         X509_free(signer);
892         X509_STORE_free(store);
893         EVP_PKEY_free(key);
894         EVP_PKEY_free(rkey);
895         X509_free(issuer);
896         X509_free(cert);
897         X509_free(rsigner);
898         X509_free(rca_cert);
899         free_index(rdb);
900         BIO_free_all(cbio);
901         BIO_free_all(acbio);
902         BIO_free(out);
903         OCSP_REQUEST_free(req);
904         OCSP_RESPONSE_free(resp);
905         OCSP_BASICRESP_free(bs);
906         sk_free(reqnames);
907         sk_OCSP_CERTID_free(ids);
908         sk_X509_pop_free(sign_other, X509_free);
909         sk_X509_pop_free(verify_other, X509_free);
910
911         if (use_ssl != -1)
912                 {
913                 OPENSSL_free(host);
914                 OPENSSL_free(port);
915                 OPENSSL_free(path);
916                 SSL_CTX_free(ctx);
917                 }
918
919         OPENSSL_EXIT(ret);
920 }
921
922 static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, X509 *issuer,
923                                 STACK_OF(OCSP_CERTID) *ids)
924         {
925         OCSP_CERTID *id;
926         if(!issuer)
927                 {
928                 BIO_printf(bio_err, "No issuer certificate specified\n");
929                 return 0;
930                 }
931         if(!*req) *req = OCSP_REQUEST_new();
932         if(!*req) goto err;
933         id = OCSP_cert_to_id(NULL, cert, issuer);
934         if(!id || !sk_OCSP_CERTID_push(ids, id)) goto err;
935         if(!OCSP_request_add0_id(*req, id)) goto err;
936         return 1;
937
938         err:
939         BIO_printf(bio_err, "Error Creating OCSP request\n");
940         return 0;
941         }
942
943 static int add_ocsp_serial(OCSP_REQUEST **req, char *serial, X509 *issuer,
944                                 STACK_OF(OCSP_CERTID) *ids)
945         {
946         OCSP_CERTID *id;
947         X509_NAME *iname;
948         ASN1_BIT_STRING *ikey;
949         ASN1_INTEGER *sno;
950         if(!issuer)
951                 {
952                 BIO_printf(bio_err, "No issuer certificate specified\n");
953                 return 0;
954                 }
955         if(!*req) *req = OCSP_REQUEST_new();
956         if(!*req) goto err;
957         iname = X509_get_subject_name(issuer);
958         ikey = X509_get0_pubkey_bitstr(issuer);
959         sno = s2i_ASN1_INTEGER(NULL, serial);
960         if(!sno)
961                 {
962                 BIO_printf(bio_err, "Error converting serial number %s\n", serial);
963                 return 0;
964                 }
965         id = OCSP_cert_id_new(EVP_sha1(), iname, ikey, sno);
966         ASN1_INTEGER_free(sno);
967         if(!id || !sk_OCSP_CERTID_push(ids, id)) goto err;
968         if(!OCSP_request_add0_id(*req, id)) goto err;
969         return 1;
970
971         err:
972         BIO_printf(bio_err, "Error Creating OCSP request\n");
973         return 0;
974         }
975
976 static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
977                                         STACK *names, STACK_OF(OCSP_CERTID) *ids,
978                                         long nsec, long maxage)
979         {
980         OCSP_CERTID *id;
981         char *name;
982         int i;
983
984         int status, reason;
985
986         ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
987
988         if (!bs || !req || !sk_num(names) || !sk_OCSP_CERTID_num(ids))
989                 return 1;
990
991         for (i = 0; i < sk_OCSP_CERTID_num(ids); i++)
992                 {
993                 id = sk_OCSP_CERTID_value(ids, i);
994                 name = sk_value(names, i);
995                 BIO_printf(out, "%s: ", name);
996
997                 if(!OCSP_resp_find_status(bs, id, &status, &reason,
998                                         &rev, &thisupd, &nextupd))
999                         {
1000                         BIO_puts(out, "ERROR: No Status found.\n");
1001                         continue;
1002                         }
1003
1004                 /* Check validity: if invalid write to output BIO so we
1005                  * know which response this refers to.
1006                  */
1007                 if (!OCSP_check_validity(thisupd, nextupd, nsec, maxage))
1008                         {
1009                         BIO_puts(out, "WARNING: Status times invalid.\n");
1010                         ERR_print_errors(out);
1011                         }
1012                 BIO_printf(out, "%s\n", OCSP_cert_status_str(status));
1013
1014                 BIO_puts(out, "\tThis Update: ");
1015                 ASN1_GENERALIZEDTIME_print(out, thisupd);
1016                 BIO_puts(out, "\n");
1017
1018                 if(nextupd)
1019                         {
1020                         BIO_puts(out, "\tNext Update: ");
1021                         ASN1_GENERALIZEDTIME_print(out, nextupd);
1022                         BIO_puts(out, "\n");
1023                         }
1024
1025                 if (status != V_OCSP_CERTSTATUS_REVOKED)
1026                         continue;
1027
1028                 if (reason != -1)
1029                         BIO_printf(out, "\tReason: %s\n",
1030                                 OCSP_crl_reason_str(reason));
1031
1032                 BIO_puts(out, "\tRevocation Time: ");
1033                 ASN1_GENERALIZEDTIME_print(out, rev);
1034                 BIO_puts(out, "\n");
1035                 }
1036
1037         return 1;
1038         }
1039
1040
1041 static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db,
1042                         X509 *ca, X509 *rcert, EVP_PKEY *rkey,
1043                         STACK_OF(X509) *rother, unsigned long flags,
1044                         int nmin, int ndays)
1045         {
1046         ASN1_TIME *thisupd = NULL, *nextupd = NULL;
1047         OCSP_CERTID *cid, *ca_id = NULL;
1048         OCSP_BASICRESP *bs = NULL;
1049         int i, id_count, ret = 1;
1050
1051
1052         id_count = OCSP_request_onereq_count(req);
1053
1054         if (id_count <= 0)
1055                 {
1056                 *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, NULL);
1057                 goto end;
1058                 }
1059
1060         ca_id = OCSP_cert_to_id(EVP_sha1(), NULL, ca);
1061
1062         bs = OCSP_BASICRESP_new();
1063         thisupd = X509_gmtime_adj(NULL, 0);
1064         if (ndays != -1)
1065                 nextupd = X509_gmtime_adj(NULL, nmin * 60 + ndays * 3600 * 24 );
1066
1067         /* Examine each certificate id in the request */
1068         for (i = 0; i < id_count; i++)
1069                 {
1070                 OCSP_ONEREQ *one;
1071                 ASN1_INTEGER *serial;
1072                 char **inf;
1073                 one = OCSP_request_onereq_get0(req, i);
1074                 cid = OCSP_onereq_get0_id(one);
1075                 /* Is this request about our CA? */
1076                 if (OCSP_id_issuer_cmp(ca_id, cid))
1077                         {
1078                         OCSP_basic_add1_status(bs, cid,
1079                                                 V_OCSP_CERTSTATUS_UNKNOWN,
1080                                                 0, NULL,
1081                                                 thisupd, nextupd);
1082                         continue;
1083                         }
1084                 OCSP_id_get0_info(NULL, NULL, NULL, &serial, cid);
1085                 inf = lookup_serial(db, serial);
1086                 if (!inf)
1087                         OCSP_basic_add1_status(bs, cid,
1088                                                 V_OCSP_CERTSTATUS_UNKNOWN,
1089                                                 0, NULL,
1090                                                 thisupd, nextupd);
1091                 else if (inf[DB_type][0] == DB_TYPE_VAL)
1092                         OCSP_basic_add1_status(bs, cid,
1093                                                 V_OCSP_CERTSTATUS_GOOD,
1094                                                 0, NULL,
1095                                                 thisupd, nextupd);
1096                 else if (inf[DB_type][0] == DB_TYPE_REV)
1097                         {
1098                         ASN1_OBJECT *inst = NULL;
1099                         ASN1_TIME *revtm = NULL;
1100                         ASN1_GENERALIZEDTIME *invtm = NULL;
1101                         OCSP_SINGLERESP *single;
1102                         int reason = -1;
1103                         unpack_revinfo(&revtm, &reason, &inst, &invtm, inf[DB_rev_date]);
1104                         single = OCSP_basic_add1_status(bs, cid,
1105                                                 V_OCSP_CERTSTATUS_REVOKED,
1106                                                 reason, revtm,
1107                                                 thisupd, nextupd);
1108                         if (invtm)
1109                                 OCSP_SINGLERESP_add1_ext_i2d(single, NID_invalidity_date, invtm, 0, 0);
1110                         else if (inst)
1111                                 OCSP_SINGLERESP_add1_ext_i2d(single, NID_hold_instruction_code, inst, 0, 0);
1112                         ASN1_OBJECT_free(inst);
1113                         ASN1_TIME_free(revtm);
1114                         ASN1_GENERALIZEDTIME_free(invtm);
1115                         }
1116                 }
1117
1118         OCSP_copy_nonce(bs, req);
1119                 
1120         OCSP_basic_sign(bs, rcert, rkey, EVP_sha1(), rother, flags);
1121
1122         *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_SUCCESSFUL, bs);
1123
1124         end:
1125         ASN1_TIME_free(thisupd);
1126         ASN1_TIME_free(nextupd);
1127         OCSP_CERTID_free(ca_id);
1128         OCSP_BASICRESP_free(bs);
1129         return ret;
1130
1131         }
1132
1133 static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser)
1134         {
1135         int i;
1136         BIGNUM *bn = NULL;
1137         char *itmp, *row[DB_NUMBER],**rrow;
1138         for (i = 0; i < DB_NUMBER; i++) row[i] = NULL;
1139         bn = ASN1_INTEGER_to_BN(ser,NULL);
1140         if (BN_is_zero(bn))
1141                 itmp = BUF_strdup("00");
1142         else
1143                 itmp = BN_bn2hex(bn);
1144         row[DB_serial] = itmp;
1145         BN_free(bn);
1146         rrow=TXT_DB_get_by_index(db->db,DB_serial,row);
1147         OPENSSL_free(itmp);
1148         return rrow;
1149         }
1150
1151 /* Quick and dirty OCSP server: read in and parse input request */
1152
1153 static BIO *init_responder(char *port)
1154         {
1155         BIO *acbio = NULL, *bufbio = NULL;
1156         bufbio = BIO_new(BIO_f_buffer());
1157         if (!bufbio) 
1158                 goto err;
1159 #ifndef OPENSSL_NO_SOCK
1160         acbio = BIO_new_accept(port);
1161 #else
1162         BIO_printf(bio_err, "Error setting up accept BIO - sockets not supported.\n");
1163 #endif
1164         if (!acbio)
1165                 goto err;
1166         BIO_set_accept_bios(acbio, bufbio);
1167         bufbio = NULL;
1168
1169         if (BIO_do_accept(acbio) <= 0)
1170                 {
1171                         BIO_printf(bio_err, "Error setting up accept BIO\n");
1172                         ERR_print_errors(bio_err);
1173                         goto err;
1174                 }
1175
1176         return acbio;
1177
1178         err:
1179         BIO_free_all(acbio);
1180         BIO_free(bufbio);
1181         return NULL;
1182         }
1183
1184 static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, char *port)
1185         {
1186         int have_post = 0, len;
1187         OCSP_REQUEST *req = NULL;
1188         char inbuf[1024];
1189         BIO *cbio = NULL;
1190
1191         if (BIO_do_accept(acbio) <= 0)
1192                 {
1193                         BIO_printf(bio_err, "Error accepting connection\n");
1194                         ERR_print_errors(bio_err);
1195                         return 0;
1196                 }
1197
1198         cbio = BIO_pop(acbio);
1199         *pcbio = cbio;
1200
1201         for(;;)
1202                 {
1203                 len = BIO_gets(cbio, inbuf, sizeof inbuf);
1204                 if (len <= 0)
1205                         return 1;
1206                 /* Look for "POST" signalling start of query */
1207                 if (!have_post)
1208                         {
1209                         if(strncmp(inbuf, "POST", 4))
1210                                 {
1211                                 BIO_printf(bio_err, "Invalid request\n");
1212                                 return 1;
1213                                 }
1214                         have_post = 1;
1215                         }
1216                 /* Look for end of headers */
1217                 if ((inbuf[0] == '\r') || (inbuf[0] == '\n'))
1218                         break;
1219                 }
1220
1221         /* Try to read OCSP request */
1222
1223         req = d2i_OCSP_REQUEST_bio(cbio, NULL);
1224
1225         if (!req)
1226                 {
1227                 BIO_printf(bio_err, "Error parsing OCSP request\n");
1228                 ERR_print_errors(bio_err);
1229                 }
1230
1231         *preq = req;
1232
1233         return 1;
1234
1235         }
1236
1237 static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp)
1238         {
1239         char http_resp[] = 
1240                 "HTTP/1.0 200 OK\r\nContent-type: application/ocsp-response\r\n"
1241                 "Content-Length: %d\r\n\r\n";
1242         if (!cbio)
1243                 return 0;
1244         BIO_printf(cbio, http_resp, i2d_OCSP_RESPONSE(resp, NULL));
1245         i2d_OCSP_RESPONSE_bio(cbio, resp);
1246         BIO_flush(cbio);
1247         return 1;
1248         }
1249
1250 static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path,
1251                                 OCSP_REQUEST *req, int req_timeout)
1252         {
1253         int fd;
1254         int rv;
1255         OCSP_REQ_CTX *ctx = NULL;
1256         OCSP_RESPONSE *rsp = NULL;
1257         fd_set confds;
1258         struct timeval tv;
1259
1260         if (req_timeout != -1)
1261                 BIO_set_nbio(cbio, 1);
1262
1263         rv = BIO_do_connect(cbio);
1264
1265         if ((rv <= 0) && ((req_timeout == -1) || !BIO_should_retry(cbio)))
1266                 {
1267                 BIO_puts(err, "Error connecting BIO\n");
1268                 return NULL;
1269                 }
1270
1271         if (req_timeout == -1)
1272                 return OCSP_sendreq_bio(cbio, path, req);
1273
1274         if (BIO_get_fd(cbio, &fd) <= 0)
1275                 {
1276                 BIO_puts(err, "Can't get connection fd\n");
1277                 goto err;
1278                 }
1279
1280         if (rv <= 0)
1281                 {
1282                 FD_ZERO(&confds);
1283                 openssl_fdset(fd, &confds);
1284                 tv.tv_usec = 0;
1285                 tv.tv_sec = req_timeout;
1286                 rv = select(fd + 1, NULL, (void *)&confds, NULL, &tv);
1287                 if (rv == 0)
1288                         {
1289                         BIO_puts(err, "Timeout on connect\n");
1290                         return NULL;
1291                         }
1292                 }
1293
1294
1295         ctx = OCSP_sendreq_new(cbio, path, req, -1);
1296         if (!ctx)
1297                 return NULL;
1298         
1299         for (;;)
1300                 {
1301                 rv = OCSP_sendreq_nbio(&rsp, ctx);
1302                 if (rv != -1)
1303                         break;
1304                 FD_ZERO(&confds);
1305                 openssl_fdset(fd, &confds);
1306                 tv.tv_usec = 0;
1307                 tv.tv_sec = req_timeout;
1308                 if (BIO_should_read(cbio))
1309                         rv = select(fd + 1, (void *)&confds, NULL, NULL, &tv);
1310                 else if (BIO_should_write(cbio))
1311                         rv = select(fd + 1, NULL, (void *)&confds, NULL, &tv);
1312                 else
1313                         {
1314                         BIO_puts(err, "Unexpected retry condition\n");
1315                         goto err;
1316                         }
1317                 if (rv == 0)
1318                         {
1319                         BIO_puts(err, "Timeout on request\n");
1320                         break;
1321                         }
1322                 if (rv == -1)
1323                         {
1324                         BIO_puts(err, "Select error\n");
1325                         break;
1326                         }
1327                         
1328                 }
1329         err:
1330
1331         OCSP_REQ_CTX_free(ctx);
1332
1333         return rsp;
1334         }
1335
1336 #endif