add -badsig option to ocsp utility too.

[openssl.git] / apps / ocsp.c
diff --git a/apps/ocsp.c b/apps/ocsp.c

index c436c8b6f390ed174a53e5dd6c5ca6e1e383dfc1..16aa23b6f6cc078adc413bb53e9656a3f33115cb 100644 (file)
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -1,5 +1,5 @@
  /* ocsp.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
   * project 2000.
   */
  /* ====================================================================
@@ -57,14 +57,25 @@
   */
  #ifndef OPENSSL_NO_OCSP
  
+#ifdef OPENSSL_SYS_VMS
+#define _XOPEN_SOURCE_EXTENDED /* So fd_set and friends get properly defined
+                                  on OpenVMS */
+#endif
+
+#define USE_SOCKETS
+
  #include <stdio.h>
  #include <stdlib.h>
  #include <string.h>
  #include <time.h>
  #include "apps.h" /* needs to be included before the openssl headers! */
  #include <openssl/e_os2.h>
+#include <openssl/crypto.h>
+#include <openssl/err.h>
  #include <openssl/ssl.h>
  #include <openssl/evp.h>
+#include <openssl/bn.h>
+#include <openssl/x509v3.h>
  
  #if defined(NETWARE_CLIB)
  #  ifdef NETWARE_BSDSOCK
@@ -89,19 +100,21 @@ static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, const EVP_MD *cert_id_m
  static int add_ocsp_serial(OCSP_REQUEST **req, char *serial, const EVP_MD * cert_id_md, X509 *issuer,
                                 STACK_OF(OCSP_CERTID) *ids);
  static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
-                               STACK *names, STACK_OF(OCSP_CERTID) *ids,
-                               long nsec, long maxage);
+                             STACK_OF(OPENSSL_STRING) *names,
+                             STACK_OF(OCSP_CERTID) *ids, long nsec,
+                             long maxage);
  
  static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db,
                         X509 *ca, X509 *rcert, EVP_PKEY *rkey,
                         STACK_OF(X509) *rother, unsigned long flags,
-                       int nmin, int ndays);
+                       int nmin, int ndays, int badsig);
  
  static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser);
  static BIO *init_responder(char *port);
  static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, char *port);
  static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp);
  static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path,
+                               STACK_OF(CONF_VALUE) *headers,
                                 OCSP_REQUEST *req, int req_timeout);
  
  #undef PROG
@@ -120,6 +133,7 @@ int MAIN(int argc, char **argv)
         char *rsignfile = NULL, *rkeyfile = NULL;
         char *outfile = NULL;
         int add_nonce = 1, noverify = 0, use_ssl = -1;
+       STACK_OF(CONF_VALUE) *headers = NULL;
         OCSP_REQUEST *req = NULL;
         OCSP_RESPONSE *resp = NULL;
         OCSP_BASICRESP *bs = NULL;
@@ -140,9 +154,10 @@ int MAIN(int argc, char **argv)
         int ret = 1;
         int accept_count = -1;
         int badarg = 0;
+       int badsig = 0;
         int i;
         int ignore_err = 0;
-       STACK *reqnames = NULL;
+       STACK_OF(OPENSSL_STRING) *reqnames = NULL;
         STACK_OF(OCSP_CERTID) *ids = NULL;
  
         X509 *rca_cert = NULL;
@@ -159,7 +174,7 @@ int MAIN(int argc, char **argv)
         SSL_load_error_strings();
         OpenSSL_add_ssl_algorithms();
         args = argv + 1;
-       reqnames = sk_new_null();
+       reqnames = sk_OPENSSL_STRING_new_null();
         ids = sk_OCSP_CERTID_new_null();
         while (!badarg && *args && *args[0] == '-')
                 {
@@ -219,6 +234,16 @@ int MAIN(int argc, char **argv)
                                 }
                         else badarg = 1;
                         }
+               else if (!strcmp(*args, "-header"))
+                       {
+                       if (args[1] && args[2])
+                               {
+                               if (!X509V3_add_value(args[1], args[2], &headers))
+                                       goto end;
+                               args += 2;
+                               }
+                       else badarg = 1;
+                       }
                 else if (!strcmp(*args, "-ignore_err"))
                         ignore_err = 1;
                 else if (!strcmp(*args, "-noverify"))
@@ -247,6 +272,8 @@ int MAIN(int argc, char **argv)
                         verify_flags |= OCSP_TRUSTOTHER;
                 else if (!strcmp(*args, "-no_intern"))
                         verify_flags |= OCSP_NOINTERN;
+               else if (!strcmp(*args, "-badsig"))
+                       badsig = 1;
                 else if (!strcmp(*args, "-text"))
                         {
                         req_text = 1;
@@ -421,7 +448,7 @@ int MAIN(int argc, char **argv)
                                 if (!cert_id_md) cert_id_md = EVP_sha1();
                                 if(!add_ocsp_cert(&req, cert, cert_id_md, issuer, ids))
                                         goto end;
-                               if(!sk_push(reqnames, *args))
+                               if(!sk_OPENSSL_STRING_push(reqnames, *args))
                                         goto end;
                                 }
                         else badarg = 1;
@@ -434,7 +461,7 @@ int MAIN(int argc, char **argv)
                                 if (!cert_id_md) cert_id_md = EVP_sha1();
                                 if(!add_ocsp_serial(&req, *args, cert_id_md, issuer, ids))
                                         goto end;
-                               if(!sk_push(reqnames, *args))
+                               if(!sk_OPENSSL_STRING_push(reqnames, *args))
                                         goto end;
                                 }
                         else badarg = 1;
@@ -737,7 +764,7 @@ int MAIN(int argc, char **argv)
  
         if (rdb)
                 {
-               i = make_ocsp_response(&resp, req, rdb, rca_cert, rsigner, rkey, rother, rflags, nmin, ndays);
+               i = make_ocsp_response(&resp, req, rdb, rca_cert, rsigner, rkey, rother, rflags, nmin, ndays, badsig);
                 if (cbio)
                         send_ocsp_response(cbio, resp);
                 }
@@ -745,7 +772,7 @@ int MAIN(int argc, char **argv)
                 {
  #ifndef OPENSSL_NO_SOCK
                 resp = process_responder(bio_err, req, host, path,
-                                               port, use_ssl, req_timeout);
+                                       port, use_ssl, headers, req_timeout);
                 if (!resp)
                         goto end;
  #else
@@ -842,6 +869,8 @@ int MAIN(int argc, char **argv)
                 goto end;
                 }
  
+       ret = 0;
+
         if (!noverify)
                 {
                 if (req && ((i = OCSP_check_nonce(req, bs)) <= 0))
@@ -851,17 +880,17 @@ int MAIN(int argc, char **argv)
                         else
                                 {
                                 BIO_printf(bio_err, "Nonce Verify error\n");
+                               ret = 1;
                                 goto end;
                                 }
                         }
  
                 i = OCSP_basic_verify(bs, verify_other, store, verify_flags);
-                if (i < 0) i = OCSP_basic_verify(bs, NULL, store, 0);
-
                 if(i <= 0)
                         {
                         BIO_printf(bio_err, "Response Verify Failure\n");
                         ERR_print_errors(bio_err);
+                       ret = 1;
                         }
                 else
                         BIO_printf(bio_err, "Response verify OK\n");
@@ -869,9 +898,7 @@ int MAIN(int argc, char **argv)
                 }
  
         if (!print_ocsp_summary(out, bs, req, reqnames, ids, nsec, maxage))
-               goto end;
-
-       ret = 0;
+               ret = 1;
  
  end:
         ERR_print_errors(bio_err);
@@ -890,10 +917,11 @@ end:
         OCSP_REQUEST_free(req);
         OCSP_RESPONSE_free(resp);
         OCSP_BASICRESP_free(bs);
-       sk_free(reqnames);
+       sk_OPENSSL_STRING_free(reqnames);
         sk_OCSP_CERTID_free(ids);
         sk_X509_pop_free(sign_other, X509_free);
         sk_X509_pop_free(verify_other, X509_free);
+       sk_CONF_VALUE_pop_free(headers, X509V3_conf_free);
  
         if (use_ssl != -1)
                 {
@@ -960,8 +988,9 @@ static int add_ocsp_serial(OCSP_REQUEST **req, char *serial,const EVP_MD *cert_i
         }
  
  static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
-                                       STACK *names, STACK_OF(OCSP_CERTID) *ids,
-                                       long nsec, long maxage)
+                             STACK_OF(OPENSSL_STRING) *names,
+                             STACK_OF(OCSP_CERTID) *ids, long nsec,
+                             long maxage)
         {
         OCSP_CERTID *id;
         char *name;
@@ -971,13 +1000,13 @@ static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
  
         ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
  
-       if (!bs || !req || !sk_num(names) || !sk_OCSP_CERTID_num(ids))
+       if (!bs || !req || !sk_OPENSSL_STRING_num(names) || !sk_OCSP_CERTID_num(ids))
                 return 1;
  
         for (i = 0; i < sk_OCSP_CERTID_num(ids); i++)
                 {
                 id = sk_OCSP_CERTID_value(ids, i);
-               name = sk_value(names, i);
+               name = sk_OPENSSL_STRING_value(names, i);
                 BIO_printf(out, "%s: ", name);
  
                 if(!OCSP_resp_find_status(bs, id, &status, &reason,
@@ -1027,7 +1056,7 @@ static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
  static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db,
                         X509 *ca, X509 *rcert, EVP_PKEY *rkey,
                         STACK_OF(X509) *rother, unsigned long flags,
-                       int nmin, int ndays)
+                       int nmin, int ndays, int badsig)
         {
         ASN1_TIME *thisupd = NULL, *nextupd = NULL;
         OCSP_CERTID *cid, *ca_id = NULL;
@@ -1118,6 +1147,9 @@ static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db
         
         OCSP_basic_sign(bs, rcert, rkey, NULL, rother, flags);
  
+       if (badsig)
+               bs->signature->data[bs->signature->length -1] ^= 0x1;
+
         *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_SUCCESSFUL, bs);
  
         end:
@@ -1248,10 +1280,12 @@ static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp)
         }
  
  static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path,
+                               STACK_OF(CONF_VALUE) *headers,
                                 OCSP_REQUEST *req, int req_timeout)
         {
         int fd;
         int rv;
+       int i;
         OCSP_REQ_CTX *ctx = NULL;
         OCSP_RESPONSE *rsp = NULL;
         fd_set confds;
@@ -1268,16 +1302,13 @@ static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path,
                 return NULL;
                 }
  
-       if (req_timeout == -1)
-               return OCSP_sendreq_bio(cbio, path, req);
-
         if (BIO_get_fd(cbio, &fd) <= 0)
                 {
                 BIO_puts(err, "Can't get connection fd\n");
                 goto err;
                 }
  
-       if (rv <= 0)
+       if (req_timeout != -1 && rv <= 0)
                 {
                 FD_ZERO(&confds);
                 openssl_fdset(fd, &confds);
@@ -1292,15 +1323,27 @@ static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path,
                 }
  
  
-       ctx = OCSP_sendreq_new(cbio, path, req, -1);
+       ctx = OCSP_sendreq_new(cbio, path, NULL, -1);
         if (!ctx)
                 return NULL;
+
+       for (i = 0; i < sk_CONF_VALUE_num(headers); i++)
+               {
+               CONF_VALUE *hdr = sk_CONF_VALUE_value(headers, i);
+               if (!OCSP_REQ_CTX_add1_header(ctx, hdr->name, hdr->value))
+                       goto err;
+               }
+
+       if (!OCSP_REQ_CTX_set1_req(ctx, req))
+               goto err;
         
         for (;;)
                 {
                 rv = OCSP_sendreq_nbio(&rsp, ctx);
                 if (rv != -1)
                         break;
+               if (req_timeout == -1)
+                       continue;
                 FD_ZERO(&confds);
                 openssl_fdset(fd, &confds);
                 tv.tv_usec = 0;
@@ -1324,7 +1367,7 @@ static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path,
                         BIO_puts(err, "Select error\n");
                         break;
                         }
-                       
+
                 }
         err:
         if (ctx)
@@ -1335,6 +1378,7 @@ static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path,
  
  OCSP_RESPONSE *process_responder(BIO *err, OCSP_REQUEST *req,
                         char *host, char *path, char *port, int use_ssl,
+                       STACK_OF(CONF_VALUE) *headers,
                         int req_timeout)
         {
         BIO *cbio = NULL;
@@ -1369,14 +1413,14 @@ OCSP_RESPONSE *process_responder(BIO *err, OCSP_REQUEST *req,
                 sbio = BIO_new_ssl(ctx, 1);
                 cbio = BIO_push(sbio, cbio);
                 }
-       resp = query_responder(err, cbio, path, req, req_timeout);
+       resp = query_responder(err, cbio, path, headers, req, req_timeout);
         if (!resp)
                 BIO_printf(bio_err, "Error querying OCSP responsder\n");
         end:
-       if (ctx)
-               SSL_CTX_free(ctx);
         if (cbio)
                 BIO_free_all(cbio);
+       if (ctx)
+               SSL_CTX_free(ctx);
         return resp;
         }