From 11e2957d5f4208dc9e1929a4957f2cde79a94718 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Fri, 14 Dec 2012 23:28:19 +0000 Subject: [PATCH] apps/ocsp.c --- apps/ocsp.c | 31 +++++++++++++++++++++++++++---- demos/certs/ca.cnf | 3 +++ demos/certs/mkcerts.sh | 2 +- 3 files changed, 31 insertions(+), 5 deletions(-) diff --git a/apps/ocsp.c b/apps/ocsp.c index 16aa23b6f6..f5e37a6358 100644 --- a/apps/ocsp.c +++ b/apps/ocsp.c @@ -148,6 +148,7 @@ int MAIN(int argc, char **argv) long nsec = MAX_VALIDITY_PERIOD, maxage = -1; char *CAfile = NULL, *CApath = NULL; X509_STORE *store = NULL; + X509_VERIFY_PARAM *vpm = NULL; STACK_OF(X509) *sign_other = NULL, *verify_other = NULL, *rother = NULL; char *sign_certfile = NULL, *verify_certfile = NULL, *rcertfile = NULL; unsigned long sign_flags = 0, verify_flags = 0, rflags = 0; @@ -356,6 +357,12 @@ int MAIN(int argc, char **argv) } else badarg = 1; } + else if (args_verify(&args, NULL, &badarg, bio_err, &vpm)) + { + if (badarg) + goto end; + continue; + } else if (!strcmp (*args, "-validity_period")) { if (args[1]) @@ -637,7 +644,10 @@ int MAIN(int argc, char **argv) if (!req && reqin) { - derbio = BIO_new_file(reqin, "rb"); + if (!strcmp(reqin, "-")) + derbio = BIO_new_fp(stdin, BIO_NOCLOSE); + else + derbio = BIO_new_file(reqin, "rb"); if (!derbio) { BIO_printf(bio_err, "Error Opening OCSP request file\n"); @@ -739,7 +749,10 @@ int MAIN(int argc, char **argv) if (reqout) { - derbio = BIO_new_file(reqout, "wb"); + if (!strcmp(respout, "-")) + derbio = BIO_new_fp(stdout, BIO_NOCLOSE); + else + derbio = BIO_new_file(reqout, "wb"); if(!derbio) { BIO_printf(bio_err, "Error opening file %s\n", reqout); @@ -782,7 +795,10 @@ int MAIN(int argc, char **argv) } else if (respin) { - derbio = BIO_new_file(respin, "rb"); + if (!strcmp(respin, "-")) + derbio = BIO_new_fp(stdin, BIO_NOCLOSE); + else + derbio = BIO_new_file(respin, "rb"); if (!derbio) { BIO_printf(bio_err, "Error Opening OCSP response file\n"); @@ -807,7 +823,10 @@ int MAIN(int argc, char **argv) if (respout) { - derbio = BIO_new_file(respout, "wb"); + if (!strcmp(respout, "-")) + derbio = BIO_new_fp(stdout, BIO_NOCLOSE); + else + derbio = BIO_new_file(respout, "wb"); if(!derbio) { BIO_printf(bio_err, "Error opening file %s\n", respout); @@ -854,6 +873,8 @@ int MAIN(int argc, char **argv) store = setup_verify(bio_err, CAfile, CApath); if (!store) goto end; + if (vpm) + X509_STORE_set1_param(store, vpm); if (verify_certfile) { verify_other = load_certs(bio_err, verify_certfile, FORMAT_PEM, @@ -904,6 +925,8 @@ end: ERR_print_errors(bio_err); X509_free(signer); X509_STORE_free(store); + if (vpm) + X509_VERIFY_PARAM_free(vpm); EVP_PKEY_free(key); EVP_PKEY_free(rkey); X509_free(issuer); diff --git a/demos/certs/ca.cnf b/demos/certs/ca.cnf index c45fcfd61e..ddf440bcc8 100644 --- a/demos/certs/ca.cnf +++ b/demos/certs/ca.cnf @@ -35,6 +35,7 @@ commonName = $ENV::CN basicConstraints=critical, CA:FALSE keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment +subjectAltName=DNS:crl.host.com # This will be displayed in Netscape's comment listbox. nsComment = "OpenSSL Generated Certificate" @@ -42,12 +43,14 @@ nsComment = "OpenSSL Generated Certificate" # PKIX recommendations harmless if included in all certificates. subjectKeyIdentifier=hash authorityKeyIdentifier=keyid +authorityInfoAccess = OCSP;URI:http://ocsp.host.com:8080/cgi-bin/prinenv/some/ocsp/path # OCSP responder certificate [ ocsp_cert ] basicConstraints=critical, CA:FALSE keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment + # This will be displayed in Netscape's comment listbox. nsComment = "OpenSSL Generated Certificate" diff --git a/demos/certs/mkcerts.sh b/demos/certs/mkcerts.sh index 18daa6bcfb..d0fdeac72e 100644 --- a/demos/certs/mkcerts.sh +++ b/demos/certs/mkcerts.sh @@ -15,7 +15,7 @@ $OPENSSL x509 -req -in intreq.pem -CA root.pem -days 3600 \ -extfile ca.cnf -extensions v3_ca -CAcreateserial -out intca.pem # Server certificate: create request first -CN="Test Server Cert" $OPENSSL req -config ca.cnf -nodes \ +CN="crl.host.com" $OPENSSL req -config ca.cnf -nodes \ -keyout skey.pem -out req.pem -newkey rsa:1024 # Sign request: end entity extensions $OPENSSL x509 -req -in req.pem -CA intca.pem -CAkey intkey.pem -days 3600 \ -- 2.34.1