Add -rsigopt option to ocsp command

                              STACK_OF(OPENSSL_STRING) *names,

                              STACK_OF(OCSP_CERTID) *ids, long nsec,

                              long maxage);

static void make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req,

static void make_ocsp_response(BIO *err, OCSP_RESPONSE **resp, OCSP_REQUEST *req,

                              CA_DB *db, STACK_OF(X509) *ca, X509 *rcert,

                              EVP_PKEY *rkey, const EVP_MD *md,

                              STACK_OF(OPENSSL_STRING) *sigopts,

                              STACK_OF(X509) *rother, unsigned long flags,

                              int nmin, int ndays, int badsig);

    OPT_VALIDITY_PERIOD, OPT_STATUS_AGE, OPT_SIGNKEY, OPT_REQOUT,

    OPT_RESPOUT, OPT_PATH, OPT_ISSUER, OPT_CERT, OPT_SERIAL,

    OPT_INDEX, OPT_CA, OPT_NMIN, OPT_REQUEST, OPT_NDAYS, OPT_RSIGNER,

    OPT_RKEY, OPT_ROTHER, OPT_RMD, OPT_HEADER,

    OPT_RKEY, OPT_ROTHER, OPT_RMD, OPT_SIGOPT, OPT_HEADER,

    OPT_V_ENUM,

    OPT_MD

} OPTION_CHOICE;

    {"rkey", OPT_RKEY, '<', "Responder key to sign responses with"},

    {"rother", OPT_ROTHER, '<', "Other certificates to include in response"},

    {"rmd", OPT_RMD, 's', "Digest Algorithm to use in signature of OCSP response"},

    {"rsigopt", OPT_SIGOPT, 's', "OCSP response signature parameter in n:v form"},

    {"header", OPT_HEADER, 's', "key=value header to add"},

    {"", OPT_MD, '-', "Any supported digest algorithm (sha1,sha256, ... )"},

    OPT_V_OPTIONS,

{

    BIO *acbio = NULL, *cbio = NULL, *derbio = NULL, *out = NULL;

    const EVP_MD *cert_id_md = NULL, *rsign_md = NULL;

    STACK_OF(OPENSSL_STRING) *rsign_sigopts = NULL;

    int trailing_md = 0;

    CA_DB *rdb = NULL;

    EVP_PKEY *key = NULL, *rkey = NULL;

            if (!opt_md(opt_arg(), &rsign_md))

                goto end;

            break;

        case OPT_SIGOPT:

            if (rsign_sigopts == NULL)

                rsign_sigopts = sk_OPENSSL_STRING_new_null();

            if (rsign_sigopts == NULL || !sk_OPENSSL_STRING_push(rsign_sigopts, opt_arg()))

                goto end;

            break;

        case OPT_HEADER:

            header = opt_arg();

            value = strchr(header, '=');

    }

    if (rdb != NULL) {

        make_ocsp_response(&resp, req, rdb, rca_cert, rsigner, rkey,

                               rsign_md, rother, rflags, nmin, ndays, badsig);

        make_ocsp_response(bio_err, &resp, req, rdb, rca_cert, rsigner, rkey,

                               rsign_md, rsign_sigopts, rother, rflags, nmin, ndays, badsig);

        if (cbio != NULL)

            send_ocsp_response(cbio, resp);

    } else if (host != NULL) {

    X509_free(signer);

    X509_STORE_free(store);

    X509_VERIFY_PARAM_free(vpm);

    if (rsign_sigopts != NULL)

        sk_OPENSSL_STRING_free(rsign_sigopts);

    EVP_PKEY_free(key);

    EVP_PKEY_free(rkey);

    X509_free(cert);

    }

}

static void make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req,

static void make_ocsp_response(BIO *err, OCSP_RESPONSE **resp, OCSP_REQUEST *req,

                              CA_DB *db, STACK_OF(X509) *ca, X509 *rcert,

                              EVP_PKEY *rkey, const EVP_MD *rmd,

                              STACK_OF(OPENSSL_STRING) *sigopts,

                              STACK_OF(X509) *rother, unsigned long flags,

                              int nmin, int ndays, int badsig)

{

    OCSP_CERTID *cid;

    OCSP_BASICRESP *bs = NULL;

    int i, id_count;

    EVP_MD_CTX *mctx = NULL;

    EVP_PKEY_CTX *pkctx = NULL;

    id_count = OCSP_request_onereq_count(req);

    OCSP_copy_nonce(bs, req);

    OCSP_basic_sign(bs, rcert, rkey, rmd, rother, flags);

    mctx = EVP_MD_CTX_new();

    if ( mctx == NULL || !EVP_DigestSignInit(mctx, &pkctx, rmd, NULL, rkey)) {

        *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_INTERNALERROR, NULL);

        goto end;

    }

    for (i = 0; i < sk_OPENSSL_STRING_num(sigopts); i++) {

        char *sigopt = sk_OPENSSL_STRING_value(sigopts, i);

        if (pkey_ctrl_string(pkctx, sigopt) <= 0) {

            BIO_printf(err, "parameter error \"%s\"\n", sigopt);

            ERR_print_errors(bio_err);

            *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_INTERNALERROR,

                                         NULL);

            goto end;

        }

    }

    OCSP_basic_sign_ctx(bs, rcert, mctx, rother, flags);

    if (badsig) {

        const ASN1_OCTET_STRING *sig = OCSP_resp_get0_signature(bs);

    *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_SUCCESSFUL, bs);

 end:

    if (mctx != NULL)

        EVP_MD_CTX_free(mctx);

    ASN1_TIME_free(thisupd);

    ASN1_TIME_free(nextupd);

    OCSP_BASICRESP_free(bs);

    {ERR_PACK(ERR_LIB_OCSP, OCSP_F_OCSP_BASIC_ADD1_STATUS, 0),

     "OCSP_basic_add1_status"},

    {ERR_PACK(ERR_LIB_OCSP, OCSP_F_OCSP_BASIC_SIGN, 0), "OCSP_basic_sign"},

    {ERR_PACK(ERR_LIB_OCSP, OCSP_F_OCSP_BASIC_SIGN_CTX, 0), "OCSP_basic_sign_ctx"},

    {ERR_PACK(ERR_LIB_OCSP, OCSP_F_OCSP_BASIC_VERIFY, 0), "OCSP_basic_verify"},

    {ERR_PACK(ERR_LIB_OCSP, OCSP_F_OCSP_CERT_ID_NEW, 0), "OCSP_cert_id_new"},

    {ERR_PACK(ERR_LIB_OCSP, OCSP_F_OCSP_CHECK_DELEGATED, 0),

        ASN1_item_sign(ASN1_ITEM_rptr(OCSP_RESPDATA),&(o)->signatureAlgorithm,\

                NULL,(o)->signature,&(o)->tbsResponseData,pkey,md)

#  define OCSP_BASICRESP_sign_ctx(o,ctx,d) \

        ASN1_item_sign_ctx(ASN1_ITEM_rptr(OCSP_RESPDATA),&(o)->signatureAlgorithm,\

                NULL,(o)->signature,&(o)->tbsResponseData,ctx)

#  define OCSP_REQUEST_verify(a,r) ASN1_item_verify(ASN1_ITEM_rptr(OCSP_REQINFO),\

        &(a)->optionalSignature->signatureAlgorithm,\

        (a)->optionalSignature->signature,&(a)->tbsRequest,r)

    return 1;

}

int OCSP_basic_sign(OCSP_BASICRESP *brsp,

                    X509 *signer, EVP_PKEY *key, const EVP_MD *dgst,

int OCSP_basic_sign_ctx(OCSP_BASICRESP *brsp,

                    X509 *signer, EVP_MD_CTX *ctx,

                    STACK_OF(X509) *certs, unsigned long flags)

{

    int i;

    OCSP_RESPID *rid;

    if (!X509_check_private_key(signer, key)) {

        OCSPerr(OCSP_F_OCSP_BASIC_SIGN,

    if (!ctx || !EVP_MD_CTX_pkey_ctx(ctx) || !EVP_PKEY_CTX_get0_pkey(EVP_MD_CTX_pkey_ctx(ctx)) ||

        !X509_check_private_key(signer, EVP_PKEY_CTX_get0_pkey(EVP_MD_CTX_pkey_ctx(ctx)))) {

        OCSPerr(OCSP_F_OCSP_BASIC_SIGN_CTX,

                OCSP_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);

        goto err;

    }

     * -- Richard Levitte

     */

    if (!OCSP_BASICRESP_sign(brsp, key, dgst, 0))

    if (!OCSP_BASICRESP_sign_ctx(brsp, ctx, 0))

        goto err;

    return 1;

    return 0;

}

int OCSP_basic_sign(OCSP_BASICRESP *brsp,

                    X509 *signer, EVP_PKEY *key, const EVP_MD *dgst,

                    STACK_OF(X509) *certs, unsigned long flags)

{

    EVP_MD_CTX *ctx = EVP_MD_CTX_new();

    EVP_PKEY_CTX *pkctx = NULL;

    int i;

    if (!EVP_DigestSignInit(ctx, &pkctx, dgst, NULL, key)) {

        EVP_MD_CTX_free(ctx);

        return 1;

    }

    i = OCSP_basic_sign_ctx(brsp, signer, ctx, certs, flags);

    EVP_MD_CTX_free(ctx);

    return i;

}

int OCSP_RESPID_set_by_name(OCSP_RESPID *respid, X509 *cert)

{

    if (!X509_NAME_set(&respid->value.byName, X509_get_subject_name(cert)))

int OCSP_basic_sign(OCSP_BASICRESP *brsp,

                    X509 *signer, EVP_PKEY *key, const EVP_MD *dgst,

                    STACK_OF(X509) *certs, unsigned long flags);

int OCSP_basic_sign_ctx(OCSP_BASICRESP *brsp,

                        X509 *signer, EVP_MD_CTX *ctx,

                        STACK_OF(X509) *certs, unsigned long flags);

int OCSP_RESPID_set_by_name(OCSP_RESPID *respid, X509 *cert);

int OCSP_RESPID_set_by_key(OCSP_RESPID *respid, X509 *cert);

int OCSP_RESPID_match(OCSP_RESPID *respid, X509 *cert);