Correctly check for trailing digest options. (6302bbd2) · Commits · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

apps/ocsp.c

+11 −1

Original line number	Diff line number	Diff line
		@@ -228,6 +228,7 @@ int ocsp_main(int argc, char **argv)
		{
		BIO acbio = NULL, cbio = NULL, derbio = NULL, out = NULL;
		const EVP_MD cert_id_md = NULL, rsign_md = NULL;
		int trailing_md = 0;
		CA_DB *rdb = NULL;
		EVP_PKEY key = NULL, rkey = NULL;
		OCSP_BASICRESP *bs = NULL;
		@@ -439,6 +440,7 @@ int ocsp_main(int argc, char **argv)
		goto end;
		if (!sk_OPENSSL_STRING_push(reqnames, opt_arg()))
		goto end;
		trailing_md = 0;
		break;
		case OPT_SERIAL:
		if (cert_id_md == NULL)
		@@ -447,6 +449,7 @@ int ocsp_main(int argc, char **argv)
		goto end;
		if (!sk_OPENSSL_STRING_push(reqnames, opt_arg()))
		goto end;
		trailing_md = 0;
		break;
		case OPT_INDEX:
		ridx_filename = opt_arg();
		@@ -490,7 +493,7 @@ int ocsp_main(int argc, char **argv)
		goto end;
		break;
		case OPT_MD:
		if (cert_id_md != NULL) {
		if (trailing_md) {
		BIO_printf(bio_err,
		"%s: Digest must be before -cert or -serial\n",
		prog);
		@@ -498,9 +501,16 @@ int ocsp_main(int argc, char **argv)
		}
		if (!opt_md(opt_unknown(), &cert_id_md))
		goto opthelp;
		trailing_md = 1;
		break;
		}
		}

		if (trailing_md) {
		BIO_printf(bio_err, "%s: Digest must be before -cert or -serial\n",
		prog);
		goto opthelp;
		}
		argc = opt_num_rest();
		if (argc != 0)
		goto opthelp;

doc/apps/ocsp.pod

+16 −15

Original line number	Diff line number	Diff line
		@@ -266,24 +266,25 @@ only be used for testing purposes.
		=item B<-validity_period nsec>, B<-status_age age>

		these options specify the range of times, in seconds, which will be tolerated
		in an OCSP response. Each certificate status response includes a B<notBefore> time and
		an optional B<notAfter> time. The current time should fall between these two values, but
		the interval between the two times may be only a few seconds. In practice the OCSP
		responder and clients clocks may not be precisely synchronised and so such a check
		may fail. To avoid this the B<-validity_period> option can be used to specify an
		acceptable error range in seconds, the default value is 5 minutes.

		If the B<notAfter> time is omitted from a response then this means that new status
		information is immediately available. In this case the age of the B<notBefore> field
		is checked to see it is not older than B<age> seconds old. By default this additional
		check is not performed.
		in an OCSP response. Each certificate status response includes a B<notBefore>
		time and an optional B<notAfter> time. The current time should fall between
		these two values, but the interval between the two times may be only a few
		seconds. In practice the OCSP responder and clients clocks may not be precisely
		synchronised and so such a check may fail. To avoid this the
		B<-validity_period> option can be used to specify an acceptable error range in
		seconds, the default value is 5 minutes.

		If the B<notAfter> time is omitted from a response then this means that new
		status information is immediately available. In this case the age of the
		B<notBefore> field is checked to see it is not older than B<age> seconds old.
		By default this additional check is not performed.

		=item B<-[digest]>

		this option sets digest algorithm to use for certificate identification
		in the OCSP request.
		Any digest supported by the OpenSSL B<dgst> command can be used.
		The default is SHA-1.
		this option sets digest algorithm to use for certificate identification in the
		OCSP request. Any digest supported by the OpenSSL B<dgst> command can be used.
		The default is SHA-1. This option may be used multiple times to specify the
		digest used by subsequent certificate identifiers.

		=back