Loading apps/ocsp.c +53 −11 Original line number Diff line number Diff line Loading @@ -69,6 +69,7 @@ #include <string.h> #include <time.h> #include "apps.h" /* needs to be included before the openssl headers! */ #include "s_apps.h" #include <openssl/e_os2.h> #include <openssl/crypto.h> #include <openssl/err.h> Loading Loading @@ -105,9 +106,9 @@ static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req, long maxage); static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db, X509 *ca, X509 *rcert, EVP_PKEY *rkey, X509 *ca, X509 *rcert, EVP_PKEY *rkey, const EVP_MD *md, STACK_OF(X509) *rother, unsigned long flags, int nmin, int ndays); int nmin, int ndays, int badsig); static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser); static BIO *init_responder(char *port); Loading Loading @@ -148,12 +149,14 @@ int MAIN(int argc, char **argv) long nsec = MAX_VALIDITY_PERIOD, maxage = -1; char *CAfile = NULL, *CApath = NULL; X509_STORE *store = NULL; X509_VERIFY_PARAM *vpm = NULL; STACK_OF(X509) *sign_other = NULL, *verify_other = NULL, *rother = NULL; char *sign_certfile = NULL, *verify_certfile = NULL, *rcertfile = NULL; unsigned long sign_flags = 0, verify_flags = 0, rflags = 0; int ret = 1; int accept_count = -1; int badarg = 0; int badsig = 0; int i; int ignore_err = 0; STACK_OF(OPENSSL_STRING) *reqnames = NULL; Loading @@ -164,7 +167,7 @@ int MAIN(int argc, char **argv) char *rca_filename = NULL; CA_DB *rdb = NULL; int nmin = 0, ndays = -1; const EVP_MD *cert_id_md = NULL; const EVP_MD *cert_id_md = NULL, *rsign_md = NULL; if (bio_err == NULL) bio_err = BIO_new_fp(stderr, BIO_NOCLOSE); Loading Loading @@ -271,6 +274,8 @@ int MAIN(int argc, char **argv) verify_flags |= OCSP_TRUSTOTHER; else if (!strcmp(*args, "-no_intern")) verify_flags |= OCSP_NOINTERN; else if (!strcmp(*args, "-badsig")) badsig = 1; else if (!strcmp(*args, "-text")) { req_text = 1; Loading Loading @@ -353,6 +358,12 @@ int MAIN(int argc, char **argv) } else badarg = 1; } else if (args_verify(&args, NULL, &badarg, bio_err, &vpm)) { if (badarg) goto end; continue; } else if (!strcmp (*args, "-validity_period")) { if (args[1]) Loading Loading @@ -558,6 +569,17 @@ int MAIN(int argc, char **argv) } else badarg = 1; } else if (!strcmp(*args, "-rmd")) { if (args[1]) { args++; rsign_md = EVP_get_digestbyname(*args); if (!rsign_md) badarg = 1; } else badarg = 1; } else if ((cert_id_md = EVP_get_digestbyname((*args)+1))==NULL) { badarg = 1; Loading Loading @@ -634,6 +656,9 @@ int MAIN(int argc, char **argv) if (!req && reqin) { if (!strcmp(reqin, "-")) derbio = BIO_new_fp(stdin, BIO_NOCLOSE); else derbio = BIO_new_file(reqin, "rb"); if (!derbio) { Loading Loading @@ -736,6 +761,9 @@ int MAIN(int argc, char **argv) if (reqout) { if (!strcmp(reqout, "-")) derbio = BIO_new_fp(stdout, BIO_NOCLOSE); else derbio = BIO_new_file(reqout, "wb"); if(!derbio) { Loading @@ -761,7 +789,7 @@ int MAIN(int argc, char **argv) if (rdb) { i = make_ocsp_response(&resp, req, rdb, rca_cert, rsigner, rkey, rother, rflags, nmin, ndays); i = make_ocsp_response(&resp, req, rdb, rca_cert, rsigner, rkey,rsign_md, rother, rflags, nmin, ndays, badsig); if (cbio) send_ocsp_response(cbio, resp); } Loading @@ -779,6 +807,9 @@ int MAIN(int argc, char **argv) } else if (respin) { if (!strcmp(respin, "-")) derbio = BIO_new_fp(stdin, BIO_NOCLOSE); else derbio = BIO_new_file(respin, "rb"); if (!derbio) { Loading @@ -804,6 +835,9 @@ int MAIN(int argc, char **argv) if (respout) { if (!strcmp(respout, "-")) derbio = BIO_new_fp(stdout, BIO_NOCLOSE); else derbio = BIO_new_file(respout, "wb"); if(!derbio) { Loading Loading @@ -857,6 +891,8 @@ int MAIN(int argc, char **argv) store = setup_verify(bio_err, CAfile, CApath); if (!store) goto end; if (vpm) X509_STORE_set1_param(store, vpm); if (verify_certfile) { verify_other = load_certs(bio_err, verify_certfile, FORMAT_PEM, Loading Loading @@ -907,6 +943,8 @@ end: ERR_print_errors(bio_err); X509_free(signer); X509_STORE_free(store); if (vpm) X509_VERIFY_PARAM_free(vpm); EVP_PKEY_free(key); EVP_PKEY_free(rkey); X509_free(issuer); Loading Loading @@ -1057,9 +1095,10 @@ static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req, static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db, X509 *ca, X509 *rcert, EVP_PKEY *rkey, X509 *ca, X509 *rcert, EVP_PKEY *rkey, const EVP_MD *rmd, STACK_OF(X509) *rother, unsigned long flags, int nmin, int ndays) int nmin, int ndays, int badsig) { ASN1_TIME *thisupd = NULL, *nextupd = NULL; OCSP_CERTID *cid, *ca_id = NULL; Loading Loading @@ -1148,7 +1187,10 @@ static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db OCSP_copy_nonce(bs, req); OCSP_basic_sign(bs, rcert, rkey, NULL, rother, flags); OCSP_basic_sign(bs, rcert, rkey, rmd, rother, flags); if (badsig) bs->signature->data[bs->signature->length -1] ^= 0x1; *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_SUCCESSFUL, bs); Loading ssl/ssl_locl.h +6 −0 Original line number Diff line number Diff line Loading @@ -524,6 +524,12 @@ typedef struct cert_st /* Size of above array */ size_t sigalgslen; /* Optional X509_STORE for chain building or certificate validation * If NULL the parent SSL_CTX store is used instead. */ X509_STORE *chain_store; X509_STORE *verify_store; int references; /* >1 only if SSL_copy_session_id is used */ } CERT; Loading Loading
apps/ocsp.c +53 −11 Original line number Diff line number Diff line Loading @@ -69,6 +69,7 @@ #include <string.h> #include <time.h> #include "apps.h" /* needs to be included before the openssl headers! */ #include "s_apps.h" #include <openssl/e_os2.h> #include <openssl/crypto.h> #include <openssl/err.h> Loading Loading @@ -105,9 +106,9 @@ static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req, long maxage); static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db, X509 *ca, X509 *rcert, EVP_PKEY *rkey, X509 *ca, X509 *rcert, EVP_PKEY *rkey, const EVP_MD *md, STACK_OF(X509) *rother, unsigned long flags, int nmin, int ndays); int nmin, int ndays, int badsig); static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser); static BIO *init_responder(char *port); Loading Loading @@ -148,12 +149,14 @@ int MAIN(int argc, char **argv) long nsec = MAX_VALIDITY_PERIOD, maxage = -1; char *CAfile = NULL, *CApath = NULL; X509_STORE *store = NULL; X509_VERIFY_PARAM *vpm = NULL; STACK_OF(X509) *sign_other = NULL, *verify_other = NULL, *rother = NULL; char *sign_certfile = NULL, *verify_certfile = NULL, *rcertfile = NULL; unsigned long sign_flags = 0, verify_flags = 0, rflags = 0; int ret = 1; int accept_count = -1; int badarg = 0; int badsig = 0; int i; int ignore_err = 0; STACK_OF(OPENSSL_STRING) *reqnames = NULL; Loading @@ -164,7 +167,7 @@ int MAIN(int argc, char **argv) char *rca_filename = NULL; CA_DB *rdb = NULL; int nmin = 0, ndays = -1; const EVP_MD *cert_id_md = NULL; const EVP_MD *cert_id_md = NULL, *rsign_md = NULL; if (bio_err == NULL) bio_err = BIO_new_fp(stderr, BIO_NOCLOSE); Loading Loading @@ -271,6 +274,8 @@ int MAIN(int argc, char **argv) verify_flags |= OCSP_TRUSTOTHER; else if (!strcmp(*args, "-no_intern")) verify_flags |= OCSP_NOINTERN; else if (!strcmp(*args, "-badsig")) badsig = 1; else if (!strcmp(*args, "-text")) { req_text = 1; Loading Loading @@ -353,6 +358,12 @@ int MAIN(int argc, char **argv) } else badarg = 1; } else if (args_verify(&args, NULL, &badarg, bio_err, &vpm)) { if (badarg) goto end; continue; } else if (!strcmp (*args, "-validity_period")) { if (args[1]) Loading Loading @@ -558,6 +569,17 @@ int MAIN(int argc, char **argv) } else badarg = 1; } else if (!strcmp(*args, "-rmd")) { if (args[1]) { args++; rsign_md = EVP_get_digestbyname(*args); if (!rsign_md) badarg = 1; } else badarg = 1; } else if ((cert_id_md = EVP_get_digestbyname((*args)+1))==NULL) { badarg = 1; Loading Loading @@ -634,6 +656,9 @@ int MAIN(int argc, char **argv) if (!req && reqin) { if (!strcmp(reqin, "-")) derbio = BIO_new_fp(stdin, BIO_NOCLOSE); else derbio = BIO_new_file(reqin, "rb"); if (!derbio) { Loading Loading @@ -736,6 +761,9 @@ int MAIN(int argc, char **argv) if (reqout) { if (!strcmp(reqout, "-")) derbio = BIO_new_fp(stdout, BIO_NOCLOSE); else derbio = BIO_new_file(reqout, "wb"); if(!derbio) { Loading @@ -761,7 +789,7 @@ int MAIN(int argc, char **argv) if (rdb) { i = make_ocsp_response(&resp, req, rdb, rca_cert, rsigner, rkey, rother, rflags, nmin, ndays); i = make_ocsp_response(&resp, req, rdb, rca_cert, rsigner, rkey,rsign_md, rother, rflags, nmin, ndays, badsig); if (cbio) send_ocsp_response(cbio, resp); } Loading @@ -779,6 +807,9 @@ int MAIN(int argc, char **argv) } else if (respin) { if (!strcmp(respin, "-")) derbio = BIO_new_fp(stdin, BIO_NOCLOSE); else derbio = BIO_new_file(respin, "rb"); if (!derbio) { Loading @@ -804,6 +835,9 @@ int MAIN(int argc, char **argv) if (respout) { if (!strcmp(respout, "-")) derbio = BIO_new_fp(stdout, BIO_NOCLOSE); else derbio = BIO_new_file(respout, "wb"); if(!derbio) { Loading Loading @@ -857,6 +891,8 @@ int MAIN(int argc, char **argv) store = setup_verify(bio_err, CAfile, CApath); if (!store) goto end; if (vpm) X509_STORE_set1_param(store, vpm); if (verify_certfile) { verify_other = load_certs(bio_err, verify_certfile, FORMAT_PEM, Loading Loading @@ -907,6 +943,8 @@ end: ERR_print_errors(bio_err); X509_free(signer); X509_STORE_free(store); if (vpm) X509_VERIFY_PARAM_free(vpm); EVP_PKEY_free(key); EVP_PKEY_free(rkey); X509_free(issuer); Loading Loading @@ -1057,9 +1095,10 @@ static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req, static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db, X509 *ca, X509 *rcert, EVP_PKEY *rkey, X509 *ca, X509 *rcert, EVP_PKEY *rkey, const EVP_MD *rmd, STACK_OF(X509) *rother, unsigned long flags, int nmin, int ndays) int nmin, int ndays, int badsig) { ASN1_TIME *thisupd = NULL, *nextupd = NULL; OCSP_CERTID *cid, *ca_id = NULL; Loading Loading @@ -1148,7 +1187,10 @@ static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db OCSP_copy_nonce(bs, req); OCSP_basic_sign(bs, rcert, rkey, NULL, rother, flags); OCSP_basic_sign(bs, rcert, rkey, rmd, rother, flags); if (badsig) bs->signature->data[bs->signature->length -1] ^= 0x1; *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_SUCCESSFUL, bs); Loading
ssl/ssl_locl.h +6 −0 Original line number Diff line number Diff line Loading @@ -524,6 +524,12 @@ typedef struct cert_st /* Size of above array */ size_t sigalgslen; /* Optional X509_STORE for chain building or certificate validation * If NULL the parent SSL_CTX store is used instead. */ X509_STORE *chain_store; X509_STORE *verify_store; int references; /* >1 only if SSL_copy_session_id is used */ } CERT; Loading
