1/* 2 * Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10#include <openssl/opensslconf.h> 11 12#ifdef OPENSSL_SYS_VMS 13 /* So fd_set and friends get properly defined on OpenVMS */ 14# define _XOPEN_SOURCE_EXTENDED 15#endif 16 17#include <stdio.h> 18#include <stdlib.h> 19#include <string.h> 20#include <time.h> 21#include <ctype.h> 22 23/* Needs to be included before the openssl headers */ 24#include "apps.h" 25#include "http_server.h" 26#include "progs.h" 27#include "internal/sockets.h" 28#include <openssl/e_os2.h> 29#include <openssl/crypto.h> 30#include <openssl/err.h> 31#include <openssl/ssl.h> 32#include <openssl/evp.h> 33#include <openssl/bn.h> 34#include <openssl/x509v3.h> 35 36#if defined(__TANDEM) 37# if defined(OPENSSL_TANDEM_FLOSS) 38# include <floss.h(floss_fork)> 39# endif 40#endif 41 42#if defined(OPENSSL_SYS_VXWORKS) 43/* not supported */ 44int setpgid(pid_t pid, pid_t pgid) 45{ 46 errno = ENOSYS; 47 return 0; 48} 49/* not supported */ 50pid_t fork(void) 51{ 52 errno = ENOSYS; 53 return (pid_t) -1; 54} 55#endif 56/* Maximum leeway in validity period: default 5 minutes */ 57#define MAX_VALIDITY_PERIOD (5 * 60) 58 59static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, 60 const EVP_MD *cert_id_md, X509 *issuer, 61 STACK_OF(OCSP_CERTID) *ids); 62static int add_ocsp_serial(OCSP_REQUEST **req, char *serial, 63 const EVP_MD *cert_id_md, X509 *issuer, 64 STACK_OF(OCSP_CERTID) *ids); 65static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req, 66 STACK_OF(OPENSSL_STRING) *names, 67 STACK_OF(OCSP_CERTID) *ids, long nsec, 68 long maxage); 69static void make_ocsp_response(BIO *err, OCSP_RESPONSE **resp, OCSP_REQUEST *req, 70 CA_DB *db, STACK_OF(X509) *ca, X509 *rcert, 71 EVP_PKEY *rkey, const EVP_MD *md, 72 STACK_OF(OPENSSL_STRING) *sigopts, 73 STACK_OF(X509) *rother, unsigned long flags, 74 int nmin, int ndays, int badsig, 75 const EVP_MD *resp_md); 76 77static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser); 78static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, 79 const char *port, int timeout); 80static int send_ocsp_response(BIO *cbio, const OCSP_RESPONSE *resp); 81static char *prog; 82 83#ifdef HTTP_DAEMON 84static int index_changed(CA_DB *); 85#endif 86 87typedef enum OPTION_choice { 88 OPT_COMMON, 89 OPT_OUTFILE, OPT_TIMEOUT, OPT_URL, OPT_HOST, OPT_PORT, 90#ifndef OPENSSL_NO_SOCK 91 OPT_PROXY, OPT_NO_PROXY, 92#endif 93 OPT_IGNORE_ERR, OPT_NOVERIFY, OPT_NONCE, OPT_NO_NONCE, 94 OPT_RESP_NO_CERTS, OPT_RESP_KEY_ID, OPT_NO_CERTS, 95 OPT_NO_SIGNATURE_VERIFY, OPT_NO_CERT_VERIFY, OPT_NO_CHAIN, 96 OPT_NO_CERT_CHECKS, OPT_NO_EXPLICIT, OPT_TRUST_OTHER, 97 OPT_NO_INTERN, OPT_BADSIG, OPT_TEXT, OPT_REQ_TEXT, OPT_RESP_TEXT, 98 OPT_REQIN, OPT_RESPIN, OPT_SIGNER, OPT_VAFILE, OPT_SIGN_OTHER, 99 OPT_VERIFY_OTHER, OPT_CAFILE, OPT_CAPATH, OPT_CASTORE, OPT_NOCAFILE, 100 OPT_NOCAPATH, OPT_NOCASTORE, 101 OPT_VALIDITY_PERIOD, OPT_STATUS_AGE, OPT_SIGNKEY, OPT_REQOUT, 102 OPT_RESPOUT, OPT_PATH, OPT_ISSUER, OPT_CERT, OPT_SERIAL, 103 OPT_INDEX, OPT_CA, OPT_NMIN, OPT_REQUEST, OPT_NDAYS, OPT_RSIGNER, 104 OPT_RKEY, OPT_ROTHER, OPT_RMD, OPT_RSIGOPT, OPT_HEADER, 105 OPT_PASSIN, 106 OPT_RCID, 107 OPT_V_ENUM, 108 OPT_MD, 109 OPT_MULTI, OPT_PROV_ENUM 110} OPTION_CHOICE; 111 112const OPTIONS ocsp_options[] = { 113 OPT_SECTION("General"), 114 {"help", OPT_HELP, '-', "Display this summary"}, 115 {"ignore_err", OPT_IGNORE_ERR, '-', 116 "Ignore error on OCSP request or response and continue running"}, 117 {"CAfile", OPT_CAFILE, '<', "Trusted certificates file"}, 118 {"CApath", OPT_CAPATH, '<', "Trusted certificates directory"}, 119 {"CAstore", OPT_CASTORE, ':', "Trusted certificates store URI"}, 120 {"no-CAfile", OPT_NOCAFILE, '-', 121 "Do not load the default certificates file"}, 122 {"no-CApath", OPT_NOCAPATH, '-', 123 "Do not load certificates from the default certificates directory"}, 124 {"no-CAstore", OPT_NOCASTORE, '-', 125 "Do not load certificates from the default certificates store"}, 126 127 OPT_SECTION("Responder"), 128 {"timeout", OPT_TIMEOUT, 'p', 129 "Connection timeout (in seconds) to the OCSP responder"}, 130 {"resp_no_certs", OPT_RESP_NO_CERTS, '-', 131 "Don't include any certificates in response"}, 132#ifdef HTTP_DAEMON 133 {"multi", OPT_MULTI, 'p', "run multiple responder processes"}, 134#endif 135 {"no_certs", OPT_NO_CERTS, '-', 136 "Don't include any certificates in signed request"}, 137 {"badsig", OPT_BADSIG, '-', 138 "Corrupt last byte of loaded OCSP response signature (for test)"}, 139 {"CA", OPT_CA, '<', "CA certificate"}, 140 {"nmin", OPT_NMIN, 'p', "Number of minutes before next update"}, 141 {"nrequest", OPT_REQUEST, 'p', 142 "Number of requests to accept (default unlimited)"}, 143 {"reqin", OPT_REQIN, 's', "File with the DER-encoded request"}, 144 {"signer", OPT_SIGNER, '<', "Certificate to sign OCSP request with"}, 145 {"sign_other", OPT_SIGN_OTHER, '<', 146 "Additional certificates to include in signed request"}, 147 {"index", OPT_INDEX, '<', "Certificate status index file"}, 148 {"ndays", OPT_NDAYS, 'p', "Number of days before next update"}, 149 {"rsigner", OPT_RSIGNER, '<', 150 "Responder certificate to sign responses with"}, 151 {"rkey", OPT_RKEY, '<', "Responder key to sign responses with"}, 152 {"passin", OPT_PASSIN, 's', "Responder key pass phrase source"}, 153 {"rother", OPT_ROTHER, '<', "Other certificates to include in response"}, 154 {"rmd", OPT_RMD, 's', "Digest Algorithm to use in signature of OCSP response"}, 155 {"rsigopt", OPT_RSIGOPT, 's', "OCSP response signature parameter in n:v form"}, 156 {"header", OPT_HEADER, 's', "key=value header to add"}, 157 {"rcid", OPT_RCID, 's', "Use specified algorithm for cert id in response"}, 158 {"", OPT_MD, '-', "Any supported digest algorithm (sha1,sha256, ... )"}, 159 160 OPT_SECTION("Client"), 161 {"url", OPT_URL, 's', "Responder URL"}, 162 {"host", OPT_HOST, 's', "TCP/IP hostname:port to connect to"}, 163 {"port", OPT_PORT, 'N', "Port to run responder on"}, 164 {"path", OPT_PATH, 's', "Path to use in OCSP request"}, 165#ifndef OPENSSL_NO_SOCK 166 {"proxy", OPT_PROXY, 's', 167 "[http[s]://]host[:port][/path] of HTTP(S) proxy to use; path is ignored"}, 168 {"no_proxy", OPT_NO_PROXY, 's', 169 "List of addresses of servers not to use HTTP(S) proxy for"}, 170 {OPT_MORE_STR, 0, 0, 171 "Default from environment variable 'no_proxy', else 'NO_PROXY', else none"}, 172#endif 173 {"out", OPT_OUTFILE, '>', "Output filename"}, 174 {"noverify", OPT_NOVERIFY, '-', "Don't verify response at all"}, 175 {"nonce", OPT_NONCE, '-', "Add OCSP nonce to request"}, 176 {"no_nonce", OPT_NO_NONCE, '-', "Don't add OCSP nonce to request"}, 177 {"no_signature_verify", OPT_NO_SIGNATURE_VERIFY, '-', 178 "Don't check signature on response"}, 179 {"resp_key_id", OPT_RESP_KEY_ID, '-', 180 "Identify response by signing certificate key ID"}, 181 {"no_cert_verify", OPT_NO_CERT_VERIFY, '-', 182 "Don't check signing certificate"}, 183 {"text", OPT_TEXT, '-', "Print text form of request and response"}, 184 {"req_text", OPT_REQ_TEXT, '-', "Print text form of request"}, 185 {"resp_text", OPT_RESP_TEXT, '-', "Print text form of response"}, 186 {"no_chain", OPT_NO_CHAIN, '-', "Don't chain verify response"}, 187 {"no_cert_checks", OPT_NO_CERT_CHECKS, '-', 188 "Don't do additional checks on signing certificate"}, 189 {"no_explicit", OPT_NO_EXPLICIT, '-', 190 "Do not explicitly check the chain, just verify the root"}, 191 {"trust_other", OPT_TRUST_OTHER, '-', 192 "Don't verify additional certificates"}, 193 {"no_intern", OPT_NO_INTERN, '-', 194 "Don't search certificates contained in response for signer"}, 195 {"respin", OPT_RESPIN, 's', "File with the DER-encoded response"}, 196 {"VAfile", OPT_VAFILE, '<', "Validator certificates file"}, 197 {"verify_other", OPT_VERIFY_OTHER, '<', 198 "Additional certificates to search for signer"}, 199 {"cert", OPT_CERT, '<', "Certificate to check"}, 200 {"serial", OPT_SERIAL, 's', "Serial number to check"}, 201 {"validity_period", OPT_VALIDITY_PERIOD, 'u', 202 "Maximum validity discrepancy in seconds"}, 203 {"signkey", OPT_SIGNKEY, 's', "Private key to sign OCSP request with"}, 204 {"reqout", OPT_REQOUT, 's', "Output file for the DER-encoded request"}, 205 {"respout", OPT_RESPOUT, 's', "Output file for the DER-encoded response"}, 206 {"issuer", OPT_ISSUER, '<', "Issuer certificate"}, 207 {"status_age", OPT_STATUS_AGE, 'p', "Maximum status age in seconds"}, 208 209 OPT_V_OPTIONS, 210 OPT_PROV_OPTIONS, 211 {NULL} 212}; 213 214int ocsp_main(int argc, char **argv) 215{ 216 BIO *acbio = NULL, *cbio = NULL, *derbio = NULL, *out = NULL; 217 EVP_MD *cert_id_md = NULL, *rsign_md = NULL; 218 STACK_OF(OPENSSL_STRING) *rsign_sigopts = NULL; 219 int trailing_md = 0; 220 CA_DB *rdb = NULL; 221 EVP_PKEY *key = NULL, *rkey = NULL; 222 OCSP_BASICRESP *bs = NULL; 223 OCSP_REQUEST *req = NULL; 224 OCSP_RESPONSE *resp = NULL; 225 STACK_OF(CONF_VALUE) *headers = NULL; 226 STACK_OF(OCSP_CERTID) *ids = NULL; 227 STACK_OF(OPENSSL_STRING) *reqnames = NULL; 228 STACK_OF(X509) *sign_other = NULL, *verify_other = NULL, *rother = NULL; 229 STACK_OF(X509) *issuers = NULL; 230 X509 *issuer = NULL, *cert = NULL; 231 STACK_OF(X509) *rca_cert = NULL; 232 EVP_MD *resp_certid_md = NULL; 233 X509 *signer = NULL, *rsigner = NULL; 234 X509_STORE *store = NULL; 235 X509_VERIFY_PARAM *vpm = NULL; 236 const char *CAfile = NULL, *CApath = NULL, *CAstore = NULL; 237 char *header, *value, *respdigname = NULL; 238 char *host = NULL, *port = NULL, *path = "/", *outfile = NULL; 239#ifndef OPENSSL_NO_SOCK 240 char *opt_proxy = NULL; 241 char *opt_no_proxy = NULL; 242#endif 243 char *rca_filename = NULL, *reqin = NULL, *respin = NULL; 244 char *reqout = NULL, *respout = NULL, *ridx_filename = NULL; 245 char *rsignfile = NULL, *rkeyfile = NULL; 246 char *passinarg = NULL, *passin = NULL; 247 char *sign_certfile = NULL, *verify_certfile = NULL, *rcertfile = NULL; 248 char *signfile = NULL, *keyfile = NULL; 249 char *thost = NULL, *tport = NULL, *tpath = NULL; 250 int noCAfile = 0, noCApath = 0, noCAstore = 0; 251 int accept_count = -1, add_nonce = 1, noverify = 0, use_ssl = -1; 252 int vpmtouched = 0, badsig = 0, i, ignore_err = 0, nmin = 0, ndays = -1; 253 int req_text = 0, resp_text = 0, res, ret = 1; 254 int req_timeout = -1; 255 long nsec = MAX_VALIDITY_PERIOD, maxage = -1; 256 unsigned long sign_flags = 0, verify_flags = 0, rflags = 0; 257 OPTION_CHOICE o; 258 259 if ((reqnames = sk_OPENSSL_STRING_new_null()) == NULL 260 || (ids = sk_OCSP_CERTID_new_null()) == NULL 261 || (vpm = X509_VERIFY_PARAM_new()) == NULL) 262 goto end; 263 264 prog = opt_init(argc, argv, ocsp_options); 265 while ((o = opt_next()) != OPT_EOF) { 266 switch (o) { 267 case OPT_EOF: 268 case OPT_ERR: 269 opthelp: 270 BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); 271 goto end; 272 case OPT_HELP: 273 ret = 0; 274 opt_help(ocsp_options); 275 goto end; 276 case OPT_OUTFILE: 277 outfile = opt_arg(); 278 break; 279 case OPT_TIMEOUT: 280#ifndef OPENSSL_NO_SOCK 281 req_timeout = atoi(opt_arg()); 282#endif 283 break; 284 case OPT_URL: 285 OPENSSL_free(thost); 286 OPENSSL_free(tport); 287 OPENSSL_free(tpath); 288 thost = tport = tpath = NULL; 289 if (!OSSL_HTTP_parse_url(opt_arg(), &use_ssl, NULL /* userinfo */, 290 &host, &port, NULL /* port_num */, 291 &path, NULL /* qry */, NULL /* frag */)) { 292 BIO_printf(bio_err, "%s Error parsing -url argument\n", prog); 293 goto end; 294 } 295 thost = host; 296 tport = port; 297 tpath = path; 298 break; 299 case OPT_HOST: 300 host = opt_arg(); 301 break; 302 case OPT_PORT: 303 port = opt_arg(); 304 break; 305 case OPT_PATH: 306 path = opt_arg(); 307 break; 308#ifndef OPENSSL_NO_SOCK 309 case OPT_PROXY: 310 opt_proxy = opt_arg(); 311 break; 312 case OPT_NO_PROXY: 313 opt_no_proxy = opt_arg(); 314 break; 315#endif 316 case OPT_IGNORE_ERR: 317 ignore_err = 1; 318 break; 319 case OPT_NOVERIFY: 320 noverify = 1; 321 break; 322 case OPT_NONCE: 323 add_nonce = 2; 324 break; 325 case OPT_NO_NONCE: 326 add_nonce = 0; 327 break; 328 case OPT_RESP_NO_CERTS: 329 rflags |= OCSP_NOCERTS; 330 break; 331 case OPT_RESP_KEY_ID: 332 rflags |= OCSP_RESPID_KEY; 333 break; 334 case OPT_NO_CERTS: 335 sign_flags |= OCSP_NOCERTS; 336 break; 337 case OPT_NO_SIGNATURE_VERIFY: 338 verify_flags |= OCSP_NOSIGS; 339 break; 340 case OPT_NO_CERT_VERIFY: 341 verify_flags |= OCSP_NOVERIFY; 342 break; 343 case OPT_NO_CHAIN: 344 verify_flags |= OCSP_NOCHAIN; 345 break; 346 case OPT_NO_CERT_CHECKS: 347 verify_flags |= OCSP_NOCHECKS; 348 break; 349 case OPT_NO_EXPLICIT: 350 verify_flags |= OCSP_NOEXPLICIT; 351 break; 352 case OPT_TRUST_OTHER: 353 verify_flags |= OCSP_TRUSTOTHER; 354 break; 355 case OPT_NO_INTERN: 356 verify_flags |= OCSP_NOINTERN; 357 break; 358 case OPT_BADSIG: 359 badsig = 1; 360 break; 361 case OPT_TEXT: 362 req_text = resp_text = 1; 363 break; 364 case OPT_REQ_TEXT: 365 req_text = 1; 366 break; 367 case OPT_RESP_TEXT: 368 resp_text = 1; 369 break; 370 case OPT_REQIN: 371 reqin = opt_arg(); 372 break; 373 case OPT_RESPIN: 374 respin = opt_arg(); 375 break; 376 case OPT_SIGNER: 377 signfile = opt_arg(); 378 break; 379 case OPT_VAFILE: 380 verify_certfile = opt_arg(); 381 verify_flags |= OCSP_TRUSTOTHER; 382 break; 383 case OPT_SIGN_OTHER: 384 sign_certfile = opt_arg(); 385 break; 386 case OPT_VERIFY_OTHER: 387 verify_certfile = opt_arg(); 388 break; 389 case OPT_CAFILE: 390 CAfile = opt_arg(); 391 break; 392 case OPT_CAPATH: 393 CApath = opt_arg(); 394 break; 395 case OPT_CASTORE: 396 CAstore = opt_arg(); 397 break; 398 case OPT_NOCAFILE: 399 noCAfile = 1; 400 break; 401 case OPT_NOCAPATH: 402 noCApath = 1; 403 break; 404 case OPT_NOCASTORE: 405 noCAstore = 1; 406 break; 407 case OPT_V_CASES: 408 if (!opt_verify(o, vpm)) 409 goto end; 410 vpmtouched++; 411 break; 412 case OPT_VALIDITY_PERIOD: 413 opt_long(opt_arg(), &nsec); 414 break; 415 case OPT_STATUS_AGE: 416 opt_long(opt_arg(), &maxage); 417 break; 418 case OPT_SIGNKEY: 419 keyfile = opt_arg(); 420 break; 421 case OPT_REQOUT: 422 reqout = opt_arg(); 423 break; 424 case OPT_RESPOUT: 425 respout = opt_arg(); 426 break; 427 case OPT_ISSUER: 428 issuer = load_cert(opt_arg(), FORMAT_UNDEF, "issuer certificate"); 429 if (issuer == NULL) 430 goto end; 431 if (issuers == NULL) { 432 if ((issuers = sk_X509_new_null()) == NULL) 433 goto end; 434 } 435 if (!sk_X509_push(issuers, issuer)) 436 goto end; 437 break; 438 case OPT_CERT: 439 X509_free(cert); 440 cert = load_cert(opt_arg(), FORMAT_UNDEF, "certificate"); 441 if (cert == NULL) 442 goto end; 443 if (cert_id_md == NULL) 444 cert_id_md = (EVP_MD *)EVP_sha1(); 445 if (!add_ocsp_cert(&req, cert, cert_id_md, issuer, ids)) 446 goto end; 447 if (!sk_OPENSSL_STRING_push(reqnames, opt_arg())) 448 goto end; 449 trailing_md = 0; 450 break; 451 case OPT_SERIAL: 452 if (cert_id_md == NULL) 453 cert_id_md = (EVP_MD *)EVP_sha1(); 454 if (!add_ocsp_serial(&req, opt_arg(), cert_id_md, issuer, ids)) 455 goto end; 456 if (!sk_OPENSSL_STRING_push(reqnames, opt_arg())) 457 goto end; 458 trailing_md = 0; 459 break; 460 case OPT_INDEX: 461 ridx_filename = opt_arg(); 462 break; 463 case OPT_CA: 464 rca_filename = opt_arg(); 465 break; 466 case OPT_NMIN: 467 nmin = opt_int_arg(); 468 if (ndays == -1) 469 ndays = 0; 470 break; 471 case OPT_REQUEST: 472 accept_count = opt_int_arg(); 473 break; 474 case OPT_NDAYS: 475 ndays = atoi(opt_arg()); 476 break; 477 case OPT_RSIGNER: 478 rsignfile = opt_arg(); 479 break; 480 case OPT_RKEY: 481 rkeyfile = opt_arg(); 482 break; 483 case OPT_PASSIN: 484 passinarg = opt_arg(); 485 break; 486 case OPT_ROTHER: 487 rcertfile = opt_arg(); 488 break; 489 case OPT_RMD: /* Response MessageDigest */ 490 respdigname = opt_arg(); 491 break; 492 case OPT_RSIGOPT: 493 if (rsign_sigopts == NULL) 494 rsign_sigopts = sk_OPENSSL_STRING_new_null(); 495 if (rsign_sigopts == NULL 496 || !sk_OPENSSL_STRING_push(rsign_sigopts, opt_arg())) 497 goto end; 498 break; 499 case OPT_HEADER: 500 header = opt_arg(); 501 value = strchr(header, '='); 502 if (value == NULL) { 503 BIO_printf(bio_err, "Missing = in header key=value\n"); 504 goto opthelp; 505 } 506 *value++ = '\0'; 507 if (!X509V3_add_value(header, value, &headers)) 508 goto end; 509 break; 510 case OPT_RCID: 511 if (!opt_md(opt_arg(), &resp_certid_md)) 512 goto opthelp; 513 break; 514 case OPT_MD: 515 if (trailing_md) { 516 BIO_printf(bio_err, 517 "%s: Digest must be before -cert or -serial\n", 518 prog); 519 goto opthelp; 520 } 521 if (!opt_md(opt_unknown(), &cert_id_md)) 522 goto opthelp; 523 trailing_md = 1; 524 break; 525 case OPT_MULTI: 526#ifdef HTTP_DAEMON 527 multi = atoi(opt_arg()); 528#endif 529 break; 530 case OPT_PROV_CASES: 531 if (!opt_provider(o)) 532 goto end; 533 break; 534 } 535 } 536 537 /* No extra arguments. */ 538 argc = opt_num_rest(); 539 if (argc != 0) 540 goto opthelp; 541 542 if (trailing_md) { 543 BIO_printf(bio_err, "%s: Digest must be before -cert or -serial\n", 544 prog); 545 goto opthelp; 546 } 547 548 if (respdigname != NULL) { 549 if (!opt_md(respdigname, &rsign_md)) 550 goto end; 551 } 552 553 /* Have we anything to do? */ 554 if (req == NULL && reqin == NULL 555 && respin == NULL && !(port != NULL && ridx_filename != NULL)) 556 goto opthelp; 557 558 out = bio_open_default(outfile, 'w', FORMAT_TEXT); 559 if (out == NULL) 560 goto end; 561 562 if (req == NULL && (add_nonce != 2)) 563 add_nonce = 0; 564 565 if (req == NULL && reqin != NULL) { 566 derbio = bio_open_default(reqin, 'r', FORMAT_ASN1); 567 if (derbio == NULL) 568 goto end; 569 req = d2i_OCSP_REQUEST_bio(derbio, NULL); 570 BIO_free(derbio); 571 if (req == NULL) { 572 BIO_printf(bio_err, "Error reading OCSP request\n"); 573 goto end; 574 } 575 } 576 577 if (req == NULL && port != NULL) { 578#ifndef OPENSSL_NO_SOCK 579 acbio = http_server_init_bio(prog, port); 580 if (acbio == NULL) 581 goto end; 582#else 583 BIO_printf(bio_err, "Cannot act as server - sockets not supported\n"); 584 goto end; 585#endif 586 } 587 588 if (rsignfile != NULL) { 589 if (rkeyfile == NULL) 590 rkeyfile = rsignfile; 591 rsigner = load_cert(rsignfile, FORMAT_UNDEF, "responder certificate"); 592 if (rsigner == NULL) { 593 BIO_printf(bio_err, "Error loading responder certificate\n"); 594 goto end; 595 } 596 if (!load_certs(rca_filename, 0, &rca_cert, NULL, "CA certificates")) 597 goto end; 598 if (rcertfile != NULL) { 599 if (!load_certs(rcertfile, 0, &rother, NULL, 600 "responder other certificates")) 601 goto end; 602 } 603 if (!app_passwd(passinarg, NULL, &passin, NULL)) { 604 BIO_printf(bio_err, "Error getting password\n"); 605 goto end; 606 } 607 rkey = load_key(rkeyfile, FORMAT_UNDEF, 0, passin, NULL, 608 "responder private key"); 609 if (rkey == NULL) 610 goto end; 611 } 612 613 if (ridx_filename != NULL 614 && (rkey == NULL || rsigner == NULL || rca_cert == NULL)) { 615 BIO_printf(bio_err, 616 "Responder mode requires certificate, key, and CA.\n"); 617 goto end; 618 } 619 620 if (ridx_filename != NULL) { 621 rdb = load_index(ridx_filename, NULL); 622 if (rdb == NULL || index_index(rdb) <= 0) { 623 BIO_printf(bio_err, 624 "Problem with index file: %s (could not load/parse file)\n", 625 ridx_filename); 626 ret = 1; 627 goto end; 628 } 629 } 630 631#ifdef HTTP_DAEMON 632 if (multi && acbio != NULL) 633 spawn_loop(prog); 634 if (acbio != NULL && req_timeout > 0) 635 signal(SIGALRM, socket_timeout); 636#endif 637 638 if (acbio != NULL) 639 log_message(prog, LOG_INFO, "waiting for OCSP client connections..."); 640 641redo_accept: 642 643 if (acbio != NULL) { 644#ifdef HTTP_DAEMON 645 if (index_changed(rdb)) { 646 CA_DB *newrdb = load_index(ridx_filename, NULL); 647 648 if (newrdb != NULL && index_index(newrdb) > 0) { 649 free_index(rdb); 650 rdb = newrdb; 651 } else { 652 free_index(newrdb); 653 log_message(prog, LOG_ERR, "error reloading updated index: %s", 654 ridx_filename); 655 } 656 } 657#endif 658 659 req = NULL; 660 res = do_responder(&req, &cbio, acbio, port, req_timeout); 661 if (res == 0) 662 goto redo_accept; 663 664 if (req == NULL) { 665 if (res == 1) { 666 resp = 667 OCSP_response_create(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, 668 NULL); 669 send_ocsp_response(cbio, resp); 670 } 671 goto done_resp; 672 } 673 } 674 675 if (req == NULL 676 && (signfile != NULL || reqout != NULL 677 || host != NULL || add_nonce || ridx_filename != NULL)) { 678 BIO_printf(bio_err, "Need an OCSP request for this operation!\n"); 679 goto end; 680 } 681 682 if (req != NULL && add_nonce) { 683 if (!OCSP_request_add1_nonce(req, NULL, -1)) 684 goto end; 685 } 686 687 if (signfile != NULL) { 688 if (keyfile == NULL) 689 keyfile = signfile; 690 signer = load_cert(signfile, FORMAT_UNDEF, "signer certificate"); 691 if (signer == NULL) { 692 BIO_printf(bio_err, "Error loading signer certificate\n"); 693 goto end; 694 } 695 if (sign_certfile != NULL) { 696 if (!load_certs(sign_certfile, 0, &sign_other, NULL, 697 "signer certificates")) 698 goto end; 699 } 700 key = load_key(keyfile, FORMAT_UNDEF, 0, NULL, NULL, 701 "signer private key"); 702 if (key == NULL) 703 goto end; 704 705 if (!OCSP_request_sign(req, signer, key, NULL, 706 sign_other, sign_flags)) { 707 BIO_printf(bio_err, "Error signing OCSP request\n"); 708 goto end; 709 } 710 } 711 712 if (req_text && req != NULL) 713 OCSP_REQUEST_print(out, req, 0); 714 715 if (reqout != NULL) { 716 derbio = bio_open_default(reqout, 'w', FORMAT_ASN1); 717 if (derbio == NULL) 718 goto end; 719 i2d_OCSP_REQUEST_bio(derbio, req); 720 BIO_free(derbio); 721 } 722 723 if (rdb != NULL) { 724 make_ocsp_response(bio_err, &resp, req, rdb, rca_cert, rsigner, rkey, 725 rsign_md, rsign_sigopts, rother, rflags, nmin, ndays, 726 badsig, resp_certid_md); 727 if (resp == NULL) 728 goto end; 729 if (cbio != NULL) 730 send_ocsp_response(cbio, resp); 731 } else if (host != NULL) { 732#ifndef OPENSSL_NO_SOCK 733 resp = process_responder(req, host, port, path, opt_proxy, opt_no_proxy, 734 use_ssl, headers, req_timeout); 735 if (resp == NULL) 736 goto end; 737#else 738 BIO_printf(bio_err, 739 "Error creating connect BIO - sockets not supported\n"); 740 goto end; 741#endif 742 } else if (respin != NULL) { 743 derbio = bio_open_default(respin, 'r', FORMAT_ASN1); 744 if (derbio == NULL) 745 goto end; 746 resp = d2i_OCSP_RESPONSE_bio(derbio, NULL); 747 BIO_free(derbio); 748 if (resp == NULL) { 749 BIO_printf(bio_err, "Error reading OCSP response\n"); 750 goto end; 751 } 752 } else { 753 ret = 0; 754 goto end; 755 } 756 757 done_resp: 758 759 if (respout != NULL) { 760 derbio = bio_open_default(respout, 'w', FORMAT_ASN1); 761 if (derbio == NULL) 762 goto end; 763 i2d_OCSP_RESPONSE_bio(derbio, resp); 764 BIO_free(derbio); 765 } 766 767 i = OCSP_response_status(resp); 768 if (i != OCSP_RESPONSE_STATUS_SUCCESSFUL) { 769 BIO_printf(out, "Responder Error: %s (%d)\n", 770 OCSP_response_status_str(i), i); 771 if (!ignore_err) 772 goto end; 773 } 774 775 if (resp_text) 776 OCSP_RESPONSE_print(out, resp, 0); 777 778 /* If running as responder don't verify our own response */ 779 if (cbio != NULL) { 780 /* If not unlimited, see if we took all we should. */ 781 if (accept_count != -1 && --accept_count <= 0) { 782 ret = 0; 783 goto end; 784 } 785 BIO_free_all(cbio); 786 cbio = NULL; 787 OCSP_REQUEST_free(req); 788 req = NULL; 789 OCSP_RESPONSE_free(resp); 790 resp = NULL; 791 goto redo_accept; 792 } 793 if (ridx_filename != NULL) { 794 ret = 0; 795 goto end; 796 } 797 798 if (store == NULL) { 799 store = setup_verify(CAfile, noCAfile, CApath, noCApath, 800 CAstore, noCAstore); 801 if (!store) 802 goto end; 803 } 804 if (vpmtouched) 805 X509_STORE_set1_param(store, vpm); 806 if (verify_certfile != NULL) { 807 if (!load_certs(verify_certfile, 0, &verify_other, NULL, 808 "validator certificates")) 809 goto end; 810 } 811 812 bs = OCSP_response_get1_basic(resp); 813 if (bs == NULL) { 814 BIO_printf(bio_err, "Error parsing response\n"); 815 goto end; 816 } 817 818 ret = 0; 819 820 if (!noverify) { 821 if (req != NULL && ((i = OCSP_check_nonce(req, bs)) <= 0)) { 822 if (i == -1) 823 BIO_printf(bio_err, "WARNING: no nonce in response\n"); 824 else { 825 BIO_printf(bio_err, "Nonce Verify error\n"); 826 ret = 1; 827 goto end; 828 } 829 } 830 831 i = OCSP_basic_verify(bs, verify_other, store, verify_flags); 832 if (i <= 0 && issuers) { 833 i = OCSP_basic_verify(bs, issuers, store, OCSP_TRUSTOTHER); 834 if (i > 0) 835 ERR_clear_error(); 836 } 837 if (i <= 0) { 838 BIO_printf(bio_err, "Response Verify Failure\n"); 839 ERR_print_errors(bio_err); 840 ret = 1; 841 } else { 842 BIO_printf(bio_err, "Response verify OK\n"); 843 } 844 } 845 846 if (!print_ocsp_summary(out, bs, req, reqnames, ids, nsec, maxage)) 847 ret = 1; 848 849 end: 850 ERR_print_errors(bio_err); 851 X509_free(signer); 852 X509_STORE_free(store); 853 X509_VERIFY_PARAM_free(vpm); 854 sk_OPENSSL_STRING_free(rsign_sigopts); 855 EVP_PKEY_free(key); 856 EVP_PKEY_free(rkey); 857 EVP_MD_free(cert_id_md); 858 EVP_MD_free(rsign_md); 859 EVP_MD_free(resp_certid_md); 860 X509_free(cert); 861 sk_X509_pop_free(issuers, X509_free); 862 X509_free(rsigner); 863 sk_X509_pop_free(rca_cert, X509_free); 864 free_index(rdb); 865 BIO_free_all(cbio); 866 BIO_free_all(acbio); 867 BIO_free_all(out); 868 OCSP_REQUEST_free(req); 869 OCSP_RESPONSE_free(resp); 870 OCSP_BASICRESP_free(bs); 871 sk_OPENSSL_STRING_free(reqnames); 872 sk_OCSP_CERTID_free(ids); 873 sk_X509_pop_free(sign_other, X509_free); 874 sk_X509_pop_free(verify_other, X509_free); 875 sk_CONF_VALUE_pop_free(headers, X509V3_conf_free); 876 OPENSSL_free(thost); 877 OPENSSL_free(tport); 878 OPENSSL_free(tpath); 879 880 return ret; 881} 882 883#ifdef HTTP_DAEMON 884 885static int index_changed(CA_DB *rdb) 886{ 887 struct stat sb; 888 889 if (rdb != NULL && stat(rdb->dbfname, &sb) != -1) { 890 if (rdb->dbst.st_mtime != sb.st_mtime 891 || rdb->dbst.st_ctime != sb.st_ctime 892 || rdb->dbst.st_ino != sb.st_ino 893 || rdb->dbst.st_dev != sb.st_dev) { 894 syslog(LOG_INFO, "index file changed, reloading"); 895 return 1; 896 } 897 } 898 return 0; 899} 900 901#endif 902 903static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, 904 const EVP_MD *cert_id_md, X509 *issuer, 905 STACK_OF(OCSP_CERTID) *ids) 906{ 907 OCSP_CERTID *id; 908 909 if (issuer == NULL) { 910 BIO_printf(bio_err, "No issuer certificate specified\n"); 911 return 0; 912 } 913 if (*req == NULL) 914 *req = OCSP_REQUEST_new(); 915 if (*req == NULL) 916 goto err; 917 id = OCSP_cert_to_id(cert_id_md, cert, issuer); 918 if (id == NULL || !sk_OCSP_CERTID_push(ids, id)) 919 goto err; 920 if (!OCSP_request_add0_id(*req, id)) 921 goto err; 922 return 1; 923 924 err: 925 BIO_printf(bio_err, "Error Creating OCSP request\n"); 926 return 0; 927} 928 929static int add_ocsp_serial(OCSP_REQUEST **req, char *serial, 930 const EVP_MD *cert_id_md, X509 *issuer, 931 STACK_OF(OCSP_CERTID) *ids) 932{ 933 OCSP_CERTID *id; 934 const X509_NAME *iname; 935 ASN1_BIT_STRING *ikey; 936 ASN1_INTEGER *sno; 937 938 if (issuer == NULL) { 939 BIO_printf(bio_err, "No issuer certificate specified\n"); 940 return 0; 941 } 942 if (*req == NULL) 943 *req = OCSP_REQUEST_new(); 944 if (*req == NULL) 945 goto err; 946 iname = X509_get_subject_name(issuer); 947 ikey = X509_get0_pubkey_bitstr(issuer); 948 sno = s2i_ASN1_INTEGER(NULL, serial); 949 if (sno == NULL) { 950 BIO_printf(bio_err, "Error converting serial number %s\n", serial); 951 return 0; 952 } 953 id = OCSP_cert_id_new(cert_id_md, iname, ikey, sno); 954 ASN1_INTEGER_free(sno); 955 if (id == NULL || !sk_OCSP_CERTID_push(ids, id)) 956 goto err; 957 if (!OCSP_request_add0_id(*req, id)) 958 goto err; 959 return 1; 960 961 err: 962 BIO_printf(bio_err, "Error Creating OCSP request\n"); 963 return 0; 964} 965 966static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req, 967 STACK_OF(OPENSSL_STRING) *names, 968 STACK_OF(OCSP_CERTID) *ids, long nsec, 969 long maxage) 970{ 971 OCSP_CERTID *id; 972 const char *name; 973 int i, status, reason; 974 ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd; 975 int ret = 1; 976 977 if (req == NULL || !sk_OPENSSL_STRING_num(names)) 978 return 1; 979 980 if (bs == NULL || !sk_OCSP_CERTID_num(ids)) 981 return 0; 982 983 for (i = 0; i < sk_OCSP_CERTID_num(ids); i++) { 984 id = sk_OCSP_CERTID_value(ids, i); 985 name = sk_OPENSSL_STRING_value(names, i); 986 BIO_printf(out, "%s: ", name); 987 988 if (!OCSP_resp_find_status(bs, id, &status, &reason, 989 &rev, &thisupd, &nextupd)) { 990 BIO_puts(out, "ERROR: No Status found.\n"); 991 ret = 0; 992 continue; 993 } 994 995 /* 996 * Check validity: if invalid write to output BIO so we know which 997 * response this refers to. 998 */ 999 if (!OCSP_check_validity(thisupd, nextupd, nsec, maxage)) { 1000 BIO_puts(out, "WARNING: Status times invalid.\n"); 1001 ERR_print_errors(out); 1002 } 1003 BIO_printf(out, "%s\n", OCSP_cert_status_str(status)); 1004 1005 BIO_puts(out, "\tThis Update: "); 1006 ASN1_GENERALIZEDTIME_print(out, thisupd); 1007 BIO_puts(out, "\n"); 1008 1009 if (nextupd) { 1010 BIO_puts(out, "\tNext Update: "); 1011 ASN1_GENERALIZEDTIME_print(out, nextupd); 1012 BIO_puts(out, "\n"); 1013 } 1014 1015 if (status != V_OCSP_CERTSTATUS_REVOKED) 1016 continue; 1017 1018 if (reason != -1) 1019 BIO_printf(out, "\tReason: %s\n", OCSP_crl_reason_str(reason)); 1020 1021 BIO_puts(out, "\tRevocation Time: "); 1022 ASN1_GENERALIZEDTIME_print(out, rev); 1023 BIO_puts(out, "\n"); 1024 } 1025 return ret; 1026} 1027 1028static void make_ocsp_response(BIO *err, OCSP_RESPONSE **resp, OCSP_REQUEST *req, 1029 CA_DB *db, STACK_OF(X509) *ca, X509 *rcert, 1030 EVP_PKEY *rkey, const EVP_MD *rmd, 1031 STACK_OF(OPENSSL_STRING) *sigopts, 1032 STACK_OF(X509) *rother, unsigned long flags, 1033 int nmin, int ndays, int badsig, 1034 const EVP_MD *resp_md) 1035{ 1036 ASN1_TIME *thisupd = NULL, *nextupd = NULL; 1037 OCSP_CERTID *cid; 1038 OCSP_BASICRESP *bs = NULL; 1039 int i, id_count; 1040 EVP_MD_CTX *mctx = NULL; 1041 EVP_PKEY_CTX *pkctx = NULL; 1042 1043 id_count = OCSP_request_onereq_count(req); 1044 1045 if (id_count <= 0) { 1046 *resp = 1047 OCSP_response_create(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, NULL); 1048 goto end; 1049 } 1050 1051 bs = OCSP_BASICRESP_new(); 1052 thisupd = X509_gmtime_adj(NULL, 0); 1053 if (ndays != -1) 1054 nextupd = X509_time_adj_ex(NULL, ndays, nmin * 60, NULL); 1055 1056 /* Examine each certificate id in the request */ 1057 for (i = 0; i < id_count; i++) { 1058 OCSP_ONEREQ *one; 1059 ASN1_INTEGER *serial; 1060 char **inf; 1061 int jj; 1062 int found = 0; 1063 ASN1_OBJECT *cert_id_md_oid; 1064 const EVP_MD *cert_id_md; 1065 OCSP_CERTID *cid_resp_md = NULL; 1066 1067 one = OCSP_request_onereq_get0(req, i); 1068 cid = OCSP_onereq_get0_id(one); 1069 1070 OCSP_id_get0_info(NULL, &cert_id_md_oid, NULL, NULL, cid); 1071 1072 cert_id_md = EVP_get_digestbyobj(cert_id_md_oid); 1073 if (cert_id_md == NULL) { 1074 *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_INTERNALERROR, 1075 NULL); 1076 goto end; 1077 } 1078 for (jj = 0; jj < sk_X509_num(ca) && !found; jj++) { 1079 X509 *ca_cert = sk_X509_value(ca, jj); 1080 OCSP_CERTID *ca_id = OCSP_cert_to_id(cert_id_md, NULL, ca_cert); 1081 1082 if (OCSP_id_issuer_cmp(ca_id, cid) == 0) { 1083 found = 1; 1084 if (resp_md != NULL) 1085 cid_resp_md = OCSP_cert_to_id(resp_md, NULL, ca_cert); 1086 } 1087 OCSP_CERTID_free(ca_id); 1088 } 1089 OCSP_id_get0_info(NULL, NULL, NULL, &serial, cid); 1090 inf = lookup_serial(db, serial); 1091 1092 /* at this point, we can have cid be an alias of cid_resp_md */ 1093 cid = (cid_resp_md != NULL) ? cid_resp_md : cid; 1094 1095 if (!found) { 1096 OCSP_basic_add1_status(bs, cid, 1097 V_OCSP_CERTSTATUS_UNKNOWN, 1098 0, NULL, thisupd, nextupd); 1099 continue; 1100 } 1101 if (inf == NULL) { 1102 OCSP_basic_add1_status(bs, cid, 1103 V_OCSP_CERTSTATUS_UNKNOWN, 1104 0, NULL, thisupd, nextupd); 1105 } else if (inf[DB_type][0] == DB_TYPE_VAL) { 1106 OCSP_basic_add1_status(bs, cid, 1107 V_OCSP_CERTSTATUS_GOOD, 1108 0, NULL, thisupd, nextupd); 1109 } else if (inf[DB_type][0] == DB_TYPE_REV) { 1110 ASN1_OBJECT *inst = NULL; 1111 ASN1_TIME *revtm = NULL; 1112 ASN1_GENERALIZEDTIME *invtm = NULL; 1113 OCSP_SINGLERESP *single; 1114 int reason = -1; 1115 1116 unpack_revinfo(&revtm, &reason, &inst, &invtm, inf[DB_rev_date]); 1117 single = OCSP_basic_add1_status(bs, cid, 1118 V_OCSP_CERTSTATUS_REVOKED, 1119 reason, revtm, thisupd, nextupd); 1120 if (single == NULL) { 1121 *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_INTERNALERROR, 1122 NULL); 1123 goto end; 1124 } 1125 if (invtm != NULL) 1126 OCSP_SINGLERESP_add1_ext_i2d(single, NID_invalidity_date, 1127 invtm, 0, 0); 1128 else if (inst != NULL) 1129 OCSP_SINGLERESP_add1_ext_i2d(single, 1130 NID_hold_instruction_code, inst, 1131 0, 0); 1132 ASN1_OBJECT_free(inst); 1133 ASN1_TIME_free(revtm); 1134 ASN1_GENERALIZEDTIME_free(invtm); 1135 } 1136 OCSP_CERTID_free(cid_resp_md); 1137 } 1138 1139 OCSP_copy_nonce(bs, req); 1140 1141 mctx = EVP_MD_CTX_new(); 1142 if ( mctx == NULL || !EVP_DigestSignInit(mctx, &pkctx, rmd, NULL, rkey)) { 1143 *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_INTERNALERROR, NULL); 1144 goto end; 1145 } 1146 for (i = 0; i < sk_OPENSSL_STRING_num(sigopts); i++) { 1147 char *sigopt = sk_OPENSSL_STRING_value(sigopts, i); 1148 1149 if (pkey_ctrl_string(pkctx, sigopt) <= 0) { 1150 BIO_printf(err, "parameter error \"%s\"\n", sigopt); 1151 ERR_print_errors(bio_err); 1152 *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_INTERNALERROR, 1153 NULL); 1154 goto end; 1155 } 1156 } 1157 if (!OCSP_basic_sign_ctx(bs, rcert, mctx, rother, flags)) { 1158 *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_INTERNALERROR, bs); 1159 goto end; 1160 } 1161 1162 if (badsig) { 1163 const ASN1_OCTET_STRING *sig = OCSP_resp_get0_signature(bs); 1164 corrupt_signature(sig); 1165 } 1166 1167 *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_SUCCESSFUL, bs); 1168 1169 end: 1170 EVP_MD_CTX_free(mctx); 1171 ASN1_TIME_free(thisupd); 1172 ASN1_TIME_free(nextupd); 1173 OCSP_BASICRESP_free(bs); 1174} 1175 1176static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser) 1177{ 1178 int i; 1179 BIGNUM *bn = NULL; 1180 char *itmp, *row[DB_NUMBER], **rrow; 1181 for (i = 0; i < DB_NUMBER; i++) 1182 row[i] = NULL; 1183 bn = ASN1_INTEGER_to_BN(ser, NULL); 1184 OPENSSL_assert(bn); /* FIXME: should report an error at this 1185 * point and abort */ 1186 if (BN_is_zero(bn)) { 1187 itmp = OPENSSL_strdup("00"); 1188 OPENSSL_assert(itmp); 1189 } else { 1190 itmp = BN_bn2hex(bn); 1191 } 1192 row[DB_serial] = itmp; 1193 BN_free(bn); 1194 rrow = TXT_DB_get_by_index(db->db, DB_serial, row); 1195 OPENSSL_free(itmp); 1196 return rrow; 1197} 1198 1199static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, 1200 const char *port, int timeout) 1201{ 1202#ifndef OPENSSL_NO_SOCK 1203 return http_server_get_asn1_req(ASN1_ITEM_rptr(OCSP_REQUEST), 1204 (ASN1_VALUE **)preq, NULL, pcbio, acbio, 1205 NULL /* found_keep_alive */, 1206 prog, port, 1 /* accept_get */, timeout); 1207#else 1208 BIO_printf(bio_err, 1209 "Error getting OCSP request - sockets not supported\n"); 1210 *preq = NULL; 1211 return 0; 1212#endif 1213} 1214 1215static int send_ocsp_response(BIO *cbio, const OCSP_RESPONSE *resp) 1216{ 1217#ifndef OPENSSL_NO_SOCK 1218 return http_server_send_asn1_resp(cbio, 1219 0 /* no keep-alive */, 1220 "application/ocsp-response", 1221 ASN1_ITEM_rptr(OCSP_RESPONSE), 1222 (const ASN1_VALUE *)resp); 1223#else 1224 BIO_printf(bio_err, 1225 "Error sending OCSP response - sockets not supported\n"); 1226 return 0; 1227#endif 1228} 1229 1230#ifndef OPENSSL_NO_SOCK 1231OCSP_RESPONSE *process_responder(OCSP_REQUEST *req, const char *host, 1232 const char *port, const char *path, 1233 const char *proxy, const char *no_proxy, 1234 int use_ssl, STACK_OF(CONF_VALUE) *headers, 1235 int req_timeout) 1236{ 1237 SSL_CTX *ctx = NULL; 1238 OCSP_RESPONSE *resp = NULL; 1239 1240 if (use_ssl == 1) { 1241 ctx = SSL_CTX_new(TLS_client_method()); 1242 if (ctx == NULL) { 1243 BIO_printf(bio_err, "Error creating SSL context.\n"); 1244 goto end; 1245 } 1246 } 1247 1248 resp = (OCSP_RESPONSE *) 1249 app_http_post_asn1(host, port, path, proxy, no_proxy, 1250 ctx, headers, "application/ocsp-request", 1251 (ASN1_VALUE *)req, ASN1_ITEM_rptr(OCSP_REQUEST), 1252 "application/ocsp-response", 1253 req_timeout, ASN1_ITEM_rptr(OCSP_RESPONSE)); 1254 1255 if (resp == NULL) 1256 BIO_printf(bio_err, "Error querying OCSP responder\n"); 1257 1258 end: 1259 SSL_CTX_free(ctx); 1260 return resp; 1261} 1262#endif 1263