3dc36c4bdc4a4ab67b5a6f68f1e780fd487123af
[dragonfly.git] / crypto / openssl-0.9 / apps / ocsp.c
1 /* ocsp.c */
2 /* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
3  * project 2000.
4  */
5 /* ====================================================================
6  * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer. 
14  *
15  * 2. Redistributions in binary form must reproduce the above copyright
16  *    notice, this list of conditions and the following disclaimer in
17  *    the documentation and/or other materials provided with the
18  *    distribution.
19  *
20  * 3. All advertising materials mentioning features or use of this
21  *    software must display the following acknowledgment:
22  *    "This product includes software developed by the OpenSSL Project
23  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24  *
25  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26  *    endorse or promote products derived from this software without
27  *    prior written permission. For written permission, please contact
28  *    licensing@OpenSSL.org.
29  *
30  * 5. Products derived from this software may not be called "OpenSSL"
31  *    nor may "OpenSSL" appear in their names without prior written
32  *    permission of the OpenSSL Project.
33  *
34  * 6. Redistributions of any form whatsoever must retain the following
35  *    acknowledgment:
36  *    "This product includes software developed by the OpenSSL Project
37  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38  *
39  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
43  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50  * OF THE POSSIBILITY OF SUCH DAMAGE.
51  * ====================================================================
52  *
53  * This product includes cryptographic software written by Eric Young
54  * (eay@cryptsoft.com).  This product includes software written by Tim
55  * Hudson (tjh@cryptsoft.com).
56  *
57  */
58 #ifndef OPENSSL_NO_OCSP
59
60 #include <stdio.h>
61 #include <string.h>
62 #include "apps.h"
63 #include <openssl/pem.h>
64 #include <openssl/ocsp.h>
65 #include <openssl/err.h>
66 #include <openssl/ssl.h>
67 #include <openssl/bn.h>
68
69 /* Maximum leeway in validity period: default 5 minutes */
70 #define MAX_VALIDITY_PERIOD     (5 * 60)
71
72 static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, X509 *issuer,
73                                 STACK_OF(OCSP_CERTID) *ids);
74 static int add_ocsp_serial(OCSP_REQUEST **req, char *serial, X509 *issuer,
75                                 STACK_OF(OCSP_CERTID) *ids);
76 static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
77                                 STACK *names, STACK_OF(OCSP_CERTID) *ids,
78                                 long nsec, long maxage);
79
80 static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db,
81                         X509 *ca, X509 *rcert, EVP_PKEY *rkey,
82                         STACK_OF(X509) *rother, unsigned long flags,
83                         int nmin, int ndays);
84
85 static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser);
86 static BIO *init_responder(char *port);
87 static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, char *port);
88 static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp);
89
90 #undef PROG
91 #define PROG ocsp_main
92
93 int MAIN(int, char **);
94
95 int MAIN(int argc, char **argv)
96         {
97         ENGINE *e = NULL;
98         char **args;
99         char *host = NULL, *port = NULL, *path = "/";
100         char *reqin = NULL, *respin = NULL;
101         char *reqout = NULL, *respout = NULL;
102         char *signfile = NULL, *keyfile = NULL;
103         char *rsignfile = NULL, *rkeyfile = NULL;
104         char *outfile = NULL;
105         int add_nonce = 1, noverify = 0, use_ssl = -1;
106         OCSP_REQUEST *req = NULL;
107         OCSP_RESPONSE *resp = NULL;
108         OCSP_BASICRESP *bs = NULL;
109         X509 *issuer = NULL, *cert = NULL;
110         X509 *signer = NULL, *rsigner = NULL;
111         EVP_PKEY *key = NULL, *rkey = NULL;
112         BIO *acbio = NULL, *cbio = NULL;
113         BIO *derbio = NULL;
114         BIO *out = NULL;
115         int req_text = 0, resp_text = 0;
116         long nsec = MAX_VALIDITY_PERIOD, maxage = -1;
117         char *CAfile = NULL, *CApath = NULL;
118         X509_STORE *store = NULL;
119         SSL_CTX *ctx = NULL;
120         STACK_OF(X509) *sign_other = NULL, *verify_other = NULL, *rother = NULL;
121         char *sign_certfile = NULL, *verify_certfile = NULL, *rcertfile = NULL;
122         unsigned long sign_flags = 0, verify_flags = 0, rflags = 0;
123         int ret = 1;
124         int accept_count = -1;
125         int badarg = 0;
126         int i;
127         int ignore_err = 0;
128         STACK *reqnames = NULL;
129         STACK_OF(OCSP_CERTID) *ids = NULL;
130
131         X509 *rca_cert = NULL;
132         char *ridx_filename = NULL;
133         char *rca_filename = NULL;
134         CA_DB *rdb = NULL;
135         int nmin = 0, ndays = -1;
136
137         if (bio_err == NULL) bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
138
139         if (!load_config(bio_err, NULL))
140                 goto end;
141         SSL_load_error_strings();
142         OpenSSL_add_ssl_algorithms();
143         args = argv + 1;
144         reqnames = sk_new_null();
145         ids = sk_OCSP_CERTID_new_null();
146         while (!badarg && *args && *args[0] == '-')
147                 {
148                 if (!strcmp(*args, "-out"))
149                         {
150                         if (args[1])
151                                 {
152                                 args++;
153                                 outfile = *args;
154                                 }
155                         else badarg = 1;
156                         }
157                 else if (!strcmp(*args, "-url"))
158                         {
159                         if (args[1])
160                                 {
161                                 args++;
162                                 if (!OCSP_parse_url(*args, &host, &port, &path, &use_ssl))
163                                         {
164                                         BIO_printf(bio_err, "Error parsing URL\n");
165                                         badarg = 1;
166                                         }
167                                 }
168                         else badarg = 1;
169                         }
170                 else if (!strcmp(*args, "-host"))
171                         {
172                         if (args[1])
173                                 {
174                                 args++;
175                                 host = *args;
176                                 }
177                         else badarg = 1;
178                         }
179                 else if (!strcmp(*args, "-port"))
180                         {
181                         if (args[1])
182                                 {
183                                 args++;
184                                 port = *args;
185                                 }
186                         else badarg = 1;
187                         }
188                 else if (!strcmp(*args, "-ignore_err"))
189                         ignore_err = 1;
190                 else if (!strcmp(*args, "-noverify"))
191                         noverify = 1;
192                 else if (!strcmp(*args, "-nonce"))
193                         add_nonce = 2;
194                 else if (!strcmp(*args, "-no_nonce"))
195                         add_nonce = 0;
196                 else if (!strcmp(*args, "-resp_no_certs"))
197                         rflags |= OCSP_NOCERTS;
198                 else if (!strcmp(*args, "-resp_key_id"))
199                         rflags |= OCSP_RESPID_KEY;
200                 else if (!strcmp(*args, "-no_certs"))
201                         sign_flags |= OCSP_NOCERTS;
202                 else if (!strcmp(*args, "-no_signature_verify"))
203                         verify_flags |= OCSP_NOSIGS;
204                 else if (!strcmp(*args, "-no_cert_verify"))
205                         verify_flags |= OCSP_NOVERIFY;
206                 else if (!strcmp(*args, "-no_chain"))
207                         verify_flags |= OCSP_NOCHAIN;
208                 else if (!strcmp(*args, "-no_cert_checks"))
209                         verify_flags |= OCSP_NOCHECKS;
210                 else if (!strcmp(*args, "-no_explicit"))
211                         verify_flags |= OCSP_NOEXPLICIT;
212                 else if (!strcmp(*args, "-trust_other"))
213                         verify_flags |= OCSP_TRUSTOTHER;
214                 else if (!strcmp(*args, "-no_intern"))
215                         verify_flags |= OCSP_NOINTERN;
216                 else if (!strcmp(*args, "-text"))
217                         {
218                         req_text = 1;
219                         resp_text = 1;
220                         }
221                 else if (!strcmp(*args, "-req_text"))
222                         req_text = 1;
223                 else if (!strcmp(*args, "-resp_text"))
224                         resp_text = 1;
225                 else if (!strcmp(*args, "-reqin"))
226                         {
227                         if (args[1])
228                                 {
229                                 args++;
230                                 reqin = *args;
231                                 }
232                         else badarg = 1;
233                         }
234                 else if (!strcmp(*args, "-respin"))
235                         {
236                         if (args[1])
237                                 {
238                                 args++;
239                                 respin = *args;
240                                 }
241                         else badarg = 1;
242                         }
243                 else if (!strcmp(*args, "-signer"))
244                         {
245                         if (args[1])
246                                 {
247                                 args++;
248                                 signfile = *args;
249                                 }
250                         else badarg = 1;
251                         }
252                 else if (!strcmp (*args, "-VAfile"))
253                         {
254                         if (args[1])
255                                 {
256                                 args++;
257                                 verify_certfile = *args;
258                                 verify_flags |= OCSP_TRUSTOTHER;
259                                 }
260                         else badarg = 1;
261                         }
262                 else if (!strcmp(*args, "-sign_other"))
263                         {
264                         if (args[1])
265                                 {
266                                 args++;
267                                 sign_certfile = *args;
268                                 }
269                         else badarg = 1;
270                         }
271                 else if (!strcmp(*args, "-verify_other"))
272                         {
273                         if (args[1])
274                                 {
275                                 args++;
276                                 verify_certfile = *args;
277                                 }
278                         else badarg = 1;
279                         }
280                 else if (!strcmp (*args, "-CAfile"))
281                         {
282                         if (args[1])
283                                 {
284                                 args++;
285                                 CAfile = *args;
286                                 }
287                         else badarg = 1;
288                         }
289                 else if (!strcmp (*args, "-CApath"))
290                         {
291                         if (args[1])
292                                 {
293                                 args++;
294                                 CApath = *args;
295                                 }
296                         else badarg = 1;
297                         }
298                 else if (!strcmp (*args, "-validity_period"))
299                         {
300                         if (args[1])
301                                 {
302                                 args++;
303                                 nsec = atol(*args);
304                                 if (nsec < 0)
305                                         {
306                                         BIO_printf(bio_err,
307                                                 "Illegal validity period %s\n",
308                                                 *args);
309                                         badarg = 1;
310                                         }
311                                 }
312                         else badarg = 1;
313                         }
314                 else if (!strcmp (*args, "-status_age"))
315                         {
316                         if (args[1])
317                                 {
318                                 args++;
319                                 maxage = atol(*args);
320                                 if (maxage < 0)
321                                         {
322                                         BIO_printf(bio_err,
323                                                 "Illegal validity age %s\n",
324                                                 *args);
325                                         badarg = 1;
326                                         }
327                                 }
328                         else badarg = 1;
329                         }
330                  else if (!strcmp(*args, "-signkey"))
331                         {
332                         if (args[1])
333                                 {
334                                 args++;
335                                 keyfile = *args;
336                                 }
337                         else badarg = 1;
338                         }
339                 else if (!strcmp(*args, "-reqout"))
340                         {
341                         if (args[1])
342                                 {
343                                 args++;
344                                 reqout = *args;
345                                 }
346                         else badarg = 1;
347                         }
348                 else if (!strcmp(*args, "-respout"))
349                         {
350                         if (args[1])
351                                 {
352                                 args++;
353                                 respout = *args;
354                                 }
355                         else badarg = 1;
356                         }
357                  else if (!strcmp(*args, "-path"))
358                         {
359                         if (args[1])
360                                 {
361                                 args++;
362                                 path = *args;
363                                 }
364                         else badarg = 1;
365                         }
366                 else if (!strcmp(*args, "-issuer"))
367                         {
368                         if (args[1])
369                                 {
370                                 args++;
371                                 X509_free(issuer);
372                                 issuer = load_cert(bio_err, *args, FORMAT_PEM,
373                                         NULL, e, "issuer certificate");
374                                 if(!issuer) goto end;
375                                 }
376                         else badarg = 1;
377                         }
378                 else if (!strcmp (*args, "-cert"))
379                         {
380                         if (args[1])
381                                 {
382                                 args++;
383                                 X509_free(cert);
384                                 cert = load_cert(bio_err, *args, FORMAT_PEM,
385                                         NULL, e, "certificate");
386                                 if(!cert) goto end;
387                                 if(!add_ocsp_cert(&req, cert, issuer, ids))
388                                         goto end;
389                                 if(!sk_push(reqnames, *args))
390                                         goto end;
391                                 }
392                         else badarg = 1;
393                         }
394                 else if (!strcmp(*args, "-serial"))
395                         {
396                         if (args[1])
397                                 {
398                                 args++;
399                                 if(!add_ocsp_serial(&req, *args, issuer, ids))
400                                         goto end;
401                                 if(!sk_push(reqnames, *args))
402                                         goto end;
403                                 }
404                         else badarg = 1;
405                         }
406                 else if (!strcmp(*args, "-index"))
407                         {
408                         if (args[1])
409                                 {
410                                 args++;
411                                 ridx_filename = *args;
412                                 }
413                         else badarg = 1;
414                         }
415                 else if (!strcmp(*args, "-CA"))
416                         {
417                         if (args[1])
418                                 {
419                                 args++;
420                                 rca_filename = *args;
421                                 }
422                         else badarg = 1;
423                         }
424                 else if (!strcmp (*args, "-nmin"))
425                         {
426                         if (args[1])
427                                 {
428                                 args++;
429                                 nmin = atol(*args);
430                                 if (nmin < 0)
431                                         {
432                                         BIO_printf(bio_err,
433                                                 "Illegal update period %s\n",
434                                                 *args);
435                                         badarg = 1;
436                                         }
437                                 }
438                                 if (ndays == -1)
439                                         ndays = 0;
440                         else badarg = 1;
441                         }
442                 else if (!strcmp (*args, "-nrequest"))
443                         {
444                         if (args[1])
445                                 {
446                                 args++;
447                                 accept_count = atol(*args);
448                                 if (accept_count < 0)
449                                         {
450                                         BIO_printf(bio_err,
451                                                 "Illegal accept count %s\n",
452                                                 *args);
453                                         badarg = 1;
454                                         }
455                                 }
456                         else badarg = 1;
457                         }
458                 else if (!strcmp (*args, "-ndays"))
459                         {
460                         if (args[1])
461                                 {
462                                 args++;
463                                 ndays = atol(*args);
464                                 if (ndays < 0)
465                                         {
466                                         BIO_printf(bio_err,
467                                                 "Illegal update period %s\n",
468                                                 *args);
469                                         badarg = 1;
470                                         }
471                                 }
472                         else badarg = 1;
473                         }
474                 else if (!strcmp(*args, "-rsigner"))
475                         {
476                         if (args[1])
477                                 {
478                                 args++;
479                                 rsignfile = *args;
480                                 }
481                         else badarg = 1;
482                         }
483                 else if (!strcmp(*args, "-rkey"))
484                         {
485                         if (args[1])
486                                 {
487                                 args++;
488                                 rkeyfile = *args;
489                                 }
490                         else badarg = 1;
491                         }
492                 else if (!strcmp(*args, "-rother"))
493                         {
494                         if (args[1])
495                                 {
496                                 args++;
497                                 rcertfile = *args;
498                                 }
499                         else badarg = 1;
500                         }
501                 else badarg = 1;
502                 args++;
503                 }
504
505         /* Have we anything to do? */
506         if (!req && !reqin && !respin && !(port && ridx_filename)) badarg = 1;
507
508         if (badarg)
509                 {
510                 BIO_printf (bio_err, "OCSP utility\n");
511                 BIO_printf (bio_err, "Usage ocsp [options]\n");
512                 BIO_printf (bio_err, "where options are\n");
513                 BIO_printf (bio_err, "-out file          output filename\n");
514                 BIO_printf (bio_err, "-issuer file       issuer certificate\n");
515                 BIO_printf (bio_err, "-cert file         certificate to check\n");
516                 BIO_printf (bio_err, "-serial n          serial number to check\n");
517                 BIO_printf (bio_err, "-signer file       certificate to sign OCSP request with\n");
518                 BIO_printf (bio_err, "-signkey file      private key to sign OCSP request with\n");
519                 BIO_printf (bio_err, "-sign_other file   additional certificates to include in signed request\n");
520                 BIO_printf (bio_err, "-no_certs          don't include any certificates in signed request\n");
521                 BIO_printf (bio_err, "-req_text          print text form of request\n");
522                 BIO_printf (bio_err, "-resp_text         print text form of response\n");
523                 BIO_printf (bio_err, "-text              print text form of request and response\n");
524                 BIO_printf (bio_err, "-reqout file       write DER encoded OCSP request to \"file\"\n");
525                 BIO_printf (bio_err, "-respout file      write DER encoded OCSP reponse to \"file\"\n");
526                 BIO_printf (bio_err, "-reqin file        read DER encoded OCSP request from \"file\"\n");
527                 BIO_printf (bio_err, "-respin file       read DER encoded OCSP reponse from \"file\"\n");
528                 BIO_printf (bio_err, "-nonce             add OCSP nonce to request\n");
529                 BIO_printf (bio_err, "-no_nonce          don't add OCSP nonce to request\n");
530                 BIO_printf (bio_err, "-url URL           OCSP responder URL\n");
531                 BIO_printf (bio_err, "-host host:n       send OCSP request to host on port n\n");
532                 BIO_printf (bio_err, "-path              path to use in OCSP request\n");
533                 BIO_printf (bio_err, "-CApath dir        trusted certificates directory\n");
534                 BIO_printf (bio_err, "-CAfile file       trusted certificates file\n");
535                 BIO_printf (bio_err, "-VAfile file       validator certificates file\n");
536                 BIO_printf (bio_err, "-validity_period n maximum validity discrepancy in seconds\n");
537                 BIO_printf (bio_err, "-status_age n      maximum status age in seconds\n");
538                 BIO_printf (bio_err, "-noverify          don't verify response at all\n");
539                 BIO_printf (bio_err, "-verify_other file additional certificates to search for signer\n");
540                 BIO_printf (bio_err, "-trust_other       don't verify additional certificates\n");
541                 BIO_printf (bio_err, "-no_intern         don't search certificates contained in response for signer\n");
542                 BIO_printf (bio_err, "-no_signature_verify don't check signature on response\n");
543                 BIO_printf (bio_err, "-no_cert_verify    don't check signing certificate\n");
544                 BIO_printf (bio_err, "-no_chain          don't chain verify response\n");
545                 BIO_printf (bio_err, "-no_cert_checks    don't do additional checks on signing certificate\n");
546                 BIO_printf (bio_err, "-port num          port to run responder on\n");
547                 BIO_printf (bio_err, "-index file        certificate status index file\n");
548                 BIO_printf (bio_err, "-CA file           CA certificate\n");
549                 BIO_printf (bio_err, "-rsigner file      responder certificate to sign responses with\n");
550                 BIO_printf (bio_err, "-rkey file         responder key to sign responses with\n");
551                 BIO_printf (bio_err, "-rother file       other certificates to include in response\n");
552                 BIO_printf (bio_err, "-resp_no_certs     don't include any certificates in response\n");
553                 BIO_printf (bio_err, "-nmin n            number of minutes before next update\n");
554                 BIO_printf (bio_err, "-ndays n           number of days before next update\n");
555                 BIO_printf (bio_err, "-resp_key_id       identify reponse by signing certificate key ID\n");
556                 BIO_printf (bio_err, "-nrequest n        number of requests to accept (default unlimited)\n");
557                 goto end;
558                 }
559
560         if(outfile) out = BIO_new_file(outfile, "w");
561         else out = BIO_new_fp(stdout, BIO_NOCLOSE);
562
563         if(!out)
564                 {
565                 BIO_printf(bio_err, "Error opening output file\n");
566                 goto end;
567                 }
568
569         if (!req && (add_nonce != 2)) add_nonce = 0;
570
571         if (!req && reqin)
572                 {
573                 derbio = BIO_new_file(reqin, "rb");
574                 if (!derbio)
575                         {
576                         BIO_printf(bio_err, "Error Opening OCSP request file\n");
577                         goto end;
578                         }
579                 req = d2i_OCSP_REQUEST_bio(derbio, NULL);
580                 BIO_free(derbio);
581                 if(!req)
582                         {
583                         BIO_printf(bio_err, "Error reading OCSP request\n");
584                         goto end;
585                         }
586                 }
587
588         if (!req && port)
589                 {
590                 acbio = init_responder(port);
591                 if (!acbio)
592                         goto end;
593                 }
594
595         if (rsignfile && !rdb)
596                 {
597                 if (!rkeyfile) rkeyfile = rsignfile;
598                 rsigner = load_cert(bio_err, rsignfile, FORMAT_PEM,
599                         NULL, e, "responder certificate");
600                 if (!rsigner)
601                         {
602                         BIO_printf(bio_err, "Error loading responder certificate\n");
603                         goto end;
604                         }
605                 rca_cert = load_cert(bio_err, rca_filename, FORMAT_PEM,
606                         NULL, e, "CA certificate");
607                 if (rcertfile)
608                         {
609                         rother = load_certs(bio_err, rcertfile, FORMAT_PEM,
610                                 NULL, e, "responder other certificates");
611                         if (!rother) goto end;
612                         }
613                 rkey = load_key(bio_err, rkeyfile, FORMAT_PEM, 0, NULL, NULL,
614                         "responder private key");
615                 if (!rkey)
616                         goto end;
617                 }
618         if(acbio)
619                 BIO_printf(bio_err, "Waiting for OCSP client connections...\n");
620
621         redo_accept:
622
623         if (acbio)
624                 {
625                 if (!do_responder(&req, &cbio, acbio, port))
626                         goto end;
627                 if (!req)
628                         {
629                         resp = OCSP_response_create(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, NULL);
630                         send_ocsp_response(cbio, resp);
631                         goto done_resp;
632                         }
633                 }
634
635         if (!req && (signfile || reqout || host || add_nonce || ridx_filename))
636                 {
637                 BIO_printf(bio_err, "Need an OCSP request for this operation!\n");
638                 goto end;
639                 }
640
641         if (req && add_nonce) OCSP_request_add1_nonce(req, NULL, -1);
642
643         if (signfile)
644                 {
645                 if (!keyfile) keyfile = signfile;
646                 signer = load_cert(bio_err, signfile, FORMAT_PEM,
647                         NULL, e, "signer certificate");
648                 if (!signer)
649                         {
650                         BIO_printf(bio_err, "Error loading signer certificate\n");
651                         goto end;
652                         }
653                 if (sign_certfile)
654                         {
655                         sign_other = load_certs(bio_err, sign_certfile, FORMAT_PEM,
656                                 NULL, e, "signer certificates");
657                         if (!sign_other) goto end;
658                         }
659                 key = load_key(bio_err, keyfile, FORMAT_PEM, 0, NULL, NULL,
660                         "signer private key");
661                 if (!key)
662                         goto end;
663                 if (!OCSP_request_sign(req, signer, key, EVP_sha1(), sign_other, sign_flags))
664                         {
665                         BIO_printf(bio_err, "Error signing OCSP request\n");
666                         goto end;
667                         }
668                 }
669
670         if (req_text && req) OCSP_REQUEST_print(out, req, 0);
671
672         if (reqout)
673                 {
674                 derbio = BIO_new_file(reqout, "wb");
675                 if(!derbio)
676                         {
677                         BIO_printf(bio_err, "Error opening file %s\n", reqout);
678                         goto end;
679                         }
680                 i2d_OCSP_REQUEST_bio(derbio, req);
681                 BIO_free(derbio);
682                 }
683
684         if (ridx_filename && (!rkey || !rsigner || !rca_cert))
685                 {
686                 BIO_printf(bio_err, "Need a responder certificate, key and CA for this operation!\n");
687                 goto end;
688                 }
689
690         if (ridx_filename && !rdb)
691                 {
692                 rdb = load_index(ridx_filename, NULL);
693                 if (!rdb) goto end;
694                 if (!index_index(rdb)) goto end;
695                 }
696
697         if (rdb)
698                 {
699                 i = make_ocsp_response(&resp, req, rdb, rca_cert, rsigner, rkey, rother, rflags, nmin, ndays);
700                 if (cbio)
701                         send_ocsp_response(cbio, resp);
702                 }
703         else if (host)
704                 {
705 #ifndef OPENSSL_NO_SOCK
706                 cbio = BIO_new_connect(host);
707 #else
708                 BIO_printf(bio_err, "Error creating connect BIO - sockets not supported.\n");
709                 goto end;
710 #endif
711                 if (!cbio)
712                         {
713                         BIO_printf(bio_err, "Error creating connect BIO\n");
714                         goto end;
715                         }
716                 if (port) BIO_set_conn_port(cbio, port);
717                 if (use_ssl == 1)
718                         {
719                         BIO *sbio;
720 #if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
721                         ctx = SSL_CTX_new(SSLv23_client_method());
722 #elif !defined(OPENSSL_NO_SSL3)
723                         ctx = SSL_CTX_new(SSLv3_client_method());
724 #elif !defined(OPENSSL_NO_SSL2)
725                         ctx = SSL_CTX_new(SSLv2_client_method());
726 #else
727                         BIO_printf(bio_err, "SSL is disabled\n");
728                         goto end;
729 #endif
730                         if (ctx == NULL)
731                                 {
732                                 BIO_printf(bio_err, "Error creating SSL context.\n");
733                                 goto end;
734                                 }
735                         SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
736                         sbio = BIO_new_ssl(ctx, 1);
737                         cbio = BIO_push(sbio, cbio);
738                         }
739                 if (BIO_do_connect(cbio) <= 0)
740                         {
741                         BIO_printf(bio_err, "Error connecting BIO\n");
742                         goto end;
743                         }
744                 resp = OCSP_sendreq_bio(cbio, path, req);
745                 BIO_free_all(cbio);
746                 cbio = NULL;
747                 if (!resp)
748                         {
749                         BIO_printf(bio_err, "Error querying OCSP responsder\n");
750                         goto end;
751                         }
752                 }
753         else if (respin)
754                 {
755                 derbio = BIO_new_file(respin, "rb");
756                 if (!derbio)
757                         {
758                         BIO_printf(bio_err, "Error Opening OCSP response file\n");
759                         goto end;
760                         }
761                 resp = d2i_OCSP_RESPONSE_bio(derbio, NULL);
762                 BIO_free(derbio);
763                 if(!resp)
764                         {
765                         BIO_printf(bio_err, "Error reading OCSP response\n");
766                         goto end;
767                         }
768         
769                 }
770         else
771                 {
772                 ret = 0;
773                 goto end;
774                 }
775
776         done_resp:
777
778         if (respout)
779                 {
780                 derbio = BIO_new_file(respout, "wb");
781                 if(!derbio)
782                         {
783                         BIO_printf(bio_err, "Error opening file %s\n", respout);
784                         goto end;
785                         }
786                 i2d_OCSP_RESPONSE_bio(derbio, resp);
787                 BIO_free(derbio);
788                 }
789
790         i = OCSP_response_status(resp);
791
792         if (i != OCSP_RESPONSE_STATUS_SUCCESSFUL)
793                 {
794                 BIO_printf(out, "Responder Error: %s (%d)\n",
795                                 OCSP_response_status_str(i), i);
796                 if (ignore_err)
797                         goto redo_accept;
798                 ret = 0;
799                 goto end;
800                 }
801
802         if (resp_text) OCSP_RESPONSE_print(out, resp, 0);
803
804         /* If running as responder don't verify our own response */
805         if (cbio)
806                 {
807                 if (accept_count > 0)
808                         accept_count--;
809                 /* Redo if more connections needed */
810                 if (accept_count)
811                         {
812                         BIO_free_all(cbio);
813                         cbio = NULL;
814                         OCSP_REQUEST_free(req);
815                         req = NULL;
816                         OCSP_RESPONSE_free(resp);
817                         resp = NULL;
818                         goto redo_accept;
819                         }
820                 goto end;
821                 }
822
823         if (!store)
824                 store = setup_verify(bio_err, CAfile, CApath);
825         if (!store)
826                 goto end;
827         if (verify_certfile)
828                 {
829                 verify_other = load_certs(bio_err, verify_certfile, FORMAT_PEM,
830                         NULL, e, "validator certificate");
831                 if (!verify_other) goto end;
832                 }
833
834         bs = OCSP_response_get1_basic(resp);
835
836         if (!bs)
837                 {
838                 BIO_printf(bio_err, "Error parsing response\n");
839                 goto end;
840                 }
841
842         if (!noverify)
843                 {
844                 if (req && ((i = OCSP_check_nonce(req, bs)) <= 0))
845                         {
846                         if (i == -1)
847                                 BIO_printf(bio_err, "WARNING: no nonce in response\n");
848                         else
849                                 {
850                                 BIO_printf(bio_err, "Nonce Verify error\n");
851                                 goto end;
852                                 }
853                         }
854
855                 i = OCSP_basic_verify(bs, verify_other, store, verify_flags);
856                 if (i < 0) i = OCSP_basic_verify(bs, NULL, store, 0);
857
858                 if(i <= 0)
859                         {
860                         BIO_printf(bio_err, "Response Verify Failure\n");
861                         ERR_print_errors(bio_err);
862                         }
863                 else
864                         BIO_printf(bio_err, "Response verify OK\n");
865
866                 }
867
868         if (!print_ocsp_summary(out, bs, req, reqnames, ids, nsec, maxage))
869                 goto end;
870
871         ret = 0;
872
873 end:
874         ERR_print_errors(bio_err);
875         X509_free(signer);
876         X509_STORE_free(store);
877         EVP_PKEY_free(key);
878         EVP_PKEY_free(rkey);
879         X509_free(issuer);
880         X509_free(cert);
881         X509_free(rsigner);
882         X509_free(rca_cert);
883         free_index(rdb);
884         BIO_free_all(cbio);
885         BIO_free_all(acbio);
886         BIO_free(out);
887         OCSP_REQUEST_free(req);
888         OCSP_RESPONSE_free(resp);
889         OCSP_BASICRESP_free(bs);
890         sk_free(reqnames);
891         sk_OCSP_CERTID_free(ids);
892         sk_X509_pop_free(sign_other, X509_free);
893         sk_X509_pop_free(verify_other, X509_free);
894
895         if (use_ssl != -1)
896                 {
897                 OPENSSL_free(host);
898                 OPENSSL_free(port);
899                 OPENSSL_free(path);
900                 SSL_CTX_free(ctx);
901                 }
902
903         OPENSSL_EXIT(ret);
904 }
905
906 static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, X509 *issuer,
907                                 STACK_OF(OCSP_CERTID) *ids)
908         {
909         OCSP_CERTID *id;
910         if(!issuer)
911                 {
912                 BIO_printf(bio_err, "No issuer certificate specified\n");
913                 return 0;
914                 }
915         if(!*req) *req = OCSP_REQUEST_new();
916         if(!*req) goto err;
917         id = OCSP_cert_to_id(NULL, cert, issuer);
918         if(!id || !sk_OCSP_CERTID_push(ids, id)) goto err;
919         if(!OCSP_request_add0_id(*req, id)) goto err;
920         return 1;
921
922         err:
923         BIO_printf(bio_err, "Error Creating OCSP request\n");
924         return 0;
925         }
926
927 static int add_ocsp_serial(OCSP_REQUEST **req, char *serial, X509 *issuer,
928                                 STACK_OF(OCSP_CERTID) *ids)
929         {
930         OCSP_CERTID *id;
931         X509_NAME *iname;
932         ASN1_BIT_STRING *ikey;
933         ASN1_INTEGER *sno;
934         if(!issuer)
935                 {
936                 BIO_printf(bio_err, "No issuer certificate specified\n");
937                 return 0;
938                 }
939         if(!*req) *req = OCSP_REQUEST_new();
940         if(!*req) goto err;
941         iname = X509_get_subject_name(issuer);
942         ikey = X509_get0_pubkey_bitstr(issuer);
943         sno = s2i_ASN1_INTEGER(NULL, serial);
944         if(!sno)
945                 {
946                 BIO_printf(bio_err, "Error converting serial number %s\n", serial);
947                 return 0;
948                 }
949         id = OCSP_cert_id_new(EVP_sha1(), iname, ikey, sno);
950         ASN1_INTEGER_free(sno);
951         if(!id || !sk_OCSP_CERTID_push(ids, id)) goto err;
952         if(!OCSP_request_add0_id(*req, id)) goto err;
953         return 1;
954
955         err:
956         BIO_printf(bio_err, "Error Creating OCSP request\n");
957         return 0;
958         }
959
960 static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
961                                         STACK *names, STACK_OF(OCSP_CERTID) *ids,
962                                         long nsec, long maxage)
963         {
964         OCSP_CERTID *id;
965         char *name;
966         int i;
967
968         int status, reason;
969
970         ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
971
972         if (!bs || !req || !sk_num(names) || !sk_OCSP_CERTID_num(ids))
973                 return 1;
974
975         for (i = 0; i < sk_OCSP_CERTID_num(ids); i++)
976                 {
977                 id = sk_OCSP_CERTID_value(ids, i);
978                 name = sk_value(names, i);
979                 BIO_printf(out, "%s: ", name);
980
981                 if(!OCSP_resp_find_status(bs, id, &status, &reason,
982                                         &rev, &thisupd, &nextupd))
983                         {
984                         BIO_puts(out, "ERROR: No Status found.\n");
985                         continue;
986                         }
987
988                 /* Check validity: if invalid write to output BIO so we
989                  * know which response this refers to.
990                  */
991                 if (!OCSP_check_validity(thisupd, nextupd, nsec, maxage))
992                         {
993                         BIO_puts(out, "WARNING: Status times invalid.\n");
994                         ERR_print_errors(out);
995                         }
996                 BIO_printf(out, "%s\n", OCSP_cert_status_str(status));
997
998                 BIO_puts(out, "\tThis Update: ");
999                 ASN1_GENERALIZEDTIME_print(out, thisupd);
1000                 BIO_puts(out, "\n");
1001
1002                 if(nextupd)
1003                         {
1004                         BIO_puts(out, "\tNext Update: ");
1005                         ASN1_GENERALIZEDTIME_print(out, nextupd);
1006                         BIO_puts(out, "\n");
1007                         }
1008
1009                 if (status != V_OCSP_CERTSTATUS_REVOKED)
1010                         continue;
1011
1012                 if (reason != -1)
1013                         BIO_printf(out, "\tReason: %s\n",
1014                                 OCSP_crl_reason_str(reason));
1015
1016                 BIO_puts(out, "\tRevocation Time: ");
1017                 ASN1_GENERALIZEDTIME_print(out, rev);
1018                 BIO_puts(out, "\n");
1019                 }
1020
1021         return 1;
1022         }
1023
1024
1025 static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db,
1026                         X509 *ca, X509 *rcert, EVP_PKEY *rkey,
1027                         STACK_OF(X509) *rother, unsigned long flags,
1028                         int nmin, int ndays)
1029         {
1030         ASN1_TIME *thisupd = NULL, *nextupd = NULL;
1031         OCSP_CERTID *cid, *ca_id = NULL;
1032         OCSP_BASICRESP *bs = NULL;
1033         int i, id_count, ret = 1;
1034
1035
1036         id_count = OCSP_request_onereq_count(req);
1037
1038         if (id_count <= 0)
1039                 {
1040                 *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, NULL);
1041                 goto end;
1042                 }
1043
1044         ca_id = OCSP_cert_to_id(EVP_sha1(), NULL, ca);
1045
1046         bs = OCSP_BASICRESP_new();
1047         thisupd = X509_gmtime_adj(NULL, 0);
1048         if (ndays != -1)
1049                 nextupd = X509_gmtime_adj(NULL, nmin * 60 + ndays * 3600 * 24 );
1050
1051         /* Examine each certificate id in the request */
1052         for (i = 0; i < id_count; i++)
1053                 {
1054                 OCSP_ONEREQ *one;
1055                 ASN1_INTEGER *serial;
1056                 char **inf;
1057                 one = OCSP_request_onereq_get0(req, i);
1058                 cid = OCSP_onereq_get0_id(one);
1059                 /* Is this request about our CA? */
1060                 if (OCSP_id_issuer_cmp(ca_id, cid))
1061                         {
1062                         OCSP_basic_add1_status(bs, cid,
1063                                                 V_OCSP_CERTSTATUS_UNKNOWN,
1064                                                 0, NULL,
1065                                                 thisupd, nextupd);
1066                         continue;
1067                         }
1068                 OCSP_id_get0_info(NULL, NULL, NULL, &serial, cid);
1069                 inf = lookup_serial(db, serial);
1070                 if (!inf)
1071                         OCSP_basic_add1_status(bs, cid,
1072                                                 V_OCSP_CERTSTATUS_UNKNOWN,
1073                                                 0, NULL,
1074                                                 thisupd, nextupd);
1075                 else if (inf[DB_type][0] == DB_TYPE_VAL)
1076                         OCSP_basic_add1_status(bs, cid,
1077                                                 V_OCSP_CERTSTATUS_GOOD,
1078                                                 0, NULL,
1079                                                 thisupd, nextupd);
1080                 else if (inf[DB_type][0] == DB_TYPE_REV)
1081                         {
1082                         ASN1_OBJECT *inst = NULL;
1083                         ASN1_TIME *revtm = NULL;
1084                         ASN1_GENERALIZEDTIME *invtm = NULL;
1085                         OCSP_SINGLERESP *single;
1086                         int reason = -1;
1087                         unpack_revinfo(&revtm, &reason, &inst, &invtm, inf[DB_rev_date]);
1088                         single = OCSP_basic_add1_status(bs, cid,
1089                                                 V_OCSP_CERTSTATUS_REVOKED,
1090                                                 reason, revtm,
1091                                                 thisupd, nextupd);
1092                         if (invtm)
1093                                 OCSP_SINGLERESP_add1_ext_i2d(single, NID_invalidity_date, invtm, 0, 0);
1094                         else if (inst)
1095                                 OCSP_SINGLERESP_add1_ext_i2d(single, NID_hold_instruction_code, inst, 0, 0);
1096                         ASN1_OBJECT_free(inst);
1097                         ASN1_TIME_free(revtm);
1098                         ASN1_GENERALIZEDTIME_free(invtm);
1099                         }
1100                 }
1101
1102         OCSP_copy_nonce(bs, req);
1103                 
1104         OCSP_basic_sign(bs, rcert, rkey, EVP_sha1(), rother, flags);
1105
1106         *resp = OCSP_response_create(OCSP_RESPONSE_STATUS_SUCCESSFUL, bs);
1107
1108         end:
1109         ASN1_TIME_free(thisupd);
1110         ASN1_TIME_free(nextupd);
1111         OCSP_CERTID_free(ca_id);
1112         OCSP_BASICRESP_free(bs);
1113         return ret;
1114
1115         }
1116
1117 static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser)
1118         {
1119         int i;
1120         BIGNUM *bn = NULL;
1121         char *itmp, *row[DB_NUMBER],**rrow;
1122         for (i = 0; i < DB_NUMBER; i++) row[i] = NULL;
1123         bn = ASN1_INTEGER_to_BN(ser,NULL);
1124         if (BN_is_zero(bn))
1125                 itmp = BUF_strdup("00");
1126         else
1127                 itmp = BN_bn2hex(bn);
1128         row[DB_serial] = itmp;
1129         BN_free(bn);
1130         rrow=TXT_DB_get_by_index(db->db,DB_serial,row);
1131         OPENSSL_free(itmp);
1132         return rrow;
1133         }
1134
1135 /* Quick and dirty OCSP server: read in and parse input request */
1136
1137 static BIO *init_responder(char *port)
1138         {
1139         BIO *acbio = NULL, *bufbio = NULL;
1140         bufbio = BIO_new(BIO_f_buffer());
1141         if (!bufbio) 
1142                 goto err;
1143 #ifndef OPENSSL_NO_SOCK
1144         acbio = BIO_new_accept(port);
1145 #else
1146         BIO_printf(bio_err, "Error setting up accept BIO - sockets not supported.\n");
1147 #endif
1148         if (!acbio)
1149                 goto err;
1150         BIO_set_accept_bios(acbio, bufbio);
1151         bufbio = NULL;
1152
1153         if (BIO_do_accept(acbio) <= 0)
1154                 {
1155                         BIO_printf(bio_err, "Error setting up accept BIO\n");
1156                         ERR_print_errors(bio_err);
1157                         goto err;
1158                 }
1159
1160         return acbio;
1161
1162         err:
1163         BIO_free_all(acbio);
1164         BIO_free(bufbio);
1165         return NULL;
1166         }
1167
1168 static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, char *port)
1169         {
1170         int have_post = 0, len;
1171         OCSP_REQUEST *req = NULL;
1172         char inbuf[1024];
1173         BIO *cbio = NULL;
1174
1175         if (BIO_do_accept(acbio) <= 0)
1176                 {
1177                         BIO_printf(bio_err, "Error accepting connection\n");
1178                         ERR_print_errors(bio_err);
1179                         return 0;
1180                 }
1181
1182         cbio = BIO_pop(acbio);
1183         *pcbio = cbio;
1184
1185         for(;;)
1186                 {
1187                 len = BIO_gets(cbio, inbuf, sizeof inbuf);
1188                 if (len <= 0)
1189                         return 1;
1190                 /* Look for "POST" signalling start of query */
1191                 if (!have_post)
1192                         {
1193                         if(strncmp(inbuf, "POST", 4))
1194                                 {
1195                                 BIO_printf(bio_err, "Invalid request\n");
1196                                 return 1;
1197                                 }
1198                         have_post = 1;
1199                         }
1200                 /* Look for end of headers */
1201                 if ((inbuf[0] == '\r') || (inbuf[0] == '\n'))
1202                         break;
1203                 }
1204
1205         /* Try to read OCSP request */
1206
1207         req = d2i_OCSP_REQUEST_bio(cbio, NULL);
1208
1209         if (!req)
1210                 {
1211                 BIO_printf(bio_err, "Error parsing OCSP request\n");
1212                 ERR_print_errors(bio_err);
1213                 }
1214
1215         *preq = req;
1216
1217         return 1;
1218
1219         }
1220
1221 static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp)
1222         {
1223         char http_resp[] = 
1224                 "HTTP/1.0 200 OK\r\nContent-type: application/ocsp-response\r\n"
1225                 "Content-Length: %d\r\n\r\n";
1226         if (!cbio)
1227                 return 0;
1228         BIO_printf(cbio, http_resp, i2d_OCSP_RESPONSE(resp, NULL));
1229         i2d_OCSP_RESPONSE_bio(cbio, resp);
1230         (void)BIO_flush(cbio);
1231         return 1;
1232         }
1233
1234 #endif