The certificate passed to the ocsp app contains the OCSP URI, so we can use that if none
is specified on the command line.

We can also use the CApath to look up an issuer certificate if none is specified.

Hence a simple command line works:
$ openssl ocsp -no_cert_verify -nonce   -CApath /etc/ssl/certs/ -cert cert.pem
Response verify OK
cert.pem: good
        This Update: May 11 22:14:15 2009 GMT
        Next Update: May 12 08:56:26 2009 GMT

Known bug: issuer cert detection uses non-portable path concatenation.



Index: apps/ocsp.c
===================================================================
RCS file: /v/openssl/cvs/openssl/apps/ocsp.c,v
retrieving revision 1.55
diff -u -b -B -r1.55 ocsp.c
--- apps/ocsp.c	3 Apr 2009 11:45:15 -0000	1.55
+++ apps/ocsp.c	12 May 2009 07:52:07 -0000
@@ -129,7 +129,8 @@
 	char *reqout = NULL, *respout = NULL;
 	char *signfile = NULL, *keyfile = NULL;
 	char *rsignfile = NULL, *rkeyfile = NULL;
-	char *outfile = NULL;
+	char *outfile = NULL, *ocspurl = NULL;
+	char certpath[PATH_MAX];
 	int add_nonce = 1, noverify = 0, use_ssl = -1;
 	OCSP_REQUEST *req = NULL;
 	OCSP_RESPONSE *resp = NULL;
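Review bot: `char certpath[PATH_MAX];` on the new line ties this function to a macro that comes from `<limits.h>` and is not defined on every platform OpenSSL builds for (and can be very large on some), so this is likely to be the first compile failure on non-POSIX targets. Since the buffer is only ever filled through a bounded `BIO_snprintf`, a fixed project-style size such as `char certpath[1024];` with the snprintf return value checked for truncation would remove the dependency. The enclosing function (`MAIN`) starts before this hunk, so whether `<limits.h>` is already included cannot be seen here.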
@@ -146,6 +147,8 @@
 	char *CAfile = NULL, *CApath = NULL;
 	X509_STORE *store = NULL;
 	STACK_OF(X509) *sign_other = NULL, *verify_other = NULL, *rother = NULL;
+	STACK_OF(STRING) *ocsplist = NULL;
+	unsigned long int issuer_hash = 0;
 	char *sign_certfile = NULL, *verify_certfile = NULL, *rcertfile = NULL;
 	unsigned long sign_flags = 0, verify_flags = 0, rflags = 0;
 	int ret = 1;
@@ -430,6 +433,24 @@
 					NULL, e, "certificate");
 				if(!cert) goto end;
 				if (!cert_id_md) cert_id_md = EVP_sha1();
+				if (host==NULL && (path==NULL || ((*path=='/' && *(path+1)=='\0'))))
+					{
+					ocsplist = X509_get1_ocsp(cert);
+					if (sk_STRING_num(ocsplist) >0)
+						/* TODO: - iterate until valid */
+						if (!OCSP_parse_url(ocspurl=sk_STRING_value(ocsplist,0), &host, &port, &path, &use_ssl))
+							BIO_printf(bio_err, "Error parsing URL %s in certificate\n",ocspurl);
+					X509_email_free(ocsplist);
+					}
+				if (issuer==NULL && CApath!=NULL)
+					{
+					if ((issuer_hash=X509_issuer_name_hash(cert))!=0L)
+						{
+						/* TODO: - portable path separator */
+						BIO_snprintf(certpath, sizeof certpath,"%s/%08lx.0",CApath,issuer_hash);
+						issuer = load_cert(bio_err, certpath, FORMAT_PEM, NULL, e, "issuer certificate");
+						}
+					}
 				if(!add_ocsp_cert(&req, cert, cert_id_md, issuer, ids))
 					goto end;
 				if(!sk_STRING_push(reqnames, *args))
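Review bot: When `OCSP_parse_url` fails in the new block (lines after `if (sk_STRING_num(ocsplist) >0)`), the code only prints the error and falls through, so the request later proceeds with `host`/`port`/`path`/`use_ssl` in whatever state the failed parser left them, whereas the existing `-url` option treats the same failure as fatal; add `goto end;` after the `BIO_printf`. The same block also leaves `ocspurl` pointing into the stack released by `X509_email_free(ocsplist)`, so it must not be reused after that line. In the issuer lookup, `"%s/%08lx.0"` hard-codes the separator and only probes the first hash-directory slot, so an issuer stored as `<hash>.1` is silently missed and `issuer` stays NULL; the `X509_LOOKUP_hash_dir` machinery already used by `setup_verify` handles both concerns and would be the portable replacement the TODO asks for. The `BIO_snprintf` return value should also be checked, since a truncated path would otherwise be passed on to `load_cert`.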
