> Is there any documentation on how I can programmatically
> create OCSP
> requests, ready to be sent on the wire?
>
> Thanks in advance!
> Randy
>



Well, you should look at openssl.org and the OpenSSL source code — the
`openssl ocsp` command (apps/ocsp.c) does exactly this and is the best
reference. Here I can give you a small code snippet which should give you
a basic idea of what you have to do (error handling code is omitted for
better readability, and the response-verification flags are set very
permissively; see the P.S.). My advice is to compile OpenSSL with the
debug option and trace it.

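/*
 * Read the first PEM certificate from `path`.
 *
 * Returns a new X509 (owned by the caller) or NULL on failure, in which
 * case the OpenSSL error queue describes what went wrong.
 */
static X509 *load_cert(const char *path)
{
    BIO *in = BIO_new_file(path, "r");
    X509 *x = NULL;

    if (in == NULL) {
        return NULL;
    }
    x = PEM_read_bio_X509(in, NULL, NULL, NULL);
    BIO_free(in);
    return x;
}

/*
 * Build one OCSP request for `cert` (issued by `issuer_cert`), send it to
 * `ocsp_url` over plain HTTP and verify the response: the signer must be
 * `ocsp_cert`, which is chained to `root_cert` and checked for authority
 * to answer for this issuer.
 *
 * Usage: prog cert issuer_cert root_cert ocsp_cert ocsp_url
 *
 * Needs <stdio.h>, <openssl/bio.h>, <openssl/pem.h>, <openssl/x509.h>,
 * <openssl/ocsp.h> and <openssl/err.h>.
 *
 * Exit status: 0 only when the response verified and reports the
 * certificate as "good"; 1 for every other outcome (usage error, I/O
 * failure, responder error, bad signature, nonce mismatch, stale
 * response, "revoked" or "unknown" status).
 */
int main(int argc, char **argv)
{
    int rc = 1;                         /* fail closed unless proven good */
    BIO *bio_err = NULL;
    X509 *cert = NULL, *issuer_cert = NULL, *root_cert = NULL, *ocsp_cert = NULL;
    OCSP_REQUEST *req = NULL;
    OCSP_RESPONSE *resp = NULL;
    OCSP_BASICRESP *br = NULL;
    OCSP_CERTID *id = NULL;
    X509_STORE *store = NULL;
    STACK_OF(X509) *responder_certs = NULL;
    BIO *conn = NULL;
    char *host = NULL, *port = NULL, *path = NULL;
    int use_ssl = 0;
    int nonce_ret = 0;
    int resp_status = 0;
    int cert_status = 0, reason = 0;
    ASN1_GENERALIZEDTIME *rev = NULL, *thisupd = NULL, *nextupd = NULL;
    unsigned long verify_flags = 0;

    bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
    if (bio_err == NULL) {
        return 1;
    }

    if (argc != 6) {
        BIO_printf(bio_err,
                   "Usage : %s cert issuer_cert root_cert ocsp_cert ocsp_url\n",
                   argv[0]);
        goto end;
    }

    cert = load_cert(argv[1]);
    issuer_cert = load_cert(argv[2]);
    root_cert = load_cert(argv[3]);
    ocsp_cert = load_cert(argv[4]);
    if (cert == NULL || issuer_cert == NULL || root_cert == NULL || ocsp_cert == NULL) {
        BIO_printf(bio_err, "failed to load one of the certificates\n");
        goto end;
    }

    req = OCSP_REQUEST_new();
    if (req == NULL) {
        goto end;
    }

    /*
     * The CertID is a hash of the issuer's name and public key plus the
     * serial number, so argv[2] really must be the issuer of argv[1].
     * NULL selects the default digest (SHA-1 in this API).
     */
    id = OCSP_cert_to_id(NULL, cert, issuer_cert);
    if (id == NULL || !OCSP_request_add0_id(req, id)) {
        /* add0 only takes ownership on success, so free on this path */
        OCSP_CERTID_free(id);
        goto end;
    }

    /*
     * A fresh random nonce ties the response to this request, so a
     * captured, still-valid response cannot be replayed to us later.
     */
    if (!OCSP_request_add1_nonce(req, NULL, -1)) {
        goto end;
    }

    OCSP_REQUEST_print(bio_err, req, 0);

    if (!OCSP_parse_url(argv[5], &host, &port, &path, &use_ssl)) {
        BIO_printf(bio_err, "cannot parse OCSP URL %s\n", argv[5]);
        goto end;
    }
    /*
     * This example only speaks plain HTTP. Refuse an https:// URL instead
     * of silently sending cleartext to a TLS port; the response is
     * signed, so plain HTTP is the normal transport for OCSP anyway.
     */
    if (use_ssl) {
        BIO_printf(bio_err, "https OCSP URLs are not supported by this example\n");
        goto end;
    }

    conn = BIO_new_connect(host);
    if (conn == NULL) {
        goto end;
    }
    BIO_set_conn_port(conn, port);

    resp = OCSP_sendreq_bio(conn, path, req);
    if (resp == NULL) {
        BIO_printf(bio_err, "no OCSP response from %s:%s\n", host, port);
        goto end;
    }
    OCSP_RESPONSE_print(bio_err, resp, 0);

    /* Anything but "successful" carries no basic response to verify. */
    resp_status = OCSP_response_status(resp);
    if (resp_status != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
        BIO_printf(bio_err, "responder error: %s (%d)\n",
                   OCSP_response_status_str(resp_status), resp_status);
        goto end;
    }

    br = OCSP_response_get1_basic(resp);
    if (br == NULL) {
        goto end;
    }

    store = X509_STORE_new();
    if (store == NULL || !X509_STORE_add_cert(store, root_cert)) {
        goto end;
    }

    responder_certs = sk_X509_new_null();
    if (responder_certs == NULL || !sk_X509_push(responder_certs, ocsp_cert)) {
        goto end;
    }

    /*
     * OCSP_NOINTERN: ignore any certificates embedded in the response and
     * accept only our own ocsp_cert as the signer. The signer is then
     * chained to root_cert in `store` and checked for authority to answer
     * for this issuer (issued by the same CA, or carrying the OCSP-signing
     * EKU). Do NOT add OCSP_NOVERIFY here: it skips all of that and lets
     * a response signed by any key through.
     */
    verify_flags = OCSP_NOINTERN;
    if (OCSP_basic_verify(br, responder_certs, store, verify_flags) <= 0) {
        BIO_printf(bio_err, "OCSP response signature verification failed\n");
        goto end;
    }

    /* 1 = nonces match, 0 = mismatch, <0 = responder returned no nonce. */
    nonce_ret = OCSP_check_nonce(req, br);
    if (nonce_ret == 0) {
        BIO_printf(bio_err, "OCSP nonce mismatch (replayed response?)\n");
        goto end;
    }
    if (nonce_ret < 0) {
        /*
         * Responder ignored the nonce, as RFC 5019-style responders do.
         * Tolerated here like `openssl ocsp` does; a stricter deployment
         * would fail closed instead.
         */
        BIO_printf(bio_err, "WARNING: responder did not return our nonce\n");
    }

    if (!OCSP_resp_find_status(br, id, &cert_status, &reason, &rev, &thisupd, &nextupd)) {
        BIO_printf(bio_err, "no status for our certificate in the response\n");
        goto end;
    }

    /*
     * thisUpdate/nextUpdate window: allow 5 minutes of clock skew and put
     * no upper bound on age when nextUpdate is absent (maxsec = -1).
     */
    if (!OCSP_check_validity(thisupd, nextupd, 300L, -1L)) {
        BIO_printf(bio_err, "OCSP response is stale or not yet valid\n");
        goto end;
    }

    BIO_printf(bio_err, "certificate status: %s\n", OCSP_cert_status_str(cert_status));
    if (cert_status == V_OCSP_CERTSTATUS_REVOKED) {
        BIO_printf(bio_err, "revocation reason: %s\n", OCSP_crl_reason_str(reason));
    }

    /* Only an explicit "good" succeeds; "revoked" and "unknown" both fail. */
    if (cert_status == V_OCSP_CERTSTATUS_GOOD) {
        rc = 0;
    }

end:
    if (rc != 0) {
        ERR_print_errors(bio_err);
    }
    /* host/port/path come from OCSP_parse_url and are OPENSSL_malloc'd */
    OPENSSL_free(host);
    OPENSSL_free(port);
    OPENSSL_free(path);
    BIO_free_all(conn);
    sk_X509_free(responder_certs);      /* shallow: ocsp_cert freed below */
    X509_STORE_free(store);
    OCSP_BASICRESP_free(br);
    OCSP_RESPONSE_free(resp);
    OCSP_REQUEST_free(req);             /* also frees `id` (add0 ownership) */
    X509_free(cert);
    X509_free(issuer_cert);
    X509_free(root_cert);
    X509_free(ocsp_cert);
    BIO_free(bio_err);
    return rc;
}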



P.S.
I'm not quite sure this source is correct, so don't trust it too much. In
particular it sets OCSP_NOVERIFY, which skips verification of the
response signature entirely; it builds the `verify_other` stack but never
passes it to OCSP_basic_verify; it never checks the return value of
OCSP_basic_verify, the response status, or the certificate status itself;
and it sends no nonce, so a captured response could be replayed.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
