generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Add the -VAfile option to 'openssl ocsp'. This option will give the

Browse Source 
client code certificates to use to only check response signatures.
I'm not entirely sure if the way I just implemented the verification
is the right way to do it, and would be happy if someone would like to
review this.
This commit is contained in:
Richard Levitte 2001-02-08 17:59:29 +00:00
parent a71b5abfa4
commit 9235adbf47
2 changed files with 22 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
CHANGES
View File

@ -3,6 +3,11 @@
Changes between 0.9.6 and 0.9.7 [xx XXX 2000] Changes between 0.9.6 and 0.9.7 [xx XXX 2000]
*) Add the option -VAfile to 'openssl ocsp', so the user can give the
OCSP client a number of certificate to only verify the response
signature against.
[Richard Levitte]
*) Add new function BN_rand_range(), and fix DSA_sign_setup() to prevent *) Add new function BN_rand_range(), and fix DSA_sign_setup() to prevent
Bleichenbacher's DSA attack. Bleichenbacher's DSA attack.
[Ulf Moeller, Bodo Moeller] [Ulf Moeller, Bodo Moeller]

18
apps/ocsp.c
View File

@ -94,7 +94,9 @@ int MAIN(int argc, char **argv)
BIO *out = NULL; BIO *out = NULL;
int req_text = 0, resp_text = 0; int req_text = 0, resp_text = 0;
char *CAfile = NULL, *CApath = NULL; char *CAfile = NULL, *CApath = NULL;
char *VAfile = NULL;
X509_STORE *store = NULL; X509_STORE *store = NULL;
STACK_OF(X509) *VAstore = NULL;
int ret = 1; int ret = 1;
int badarg = 0; int badarg = 0;
int i; int i;
@ -167,6 +169,15 @@ int MAIN(int argc, char **argv)
} }
else badarg = 1; else badarg = 1;
} }
else if (!strcmp (*args, "-VAfile"))
{
if (args[1])
{
args++;
VAfile = *args;
}
else badarg = 1;
}
else if (!strcmp (*args, "-CAfile")) else if (!strcmp (*args, "-CAfile"))
{ {
if (args[1]) if (args[1])
@ -290,6 +301,7 @@ int MAIN(int argc, char **argv)
BIO_printf (bio_err, "-path path to use in OCSP request\n"); BIO_printf (bio_err, "-path path to use in OCSP request\n");
BIO_printf (bio_err, "-CApath dir trusted certificates directory\n"); BIO_printf (bio_err, "-CApath dir trusted certificates directory\n");
BIO_printf (bio_err, "-CAfile file trusted certificates file\n"); BIO_printf (bio_err, "-CAfile file trusted certificates file\n");
BIO_printf (bio_err, "-VAfile file validator certificates file\n");
BIO_printf (bio_err, "-noverify don't verify response\n"); BIO_printf (bio_err, "-noverify don't verify response\n");
goto end; goto end;
} }
@ -438,6 +450,8 @@ int MAIN(int argc, char **argv)
store = setup_verify(bio_err, CAfile, CApath); store = setup_verify(bio_err, CAfile, CApath);
if(!store) goto end; if(!store) goto end;
if (VAfile) VAstore = load_certs(bio_err, VAfile, FORMAT_PEM);
bs = OCSP_response_get1_basic(resp); bs = OCSP_response_get1_basic(resp);
if (!bs) if (!bs)
@ -454,7 +468,8 @@ int MAIN(int argc, char **argv)
goto end; goto end;
} }
i = OCSP_basic_verify(bs, NULL, store, 0); i = OCSP_basic_verify(bs, VAstore, store, OCSP_TRUSTOTHER);
if (i < 0) i = OCSP_basic_verify(bs, NULL, store, 0);
if(i <= 0) if(i <= 0)
{ {
@ -475,6 +490,7 @@ end:
ERR_print_errors(bio_err); ERR_print_errors(bio_err);
X509_free(signer); X509_free(signer);
X509_STORE_free(store); X509_STORE_free(store);
sk_X509_free(VAstore);
EVP_PKEY_free(key); EVP_PKEY_free(key);
X509_free(issuer); X509_free(issuer);
X509_free(cert); X509_free(cert);