authorRichard Levitte <levitte@openssl.org>2001-02-08 17:59:29 +0000
committerRichard Levitte <levitte@openssl.org>2001-02-08 17:59:29 +0000
commit9235adbf47cb5bd045742e762e3d17e31b2ed553 (patch)
tree938d855793a0f640b632b9a53e8de6f94a6aae48
parenta71b5abfa4c5515fcfb5b69281e04cf620e0c66c (diff)
Add the -VAfile option to 'openssl ocsp'. This option will give the
client code certificates to use to only check response signatures. I'm not entirely sure if the way I just implemented the verification is the right way to do it, and would be happy if someone would like to review this.
-rw-r--r--CHANGES5
-rw-r--r--apps/ocsp.c18
2 files changed, 22 insertions, 1 deletions
diff --git a/CHANGES b/CHANGES
index 136dde4884..4c59e64dbf 100644
--- a/CHANGES
+++ b/CHANGES
@@ -3,6 +3,11 @@
Changes between 0.9.6 and 0.9.7 [xx XXX 2000]
+ *) Add the option -VAfile to 'openssl ocsp', so the user can give the
+ OCSP client a number of certificate to only verify the response
+ signature against.
+ [Richard Levitte]
+
*) Add new function BN_rand_range(), and fix DSA_sign_setup() to prevent
Bleichenbacher's DSA attack.
[Ulf Moeller, Bodo Moeller]
diff --git a/apps/ocsp.c b/apps/ocsp.c
index cec2f2b809..1ea4f9d2ef 100644
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -94,7 +94,9 @@ int MAIN(int argc, char **argv)
BIO *out = NULL;
int req_text = 0, resp_text = 0;
char *CAfile = NULL, *CApath = NULL;
+ char *VAfile = NULL;
X509_STORE *store = NULL;
+ STACK_OF(X509) *VAstore = NULL;
int ret = 1;
int badarg = 0;
int i;
@@ -167,6 +169,15 @@ int MAIN(int argc, char **argv)
}
else badarg = 1;
}
+ else if (!strcmp (*args, "-VAfile"))
+ {
+ if (args[1])
+ {
+ args++;
+ VAfile = *args;
+ }
+ else badarg = 1;
+ }
else if (!strcmp (*args, "-CAfile"))
{
if (args[1])
@@ -290,6 +301,7 @@ int MAIN(int argc, char **argv)
BIO_printf (bio_err, "-path path to use in OCSP request\n");
BIO_printf (bio_err, "-CApath dir trusted certificates directory\n");
BIO_printf (bio_err, "-CAfile file trusted certificates file\n");
+ BIO_printf (bio_err, "-VAfile file validator certificates file\n");
BIO_printf (bio_err, "-noverify don't verify response\n");
goto end;
}
@@ -438,6 +450,8 @@ int MAIN(int argc, char **argv)
store = setup_verify(bio_err, CAfile, CApath);
if(!store) goto end;
+ if (VAfile) VAstore = load_certs(bio_err, VAfile, FORMAT_PEM);
+
bs = OCSP_response_get1_basic(resp);
if (!bs)
@@ -454,7 +468,8 @@ int MAIN(int argc, char **argv)
goto end;
}
- i = OCSP_basic_verify(bs, NULL, store, 0);
+ i = OCSP_basic_verify(bs, VAstore, store, OCSP_TRUSTOTHER);
+ if (i < 0) i = OCSP_basic_verify(bs, NULL, store, 0);
if(i <= 0)
{
@@ -475,6 +490,7 @@ end:
ERR_print_errors(bio_err);
X509_free(signer);
X509_STORE_free(store);
+ sk_X509_free(VAstore);
EVP_PKEY_free(key);
X509_free(issuer);
X509_free(cert);
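Review bot: The result of `load_certs` in the `@@ -438,6 +450,8 @@` hunk is never checked, so when the file named by -VAfile cannot be read VAstore stays NULL and verification silently continues as if the option had not been given; since the user explicitly asked for these certificates, a load failure should abort: `if (VAfile && !(VAstore = load_certs(bio_err, VAfile, FORMAT_PEM))) goto end;`. In the `@@ -454,7 +468,8 @@` hunk the fallback `if (i < 0) i = OCSP_basic_verify(bs, NULL, store, 0);` deserves a comment stating which negative return it is meant to catch, because the intent (the commit message itself calls the approach uncertain) cannot be recovered from the code, and if a rejected signer is reported as 0 rather than a negative value the retry never runs. In the `end:` hunk, `sk_X509_free(VAstore)` releases only the stack and leaks the X509 objects it holds; `sk_X509_pop_free(VAstore, X509_free);` frees both. MAIN begins and ends outside these hunks.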