Initial OCSP certificate verify. Not complete,
it just supports a "trusted OCSP global root CA".
diff --git a/apps/apps.c b/apps/apps.c
index ca3f557..bdd8c71 100644
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -837,3 +837,32 @@
 	}
 }
 
+X509_STORE *setup_verify(BIO *bp, char *CAfile, char *CApath)
+{
+	X509_STORE *store;
+	X509_LOOKUP *lookup;
+	if(!(store = X509_STORE_new())) goto end;
+	lookup=X509_STORE_add_lookup(store,X509_LOOKUP_file());
+	if (lookup == NULL) goto end;
+	if (CAfile) {
+		if(!X509_LOOKUP_load_file(lookup,CAfile,X509_FILETYPE_PEM)) {
+			BIO_printf(bp, "Error loading file %s\n", CAfile);
+			goto end;
+		}
+	} else X509_LOOKUP_load_file(lookup,NULL,X509_FILETYPE_DEFAULT);
+		
+	lookup=X509_STORE_add_lookup(store,X509_LOOKUP_hash_dir());
+	if (lookup == NULL) goto end;
+	if (CApath) {
+		if(!X509_LOOKUP_add_dir(lookup,CApath,X509_FILETYPE_PEM)) {
+			BIO_printf(bp, "Error loading directory %s\n", CApath);
+			goto end;
+		}
+	} else X509_LOOKUP_add_dir(lookup,NULL,X509_FILETYPE_DEFAULT);
+
+	ERR_clear_error();
+	return store;
+	end:
+	X509_STORE_free(store);
+	return NULL;
+}
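Review bot: setup_verify() is now shared by ocsp and smime but has no comment describing its fallback behaviour, which decides what each caller ends up trusting. When CAfile or CApath is NULL the default file or directory is loaded instead, the return values of those two default loads are ignored, and ERR_clear_error() discards any failure, so a caller that passes neither argument silently trusts whatever the default locations hold. I would add a header comment such as `/* Build a trust store from CAfile/CApath; a NULL argument falls back to the default location and a failed default load is ignored. Returns NULL on error; caller frees the store. */`. The `end:` path also hands a NULL store to X509_STORE_free() when X509_STORE_new() fails, which is only safe if that function tolerates NULL, so that is worth confirming.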
diff --git a/apps/apps.h b/apps/apps.h
index 11133cb..2da89e2 100644
--- a/apps/apps.h
+++ b/apps/apps.h
@@ -158,6 +158,7 @@
 EVP_PKEY *load_key(BIO *err, char *file, int format, char *pass, ENGINE *e);
 EVP_PKEY *load_pubkey(BIO *err, char *file, int format, ENGINE *e);
 STACK_OF(X509) *load_certs(BIO *err, char *file, int format);
+X509_STORE *setup_verify(BIO *bp, char *CAfile, char *CApath);
 
 #define FORMAT_UNDEF    0
 #define FORMAT_ASN1     1
diff --git a/apps/ocsp.c b/apps/ocsp.c
index cfd4f18..3125583 100644
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -82,14 +82,18 @@
 	int add_nonce = 1;
 	OCSP_REQUEST *req = NULL;
 	OCSP_RESPONSE *resp = NULL;
+	OCSP_BASICRESP *bs = NULL;
 	X509 *issuer = NULL, *cert = NULL;
 	X509 *signer = NULL;
 	EVP_PKEY *key = NULL;
 	BIO *cbio = NULL, *derbio = NULL;
 	BIO *out = NULL;
 	int req_text = 0, resp_text = 0;
+	char *CAfile = NULL, *CApath = NULL;
+	X509_STORE *store = NULL;
 	int ret = 1;
 	int badarg = 0;
+	int i;
 	if (bio_err == NULL) bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
 	ERR_load_crypto_strings();
 	args = argv + 1;
@@ -153,6 +157,24 @@
 				}
 			else badarg = 1;
 			}
+		else if (!strcmp (*args, "-CAfile"))
+			{
+			if (args[1])
+				{
+				args++;
+				CAfile = *args;
+				}
+			else badarg = 1;
+			}
+		else if (!strcmp (*args, "-CApath"))
+			{
+			if (args[1])
+				{
+				args++;
+				CApath = *args;
+				}
+			else badarg = 1;
+			}
 		 else if (!strcmp(*args, "-signkey"))
 			{
 			if (args[1])
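Review bot: The new `-CAfile` and `-CApath` branches are not matched by any change to the option summary in the ocsp.c hunks shown, so if the command prints a usage text on `badarg` the two options are probably undocumented there. A line each, for example `BIO_printf (bio_err, "-CAfile file    trusted certificates file\n");`, would cover it. The two branches also write `strcmp (*args, ...)` with a space before the parenthesis while the neighbouring `-signkey` branch writes `strcmp(*args, ...)`; matching the existing spelling keeps the chain uniform. The enclosing option loop starts and ends outside this hunk.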
@@ -386,11 +408,25 @@
 
 	if (resp_text) OCSP_RESPONSE_print(out, resp, 0);
 
+	store = setup_verify(bio_err, CAfile, CApath);
+	if(!store) goto end;
+
+	bs = OCSP_response_get1_basic(resp);
+
+	i = OCSP_basic_verify(bs, NULL, store, 0);
+
+	if(i <= 0)
+		{
+		BIO_printf(bio_err, "Response verify error (%d)\n", i);
+		ERR_print_errors(bio_err);
+		}
+
 	ret = 0;
 
 end:
 	ERR_print_errors(bio_err);
 	X509_free(signer);
+	X509_STORE_free(store);
 	EVP_PKEY_free(key);
 	X509_free(issuer);
 	X509_free(cert);
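Review bot: A failed OCSP_basic_verify() only prints a message here; execution falls through to `ret = 0`, so the command exits with success even when the response signature could not be verified, and a script that keys on the exit status would accept an unauthenticated response. The result of OCSP_response_get1_basic() is also passed to the verify call unchecked, although it can be NULL when the response carries no basic response body. Both cases should branch to `end` with `ret` still 1; the ERR_print_errors() call inside the error branch can then go, since `end:` already prints the queue. The commit message says verification is not complete, so this may be intentional for now, but a comment should say so. The enclosing function starts and ends outside this hunk.

```c
	bs = OCSP_response_get1_basic(resp);
	if(!bs)
		{
		BIO_printf(bio_err, "Error parsing response\n");
		goto end;
		}

	i = OCSP_basic_verify(bs, NULL, store, 0);
	if(i <= 0)
		{
		BIO_printf(bio_err, "Response verify error (%d)\n", i);
		goto end;
		}

	ret = 0;
	/* … unchanged: end: cleanup … */
```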
@@ -398,6 +434,7 @@
 	BIO_free(out);
 	OCSP_REQUEST_free(req);
 	OCSP_RESPONSE_free(resp);
+	OCSP_BASICRESP_free(bs);
 
 	EXIT(ret);
 }
diff --git a/apps/smime.c b/apps/smime.c
index 0a16bbc..e0d31b2 100644
--- a/apps/smime.c
+++ b/apps/smime.c
@@ -68,7 +68,6 @@
 
 #undef PROG
 #define PROG smime_main
-static X509_STORE *setup_verify(char *CAfile, char *CApath);
 static int save_certs(char *signerfile, STACK_OF(X509) *signers);
 
 #define SMIME_OP	0x10
@@ -431,7 +430,7 @@
 	}
 
 	if(operation == SMIME_VERIFY) {
-		if(!(store = setup_verify(CAfile, CApath))) goto end;
+		if(!(store = setup_verify(bio_err, CAfile, CApath))) goto end;
 	}
 
 	ret = 3;
@@ -530,36 +529,6 @@
 	return (ret);
 }
 
-static X509_STORE *setup_verify(char *CAfile, char *CApath)
-{
-	X509_STORE *store;
-	X509_LOOKUP *lookup;
-	if(!(store = X509_STORE_new())) goto end;
-	lookup=X509_STORE_add_lookup(store,X509_LOOKUP_file());
-	if (lookup == NULL) goto end;
-	if (CAfile) {
-		if(!X509_LOOKUP_load_file(lookup,CAfile,X509_FILETYPE_PEM)) {
-			BIO_printf(bio_err, "Error loading file %s\n", CAfile);
-			goto end;
-		}
-	} else X509_LOOKUP_load_file(lookup,NULL,X509_FILETYPE_DEFAULT);
-		
-	lookup=X509_STORE_add_lookup(store,X509_LOOKUP_hash_dir());
-	if (lookup == NULL) goto end;
-	if (CApath) {
-		if(!X509_LOOKUP_add_dir(lookup,CApath,X509_FILETYPE_PEM)) {
-			BIO_printf(bio_err, "Error loading directory %s\n", CApath);
-			goto end;
-		}
-	} else X509_LOOKUP_add_dir(lookup,NULL,X509_FILETYPE_DEFAULT);
-
-	ERR_clear_error();
-	return store;
-	end:
-	X509_STORE_free(store);
-	return NULL;
-}
-
 static int save_certs(char *signerfile, STACK_OF(X509) *signers)
 {
 	int i;