Doesn't handle SSL URLs yet.
Changes between 0.9.6 and 0.9.7 [xx XXX 2000]
+ *) New function OCSP_parse_url(). This splits up a URL into its host,
+ port and path components: primarily to parse OCSP URLs. New -url
+ option to ocsp utility.
+ [Steve Henson]
+
*) New nonce behavior. The return value of OCSP_check_nonce() now
reflects the various checks performed. Applications can decide
whether to tolerate certain situations such as an absent nonce
int MAIN(int argc, char **argv)
{
char **args;
- char *host = NULL, *path = "/";
+ char *host = NULL, *port = NULL, *path = "/";
char *reqin = NULL, *respin = NULL;
char *reqout = NULL, *respout = NULL;
char *signfile = NULL, *keyfile = NULL;
char *outfile = NULL;
- int add_nonce = 1, noverify = 0;
+ int add_nonce = 1, noverify = 0, use_ssl = -1;
OCSP_REQUEST *req = NULL;
OCSP_RESPONSE *resp = NULL;
OCSP_BASICRESP *bs = NULL;
}
else badarg = 1;
}
+ else if (!strcmp(*args, "-url"))
+ {
+ if (args[1])
+ {
+ args++;
+ if (!OCSP_parse_url(*args, &host, &port, &path, &use_ssl))
+ {
+ BIO_printf(bio_err, "Error parsing URL\n");
+ badarg = 1;
+ }
+ }
+ else badarg = 1;
+ }
else if (!strcmp(*args, "-host"))
{
if (args[1])
BIO_printf (bio_err, "-respin file read DER encoded OCSP reponse from \"file\"\n");
BIO_printf (bio_err, "-nonce add OCSP nonce to request\n");
BIO_printf (bio_err, "-no_nonce don't add OCSP nonce to request\n");
+ BIO_printf (bio_err, "-url URL OCSP responder URL\n");
BIO_printf (bio_err, "-host host:n send OCSP request to host on port n\n");
BIO_printf (bio_err, "-path path to use in OCSP request\n");
BIO_printf (bio_err, "-CApath dir trusted certificates directory\n");
BIO_printf(bio_err, "Error creating connect BIO\n");
goto end;
}
+ if (port) BIO_set_conn_port(cbio, port);
if (BIO_do_connect(cbio) <= 0)
{
BIO_printf(bio_err, "Error connecting BIO\n");
sk_X509_pop_free(sign_other, X509_free);
sk_X509_pop_free(verify_other, X509_free);
+ if (use_ssl != -1)
+ {
+ OPENSSL_free(host);
+ OPENSSL_free(port);
+ OPENSSL_free(path);
+ }
+
EXIT(ret);
}
int OCSP_request_verify(OCSP_REQUEST *req, EVP_PKEY *pkey);
+int OCSP_parse_url(char *url, char **phost, char **pport, char **ppath, int *pssl);
+
int OCSP_id_issuer_cmp(OCSP_CERTID *a, OCSP_CERTID *b);
int OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b);
#define OCSP_F_OCSP_CHECK_IDS 107
#define OCSP_F_OCSP_CHECK_ISSUER 108
#define OCSP_F_OCSP_MATCH_ISSUERID 109
+#define OCSP_F_OCSP_PARSE_URL 114
#define OCSP_F_OCSP_REQUEST_SIGN 110
#define OCSP_F_OCSP_RESPONSE_GET1_BASIC 111
#define OCSP_F_OCSP_SENDREQ_BIO 112
#define OCSP_R_BAD_DATA 100
#define OCSP_R_CERTIFICATE_VERIFY_ERROR 101
#define OCSP_R_DIGEST_ERR 102
+#define OCSP_R_ERROR_PARSING_URL 121
#define OCSP_R_MISSING_OCSPSIGNING_USAGE 103
#define OCSP_R_NOT_BASIC_RESPONSE 104
#define OCSP_R_NO_CERTIFICATES_IN_CHAIN 105
{ERR_PACK(0,OCSP_F_OCSP_CHECK_IDS,0), "OCSP_CHECK_IDS"},
{ERR_PACK(0,OCSP_F_OCSP_CHECK_ISSUER,0), "OCSP_CHECK_ISSUER"},
{ERR_PACK(0,OCSP_F_OCSP_MATCH_ISSUERID,0), "OCSP_MATCH_ISSUERID"},
+{ERR_PACK(0,OCSP_F_OCSP_PARSE_URL,0), "OCSP_parse_url"},
{ERR_PACK(0,OCSP_F_OCSP_REQUEST_SIGN,0), "OCSP_request_sign"},
{ERR_PACK(0,OCSP_F_OCSP_RESPONSE_GET1_BASIC,0), "OCSP_response_get1_basic"},
{ERR_PACK(0,OCSP_F_OCSP_SENDREQ_BIO,0), "OCSP_sendreq_bio"},
{OCSP_R_BAD_DATA ,"bad data"},
{OCSP_R_CERTIFICATE_VERIFY_ERROR ,"certificate verify error"},
{OCSP_R_DIGEST_ERR ,"digest err"},
+{OCSP_R_ERROR_PARSING_URL ,"error parsing url"},
{OCSP_R_MISSING_OCSPSIGNING_USAGE ,"missing ocspsigning usage"},
{OCSP_R_NOT_BASIC_RESPONSE ,"not basic response"},
{OCSP_R_NO_CERTIFICATES_IN_CHAIN ,"no certificates in chain"},
}
return OCSP_REQUEST_verify(req, pkey);
}
+
+
+/* Parse a URL and split it up into host, port and path components and whether
+ * it is SSL.
+ */
+
+int OCSP_parse_url(char *url, char **phost, char **pport, char **ppath, int *pssl)
+ {
+ char *p, *buf;
+
+ char *host, *port;
+
+ /* dup the buffer since we are going to mess with it */
+ buf = BUF_strdup(url);
+ if (!buf) goto mem_err;
+
+ *phost = NULL;
+ *pport = NULL;
+ *ppath = NULL;
+
+ /* Check for initial colon */
+ p = strchr(buf, ':');
+
+ if (!p) goto parse_err;
+
+ *(p++) = '\0';
+
+ if (!strcmp(buf, "http"))
+ {
+ *pssl = 0;
+ port = "80";
+ }
+ else if (!strcmp(buf, "https"))
+ {
+ *pssl = 1;
+ port = "443";
+ }
+ else
+ goto parse_err;
+
+ /* Check for double slash */
+ if ((p[0] != '/') || (p[1] != '/'))
+ goto parse_err;
+
+ p += 2;
+
+ host = p;
+
+ /* Check for trailing part of path */
+
+ p = strchr(p, '/');
+
+ if (!p)
+ *ppath = BUF_strdup("/");
+ else
+ {
+ *ppath = BUF_strdup(p);
+ /* Set start of path to 0 so hostname is valid */
+ *p = '\0';
+ }
+
+ if (!*ppath) goto mem_err;
+
+ /* Look for optional ':' for port number */
+ if ((p = strchr(host, ':')))
+ {
+ *p = 0;
+ port = p + 1;
+ }
+ else
+ {
+ /* Not found: set default port */
+ if (*pssl) port = "443";
+ else port = "80";
+ }
+
+ *pport = BUF_strdup(port);
+ if (!*pport) goto mem_err;
+
+ *phost = BUF_strdup(host);
+
+ if (!*phost) goto mem_err;
+
+ OPENSSL_free(buf);
+
+ return 1;
+
+ mem_err:
+ OCSPerr(OCSP_F_OCSP_PARSE_URL, ERR_R_MALLOC_FAILURE);
+ goto err;
+
+ parse_err:
+ OCSPerr(OCSP_F_OCSP_PARSE_URL, OCSP_R_ERROR_PARSING_URL);
+
+
+ err:
+ if (*ppath) OPENSSL_free(*ppath);
+ if (*pport) OPENSSL_free(*pport);
+ if (*phost) OPENSSL_free(*phost);
+ return 0;
+
+ }