From 1e8b9e7e69c694806695121ff6fb511028442309 Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson" <steve@openssl.org>
Date: Sun, 9 Dec 2012 16:21:46 +0000
Subject: [PATCH] add -badsig option to ocsp utility too.

---
 apps/ocsp.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/apps/ocsp.c b/apps/ocsp.c
index ce9bfa52d6..16aa23b6f6 100644
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -107,7 +107,7 @@ static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
 static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db,
 			X509 *ca, X509 *rcert, EVP_PKEY *rkey,
 			STACK_OF(X509) *rother, unsigned long flags,
-			int nmin, int ndays);
+			int nmin, int ndays, int badsig);
 
 static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser);
 static BIO *init_responder(char *port);
@@ -154,6 +154,7 @@ int MAIN(int argc, char **argv)
 	int ret = 1;
 	int accept_count = -1;
 	int badarg = 0;
+	int badsig = 0;
 	int i;
 	int ignore_err = 0;
 	STACK_OF(OPENSSL_STRING) *reqnames = NULL;
@@ -271,6 +272,8 @@ int MAIN(int argc, char **argv)
 			verify_flags |= OCSP_TRUSTOTHER;
 		else if (!strcmp(*args, "-no_intern"))
 			verify_flags |= OCSP_NOINTERN;
+		else if (!strcmp(*args, "-badsig"))
+			badsig = 1;
 		else if (!strcmp(*args, "-text"))
 			{
 			req_text = 1;
@@ -761,7 +764,7 @@ int MAIN(int argc, char **argv)
 
 	if (rdb)
 		{
-		i = make_ocsp_response(&resp, req, rdb, rca_cert, rsigner, rkey, rother, rflags, nmin, ndays);
+		i = make_ocsp_response(&resp, req, rdb, rca_cert, rsigner, rkey, rother, rflags, nmin, ndays, badsig);
 		if (cbio)
 			send_ocsp_response(cbio, resp);
 		}
@@ -1053,7 +1056,7 @@ static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
 static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db,
 			X509 *ca, X509 *rcert, EVP_PKEY *rkey,
 			STACK_OF(X509) *rother, unsigned long flags,
-			int nmin, int ndays)
+			int nmin, int ndays, int badsig)
 	{
 	ASN1_TIME *thisupd = NULL, *nextupd = NULL;
 	OCSP_CERTID *cid, *ca_id = NULL;
@@ -1144,6 +1147,9 @@ static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db
 	
 	OCSP_basic_sign(bs, rcert, rkey, NULL, rother, flags);
 
+	if (badsig)
+		bs->signature->data[bs->signature->length -1] ^= 0x1;
+
 	*resp = OCSP_response_create(OCSP_RESPONSE_STATUS_SUCCESSFUL, bs);
 
 	end:
-- 
2.25.1