330
333
BIO_printf(bio_err," -Verify arg - turn on peer certificate verification, must have a cert.\n");
331
334
BIO_printf(bio_err," -cert arg - certificate file to use\n");
332
335
BIO_printf(bio_err," (default is %s)\n",TEST_CERT);
336
BIO_printf(bio_err," -crl_check - check the peer certificate has not been revoked by its CA.\n" \
337
" The CRL(s) are appended to the certificate file\n");
338
BIO_printf(bio_err," -crl_check_all - check the peer certificate has not been revoked by its CA\n" \
339
" or any other CRL in the CA chain. CRL(s) are appened to the\n" \
340
" the certificate file.\n");
333
341
BIO_printf(bio_err," -certform arg - certificate format (PEM or DER) PEM default\n");
334
342
BIO_printf(bio_err," -key arg - Private Key file to use, in cert file if\n");
335
343
BIO_printf(bio_err," not specified (default is %s)\n",TEST_CERT);
586
594
return SSL_TLSEXT_ERR_OK;
597
/* Structure passed to cert status callback */
599
typedef struct tlsextstatusctx_st {
600
/* Default responder to use */
601
char *host, *path, *port;
608
static tlsextstatusctx tlscstatp = {NULL, NULL, NULL, 0, -1, NULL, 0};
610
/* Certificate Status callback. This is called when a client includes a
611
* certificate status request extension.
613
* This is a simplified version. It examines certificates each time and
614
* makes one OCSP responder query for each request.
616
* A full version would store details such as the OCSP certificate IDs and
617
* minimise the number of OCSP responses by caching them until they were
618
* considered "expired".
621
static int cert_status_cb(SSL *s, void *arg)
623
tlsextstatusctx *srctx = arg;
624
BIO *err = srctx->err;
625
char *host, *port, *path;
627
unsigned char *rspder = NULL;
631
X509_STORE_CTX inctx;
633
OCSP_REQUEST *req = NULL;
634
OCSP_RESPONSE *resp = NULL;
635
OCSP_CERTID *id = NULL;
636
STACK_OF(X509_EXTENSION) *exts;
637
int ret = SSL_TLSEXT_ERR_NOACK;
640
STACK_OF(OCSP_RESPID) *ids;
641
SSL_get_tlsext_status_ids(s, &ids);
642
BIO_printf(err, "cert_status: received %d ids\n", sk_OCSP_RESPID_num(ids));
645
BIO_puts(err, "cert_status: callback called\n");
646
/* Build up OCSP query from server certificate */
647
x = SSL_get_certificate(s);
648
aia = X509_get1_ocsp(x);
651
if (!OCSP_parse_url(sk_value(aia, 0),
652
&host, &port, &path, &use_ssl))
654
BIO_puts(err, "cert_status: can't parse AIA URL\n");
658
BIO_printf(err, "cert_status: AIA URL: %s\n",
665
BIO_puts(srctx->err, "cert_status: no AIA and no default responder URL\n");
671
use_ssl = srctx->use_ssl;
674
if (!X509_STORE_CTX_init(&inctx,
675
SSL_CTX_get_cert_store(SSL_get_SSL_CTX(s)),
678
if (X509_STORE_get_by_subject(&inctx,X509_LU_X509,
679
X509_get_issuer_name(x),&obj) <= 0)
681
BIO_puts(err, "cert_status: Can't retrieve issuer certificate.\n");
682
X509_STORE_CTX_cleanup(&inctx);
685
req = OCSP_REQUEST_new();
688
id = OCSP_cert_to_id(NULL, x, obj.data.x509);
689
X509_free(obj.data.x509);
690
X509_STORE_CTX_cleanup(&inctx);
693
if (!OCSP_request_add0_id(req, id))
696
/* Add any extensions to the request */
697
SSL_get_tlsext_status_exts(s, &exts);
698
for (i = 0; i < sk_X509_EXTENSION_num(exts); i++)
700
X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, i);
701
if (!OCSP_REQUEST_add_ext(req, ext, -1))
704
resp = process_responder(err, req, host, path, port, use_ssl,
708
BIO_puts(err, "cert_status: error querying responder\n");
711
rspderlen = i2d_OCSP_RESPONSE(resp, &rspder);
714
SSL_set_tlsext_status_ocsp_resp(s, rspder, rspderlen);
717
BIO_puts(err, "cert_status: ocsp response sent:\n");
718
OCSP_RESPONSE_print(err, resp, 2);
720
ret = SSL_TLSEXT_ERR_OK;
722
if (ret != SSL_TLSEXT_ERR_OK)
723
ERR_print_errors(err);
729
X509_email_free(aia);
732
OCSP_CERTID_free(id);
734
OCSP_REQUEST_free(req);
736
OCSP_RESPONSE_free(resp);
739
ret = SSL_TLSEXT_ERR_ALERT_FATAL;
589
743
int MAIN(int, char **);
745
#ifndef OPENSSL_NO_JPAKE
746
static char *jpake_secret = NULL;
591
749
int MAIN(int argc, char *argv[])
593
751
X509_STORE *store = NULL;
792
947
#ifndef OPENSSL_NO_TLSEXT
793
948
else if (strcmp(*argv,"-tlsextdebug") == 0)
950
else if (strcmp(*argv,"-status") == 0)
952
else if (strcmp(*argv,"-status_verbose") == 0)
955
tlscstatp.verbose = 1;
957
else if (!strcmp(*argv, "-status_timeout"))
960
if (--argc < 1) goto bad;
961
tlscstatp.timeout = atoi(*(++argv));
963
else if (!strcmp(*argv, "-status_url"))
966
if (--argc < 1) goto bad;
967
if (!OCSP_parse_url(*(++argv),
973
BIO_printf(bio_err, "Error parsing URL\n");
796
978
else if (strcmp(*argv,"-msg") == 0)