apps/ocsp.c
authorDr. Stephen Henson <steve@openssl.org>
Fri, 14 Dec 2012 23:28:19 +0000 (23:28 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Fri, 14 Dec 2012 23:28:19 +0000 (23:28 +0000)
apps/ocsp.c
demos/certs/ca.cnf
demos/certs/mkcerts.sh

index 16aa23b6f6cc078adc413bb53e9656a3f33115cb..f5e37a6358f44aca1fc4c955a7effe47d1565831 100644 (file)
@@ -148,6 +148,7 @@ int MAIN(int argc, char **argv)
        long nsec = MAX_VALIDITY_PERIOD, maxage = -1;
        char *CAfile = NULL, *CApath = NULL;
        X509_STORE *store = NULL;
+       X509_VERIFY_PARAM *vpm = NULL;
        STACK_OF(X509) *sign_other = NULL, *verify_other = NULL, *rother = NULL;
        char *sign_certfile = NULL, *verify_certfile = NULL, *rcertfile = NULL;
        unsigned long sign_flags = 0, verify_flags = 0, rflags = 0;
@@ -356,6 +357,12 @@ int MAIN(int argc, char **argv)
                                }
                        else badarg = 1;
                        }
+               else if (args_verify(&args, NULL, &badarg, bio_err, &vpm))
+                       {
+                       if (badarg)
+                               goto end;
+                       continue;
+                       }
                else if (!strcmp (*args, "-validity_period"))
                        {
                        if (args[1])
@@ -637,7 +644,10 @@ int MAIN(int argc, char **argv)
 
        if (!req && reqin)
                {
-               derbio = BIO_new_file(reqin, "rb");
+               if (!strcmp(reqin, "-"))
+                       derbio = BIO_new_fp(stdin, BIO_NOCLOSE);
+               else
+                       derbio = BIO_new_file(reqin, "rb");
                if (!derbio)
                        {
                        BIO_printf(bio_err, "Error Opening OCSP request file\n");
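Review bot: The new stdin branch reads the DER request through `BIO_new_fp(stdin, BIO_NOCLOSE)` without the binary mode that the file branch asks for with "rb", so on platforms whose standard streams default to text mode the DER bytes could be translated on the way in; if that platform matters here, a guarded binary-mode switch on stdin (and on stdout in the reqout/respout branches further down) would keep the "-" path equivalent to the file path. The same observation applies to the `respin` hunk later in this file. The enclosing MAIN starts and ends outside the hunk.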
@@ -739,7 +749,10 @@ int MAIN(int argc, char **argv)
 
        if (reqout)
                {
-               derbio = BIO_new_file(reqout, "wb");
+               if (!strcmp(respout, "-"))
+                       derbio = BIO_new_fp(stdout, BIO_NOCLOSE);
+               else
+                       derbio = BIO_new_file(reqout, "wb");
                if(!derbio)
                        {
                        BIO_printf(bio_err, "Error opening file %s\n", reqout);
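Review bot: The stdout test in the `reqout` block compares `respout` instead of `reqout`, so with `-reqout FILE` and no `-respout` (presumably leaving `respout` NULL) the `strcmp` dereferences a null pointer, and with `-respout -` the request would go to stdout whatever `-reqout` named; the line should read `if (!strcmp(reqout, "-"))`. The error message two lines below already uses `reqout`, and the `respout` block later in the file tests its own variable correctly. MAIN continues outside the hunk.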
@@ -782,7 +795,10 @@ int MAIN(int argc, char **argv)
                }
        else if (respin)
                {
-               derbio = BIO_new_file(respin, "rb");
+               if (!strcmp(respin, "-"))
+                       derbio = BIO_new_fp(stdin, BIO_NOCLOSE);
+               else
+                       derbio = BIO_new_file(respin, "rb");
                if (!derbio)
                        {
                        BIO_printf(bio_err, "Error Opening OCSP response file\n");
@@ -807,7 +823,10 @@ int MAIN(int argc, char **argv)
 
        if (respout)
                {
-               derbio = BIO_new_file(respout, "wb");
+               if (!strcmp(respout, "-"))
+                       derbio = BIO_new_fp(stdout, BIO_NOCLOSE);
+               else
+                       derbio = BIO_new_file(respout, "wb");
                if(!derbio)
                        {
                        BIO_printf(bio_err, "Error opening file %s\n", respout);
@@ -854,6 +873,8 @@ int MAIN(int argc, char **argv)
                store = setup_verify(bio_err, CAfile, CApath);
        if (!store)
                goto end;
+       if (vpm)
+               X509_STORE_set1_param(store, vpm);
        if (verify_certfile)
                {
                verify_other = load_certs(bio_err, verify_certfile, FORMAT_PEM,
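Review bot: The result of `X509_STORE_set1_param` is discarded, and that call can fail (it copies the parameters into the store and returns 0 on error), in which case the verify options collected by `args_verify` would silently not apply to the OCSP verification; `if (vpm && !X509_STORE_set1_param(store, vpm)) goto end;` keeps the failure visible through the `ERR_print_errors` at `end:`. The surrounding function continues outside the hunk.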
@@ -904,6 +925,8 @@ end:
        ERR_print_errors(bio_err);
        X509_free(signer);
        X509_STORE_free(store);
+       if (vpm)
+               X509_VERIFY_PARAM_free(vpm);
        EVP_PKEY_free(key);
        EVP_PKEY_free(rkey);
        X509_free(issuer);
index c45fcfd61ecd65cf30095d32248e7f0fb8370062..ddf440bcc832aa1af8866ec56b8834fd7ff3a79d 100644 (file)
@@ -35,6 +35,7 @@ commonName                    = $ENV::CN
 
 basicConstraints=critical, CA:FALSE
 keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment
+subjectAltName=DNS:crl.host.com
 
 # This will be displayed in Netscape's comment listbox.
 nsComment                      = "OpenSSL Generated Certificate"
@@ -42,12 +43,14 @@ nsComment                   = "OpenSSL Generated Certificate"
 # PKIX recommendations harmless if included in all certificates.
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid
+authorityInfoAccess = OCSP;URI:http://ocsp.host.com:8080/cgi-bin/prinenv/some/ocsp/path
 # OCSP responder certificate
 [ ocsp_cert ]
 
 basicConstraints=critical, CA:FALSE
 keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment
 
+
 # This will be displayed in Netscape's comment listbox.
 nsComment                      = "OpenSSL Generated Certificate"
 
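Review bot: The new `authorityInfoAccess` line sits directly under `authorityKeyIdentifier=keyid` and immediately above the `# OCSP responder certificate` comment, so a reader is likely to take it as part of the `[ ocsp_cert ]` section even though it belongs to the section above; a blank line after it, or a short comment such as `# Demo OCSP responder URL; point this at the responder you actually run`, would make the intent clear. The path component `prinenv` in the URL looks like it may be a typo for `printenv`, worth confirming since the demo certificates will carry whatever is written here. The section this hunk modifies begins outside the hunk.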
index 18daa6bcfb8d2a4bf35bd8ea364c150ebfe74e0e..d0fdeac72eb141e028a8500cbbb0688bef0639bf 100644 (file)
@@ -15,7 +15,7 @@ $OPENSSL x509 -req -in intreq.pem -CA root.pem -days 3600 \
        -extfile ca.cnf -extensions v3_ca -CAcreateserial -out intca.pem
 
 # Server certificate: create request first
-CN="Test Server Cert" $OPENSSL req -config ca.cnf -nodes \
+CN="crl.host.com" $OPENSSL req -config ca.cnf -nodes \
        -keyout skey.pem -out req.pem -newkey rsa:1024
 # Sign request: end entity extensions
 $OPENSSL x509 -req -in req.pem -CA intca.pem -CAkey intkey.pem -days 3600 \