OCSP documentation


OCSP documentation

Randy Turner
Is there any documentation on how I can programmatically create OCSP  
requests, ready to be sent on the wire?

Thanks in advance!
Randy

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: OCSP documentation

Stefan Vatev

> Is there any documentation on how I can programmatically
> create OCSP
> requests, ready to be sent on the wire?
>
> Thanks in advance!
> Randy
>



Well, you should look at openssl.org and the openssl source
code. Here I can give you a small code snippet which should
give you a basic idea of what you have to do (error handling
code is omitted for better readability). My advice is to
compile openssl with the debug option and trace it.

#include <stdio.h>
#include <openssl/bio.h>
#include <openssl/err.h>
#include <openssl/ocsp.h>
#include <openssl/pem.h>
#include <openssl/x509.h>

/* Read one PEM certificate from path; NULL on failure. */
static X509 *load_cert(const char *path)
{
    BIO *bio = BIO_new_file(path, "r");
    X509 *x = NULL;

    if(bio)
    {
        x = PEM_read_bio_X509(bio, NULL, NULL, NULL);
        BIO_free(bio);
    }
    return x;
}

int main(int argc, char** argv)
{
    /* cert: certificate to check; oper_cert: its issuer (needed for the CertID);
       root_cert: trust anchor for the responder; ocsp_cert: responder certificate */
    X509 *cert = NULL, *oper_cert = NULL, *root_cert = NULL, *ocsp_cert = NULL;
    const char *ocsp_url;
    char *host = NULL, *port = NULL, *path = NULL;
    int use_ssl = 0, status, ret = 1;
    BIO *bio_err = NULL, *bc = NULL;
    STACK_OF(OCSP_CERTID) *ids = NULL;
    STACK_OF(X509) *verify_other = NULL;
    OCSP_CERTID *id = NULL;
    OCSP_REQUEST *req = NULL;
    OCSP_RESPONSE *resp = NULL;
    OCSP_BASICRESP *br = NULL;
    X509_STORE *store = NULL;
    unsigned long verify_flags = 0;

    if(argc != 6)
    {
        fprintf(stderr, "Usage : %s cert oper_cert root_cert ocsp_cert ocsp_url\n", argv[0]);
        return 1;
    }

    bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
    if(!bio_err) return 1;

    cert      = load_cert(argv[1]);
    oper_cert = load_cert(argv[2]);
    root_cert = load_cert(argv[3]);
    ocsp_cert = load_cert(argv[4]);
    if(!cert || !oper_cert || !root_cert || !ocsp_cert) goto end;

    ocsp_url = argv[5];

    ids = sk_OCSP_CERTID_new_null();
    req = OCSP_REQUEST_new();
    if(!ids || !req) goto end;

    /* CertID = hash of issuer name, hash of issuer key, serial; NULL md means SHA-1 */
    id = OCSP_cert_to_id(NULL, cert, oper_cert);
    if(!id || !sk_OCSP_CERTID_push(ids, id)) goto end;
    if(!OCSP_request_add0_id(req, id)) goto end;
    id = NULL;   /* add0: req now owns the CertID */

    OCSP_REQUEST_print(bio_err, req, 0);

    if(!OCSP_parse_url(ocsp_url, &host, &port, &path, &use_ssl)) goto end;
    bc = BIO_new_connect(host);
    if(!bc) goto end;
    BIO_set_conn_port(bc, port);
    /* plain TCP; an https:// responder would need an SSL BIO pushed onto bc */

    resp = OCSP_sendreq_bio(bc, path, req);   /* blocking HTTP POST of the DER request */
    if(!resp) goto end;

    OCSP_RESPONSE_print(bio_err, resp, 0);

    /* only a "successful" response carries a BasicOCSPResponse to verify */
    status = OCSP_response_status(resp);
    if(status != OCSP_RESPONSE_STATUS_SUCCESSFUL)
    {
        fprintf(stderr, "responder returned: %s\n", OCSP_response_status_str(status));
        goto end;
    }
    br = OCSP_response_get1_basic(resp);
    if(!br) goto end;

    store = X509_STORE_new();
    if(!store || !X509_STORE_add_cert(store, root_cert)) goto end;

    /* OCSP_NOVERIFY: only the response signature is checked, the responder
       certificate is never chained to root_cert. OCSP_NOINTERN: certificates
       embedded in the response are ignored, so the signer has to be supplied
       via verify_other. Usable for tracing, not for a real revocation check. */
    verify_flags |= OCSP_NOVERIFY;
  //verify_flags |= OCSP_NOCERTS;
    verify_flags |= OCSP_NOCHAIN;
  //verify_flags |= OCSP_NOCHECKS;
  //verify_flags |= OCSP_TRUSTOTHER;
    verify_flags |= OCSP_NOINTERN;

    verify_other = sk_X509_new_null();
    if(!verify_other || !sk_X509_push(verify_other, ocsp_cert)) goto end;

    /* verify_other must be passed in; with OCSP_NOINTERN a NULL here means no signer is ever found */
    if(OCSP_basic_verify(br, verify_other, store, verify_flags) <= 0)
    {
        fprintf(stderr, "response verification failed\n");
        goto end;
    }
    ret = 0;

end:
    if(ret != 0) ERR_print_errors(bio_err);
    OCSP_CERTID_free(id);            /* only non-NULL if add0 never took it */
    sk_X509_free(verify_other);      /* stack only; ocsp_cert is freed below */
    X509_STORE_free(store);
    OCSP_BASICRESP_free(br);
    OCSP_RESPONSE_free(resp);
    BIO_free_all(bc);
    OCSP_REQUEST_free(req);          /* frees the CertIDs it owns */
    sk_OCSP_CERTID_free(ids);        /* stack only; its entries belong to req */
    OPENSSL_free(host);
    OPENSSL_free(port);
    OPENSSL_free(path);
    X509_free(cert);
    X509_free(oper_cert);
    X509_free(root_cert);
    X509_free(ocsp_cert);
    BIO_free(bio_err);
    return ret;
}



P.S.
I'm not quite sure if this source is correct. Don't trust it
too much.

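As an added example, not code from either post above nor from the OpenSSL project: the same request built by hand in C with no OpenSSL dependency, so the DER that OCSP_cert_to_id, OCSP_request_add0_id and OCSP_request_add1_nonce put on the wire is visible byte for byte. It encodes an unsigned OCSPRequest with one CertID (SHA-1 issuer name hash, SHA-1 issuer key hash, serial number) and a nonce extension, following RFC 6960. The hashes, serial and nonce are constructed placeholder bytes, not values from any real certificate, and the buffer sizes assume one CertID and a nonce of at most 32 bytes.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* DER AlgorithmIdentifier for SHA-1: SEQUENCE { OID 1.3.14.3.2.26, NULL } */
static const uint8_t SHA1_ALGID[] = {
    0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00
};
/* id-pkix-ocsp-nonce, OID 1.3.6.1.5.5.7.48.1.2 (RFC 6960 section 4.4.1) */
static const uint8_t OID_OCSP_NONCE[] = {
    0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x02
};

/* One DER TLV with definite length (up to 65535). Returns bytes written. */
size_t der_tlv(uint8_t *out, uint8_t tag, const uint8_t *val, size_t len)
{
    size_t n = 0;
    out[n++] = tag;
    if (len < 0x80) {
        out[n++] = (uint8_t)len;
    } else if (len < 0x100) {
        out[n++] = 0x81; out[n++] = (uint8_t)len;
    } else {
        out[n++] = 0x82; out[n++] = (uint8_t)(len >> 8); out[n++] = (uint8_t)len;
    }
    memcpy(out + n, val, len);
    return n + len;
}

/* DER INTEGER from an unsigned big-endian magnitude: minimal length, with a
 * leading 0x00 only when the top bit is set (serial 80 01 must become 00 80 01). */
size_t der_uint(uint8_t *out, const uint8_t *val, size_t len)
{
    uint8_t tmp[32];
    size_t n = 0;
    if (len == 0 || len + 1 > sizeof tmp) return 0;
    while (len > 1 && val[0] == 0x00 && (val[1] & 0x80) == 0) { val++; len--; }
    if (val[0] & 0x80) tmp[n++] = 0x00;
    memcpy(tmp + n, val, len);
    return der_tlv(out, 0x02, tmp, n + len);
}

/* OCSPRequest { TBSRequest { requestList [ Request { CertID } ], requestExtensions [2] { nonce } } }.
 * issuer_name_hash / issuer_key_hash are 20-byte SHA-1 digests of the issuer's DER Name and of
 * its public key BIT STRING contents, i.e. what OCSP_cert_to_id(NULL, cert, issuer) computes.
 * Returns the encoded length, or 0 on bad input or a too-small output buffer. */
size_t build_ocsp_request(uint8_t *out, size_t cap,
                          const uint8_t *issuer_name_hash, const uint8_t *issuer_key_hash,
                          const uint8_t *serial, size_t serial_len,
                          const uint8_t *nonce, size_t nonce_len)
{
    uint8_t a[192], b[192], c[192], d[192];
    size_t n, m, e;

    if (serial_len == 0 || serial_len > 20 || nonce_len == 0 || nonce_len > 32) return 0;

    /* CertID ::= SEQUENCE { hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber } */
    memcpy(a, SHA1_ALGID, sizeof SHA1_ALGID);
    n = sizeof SHA1_ALGID;
    n += der_tlv(a + n, 0x04, issuer_name_hash, 20);
    n += der_tlv(a + n, 0x04, issuer_key_hash, 20);
    if ((m = der_uint(a + n, serial, serial_len)) == 0) return 0;
    n += m;
    n = der_tlv(b, 0x30, a, n);   /* CertID */
    n = der_tlv(a, 0x30, b, n);   /* Request ::= SEQUENCE { reqCert CertID } */
    n = der_tlv(b, 0x30, a, n);   /* requestList ::= SEQUENCE OF Request */

    /* Nonce extension: extnValue is an OCTET STRING whose content is itself a DER OCTET STRING */
    m = der_tlv(a, 0x04, nonce, nonce_len);
    m = der_tlv(c, 0x04, a, m);
    e = der_tlv(a, 0x06, OID_OCSP_NONCE, sizeof OID_OCSP_NONCE);
    memcpy(a + e, c, m); e += m;  /* critical omitted: DEFAULT FALSE */
    e = der_tlv(c, 0x30, a, e);   /* Extension */
    e = der_tlv(a, 0x30, c, e);   /* Extensions ::= SEQUENCE OF Extension */
    e = der_tlv(c, 0xa2, a, e);   /* requestExtensions [2] EXPLICIT */

    /* TBSRequest: version omitted (DEFAULT v1), requestList, requestExtensions; no signature */
    memcpy(d, b, n); memcpy(d + n, c, e);
    n = der_tlv(a, 0x30, d, n + e);
    n = der_tlv(d, 0x30, a, n);
    if (n > cap) return 0;
    memcpy(out, d, n);
    return n;
}

/* Constructed sample inputs with recognisable patterns; not from any real CA. */
const uint8_t SAMPLE_NAME_HASH[20] = { 0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,
                                       0x0b,0x0c,0x0d,0x0e,0x0f,0x10,0x11,0x12,0x13,0x14 };
const uint8_t SAMPLE_KEY_HASH[20]  = { 0xaa,0xaa,0xaa,0xaa,0xaa,0xaa,0xaa,0xaa,0xaa,0xaa,
                                       0xaa,0xaa,0xaa,0xaa,0xaa,0xaa,0xaa,0xaa,0xaa,0xaa };
const uint8_t SAMPLE_SERIAL[2]     = { 0x80, 0x01 };   /* top bit set: needs a 0x00 prefix */
const uint8_t SAMPLE_NONCE[16]     = { 0xde,0xad,0xbe,0xef,0x00,0x11,0x22,0x33,
                                       0x44,0x55,0x66,0x77,0x88,0x99,0xaa,0xbb };

size_t build_sample_request(uint8_t *out, size_t cap)
{
    return build_ocsp_request(out, cap, SAMPLE_NAME_HASH, SAMPLE_KEY_HASH,
                              SAMPLE_SERIAL, sizeof SAMPLE_SERIAL, SAMPLE_NONCE, sizeof SAMPLE_NONCE);
}

int main(void)
{
    uint8_t req[256];
    size_t i, n = build_sample_request(req, sizeof req);
    for (i = 0; i < n; i++) printf("%02x", req[i]);   /* hex dump of the wire bytes */
    printf("\n");
    return n == 0;
}
```

Pipe the hex through `xxd -r -p > req.der` and inspect it with `openssl asn1parse -inform DER -in req.der`, or compare against `openssl ocsp -issuer issuer.pem -cert cert.pem -reqout req.der`; apart from the nonce value and the real hashes the structure is the same. On the wire these bytes go in an HTTP POST body with Content-Type application/ocsp-request, which is what OCSP_sendreq_bio does for you.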