OCSP Updates

1. Add option to example server and client to check the OCSP responder. 2. Add option to example server and client to override the URL to use when checking the OCSP responder. 3. Copy the certificate serial number correctly into OCSP request. Add leading zero only if MS bit is set. 4. Fix responder address used when Auth Info extension is present. 5. Update EmbedOcspLookup callback to better handle the HTTP response and obtain the complete OCSP response.
2013-06-20 11:07:54 -07:00
parent e0a84521c5
commit 0c34ecb451
5 changed files with 202 additions and 77 deletions
@@ -123,6 +123,10 @@ static void Usage(void)
    printf("-f          Fewer packets/group messages\n");
    printf("-N          Use Non-blocking sockets\n");
    printf("-S <str>    Use Host Name Indication\n");
+#ifdef HAVE_OCSP
+    printf("-o          Perform OCSP lookup on peer certificate\n");
+    printf("-O <url>    Perform OCSP lookup using <url> as responder\n");
+#endif
 }

 #ifdef CYASSL_MDK_SHELL
@@ -164,6 +168,11 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
    char*  sniHostName = NULL;
 #endif

+#ifdef HAVE_OCSP
+    int    useOcsp  = 0;
+    char*  ocspUrl  = NULL;
+#endif
+
    ((func_args*)args)->return_code = -1; /* error state */

 #ifdef NO_RSA
@@ -173,7 +182,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
 #endif
    (void)trackMemory;

-    while ((ch = mygetopt(argc, argv, "?dbstnNufp:v:l:A:c:k:S:")) != -1) {
+    while ((ch = mygetopt(argc, argv, "?dbstnNufp:v:l:A:c:k:S:oO:")) != -1) {
        switch (ch) {
            case '?' :
                Usage();
@@ -251,6 +260,19 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
                #endif
                break;

+            case 'o' :
+                #ifdef HAVE_OCSP
+                    useOcsp = 1;
+                #endif
+                break;
+
+            case 'O' :
+                #ifdef HAVE_OCSP
+                    useOcsp = 1;
+                    ocspUrl = myoptarg;
+                #endif
+                break;
+
            default:
                Usage();
                exit(MY_EX_USAGE);
@@ -424,6 +446,15 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
                                                     CYASSL_CRL_START_MON);
    CyaSSL_SetCRL_Cb(ssl, CRL_CallBack);
 #endif
+#ifdef HAVE_OCSP
+    if (useOcsp) {
+        CyaSSL_CTX_OCSP_set_options(ctx,
+                                    CYASSL_OCSP_ENABLE | CYASSL_OCSP_NO_NONCE);
+        if (ocspUrl != NULL)
+            CyaSSL_CTX_OCSP_set_override_url(ctx, ocspUrl);
+    }
+#endif
+
    tcp_accept(&sockfd, &clientfd, (func_args*)args, port, useAnyAddr, doDTLS);
    if (!doDTLS) 
        CloseSocket(sockfd);