mirror of https://github.com/openssl/openssl
Correctly check for trailing digest options.
Multiple digest options to the ocsp utility are allowed: e.g. to use different digests for different certificate IDs. A digest option without a following certificate is however illegal. RT#4215 Reviewed-by: Rich Salz <rsalz@openssl.org>
This commit is contained in:
parent
d535e56526
commit
6302bbd21a
12
apps/ocsp.c
12
apps/ocsp.c
|
@ -228,6 +228,7 @@ int ocsp_main(int argc, char **argv)
|
|||
{
|
||||
BIO *acbio = NULL, *cbio = NULL, *derbio = NULL, *out = NULL;
|
||||
const EVP_MD *cert_id_md = NULL, *rsign_md = NULL;
|
||||
int trailing_md = 0;
|
||||
CA_DB *rdb = NULL;
|
||||
EVP_PKEY *key = NULL, *rkey = NULL;
|
||||
OCSP_BASICRESP *bs = NULL;
|
||||
|
@ -439,6 +440,7 @@ int ocsp_main(int argc, char **argv)
|
|||
goto end;
|
||||
if (!sk_OPENSSL_STRING_push(reqnames, opt_arg()))
|
||||
goto end;
|
||||
trailing_md = 0;
|
||||
break;
|
||||
case OPT_SERIAL:
|
||||
if (cert_id_md == NULL)
|
||||
|
@ -447,6 +449,7 @@ int ocsp_main(int argc, char **argv)
|
|||
goto end;
|
||||
if (!sk_OPENSSL_STRING_push(reqnames, opt_arg()))
|
||||
goto end;
|
||||
trailing_md = 0;
|
||||
break;
|
||||
case OPT_INDEX:
|
||||
ridx_filename = opt_arg();
|
||||
|
@ -490,7 +493,7 @@ int ocsp_main(int argc, char **argv)
|
|||
goto end;
|
||||
break;
|
||||
case OPT_MD:
|
||||
if (cert_id_md != NULL) {
|
||||
if (trailing_md) {
|
||||
BIO_printf(bio_err,
|
||||
"%s: Digest must be before -cert or -serial\n",
|
||||
prog);
|
||||
|
@ -498,9 +501,16 @@ int ocsp_main(int argc, char **argv)
|
|||
}
|
||||
if (!opt_md(opt_unknown(), &cert_id_md))
|
||||
goto opthelp;
|
||||
trailing_md = 1;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
if (trailing_md) {
|
||||
BIO_printf(bio_err, "%s: Digest must be before -cert or -serial\n",
|
||||
prog);
|
||||
goto opthelp;
|
||||
}
|
||||
argc = opt_num_rest();
|
||||
if (argc != 0)
|
||||
goto opthelp;
|
||||
|
|
|
@ -266,24 +266,25 @@ only be used for testing purposes.
|
|||
=item B<-validity_period nsec>, B<-status_age age>
|
||||
|
||||
these options specify the range of times, in seconds, which will be tolerated
|
||||
in an OCSP response. Each certificate status response includes a B<notBefore> time and
|
||||
an optional B<notAfter> time. The current time should fall between these two values, but
|
||||
the interval between the two times may be only a few seconds. In practice the OCSP
|
||||
responder and clients clocks may not be precisely synchronised and so such a check
|
||||
may fail. To avoid this the B<-validity_period> option can be used to specify an
|
||||
acceptable error range in seconds, the default value is 5 minutes.
|
||||
in an OCSP response. Each certificate status response includes a B<notBefore>
|
||||
time and an optional B<notAfter> time. The current time should fall between
|
||||
these two values, but the interval between the two times may be only a few
|
||||
seconds. In practice the OCSP responder and clients clocks may not be precisely
|
||||
synchronised and so such a check may fail. To avoid this the
|
||||
B<-validity_period> option can be used to specify an acceptable error range in
|
||||
seconds, the default value is 5 minutes.
|
||||
|
||||
If the B<notAfter> time is omitted from a response then this means that new status
|
||||
information is immediately available. In this case the age of the B<notBefore> field
|
||||
is checked to see it is not older than B<age> seconds old. By default this additional
|
||||
check is not performed.
|
||||
If the B<notAfter> time is omitted from a response then this means that new
|
||||
status information is immediately available. In this case the age of the
|
||||
B<notBefore> field is checked to see it is not older than B<age> seconds old.
|
||||
By default this additional check is not performed.
|
||||
|
||||
=item B<-[digest]>
|
||||
|
||||
this option sets digest algorithm to use for certificate identification
|
||||
in the OCSP request.
|
||||
Any digest supported by the OpenSSL B<dgst> command can be used.
|
||||
The default is SHA-1.
|
||||
this option sets digest algorithm to use for certificate identification in the
|
||||
OCSP request. Any digest supported by the OpenSSL B<dgst> command can be used.
|
||||
The default is SHA-1. This option may be used multiple times to specify the
|
||||
digest used by subsequent certificate identifiers.
|
||||
|
||||
=back
|
||||
|
||||
|
|
Loading…
Reference in New Issue