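#!/bin/bash
# CGI wrapper to use "openssl ocsp" as a simple OCSP responder
#
# Copyright 2016 Fiona Klute
#
# Licensed under the Apache License, Version 2.0 (the "License"); you
# may not use this file except in compliance with the License. You
# may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied. See the License for the specific language governing
# permissions and limitations under the License.

# This is a CGI script to run the OpenSSL OCSP responder from a web
# server. The CGI environment must provide the following four
# variables to configure the OCSP responder:
#
# CA_CERT: CA certificate of the CA that issued the certificates this
# OCSP responder should provide status information for
#
# OCSP_INDEX: CA index file in the format used by OpenSSL
#
# OCSP_CERT: Certificate that should be used to sign OCSP responses
# (either CA_CERT or a dedicated OCSP signer certificate, see RFC
# 6960, Section 4.2.2.2)
#
# OCSP_KEY: Private key for OCSP_CERT
#
# Optional variables:
#
# OCSP_VALID_MIN: validity period of the produced responses in
# minutes (passed to "openssl ocsp -nmin"), defaults to 3
#
# OPENSSL: the OpenSSL binary to use. If it is not set, the PATH will
# be searched.
#
# Only POST requests carrying "application/ocsp-request" are served
# (RFC 6960, Appendix A.1). GET requests are answered with 405. If the
# responder is misconfigured or "openssl ocsp" fails, a 500 response
# with a generic body is sent; details go to stderr (the server's
# error log), not to the client.

# Make the "head | openssl" pipeline below report a failure in either
# stage.
set -o pipefail

# Honour an explicit ${OPENSSL}; otherwise search the PATH. An empty
# result is detected in handle_post and reported as a 500.
OPENSSL=${OPENSSL:-$(command -v openssl)}
# Default validity window (minutes) for produced responses.
: "${OCSP_VALID_MIN:=3}"

#######################################
# Write a CGI header block terminated by the mandatory blank line.
# Arguments: $1 - HTTP status (e.g. "405 Method Not Allowed")
#            $2 - Content-Type value
#            $3... - additional complete header lines (optional)
# Outputs:   the headers to stdout
# Returns:   0
#######################################
cgi_headers() {
  local status=$1
  local ctype=$2
  shift 2
  printf 'Status: %s\n' "${status}"
  printf 'Content-Type: %s\n' "${ctype}"
  if (( $# > 0 )); then
    printf '%s\n' "$@"
  fi
  printf '\n'
  return 0
}

#######################################
# Send a plain-text response.
# Arguments: $1 - HTTP status
#            $2... - body lines (optional; no body if omitted)
# Outputs:   headers and body to stdout
# Returns:   0
#######################################
text_response() {
  local status=$1
  shift
  cgi_headers "${status}" 'text/plain'
  if (( $# > 0 )); then
    printf '%s\n' "$@"
  fi
  return 0
}

#######################################
# Log a diagnostic to stderr (the web server's error log) and send a
# generic 500 response that does not expose configuration details.
# Arguments: $1 - message for the error log
# Outputs:   500 response to stdout, message to stderr
# Returns:   0
#######################################
server_error() {
  printf 'ocsp-cgi: %s\n' "$1" >&2
  text_response '500 Internal Server Error' 'OCSP responder error.'
}

#######################################
# Verify that the responder is fully configured.
# Globals:   OPENSSL, OCSP_INDEX, CA_CERT, OCSP_CERT, OCSP_KEY (read)
# Returns:   0 when all required settings are present and readable,
#            1 otherwise (after sending a 500 response)
#######################################
check_config() {
  local var
  if [[ -z "${OPENSSL}" || ! -x "${OPENSSL}" ]]; then
    server_error 'OPENSSL is not set to an executable and no openssl found in PATH'
    return 1
  fi
  for var in OCSP_INDEX CA_CERT OCSP_CERT OCSP_KEY; do
    # ${!var} reads the variable named by ${var}.
    if [[ -z "${!var}" || ! -r "${!var}" ]]; then
      server_error "${var} is unset or not readable"
      return 1
    fi
  done
  return 0
}

#######################################
# Handle a POST request: validate Content-Type and Content-Length,
# then feed the request body to "openssl ocsp" and relay its response.
# The response is buffered in a temp file so the HTTP status can
# reflect whether openssl actually succeeded.
# Globals:   CONTENT_TYPE, CONTENT_LENGTH, OPENSSL, OCSP_INDEX,
#            CA_CERT, OCSP_CERT, OCSP_KEY, OCSP_VALID_MIN (read)
# Outputs:   CGI response to stdout
# Returns:   0
#######################################
handle_post() {
  local tmp

  if [[ "${CONTENT_TYPE}" != 'application/ocsp-request' ]]; then
    text_response '415 Unsupported Media Type' \
      'POST request must contain application/ocsp-request data.'
    return 0
  fi
  # RFC 3875 requires CGI scripts to read at most CONTENT_LENGTH
  # bytes; an unbounded read could block on a server that keeps stdin
  # open, so the value must be a plain non-negative integer.
  if [[ ! "${CONTENT_LENGTH}" =~ ^[0-9]+$ ]]; then
    text_response '411 Length Required' \
      'POST request must carry a valid Content-Length.'
    return 0
  fi

  check_config || return 0

  tmp=$(mktemp) || {
    server_error 'mktemp failed'
    return 0
  }
  trap 'rm -f -- "${tmp}"' EXIT

  if head -c "${CONTENT_LENGTH}" \
      | "${OPENSSL}" ocsp -index "${OCSP_INDEX}" -CA "${CA_CERT}" \
          -rsigner "${OCSP_CERT}" -rkey "${OCSP_KEY}" \
          -nmin "${OCSP_VALID_MIN}" -reqin - -respout "${tmp}" 2>&2; then
    cgi_headers '200 OK' 'application/ocsp-response'
    cat -- "${tmp}"
  else
    server_error 'openssl ocsp failed to produce a response'
  fi
  return 0
}

#######################################
# Dispatch on the CGI request method.
# Globals:   REQUEST_METHOD (read)
# Outputs:   CGI response to stdout
# Returns:   0
#######################################
main() {
  case "${REQUEST_METHOD}" in
    GET)
      # GET OCSP requests are allowed by RFC 6960, Appendix A.1, but
      # not implemented here. It should be possible to extract a GET
      # request from the PATH_INFO CGI variable.
      cgi_headers '405 Method Not Allowed' 'text/plain' 'Allow: POST'
      printf '%s\n' 'OCSP GET request not implemented.'
      ;;
    POST)
      handle_post
      ;;
    *)
      cgi_headers '405 Method Not Allowed' 'text/plain' 'Allow: POST'
      ;;
  esac
  return 0
}

main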