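#!/bin/sh

# Sample script to perform OCSP queries with OpenSSL
# given a certificate serial number.
#
# Calling convention expected here (this is the OpenVPN "tls-verify" hook
# convention): $1 is the depth of the certificate currently being verified,
# $2 is its subject CN, and the serial of that certificate is exported in
# the environment as tls_serial_<depth>.  Exit status 0 accepts the
# certificate, anything else rejects it -- so every error path below must
# end in a non-zero exit (fail closed).

# If you run your own CA, you can set up a very simple
# OCSP server using the -port option to "openssl ocsp".

# Full documentation and examples:
# http://www.openssl.org/docs/apps/ocsp.html


# Edit the following values to suit your needs

# OCSP responder URL (mandatory)
# YOU MUST UNCOMMENT ONE OF THESE AND SET IT TO A VALID SERVER
# NOTE: OCSP responses are signed, so plain http is the usual transport.
# Whether "openssl ocsp -url" accepts an https URL depends on the OpenSSL
# version -- test it manually before relying on it.
#ocsp_url="http://ocsp.example.com/"
#ocsp_url="https://ocsp.secure.example.com/"

# Path to issuer certificate (mandatory)
# YOU MUST SET THIS TO THE PATH TO THE CA CERTIFICATE
issuer="/path/to/CAcert.crt"

# use a nonce in the query, set to "-no_nonce" to not use it.
# The nonce binds the response to this particular request; without it a
# captured "good" response could be replayed until its "Next Update".
nonce="-nonce"

# Verify the response
# YOU MUST SET THIS TO THE PATH TO THE RESPONSE VERIFICATION CERT
# This is the trust anchor the responder's signature must chain to.  If your
# responder signs with a delegated certificate that does not chain to it,
# see -VAfile / -trust_other in the ocsp(1) documentation.
verify="/path/to/CAcert.crt"

# Depth in the certificate chain where the cert to verify is.
# Set to -1 to run the verification at every level (NOTE that
# in that case you need a more complex script as the various
# parameters for the query will likely be different at each level)
# "0" is the usual value here, where the client certificate is
check_depth=0

cur_depth=$1 # this is the *CURRENT* depth
common_name=$2 # CN in case you need it (not used below)

# minimal sanity checks

err=0
if [ -z "$issuer" ] || [ ! -e "$issuer" ]; then
  echo "Error: issuer certificate undefined or not found!" >&2
  err=1
fi

if [ -z "$verify" ] || [ ! -e "$verify" ]; then
  echo "Error: verification certificate undefined or not found!" >&2
  err=1
fi

if [ -z "$ocsp_url" ]; then
  echo "Error: OCSP server URL not defined!" >&2
  err=1
fi

if [ "$err" -eq 1 ]; then
  echo "Did you forget to customize the variables in the script?" >&2
  exit 1
fi

# The depth is spliced into a variable name via eval and compared
# numerically below, so it must be a non-negative integer.  Reject anything
# else explicitly: an empty or malformed value would otherwise make the
# depth comparison fail, skip the whole check, and exit 0 (accept).
case "$cur_depth" in
  ''|*[!0-9]*)
    printf 'Error: invalid certificate depth "%s"\n' "$cur_depth" >&2
    exit 1
    ;;
esac

# begin
if [ "$check_depth" -eq -1 ] || [ "$cur_depth" -eq "$check_depth" ]; then

  # cur_depth is digits-only (checked above), so this eval can only read a
  # tls_serial_<n> variable.  (POSIX sh has no ${!name} indirection.)
  eval serial="\$tls_serial_${cur_depth}"

  # To successfully complete, the following must happen:
  #
  # - The serial number must be non-empty and look like a serial
  #   (decimal, or 0x-prefixed hex, which is what "openssl ocsp -serial"
  #   accepts)
  # - The exit status of "openssl ocsp" must be zero
  # - The output must not contain an error/failure message
  # - If a nonce was requested, the response must actually carry one
  # - The output must contain the lines "${serial}: good" and
  #   "Response verify OK"
  #
  # Everything else fails with exit status 1.

  # The serial is interpolated into a grep pattern below, so restrict it
  # to characters that cannot act as regex metacharacters.
  case "$serial" in
    ''|*[!0-9A-Fa-fx]*)
      printf 'Error: missing or malformed serial for depth %s\n' "$cur_depth" >&2
      exit 1
      ;;
  esac

  # This is only an example; you are encouraged to run this command (without
  # redirections) manually against your or your CA's OCSP server to see how
  # it responds, and adapt accordingly.
  # Sample output that is assumed here:
  #
  # Response verify OK
  # 4287405: good
  # This Update: Apr 24 19:38:49 2010 GMT
  # Next Update: May 2 14:23:42 2010 GMT
  #
  # NOTE: It is needed to check the exit code of OpenSSL explicitly. OpenSSL
  # can in some circumstances give a "good" result if it could not
  # reach the OCSP server. In this case, the exit code will indicate
  # if OpenSSL itself failed or not. If OpenSSL's exit code is not 0,
  # don't trust the OpenSSL status.
  #
  # stderr is merged into $status on purpose: OpenSSL's warnings and error
  # messages go there and are part of what is checked below.

  if status=$(openssl ocsp -issuer "$issuer" \
                           "$nonce" \
                           -CAfile "$verify" \
                           -url "$ocsp_url" \
                           -serial "${serial}" 2>&1); then

    # check if ocsp didn't report any errors (case-insensitive, since
    # OpenSSL capitalises some of its messages, e.g. "Response Verify Failure")
    if printf '%s\n' "$status" | grep -Eiq '(error|fail)'; then
      exit 1
    fi

    # With -nonce, OpenSSL prints "WARNING: no nonce in response" when the
    # responder ignored the nonce, and may still exit 0 (confirm against
    # your OpenSSL version).  Treat it as a failure so that a response
    # without replay protection is not accepted as fresh.
    if [ "$nonce" = "-nonce" ] \
       && printf '%s\n' "$status" | grep -iq 'no nonce in response'; then
      exit 1
    fi

    # Both must hold: the reported status of the certificate is "good" AND
    # the signature on the OCSP response verified against $verify.  A "good"
    # line without "Response verify OK" is an unauthenticated answer.
    if printf '%s\n' "$status" | grep -Eq "^${serial}: good" \
       && printf '%s\n' "$status" | grep -q '^Response verify OK'; then
      exit 0
    fi
  fi
  # if we get here, something was wrong
  exit 1
fi

# Depths other than check_depth are not queried by this script and are
# accepted here; checking intermediates would need per-level settings
# (see check_depth above).
exit 0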