Add an OCSPD responder

3 years ago · 5f07a5e24c
2 changed files with 54 additions and 0 deletions
--- a/openssl.cnf
+++ b/openssl.cnf
@ -34,6 +34,11 @@ subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid:always,issuer:always
 basicConstraints = CA:true

+[ v3_ocsp ]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = OCSPSigning
+
 [ req_distinguished_name ]
 countryName                     = Country Name (2 letter code)
 countryName_default             = FR
--- a/shellpki.sh
+++ b/shellpki.sh
@ -52,6 +52,44 @@ commonName_default = ${cn}
 EOF
 }

+ocsp() {
+    umask 0177
+
+    ocsp_uri="${1:-}"
+    [ -z "${ocsp_uri}" ] && usage >&2 && exit 1
+
+    url=$(echo "${ocsp_uri}"|cut -d':' -f1)
+    port=$(echo "${ocsp_uri}"|cut -d':' -f2)
+
+    [ ! -f "${OCSPKEY}" ] && "$OPENSSL"   \
+        genrsa                            \
+        -out "${OCSPKEY}"                 \
+        2048 >/dev/null 2>&1
+
+    "$OPENSSL" req                              \
+        -batch -new                             \
+        -key "${OCSPKEY}"			\
+        -out "${CSRDIR}/ocsp.csr"               \
+        -config /dev/stdin <<EOF
+$(cat "${CONFFILE}")
+commonName_default = ${url}
+[ usr_cert ]
+authorityInfoAccess = OCSP;URI:http://${ocsp_uri}
+EOF
+
+    [ ! -f "${OCSPCERT}" ] && ask_ca_password 0
+
+    [ ! -f "${OCSPCERT}" ] && CA_PASSWORD="${CA_PASSWORD}" "${OPENSSL}"	\
+        ca								\
+        -extensions v3_ocsp                                             \
+        -in "${CSRDIR}/ocsp.csr"					\
+        -out "${OCSPCERT}"                                              \
+        -passin env:CA_PASSWORD                                         \
+        -config "${CONFFILE}"
+
+    "${OPENSSL}" ocsp -index "${INDEX}" -port "${port}" -rsigner "${OCSPCERT}" -rkey "${OCSPKEY}" -CA "${CACERT}" -text
+}
+
 usage() {
    cat <<EOF
 Usage: ${0} <subcommand> [options] [CommonName]
@ -60,6 +98,10 @@ Initialize PKI (create CA key and self-signed cert) :

    ${0} init <commonName_for_CA>

+Run OCSPD server :
+
+    ${0} ocsp <ocsp_uri:ocsp_port>
+
 Create a client cert with key and CSR directly generated on server
 (use -p for set a password on client key) :

@ -367,6 +409,8 @@ main() {
    CADIR=$(grep -E "^dir" "${CONFFILE}" | cut -d'=' -f2|xargs -n1)
    CAKEY=$(grep -E "^private_key" "${CONFFILE}" | cut -d'=' -f2|xargs -n1|sed "s~\$dir~${CADIR}~")
    CACERT=$(grep -E "^certificate" "${CONFFILE}" | cut -d'=' -f2|xargs -n1|sed "s~\$dir~${CADIR}~")
+    OCSPKEY="${CADIR}/ocsp.key"
+    OCSPCERT="${CADIR}/ocsp.pem"
    CRTDIR=$(grep -E "^certs" "${CONFFILE}" | cut -d'=' -f2|xargs -n1|sed "s~\$dir~${CADIR}~")
    TMPDIR=$(grep -E "^new_certs_dir" "${CONFFILE}" | cut -d'=' -f2|xargs -n1|sed "s~\$dir~${CADIR}~")
    INDEX=$(grep -E "^database" "${CONFFILE}" | cut -d'=' -f2|xargs -n1|sed "s~\$dir~${CADIR}~")
@ -398,6 +442,11 @@ main() {
            init "$@"
        ;;

+        ocsp)
+            shift
+            ocsp "$@"
+        ;;
+
        create)
            shift
            create "$@"