source: mod_gnutls/test/data/ocsp.cgi

Last change on this file was 587642d, checked in by Fiona Klute <fiona.klute@…>, 3 months ago

OCSP test: Prevent single-second refresh intervals

With the default failure timeout the default fuzz time ended up being
larger than the cache timeout. Reduce the failure timeout to make sure
extremely short refresh intervals don't interfere with tests.

#!/bin/bash
# CGI wrapper to use "openssl ocsp" as a simple OCSP responder
#
# Copyright 2016 Fiona Klute
#
# Licensed under the Apache License, Version 2.0 (the "License"); you
# may not use this file except in compliance with the License.  You
# may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied.  See the License for the specific language governing
# permissions and limitations under the License.

# This is a CGI script to run the OpenSSL OCSP responder from a web
# server. The CGI environment must provide the following four
# variables to configure the OCSP responder:
#
# CA_CERT: CA certificate of the CA that issued the certificates this
# OCSP responder should provide status information for
#
# OCSP_INDEX: CA index file in the format used by OpenSSL
#
# OCSP_CERT: Certificate that should be used to sign OCSP responses
# (either CA_CERT or a dedicated OCSP signer certificate, see RFC
# 6960, Section 4.2.2.2)
#
# OCSP_KEY: Private key for OCSP_CERT
#
# Additionally, the OpenSSL binary to use can be configured through
# the OPENSSL environment variable. If it is not set, the PATH will be
# searched.

37if [ -z "${OPENSSL}" ]; then
38    OPENSSL=$(which openssl)
39fi
40if [ -z "${OCSP_VALID_MIN}" ]; then
41    OCSP_VALID_MIN="5"
42fi
43
44case "${REQUEST_METHOD}" in
45    ("GET")
46        # GET OCSP requests are allowed by RFC 6960, Appendix A.1, but
47        # not implemented here. It should be possible to extract a GET
48        # request from the PATH_INFO CGI variable.
49        echo "Status: 405 Method Not Allowed"
50        echo -e "Content-Type: text/plain\n"
51        echo "OCSP GET request not implemented."
52        ;;
53    ("POST")
54        if [ "${CONTENT_TYPE}" == "application/ocsp-request" ] &&
55               [ ! -z "${CONTENT_LENGTH}" ]; then
56            echo "Status: 200 OK"
57            echo -e "Content-Type: application/ocsp-response\n"
58            ${OPENSSL} ocsp -index "${OCSP_INDEX}" -CA "${CA_CERT}" \
59                    -rsigner "${OCSP_CERT}" -rkey "${OCSP_KEY}" \
60                    -nmin "${OCSP_VALID_MIN}" -reqin - -respout -
61        else
62            echo "Status: 415 Unsupported Media Type"
63            echo -e "Content-Type: text/plain\n"
64            echo "POST request must contain application/ocsp-request data."
65        fi
66        ;;
67    (*)
68        echo "Status: 405 Method Not Allowed"
69        echo -e "Content-Type: text/plain\n"
70        ;;
71esac