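#!/bin/bash
# CGI wrapper to use "openssl ocsp" as a simple OCSP responder
#
# Copyright 2016 Fiona Klute
#
# Licensed under the Apache License, Version 2.0 (the "License"); you
# may not use this file except in compliance with the License. You
# may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied. See the License for the specific language governing
# permissions and limitations under the License.

# This is a CGI script to run the OpenSSL OCSP responder from a web
# server. The CGI environment must provide the following four
# variables to configure the OCSP responder:
#
# CA_CERT: CA certificate of the CA that issued the certificates this
# OCSP responder should provide status information for
#
# OCSP_INDEX: CA index file in the format used by OpenSSL
#
# OCSP_CERT: Certificate that should be used to sign OCSP responses
# (either CA_CERT or a dedicated OCSP signer certificate, see RFC
# 6960, Section 4.2.2.2)
#
# OCSP_KEY: Private key for OCSP_CERT
#
# Optionally, OCSP_VALID_MIN sets the number of minutes until the
# nextUpdate time of each response (passed to "openssl ocsp -nmin");
# the default is 3.
#
# Additionally, the OpenSSL binary to use can be configured through
# the OPENSSL environment variable. If it is not set, the PATH will be
# searched.
#
# Diagnostics are written to stderr, which the web server normally
# collects in its error log; clients only ever receive generic error
# text.

# No "set -e": every failure must still produce a well-formed CGI
# response, so errors are handled explicitly below.
set -uo pipefail

OPENSSL=${OPENSSL:-$(command -v openssl)}
OCSP_VALID_MIN=${OCSP_VALID_MIN:-3}

# Upper bound on the request body read from the client, in bytes. OCSP
# requests are small; this bound (chosen here, not a protocol limit) keeps
# the script from feeding arbitrarily large bodies to openssl.
readonly MAX_REQUEST_BYTES=65536

#######################################
# Write the CGI response header block: Status, Content-Type, any extra
# header lines given as further arguments, then the terminating empty
# line.
# Arguments: $1 - HTTP status, e.g. "200 OK"
#            $2 - media type for Content-Type
#            $3.. - additional complete header lines (optional)
# Outputs:   header block on stdout
#######################################
send_headers() {
  local status=$1 ctype=$2
  shift 2
  local header
  printf 'Status: %s\n' "$status"
  printf 'Content-Type: %s\n' "$ctype"
  for header in "$@"; do
    printf '%s\n' "$header"
  done
  printf '\n'
}

#######################################
# Send a plain-text error response.
# Arguments: $1 - HTTP status, e.g. "405 Method Not Allowed"
#            $2 - message body (one line); empty for no body
#            $3.. - additional complete header lines (optional)
# Outputs:   full response on stdout
#######################################
send_error() {
  local status=$1 message=$2
  shift 2
  send_headers "$status" "text/plain" "$@"
  if [[ -n "$message" ]]; then
    printf '%s\n' "$message"
  fi
}

#######################################
# Validate a CONTENT_LENGTH value and print it normalized to plain
# decimal.
# Arguments: $1 - raw CONTENT_LENGTH string (may be empty)
# Outputs:   the length as a decimal integer on stdout, on success only
# Returns:   0 if acceptable, 1 if not a decimal number, 2 if outside
#            1..MAX_REQUEST_BYTES
#######################################
parse_content_length() {
  local raw=$1
  # At most nine digits so the arithmetic below cannot overflow.
  [[ "$raw" =~ ^[0-9]{1,9}$ ]] || return 1
  # 10# forces decimal: a leading zero would otherwise make bash read
  # the value as octal (and reject digits 8 and 9).
  local n=$(( 10#$raw ))
  (( n >= 1 && n <= MAX_REQUEST_BYTES )) || return 2
  printf '%s\n' "$n"
  return 0
}

#######################################
# Check that the responder is configured: openssl is available and all
# four input files are readable. Reports the first problem on stderr.
# Globals:   OPENSSL, CA_CERT, OCSP_INDEX, OCSP_CERT, OCSP_KEY (read)
# Returns:   0 if usable, 1 otherwise
#######################################
config_ok() {
  local var
  if [[ -z "$OPENSSL" ]]; then
    printf '%s: openssl binary not found (set OPENSSL or PATH)\n' \
      "${0##*/}" >&2
    return 1
  fi
  for var in CA_CERT OCSP_INDEX OCSP_CERT OCSP_KEY; do
    if [[ ! -r "${!var:-}" ]]; then
      printf '%s: %s is unset or not readable\n' "${0##*/}" "$var" >&2
      return 1
    fi
  done
  return 0
}

#######################################
# Handle a POST request: validate the request metadata, run the
# responder on the body and relay the DER response.
# Globals:   CONTENT_TYPE, CONTENT_LENGTH, OPENSSL, OCSP_* (read)
#            resp_file (written; removed by the EXIT trap)
# Outputs:   full response on stdout
#######################################
handle_post() {
  local length rc
  length=$(parse_content_length "${CONTENT_LENGTH:-}")
  rc=$?
  if [[ "${CONTENT_TYPE:-}" != "application/ocsp-request" || $rc -eq 1 ]]; then
    send_error "415 Unsupported Media Type" \
      "POST request must contain application/ocsp-request data."
    return 0
  fi
  if (( rc != 0 )); then
    send_error "413 Payload Too Large" "OCSP request too large."
    return 0
  fi
  if ! config_ok; then
    send_error "500 Internal Server Error" "OCSP responder is not configured."
    return 0
  fi

  # The response goes to a temporary file first so that the status line
  # can reflect whether openssl actually produced one; emitting
  # "200 OK" before running openssl would send an empty body on failure.
  resp_file=$(mktemp) || {
    printf '%s: mktemp failed\n' "${0##*/}" >&2
    send_error "500 Internal Server Error" "OCSP responder failed."
    return 0
  }
  trap 'rm -f -- "${resp_file:-}"' EXIT

  # RFC 3875, Section 4.2: read exactly CONTENT_LENGTH bytes; the server
  # is not required to close stdin, so reading to EOF may hang. openssl's
  # own stdout may carry diagnostics (e.g. "Responder Error: ..."), which
  # must not be mixed into the DER response, so it goes to stderr.
  if head -c "$length" \
      | "$OPENSSL" ocsp -index "$OCSP_INDEX" -CA "$CA_CERT" \
          -rsigner "$OCSP_CERT" -rkey "$OCSP_KEY" \
          -nmin "$OCSP_VALID_MIN" -reqin - -respout "$resp_file" >&2 \
      && [[ -s "$resp_file" ]]; then
    # $(( )) strips the leading blanks some wc implementations print.
    send_headers "200 OK" "application/ocsp-response" \
      "Content-Length: $(( $(wc -c < "$resp_file") ))"
    cat -- "$resp_file"
  else
    send_error "500 Internal Server Error" \
      "OCSP responder failed; see server error log."
  fi
  return 0
}

#######################################
# Dispatch on the CGI request method.
# Globals:   REQUEST_METHOD (read)
# Outputs:   full response on stdout
#######################################
main() {
  case "${REQUEST_METHOD:-}" in
    GET)
      # GET OCSP requests are allowed by RFC 6960, Appendix A.1, but
      # not implemented here. It should be possible to extract a GET
      # request from the PATH_INFO CGI variable.
      send_error "405 Method Not Allowed" "OCSP GET request not implemented." \
        "Allow: POST"
      ;;
    POST)
      handle_post
      ;;
    *)
      send_error "405 Method Not Allowed" "" "Allow: POST"
      ;;
  esac
}

main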
---|