source: mod_gnutls/test/data/ocsp.cgi @ 3c123cd

debian/masterdebian/stretch-backportsproxy-ticketupstream
Last change on this file since 3c123cd was 3c123cd, checked in by Fiona Klute <fiona.klute@…>, 2 years ago

Update my name, prepare changelog for the next release
  • Property mode set to 100755
File size: 2.4 KB
RevLine 
[c0c4106]1#!/bin/bash
2# CGI wrapper to use "openssl ocsp" as a simple OCSP responder
3#
[3c123cd]4# Copyright 2016 Fiona Klute
[c0c4106]5#
6# Licensed under the Apache License, Version 2.0 (the "License"); you
7# may not use this file except in compliance with the License.  You
8# may obtain a copy of the License at
9#
10#      http://www.apache.org/licenses/LICENSE-2.0
11#
12# Unless required by applicable law or agreed to in writing, software
13# distributed under the License is distributed on an "AS IS" BASIS,
14# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
15# implied.  See the License for the specific language governing
16# permissions and limitations under the License.
17
18# This is a CGI script to run the OpenSSL OCSP responder from a web
19# server. The CGI environment must provide the following four
20# variables to configure the OCSP responder:
21#
22# CA_CERT: CA certificate of the CA that issued the certificates this
23# OCSP reponder should provide status information for
24#
25# OCSP_INDEX: CA index file in the format used by OpenSSL
26#
27# OCSP_CERT: Certificate that should be used to sign OCSP reponses
28# (either CA_CERT or a dedicated OCSP signer certificate, see RFC
29# 6960, Section 4.2.2.2)
30#
31# OCSP_KEY: Private key for OCSP_CERT
32#
33# Additionally, the OpenSSL binary to use can be configured through
34# the OPENSSL environment variable. If it is not set, the PATH will be
35# searched.
36
37if [ -z "${OPENSSL}" ]; then
38    OPENSSL=$(which openssl)
39fi
[317b569]40if [ -z "${OCSP_VALID_MIN}" ]; then
41    OCSP_VALID_MIN="3"
42fi
[c0c4106]43
44case "${REQUEST_METHOD}" in
45    ("GET")
46        # GET OCSP requests are allowed by RFC 6960, Appendix A.1, but
47        # not implemented here. It should be possible to extract a GET
48        # request from the PATH_INFO CGI variable.
49        echo "Status: 405 Method Not Allowed"
50        echo -e "Content-Type: text/plain\n"
51        echo "OCSP GET request not implemented."
52        ;;
53    ("POST")
54        if [ "${CONTENT_TYPE}" == "application/ocsp-request" ] &&
55               [ ! -z "${CONTENT_LENGTH}" ]; then
56            echo "Status: 200 OK"
57            echo -e "Content-Type: application/ocsp-response\n"
58            ${OPENSSL} ocsp -index "${OCSP_INDEX}" -CA "${CA_CERT}" \
59                    -rsigner "${OCSP_CERT}" -rkey "${OCSP_KEY}" \
[317b569]60                    -nmin "${OCSP_VALID_MIN}" -reqin - -respout -
[c0c4106]61        else
62            echo "Status: 415 Unsupported Media Type"
63            echo -e "Content-Type: text/plain\n"
64            echo "POST request must contain application/ocsp-request data."
65        fi
66        ;;
67    (*)
68        echo "Status: 405 Method Not Allowed"
69        echo -e "Content-Type: text/plain\n"
70        ;;
71esac
Note: See TracBrowser for help on using the repository browser.