source: mod_gnutls/test/data/ocsp.cgi @ c0c4106

Last change on this file since c0c4106 was c0c4106, checked in by Thomas Klute <thomas2.klute@…>, 3 years ago

Test suite: Minimal OCSP responder (CGI script and Apache config snippet)

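#!/bin/bash
# CGI wrapper to use "openssl ocsp" as a simple OCSP responder
#
# Copyright 2016 Thomas Klute
#
# Licensed under the Apache License, Version 2.0 (the "License"); you
# may not use this file except in compliance with the License.  You
# may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied.  See the License for the specific language governing
# permissions and limitations under the License.

# This is a CGI script to run the OpenSSL OCSP responder from a web
# server. The CGI environment must provide the following four
# variables to configure the OCSP responder:
#
# CA_CERT: CA certificate of the CA that issued the certificates this
# OCSP responder should provide status information for
#
# OCSP_INDEX: CA index file in the format used by OpenSSL
#
# OCSP_CERT: Certificate that should be used to sign OCSP responses
# (either CA_CERT or a dedicated OCSP signer certificate, see RFC
# 6960, Section 4.2.2.2)
#
# OCSP_KEY: Private key for OCSP_CERT
#
# Additionally, the OpenSSL binary to use can be configured through
# the OPENSSL environment variable. If it is not set, the PATH will be
# searched.
#
# Request handling notes:
#
# - Only POST requests with Content-Type application/ocsp-request are
#   answered with an OCSP response.
#
# - CONTENT_LENGTH is only checked for presence. Its value is not used
#   to limit how much "openssl ocsp" reads from stdin, so bounding the
#   request body is left to the web server.
#
# - The responder configuration is checked before "200 OK" is sent.
#   Once the headers are out, a later openssl failure (for example an
#   unreadable key file) can no longer change the status and shows up
#   as an empty or truncated body.

# Print a plain-text CGI response.
# Arguments: $1 - status, e.g. "405 Method Not Allowed"
#            $2 - body text; empty for a header-only response
#            $3 - optional additional header line
send_text_response() {
    local status=$1
    local body=$2
    local extra_header=$3

    printf 'Status: %s\n' "${status}"
    if [ -n "${extra_header}" ]; then
        printf '%s\n' "${extra_header}"
    fi
    # The empty line terminates the CGI header block.
    printf 'Content-Type: text/plain\n\n'
    if [ -n "${body}" ]; then
        printf '%s\n' "${body}"
    fi
}

# Handle one CGI request based on the CGI environment variables.
# Globals:  REQUEST_METHOD, CONTENT_TYPE, CONTENT_LENGTH, OPENSSL,
#           CA_CERT, OCSP_INDEX, OCSP_CERT, OCSP_KEY (all read)
# Outputs:  CGI response on stdout, configuration errors on stderr
# Returns:  exit status of "openssl ocsp" for served requests, else 0
ocsp_cgi_main() {
    local openssl_bin=${OPENSSL}
    local var

    case "${REQUEST_METHOD}" in
        ("GET")
            # GET OCSP requests are allowed by RFC 6960, Appendix A.1, but
            # not implemented here. It should be possible to extract a GET
            # request from the PATH_INFO CGI variable.
            send_text_response "405 Method Not Allowed" \
                "OCSP GET request not implemented." "Allow: POST"
            ;;
        ("POST")
            if [ "${CONTENT_TYPE}" != "application/ocsp-request" ] ||
                   [ -z "${CONTENT_LENGTH}" ]; then
                send_text_response "415 Unsupported Media Type" \
                    "POST request must contain application/ocsp-request data."
                return 0
            fi

            if [ -z "${openssl_bin}" ]; then
                openssl_bin=$(command -v openssl) || openssl_bin=""
            fi
            # Without this check an empty value would make the shell run
            # "ocsp" itself as the command instead of the OpenSSL binary.
            if [ -z "${openssl_bin}" ]; then
                printf 'ocsp.cgi: no openssl binary found\n' >&2
                send_text_response "500 Internal Server Error" \
                    "OCSP responder is not configured."
                return 0
            fi

            # Details go to stderr only; the client gets a generic message
            # that does not reveal the server configuration.
            for var in CA_CERT OCSP_INDEX OCSP_CERT OCSP_KEY; do
                if [ -z "${!var}" ]; then
                    printf 'ocsp.cgi: %s is not set\n' "${var}" >&2
                    send_text_response "500 Internal Server Error" \
                        "OCSP responder is not configured."
                    return 0
                fi
            done

            printf 'Status: 200 OK\n'
            printf 'Content-Type: application/ocsp-response\n\n'
            # -nmin 3 sets nextUpdate three minutes ahead, so the
            # generated responses are short-lived. The binary path is
            # quoted so that a path containing spaces is not split.
            "${openssl_bin}" ocsp -index "${OCSP_INDEX}" -CA "${CA_CERT}" \
                -rsigner "${OCSP_CERT}" -rkey "${OCSP_KEY}" \
                -nmin 3 -reqin - -respout -
            ;;
        (*)
            send_text_response "405 Method Not Allowed" "" "Allow: POST"
            ;;
    esac
}

ocsp_cgi_main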