components/openca-ocspd/patches/001-1114efa9e9ac249bcd73b4d541529eb9c03cfd2b.patch
PSARC/2016/217 Smartcard Reintroduction
PSARC/2016/233 OpenCA OCSP Responder
22017756 Add openca-ocspd v3.1.2 to Userland consolidation
Patch taken directly from upstream GIT repository.
Version 3.1.2 of openca-ocspd has not been released, yet.
Solaris 12 Userland has the build infrastructure to fetch
sources from SCM repository based on a particular changeset id.
Solaris 11.3 lacks such infrastructure and can only download
tarballs. This patch is applied on top of the last released source
tarball (version 3.1.1) to provide the same functionality as is present
in Solaris 12.
Once version 3.1.2 is released, simply delete this patch.
From 1114efa9e9ac249bcd73b4d541529eb9c03cfd2b Mon Sep 17 00:00:00 2001
From: "Dr. Massimiliano Pala" <[email protected]>
Date: Wed, 25 Mar 2015 18:57:52 -0500
Subject: [PATCH] Added responderIdType option for CA configs. Removed unused
addResponderId config options for the responder.
---
Makefile.in | 15 ++-
aclocal.m4 | 154 +++++++++++++++++++-------
configure | 251 +++++++++++++++++++------------------------
configure.ac | 4 +-
docs/Makefile.in | 2 +-
etc/Makefile.in | 2 +-
etc/ca.d/collegeca.xml | 6 ++
etc/ca.d/self-certs.xml | 6 ++
etc/ocspd.xml.in | 3 -
src/Makefile.in | 2 +-
src/ocspd/Makefile.in | 6 +-
src/ocspd/config.c | 49 ++++++---
src/ocspd/includes/general.h | 67 ++++++------
src/ocspd/response.c | 14 ++-
14 files changed, 340 insertions(+), 241 deletions(-)
diff --git a/Makefile.in b/Makefile.in
index d85a181..a82f2f7 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.13.4 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2013 Free Software Foundation, Inc.
@@ -493,8 +493,8 @@ $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
$(am__aclocal_m4_deps):
src/ocspd/includes/config.h: src/ocspd/includes/stamp-h1
- @if test ! -f $@; then rm -f src/ocspd/includes/stamp-h1; else :; fi
- @if test ! -f $@; then $(MAKE) $(AM_MAKEFLAGS) src/ocspd/includes/stamp-h1; else :; fi
+ @test -f $@ || rm -f src/ocspd/includes/stamp-h1
+ @test -f $@ || $(MAKE) $(AM_MAKEFLAGS) src/ocspd/includes/stamp-h1
src/ocspd/includes/stamp-h1: $(top_srcdir)/src/ocspd/includes/config.h.in $(top_builddir)/config.status
@rm -f src/ocspd/includes/stamp-h1
@@ -773,10 +773,16 @@ dist-xz: distdir
$(am__post_remove_distdir)
dist-tarZ: distdir
+ @echo WARNING: "Support for shar distribution archives is" \
+ "deprecated." >&2
+ @echo WARNING: "It will be removed altogether in Automake 2.0" >&2
tardir=$(distdir) && $(am__tar) | compress -c >$(distdir).tar.Z
$(am__post_remove_distdir)
dist-shar: distdir
+ @echo WARNING: "Support for distribution archives compressed with" \
+ "legacy program 'compress' is deprecated." >&2
+ @echo WARNING: "It will be removed altogether in Automake 2.0" >&2
shar $(distdir) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).shar.gz
$(am__post_remove_distdir)
@@ -818,9 +824,10 @@ distcheck: dist
&& dc_destdir="$${TMPDIR-/tmp}/am-dc-$$$$/" \
&& am__cwd=`pwd` \
&& $(am__cd) $(distdir)/_build \
- && ../configure --srcdir=.. --prefix="$$dc_install_base" \
+ && ../configure \
$(AM_DISTCHECK_CONFIGURE_FLAGS) \
$(DISTCHECK_CONFIGURE_FLAGS) \
+ --srcdir=.. --prefix="$$dc_install_base" \
&& $(MAKE) $(AM_MAKEFLAGS) \
&& $(MAKE) $(AM_MAKEFLAGS) dvi \
&& $(MAKE) $(AM_MAKEFLAGS) check \
diff --git a/aclocal.m4 b/aclocal.m4
index f5e37ea..0af6916 100644
--- a/aclocal.m4
+++ b/aclocal.m4
@@ -1,4 +1,4 @@
-# generated automatically by aclocal 1.13.4 -*- Autoconf -*-
+# generated automatically by aclocal 1.14.1 -*- Autoconf -*-
# Copyright (C) 1996-2013 Free Software Foundation, Inc.
@@ -32,10 +32,10 @@ To do so, use the procedure documented by the package, typically 'autoreconf'.])
# generated from the m4 files accompanying Automake X.Y.
# (This private macro should not be called outside this file.)
AC_DEFUN([AM_AUTOMAKE_VERSION],
-[am__api_version='1.13'
+[am__api_version='1.14'
dnl Some users find AM_AUTOMAKE_VERSION and mistake it for a way to
dnl require some minimum version. Point them to the right macro.
-m4_if([$1], [1.13.4], [],
+m4_if([$1], [1.14.1], [],
[AC_FATAL([Do not call $0, use AM_INIT_AUTOMAKE([$1]).])])dnl
])
@@ -51,7 +51,7 @@ m4_define([_AM_AUTOCONF_VERSION], [])
# Call AM_AUTOMAKE_VERSION and AM_AUTOMAKE_VERSION so they can be traced.
# This function is AC_REQUIREd by AM_INIT_AUTOMAKE.
AC_DEFUN([AM_SET_CURRENT_AUTOMAKE_VERSION],
-[AM_AUTOMAKE_VERSION([1.13.4])dnl
+[AM_AUTOMAKE_VERSION([1.14.1])dnl
m4_ifndef([AC_AUTOCONF_VERSION],
[m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl
_AM_AUTOCONF_VERSION(m4_defn([AC_AUTOCONF_VERSION]))])
@@ -418,6 +418,12 @@ AC_DEFUN([AM_OUTPUT_DEPENDENCY_COMMANDS],
# This macro actually does too much. Some checks are only needed if
# your package does certain things. But this isn't really a big deal.
+dnl Redefine AC_PROG_CC to automatically invoke _AM_PROG_CC_C_O.
+m4_define([AC_PROG_CC],
+m4_defn([AC_PROG_CC])
+[_AM_PROG_CC_C_O
+])
+
# AM_INIT_AUTOMAKE(PACKAGE, VERSION, [NO-DEFINE])
# AM_INIT_AUTOMAKE([OPTIONS])
# -----------------------------------------------
@@ -526,7 +532,48 @@ dnl macro is hooked onto _AC_COMPILER_EXEEXT early, see below.
AC_CONFIG_COMMANDS_PRE(dnl
[m4_provide_if([_AM_COMPILER_EXEEXT],
[AM_CONDITIONAL([am__EXEEXT], [test -n "$EXEEXT"])])])dnl
-])
+
+# POSIX will say in a future version that running "rm -f" with no argument
+# is OK; and we want to be able to make that assumption in our Makefile
+# recipes. So use an aggressive probe to check that the usage we want is
+# actually supported "in the wild" to an acceptable degree.
+# See automake bug#10828.
+# To make any issue more visible, cause the running configure to be aborted
+# by default if the 'rm' program in use doesn't match our expectations; the
+# user can still override this though.
+if rm -f && rm -fr && rm -rf; then : OK; else
+ cat >&2 <<'END'
+Oops!
+
+Your 'rm' program seems unable to run without file operands specified
+on the command line, even when the '-f' option is present. This is contrary
+to the behaviour of most rm programs out there, and not conforming with
+the upcoming POSIX standard: <http://austingroupbugs.net/view.php?id=542>
+
+Please tell [email protected] about your system, including the value
+of your $PATH and any error possibly output before this message. This
+can help us improve future automake versions.
+
+END
+ if test x"$ACCEPT_INFERIOR_RM_PROGRAM" = x"yes"; then
+ echo 'Configuration will proceed anyway, since you have set the' >&2
+ echo 'ACCEPT_INFERIOR_RM_PROGRAM variable to "yes"' >&2
+ echo >&2
+ else
+ cat >&2 <<'END'
+Aborting the configuration process, to ensure you take notice of the issue.
+
+You can download and install GNU coreutils to get an 'rm' implementation
+that behaves properly: <http://www.gnu.org/software/coreutils/>.
+
+If you want to complete the configuration process using your problematic
+'rm' anyway, export the environment variable ACCEPT_INFERIOR_RM_PROGRAM
+to "yes", and re-run configure.
+
+END
+ AC_MSG_ERROR([Your 'rm' program is bad, sorry.])
+ fi
+fi])
dnl Hook into '_AC_COMPILER_EXEEXT' early to learn its expansion. Do not
dnl add the conditional right here, as _AC_COMPILER_EXEEXT may be further
@@ -534,7 +581,6 @@ dnl mangled by Autoconf and run in a shell conditional statement.
m4_define([_AC_COMPILER_EXEEXT],
m4_defn([_AC_COMPILER_EXEEXT])[m4_provide([_AM_COMPILER_EXEEXT])])
-
# When config.status generates a header, we must update the stamp-h file.
# This file resides in the same directory as the config header
# that is generated. The stamp files are numbered to have different names.
@@ -682,38 +728,6 @@ AC_MSG_RESULT([$_am_result])
rm -f confinc confmf
])
-# Copyright (C) 1999-2013 Free Software Foundation, Inc.
-#
-# This file is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# AM_PROG_CC_C_O
-# --------------
-# Like AC_PROG_CC_C_O, but changed for automake.
-AC_DEFUN([AM_PROG_CC_C_O],
-[AC_REQUIRE([AC_PROG_CC_C_O])dnl
-AC_REQUIRE([AM_AUX_DIR_EXPAND])dnl
-AC_REQUIRE_AUX_FILE([compile])dnl
-# FIXME: we rely on the cache variable name because
-# there is no other way.
-set dummy $CC
-am_cc=`echo $[2] | sed ['s/[^a-zA-Z0-9_]/_/g;s/^[0-9]/_/']`
-eval am_t=\$ac_cv_prog_cc_${am_cc}_c_o
-if test "$am_t" != yes; then
- # Losing compiler, so override with the script.
- # FIXME: It is wrong to rewrite CC.
- # But if we don't then we get into trouble of one sort or another.
- # A longer-term fix would be to have automake use am__CC in this case,
- # and then we could set am__CC="\$(top_srcdir)/compile \$(CC)"
- CC="$am_aux_dir/compile $CC"
-fi
-dnl Make sure AC_PROG_CC is never called again, or it will override our
-dnl setting of CC.
-m4_define([AC_PROG_CC],
- [m4_fatal([AC_PROG_CC cannot be called after AM_PROG_CC_C_O])])
-])
-
# Fake the existence of programs that GNU maintainers use. -*- Autoconf -*-
# Copyright (C) 1997-2013 Free Software Foundation, Inc.
@@ -784,6 +798,70 @@ AC_DEFUN([_AM_SET_OPTIONS],
AC_DEFUN([_AM_IF_OPTION],
[m4_ifset(_AM_MANGLE_OPTION([$1]), [$2], [$3])])
+# Copyright (C) 1999-2013 Free Software Foundation, Inc.
+#
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# _AM_PROG_CC_C_O
+# ---------------
+# Like AC_PROG_CC_C_O, but changed for automake. We rewrite AC_PROG_CC
+# to automatically call this.
+AC_DEFUN([_AM_PROG_CC_C_O],
+[AC_REQUIRE([AM_AUX_DIR_EXPAND])dnl
+AC_REQUIRE_AUX_FILE([compile])dnl
+AC_LANG_PUSH([C])dnl
+AC_CACHE_CHECK(
+ [whether $CC understands -c and -o together],
+ [am_cv_prog_cc_c_o],
+ [AC_LANG_CONFTEST([AC_LANG_PROGRAM([])])
+ # Make sure it works both with $CC and with simple cc.
+ # Following AC_PROG_CC_C_O, we do the test twice because some
+ # compilers refuse to overwrite an existing .o file with -o,
+ # though they will create one.
+ am_cv_prog_cc_c_o=yes
+ for am_i in 1 2; do
+ if AM_RUN_LOG([$CC -c conftest.$ac_ext -o conftest2.$ac_objext]) \
+ && test -f conftest2.$ac_objext; then
+ : OK
+ else
+ am_cv_prog_cc_c_o=no
+ break
+ fi
+ done
+ rm -f core conftest*
+ unset am_i])
+if test "$am_cv_prog_cc_c_o" != yes; then
+ # Losing compiler, so override with the script.
+ # FIXME: It is wrong to rewrite CC.
+ # But if we don't then we get into trouble of one sort or another.
+ # A longer-term fix would be to have automake use am__CC in this case,
+ # and then we could set am__CC="\$(top_srcdir)/compile \$(CC)"
+ CC="$am_aux_dir/compile $CC"
+fi
+AC_LANG_POP([C])])
+
+# For backward compatibility.
+AC_DEFUN_ONCE([AM_PROG_CC_C_O], [AC_REQUIRE([AC_PROG_CC])])
+
+# Copyright (C) 2001-2013 Free Software Foundation, Inc.
+#
+# This file is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# AM_RUN_LOG(COMMAND)
+# -------------------
+# Run COMMAND, save the exit status in ac_status, and log it.
+# (This has been adapted from Autoconf's _AC_RUN_LOG macro.)
+AC_DEFUN([AM_RUN_LOG],
+[{ echo "$as_me:$LINENO: $1" >&AS_MESSAGE_LOG_FD
+ ($1) >&AS_MESSAGE_LOG_FD 2>&AS_MESSAGE_LOG_FD
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&AS_MESSAGE_LOG_FD
+ (exit $ac_status); }])
+
# Check to make sure that the build environment is sane. -*- Autoconf -*-
# Copyright (C) 1996-2013 Free Software Foundation, Inc.
diff --git a/configure b/configure
index 1c73fed..cfc2d55 100755
--- a/configure
+++ b/configure
@@ -1,11 +1,11 @@
#! /bin/sh
# From configure.ac Revision: 1.4 .
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for openca-ocspd 3.1.1.
+# Generated by GNU Autoconf 2.69 for openca-ocspd 3.1.2.
#
# Report bugs to <[email protected]>.
#
-# Copyright 2007-2014 by Massimiliano Pala and OpenCA Labs
+# Copyright 2007-2015 by Massimiliano Pala and OpenCA Labs
#
#
# Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
@@ -593,8 +593,8 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='openca-ocspd'
PACKAGE_TARNAME='openca-ocspd'
-PACKAGE_VERSION='3.1.1'
-PACKAGE_STRING='openca-ocspd 3.1.1'
+PACKAGE_VERSION='3.1.2'
+PACKAGE_STRING='openca-ocspd 3.1.2'
PACKAGE_BUGREPORT='[email protected]'
PACKAGE_URL=''
@@ -1377,7 +1377,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures openca-ocspd 3.1.1 to adapt to many kinds of systems.
+\`configure' configures openca-ocspd 3.1.2 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1448,7 +1448,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of openca-ocspd 3.1.1:";;
+ short | recursive ) echo "Configuration of openca-ocspd 3.1.2:";;
esac
cat <<\_ACEOF
@@ -1566,14 +1566,14 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-openca-ocspd configure 3.1.1
+openca-ocspd configure 3.1.2
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
This configure script is free software; the Free Software Foundation
gives unlimited permission to copy, distribute and modify it.
-Copyright 2007-2014 by Massimiliano Pala and OpenCA Labs
+Copyright 2007-2015 by Massimiliano Pala and OpenCA Labs
_ACEOF
exit
fi
@@ -1937,7 +1937,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by openca-ocspd $as_me 3.1.1, which was
+It was created by openca-ocspd $as_me 3.1.2, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
@@ -2448,7 +2448,7 @@ test -n "$target_alias" &&
program_prefix=${target_alias}-
-am__api_version='1.13'
+am__api_version='1.14'
# Find a good install program. We prefer a C program (faster),
# so one script is as good as another. But avoid the broken or
@@ -2934,7 +2934,7 @@ fi
# Define the identity of the package.
PACKAGE='openca-ocspd'
- VERSION='3.1.1'
+ VERSION='3.1.2'
cat >>confdefs.h <<_ACEOF
@@ -2985,6 +2985,47 @@ am__tar='$${TAR-tar} chof - "$$tardir"' am__untar='$${TAR-tar} xf -'
+# POSIX will say in a future version that running "rm -f" with no argument
+# is OK; and we want to be able to make that assumption in our Makefile
+# recipes. So use an aggressive probe to check that the usage we want is
+# actually supported "in the wild" to an acceptable degree.
+# See automake bug#10828.
+# To make any issue more visible, cause the running configure to be aborted
+# by default if the 'rm' program in use doesn't match our expectations; the
+# user can still override this though.
+if rm -f && rm -fr && rm -rf; then : OK; else
+ cat >&2 <<'END'
+Oops!
+
+Your 'rm' program seems unable to run without file operands specified
+on the command line, even when the '-f' option is present. This is contrary
+to the behaviour of most rm programs out there, and not conforming with
+the upcoming POSIX standard: <http://austingroupbugs.net/view.php?id=542>
+
+Please tell [email protected] about your system, including the value
+of your $PATH and any error possibly output before this message. This
+can help us improve future automake versions.
+
+END
+ if test x"$ACCEPT_INFERIOR_RM_PROGRAM" = x"yes"; then
+ echo 'Configuration will proceed anyway, since you have set the' >&2
+ echo 'ACCEPT_INFERIOR_RM_PROGRAM variable to "yes"' >&2
+ echo >&2
+ else
+ cat >&2 <<'END'
+Aborting the configuration process, to ensure you take notice of the issue.
+
+You can download and install GNU coreutils to get an 'rm' implementation
+that behaves properly: <http://www.gnu.org/software/coreutils/>.
+
+If you want to complete the configuration process using your problematic
+'rm' anyway, export the environment variable ACCEPT_INFERIOR_RM_PROGRAM
+to "yes", and re-run configure.
+
+END
+ as_fn_error $? "Your 'rm' program is bad, sorry." "$LINENO" 5
+ fi
+fi
#AC_DISABLE_FAST_INSTALL
#AC_DISABLE_SHARED
@@ -3957,6 +3998,65 @@ ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
ac_compiler_gnu=$ac_cv_c_compiler_gnu
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC understands -c and -o together" >&5
+$as_echo_n "checking whether $CC understands -c and -o together... " >&6; }
+if ${am_cv_prog_cc_c_o+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+ # Make sure it works both with $CC and with simple cc.
+ # Following AC_PROG_CC_C_O, we do the test twice because some
+ # compilers refuse to overwrite an existing .o file with -o,
+ # though they will create one.
+ am_cv_prog_cc_c_o=yes
+ for am_i in 1 2; do
+ if { echo "$as_me:$LINENO: $CC -c conftest.$ac_ext -o conftest2.$ac_objext" >&5
+ ($CC -c conftest.$ac_ext -o conftest2.$ac_objext) >&5 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } \
+ && test -f conftest2.$ac_objext; then
+ : OK
+ else
+ am_cv_prog_cc_c_o=no
+ break
+ fi
+ done
+ rm -f core conftest*
+ unset am_i
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_prog_cc_c_o" >&5
+$as_echo "$am_cv_prog_cc_c_o" >&6; }
+if test "$am_cv_prog_cc_c_o" != yes; then
+ # Losing compiler, so override with the script.
+ # FIXME: It is wrong to rewrite CC.
+ # But if we don't then we get into trouble of one sort or another.
+ # A longer-term fix would be to have automake use am__CC in this case,
+ # and then we could set am__CC="\$(top_srcdir)/compile \$(CC)"
+ CC="$am_aux_dir/compile $CC"
+fi
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+
depcc="$CC" am_compiler_list=
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking dependency style of $depcc" >&5
@@ -4585,131 +4685,6 @@ done
ac_config_headers="$ac_config_headers src/ocspd/includes/config.h"
-if test "x$CC" != xcc; then
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC and cc understand -c and -o together" >&5
-$as_echo_n "checking whether $CC and cc understand -c and -o together... " >&6; }
-else
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether cc understands -c and -o together" >&5
-$as_echo_n "checking whether cc understands -c and -o together... " >&6; }
-fi
-set dummy $CC; ac_cc=`$as_echo "$2" |
- sed 's/[^a-zA-Z0-9_]/_/g;s/^[0-9]/_/'`
-if eval \${ac_cv_prog_cc_${ac_cc}_c_o+:} false; then :
- $as_echo_n "(cached) " >&6
-else
- cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h. */
-
-int
-main ()
-{
-
- ;
- return 0;
-}
-_ACEOF
-# Make sure it works both with $CC and with simple cc.
-# We do the test twice because some compilers refuse to overwrite an
-# existing .o file with -o, though they will create one.
-ac_try='$CC -c conftest.$ac_ext -o conftest2.$ac_objext >&5'
-rm -f conftest2.*
-if { { case "(($ac_try" in
- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
- *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
-$as_echo "$ac_try_echo"; } >&5
- (eval "$ac_try") 2>&5
- ac_status=$?
- $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
- test $ac_status = 0; } &&
- test -f conftest2.$ac_objext && { { case "(($ac_try" in
- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
- *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
-$as_echo "$ac_try_echo"; } >&5
- (eval "$ac_try") 2>&5
- ac_status=$?
- $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
- test $ac_status = 0; };
-then
- eval ac_cv_prog_cc_${ac_cc}_c_o=yes
- if test "x$CC" != xcc; then
- # Test first that cc exists at all.
- if { ac_try='cc -c conftest.$ac_ext >&5'
- { { case "(($ac_try" in
- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
- *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
-$as_echo "$ac_try_echo"; } >&5
- (eval "$ac_try") 2>&5
- ac_status=$?
- $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
- test $ac_status = 0; }; }; then
- ac_try='cc -c conftest.$ac_ext -o conftest2.$ac_objext >&5'
- rm -f conftest2.*
- if { { case "(($ac_try" in
- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
- *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
-$as_echo "$ac_try_echo"; } >&5
- (eval "$ac_try") 2>&5
- ac_status=$?
- $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
- test $ac_status = 0; } &&
- test -f conftest2.$ac_objext && { { case "(($ac_try" in
- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
- *) ac_try_echo=$ac_try;;
-esac
-eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
-$as_echo "$ac_try_echo"; } >&5
- (eval "$ac_try") 2>&5
- ac_status=$?
- $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
- test $ac_status = 0; };
- then
- # cc works too.
- :
- else
- # cc exists but doesn't like -o.
- eval ac_cv_prog_cc_${ac_cc}_c_o=no
- fi
- fi
- fi
-else
- eval ac_cv_prog_cc_${ac_cc}_c_o=no
-fi
-rm -f core conftest*
-
-fi
-if eval test \$ac_cv_prog_cc_${ac_cc}_c_o = yes; then
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }
-else
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
-
-$as_echo "#define NO_MINUS_C_MINUS_O 1" >>confdefs.h
-
-fi
-
-# FIXME: we rely on the cache variable name because
-# there is no other way.
-set dummy $CC
-am_cc=`echo $2 | sed 's/[^a-zA-Z0-9_]/_/g;s/^[0-9]/_/'`
-eval am_t=\$ac_cv_prog_cc_${am_cc}_c_o
-if test "$am_t" != yes; then
- # Losing compiler, so override with the script.
- # FIXME: It is wrong to rewrite CC.
- # But if we don't then we get into trouble of one sort or another.
- # A longer-term fix would be to have automake use am__CC in this case,
- # and then we could set am__CC="\$(top_srcdir)/compile \$(CC)"
- CC="$am_aux_dir/compile $CC"
-fi
-
ac_ext=c
@@ -13875,7 +13850,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by openca-ocspd $as_me 3.1.1, which was
+This file was extended by openca-ocspd $as_me 3.1.2, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -13941,7 +13916,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
-openca-ocspd config.status 3.1.1
+openca-ocspd config.status 3.1.2
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
diff --git a/configure.ac b/configure.ac
index e4ccf22..b9e370c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2,10 +2,10 @@ dnl -*- mode: m4; -*-
dnl Process this file with autoconf to produce a configure script.
AC_REVISION($Revision: 1.4 $)
-AC_COPYRIGHT([Copyright 2007-2014 by Massimiliano Pala and OpenCA Labs])
+AC_COPYRIGHT([Copyright 2007-2015 by Massimiliano Pala and OpenCA Labs])
dnl Autoconf
-AC_INIT(openca-ocspd, 3.1.1, [[email protected]], [openca-ocspd])
+AC_INIT(openca-ocspd, 3.1.2, [[email protected]], [openca-ocspd])
dnl Some variables
VERSION=$PACKAGE_VERSION
diff --git a/docs/Makefile.in b/docs/Makefile.in
index 85ac380..140207a 100644
--- a/docs/Makefile.in
+++ b/docs/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.13.4 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2013 Free Software Foundation, Inc.
diff --git a/etc/Makefile.in b/etc/Makefile.in
index 7af691f..a174a3d 100644
--- a/etc/Makefile.in
+++ b/etc/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.13.4 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2013 Free Software Foundation, Inc.
diff --git a/etc/ca.d/collegeca.xml b/etc/ca.d/collegeca.xml
index e67a939..3471267 100644
--- a/etc/ca.d/collegeca.xml
+++ b/etc/ca.d/collegeca.xml
@@ -28,6 +28,12 @@
the serverToken is used, it has the precedence over the serverCertUrl
one -->
<!-- <pki:serverToken></pki:serverToken> -->
+ <!-- This allows for setting the responderIdType for the responder. The allowed
+ values are:
+ - 'name' for using the hash of the signer's certificate name
+ - 'keyid' for using the hash of the signer's public key
+ The default value (if not set) is to use the name identifier -->
+ <pki:responderIdType>name</pki:responderIdType>
<!-- In case a CA is compromised, set this option to yes. All the
responses for this CA will carry the caCompromised flag. -->
<pki:caCompromised>no</pki:caCompromised>
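Review bot: The added comment describes `name` as "the hash of the signer's certificate name", but in an OCSP ResponderID the byName form carries the signer's subject name itself; only the byKey form is a hash (of the signer's public key). Suggested wording: `- 'name' to identify the responder by the signer certificate's subject name` and `- 'keyid' to identify the responder by the hash of the signer's public key`. The same comment is added in etc/ca.d/self-certs.xml and needs the same correction. It would also help to state that any other value makes the daemon exit at startup, which is what the config.c change in this patch does.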
diff --git a/etc/ca.d/self-certs.xml b/etc/ca.d/self-certs.xml
index 2665175..f03a2e1 100644
--- a/etc/ca.d/self-certs.xml
+++ b/etc/ca.d/self-certs.xml
@@ -28,6 +28,12 @@
the serverToken is used, it has the precedence over the serverCertUrl
one -->
<!-- <pki:serverToken></pki:serverToken> -->
+ <!-- This allows for setting the responderIdType for the responder. The allowed
+ values are:
+ - 'name' for using the hash of the signer's certificate name
+ - 'keyid' for using the hash of the signer's public key
+ The default value (if not set) is to use the name identifier -->
+ <pki:responderIdType>name</pki:responderIdType>
<!-- In case a CA is compromised, set this option to yes. All the
responses for this CA will carry the caCompromised flag. -->
<pki:caCompromised>no</pki:caCompromised>
diff --git a/etc/ocspd.xml.in b/etc/ocspd.xml.in
index bb74d34..c028e67 100644
--- a/etc/ocspd.xml.in
+++ b/etc/ocspd.xml.in
@@ -59,9 +59,6 @@
<!-- Digest Algorithm to be used when signing responses, currently
for some CISCO devices SHA1 is the only supported algorithm -->
<pki:signatureDigestAlgorithm>SHA1</pki:signatureDigestAlgorithm>
- <!-- Set this option if you want to include the KeyID. If you are
- unsure about this setting, use 'yes'. -->
- <pki:addResponseKeyID>yes</pki:addResponseKeyID>
<!-- Validity Period of responses, clients are not supposed to ask
informations about the same CA within this validity period
If the two options are both set to '0' the 'nextUpdate' field
diff --git a/src/Makefile.in b/src/Makefile.in
index c7b1dcf..23c5b79 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.13.4 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2013 Free Software Foundation, Inc.
diff --git a/src/ocspd/Makefile.in b/src/ocspd/Makefile.in
index 0c02f4e..3ecb86f 100644
--- a/src/ocspd/Makefile.in
+++ b/src/ocspd/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.13.4 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2013 Free Software Foundation, Inc.
@@ -442,14 +442,14 @@ distclean-compile:
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $<
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $<
.c.obj:
@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'`
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
.c.lo:
@am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
diff --git a/src/ocspd/config.c b/src/ocspd/config.c
index 5ee4258..3ecb676 100644
--- a/src/ocspd/config.c
+++ b/src/ocspd/config.c
@@ -300,17 +300,6 @@ OCSPD_CONFIG * OCSPD_load_config(char *configfile)
PKI_Free(tmp_s);
}
- /* Digest Algorithm to be used */
- if ((tmp_s = PKI_CONFIG_get_value(cnf, "/serverConfig/response/addResponseKeyID")) != NULL)
- {
- if (strncmp_nocase(tmp_s, "n", 1) == 0)
- {
- h->add_response_keyid = 1;
- }
-
- PKI_Free(tmp_s);
- }
-
/* Now Parse the PRQP Response Section */
if ((tmp_s = PKI_CONFIG_get_value( cnf, "/serverConfig/response/validity/days" )) != NULL)
{
@@ -578,21 +567,53 @@ int OCSPD_build_ca_list ( OCSPD_CONFIG *handler,
ca->token_name = tmp_s;
ca->token = PKI_TOKEN_new_null();
- if ((tmp_s = PKI_CONFIG_get_value ( cnf, "/caConfig/pkiConfigDir" )) != NULL)
+ if ((tmp_s = PKI_CONFIG_get_value ( cnf, "/caConfig/pkiConfigDir" )) != NULL) {
ca->token_config_dir = strdup( tmp_s );
+ PKI_Free(tmp_s);
+ }
else
+ {
ca->token_config_dir = strdup(handler->token_config_dir);
+ }
}
- if((tmp_s = PKI_CONFIG_get_value ( cnf, "/caConfig/caCompromised" )) == NULL)
+ if((tmp_s = PKI_CONFIG_get_value ( cnf, "/caConfig/caCompromised" )) == NULL) {
ca->compromised = 0;
+ }
else
+ {
ca->compromised = atoi(tmp_s);
+ PKI_Free(tmp_s);
+ }
+
+ /* Responder Id Type */
+ if ((tmp_s = PKI_CONFIG_get_value(cnf, "/caConfig/responderIdType")) != NULL)
+ {
+ if (strncmp_nocase(tmp_s, "keyid", 5) == 0)
+ {
+ ca->response_id_type = PKI_X509_OCSP_RESPID_TYPE_BY_KEYID;
+ }
+ else if (strncmp_nocase(tmp_s, "name", 4) == 0)
+ {
+ ca->response_id_type = PKI_X509_OCSP_RESPID_TYPE_BY_NAME;
+ }
+ else
+ {
+ PKI_log_err("Can not parse responderIdType: %s (allowed 'keyid' or 'name')", tmp_s);
+ exit(1);
+ }
+
+ PKI_Free(tmp_s);
+ }
+ else
+ {
+ // Default Value
+ ca->response_id_type = PKI_X509_OCSP_RESPID_TYPE_BY_NAME;
+ }
// Now let's add the CA_LIST_ENTRY to the list of configured CAs
PKI_STACK_push ( ca_list, ca );
- PKI_Free(tmp_s);
}
handler->ca_list = ca_list;
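Review bot: `ca->compromised = atoi(tmp_s);` maps the documented setting to 0, because the sample CA files in this same patch tell the operator to set `caCompromised` to `yes`, and `atoi("yes")` is 0; the struct comment in general.h says only `compromised > 0` makes the responder answer "revoked", so a CA flagged as compromised would apparently keep receiving normal responses. The commit only adds braces and a `PKI_Free` around that line. It could be parsed the way `responderIdType` is parsed just below, for example `ca->compromised = (strncmp_nocase(tmp_s, "y", 1) == 0 || atoi(tmp_s) > 0);`, with unrecognised values logged. Separately, `strncmp_nocase(tmp_s, "keyid", 5)` looks like a prefix comparison, so a mistyped value such as `keyid-typo` would be accepted as `keyid`; checking the length as well would let the error branch catch it. OCSPD_build_ca_list starts and ends outside this hunk.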
diff --git a/src/ocspd/includes/general.h b/src/ocspd/includes/general.h
index f82f236..34c453e 100644
--- a/src/ocspd/includes/general.h
+++ b/src/ocspd/includes/general.h
@@ -110,51 +110,53 @@ typedef struct ca_entry_certid
#define sk_CA_ENTRY_CERTID_find(st) SKM_sk_find(CA_ENTRY_CERTID, (st))
/* List of available CAs */
-typedef struct ca_list_st
- {
- /* CA Identifier - Name from config file */
- char *ca_id;
+typedef struct ca_list_st {
+ /* CA Identifier - Name from config file */
+ char *ca_id;
- /* CA Status - If compromised > 0 respond all revoked */
- int compromised;
+ /* CA Status - If compromised > 0 respond all revoked */
+ int compromised;
- /* CA certificate */
- PKI_X509_CERT *ca_cert;
+ /* CA certificate */
+ PKI_X509_CERT *ca_cert;
- /* Cert Identifier */
- CA_ENTRY_CERTID *cid;
+ /* Cert Identifier */
+ CA_ENTRY_CERTID *cid;
- /* CA certificate URL */
- URL *ca_url;
+ /* CA certificate URL */
+ URL *ca_url;
- /* CRL URL */
- URL *crl_url;
+ /* CRL URL */
+ URL *crl_url;
- /* CRL data */
- PKI_X509_CRL *crl;
+ /* CRL data */
+ PKI_X509_CRL *crl;
- /* Pointer to the list of CRLs entries */
- STACK_OF(X509_REVOKED) *crl_list;
+ /* Pointer to the list of CRLs entries */
+ STACK_OF(X509_REVOKED) *crl_list;
- /* X509 nextUpdate and lastUpdate */
- PKI_TIME *nextUpdate;
- PKI_TIME *lastUpdate;
+ /* X509 nextUpdate and lastUpdate */
+ PKI_TIME *nextUpdate;
+ PKI_TIME *lastUpdate;
- /* Options for auto reloading of CRL upon expiration */
- int crl_status;
+ /* Options for auto reloading of CRL upon expiration */
+ int crl_status;
- /* Number of entries present in the list */
- unsigned long entries_num;
+ /* Number of entries present in the list */
+ unsigned long entries_num;
- /* TOKEN to be used with this CA - if null, the default
- * one will be used */
- PKI_X509_CERT *server_cert;
+ /* TOKEN to be used with this CA - if null, the default
+ * one will be used */
+ PKI_X509_CERT *server_cert;
- char *token_name;
- char *token_config_dir;
- PKI_TOKEN *token;
+ char *token_name;
+ char *token_config_dir;
+ PKI_TOKEN *token;
+
+ /* Responder Identifier Type */
+ int response_id_type;
- } CA_LIST_ENTRY;
+} CA_LIST_ENTRY;
typedef struct {
pthread_t thread_tid;
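Review bot: The new field is declared `int response_id_type;` while response.c carries the same value as `PKI_X509_OCSP_RESPID_TYPE resp_id_type`, so config.c and make_ocsp_response convert between int and the libpki type implicitly. If that type is visible in this header (not shown in the hunk), declare the field as `PKI_X509_OCSP_RESPID_TYPE response_id_type;` so the compiler can flag a stray integer value. The field comment could also record where the value comes from, e.g. `/* ResponderID form for this CA (by name or by key id); read from /caConfig/responderIdType, defaults to by name */`.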
@@ -193,7 +195,6 @@ typedef struct ocspd_config {
int nmin;
int ndays;
int set_nextUpdate;
- int add_response_keyid;
int flags;
diff --git a/src/ocspd/response.c b/src/ocspd/response.c
index 1dd39cb..9933f1e 100644
--- a/src/ocspd/response.c
+++ b/src/ocspd/response.c
@@ -27,7 +27,8 @@ static const char *statusInfo[] = {
NULL
};
-int sign_ocsp_response(PKI_X509_OCSP_RESP *resp, OCSPD_CONFIG *conf, PKI_X509_CERT *signCert, PKI_X509_CERT *caCert, PKI_TOKEN *tk)
+int sign_ocsp_response(PKI_X509_OCSP_RESP *resp, OCSPD_CONFIG *conf, PKI_X509_CERT *signCert,
+ PKI_X509_CERT *caCert, PKI_TOKEN *tk, PKI_X509_OCSP_RESPID_TYPE resp_id_type)
{
PKI_DIGEST_ALG * sign_dgst = NULL;
PKI_OCSP_RESP * r = NULL;
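Review bot: `sign_ocsp_response` keeps external linkage while gaining a sixth parameter, and no header touched by this patch shows an updated prototype for it. If the function is only called from response.c (the one call visible in this patch is in make_ocsp_response), declaring it `static` would prevent another translation unit from calling it through an outdated five-argument declaration. A short header comment saying that `resp_id_type` selects the ResponderID form handed to `PKI_X509_OCSP_RESP_sign` would also help, since `conf` no longer carries that setting. The function body continues outside this hunk.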
@@ -106,7 +107,9 @@ int sign_ocsp_response(PKI_X509_OCSP_RESP *resp, OCSPD_CONFIG *conf, PKI_X509_CE
}
// Now generate the signature for the response
- sig_rv = PKI_X509_OCSP_RESP_sign(resp, tk->keypair, signCert, caCert, tk->otherCerts, sign_dgst);
+ sig_rv = PKI_X509_OCSP_RESP_sign(resp, tk->keypair, signCert,
+ caCert, tk->otherCerts,
+ sign_dgst, resp_id_type);
// Checks the return code and report the error (if any)
if (sig_rv != PKI_OK)
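Review bot: `PKI_X509_OCSP_RESP_sign` is now called with a seventh argument, `resp_id_type`, which requires a libpki whose signing function has the extended signature. The configure.ac hunk in this patch changes only the package version and the copyright year, so any existing libpki version check appears to be left as it was. Consider raising the minimum libpki version required at configure time, or noting the required version next to this call, so a build against an older library fails with a clear message rather than a prototype mismatch.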
@@ -206,6 +209,8 @@ PKI_X509_OCSP_RESP *make_ocsp_response(PKI_X509_OCSP_REQ *req, OCSPD_CONFIG *con
PKI_X509_OCSP_RESP *resp = NULL;
PKI_X509_OCSP_REQ_VALUE *req_val = NULL;
+ PKI_X509_OCSP_RESPID_TYPE resp_id_type = PKI_X509_OCSP_RESPID_TYPE_BY_NAME;
+
PKI_TOKEN *tk = NULL;
PKI_X509_CERT *signCert = NULL;
@@ -339,6 +344,9 @@ PKI_X509_OCSP_RESP *make_ocsp_response(PKI_X509_OCSP_REQ *req, OCSPD_CONFIG *con
else signCert = NULL;
}
+ // Response Id Type
+ resp_id_type = ca->response_id_type;
+
// Here we check for the case where the CRL status is not ok, so
// we ask the client to try later, hopefully when we have a valid
// CRL to provide the response with
@@ -498,7 +506,7 @@ PKI_X509_OCSP_RESP *make_ocsp_response(PKI_X509_OCSP_REQ *req, OCSPD_CONFIG *con
// Now we need to sign the response
if (resp != NULL && signResponse == 1)
{
- if (sign_ocsp_response(resp, conf, signCert, caCert, tk) != PKI_OK)
+ if (sign_ocsp_response(resp, conf, signCert, caCert, tk, resp_id_type) != PKI_OK)
{
// Free the current response, and generate the appropriate error
PKI_X509_OCSP_RESP_free(resp);