Added support for -partial_chain

This commit is contained in:
Nick Ramirez 2017-05-19 12:37:34 -04:00
parent cfc5a5e725
commit c29d5fa165
1 changed files with 14 additions and 5 deletions


@ -30,6 +30,7 @@ OCSP_HOST=""
VERIFY=1
TMP=""
SKIP_UPDATE=0
PARTIAL_CHAIN=""
function Quit() {
if [ $KEEP_TEMP -eq 0 ]; then
@ -140,6 +141,10 @@ Options:
'Host:' header; use this instead of the one
extracted from the OCSP server URL.
--partial-chain : Allow partial certificate chain if at least one certificate
is in trusted store. Useful when validating an intermediate
certificate without the root CA.
-s, --socket file : haproxy admin socket. If omitted,
$HAPROXY_ADMIN_SOCKET_DEFAULT is used by default.
This script is distributed with only one
@ -196,6 +201,10 @@ do
VERIFY=0
;;
--partial-chain)
PARTIAL_CHAIN="-partial_chain"
;;
-l|--syslog)
if [ $# -le 1 ]; then
Error 9 "mandatory value is missing for $1 argument"
@ -423,7 +432,7 @@ else
fi
# check if the EE certificate validates against the chain
$OPENSSL_BIN verify -CAfile $TMP/chain.pem $TMP/ee.pem &>>$TMP/log
$OPENSSL_BIN verify $PARTIAL_CHAIN -CAfile $TMP/chain.pem $TMP/ee.pem &>>$TMP/log
if [ $? -ne 0 ]; then
if [ -e $CERT.issuer ]; then
@ -442,11 +451,11 @@ $OPENSSL_BIN version | grep "OpenSSL 1.0" &>/dev/null
if [ $? -eq 0 ]; then
# OpenSSL 1.0.x
$OPENSSL_BIN ocsp -issuer $TMP/chain.pem -cert $TMP/ee.pem \
$OPENSSL_BIN ocsp $PARTIAL_CHAIN -issuer $TMP/chain.pem -cert $TMP/ee.pem \
-respout $TMP/ocsp.der -noverify \
-no_nonce -url $OCSP_URL -header "Host" "$OCSP_HOST" &>>$TMP/log
else
$OPENSSL_BIN ocsp -issuer $TMP/chain.pem -cert $TMP/ee.pem \
$OPENSSL_BIN ocsp $PARTIAL_CHAIN -issuer $TMP/chain.pem -cert $TMP/ee.pem \
-respout $TMP/ocsp.der -noverify \
-no_nonce -url $OCSP_URL -header "Host=$OCSP_HOST" &>>$TMP/log
fi
@ -461,11 +470,11 @@ if [ $VERIFY -eq 0 ]; then
VERIFYOPT="-noverify"
fi
if [ -z "$VAFILE" ]; then
$OPENSSL_BIN ocsp $VERIFYOPT -issuer $TMP/chain.pem -cert $TMP/ee.pem \
$OPENSSL_BIN ocsp $PARTIAL_CHAIN $VERIFYOPT -issuer $TMP/chain.pem -cert $TMP/ee.pem \
-respin $TMP/ocsp.der -no_nonce -CAfile $TMP/chain.pem \
-out $TMP/ocsp.txt &>>$TMP/ocsp-verify.txt
else
$OPENSSL_BIN ocsp $VERIFYOPT -issuer $TMP/chain.pem -cert $TMP/ee.pem \
$OPENSSL_BIN ocsp $PARTIAL_CHAIN $VERIFYOPT -issuer $TMP/chain.pem -cert $TMP/ee.pem \
-respin $TMP/ocsp.der -no_nonce -CAfile $TMP/chain.pem \
-VAfile $VAFILE \
-out $TMP/ocsp.txt &>>$TMP/ocsp-verify.txt
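Review bot: The new `--partial-chain` help text says what the flag allows but not what it requires: as far as I recall `-partial_chain` only exists from OpenSSL 1.0.2 on, yet the `grep "OpenSSL 1.0"` branch treats 1.0.1 and 1.0.2 alike, so on 1.0.1 the `openssl verify $PARTIAL_CHAIN ...` call would exit non-zero on an unrecognised option and the `$? -ne 0` check right after it would misreport that as a chain-validation failure and fall through to the `$CERT.issuer` path. I would add `Requires OpenSSL 1.0.2 or later.` to the help text and fail fast in the `--partial-chain)` case with an `Error <code> "--partial-chain requires OpenSSL >= 1.0.2"` when `$OPENSSL_BIN version` reports 1.0.0 or 1.0.1, rather than letting a bad option surface as a trust problem. A comment next to the verify call is also warranted: with `-partial_chain`, any certificate in `$TMP/chain.pem` (the only `-CAfile` these hunks use) becomes a trust anchor, so this step only confirms the EE cert chains to whatever issuer is bundled there, not to an independently trusted root, which is narrower than "trusted store" in the help text suggests. Passing `$PARTIAL_CHAIN` to the two `ocsp` fetch calls that already carry `-noverify` is harmless but redundant, and the `if`/`else` blocks around every changed command start and end outside the visible hunks.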