#include <libpki/pki.h>
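/*
 * Demo: build, sign and verify an OCSP request/response pair with libpki.
 *
 * Flow: load the CA certificate (cacert.pem) -> generate a throw-away RSA
 * keypair and self-signed certificate in a PKI_TOKEN -> build an OCSP
 * request for serial 4332 issued by that CA, add a nonce and sign it ->
 * build the matching response (status GOOD, nonce copied from the request),
 * sign it with the same token and verify the signature.
 *
 * Files written: key.pem (private key, PEM, NOT encrypted — demo only),
 * output/req.der and output/resp.der (DER).  The certificate is printed to
 * stdout via "fd://1".
 *
 * Returns 0 on success, 1 on any failure.  Every failure path releases the
 * objects allocated so far instead of calling exit() mid-way.
 */
int main () {
	PKI_OCSP_CERTID *cid = NULL;
	PKI_X509_OCSP_REQ *r = NULL;
	PKI_X509_OCSP_RESP *resp = NULL;
	PKI_X509_CERT *cacert = NULL;
	PKI_TOKEN *tk = NULL;
	int ret = 1;	/* exit status; becomes 0 only when every step succeeded */

	PKI_init_all();

	if (PKI_log_init(PKI_LOG_TYPE_STDERR, PKI_LOG_INFO, NULL,
			PKI_LOG_FLAGS_ENABLE_DEBUG, NULL) == PKI_ERR) {
		/* Logging is not up yet, so plain stderr is the only channel. */
		fprintf(stderr, "ERROR, can not initialize logging!\n");
		return 1;
	}

	if ((cacert = PKI_X509_CERT_get("cacert.pem", NULL, NULL)) == NULL) {
		PKI_log_err("ERROR, can not load cacert.pem!");
		goto cleanup;
	}

	/* ---- Keypair and self-signed certificate --------------------------- */
	/* The self-signed certificate is what signs the OCSP request/response
	 * below; this is only suitable for a demo (a real responder would use a
	 * CA-issued responder certificate — not covered here). */
	if ((tk = PKI_TOKEN_new_null()) == NULL) {
		PKI_log_err("ERROR, can not create a new token!");
		goto cleanup;
	}

	if (PKI_TOKEN_set_algor(tk, PKI_ALGOR_RSA_SHA256) == PKI_ERR) {
		PKI_log_err("ERROR, can not set signing algorithm!");
		goto cleanup;
	}

	/* 1024-bit RSA is below the accepted minimum; 2048 is the floor today. */
	if (PKI_TOKEN_new_keypair(tk, 2048, NULL) == PKI_ERR) {
		PKI_log_err("ERROR, can not generate new keypair!");
		goto cleanup;
	}

	/* Private key is written unencrypted (no password callback supplied). */
	if (PKI_X509_KEYPAIR_put(tk->keypair, PKI_DATA_FORMAT_PEM, "key.pem",
			NULL, NULL) == PKI_ERR) {
		PKI_log_err("ERROR, can not write key.pem!");
		goto cleanup;
	}

	if (PKI_TOKEN_set_cacert(tk, cacert) == PKI_ERR) {
		PKI_log_err("ERROR, can not set CA certificate on token!");
		goto cleanup;
	}

	if (PKI_TOKEN_new_req(tk, "CN=Max, O=OpenCA", NULL) == PKI_ERR) {
		PKI_log_err("ERROR, can not create certificate request!");
		goto cleanup;
	}

	/* Validity: 30 days expressed in seconds. */
	if (PKI_TOKEN_self_sign(tk, NULL, NULL, 3600*24*30, NULL) == PKI_ERR) {
		PKI_log_err("ERROR, can not self-sign certificate!");
		goto cleanup;
	}

	/* Dump the certificate in text form to stdout (fd 1). */
	if (PKI_X509_CERT_put(tk->cert, PKI_DATA_FORMAT_TXT, "fd://1",
			NULL, NULL, NULL) == PKI_ERR) {
		PKI_log_err("ERROR, can not print certificate!");
		goto cleanup;
	}

	/* ---- OCSP request ---------------------------------------------------- */
	if ((r = PKI_X509_OCSP_REQ_new()) == NULL) {
		PKI_log_err("Memory Error!");
		goto cleanup;
	}

	/* Certificate identifier: serial 4332 issued by cacert. */
	if (PKI_X509_OCSP_REQ_add_longlong(r, 4332, cacert, NULL) == PKI_ERR) {
		PKI_log_err("Can not add serial 4332!");
		goto cleanup;
	}

	/* A nonce binds the response to this request (replay protection); the
	 * response side copies it back below. */
	if (PKI_X509_OCSP_REQ_add_nonce(r, 0) == PKI_ERR) {
		PKI_log_err("Can not add NONCE to REQUEST!");
		goto cleanup;
	}

	if (PKI_X509_OCSP_REQ_sign_tk(r, tk) == PKI_ERR) {
		PKI_log_err("ERROR, can not sign OCSP request!");
		goto cleanup;
	}

	if (PKI_X509_OCSP_REQ_put(r, PKI_DATA_FORMAT_ASN1,
			"output/req.der", NULL, NULL, NULL) == PKI_ERR) {
		PKI_log_err("ERROR, can not write output/req.der!");
		goto cleanup;
	}

	/* ---- OCSP response --------------------------------------------------- */
	if ((resp = PKI_X509_OCSP_RESP_new()) == NULL) {
		PKI_log_err("Memory allocation error!");
		goto cleanup;
	}

	if (PKI_X509_OCSP_RESP_set_status(resp,
			PKI_X509_OCSP_RESP_STATUS_SUCCESSFUL) == PKI_ERR) {
		PKI_log_err("ERROR, can not set response status!");
		goto cleanup;
	}

	/* Without the request nonce the client cannot match the response, so a
	 * copy failure is fatal here rather than a debug message. */
	if (PKI_X509_OCSP_RESP_copy_nonce(resp, r) == PKI_ERR) {
		PKI_log_err("ERROR::can not copy NONCE!!!");
		goto cleanup;
	}

	/* The original fell through with cid == NULL (and used perror(), which
	 * reports errno that libpki does not set); stop instead. */
	if ((cid = PKI_X509_OCSP_REQ_get_cid(r, 0)) == NULL) {
		PKI_log_err("Can not get CID from request!");
		goto cleanup;
	}

	/* Single response: the requested certificate is reported as GOOD. */
	if (PKI_X509_OCSP_RESP_add(resp, cid, PKI_OCSP_CERTSTATUS_GOOD,
			NULL, NULL, NULL, CRL_REASON_UNSPECIFIED, NULL) == PKI_ERR) {
		PKI_log_err("Can not add certificate status to Response");
		goto cleanup;
	}

	if (PKI_X509_OCSP_RESP_sign_tk(resp, tk) == PKI_ERR) {
		PKI_log_err("Can not sign Response");
		goto cleanup;
	}

	/* Self-check against the signer's own key; a mismatch is an error, not
	 * just a debug line, because the written response would be unusable. */
	if (PKI_X509_verify(resp, tk->keypair) != PKI_OK) {
		PKI_log_err("OCSP Response Verify => Error.");
		goto cleanup;
	}
	PKI_log_debug("OCSP Response Verify => Ok.");

	if (PKI_X509_OCSP_RESP_put(resp, PKI_DATA_FORMAT_ASN1,
			"output/resp.der", NULL, NULL, NULL) == PKI_ERR) {
		PKI_log_err("ERROR, can not write output/resp.der!");
		goto cleanup;
	}

	PKI_log_debug("Operations Completed!");
	ret = 0;

cleanup:
	/* cid points into the request and is released with it (not freed here). */
	if (resp) PKI_X509_OCSP_RESP_free(resp);
	if (r) PKI_X509_OCSP_REQ_free(r);
	if (tk) PKI_TOKEN_free(tk);
	if (cacert) PKI_X509_CERT_free(cacert);

	return ret;
}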