1 files changed, 97 insertions, 0 deletions
diff --git a/src/usr.sbin/ocspcheck/ocspcheck.8 b/src/usr.sbin/ocspcheck/ocspcheck.8
new file mode 100644
index 0000000000..2ef5d26fc3
--- /dev/null
+++ b/src/usr.sbin/ocspcheck/ocspcheck.8
@@ -0,0 +1,97 @@
+.\"     $OpenBSD: ocspcheck.8,v 1.1 2017/01/24 08:50:57 beck Exp $
+.\"
+.\" Copyright (c) 2017 Bob Beck <beck@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: January 24 2017 $
+.Dt OCSPCHECK 8
+.Os
+.Sh NAME
+.Nm ocspcheck
+.Nd Check a certificate for validity against its OSCP responder
+.Sh SYNOPSIS
+.Nm
+.Op Fl vN
+.Op Fl o Ar staplefile
+.Op Fl C Ar CAfile
+.Ar file
+.Sh DESCRIPTION
+The
+.Nm
+utility validates a PEM format certificate against the OCSP responder
+encoded in the certificate that is specified by the
+.Ar file
+argument.
+Normally it should be used for checking server certificates
+and maintaining saved OCSP responses to be used for OCSP stapling.
+.Pp
+The options are as follows:
+.Bl -tag -width Ds
+.It Fl C Ar CAfile
+Specify a PEM formatted root certificate bundle to use for the validation of
+requests.
+By default no certificates are used beyond those in the
+certificate chain provided by the
+.Ar file
+argument.
+.It Fl o Ar staplefile
+Specify an output filename where the DER encoded response from the
+OCSP server will be written, if the OCSP response validates.
+A filename
+of
+.Ar -
+will write the response to standard output. By default the response
+is not saved.
+.It Fl N
+Do not use a nonce value in the OCSP request, or validate that the
+nonce was returned in the OCSP response.
+By default a nonce is always used and validated.
+The use of this flag is a security risk as it will allow OCSP
+responses to be replayed.
+It should not be used unless the OCSP server does not support the
+use of OCSP nonces.
+.It Fl v
+Increase verbosity.
+This flag may be specified multiple times to get more verbose output.
+The default behaviour is to be silent unless something goes wrong.
+.Sh EXIT STATUS
+.Nm
+exits 0 if the OCSP response validates for the
+certificate in
+.Ar file
+and all output is successfully written out.
+Otherwise
+.Nm
+will exit >0.
+.Sh SEE ALSO
+.Xr httpd 8 ,
+.Xr nc 1 ,
+.Xr tls_config_set_ocsp_staple_mem 3 ,
+.Xr tls_config_set_ocsp_staple_file 3 ,
+.Sh BUGS
+.Nm
+will create the output file if it does not exit.
+On failure a newly created output file will not be removed.
+.Sh CAVEATS
+While
+.Nm
+could possibly be used in scripts to query responders for server
+certificates seen on client connections, this is almost always a bad
+idea.
+God kills a kitten every time you make an OCSP query from the
+client side of a TLS connection.
+.Sh AUTHORS
+.Nm
+was written by
+.An Bob Beck

diff --git a/src/usr.sbin/ocspcheck/ocspcheck.8 b/src/usr.sbin/ocspcheck/ocspcheck.8 new file mode 100644 index 0000000000..2ef5d26fc3 --- /dev/null +++ b/src/usr.sbin/ocspcheck/ocspcheck.8
@@ -0,0 +1,97 @@
	1	.\" $OpenBSD: ocspcheck.8,v 1.1 2017/01/24 08:50:57 beck Exp $
	2	.\"
	3	.\" Copyright (c) 2017 Bob Beck <beck@openbsd.org>
	4	.\"
	5	.\" Permission to use, copy, modify, and distribute this software for any
	6	.\" purpose with or without fee is hereby granted, provided that the above
	7	.\" copyright notice and this permission notice appear in all copies.
	8	.\"
	9	.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
	10	.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
	11	.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
	12	.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
	13	.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
	14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
	15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
	16	.\"
	17	.Dd $Mdocdate: January 24 2017 $
	18	.Dt OCSPCHECK 8
	19	.Os
	20	.Sh NAME
	21	.Nm ocspcheck
	22	.Nd Check a certificate for validity against its OSCP responder
	23	.Sh SYNOPSIS
	24	.Nm
	25	.Op Fl vN
	26	.Op Fl o Ar staplefile
	27	.Op Fl C Ar CAfile
	28	.Ar file
	29	.Sh DESCRIPTION
	30	The
	31	.Nm
	32	utility validates a PEM format certificate against the OCSP responder
	33	encoded in the certificate that is specified by the
	34	.Ar file
	35	argument.
	36	Normally it should be used for checking server certificates
	37	and maintaining saved OCSP responses to be used for OCSP stapling.
	38	.Pp
	39	The options are as follows:
	40	.Bl -tag -width Ds
	41	.It Fl C Ar CAfile
	42	Specify a PEM formatted root certificate bundle to use for the validation of
	43	requests.
	44	By default no certificates are used beyond those in the
	45	certificate chain provided by the
	46	.Ar file
	47	argument.
	48	.It Fl o Ar staplefile
	49	Specify an output filename where the DER encoded response from the
	50	OCSP server will be written, if the OCSP response validates.
	51	A filename
	52	of
	53	.Ar -
	54	will write the response to standard output. By default the response
	55	is not saved.
	56	.It Fl N
	57	Do not use a nonce value in the OCSP request, or validate that the
	58	nonce was returned in the OCSP response.
	59	By default a nonce is always used and validated.
	60	The use of this flag is a security risk as it will allow OCSP
	61	responses to be replayed.
	62	It should not be used unless the OCSP server does not support the
	63	use of OCSP nonces.
	64	.It Fl v
	65	Increase verbosity.
	66	This flag may be specified multiple times to get more verbose output.
	67	The default behaviour is to be silent unless something goes wrong.
	68	.Sh EXIT STATUS
	69	.Nm
	70	exits 0 if the OCSP response validates for the
	71	certificate in
	72	.Ar file
	73	and all output is successfully written out.
	74	Otherwise
	75	.Nm
	76	will exit >0.
	77	.Sh SEE ALSO
	78	.Xr httpd 8 ,
	79	.Xr nc 1 ,
	80	.Xr tls_config_set_ocsp_staple_mem 3 ,
	81	.Xr tls_config_set_ocsp_staple_file 3 ,
	82	.Sh BUGS
	83	.Nm
	84	will create the output file if it does not exit.
	85	On failure a newly created output file will not be removed.
	86	.Sh CAVEATS
	87	While
	88	.Nm
	89	could possibly be used in scripts to query responders for server
	90	certificates seen on client connections, this is almost always a bad
	91	idea.
	92	God kills a kitten every time you make an OCSP query from the
	93	client side of a TLS connection.
	94	.Sh AUTHORS
	95	.Nm
	96	was written by
	97	.An Bob Beck