static void ask_server(const char* url) { gnutls_datum_t resp_data; int ret, v; gnutls_x509_crt_t cert, issuer; cert = load_cert(); issuer = load_issuer(); ret = send_ocsp_request(url, cert, issuer, &resp_data, ENABLED_OPT(NONCE)); if (ret < 0) { fprintf(stderr, "Cannot send OCSP request\n"); exit(1); } _response_info (&resp_data); if (HAVE_OPT(LOAD_SIGNER) || HAVE_OPT(LOAD_TRUST)) { fprintf(outfile, "\n"); v = _verify_response(&resp_data); } else { fprintf(stderr, "\nResponse could not be verified (use --load-signer).\n"); v = 0; } if (HAVE_OPT(OUTFILE) && v == 0) { fwrite(resp_data.data, 1, resp_data.size, outfile); } }
static void ask_server(const char *url) { gnutls_datum_t resp_data; int ret, v = 0; gnutls_x509_crt_t cert, issuer; unsigned char noncebuf[23]; gnutls_datum_t nonce = { noncebuf, sizeof(noncebuf) }; gnutls_datum_t *n; cert = load_cert(); issuer = load_issuer(); if (ENABLED_OPT(NONCE)) { ret = gnutls_rnd(GNUTLS_RND_NONCE, nonce.data, nonce.size); if (ret < 0) { fprintf(stderr, "gnutls_rnd: %s\n", gnutls_strerror(ret)); exit(1); } n = &nonce; } else { n = NULL; } ret = send_ocsp_request(url, cert, issuer, &resp_data, n); if (ret < 0) { fprintf(stderr, "Cannot send OCSP request\n"); exit(1); } _response_info(&resp_data); if (HAVE_OPT(LOAD_TRUST)) { v = _verify_response(&resp_data, n, NULL); } else if (HAVE_OPT(LOAD_SIGNER)) { v = _verify_response(&resp_data, n, load_signer()); } else { fprintf(stderr, "\nAssuming response's signer = issuer (use --load-signer to override).\n"); v = _verify_response(&resp_data, n, issuer); } if (HAVE_OPT(OUTFILE) && (v == 0 || HAVE_OPT(IGNORE_ERRORS))) { fwrite(resp_data.data, 1, resp_data.size, outfile); } if (v && !HAVE_OPT(IGNORE_ERRORS)) exit(1); }
/* OCSP check for the peer's certificate. Should be called * only after the certificate list verication is complete. * Returns: * 0: certificate is revoked * 1: certificate is ok * -1: dunno */ static int cert_verify_ocsp (gnutls_session_t session) { gnutls_x509_crt_t crt, issuer; const gnutls_datum_t *cert_list; unsigned int cert_list_size = 0; int deinit_issuer = 0; gnutls_datum_t resp; int ret; cert_list = gnutls_certificate_get_peers (session, &cert_list_size); if (cert_list_size == 0) { fprintf (stderr, "No certificates found!\n"); return -1; } gnutls_x509_crt_init (&crt); ret = gnutls_x509_crt_import (crt, &cert_list[0], GNUTLS_X509_FMT_DER); if (ret < 0) { fprintf (stderr, "Decoding error: %s\n", gnutls_strerror (ret)); return -1; } ret = gnutls_certificate_get_issuer(xcred, crt, &issuer, 0); if (ret < 0 && cert_list_size > 1) { gnutls_x509_crt_init(&issuer); ret = gnutls_x509_crt_import(issuer, &cert_list[1], GNUTLS_X509_FMT_DER); if (ret < 0) { fprintf (stderr, "Decoding error: %s\n", gnutls_strerror (ret)); return -1; } deinit_issuer = 1; } else if (ret < 0) { fprintf(stderr, "Cannot find issuer\n"); ret = -1; goto cleanup; } ret = send_ocsp_request(NULL, crt, issuer, &resp, 1); if (ret < 0) { fprintf(stderr, "Cannot contact OCSP server\n"); ret = -1; goto cleanup; } /* verify and check the response for revoked cert */ ret = check_ocsp_response(issuer, &resp); cleanup: if (deinit_issuer) gnutls_x509_crt_deinit (issuer); gnutls_x509_crt_deinit (crt); return ret; }