static void ask_server(const char* url)
{
gnutls_datum_t resp_data;
int ret, v;
gnutls_x509_crt_t cert, issuer;
cert = load_cert();
issuer = load_issuer();
ret = send_ocsp_request(url, cert, issuer, &resp_data, ENABLED_OPT(NONCE));
if (ret < 0)
{
fprintf(stderr, "Cannot send OCSP request\n");
exit(1);
}
_response_info (&resp_data);
if (HAVE_OPT(LOAD_SIGNER) || HAVE_OPT(LOAD_TRUST))
{
fprintf(outfile, "\n");
v = _verify_response(&resp_data);
}
else
{
fprintf(stderr, "\nResponse could not be verified (use --load-signer).\n");
v = 0;
}
if (HAVE_OPT(OUTFILE) && v == 0)
{
fwrite(resp_data.data, 1, resp_data.size, outfile);
}
}
static void ask_server(const char *url)
{
gnutls_datum_t resp_data;
int ret, v = 0;
gnutls_x509_crt_t cert, issuer;
unsigned char noncebuf[23];
gnutls_datum_t nonce = { noncebuf, sizeof(noncebuf) };
gnutls_datum_t *n;
cert = load_cert();
issuer = load_issuer();
if (ENABLED_OPT(NONCE)) {
ret =
gnutls_rnd(GNUTLS_RND_NONCE, nonce.data, nonce.size);
if (ret < 0) {
fprintf(stderr, "gnutls_rnd: %s\n",
gnutls_strerror(ret));
exit(1);
}
n = &nonce;
} else {
n = NULL;
}
ret =
send_ocsp_request(url, cert, issuer, &resp_data, n);
if (ret < 0) {
fprintf(stderr, "Cannot send OCSP request\n");
exit(1);
}
_response_info(&resp_data);
if (HAVE_OPT(LOAD_TRUST)) {
v = _verify_response(&resp_data, n, NULL);
} else if (HAVE_OPT(LOAD_SIGNER)) {
v = _verify_response(&resp_data, n, load_signer());
} else {
fprintf(stderr,
"\nAssuming response's signer = issuer (use --load-signer to override).\n");
v = _verify_response(&resp_data, n, issuer);
}
if (HAVE_OPT(OUTFILE) && (v == 0 || HAVE_OPT(IGNORE_ERRORS))) {
fwrite(resp_data.data, 1, resp_data.size, outfile);
}
if (v && !HAVE_OPT(IGNORE_ERRORS))
exit(1);
}
/* OCSP check for the peer's certificate. Should be called
* only after the certificate list verication is complete.
* Returns:
* 0: certificate is revoked
* 1: certificate is ok
* -1: dunno
*/
static int
cert_verify_ocsp (gnutls_session_t session)
{
gnutls_x509_crt_t crt, issuer;
const gnutls_datum_t *cert_list;
unsigned int cert_list_size = 0;
int deinit_issuer = 0;
gnutls_datum_t resp;
int ret;
cert_list = gnutls_certificate_get_peers (session, &cert_list_size);
if (cert_list_size == 0)
{
fprintf (stderr, "No certificates found!\n");
return -1;
}
gnutls_x509_crt_init (&crt);
ret =
gnutls_x509_crt_import (crt, &cert_list[0],
GNUTLS_X509_FMT_DER);
if (ret < 0)
{
fprintf (stderr, "Decoding error: %s\n",
gnutls_strerror (ret));
return -1;
}
ret = gnutls_certificate_get_issuer(xcred, crt, &issuer, 0);
if (ret < 0 && cert_list_size > 1)
{
gnutls_x509_crt_init(&issuer);
ret = gnutls_x509_crt_import(issuer, &cert_list[1], GNUTLS_X509_FMT_DER);
if (ret < 0)
{
fprintf (stderr, "Decoding error: %s\n",
gnutls_strerror (ret));
return -1;
}
deinit_issuer = 1;
}
else if (ret < 0)
{
fprintf(stderr, "Cannot find issuer\n");
ret = -1;
goto cleanup;
}
ret = send_ocsp_request(NULL, crt, issuer, &resp, 1);
if (ret < 0)
{
fprintf(stderr, "Cannot contact OCSP server\n");
ret = -1;
goto cleanup;
}
/* verify and check the response for revoked cert */
ret = check_ocsp_response(issuer, &resp);
cleanup:
if (deinit_issuer)
gnutls_x509_crt_deinit (issuer);
gnutls_x509_crt_deinit (crt);
return ret;
}
