/* Create a request for the DER encoded certificate in the file CERT_FNAME and its issuer's certificate in the file ISSUER_CERT_FNAME. */ void one_request (const char *cert_fname, const char *issuer_cert_fname) { gpg_error_t err; ksba_cert_t cert = get_one_cert (cert_fname); ksba_cert_t issuer_cert = get_one_cert (issuer_cert_fname); ksba_ocsp_t ocsp; unsigned char *request; size_t requestlen; err = ksba_ocsp_new (&ocsp); fail_if_err (err); err = ksba_ocsp_add_target (ocsp, cert, issuer_cert); fail_if_err (err); ksba_cert_release (cert); ksba_cert_release (issuer_cert); if (!no_nonce) ksba_ocsp_set_nonce (ocsp, "ABCDEFGHIJKLMNOP", 16); err = ksba_ocsp_build_request (ocsp, &request, &requestlen); fail_if_err (err); ksba_ocsp_release (ocsp); printf ("OCSP request of length %u created\n", (unsigned int)requestlen); { FILE *fp = fopen ("a.req", "wb"); if (!fp) fail ("can't create output file `a.req'"); if (fwrite (request, requestlen, 1, fp) != 1) fail ("can't write output"); fclose (fp); } xfree (request); }
/* Check whether the certificate either given by fingerprint CERT_FPR or directly through the CERT object is valid by running an OCSP transaction. With FORCE_DEFAULT_RESPONDER set only the configured default responder is used. */ gpg_error_t ocsp_isvalid (ctrl_t ctrl, ksba_cert_t cert, const char *cert_fpr, int force_default_responder) { gpg_error_t err; ksba_ocsp_t ocsp = NULL; ksba_cert_t issuer_cert = NULL; ksba_sexp_t sigval = NULL; gcry_sexp_t s_sig = NULL; ksba_isotime_t current_time; ksba_isotime_t this_update, next_update, revocation_time, produced_at; ksba_isotime_t tmp_time; ksba_status_t status; ksba_crl_reason_t reason; char *url_buffer = NULL; const char *url; gcry_md_hd_t md = NULL; int i, idx; char *oid; ksba_name_t name; fingerprint_list_t default_signer = NULL; /* Get the certificate. */ if (cert) { ksba_cert_ref (cert); err = find_issuing_cert (ctrl, cert, &issuer_cert); if (err) { log_error (_("issuer certificate not found: %s\n"), gpg_strerror (err)); goto leave; } } else { cert = get_cert_local (ctrl, cert_fpr); if (!cert) { log_error (_("caller did not return the target certificate\n")); err = gpg_error (GPG_ERR_GENERAL); goto leave; } issuer_cert = get_issuing_cert_local (ctrl, NULL); if (!issuer_cert) { log_error (_("caller did not return the issuing certificate\n")); err = gpg_error (GPG_ERR_GENERAL); goto leave; } } /* Create an OCSP instance. */ err = ksba_ocsp_new (&ocsp); if (err) { log_error (_("failed to allocate OCSP context: %s\n"), gpg_strerror (err)); goto leave; } /* Figure out the OCSP responder to use. 1. Try to get the reponder from the certificate. We do only take http and https style URIs into account. 2. If this fails use the default responder, if any. */ url = NULL; for (idx=0; !url && !opt.ignore_ocsp_service_url && !force_default_responder && !(err=ksba_cert_get_authority_info_access (cert, idx, &oid, &name)); idx++) { if ( !strcmp (oid, oidstr_ocsp) ) { for (i=0; !url && ksba_name_enum (name, i); i++) { char *p = ksba_name_get_uri (name, i); if (p && (!ascii_strncasecmp (p, "http:", 5) || !ascii_strncasecmp (p, "https:", 6))) url = url_buffer = p; else xfree (p); } } ksba_name_release (name); ksba_free (oid); } if (err && gpg_err_code (err) != GPG_ERR_EOF) { log_error (_("can't get authorityInfoAccess: %s\n"), gpg_strerror (err)); goto leave; } if (!url) { if (!opt.ocsp_responder || !*opt.ocsp_responder) { log_info (_("no default OCSP responder defined\n")); err = gpg_error (GPG_ERR_CONFIGURATION); goto leave; } if (!opt.ocsp_signer) { log_info (_("no default OCSP signer defined\n")); err = gpg_error (GPG_ERR_CONFIGURATION); goto leave; } url = opt.ocsp_responder; default_signer = opt.ocsp_signer; if (opt.verbose) log_info (_("using default OCSP responder '%s'\n"), url); } else { if (opt.verbose) log_info (_("using OCSP responder '%s'\n"), url); } /* Ask the OCSP responder. */ err = gcry_md_open (&md, GCRY_MD_SHA1, 0); if (err) { log_error (_("failed to establish a hashing context for OCSP: %s\n"), gpg_strerror (err)); goto leave; } err = do_ocsp_request (ctrl, ocsp, md, url, cert, issuer_cert); if (err) goto leave; /* We got a useful answer, check that the answer has a valid signature. */ sigval = ksba_ocsp_get_sig_val (ocsp, produced_at); if (!sigval || !*produced_at) { err = gpg_error (GPG_ERR_INV_OBJ); goto leave; } if ( (err = canon_sexp_to_gcry (sigval, &s_sig)) ) goto leave; xfree (sigval); sigval = NULL; err = check_signature (ctrl, ocsp, s_sig, md, default_signer); if (err) goto leave; /* We only support one certificate per request. Check that the answer matches the right certificate. */ err = ksba_ocsp_get_status (ocsp, cert, &status, this_update, next_update, revocation_time, &reason); if (err) { log_error (_("error getting OCSP status for target certificate: %s\n"), gpg_strerror (err)); goto leave; } /* In case the certificate has been revoked, we better invalidate our cached validation status. */ if (status == KSBA_STATUS_REVOKED) { time_t validated_at = 0; /* That is: No cached validation available. */ err = ksba_cert_set_user_data (cert, "validated_at", &validated_at, sizeof (validated_at)); if (err) { log_error ("set_user_data(validated_at) failed: %s\n", gpg_strerror (err)); err = 0; /* The certificate is anyway revoked, and that is a more important message than the failure of our cache. */ } } if (opt.verbose) { log_info (_("certificate status is: %s (this=%s next=%s)\n"), status == KSBA_STATUS_GOOD? _("good"): status == KSBA_STATUS_REVOKED? _("revoked"): status == KSBA_STATUS_UNKNOWN? _("unknown"): status == KSBA_STATUS_NONE? _("none"): "?", this_update, next_update); if (status == KSBA_STATUS_REVOKED) log_info (_("certificate has been revoked at: %s due to: %s\n"), revocation_time, reason == KSBA_CRLREASON_UNSPECIFIED? "unspecified": reason == KSBA_CRLREASON_KEY_COMPROMISE? "key compromise": reason == KSBA_CRLREASON_CA_COMPROMISE? "CA compromise": reason == KSBA_CRLREASON_AFFILIATION_CHANGED? "affiliation changed": reason == KSBA_CRLREASON_SUPERSEDED? "superseeded": reason == KSBA_CRLREASON_CESSATION_OF_OPERATION? "cessation of operation": reason == KSBA_CRLREASON_CERTIFICATE_HOLD? "certificate on hold": reason == KSBA_CRLREASON_REMOVE_FROM_CRL? "removed from CRL": reason == KSBA_CRLREASON_PRIVILEGE_WITHDRAWN? "privilege withdrawn": reason == KSBA_CRLREASON_AA_COMPROMISE? "AA compromise": reason == KSBA_CRLREASON_OTHER? "other":"?"); } if (status == KSBA_STATUS_REVOKED) err = gpg_error (GPG_ERR_CERT_REVOKED); else if (status == KSBA_STATUS_UNKNOWN) err = gpg_error (GPG_ERR_NO_DATA); else if (status != KSBA_STATUS_GOOD) err = gpg_error (GPG_ERR_GENERAL); /* Allow for some clock skew. */ gnupg_get_isotime (current_time); add_seconds_to_isotime (current_time, opt.ocsp_max_clock_skew); if (strcmp (this_update, current_time) > 0 ) { log_error (_("OCSP responder returned a status in the future\n")); log_info ("used now: %s this_update: %s\n", current_time, this_update); if (!err) err = gpg_error (GPG_ERR_TIME_CONFLICT); } /* Check that THIS_UPDATE is not too far back in the past. */ gnupg_copy_time (tmp_time, this_update); add_seconds_to_isotime (tmp_time, opt.ocsp_max_period+opt.ocsp_max_clock_skew); if (!*tmp_time || strcmp (tmp_time, current_time) < 0 ) { log_error (_("OCSP responder returned a non-current status\n")); log_info ("used now: %s this_update: %s\n", current_time, this_update); if (!err) err = gpg_error (GPG_ERR_TIME_CONFLICT); } /* Check that we are not beyound NEXT_UPDATE (plus some extra time). */ if (*next_update) { gnupg_copy_time (tmp_time, next_update); add_seconds_to_isotime (tmp_time, opt.ocsp_current_period+opt.ocsp_max_clock_skew); if (!*tmp_time && strcmp (tmp_time, current_time) < 0 ) { log_error (_("OCSP responder returned an too old status\n")); log_info ("used now: %s next_update: %s\n", current_time, next_update); if (!err) err = gpg_error (GPG_ERR_TIME_CONFLICT); } } leave: gcry_md_close (md); gcry_sexp_release (s_sig); xfree (sigval); ksba_cert_release (issuer_cert); ksba_cert_release (cert); ksba_ocsp_release (ocsp); xfree (url_buffer); return err; }
void one_response (const char *cert_fname, const char *issuer_cert_fname, char *response_fname) { gpg_error_t err; ksba_ocsp_t ocsp; unsigned char *request, *response; size_t requestlen, responselen; ksba_cert_t cert = get_one_cert (cert_fname); ksba_cert_t issuer_cert = get_one_cert (issuer_cert_fname); ksba_ocsp_response_status_t response_status; const char *t; err = ksba_ocsp_new (&ocsp); fail_if_err (err); /* We need to build a request, so that the context is properly prepared for the response. */ err = ksba_ocsp_add_target (ocsp, cert, issuer_cert); fail_if_err (err); ksba_cert_release (issuer_cert); if (!no_nonce) ksba_ocsp_set_nonce (ocsp, "ABCDEFGHIJKLMNOP", 16); err = ksba_ocsp_build_request (ocsp, &request, &requestlen); fail_if_err (err); xfree (request); /* Now for the response. */ response = read_file (response_fname, &responselen); if (!response) fail ("file error"); err = ksba_ocsp_parse_response (ocsp, response, responselen, &response_status); fail_if_err (err); switch (response_status) { case KSBA_OCSP_RSPSTATUS_SUCCESS: t = "success"; break; case KSBA_OCSP_RSPSTATUS_MALFORMED: t = "malformed"; break; case KSBA_OCSP_RSPSTATUS_INTERNAL: t = "internal error"; break; case KSBA_OCSP_RSPSTATUS_TRYLATER: t = "try later"; break; case KSBA_OCSP_RSPSTATUS_SIGREQUIRED: t = "must sign request"; break; case KSBA_OCSP_RSPSTATUS_UNAUTHORIZED: t = "unauthorized"; break; case KSBA_OCSP_RSPSTATUS_REPLAYED: t = "replay detected"; break; case KSBA_OCSP_RSPSTATUS_OTHER: t = "other (unknown)"; break; case KSBA_OCSP_RSPSTATUS_NONE: t = "no status"; break; default: fail ("impossible response_status"); break; } printf ("response status ..: %s\n", t); if (response_status == KSBA_OCSP_RSPSTATUS_SUCCESS || response_status == KSBA_OCSP_RSPSTATUS_REPLAYED) { ksba_status_t status; ksba_crl_reason_t reason; ksba_isotime_t this_update, next_update, revocation_time, produced_at; ksba_sexp_t sigval; char *name; ksba_sexp_t keyid; err = ksba_ocsp_get_responder_id (ocsp, &name, &keyid); fail_if_err (err); printf ("responder id .....: "); if (name) printf ("`%s'", name); else print_sexp (keyid); putchar ('\n'); ksba_free (name); ksba_free (keyid); sigval = ksba_ocsp_get_sig_val (ocsp, produced_at); printf ("signature value ..: "); print_sexp (sigval); printf ("\nproduced at ......: "); print_time (produced_at); putchar ('\n'); err = ksba_ocsp_get_status (ocsp, cert, &status, this_update, next_update, revocation_time, &reason); fail_if_err (err); printf ("certificate status: %s\n", status == KSBA_STATUS_GOOD? "good": status == KSBA_STATUS_REVOKED? "revoked": status == KSBA_STATUS_UNKNOWN? "unknown": status == KSBA_STATUS_NONE? "none": "?"); if (status == KSBA_STATUS_REVOKED) { printf ("revocation time ..: "); print_time (revocation_time); printf ("\nrevocation reason : %s\n", reason == KSBA_CRLREASON_UNSPECIFIED? "unspecified": reason == KSBA_CRLREASON_KEY_COMPROMISE? "key compromise": reason == KSBA_CRLREASON_CA_COMPROMISE? "CA compromise": reason == KSBA_CRLREASON_AFFILIATION_CHANGED? "affiliation changed": reason == KSBA_CRLREASON_SUPERSEDED? "superseeded": reason == KSBA_CRLREASON_CESSATION_OF_OPERATION? "cessation of operation": reason == KSBA_CRLREASON_CERTIFICATE_HOLD? "certificate on hold": reason == KSBA_CRLREASON_REMOVE_FROM_CRL? "removed from CRL": reason == KSBA_CRLREASON_PRIVILEGE_WITHDRAWN? "privilege withdrawn": reason == KSBA_CRLREASON_AA_COMPROMISE? "AA compromise": reason == KSBA_CRLREASON_OTHER? "other":"?"); } printf ("this update ......: "); print_time (this_update); printf ("\nnext update ......: "); print_time (next_update); putchar ('\n'); { int cert_idx; ksba_cert_t acert; for (cert_idx=0; (acert = ksba_ocsp_get_cert (ocsp, cert_idx)); cert_idx++) ksba_cert_release (acert); printf ("extra certificates: %d\n", cert_idx ); } { int idx, crit; const char *oid; const unsigned char *der; size_t derlen; for (idx=0; !(err=ksba_ocsp_get_extension (ocsp, NULL, idx, &oid, &crit, &der, &derlen)); idx++) { const char *s = get_oid_desc (oid); printf ("%sresp-extn ..%s: %s%s%s%s (", crit? "crit. ":"", crit?"":"......", s?"(":"", s?s:"", s?") ":"", oid); print_hex (der, derlen); putchar (')'); putchar ('\n'); } if (err && gpg_err_code (err) != GPG_ERR_EOF) fail_if_err (err); for (idx=0; !(err=ksba_ocsp_get_extension (ocsp, cert, idx, &oid, &crit, &der, &derlen)); idx++) { const char *s = get_oid_desc (oid); printf ("%ssngl-extn ..%s: %s%s%s%s (", crit? "crit. ":"", crit?"":"......", s?"(":"", s?s:"", s?") ":"", oid); print_hex (der, derlen); putchar (')'); putchar ('\n'); } if (err && gpg_err_code (err) != GPG_ERR_EOF) fail_if_err (err); } } ksba_cert_release (cert); ksba_ocsp_release (ocsp); xfree (response); }