示例#1
0
static void ask_server(const char* url)
{
gnutls_datum_t resp_data;
int ret, v;
gnutls_x509_crt_t cert, issuer;

  cert = load_cert();
  issuer = load_issuer();
  
  ret = send_ocsp_request(url, cert, issuer, &resp_data, ENABLED_OPT(NONCE));
  if (ret < 0)
    {
      fprintf(stderr, "Cannot send OCSP request\n");
      exit(1);
    }
  
  _response_info (&resp_data);

  if (HAVE_OPT(LOAD_SIGNER) || HAVE_OPT(LOAD_TRUST))
    {
      fprintf(outfile, "\n");
      v = _verify_response(&resp_data);
    }
  else
    {
      fprintf(stderr, "\nResponse could not be verified (use --load-signer).\n");
      v = 0;
    }
    
  if (HAVE_OPT(OUTFILE) && v == 0)
    {
      fwrite(resp_data.data, 1, resp_data.size, outfile);
    }
}  
示例#2
0
static void ask_server(const char *url)
{
	gnutls_datum_t resp_data;
	int ret, v = 0;
	gnutls_x509_crt_t cert, issuer;
	unsigned char noncebuf[23];
	gnutls_datum_t nonce = { noncebuf, sizeof(noncebuf) };
	gnutls_datum_t *n;

	cert = load_cert();
	issuer = load_issuer();

	if (ENABLED_OPT(NONCE)) {
		ret =
		    gnutls_rnd(GNUTLS_RND_NONCE, nonce.data, nonce.size);
		if (ret < 0) {
			fprintf(stderr, "gnutls_rnd: %s\n",
				gnutls_strerror(ret));
			exit(1);
		}
		n = &nonce;

	} else {
		n = NULL;
	}

	ret =
	    send_ocsp_request(url, cert, issuer, &resp_data, n);
	if (ret < 0) {
		fprintf(stderr, "Cannot send OCSP request\n");
		exit(1);
	}

	_response_info(&resp_data);

	if (HAVE_OPT(LOAD_TRUST)) {
		v = _verify_response(&resp_data, n, NULL);
	} else if (HAVE_OPT(LOAD_SIGNER)) {
		v = _verify_response(&resp_data, n, load_signer());
	} else {
		fprintf(stderr,
			"\nAssuming response's signer = issuer (use --load-signer to override).\n");

		v = _verify_response(&resp_data, n, issuer);
	}

	if (HAVE_OPT(OUTFILE) && (v == 0 || HAVE_OPT(IGNORE_ERRORS))) {
		fwrite(resp_data.data, 1, resp_data.size, outfile);
	}

	if (v && !HAVE_OPT(IGNORE_ERRORS))
		exit(1);
}
示例#3
0
static void
response_info (void)
{
  gnutls_datum_t dat;
  size_t size;

  if (HAVE_OPT(LOAD_RESPONSE))
    dat.data = (void*)read_binary_file (OPT_ARG(LOAD_RESPONSE), &size);
  else
    dat.data = (void*)fread_file (infile, &size);
  if (dat.data == NULL)
    error (EXIT_FAILURE, errno, "reading response");
  dat.size = size;

  _response_info(&dat);
  gnutls_free (dat.data);
}
示例#4
0
static void response_info(void)
{
	gnutls_datum_t dat;
	size_t size;

	if (HAVE_OPT(LOAD_RESPONSE))
		dat.data =
		    (void *) read_binary_file(OPT_ARG(LOAD_RESPONSE),
					      &size);
	else
		dat.data = (void *) fread_file(infile, &size);
	if (dat.data == NULL) {
		fprintf(stderr, "error reading response\n");
		exit(1);
	}
	dat.size = size;

	_response_info(&dat);
	gnutls_free(dat.data);
}
示例#5
0
int
main (int argc, char *argv[])
{
    gnutls_datum_t ud, tmp;
    int ret;
    gnutls_datum_t req;
    gnutls_x509_crt_t cert, issuer, signer;
#ifndef NO_LIBCURL
    CURL *handle;
    struct curl_slist *headers = NULL;
#endif
    int v, seq;
    const char *cert_file = argv[1];
    const char *issuer_file = argv[2];
    const char *signer_file = argv[3];
    char *hostname = NULL;

    gnutls_global_init ();

    if (argc > 4)
        hostname = argv[4];

    cert = load_cert (cert_file);
    issuer = load_cert (issuer_file);
    signer = load_cert (signer_file);

    if (hostname == NULL)
      {

          for (seq = 0;; seq++)
            {
                ret = gnutls_x509_crt_get_authority_info_access (cert, seq,
                                                                 GNUTLS_IA_OCSP_URI,
                                                                 &tmp,
                                                                 NULL);
                if (ret == GNUTLS_E_UNKNOWN_ALGORITHM)
                    continue;
                if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
                  {
                      fprintf (stderr,
                               "No URI was found in the certificate.\n");
                      exit (1);
                  }
                if (ret < 0)
                  {
                      fprintf (stderr, "error: %s\n",
                               gnutls_strerror (ret));
                      exit (1);
                  }

                printf ("CA issuers URI: %.*s\n", tmp.size, tmp.data);

                hostname = malloc (tmp.size + 1);
                memcpy (hostname, tmp.data, tmp.size);
                hostname[tmp.size] = 0;

                gnutls_free (tmp.data);
                break;
            }

      }

    /* Note that the OCSP servers hostname might be available
     * using gnutls_x509_crt_get_authority_info_access() in the issuer's
     * certificate */

    memset (&ud, 0, sizeof (ud));
    fprintf (stderr, "Connecting to %s\n", hostname);

    _generate_request (&req, cert, issuer);

#ifndef NO_LIBCURL
    curl_global_init (CURL_GLOBAL_ALL);

    handle = curl_easy_init ();
    if (handle == NULL)
        exit (1);

    headers =
        curl_slist_append (headers,
                           "Content-Type: application/ocsp-request");

    curl_easy_setopt (handle, CURLOPT_HTTPHEADER, headers);
    curl_easy_setopt (handle, CURLOPT_POSTFIELDS, (void *) req.data);
    curl_easy_setopt (handle, CURLOPT_POSTFIELDSIZE, req.size);
    curl_easy_setopt (handle, CURLOPT_URL, hostname);
    curl_easy_setopt (handle, CURLOPT_WRITEFUNCTION, get_data);
    curl_easy_setopt (handle, CURLOPT_WRITEDATA, &ud);

    ret = curl_easy_perform (handle);
    if (ret != 0)
      {
          fprintf (stderr, "curl[%d] error %d\n", __LINE__, ret);
          exit (1);
      }

    curl_easy_cleanup (handle);
#endif

    _response_info (&ud);

    v = _verify_response (&ud, cert, signer);

    gnutls_x509_crt_deinit (cert);
    gnutls_x509_crt_deinit (issuer);
    gnutls_x509_crt_deinit (signer);
    gnutls_global_deinit ();

    return v;
}