static void ask_server(const char* url)
{
gnutls_datum_t resp_data;
int ret, v;
gnutls_x509_crt_t cert, issuer;
cert = load_cert();
issuer = load_issuer();
ret = send_ocsp_request(url, cert, issuer, &resp_data, ENABLED_OPT(NONCE));
if (ret < 0)
{
fprintf(stderr, "Cannot send OCSP request\n");
exit(1);
}
_response_info (&resp_data);
if (HAVE_OPT(LOAD_SIGNER) || HAVE_OPT(LOAD_TRUST))
{
fprintf(outfile, "\n");
v = _verify_response(&resp_data);
}
else
{
fprintf(stderr, "\nResponse could not be verified (use --load-signer).\n");
v = 0;
}
if (HAVE_OPT(OUTFILE) && v == 0)
{
fwrite(resp_data.data, 1, resp_data.size, outfile);
}
}
static void ask_server(const char *url)
{
gnutls_datum_t resp_data;
int ret, v = 0;
gnutls_x509_crt_t cert, issuer;
unsigned char noncebuf[23];
gnutls_datum_t nonce = { noncebuf, sizeof(noncebuf) };
gnutls_datum_t *n;
cert = load_cert();
issuer = load_issuer();
if (ENABLED_OPT(NONCE)) {
ret =
gnutls_rnd(GNUTLS_RND_NONCE, nonce.data, nonce.size);
if (ret < 0) {
fprintf(stderr, "gnutls_rnd: %s\n",
gnutls_strerror(ret));
exit(1);
}
n = &nonce;
} else {
n = NULL;
}
ret =
send_ocsp_request(url, cert, issuer, &resp_data, n);
if (ret < 0) {
fprintf(stderr, "Cannot send OCSP request\n");
exit(1);
}
_response_info(&resp_data);
if (HAVE_OPT(LOAD_TRUST)) {
v = _verify_response(&resp_data, n, NULL);
} else if (HAVE_OPT(LOAD_SIGNER)) {
v = _verify_response(&resp_data, n, load_signer());
} else {
fprintf(stderr,
"\nAssuming response's signer = issuer (use --load-signer to override).\n");
v = _verify_response(&resp_data, n, issuer);
}
if (HAVE_OPT(OUTFILE) && (v == 0 || HAVE_OPT(IGNORE_ERRORS))) {
fwrite(resp_data.data, 1, resp_data.size, outfile);
}
if (v && !HAVE_OPT(IGNORE_ERRORS))
exit(1);
}
static void
response_info (void)
{
gnutls_datum_t dat;
size_t size;
if (HAVE_OPT(LOAD_RESPONSE))
dat.data = (void*)read_binary_file (OPT_ARG(LOAD_RESPONSE), &size);
else
dat.data = (void*)fread_file (infile, &size);
if (dat.data == NULL)
error (EXIT_FAILURE, errno, "reading response");
dat.size = size;
_response_info(&dat);
gnutls_free (dat.data);
}
static void response_info(void)
{
gnutls_datum_t dat;
size_t size;
if (HAVE_OPT(LOAD_RESPONSE))
dat.data =
(void *) read_binary_file(OPT_ARG(LOAD_RESPONSE),
&size);
else
dat.data = (void *) fread_file(infile, &size);
if (dat.data == NULL) {
fprintf(stderr, "error reading response\n");
exit(1);
}
dat.size = size;
_response_info(&dat);
gnutls_free(dat.data);
}
int
main (int argc, char *argv[])
{
gnutls_datum_t ud, tmp;
int ret;
gnutls_datum_t req;
gnutls_x509_crt_t cert, issuer, signer;
#ifndef NO_LIBCURL
CURL *handle;
struct curl_slist *headers = NULL;
#endif
int v, seq;
const char *cert_file = argv[1];
const char *issuer_file = argv[2];
const char *signer_file = argv[3];
char *hostname = NULL;
gnutls_global_init ();
if (argc > 4)
hostname = argv[4];
cert = load_cert (cert_file);
issuer = load_cert (issuer_file);
signer = load_cert (signer_file);
if (hostname == NULL)
{
for (seq = 0;; seq++)
{
ret = gnutls_x509_crt_get_authority_info_access (cert, seq,
GNUTLS_IA_OCSP_URI,
&tmp,
NULL);
if (ret == GNUTLS_E_UNKNOWN_ALGORITHM)
continue;
if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
{
fprintf (stderr,
"No URI was found in the certificate.\n");
exit (1);
}
if (ret < 0)
{
fprintf (stderr, "error: %s\n",
gnutls_strerror (ret));
exit (1);
}
printf ("CA issuers URI: %.*s\n", tmp.size, tmp.data);
hostname = malloc (tmp.size + 1);
memcpy (hostname, tmp.data, tmp.size);
hostname[tmp.size] = 0;
gnutls_free (tmp.data);
break;
}
}
/* Note that the OCSP servers hostname might be available
* using gnutls_x509_crt_get_authority_info_access() in the issuer's
* certificate */
memset (&ud, 0, sizeof (ud));
fprintf (stderr, "Connecting to %s\n", hostname);
_generate_request (&req, cert, issuer);
#ifndef NO_LIBCURL
curl_global_init (CURL_GLOBAL_ALL);
handle = curl_easy_init ();
if (handle == NULL)
exit (1);
headers =
curl_slist_append (headers,
"Content-Type: application/ocsp-request");
curl_easy_setopt (handle, CURLOPT_HTTPHEADER, headers);
curl_easy_setopt (handle, CURLOPT_POSTFIELDS, (void *) req.data);
curl_easy_setopt (handle, CURLOPT_POSTFIELDSIZE, req.size);
curl_easy_setopt (handle, CURLOPT_URL, hostname);
curl_easy_setopt (handle, CURLOPT_WRITEFUNCTION, get_data);
curl_easy_setopt (handle, CURLOPT_WRITEDATA, &ud);
ret = curl_easy_perform (handle);
if (ret != 0)
{
fprintf (stderr, "curl[%d] error %d\n", __LINE__, ret);
exit (1);
}
curl_easy_cleanup (handle);
#endif
_response_info (&ud);
v = _verify_response (&ud, cert, signer);
gnutls_x509_crt_deinit (cert);
gnutls_x509_crt_deinit (issuer);
gnutls_x509_crt_deinit (signer);
gnutls_global_deinit ();
return v;
}