2 * Copyright (C) 2011-2014 Free Software Foundation, Inc.
4 * This file is part of GnuTLS.
6 * GnuTLS is free software: you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by
8 * the Free Software Foundation, either version 3 of the License, or
9 * (at your option) any later version.
11 * GnuTLS is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program. If not, see
18 * <http://www.gnu.org/licenses/>.
28 #include <gnutls/gnutls.h>
29 #include <gnutls/ocsp.h>
30 #include <gnutls/x509.h>
31 #include <gnutls/crypto.h>
33 /* Gnulib portability files. */
34 #include <read-file.h>
37 #include <ocsptool-common.h>
38 #include <ocsptool-args.h>
42 static unsigned int encoding;
43 unsigned int verbose = 0;
45 static void tls_log_func(int level, const char *str)
47 fprintf(stderr, "|<%d>| %s", level, str);
50 static void request_info(void)
52 gnutls_ocsp_req_t req;
57 ret = gnutls_ocsp_req_init(&req);
59 fprintf(stderr, "ocsp_req_init: %s\n", gnutls_strerror(ret));
63 if (HAVE_OPT(LOAD_REQUEST))
65 (void *) read_binary_file(OPT_ARG(LOAD_REQUEST),
68 dat.data = (void *) fread_file(infile, &size);
69 if (dat.data == NULL) {
70 fprintf(stderr, "error reading request\n");
75 ret = gnutls_ocsp_req_import(req, &dat);
78 fprintf(stderr, "error importing request: %s\n",
79 gnutls_strerror(ret));
83 ret = gnutls_ocsp_req_print(req, GNUTLS_OCSP_PRINT_FULL, &dat);
85 fprintf(stderr, "ocsp_req_print: %s\n",
86 gnutls_strerror(ret));
90 printf("%.*s", dat.size, dat.data);
91 gnutls_free(dat.data);
93 gnutls_ocsp_req_deinit(req);
96 static void _response_info(const gnutls_datum_t * data)
98 gnutls_ocsp_resp_t resp;
102 ret = gnutls_ocsp_resp_init(&resp);
104 fprintf(stderr, "ocsp_resp_init: %s\n",
105 gnutls_strerror(ret));
109 ret = gnutls_ocsp_resp_import(resp, data);
111 fprintf(stderr, "importing response: %s\n",
112 gnutls_strerror(ret));
116 if (ENABLED_OPT(VERBOSE))
118 gnutls_ocsp_resp_print(resp, GNUTLS_OCSP_PRINT_FULL,
122 gnutls_ocsp_resp_print(resp, GNUTLS_OCSP_PRINT_COMPACT,
125 fprintf(stderr, "ocsp_resp_print: %s\n",
126 gnutls_strerror(ret));
130 printf("%.*s", buf.size, buf.data);
131 gnutls_free(buf.data);
133 gnutls_ocsp_resp_deinit(resp);
136 static void response_info(void)
141 if (HAVE_OPT(LOAD_RESPONSE))
143 (void *) read_binary_file(OPT_ARG(LOAD_RESPONSE),
146 dat.data = (void *) fread_file(infile, &size);
147 if (dat.data == NULL) {
148 fprintf(stderr, "error reading response\n");
153 _response_info(&dat);
154 gnutls_free(dat.data);
157 static gnutls_x509_crt_t load_issuer(void)
159 gnutls_x509_crt_t crt;
164 if (!HAVE_OPT(LOAD_ISSUER)) {
165 fprintf(stderr, "missing --load-issuer\n");
169 ret = gnutls_x509_crt_init(&crt);
171 fprintf(stderr, "crt_init: %s\n", gnutls_strerror(ret));
175 dat.data = (void *) read_binary_file(OPT_ARG(LOAD_ISSUER), &size);
179 fprintf(stderr, "error reading --load-issuer: %s\n",
180 OPT_ARG(LOAD_ISSUER));
184 ret = gnutls_x509_crt_import(crt, &dat, encoding);
187 fprintf(stderr, "error importing --load-issuer: %s: %s\n",
188 OPT_ARG(LOAD_ISSUER), gnutls_strerror(ret));
195 static gnutls_x509_crt_t load_signer(void)
197 gnutls_x509_crt_t crt;
202 if (!HAVE_OPT(LOAD_SIGNER)) {
203 fprintf(stderr, "missing --load-signer\n");
207 ret = gnutls_x509_crt_init(&crt);
209 fprintf(stderr, "crt_init: %s\n", gnutls_strerror(ret));
213 dat.data = (void *) read_binary_file(OPT_ARG(LOAD_SIGNER), &size);
217 fprintf(stderr, "reading --load-signer: %s\n",
218 OPT_ARG(LOAD_SIGNER));
222 ret = gnutls_x509_crt_import(crt, &dat, encoding);
225 fprintf(stderr, "importing --load-signer: %s: %s\n",
226 OPT_ARG(LOAD_SIGNER), gnutls_strerror(ret));
233 static gnutls_x509_crt_t load_cert(void)
235 gnutls_x509_crt_t crt;
240 if (!HAVE_OPT(LOAD_CERT)) {
241 fprintf(stderr, "missing --load-cert\n");
245 ret = gnutls_x509_crt_init(&crt);
247 fprintf(stderr, "crt_init: %s\n", gnutls_strerror(ret));
251 dat.data = (void *) read_binary_file(OPT_ARG(LOAD_CERT), &size);
255 fprintf(stderr, "reading --load-cert: %s\n",
260 ret = gnutls_x509_crt_import(crt, &dat, encoding);
263 fprintf(stderr, "importing --load-cert: %s: %s\n",
264 OPT_ARG(LOAD_CERT), gnutls_strerror(ret));
271 static void generate_request(gnutls_datum_t *nonce)
275 _generate_request(load_cert(), load_issuer(), &dat, nonce);
277 fwrite(dat.data, 1, dat.size, outfile);
279 gnutls_free(dat.data);
283 static int _verify_response(gnutls_datum_t * data, gnutls_datum_t * nonce,
284 gnutls_x509_crt_t signer)
286 gnutls_ocsp_resp_t resp;
289 gnutls_x509_crt_t *x509_ca_list = NULL;
290 gnutls_x509_trust_list_t list;
291 unsigned int x509_ncas = 0;
295 ret = gnutls_ocsp_resp_init(&resp);
297 fprintf(stderr, "ocsp_resp_init: %s\n",
298 gnutls_strerror(ret));
302 ret = gnutls_ocsp_resp_import(resp, data);
304 fprintf(stderr, "importing response: %s\n",
305 gnutls_strerror(ret));
310 gnutls_datum_t rnonce;
312 ret = gnutls_ocsp_resp_get_nonce(resp, NULL, &rnonce);
314 fprintf(stderr, "could not read response's nonce: %s\n",
315 gnutls_strerror(ret));
319 if (rnonce.size != nonce->size || memcmp(nonce->data, rnonce.data,
321 fprintf(stderr, "nonce in the response doesn't match\n");
325 gnutls_free(rnonce.data);
328 if (HAVE_OPT(LOAD_TRUST)) {
330 (void *) read_binary_file(OPT_ARG(LOAD_TRUST), &size);
331 if (dat.data == NULL) {
332 fprintf(stderr, "reading --load-trust: %s\n",
333 OPT_ARG(LOAD_TRUST));
338 ret = gnutls_x509_trust_list_init(&list, 0);
340 fprintf(stderr, "gnutls_x509_trust_list_init: %s\n",
341 gnutls_strerror(ret));
346 gnutls_x509_crt_list_import2(&x509_ca_list, &x509_ncas,
347 &dat, GNUTLS_X509_FMT_PEM,
349 if (ret < 0 || x509_ncas < 1) {
350 fprintf(stderr, "error parsing CAs: %s\n",
351 gnutls_strerror(ret));
355 if (HAVE_OPT(VERBOSE)) {
357 printf("Trust anchors:\n");
358 for (i = 0; i < x509_ncas; i++) {
362 gnutls_x509_crt_print(x509_ca_list[i],
363 GNUTLS_CRT_PRINT_ONELINE,
367 "gnutls_x509_crt_print: %s\n",
368 gnutls_strerror(ret));
372 printf("%d: %.*s\n", i, out.size,
374 gnutls_free(out.data);
380 gnutls_x509_trust_list_add_cas(list, x509_ca_list,
383 fprintf(stderr, "gnutls_x509_trust_add_cas: %s\n",
384 gnutls_strerror(ret));
388 if (HAVE_OPT(VERBOSE))
389 fprintf(stdout, "Loaded %d trust anchors\n",
392 ret = gnutls_ocsp_resp_verify(resp, list, &verify, 0);
394 fprintf(stderr, "gnutls_ocsp_resp_verify: %s\n",
395 gnutls_strerror(ret));
399 if (HAVE_OPT(VERBOSE)) {
403 gnutls_x509_crt_print(signer,
404 GNUTLS_CRT_PRINT_ONELINE,
408 "gnutls_x509_crt_print: %s\n",
409 gnutls_strerror(ret));
413 printf("Signer: %.*s\n", out.size, out.data);
414 gnutls_free(out.data);
419 gnutls_ocsp_resp_verify_direct(resp, signer, &verify,
423 "gnutls_ocsp_resp_verify_direct: %s\n",
424 gnutls_strerror(ret));
428 fprintf(stderr, "missing --load-trust or --load-signer\n");
432 printf("Verifying OCSP Response: ");
433 print_ocsp_verify_res(verify);
436 gnutls_ocsp_resp_deinit(resp);
441 static void verify_response(gnutls_datum_t *nonce)
445 gnutls_x509_crt_t signer;
447 if (HAVE_OPT(LOAD_RESPONSE))
449 (void *) read_binary_file(OPT_ARG(LOAD_RESPONSE),
452 dat.data = (void *) fread_file(infile, &size);
453 if (dat.data == NULL) {
454 fprintf(stderr, "error reading response\n");
459 signer = load_signer();
461 _verify_response(&dat, nonce, signer);
464 static void ask_server(const char *url)
466 gnutls_datum_t resp_data;
468 gnutls_x509_crt_t cert, issuer;
469 unsigned char noncebuf[23];
470 gnutls_datum_t nonce = { noncebuf, sizeof(noncebuf) };
474 issuer = load_issuer();
476 if (ENABLED_OPT(NONCE)) {
478 gnutls_rnd(GNUTLS_RND_NONCE, nonce.data, nonce.size);
480 fprintf(stderr, "gnutls_rnd: %s\n",
481 gnutls_strerror(ret));
491 send_ocsp_request(url, cert, issuer, &resp_data, n);
493 fprintf(stderr, "Cannot send OCSP request\n");
497 _response_info(&resp_data);
499 if (HAVE_OPT(LOAD_TRUST)) {
500 v = _verify_response(&resp_data, n, NULL);
501 } else if (HAVE_OPT(LOAD_SIGNER)) {
502 v = _verify_response(&resp_data, n, load_signer());
505 "\nAssuming response's signer = issuer (use --load-signer to override).\n");
507 v = _verify_response(&resp_data, n, issuer);
510 if (HAVE_OPT(OUTFILE) && v == 0) {
511 fwrite(resp_data.data, 1, resp_data.size, outfile);
515 int main(int argc, char **argv)
519 if ((ret = gnutls_global_init()) < 0) {
520 fprintf(stderr, "global_init: %s\n", gnutls_strerror(ret));
524 optionProcess(&ocsptoolOptions, argc, argv);
526 gnutls_global_set_log_function(tls_log_func);
527 gnutls_global_set_log_level(OPT_VALUE_DEBUG);
529 if (HAVE_OPT(OUTFILE)) {
530 outfile = fopen(OPT_ARG(OUTFILE), "wb");
531 if (outfile == NULL) {
532 fprintf(stderr, "%s\n", OPT_ARG(OUTFILE));
538 if (HAVE_OPT(INFILE)) {
539 infile = fopen(OPT_ARG(INFILE), "rb");
540 if (infile == NULL) {
541 fprintf(stderr, "%s\n", OPT_ARG(INFILE));
547 if (ENABLED_OPT(INDER))
548 encoding = GNUTLS_X509_FMT_DER;
550 encoding = GNUTLS_X509_FMT_PEM;
552 if (HAVE_OPT(REQUEST_INFO))
554 else if (HAVE_OPT(RESPONSE_INFO))
556 else if (HAVE_OPT(GENERATE_REQUEST))
557 generate_request(NULL);
558 else if (HAVE_OPT(VERIFY_RESPONSE))
559 verify_response(NULL);
560 else if (HAVE_OPT(ASK))
561 ask_server(OPT_ARG(ASK));