www.gitorious.org Git - gnutls:gnutls.git/blob

1 /*

3 *

4 * This file is part of GnuTLS.

5 *

6 * GnuTLS is free software: you can redistribute it and/or modify it

7 * under the terms of the GNU General Public License as published by

8 * the Free Software Foundation, either version 3 of the License, or

9 * (at your option) any later version.

10 *

11 * GnuTLS is distributed in the hope that it will be useful, but

12 * WITHOUT ANY WARRANTY; without even the implied warranty of

13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU

14 * General Public License for more details.

15 *

16 * You should have received a copy of the GNU General Public License

17 * along with this program. If not, see

18 * <http://www.gnu.org/licenses/>.

19 */

21 #include <config.h>

23 #include <stdio.h>

24 #include <stdlib.h>

25 #include <string.h>

26 #include <errno.h>

28 #include <gnutls/gnutls.h>

29 #include <gnutls/ocsp.h>

30 #include <gnutls/x509.h>

31 #include <gnutls/crypto.h>

33 /* Gnulib portability files. */

34 #include <read-file.h>

35 #include <socket.h>

37 #include <ocsptool-common.h>

39 #define MAX_BUF 4*1024

40 #define HEADER_PATTERN "POST /%s HTTP/1.1\r\n" \

41 "Host: %s\r\n" \

42 "Accept: */*\r\n" \

43 "Content-Type: application/ocsp-request\r\n" \

44 "Content-Length: %u\r\n" \

45 "Connection: close\r\n\r\n"

46 static char buffer[MAX_BUF + 1];

48 /* returns the host part of a URL */

49 static const char *host_from_url(const char *url, unsigned int *port, const char **path)

50 {

51 static char hostname[512];

52 char *p;

54 *port = 0;

55 *path = "";

57 if ((p = strstr(url, "http://")) != NULL) {

58 snprintf(hostname, sizeof(hostname), "%s", p + 7);

59 p = strchr(hostname, '/');

60 if (p != NULL) {

61 *p = 0;

62 *path = p+1;

63 }

65 p = strchr(hostname, ':');

66 if (p != NULL) {

67 *p = 0;

68 *port = atoi(p + 1);

69 }

71 return hostname;

72 } else {

73 return url;

74 }

75 }

77 void

78 _generate_request(gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,

79 gnutls_datum_t * rdata, gnutls_datum_t *nonce)

80 {

81 gnutls_ocsp_req_t req;

82 int ret;

84 ret = gnutls_ocsp_req_init(&req);

85 if (ret < 0) {

86 fprintf(stderr, "ocsp_req_init: %s", gnutls_strerror(ret));

87 exit(1);

88 }

90 ret = gnutls_ocsp_req_add_cert(req, GNUTLS_DIG_SHA1, issuer, cert);

91 if (ret < 0) {

92 fprintf(stderr, "ocsp_req_add_cert: %s",

93 gnutls_strerror(ret));

94 exit(1);

95 }

97 if (nonce) {

98 ret = gnutls_ocsp_req_set_nonce(req, 0, nonce);

99 if (ret < 0) {

100 fprintf(stderr, "ocsp_req_set_nonce: %s",

101 gnutls_strerror(ret));

102 exit(1);

103 }

104 }

105

106 ret = gnutls_ocsp_req_export(req, rdata);

107 if (ret != 0) {

108 fprintf(stderr, "ocsp_req_export: %s",

109 gnutls_strerror(ret));

110 exit(1);

111 }

112

113 gnutls_ocsp_req_deinit(req);

114 return;

115 }

116

117 static size_t get_data(void *buffer, size_t size, size_t nmemb,

118 void *userp)

119 {

120 gnutls_datum_t *ud = userp;

121

122 size *= nmemb;

123

124 ud->data = realloc(ud->data, size + ud->size);

125 if (ud->data == NULL) {

126 fprintf(stderr, "Not enough memory for the request\n");

127 exit(1);

128 }

129

130 memcpy(&ud->data[ud->size], buffer, size);

131 ud->size += size;

132

133 return size;

134 }

135

136 /* Returns 0 on ok, and -1 on error */

137 int send_ocsp_request(const char *server,

138 gnutls_x509_crt_t cert, gnutls_x509_crt_t issuer,

139 gnutls_datum_t * resp_data, gnutls_datum_t *nonce)

140 {

141 gnutls_datum_t ud;

142 int ret;

143 gnutls_datum_t req;

144 char *url = (void *) server;

145 char headers[1024];

146 char service[16];

147 unsigned char *p;

148 const char *hostname;

149 const char *path = "";

150 unsigned int headers_size = 0, port;

151 socket_st hd;

152

153 sockets_init();

154

155 if (url == NULL) {

156 /* try to read URL from issuer certificate */

157 gnutls_datum_t data;

158

159 ret = gnutls_x509_crt_get_authority_info_access(cert, 0,

160 GNUTLS_IA_OCSP_URI,

161 &data,

162 NULL);

163

164 if (ret < 0)

165 ret =

166 gnutls_x509_crt_get_authority_info_access

167 (issuer, 0, GNUTLS_IA_OCSP_URI, &data, NULL);

168 if (ret < 0) {

169 fprintf(stderr,

170 "Cannot find URL from issuer: %s\n",

171 gnutls_strerror(ret));

172 return -1;

173 }

174

175 url = malloc(data.size + 1);

176 memcpy(url, data.data, data.size);

177 url[data.size] = 0;

178

179 gnutls_free(data.data);

180 }

181

182 hostname = host_from_url(url, &port, &path);

183 if (port != 0)

184 snprintf(service, sizeof(service), "%u", port);

185 else

186 strcpy(service, "80");

187

188 fprintf(stderr, "Connecting to OCSP server: %s...\n", hostname);

189

190 memset(&ud, 0, sizeof(ud));

191

192 _generate_request(cert, issuer, &req, nonce);

193

194 snprintf(headers, sizeof(headers), HEADER_PATTERN, path, hostname,

195 (unsigned int) req.size);

196 headers_size = strlen(headers);

197

198 socket_open(&hd, hostname, service, 0);

199

200 socket_send(&hd, headers, headers_size);

201 socket_send(&hd, req.data, req.size);

202

203 do {

204 ret = socket_recv(&hd, buffer, sizeof(buffer));

205 if (ret > 0)

206 get_data(buffer, ret, 1, &ud);

207 } while (ret > 0);

208

209 if (ret < 0 || ud.size == 0) {

210 perror("recv");

211 return -1;

212 }

213

214 socket_bye(&hd);

215

216 p = memmem(ud.data, ud.size, "\r\n\r\n", 4);

217 if (p == NULL) {

218 fprintf(stderr, "Cannot interpret HTTP response\n");

219 return -1;

220 }

221

222 p += 4;

223 resp_data->size = ud.size - (p - ud.data);

224 resp_data->data = malloc(resp_data->size);

225 if (resp_data->data == NULL)

226 return -1;

227

228 memcpy(resp_data->data, p, resp_data->size);

229

230 free(ud.data);

231

232 return 0;

233 }

234

235 void print_ocsp_verify_res(unsigned int output)

236 {

237 int comma = 0;

238

239 if (output) {

240 printf("Failure");

241 comma = 1;

242 } else {

243 printf("Success");

244 comma = 1;

245 }

246

247 if (output & GNUTLS_OCSP_VERIFY_SIGNER_NOT_FOUND) {

248 if (comma)

249 printf(", ");

250 printf("Signer cert not found");

251 comma = 1;

252 }

253

254 if (output & GNUTLS_OCSP_VERIFY_SIGNER_KEYUSAGE_ERROR) {

255 if (comma)

256 printf(", ");

257 printf("Signer cert keyusage error");

258 comma = 1;

259 }

260

261 if (output & GNUTLS_OCSP_VERIFY_UNTRUSTED_SIGNER) {

262 if (comma)

263 printf(", ");

264 printf("Signer cert is not trusted");

265 comma = 1;

266 }

267

268 if (output & GNUTLS_OCSP_VERIFY_INSECURE_ALGORITHM) {

269 if (comma)

270 printf(", ");

271 printf("Insecure algorithm");

272 comma = 1;

273 }

274

275 if (output & GNUTLS_OCSP_VERIFY_SIGNATURE_FAILURE) {

276 if (comma)

277 printf(", ");

278 printf("Signature failure");

279 comma = 1;

280 }

281

282 if (output & GNUTLS_OCSP_VERIFY_CERT_NOT_ACTIVATED) {

283 if (comma)

284 printf(", ");

285 printf("Signer cert not yet activated");

286 comma = 1;

287 }

288

289 if (output & GNUTLS_OCSP_VERIFY_CERT_EXPIRED) {

290 if (comma)

291 printf(", ");

292 printf("Signer cert expired");

293 comma = 1;

294 }

295 }

296

297 /* three days */

298 #define OCSP_VALIDITY_SECS (3*60*60*24)

299

300 /* Returns:

301 * 0: certificate is revoked

302 * 1: certificate is ok

303 * -1: dunno

304 */

305 int

306 check_ocsp_response(gnutls_x509_crt_t cert,

307 gnutls_x509_crt_t issuer, gnutls_datum_t * data,

308 gnutls_datum_t * nonce)

309 {

310 gnutls_ocsp_resp_t resp;

311 int ret;

312 unsigned int status, cert_status;

313 time_t rtime, vtime, ntime, now;

314

315 now = time(0);

316

317 ret = gnutls_ocsp_resp_init(&resp);

318 if (ret < 0) {

319 fprintf(stderr, "ocsp_resp_init: %s",

320 gnutls_strerror(ret));

321 exit(1);

322 }

323

324 ret = gnutls_ocsp_resp_import(resp, data);

325 if (ret < 0) {

326 fprintf(stderr, "importing response: %s",

327 gnutls_strerror(ret));

328 exit(1);

329 }

330

331 ret = gnutls_ocsp_resp_check_crt(resp, 0, cert);

332 if (ret < 0) {

333 printf

334 ("*** Got OCSP response on an unrelated certificate (ignoring)\n");

335 ret = -1;

336 goto cleanup;

337 }

338

339 ret = gnutls_ocsp_resp_verify_direct(resp, issuer, &status, 0);

340 if (ret < 0) {

341 fprintf(stderr, "gnutls_ocsp_resp_verify_direct: %s",

342 gnutls_strerror(ret));

343 exit(1);

344 }

345

346 if (status != 0) {

347 printf("*** Verifying OCSP Response: ");

348 print_ocsp_verify_res(status);

349 printf(".\n");

350 }

351

352 /* do not print revocation data if response was not verified */

353 if (status != 0) {

354 ret = -1;

355 goto cleanup;

356 }

357

358

359 ret = gnutls_ocsp_resp_get_single(resp, 0, NULL, NULL, NULL, NULL,

360 &cert_status, &vtime, &ntime,

361 &rtime, NULL);

362 if (ret < 0) {

363 fprintf(stderr, "reading response: %s",

364 gnutls_strerror(ret));

365 exit(1);

366 }

367

368 if (cert_status == GNUTLS_OCSP_CERT_REVOKED) {

369 printf("*** Certificate was revoked at %s", ctime(&rtime));

370 ret = 0;

371 goto cleanup;

372 }

373

374 if (ntime == -1) {

375 if (now - vtime > OCSP_VALIDITY_SECS) {

376 printf

377 ("*** The OCSP response is old (was issued at: %s) ignoring",

378 ctime(&vtime));

379 ret = -1;

380 goto cleanup;

381 }

382 } else {

383 /* there is a newer OCSP answer, don't trust this one */

384 if (ntime < now) {

385 printf

386 ("*** The OCSP response was issued at: %s, but there is a newer issue at %s",

387 ctime(&vtime), ctime(&ntime));

388 ret = -1;

389 goto cleanup;

390 }

391 }

392

393 if (nonce) {

394 gnutls_datum_t rnonce;

395

396 ret = gnutls_ocsp_resp_get_nonce(resp, NULL, &rnonce);

397 if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {

398 fprintf(stderr, "*** The OCSP reply did not include the requested nonce.\n");

399 goto finish_ok;

400 }

401

402 if (ret < 0) {

403 fprintf(stderr, "could not read response's nonce: %s\n",

404 gnutls_strerror(ret));

405 exit(1);

406 }

407

408 if (rnonce.size != nonce->size || memcmp(nonce->data, rnonce.data,

409 nonce->size) != 0) {

410 fprintf(stderr, "nonce in the response doesn't match\n");

411 exit(1);

412 }

413

414 gnutls_free(rnonce.data);

415 }

416

417 finish_ok:

418 printf("- OCSP server flags certificate not revoked as of %s",

419 ctime(&vtime));

420 ret = 1;

421 cleanup:

422 gnutls_ocsp_resp_deinit(resp);

423

424 return ret;

425 }