[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[SCM] GNU gnutls branch, ocsp, updated. gnutls_3_0_9-39-gca5bd60
|
From: |
Simon Josefsson |
|
Subject: |
[SCM] GNU gnutls branch, ocsp, updated. gnutls_3_0_9-39-gca5bd60 |
|
Date: |
Tue, 20 Dec 2011 18:13:25 +0000 |
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".
http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=ca5bd60927902794b80924cdec5fe1c5fbacd906
The branch, ocsp has been updated
via ca5bd60927902794b80924cdec5fe1c5fbacd906 (commit)
via 44d0e61d00215452814533ede4c775a385a62afc (commit)
from 59199a02d215a09aa13220e6621986fb76a53c92 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit ca5bd60927902794b80924cdec5fe1c5fbacd906
Author: Simon Josefsson <address@hidden>
Date: Tue Dec 20 15:36:11 2011 +0100
Improve OCSP verify documentation, and fix bugs.
commit 44d0e61d00215452814533ede4c775a385a62afc
Author: Simon Josefsson <address@hidden>
Date: Mon Dec 19 16:26:28 2011 +0100
Cleanup OCSP verify code and add ocsptool --load-signer.
-----------------------------------------------------------------------
Summary of changes:
doc/cha-cert-auth2.texi | 111 +++++++++++++++++++++++-
lib/includes/gnutls/ocsp.h | 33 +++++--
lib/x509/ocsp.c | 51 +++++++----
lib/x509/verify-high.c | 11 ++-
lib/x509/verify-high.h | 6 +-
src/ocsptool.c | 212 +++++++++++++++++++++++++++++++++----------
src/ocsptool.gaa | 5 +-
7 files changed, 339 insertions(+), 90 deletions(-)
diff --git a/doc/cha-cert-auth2.texi b/doc/cha-cert-auth2.texi
index 93236b8..00ce6c1 100644
--- a/doc/cha-cert-auth2.texi
+++ b/doc/cha-cert-auth2.texi
@@ -720,7 +720,7 @@ Usage : ocsptool [options]
-h, --help shows this help text
@end example
address@hidden Print information about OCSP requests
address@hidden Print information about an OCSP request
To parse an OCSP request and print information about the content, the
@code{-i} or @code{--request-info} parameter may be used as follows.
@@ -738,7 +738,7 @@ The input file may also be sent to standard input like this:
$ cat ocsp-request.der | ocsptool --request-info
@end smallexample
address@hidden Print information about OCSP responses
address@hidden Print information about an OCSP response
Similar to parsing OCSP requests, OCSP responses can be parsed using
the @code{-j} or @code{--response-info} as follows.
@@ -767,6 +767,113 @@ When generating OCSP requests, the tool will add an OCSP
extension
containing a nonce. This behaviour can be disabled by specifying
@code{--no-nonce}.
address@hidden Verify signature in OCSP response
+
+To verify the signature in an OCSP response the @code{-e} or
address@hidden parameter is used. The tool will read an
+OCSP response in DER format from standard input, or from the file
+specified by @code{--load-response}. The OCSP response is verified
+against a set of trust anchors, which are specified using
address@hidden The trust anchors are concatenated certificates
+in PEM format. The certificate that signed the OCSP response needs to
+be in the set of trust anchors, or the issuer of the signer
+certificate needs to be in the set of trust anchors and the OCSP
+Extended Key Usage bit has to be asserted in the signer certificate.
+
address@hidden
+$ ocsptool -e --load-trust issuer.pem --load-response ocsp-response.der
address@hidden smallexample
+
+The tool will print status of verification.
+
address@hidden Verify signature in OCSP response against given certificate
+
+It is possible to override the normal trust logic if you know that a
+certain certificate is supposed to have signed the OCSP response, and
+you want to use it to check the signature. This is achieved using
address@hidden instead of @code{--load-trust}. This will load
+one certificate and it will be used to verify the signature in the
+OCSP response. It will not check the Extended Key Usage bit.
+
address@hidden
+$ ocsptool -e --load-signer ocsp-signer.pem --load-response ocsp-response.der
address@hidden smallexample
+
+This approach is normally only relevant in two situations. The first
+is when the OCSP response does not contain a copy of the signer
+certificate, so the @code{--load-trust} code would fail. The second
+is if you want to avoid the indirect mode where the OCSP response
+signer certificate is signed by a trust anchor.
+
address@hidden Real-world example
+
+Here is an example of how to generate an OCSP request for a
+certificate and to verify the response. For illustration we'll use
+the @code{blog.josefsson.org} host, which (as of writing) uses a
+certificate from CACert. First we'll use @code{gnutls-cli} to get a
+copy of the server certificate chain. The server is not required to
+send this information, but this particular one is configured to do so.
+
address@hidden
+$ echo | gnutls-cli -p 443 blog.josefsson.org --print-cert > chain.pem
address@hidden smallexample
+
+Use a text editor on @code{chain.pem} to create three files for each
+separate certificates, called @code{cert.pem} for the first
+certificate for the domain itself, secondly @code{issuer.pem} for the
+intermediate certificate and @code{root.pem} for the final root
+certificate.
+
+The issuer certificate normally contains a pointer to where the OCSP
+responder for its end-entity certificates are located, in the
+Authority Information Access Information extension. For example, from
address@hidden -i < issuer.pem} there is this information:
+
address@hidden
+ Authority Information Access Information (not critical):
+ Access Method: 1.3.6.1.5.5.7.48.1 (id-ad-ocsp)
+ Access Location URI: http://ocsp.CAcert.org/
address@hidden smallexample
+
+This means the CA support OCSP queries over HTTP. We are now ready to
+create a OCSP request for the certificate.
+
address@hidden
+$ ocsptool --generate-request --load-issuer issuer.pem --load-cert cert.pem
--outfile ocsp-request.der
address@hidden smallexample
+
+The request is sent base64 encoded via HTTP as follows.
+
address@hidden
+$ wget -O ocsp-response.der http://ocsp.CAcert.org/$(base64 -w0
ocsp-request.der)
address@hidden smallexample
+
+The OCSP response is now in the file @code{ocsp-response.der} and you
+can view it using @code{ocsptool -j < ocsp-response.der}. To verify
+the signature you need to load the issuer as the trust anchor.
+
address@hidden
+$ ocsptool --verify-response --load-trust issuer.pem --load-response
ocsp-response.der
+Verifying OCSP Response: Success.
+$
address@hidden smallexample
+
+This particular OCSP responder includes its signer certificate in the
+OCSP respnose, so you may extract it and use it together with
address@hidden for verifying the signature directly against the
+certificate.
+
address@hidden
+$ ocsptool -j < ocsp-response.der > signer.pem
+$ ocsptool --verify-response --load-signer signer.pem --load-response
ocsp-response.der
+Verifying OCSP Response: Success.
+$
address@hidden smallexample
+
+You may experiment passing different certificates to
address@hidden and @code{--load-signer} to find common error
+conditions.
+
@node Hardware tokens
@section Security modules
@cindex PKCS #11 tokens
diff --git a/lib/includes/gnutls/ocsp.h b/lib/includes/gnutls/ocsp.h
index 1044d21..d55c40a 100644
--- a/lib/includes/gnutls/ocsp.h
+++ b/lib/includes/gnutls/ocsp.h
@@ -75,7 +75,7 @@ extern "C"
* @GNUTLS_OCSP_CERT_UNKNOWN: The responder doesn't know about the
* certificate.
*
- * Enumeration of different OCSP response status codes.
+ * Enumeration of different OCSP response certificate status codes.
*/
typedef enum gnutls_ocsp_cert_status_t
{
@@ -116,14 +116,29 @@ extern "C"
GNUTLS_X509_CRLREASON_AACOMPROMISE = 10
} gnutls_x509_crl_reason_t;
- /* Enumeration of OCSP verify status codes. */
-#define GNUTLS_OCSP_VERIFY_SIGNER_NOT_FOUND 1
-#define GNUTLS_OCSP_VERIFY_SIGNER_KEYUSAGE_ERROR 2
-#define GNUTLS_OCSP_VERIFY_UNTRUSTED_SIGNER 4
-#define GNUTLS_OCSP_VERIFY_INSECURE_ALGORITHM 8
-#define GNUTLS_OCSP_VERIFY_SIGNATURE_FAILURE 16
-#define GNUTLS_OCSP_VERIFY_CERT_NOT_ACTIVATED 32
-#define GNUTLS_OCSP_VERIFY_CERT_EXPIRED 64
+ /**
+ * gnutls_ocsp_verify_reason_t:
+ * @GNUTLS_OCSP_VERIFY_SIGNER_NOT_FOUND: Signer cert not found.
+ * @GNUTLS_OCSP_VERIFY_SIGNER_KEYUSAGE_ERROR: Signer keyusage bits incorrect.
+ * @GNUTLS_OCSP_VERIFY_UNTRUSTED_SIGNER: Signer is not trusted.
+ * @GNUTLS_OCSP_VERIFY_INSECURE_ALGORITHM: Signature using insecure
algorithm.
+ * @GNUTLS_OCSP_VERIFY_SIGNATURE_FAILURE: Signature mismatch.
+ * @GNUTLS_OCSP_VERIFY_CERT_NOT_ACTIVATED: Signer cert is not yet activated.
+ * @GNUTLS_OCSP_VERIFY_CERT_EXPIRED: Signer cert has expired.
+ *
+ * Enumeration of OCSP verify status codes, used by
+ * gnutls_ocsp_resp_verify() and gnutls_ocsp_resp_verify_direct().
+ */
+ typedef enum gnutls_ocsp_verify_reason_t
+ {
+ GNUTLS_OCSP_VERIFY_SIGNER_NOT_FOUND = 1,
+ GNUTLS_OCSP_VERIFY_SIGNER_KEYUSAGE_ERROR = 2,
+ GNUTLS_OCSP_VERIFY_UNTRUSTED_SIGNER = 4,
+ GNUTLS_OCSP_VERIFY_INSECURE_ALGORITHM = 8,
+ GNUTLS_OCSP_VERIFY_SIGNATURE_FAILURE = 16,
+ GNUTLS_OCSP_VERIFY_CERT_NOT_ACTIVATED = 32,
+ GNUTLS_OCSP_VERIFY_CERT_EXPIRED = 64
+ } gnutls_ocsp_verify_reason_t;
struct gnutls_ocsp_req_int;
typedef struct gnutls_ocsp_req_int *gnutls_ocsp_req_t;
diff --git a/lib/x509/ocsp.c b/lib/x509/ocsp.c
index fda1f5f..bba9135 100644
--- a/lib/x509/ocsp.c
+++ b/lib/x509/ocsp.c
@@ -1787,6 +1787,8 @@ gnutls_ocsp_resp_get_certs (gnutls_ocsp_resp_t resp,
return ret;
}
+/* Search the OCSP response for a certificate matching the responderId
+ mentioned in the OCSP response. */
static gnutls_x509_crt_t
find_signercert (gnutls_ocsp_resp_t resp)
{
@@ -1867,7 +1869,7 @@ find_signercert (gnutls_ocsp_resp_t resp)
* gnutls_ocsp_resp_verify_direct:
* @resp: should contain a #gnutls_ocsp_resp_t structure
* @signercert: certificate believed to have signed the response
- * @verify: output variable with verification status codes
+ * @verify: output variable with verification status, an
#gnutls_ocsp_cert_status_t
* @flags: verification flags, 0 for now.
*
* Verify signature of the Basic OCSP Response against the public key
@@ -1936,16 +1938,18 @@ gnutls_ocsp_resp_verify_direct (gnutls_ocsp_resp_t resp,
}
rc = gnutls_pubkey_verify_data2 (pubkey, sigalg, 0, &data, &sig);
- if (rc < 0)
+ if (rc == GNUTLS_E_PK_SIG_VERIFY_FAILED)
+ {
+ gnutls_assert ();
+ *verify = GNUTLS_OCSP_VERIFY_SIGNATURE_FAILURE;
+ }
+ else if (rc < 0)
{
gnutls_assert ();
goto done;
}
-
- if (rc == 1)
- *verify = 0;
else
- *verify = GNUTLS_OCSP_VERIFY_SIGNATURE_FAILURE;
+ *verify = 0;
rc = GNUTLS_E_SUCCESS;
@@ -1961,14 +1965,17 @@ gnutls_ocsp_resp_verify_direct (gnutls_ocsp_resp_t resp,
* gnutls_ocsp_resp_verify:
* @resp: should contain a #gnutls_ocsp_resp_t structure
* @trustlist: trust anchors as a #gnutls_x509_trust_list_t structure
- * @verify: output variable with verification status codes
+ * @verify: output variable with verification status, an
#gnutls_ocsp_cert_status_t
* @flags: verification flags, 0 for now.
*
* Verify signature of the Basic OCSP Response against the public key
* in the certificate of a trusted signer. The @trustlist should be
- * populated with trusted CAs. The function will extract the signer
+ * populated with trust anchors. The function will extract the signer
* certificate from the Basic OCSP Response and will verify it against
- * the @trustlist.
+ * the @trustlist. A trusted signer is a certificate that is either
+ * in @trustlist, or it is signed directly by a certificate in
+ * @trustlist and has the id-ad-ocspSigning Extended Key Usage bit
+ * set.
*
* The output @verify variable will hold verification status codes
* (e.g., %GNUTLS_OCSP_VERIFY_SIGNER_NOT_FOUND,
@@ -2013,26 +2020,26 @@ gnutls_ocsp_resp_verify (gnutls_ocsp_resp_t resp,
goto done;
}
- /* Either it is directly trusted (i.e., in the list) or it is
- directly signed by something we trust, and has proper OCSP
+ /* Either the signer is directly trusted (i.e., in trustlist) or it
+ is directly signed by something in trustlist and has proper OCSP
extkeyusage. */
-
- rc = _gnutls_trustlist_inlist_p (trustlist, signercert);
+ rc = _gnutls_trustlist_inlist (trustlist, signercert);
if (rc < 0)
{
gnutls_assert ();
goto done;
}
-
- /* indirect trust, need to verify signature and bits */
- if (rc == 0)
+ if (rc == 1)
{
+ /* not in trustlist, need to verify signature and bits */
gnutls_x509_crt_t issuer;
unsigned vtmp;
char oidtmp[sizeof (GNUTLS_KP_OCSP_SIGNING)];
size_t oidsize;
int indx;
+ gnutls_assert ();
+
rc = gnutls_x509_trust_list_get_issuer (trustlist, signercert,
&issuer, 0);
if (rc != GNUTLS_E_SUCCESS)
@@ -2052,6 +2059,7 @@ gnutls_ocsp_resp_verify (gnutls_ocsp_resp_t resp,
if (vtmp != 0)
{
+ gnutls_assert ();
if (vtmp & GNUTLS_CERT_INSECURE_ALGORITHM)
*verify = GNUTLS_OCSP_VERIFY_INSECURE_ALGORITHM;
else if (vtmp & GNUTLS_CERT_NOT_ACTIVATED)
@@ -2072,12 +2080,16 @@ gnutls_ocsp_resp_verify (gnutls_ocsp_resp_t resp,
NULL);
if (rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
{
+ gnutls_assert ();
*verify = GNUTLS_OCSP_VERIFY_SIGNER_KEYUSAGE_ERROR;
rc = GNUTLS_E_SUCCESS;
goto done;
}
else if (rc == GNUTLS_E_SHORT_MEMORY_BUFFER)
- continue;
+ {
+ gnutls_assert ();
+ continue;
+ }
else if (rc != GNUTLS_E_SUCCESS)
{
gnutls_assert ();
@@ -2086,9 +2098,8 @@ gnutls_ocsp_resp_verify (gnutls_ocsp_resp_t resp,
if (memcmp (oidtmp, GNUTLS_KP_OCSP_SIGNING, oidsize) != 0)
{
- *verify = GNUTLS_OCSP_VERIFY_SIGNER_KEYUSAGE_ERROR;
- rc = GNUTLS_E_SUCCESS;
- goto done;
+ gnutls_assert ();
+ continue;
}
break;
diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
index 31eb1c0..a3997b1 100644
--- a/lib/x509/verify-high.c
+++ b/lib/x509/verify-high.c
@@ -620,9 +620,10 @@
gnutls_x509_trust_list_verify_named_crt(gnutls_x509_trust_list_t list,
return 0;
}
+/* return 0 if @cert is in @list, 1 if not, or < 0 on error. */
int
-_gnutls_trustlist_inlist_p (gnutls_x509_trust_list_t list,
- gnutls_x509_crt_t cert)
+_gnutls_trustlist_inlist (gnutls_x509_trust_list_t list,
+ gnutls_x509_crt_t cert)
{
gnutls_datum_t dn;
int ret, i;
@@ -649,9 +650,9 @@ _gnutls_trustlist_inlist_p (gnutls_x509_trust_list_t list,
return ret;
}
- if (ret == 1)
- return 1;
+ if (ret == 0)
+ return 0;
}
- return 0;
+ return 1;
}
diff --git a/lib/x509/verify-high.h b/lib/x509/verify-high.h
index 5272806..93ef584 100644
--- a/lib/x509/verify-high.h
+++ b/lib/x509/verify-high.h
@@ -1,7 +1,7 @@
/*
* Copyright (C) 2011 Free Software Foundation, Inc.
*
- * Author: Nikos Mavrogiannopoulos
+ * Author: Simon Josefsson
*
* This file is part of GnuTLS.
*
@@ -20,5 +20,5 @@
*
*/
-int _gnutls_trustlist_inlist_p (gnutls_x509_trust_list_t list,
- gnutls_x509_crt_t cert);
+int _gnutls_trustlist_inlist (gnutls_x509_trust_list_t list,
+ gnutls_x509_crt_t cert);
diff --git a/src/ocsptool.c b/src/ocsptool.c
index 963ccb7..4a7be97 100644
--- a/src/ocsptool.c
+++ b/src/ocsptool.c
@@ -229,61 +229,90 @@ generate_request (void)
}
static void
-verify_response (void)
+print_verify_res (unsigned int output)
{
- gnutls_ocsp_resp_t resp;
- int ret;
- gnutls_datum_t dat;
- size_t size;
- gnutls_x509_crt_t *x509_ca_list = NULL;
- unsigned int x509_ncas = 0;
- gnutls_x509_trust_list_t list;
- unsigned verify;
+ int comma = 0;
- if (info.trust == NULL)
- error (EXIT_FAILURE, 0, "missing --load-trust");
+ if (output)
+ {
+ printf ("Failure");
+ comma = 1;
+ }
+ else
+ {
+ printf ("Success");
+ comma = 1;
+ }
- dat.data = read_binary_file (info.trust, &size);
- if (dat.data == NULL)
- error (EXIT_FAILURE, errno, "reading --load-trust: %s", info.trust);
- dat.size = size;
+ if (output & GNUTLS_OCSP_VERIFY_SIGNER_NOT_FOUND)
+ {
+ if (comma)
+ printf (", ");
+ printf ("Signer cert not found");
+ comma = 1;
+ }
- ret = gnutls_x509_trust_list_init (&list, 0);
- if (ret < 0)
- error (EXIT_FAILURE, 0, "gnutls_x509_trust_list_init: %s",
- gnutls_strerror (ret));
+ if (output & GNUTLS_OCSP_VERIFY_SIGNER_KEYUSAGE_ERROR)
+ {
+ if (comma)
+ printf (", ");
+ printf ("Signer cert keyusage error");
+ comma = 1;
+ }
- ret = gnutls_x509_crt_list_import2 (&x509_ca_list, &x509_ncas, &dat,
- GNUTLS_X509_FMT_PEM, 0);
- if (ret < 0 || x509_ncas < 1)
- error (EXIT_FAILURE, 0, "error parsing CAs: %s",
- gnutls_strerror (ret));
+ if (output & GNUTLS_OCSP_VERIFY_UNTRUSTED_SIGNER)
+ {
+ if (comma)
+ printf (", ");
+ printf ("Signer cert is not trusted");
+ comma = 1;
+ }
- if (info.verbose)
+ if (output & GNUTLS_OCSP_VERIFY_INSECURE_ALGORITHM)
{
- unsigned int i;
- for (i = 0; i < x509_ncas; i++)
- {
- gnutls_datum_t out;
+ if (comma)
+ printf (", ");
+ printf ("Insecure algorithm");
+ comma = 1;
+ }
- ret = gnutls_x509_crt_print (x509_ca_list[i],
- GNUTLS_CRT_PRINT_ONELINE, &out);
- if (ret < 0)
- error (EXIT_FAILURE, 0, "gnutls_x509_crt_print: %s",
- gnutls_strerror (ret));
+ if (output & GNUTLS_OCSP_VERIFY_SIGNATURE_FAILURE)
+ {
+ if (comma)
+ printf (", ");
+ printf ("Signature failure");
+ comma = 1;
+ }
- printf ("Trust anchor %d: %.*s\n", i, out.size, out.data);
- gnutls_free (out.data);
- }
+ if (output & GNUTLS_OCSP_VERIFY_CERT_NOT_ACTIVATED)
+ {
+ if (comma)
+ printf (", ");
+ printf ("Signer cert not yet activated");
+ comma = 1;
}
- ret = gnutls_x509_trust_list_add_cas (list, x509_ca_list, x509_ncas, 0);
- if (ret < 0)
- error (EXIT_FAILURE, 0, "gnutls_x509_trust_add_cas: %s",
- gnutls_strerror (ret));
+ if (output & GNUTLS_OCSP_VERIFY_CERT_EXPIRED)
+ {
+ if (comma)
+ printf (", ");
+ printf ("Signer cert expired");
+ comma = 1;
+ }
+}
- if (info.verbose)
- fprintf (stdout, "Loaded %d trust anchors\n", x509_ncas);
+static void
+verify_response (void)
+{
+ gnutls_ocsp_resp_t resp;
+ int ret;
+ gnutls_datum_t dat;
+ size_t size;
+ gnutls_x509_crt_t *x509_ca_list = NULL;
+ unsigned int x509_ncas = 0;
+ gnutls_x509_trust_list_t list;
+ gnutls_x509_crt_t signer;
+ unsigned verify;
ret = gnutls_ocsp_resp_init (&resp);
if (ret < 0)
@@ -302,15 +331,98 @@ verify_response (void)
if (ret < 0)
error (EXIT_FAILURE, 0, "importing response: %s", gnutls_strerror (ret));
- ret = gnutls_ocsp_resp_verify (resp, list, &verify, 0);
- if (ret < 0)
- error (EXIT_FAILURE, 0, "gnutls_ocsp_resp_verify: %s",
- gnutls_strerror (ret));
+ if (info.trust && info.signer)
+ error (EXIT_FAILURE, 0, "cannot mix --load-trust and --load-signer");
+ else if (info.signer == NULL)
+ {
+ dat.data = read_binary_file (info.trust, &size);
+ if (dat.data == NULL)
+ error (EXIT_FAILURE, errno, "reading --load-trust: %s", info.trust);
+ dat.size = size;
+
+ ret = gnutls_x509_trust_list_init (&list, 0);
+ if (ret < 0)
+ error (EXIT_FAILURE, 0, "gnutls_x509_trust_list_init: %s",
+ gnutls_strerror (ret));
- if (verify == 0)
- printf ("Verifying OCSP Response: Success.\n");
+ ret = gnutls_x509_crt_list_import2 (&x509_ca_list, &x509_ncas, &dat,
+ GNUTLS_X509_FMT_PEM, 0);
+ if (ret < 0 || x509_ncas < 1)
+ error (EXIT_FAILURE, 0, "error parsing CAs: %s",
+ gnutls_strerror (ret));
+
+ if (info.verbose)
+ {
+ unsigned int i;
+ for (i = 0; i < x509_ncas; i++)
+ {
+ gnutls_datum_t out;
+
+ ret = gnutls_x509_crt_print (x509_ca_list[i],
+ GNUTLS_CRT_PRINT_ONELINE, &out);
+ if (ret < 0)
+ error (EXIT_FAILURE, 0, "gnutls_x509_crt_print: %s",
+ gnutls_strerror (ret));
+
+ printf ("Trust anchor %d: %.*s\n", i, out.size, out.data);
+ gnutls_free (out.data);
+ }
+ }
+
+ ret = gnutls_x509_trust_list_add_cas (list, x509_ca_list, x509_ncas, 0);
+ if (ret < 0)
+ error (EXIT_FAILURE, 0, "gnutls_x509_trust_add_cas: %s",
+ gnutls_strerror (ret));
+
+ if (info.verbose)
+ fprintf (stdout, "Loaded %d trust anchors\n", x509_ncas);
+
+ ret = gnutls_ocsp_resp_verify (resp, list, &verify, 0);
+ if (ret < 0)
+ error (EXIT_FAILURE, 0, "gnutls_ocsp_resp_verify: %s",
+ gnutls_strerror (ret));
+ }
+ else if (info.trust == NULL)
+ {
+ ret = gnutls_x509_crt_init (&signer);
+ if (ret < 0)
+ error (EXIT_FAILURE, 0, "crt_init: %s", gnutls_strerror (ret));
+
+ dat.data = read_binary_file (info.signer, &size);
+ if (dat.data == NULL)
+ error (EXIT_FAILURE, errno, "reading --load-signer: %s", info.signer);
+ dat.size = size;
+
+ ret = gnutls_x509_crt_import (signer, &dat, info.inder);
+ free (dat.data);
+ if (ret < 0)
+ error (EXIT_FAILURE, 0, "importing --load-signer: %s: %s",
+ info.signer, gnutls_strerror (ret));
+
+ if (info.verbose)
+ {
+ gnutls_datum_t out;
+
+ ret = gnutls_x509_crt_print (signer, GNUTLS_CRT_PRINT_ONELINE, &out);
+ if (ret < 0)
+ error (EXIT_FAILURE, 0, "gnutls_x509_crt_print: %s",
+ gnutls_strerror (ret));
+
+ printf ("Signer: %.*s\n", out.size, out.data);
+ gnutls_free (out.data);
+ }
+
+ ret = gnutls_ocsp_resp_verify_direct (resp, signer, &verify, 0);
+ if (ret < 0)
+ error (EXIT_FAILURE, 0, "gnutls_ocsp_resp_verify_direct: %s",
+ gnutls_strerror (ret));
+ }
else
- printf ("Verifying OCSP Response: Failed (%d)\n", verify);
+ error (EXIT_FAILURE, 0, "missing --load-trust or --load-signer");
+
+ printf ("Verifying OCSP Response: ");
+ print_verify_res (verify);
+ printf (".\n");
gnutls_ocsp_resp_deinit (resp);
}
diff --git a/src/ocsptool.gaa b/src/ocsptool.gaa
index e0b655c..1f0195d 100644
--- a/src/ocsptool.gaa
+++ b/src/ocsptool.gaa
@@ -33,7 +33,10 @@ option (load-issuer) STR "FILE" { $issuer = $1 } "read
issuer certificate from F
option (load-cert) STR "FILE" { $cert = $1 } "read certificate to check from
FILE."
#char *trust;
-option (load-trust) STR "FILE" { $trust = $1 } "read trust anchors from FILE."
+option (load-trust) STR "FILE" { $trust = $1 } "read OCSP trust anchors from
FILE."
+
+#char *signer;
+option (load-signer) STR "FILE" { $signer = $1 } "read OCSP response signer
from FILE."
#int inder;
option (inder) { $inder=1 } "Use DER format for input certificates."
hooks/post-receive
--
GNU gnutls
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [SCM] GNU gnutls branch, ocsp, updated. gnutls_3_0_9-39-gca5bd60,
Simon Josefsson <=