mirror of
https://github.com/guanzhi/GmSSL.git
synced 2026-06-27 15:43:42 +08:00
Add ocspget
This commit is contained in:
Zhi Guan
@@ -20,6 +20,7 @@ extern int certparse_main(int argc, char **argv);
|
||||
extern int certverify_main(int argc, char **argv);
|
||||
extern int certrevoke_main(int argc, char **argv);
|
||||
extern int ocspreq_main(int argc, char **argv);
|
||||
extern int ocspget_main(int argc, char **argv);
|
||||
extern int ocspsign_main(int argc, char **argv);
|
||||
extern int ocspverify_main(int argc, char **argv);
|
||||
extern int crlget_main(int argc, char **argv);
|
||||
@@ -197,6 +198,7 @@ static const char *options =
|
||||
" certverify Verify certificate chain\n"
|
||||
" certrevoke Revoke certificate and output RevokedCertificate record\n"
|
||||
" ocspreq Generate OCSPRequest\n"
|
||||
" ocspget Download OCSPResponse from OCSP responder\n"
|
||||
" ocspsign Sign OCSPResponse\n"
|
||||
" ocspverify Verify OCSPResponse\n"
|
||||
#ifdef ENABLE_CMS
|
||||
@@ -292,6 +294,8 @@ int main(int argc, char **argv)
|
||||
return certrevoke_main(argc, argv);
|
||||
} else if (!strcmp(*argv, "ocspreq")) {
|
||||
return ocspreq_main(argc, argv);
|
||||
} else if (!strcmp(*argv, "ocspget")) {
|
||||
return ocspget_main(argc, argv);
|
||||
} else if (!strcmp(*argv, "ocspsign")) {
|
||||
return ocspsign_main(argc, argv);
|
||||
} else if (!strcmp(*argv, "ocspverify")) {
|
||||
|
||||
273
tools/ocspget.c
Normal file
273
tools/ocspget.c
Normal file
@@ -0,0 +1,273 @@
|
||||
/*
|
||||
* Copyright 2014-2026 The GmSSL Project. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the License);
|
||||
* you may not use this file except in compliance with the License.
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*/
|
||||
|
||||
|
||||
#include <stdio.h>
|
||||
#include <errno.h>
|
||||
#include <string.h>
|
||||
#include <stdlib.h>
|
||||
#include <gmssl/asn1.h>
|
||||
#include <gmssl/digest.h>
|
||||
#include <gmssl/x509.h>
|
||||
#include <gmssl/x509_ext.h>
|
||||
#include <gmssl/ocsp.h>
|
||||
#include <gmssl/error.h>
|
||||
|
||||
|
||||
#define OCSP_RESPONSE_MAX_SIZE 131072
|
||||
|
||||
static const char *options = "-cert pem [-url str] [-digest name] [-out der] [-verbose]";
|
||||
|
||||
static const char *help =
|
||||
"Options\n"
|
||||
"\n"
|
||||
" -cert pem Input certificate chain file in PEM format\n"
|
||||
" The first certificate is the certificate to be checked\n"
|
||||
" The second certificate is its issuer certificate\n"
|
||||
" -url str OCSP responder URL, overrides the OCSP URI in certificate AIA\n"
|
||||
" -digest name Digest algorithm for CertID, default sm3\n"
|
||||
" -out der | stdout Output OCSPResponse in DER format\n"
|
||||
" -verbose Print AuthorityInfoAccess, OCSPRequest and OCSPResponse to stderr\n"
|
||||
"\n"
|
||||
"Examples\n"
|
||||
"\n"
|
||||
" gmssl ocspget -cert chain.pem -out resp.der\n"
|
||||
" gmssl ocspget -cert chain.pem -url http://ocsp.example.com -out resp.der -verbose\n"
|
||||
"\n";
|
||||
|
||||
static int ocsp_request_der_print(FILE *fp, const uint8_t *req, size_t reqlen)
|
||||
{
|
||||
const uint8_t *p = req;
|
||||
size_t len = reqlen;
|
||||
const uint8_t *d;
|
||||
size_t dlen;
|
||||
|
||||
if (asn1_sequence_from_der(&d, &dlen, &p, &len) != 1
|
||||
|| asn1_length_is_zero(len) != 1
|
||||
|| ocsp_request_print(fp, 0, 0, "OCSPRequest", d, dlen) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
static int ocsp_response_der_print(FILE *fp, const uint8_t *resp, size_t resplen)
|
||||
{
|
||||
const uint8_t *p = resp;
|
||||
size_t len = resplen;
|
||||
const uint8_t *d;
|
||||
size_t dlen;
|
||||
|
||||
if (asn1_sequence_from_der(&d, &dlen, &p, &len) != 1
|
||||
|| asn1_length_is_zero(len) != 1
|
||||
|| ocsp_response_print(fp, 0, 0, "OCSPResponse", d, dlen) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
static int x509_cert_get_ocsp_uri(const uint8_t *cert, size_t certlen,
|
||||
const char **uri, size_t *urilen, int verbose)
|
||||
{
|
||||
int ret;
|
||||
const uint8_t *exts;
|
||||
size_t extslen;
|
||||
int critical;
|
||||
const uint8_t *val;
|
||||
size_t vlen;
|
||||
const char *ca_issuers_uri;
|
||||
size_t ca_issuers_urilen;
|
||||
const uint8_t *p;
|
||||
size_t len;
|
||||
|
||||
if (!cert || !certlen || !uri || !urilen) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
*uri = NULL;
|
||||
*urilen = 0;
|
||||
|
||||
if ((ret = x509_cert_get_exts(cert, certlen, &exts, &extslen)) != 1) {
|
||||
if (ret < 0) error_print();
|
||||
return ret;
|
||||
}
|
||||
if (!exts || !extslen) {
|
||||
return 0;
|
||||
}
|
||||
if ((ret = x509_exts_get_ext_by_oid(exts, extslen, OID_pe_authority_info_access,
|
||||
&critical, &val, &vlen)) != 1) {
|
||||
if (ret < 0) error_print();
|
||||
return ret;
|
||||
}
|
||||
if (verbose) {
|
||||
p = val;
|
||||
len = vlen;
|
||||
if (x509_authority_info_access_print(stderr, 0, 0,
|
||||
"AuthorityInfoAccess", p, len) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
if (x509_authority_info_access_from_der(
|
||||
&ca_issuers_uri, &ca_issuers_urilen,
|
||||
uri, urilen, &val, &vlen) != 1
|
||||
|| asn1_length_is_zero(vlen) != 1) {
|
||||
error_print();
|
||||
return -1;
|
||||
}
|
||||
return *uri ? 1 : 0;
|
||||
}
|
||||
|
||||
int ocspget_main(int argc, char **argv)
|
||||
{
|
||||
int ret = 1;
|
||||
char *prog = argv[0];
|
||||
char *certfile = NULL;
|
||||
char *outfile = NULL;
|
||||
char *url = NULL;
|
||||
char *digest_name_str = "sm3";
|
||||
FILE *certfp = NULL;
|
||||
FILE *outfp = stdout;
|
||||
const DIGEST *digest;
|
||||
int verbose = 0;
|
||||
const char *ocsp_uri = NULL;
|
||||
size_t ocsp_uri_len = 0;
|
||||
|
||||
uint8_t cert[OCSP_MAX_CERT_SIZE];
|
||||
size_t certlen = 0;
|
||||
uint8_t issuer_cert[OCSP_MAX_CERT_SIZE];
|
||||
size_t issuer_certlen = 0;
|
||||
uint8_t req[OCSP_MAX_REQUEST_SIZE];
|
||||
size_t reqlen = 0;
|
||||
uint8_t resp[OCSP_RESPONSE_MAX_SIZE];
|
||||
size_t resplen = 0;
|
||||
|
||||
argc--;
|
||||
argv++;
|
||||
|
||||
while (argc > 0) {
|
||||
if (!strcmp(*argv, "-help")) {
|
||||
printf("usage: %s %s\n", prog, options);
|
||||
printf("%s\n", help);
|
||||
ret = 0;
|
||||
goto end;
|
||||
} else if (!strcmp(*argv, "-cert")) {
|
||||
if (--argc < 1) goto bad;
|
||||
certfile = *(++argv);
|
||||
if (!(certfp = fopen(certfile, "rb"))) {
|
||||
fprintf(stderr, "%s: open '%s' failure : %s\n", prog, certfile, strerror(errno));
|
||||
goto end;
|
||||
}
|
||||
} else if (!strcmp(*argv, "-url")) {
|
||||
if (--argc < 1) goto bad;
|
||||
url = *(++argv);
|
||||
} else if (!strcmp(*argv, "-digest")) {
|
||||
if (--argc < 1) goto bad;
|
||||
digest_name_str = *(++argv);
|
||||
} else if (!strcmp(*argv, "-out")) {
|
||||
if (--argc < 1) goto bad;
|
||||
outfile = *(++argv);
|
||||
if (!(outfp = fopen(outfile, "wb"))) {
|
||||
fprintf(stderr, "%s: open '%s' failure : %s\n", prog, outfile, strerror(errno));
|
||||
goto end;
|
||||
}
|
||||
} else if (!strcmp(*argv, "-verbose")) {
|
||||
verbose = 1;
|
||||
} else {
|
||||
fprintf(stderr, "%s: illegal option `%s`\n", prog, *argv);
|
||||
goto end;
|
||||
bad:
|
||||
fprintf(stderr, "%s: `%s` option value missing\n", prog, *argv);
|
||||
goto end;
|
||||
}
|
||||
|
||||
argc--;
|
||||
argv++;
|
||||
}
|
||||
|
||||
if (!certfile) {
|
||||
fprintf(stderr, "%s: `-cert` option required\n", prog);
|
||||
goto end;
|
||||
}
|
||||
if (!(digest = digest_from_name(digest_name_str))) {
|
||||
fprintf(stderr, "%s: invalid `-digest` value\n", prog);
|
||||
goto end;
|
||||
}
|
||||
if (x509_cert_from_pem(cert, &certlen, sizeof(cert), certfp) != 1) {
|
||||
fprintf(stderr, "%s: read certificate failure\n", prog);
|
||||
goto end;
|
||||
}
|
||||
if (x509_cert_from_pem(issuer_cert, &issuer_certlen, sizeof(issuer_cert), certfp) != 1) {
|
||||
fprintf(stderr, "%s: read issuer certificate failure\n", prog);
|
||||
goto end;
|
||||
}
|
||||
if (url) {
|
||||
if (verbose) {
|
||||
const char *cert_ocsp_uri;
|
||||
size_t cert_ocsp_uri_len;
|
||||
if ((ret = x509_cert_get_ocsp_uri(cert, certlen,
|
||||
&cert_ocsp_uri, &cert_ocsp_uri_len, verbose)) < 0) {
|
||||
error_print();
|
||||
ret = 1;
|
||||
goto end;
|
||||
}
|
||||
if (ret == 0) {
|
||||
fprintf(stderr, "%s: no OCSP URI found in certificate\n", prog);
|
||||
}
|
||||
}
|
||||
ocsp_uri = url;
|
||||
ocsp_uri_len = strlen(url);
|
||||
} else {
|
||||
if ((ret = x509_cert_get_ocsp_uri(cert, certlen,
|
||||
&ocsp_uri, &ocsp_uri_len, verbose)) != 1) {
|
||||
if (ret < 0) error_print();
|
||||
else fprintf(stderr, "%s: no OCSP URI found in certificate\n", prog);
|
||||
ret = 1;
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
if (verbose) {
|
||||
fprintf(stderr, "OCSP responder: %.*s\n", (int)ocsp_uri_len, ocsp_uri);
|
||||
}
|
||||
|
||||
if (ocsp_request_generate(req, &reqlen, sizeof(req),
|
||||
cert, certlen, issuer_cert, issuer_certlen, digest) != 1) {
|
||||
fprintf(stderr, "%s: generate OCSPRequest failure\n", prog);
|
||||
goto end;
|
||||
}
|
||||
if (verbose && ocsp_request_der_print(stderr, req, reqlen) != 1) {
|
||||
fprintf(stderr, "%s: print OCSPRequest failure\n", prog);
|
||||
goto end;
|
||||
}
|
||||
|
||||
if ((ret = ocsp_response_get_from_uri(ocsp_uri, ocsp_uri_len,
|
||||
req, reqlen, resp, &resplen, sizeof(resp))) != 1) {
|
||||
if (ret < 0) error_print();
|
||||
else fprintf(stderr, "%s: OCSPResponse too large\n", prog);
|
||||
ret = 1;
|
||||
goto end;
|
||||
}
|
||||
if (verbose && ocsp_response_der_print(stderr, resp, resplen) != 1) {
|
||||
fprintf(stderr, "%s: print OCSPResponse failure\n", prog);
|
||||
goto end;
|
||||
}
|
||||
|
||||
if (fwrite(resp, 1, resplen, outfp) != resplen) {
|
||||
fprintf(stderr, "%s: output failure : %s\n", prog, strerror(errno));
|
||||
goto end;
|
||||
}
|
||||
|
||||
ret = 0;
|
||||
|
||||
end:
|
||||
if (certfp) fclose(certfp);
|
||||
if (outfile && outfp) fclose(outfp);
|
||||
return ret;
|
||||
}
|
||||
Reference in New Issue
Block a user