[SCM] GNU gnutls branch, ocsp, updated. gnutls_3_0_9-44-ge8d8d81
From: |
Simon Josefsson |
Subject: |
[SCM] GNU gnutls branch, ocsp, updated. gnutls_3_0_9-44-ge8d8d81 |
Date: |
Mon, 02 Jan 2012 14:02:30 +0000 |
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".
http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=e8d8d81550523203ac45212462d1624bdcecdd25
The branch, ocsp has been updated
via e8d8d81550523203ac45212462d1624bdcecdd25 (commit)
via 951e9c0db0d49beaee15b40096a36403e7497b7b (commit)
from 71c1a51e5375a4dbe1fb693026fd4157700f877f (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit e8d8d81550523203ac45212462d1624bdcecdd25
Author: Simon Josefsson <address@hidden>
Date: Tue Dec 27 18:19:08 2011 +0100
Add OCSP example.
commit 951e9c0db0d49beaee15b40096a36403e7497b7b
Author: Simon Josefsson <address@hidden>
Date: Tue Dec 27 16:01:09 2011 +0100
OCSP doc fixes.
-----------------------------------------------------------------------
Summary of changes:
.gitignore | 1 +
doc/cha-cert-auth2.texi | 13 ++--
doc/examples/Makefile.am | 7 ++-
doc/examples/ex-ocsp-client.c | 147 +++++++++++++++++++++++++++++++++++++++++
4 files changed, 160 insertions(+), 8 deletions(-)
create mode 100644 doc/examples/ex-ocsp-client.c
diff --git a/.gitignore b/.gitignore
index a353f11..539da25 100644
--- a/.gitignore
+++ b/.gitignore
@@ -543,3 +543,4 @@ tests/slow/keygen
tests/slow/gendh
doc/reference/*.bak
doc/manpages/gnutls_*.3
+doc/examples/ex-ocsp-client
diff --git a/doc/cha-cert-auth2.texi b/doc/cha-cert-auth2.texi
index 12e25f6..dca61ae 100644
--- a/doc/cha-cert-auth2.texi
+++ b/doc/cha-cert-auth2.texi
@@ -825,10 +825,10 @@ certificate for the domain itself, secondly
@code{issuer.pem} for the
intermediate certificate and @code{root.pem} for the final root
certificate.
-The issuer certificate normally contains a pointer to where the OCSP
-responder for its end-entity certificates are located, in the
-Authority Information Access Information extension. For example, from
address@hidden -i < issuer.pem} there is this information:
+The domain certificate normally contains a pointer to where the OCSP
+responder is located, in the Authority Information Access Information
+extension. For example, from @code{certtool -i < cert.pem} there is
+this information:
@smallexample
Authority Information Access Information (not critical):
@@ -843,7 +843,8 @@ create a OCSP request for the certificate.
$ ocsptool --generate-request --load-issuer issuer.pem --load-cert cert.pem
--outfile ocsp-request.der
@end smallexample
-The request is sent base64 encoded via HTTP as follows.
+The request is sent base64 encoded via HTTP to the address indicated
+by the id-ad-ocsp extension, as follows.
@smallexample
$ wget -O ocsp-response.der http://ocsp.CAcert.org/$(base64 -w0
ocsp-request.der)
@@ -873,7 +874,7 @@ $
You may experiment passing different certificates to
@code{--load-trust} and @code{--load-signer} to find common error
-conditions.
+conditions for OCSP response verification failures.
@node Hardware tokens
@section Security modules
diff --git a/doc/examples/Makefile.am b/doc/examples/Makefile.am
index 0ed1eae..a30776c 100644
--- a/doc/examples/Makefile.am
+++ b/doc/examples/Makefile.am
@@ -1,6 +1,5 @@
## Process this file with automake to produce Makefile.in
-# Copyright (C) 2005, 2006, 2007, 2008, 2009, 2010 Free Software
-# Foundation, Inc.
+# Copyright (C) 2005-2011 Free Software Foundation, Inc.
#
# Author: Simon Josefsson
#
@@ -77,6 +76,10 @@ if ENABLE_SRP
noinst_PROGRAMS += ex-client-srp ex-serv-srp
endif
+if ENABLE_OCSP
+noinst_PROGRAMS += ex-ocsp-client
+endif
+
noinst_LTLIBRARIES = libexamples.la
libexamples_la_SOURCES = examples.h ex-alert.c ex-pkcs12.c \
diff --git a/doc/examples/ex-ocsp-client.c b/doc/examples/ex-ocsp-client.c
new file mode 100644
index 0000000..31ceefd
--- /dev/null
+++ b/doc/examples/ex-ocsp-client.c
@@ -0,0 +1,147 @@
+/* This example code is placed in the public domain. */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <gnutls/gnutls.h>
+#include <gnutls/ocsp.h>
+
+#include "read-file.h"
+
+/* This program will read a file (argv[1]) containing a certificate in
+ PEM format and print the "CA issuers" and "OCSP address" extensions
+ for the certificate. If another file is given (argv[2]) it holds
+ the issuer certificate for the first certificate, and another file
+ (argv[3]) should contain a set of trust anchors in PEM format.
+ Then the tool will generate an OCSP request and will read an OCSP
+ response from standard input and verify it against the trust
+ anchors. */
+
+int
+main (int argc, char *argv[])
+{
+ int rc;
+ gnutls_x509_crt_t cert = NULL, issuer = NULL;
+ gnutls_datum_t certdata, issuerdata, tmp;
+ size_t s;
+ unsigned int seq;
+
+ rc = gnutls_global_init ();
+ if (rc < 0)
+ goto done;
+
+ /* Read certificate and print AIA info. */
+
+ rc = gnutls_x509_crt_init (&cert);
+ if (rc < 0)
+ goto done;
+
+ certdata.data = read_binary_file (argv[1], &s);
+ if (certdata.data == NULL)
+ {
+ printf ("cannot read certificate\n");
+ goto done;
+ }
+ certdata.size = s;
+
+ rc = gnutls_x509_crt_import (cert, &certdata, GNUTLS_X509_FMT_PEM);
+ free (certdata.data);
+ if (rc < 0)
+ goto done;
+
+ rc = gnutls_x509_crt_print (cert, GNUTLS_CRT_PRINT_ONELINE, &tmp);
+ if (rc < 0)
+ goto done;
+
+ printf ("cert: %.*s\n", tmp.size, tmp.data);
+
+ gnutls_free (tmp.data); tmp.data = NULL;
+
+ for (seq = 0; ; seq++)
+ {
+ rc = gnutls_x509_crt_get_authority_info_access (cert, seq,
+ GNUTLS_IA_CAISSUERS_URI,
+ &tmp, NULL);
+ if (rc == GNUTLS_E_UNKNOWN_ALGORITHM)
+ continue;
+ if (rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
+ break;
+ if (rc < 0)
+ goto done;
+
+ printf ("CA issuers URI: %.*s\n", tmp.size, tmp.data);
+ gnutls_free (tmp.data);
+ break;
+ }
+
+ if (!tmp.data)
+ printf ("No CA issuers URI found\n");
+
+ for (seq = 0; ; seq++)
+ {
+ rc = gnutls_x509_crt_get_authority_info_access (cert, seq,
+ GNUTLS_IA_OCSP_URI,
+ &tmp, NULL);
+ if (rc == GNUTLS_E_UNKNOWN_ALGORITHM)
+ continue;
+ if (rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
+ break;
+ if (rc < 0)
+ goto done;
+
+ printf ("OCSP URI: %.*s\n", tmp.size, tmp.data);
+ gnutls_free (tmp.data);
+ break;
+ }
+
+ if (!tmp.data)
+ printf ("No OCSP URI URI found\n");
+
+ if (argc < 3)
+ {
+ printf ("Done...\n");
+ goto done;
+ }
+
+ /* Read issuer and print OCSP request. */
+
+ rc = gnutls_x509_crt_init (&issuer);
+ if (rc < 0)
+ goto done;
+
+ issuerdata.data = read_binary_file (argv[2], &s);
+ if (issuerdata.data == NULL)
+ {
+ printf ("cannot read issuer\n");
+ goto done;
+ }
+ issuerdata.size = s;
+
+ rc = gnutls_x509_crt_import (issuer, &issuerdata, GNUTLS_X509_FMT_PEM);
+ free (issuerdata.data);
+ if (rc < 0)
+ goto done;
+
+ rc = gnutls_x509_crt_print (issuer, GNUTLS_CRT_PRINT_ONELINE, &tmp);
+ if (rc < 0)
+ goto done;
+
+ printf ("issuer: %.*s\n", tmp.size, tmp.data);
+
+ gnutls_free (tmp.data);
+
+ rc = 0;
+
+ done:
+ if (rc != 0)
+ printf ("error (%d): %s\n", rc, gnutls_strerror (rc));
+ gnutls_x509_crt_deinit (cert);
+ gnutls_x509_crt_deinit (issuer);
+ gnutls_global_deinit ();
+
+ return rc == 0 ? 0 : 1;
+}
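Review bot: `argv[1]` is handed to `read_binary_file` before any argument-count check, so running the example with no arguments passes a null path into the file reader; a guard such as `if (argc < 2) { fprintf (stderr, "usage: %s cert.pem [issuer.pem [trust.pem]]\n", argv[0]); return 1; }` belongs ahead of `gnutls_global_init`. The two "not found" checks test `tmp.data`, but the `gnutls_free` at the end of each loop leaves that pointer dangling rather than NULL, so once a CA-issuers URI has been found the "No OCSP URI" line is never printed even when no OCSP URI exists; since the visible loop only exits with a negative `rc` on `GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE`, testing `if (rc < 0)` after each loop reports correctly, and the message itself has a doubled word ("No OCSP URI URI found"). The exit status is also inverted on two paths: a failed `read_binary_file` jumps to `done` with `rc` still 0 and the program exits 0 after printing "cannot read certificate", while the "Done..." branch jumps there carrying the loop's negative `rc` and prints an error after finishing normally, so each goto should set `rc` to what it means (`rc = GNUTLS_E_FILE_ERROR;` and `rc = 0;`). `%.*s` takes an `int` precision, so `(int) tmp.size` is the clean spelling for the `gnutls_datum_t` size field in the four print calls. The rewritten lines follow; `main` is contained entirely within this hunk.
```c
int
main (int argc, char *argv[])
{
  /* … unchanged: declarations … */

  if (argc < 2)
    {
      fprintf (stderr, "usage: %s cert.pem [issuer.pem [trust.pem]]\n", argv[0]);
      return 1;
    }

  /* … unchanged: gnutls_global_init, gnutls_x509_crt_init (&cert) … */

  certdata.data = read_binary_file (argv[1], &s);
  if (certdata.data == NULL)
    {
      printf ("cannot read certificate\n");
      rc = GNUTLS_E_FILE_ERROR;
      goto done;
    }

  /* … unchanged: import and one-line print of cert … */

  printf ("cert: %.*s\n", (int) tmp.size, tmp.data);

  /* … unchanged: CA issuers URI loop … */

  if (rc < 0)
    printf ("No CA issuers URI found\n");

  /* … unchanged: OCSP URI loop … */

  if (rc < 0)
    printf ("No OCSP URI found\n");

  if (argc < 3)
    {
      printf ("Done...\n");
      rc = 0;
      goto done;
    }

  /* … unchanged: gnutls_x509_crt_init (&issuer) … */

  issuerdata.data = read_binary_file (argv[2], &s);
  if (issuerdata.data == NULL)
    {
      printf ("cannot read issuer\n");
      rc = GNUTLS_E_FILE_ERROR;
      goto done;
    }

  /* … unchanged: issuer import, print, done: cleanup and return … */
```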
hooks/post-receive
--
GNU gnutls