
[SCM] GNU gnutls branch, ocsp, updated. gnutls_3_0_9-49-g7a69990


From: Simon Josefsson
Subject: [SCM] GNU gnutls branch, ocsp, updated. gnutls_3_0_9-49-g7a69990
Date: Thu, 12 Jan 2012 10:08:35 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=7a699900587e733ca174fd08089618e199b607b2

The branch, ocsp has been updated
       via  7a699900587e733ca174fd08089618e199b607b2 (commit)
       via  e3a464ad77225d209036b19fa6206d3301216b44 (commit)
       via  dd4ff45ff6a3821d3d20304ac8c57948e40fb338 (commit)
       via  d3306b68cd7978b17f7c4bf9e95c7e71a15014bc (commit)
       via  87bc92a9eed4d879668db2c650cd86166d6757ae (commit)
      from  e8d8d81550523203ac45212462d1624bdcecdd25 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 7a699900587e733ca174fd08089618e199b607b2
Author: Simon Josefsson <address@hidden>
Date:   Tue Jan 3 14:11:51 2012 +0100

    Add OCSP examples in manual.

commit e3a464ad77225d209036b19fa6206d3301216b44
Author: Simon Josefsson <address@hidden>
Date:   Tue Jan 3 14:07:02 2012 +0100

    Add OCSP verify example.

commit dd4ff45ff6a3821d3d20304ac8c57948e40fb338
Author: Simon Josefsson <address@hidden>
Date:   Tue Jan 3 14:06:18 2012 +0100

    Fix mem leaks.

commit d3306b68cd7978b17f7c4bf9e95c7e71a15014bc
Author: Simon Josefsson <address@hidden>
Date:   Tue Jan 3 14:06:01 2012 +0100

    Fix mem leaks.

commit 87bc92a9eed4d879668db2c650cd86166d6757ae
Author: Simon Josefsson <address@hidden>
Date:   Tue Jan 3 14:00:30 2012 +0100

    Fix mem leak.

-----------------------------------------------------------------------

Summary of changes:
 .gitignore                    |    1 +
 doc/cha-gtls-examples.texi    |   23 ++++++
 doc/examples/Makefile.am      |    4 +-
 doc/examples/ex-ocsp-client.c |   58 ++++++++++++++--
 doc/examples/ex-ocsp-verify.c |  153 +++++++++++++++++++++++++++++++++++++++++
 lib/x509/ocsp.c               |    9 ++-
 lib/x509/ocsp_output.c        |    4 +-
 7 files changed, 241 insertions(+), 11 deletions(-)
 create mode 100644 doc/examples/ex-ocsp-verify.c

diff --git a/.gitignore b/.gitignore
index 539da25..90dd40c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -544,3 +544,4 @@ tests/slow/gendh
 doc/reference/*.bak
 doc/manpages/gnutls_*.3
 doc/examples/ex-ocsp-client
+doc/examples/ex-ocsp-verify
diff --git a/doc/cha-gtls-examples.texi b/doc/cha-gtls-examples.texi
index 7ce4ee1..922c796 100644
--- a/doc/cha-gtls-examples.texi
+++ b/doc/cha-gtls-examples.texi
@@ -7,6 +7,7 @@
 @menu
 * Client examples::
 * Server examples::
+* OCSP examples::
 * Miscellaneous examples::
 @end menu
 
@@ -193,6 +194,28 @@ used to serve the example client for anonymous 
authentication.
 
 @verbatiminclude examples/ex-serv-anon.c
 
address@hidden OCSP examples
address@hidden OCSP examples
+
address@hidden
+* Generate OCSP request::
+* Verify OCSP response::
address@hidden menu
+
address@hidden Generate OCSP request
address@hidden Generate @acronym{OCSP} request
+
+A small tool to generate OCSP requests.
+
address@hidden examples/ex-ocsp-client.c
+
address@hidden Verify OCSP response
address@hidden Verify @acronym{OCSP} response
+
+A small tool to verify OCSP responses.
+
address@hidden examples/ex-ocsp-verify.c
+
 @node Miscellaneous examples
 @section Miscellaneous examples
 
diff --git a/doc/examples/Makefile.am b/doc/examples/Makefile.am
index a30776c..4f57353 100644
--- a/doc/examples/Makefile.am
+++ b/doc/examples/Makefile.am
@@ -1,5 +1,5 @@
 ## Process this file with automake to produce Makefile.in
-# Copyright (C) 2005-2011 Free Software Foundation, Inc.
+# Copyright (C) 2005-2012 Free Software Foundation, Inc.
 #
 # Author: Simon Josefsson
 #
@@ -77,7 +77,7 @@ noinst_PROGRAMS += ex-client-srp ex-serv-srp
 endif
 
 if ENABLE_OCSP
-noinst_PROGRAMS += ex-ocsp-client
+noinst_PROGRAMS += ex-ocsp-client ex-ocsp-verify
 endif
 
 noinst_LTLIBRARIES = libexamples.la
diff --git a/doc/examples/ex-ocsp-client.c b/doc/examples/ex-ocsp-client.c
index 31ceefd..79088de 100644
--- a/doc/examples/ex-ocsp-client.c
+++ b/doc/examples/ex-ocsp-client.c
@@ -15,11 +15,9 @@
 /* This program will read a file (argv[1]) containing a certificate in
    PEM format and print the "CA issuers" and "OCSP address" extensions
    for the certificate.  If another file is given (argv[2]) it holds
-   the issuer certificate for the first certificate, and another file
-   (argv[3]) should contain a set of trust anchors in PEM format.
-   Then the tool will generate an OCSP request and will read an OCSP
-   response from standard input and verify it against the trust
-   anchors. */
+   the issuer certificate for the first certificate.  Then the tool
+   will generate an OCSP request for the certificate and write it to
+   the file "ocsp-req.der". */
 
 int
 main (int argc, char *argv[])
@@ -29,6 +27,8 @@ main (int argc, char *argv[])
   gnutls_datum_t certdata, issuerdata, tmp;
   size_t s;
   unsigned int seq;
+  gnutls_ocsp_req_t ocspreq = NULL;
+  FILE *fh;
 
   rc = gnutls_global_init ();
   if (rc < 0)
@@ -107,7 +107,7 @@ main (int argc, char *argv[])
       goto done;
     }
 
-  /* Read issuer and print OCSP request. */
+  /* Read issuer cert and print brief info about it. */
 
   rc = gnutls_x509_crt_init (&issuer);
   if (rc < 0)
@@ -134,11 +134,57 @@ main (int argc, char *argv[])
 
   gnutls_free (tmp.data);
 
+  /* Generate OCSP request and write it. */
+
+  rc = gnutls_ocsp_req_init (&ocspreq);
+  if (rc < 0)
+    goto done;
+
+  rc = gnutls_ocsp_req_add_cert (ocspreq, GNUTLS_DIG_SHA1, issuer, cert);
+  if (rc < 0)
+    goto done;
+
+  rc = gnutls_ocsp_req_print (ocspreq, GNUTLS_OCSP_PRINT_FULL, &tmp);
+  if (rc < 0)
+    goto done;
+
+  printf ("ocsp request: %.*s\n", tmp.size, tmp.data);
+
+  gnutls_free (tmp.data);
+
+  fh = fopen ("ocsp-req.der", "w");
+  if (fh == NULL)
+    goto done;
+
+  rc = gnutls_ocsp_req_export (ocspreq, &tmp);
+  if (rc < 0)
+    goto done;
+
+  s = fwrite (tmp.data, 1, tmp.size, fh);
+
+  gnutls_free (tmp.data);
+
+  if (s != tmp.size)
+    {
+      perror ("fwrite");
+      fclose (fh);
+      goto done;
+    }
+
+  rc = fclose (fh);
+  if (rc != 0)
+    {
+      perror ("fclose");
+      rc = 0;
+      goto done;
+    }
+
   rc = 0;
 
  done:
   if (rc != 0)
     printf ("error (%d): %s\n", rc, gnutls_strerror (rc));
+  gnutls_ocsp_req_deinit (ocspreq);
   gnutls_x509_crt_deinit (cert);
   gnutls_x509_crt_deinit (issuer);
   gnutls_global_deinit ();
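Review bot: The new file-writing block leaks `fh` when `gnutls_ocsp_req_export` fails, because that `goto done` skips the `fclose`, and a failed `fopen` jumps to `done` with `rc` still 0 from the preceding successful `gnutls_ocsp_req_print`, so nothing is reported and the run looks successful although no request was written. The `fwrite` and `fclose` failure branches likewise leave or reset `rc` to 0 before `goto done`; if main's return value (outside this hunk) is derived from `rc` as in the sibling ex-ocsp-verify.c, all three failures produce a zero exit status. I would write `if (fh == NULL) { perror ("fopen"); goto done; }` and `if (rc < 0) { fclose (fh); goto done; }` after the export call, and open the output with `"wb"` since the DER request is binary and `"w"` is a text-mode stream on Windows. main continues past the end of the hunk.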
diff --git a/doc/examples/ex-ocsp-verify.c b/doc/examples/ex-ocsp-verify.c
new file mode 100644
index 0000000..37a2122
--- /dev/null
+++ b/doc/examples/ex-ocsp-verify.c
@@ -0,0 +1,153 @@
+/* This example code is placed in the public domain. */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <gnutls/gnutls.h>
+#include <gnutls/ocsp.h>
+
+#include "read-file.h"
+
+/* This program will read a file (argv[1]) containing an OCSP response
+   and another file (argv[2]) containing a set of OCSP trust anchors.
+   The tool will try to verify the OCSP response against the set of
+   trust anchors.  It will also parse the OCSP response and check that
+   the X.509 certificate is still valid, or print why it is not valid
+   (according to the OCSP response).  */
+
+int
+main (int argc, char *argv[])
+{
+  int rc;
+  gnutls_datum_t tmp;
+  gnutls_ocsp_resp_t ocspresp = NULL;
+  gnutls_x509_trust_list_t trustlist = NULL;
+  gnutls_x509_crt_t *trustcerts = NULL;
+  unsigned int ntrustcerts = 0;
+  unsigned verify, i;
+  size_t s;
+
+  rc = gnutls_global_init ();
+  if (rc < 0)
+    goto done;
+
+  /* Read OCSP response and print it. */
+
+  rc = gnutls_ocsp_resp_init (&ocspresp);
+  if (rc < 0)
+    goto done;
+
+  tmp.data = read_binary_file (argv[1], &s);
+  if (tmp.data == NULL)
+    {
+      printf ("cannot read OCSP response\n");
+      goto done;
+    }
+  tmp.size = s;
+
+  rc = gnutls_ocsp_resp_import (ocspresp, &tmp);
+  free (tmp.data);
+  if (rc < 0)
+    goto done;
+
+  rc = gnutls_ocsp_resp_print (ocspresp, GNUTLS_OCSP_PRINT_FULL, &tmp);
+  if (rc < 0)
+    goto done;
+
+  printf ("ocsp response: %.*s\n", tmp.size, tmp.data);
+
+  gnutls_free (tmp.data);
+
+  if (argc < 3)
+    {
+      printf ("Done...\n");
+      goto done;
+    }
+
+  /* Read X.509 trustlist. */
+
+  rc = gnutls_x509_trust_list_init (&trustlist, 0);
+  if (rc < 0)
+    goto done;
+
+  tmp.data = read_binary_file (argv[2], &s);
+  if (tmp.data == NULL)
+    {
+      printf ("cannot read OCSP response\n");
+      goto done;
+    }
+  tmp.size = s;
+
+  rc = gnutls_x509_crt_list_import2 (&trustcerts, &ntrustcerts, &tmp,
+                                    GNUTLS_X509_FMT_PEM, 0);
+  free (tmp.data);
+  if (rc < 0)
+    goto done;
+
+  for (i = 0; i < ntrustcerts; i++)
+    {
+      gnutls_datum_t out;
+
+      rc = gnutls_x509_crt_print (trustcerts[i],
+                                 GNUTLS_CRT_PRINT_ONELINE, &out);
+      if (rc < 0)
+       goto done;
+
+      printf ("Trust anchor %d: %.*s\n", i, out.size, out.data);
+      gnutls_free (out.data);
+    }
+
+  rc = gnutls_x509_trust_list_add_cas (trustlist, trustcerts, ntrustcerts, 0);
+  gnutls_free (trustcerts);
+  if (rc < 0)
+    goto done;
+
+  printf ("Loaded %d trust anchors\n", ntrustcerts);
+
+  /* Verify it */
+
+  rc = gnutls_ocsp_resp_verify (ocspresp, trustlist, &verify, 0);
+  if (rc < 0)
+    goto done;
+
+  if (verify == 0)
+    printf ("Verification success!\n");
+  else
+    printf ("Verification error!\n");
+
+  if (verify & GNUTLS_OCSP_VERIFY_SIGNER_NOT_FOUND)
+    printf ("Signer cert not found\n");
+
+  if (verify & GNUTLS_OCSP_VERIFY_SIGNER_KEYUSAGE_ERROR)
+    printf ("Signer cert keyusage error\n");
+
+  if (verify & GNUTLS_OCSP_VERIFY_UNTRUSTED_SIGNER)
+    printf ("Signer cert is not trusted\n");
+
+  if (verify & GNUTLS_OCSP_VERIFY_INSECURE_ALGORITHM)
+    printf ("Insecure algorithm\n");
+
+  if (verify & GNUTLS_OCSP_VERIFY_SIGNATURE_FAILURE)
+    printf ("Signature failure\n");
+
+  if (verify & GNUTLS_OCSP_VERIFY_CERT_NOT_ACTIVATED)
+    printf ("Signer cert not yet activated\n");
+
+  if (verify & GNUTLS_OCSP_VERIFY_CERT_EXPIRED)
+    printf ("Signer cert expired\n");
+
+  rc = 0;
+
+ done:
+  if (rc != 0)
+    printf ("error (%d): %s\n", rc, gnutls_strerror (rc));
+  gnutls_x509_trust_list_deinit (trustlist, 1);
+  gnutls_ocsp_resp_deinit (ocspresp);
+  gnutls_global_deinit ();
+
+  return rc == 0 ? 0 : 1;
+}
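Review bot: `read_binary_file (argv[1], &s)` runs before any check of `argc`, so invoking the tool without arguments passes a NULL path; the later `argc < 3` guard only protects `argv[2]`, and a leading `if (argc < 2) { printf ("usage: ex-ocsp-verify RESPONSE [TRUSTANCHORS]\n"); goto done; }` is needed. The second read-failure message is a copy-paste: the branch reading `argv[2]` reports `cannot read OCSP response` and should say `cannot read trust anchors`, and both read-failure branches leave `rc` at 0, so the program exits successfully after printing the message. The header comment says the tool checks that the X.509 certificate is still valid according to the response, but the code only verifies the response signature against the trust anchors and prints the response; either the comment should be narrowed or the certificate status in the response should be examined, since `Verification success!` on its own does not mean the certificate is unrevoked. On the `gnutls_x509_crt_print` failure path inside the loop the `trustcerts` array and the certificates it holds are never released, which is at odds with the leak-fixing purpose of this series.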
diff --git a/lib/x509/ocsp.c b/lib/x509/ocsp.c
index 9fdbcff..b410453 100644
--- a/lib/x509/ocsp.c
+++ b/lib/x509/ocsp.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Free Software Foundation, Inc.
+ * Copyright (C) 2011-2012 Free Software Foundation, Inc.
  * Author: Simon Josefsson
  *
  * This file is part of GnuTLS.
@@ -675,7 +675,7 @@ gnutls_ocsp_req_add_cert_id (gnutls_ocsp_req_t req,
  * serial number fields is populated as follows.  The issuer name and
  * the serial number is taken from @cert.  The issuer key is taken
  * from @issuer.  The hashed values will be hashed using the @digest
- * algorithm.
+ * algorithm, normally %GNUTLS_DIG_SHA1.
  *
  * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  *   negative error code is returned.
@@ -1431,8 +1431,10 @@ gnutls_ocsp_resp_get_single (gnutls_ocsp_resp_t resp,
       else
        {
          gnutls_assert ();
+         gnutls_free (sa.data);
          return GNUTLS_E_ASN1_DER_ERROR;
        }
+      gnutls_free (sa.data);
     }
 
   if (this_update)
@@ -1627,6 +1629,7 @@ gnutls_ocsp_resp_get_nonce (gnutls_ocsp_resp_t resp,
   if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
     {
       gnutls_assert ();
+      gnutls_free (tmp.data);
       return ret;
     }
 
@@ -1634,11 +1637,13 @@ gnutls_ocsp_resp_get_nonce (gnutls_ocsp_resp_t resp,
   if (nonce->data == NULL)
     {
       gnutls_assert ();
+      gnutls_free (tmp.data);
       return GNUTLS_E_MEMORY_ERROR;
     }
 
   ret = _gnutls_x509_decode_octet_string (NULL, tmp.data, (size_t) tmp.size,
                                          nonce->data, &l);
+  gnutls_free (tmp.data);
   if (ret != GNUTLS_E_SUCCESS)
     {
       gnutls_assert ();
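Review bot: On the decode-failure branch at the end of the hunk, `nonce->data` allocated just above is still owned by this function; unless the lines after `gnutls_assert ()` (outside the hunk) release it, that path leaks the buffer and returns a half-populated `nonce` to the caller, so `gnutls_free (nonce->data); nonce->data = NULL;` belongs there next to the `tmp.data` free this commit adds. The three new `gnutls_free (tmp.data)` calls cover the visible exits; any early return between the allocation of `tmp.data` and the start of this hunk would need the same treatment. gnutls_ocsp_resp_get_nonce continues outside the hunk.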
diff --git a/lib/x509/ocsp_output.c b/lib/x509/ocsp_output.c
index 137f734..719ce89 100644
--- a/lib/x509/ocsp_output.c
+++ b/lib/x509/ocsp_output.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Free Software Foundation, Inc.
+ * Copyright (C) 2011-2012 Free Software Foundation, Inc.
  * Author: Simon Josefsson
  *
  * This file is part of GnuTLS.
@@ -128,6 +128,7 @@ print_req (gnutls_buffer_st * str, gnutls_ocsp_req_t req)
              addf (str, "\t\tNonce%s: ", critical ? " (critical)" : "");
              _gnutls_buffer_hexprint (str, nonce.data, nonce.size);
              adds (str, "\n");
+             gnutls_free (nonce.data);
            }
        }
       else
@@ -474,6 +475,7 @@ print_resp (gnutls_buffer_st * str, gnutls_ocsp_resp_t resp)
              addf (str, "\t\tNonce%s: ", critical ? " (critical)" : "");
              _gnutls_buffer_hexprint (str, nonce.data, nonce.size);
              adds (str, "\n");
+             gnutls_free (nonce.data);
            }
        }
       else


hooks/post-receive
-- 
GNU gnutls


