source: mod_gnutls/test/gen_ocsp_index.c @ 04addef

asynciodebian/masterdebian/stretch-backportsproxy-ticketupstream
Last change on this file since 04addef was 42bee37, checked in by Thomas Klute <thomas2.klute@…>, 5 years ago

Test suite: OCSP index generation tool

gen_ocsp_index creates an index file in the format used by OpenSSL
from a list of certificates, e.g.:

./gen_ocsp_index server/x509.pem client/x509.pem

The purpose is to configure an OCSP responder for the test
environment.
  • Property mode set to 100644
File size: 3.0 KB
Line 
1/**
2 * Tool to generate an index file for the OpenSSL OCSP responder
3 *
4 * NOTE: This is a tool for setting up the test environment. At the
5 * moment, all certificates are marked as valid.
6 *
7 * Copyright 2016 Thomas Klute
8 *
9 * Licensed under the Apache License, Version 2.0 (the "License"); you
10 * may not use this file except in compliance with the License.  You
11 * may obtain a copy of the License at
12 *
13 *      http://www.apache.org/licenses/LICENSE-2.0
14 *
15 * Unless required by applicable law or agreed to in writing, software
16 * distributed under the License is distributed on an "AS IS" BASIS,
17 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
18 * implied.  See the License for the specific language governing
19 * permissions and limitations under the License.
20 */
21#include <stdio.h>
22#include <stdlib.h>
23#include <string.h>
24#include <gnutls/gnutls.h>
25#include <gnutls/x509.h>
26
27#include "cert_helper.h"
28
29
30
31static int index_line(const char* filename)
32{
33    gnutls_datum_t rawcert;
34    /* read_cert reports errors to STDERR, just return if there were any */
35    if (read_cert(filename, &rawcert))
36        return GNUTLS_E_FILE_ERROR;
37
38    gnutls_x509_crt_t cert;
39    gnutls_x509_crt_init(&cert);
40    int ret = gnutls_x509_crt_import(cert, &rawcert, GNUTLS_X509_FMT_PEM);
41    if (ret != GNUTLS_E_SUCCESS)
42        goto cleanup;
43
44    /* For each certificate the index file contains a line with the
45     * tab separated fields declared below (in that order). */
46    /* status, one of: V (valid), R (revoked), E (expired) */
47    char* flag = "V";
48    /* expiration time (YYMMDDHHMMSSZ) */
49    char expires[14];
50    /* revocation time & optional reason (YYMMDDHHMMSSZ[,reason]), if
51     * any */
52    char* revocation = "";
53    /* serial number (hex) */
54    char serial[128];
55    /* certificate filename, or "unknown" */
56    char* fname = "unknown";
57    /* certificate DN */
58    char dn[512];
59
60    time_t etime = gnutls_x509_crt_get_expiration_time(cert);
61    struct tm etmp;
62    memset(&etmp, 0, sizeof(etmp));
63    gmtime_r(&etime, &etmp);
64    strftime(expires, sizeof(expires), "%y%m%d%H%M%SZ", &etmp);
65
66    unsigned long long sno = 0;
67    size_t serial_size = sizeof(sno);
68    gnutls_x509_crt_get_serial(cert, &sno, &serial_size);
69    snprintf(serial, sizeof(serial), "%llx", sno);
70
71    size_t dn_size = sizeof(dn);
72    gnutls_x509_crt_get_dn(cert, dn, &dn_size);
73
74    fprintf(stdout, "%s\t%s\t%s\t%s\t%s\t%s\n",
75            flag, expires, revocation, serial, fname, dn);
76
77cleanup:
78    gnutls_x509_crt_deinit(cert);
79    free(rawcert.data);
80    return ret;
81}
82
83
84
85int main(int argc, char *argv[])
86{
87    if (argc < 2)
88    {
89        fprintf(stderr, "Usage:\t%s CERTIFICATE ...\n", argv[0]);
90        return 1;
91    }
92
93    int ret = 0;
94    for (int i = 1; i < argc; i++)
95    {
96        int rv = index_line(argv[i]);
97        if (rv != GNUTLS_E_SUCCESS)
98        {
99            fprintf(stderr, "Error parsing %s: %s\n",
100                    argv[i], gnutls_strerror(rv));
101            ret = 1;
102        }
103    }
104    return ret;
105}
Note: See TracBrowser for help on using the repository browser.