ocspclnt.c
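goto loser;

    /*
     * Tail of the OCSP status-check routine whose head precedes this
     * excerpt: run the check and report the outcome on out_file.  rv is
     * reset to SECSuccess afterwards, so the return value only tells the
     * caller that the check could be performed, not what it concluded;
     * the printed line carries the result.
     */
    rv = CERT_CheckOCSPStatus (handle, cert, verify_time, NULL);
    fprintf (out_file, "Check of certificate \"%s\" ", cert_name);
    if (rv == SECSuccess) {
        fprintf (out_file, "succeeded.\n");
    } else {
        const char *error_string = SECU_Strerror(PORT_GetError());
        fprintf (out_file, "failed. Reason:\n");
        if (error_string != NULL && PORT_Strlen(error_string) > 0) {
            fprintf (out_file, "%s\n", error_string);
        } else {
            fprintf (out_file, "Unknown\n");
        }
    }
    rv = SECSuccess;
loser:
    if (cert != NULL) {
        CERT_DestroyCertificate (cert);
    }
    return rv;
}

/*
 * Verify the specified certificate (whose nickname is "cert_name").
 * OCSP is already turned on, so we just need to call the standard
 * certificate verification API and let it do all the work.
 *
 * The verification result is written to out_file.  Returns SECFailure
 * only when the arguments are unusable or the certificate cannot be
 * found; once CERT_VerifyCert has run, SECSuccess is returned whether
 * or not the certificate verified, so callers must not treat the
 * return value as the verification verdict.
 */
static SECStatus
verify_cert (FILE *out_file, CERTCertDBHandle *handle, const char *cert_name,
             SECCertUsage cert_usage, int64 verify_time)
{
    CERTCertificate *cert = NULL;
    SECStatus rv = SECFailure;

    /* out_file is written unconditionally below, so reject a NULL stream
     * up front instead of faulting inside fprintf. */
    if (out_file == NULL || handle == NULL || cert_name == NULL) {
        goto loser;
    }

    cert = CERT_FindCertByNicknameOrEmailAddr (handle, (char *) cert_name);
    if (cert == NULL) {
        goto loser;
    }

    rv = CERT_VerifyCert (handle, cert, PR_TRUE, cert_usage, verify_time,
                          NULL, NULL);

    fprintf (out_file, "Verification of certificate \"%s\" ", cert_name);
    if (rv == SECSuccess) {
        fprintf (out_file, "succeeded.\n");
    } else {
        const char *error_string = SECU_Strerror(PORT_GetError());
        fprintf (out_file, "failed. Reason:\n");
        if (error_string != NULL && PORT_Strlen(error_string) > 0) {
            fprintf (out_file, "%s\n", error_string);
        } else {
            fprintf (out_file, "Unknown\n");
        }
    }
    /* The outcome has been reported; from here on "success" means the
     * verification was carried out. */
    rv = SECSuccess;

loser:
    if (cert != NULL) {
        CERT_DestroyCertificate (cert);
    }
    return rv;
}

#ifdef NO_PP

/* Stub used when the pretty-printers are compiled out: explain why
 * nothing is printed and report success. */
static SECStatus
print_request (FILE *out_file, SECItem *data)
{
    (void) data;
    fprintf (out_file, "Cannot pretty-print request compiled with NO_PP.\n");
    return SECSuccess;
}

/* Stub counterpart of print_request for responses; see above. */
static SECStatus
print_response (FILE *out_file, SECItem *data, CERTCertDBHandle *handle)
{
    (void) data;
    (void) handle;
    fprintf (out_file, "Cannot pretty-print response compiled with NO_PP.\n");
    return SECSuccess;
}

#else /* NO_PP */

/*
 * Print the OCSP version field at the given indent level.  An empty
 * item means the field was absent from the encoding, i.e. the protocol
 * default applies.
 */
static void
print_ocsp_version (FILE *out_file, SECItem *version, int level)
{
    if (version->len > 0) {
        SECU_PrintInteger (out_file, version, "Version", level);
    } else {
        SECU_Indent (out_file, level);
        fprintf (out_file, "Version: DEFAULT\n");
    }
}

/*
 * Print the components of an OCSP CertID (hash algorithm, issuer name
 * and key hashes, serial number), indented one level below "Cert ID:".
 */
static void
print_ocsp_cert_id (FILE *out_file, CERTOCSPCertID *cert_id, int level)
{
    SECU_Indent (out_file, level);
    fprintf (out_file, "Cert ID:\n");
    level++;
    SECU_PrintAlgorithmID (out_file, &(cert_id->hashAlgorithm),
                           "Hash Algorithm", level);
    SECU_PrintAsHex (out_file, &(cert_id->issuerNameHash),
                     "Issuer Name Hash", level);
    SECU_PrintAsHex (out_file, &(cert_id->issuerKeyHash),
                     "Issuer Key Hash", level);
    SECU_PrintInteger (out_file, &(cert_id->serialNumber),
                       "Serial Number", level);
    /* XXX lookup the cert; if found, print something nice (nickname?) */
}

/*
 * Print each DER certificate in the NULL-terminated array "raw_certs"
 * as signed data.  A NULL array is reported as "No Certificates."
 */
static void
print_raw_certificates (FILE *out_file, SECItem **raw_certs, int level)
{
    SECItem *raw_cert;
    int i = 0;
    char cert_label[50];

    SECU_Indent (out_file, level);
    if (raw_certs == NULL) {
        fprintf (out_file, "No Certificates.\n");
        return;
    }

    fprintf (out_file, "Certificate List:\n");
    /* i has already been advanced when the label is built, so the
     * printed numbering starts at 1.  The label cannot overflow the
     * buffer for any int, but bound the write anyway. */
    while ((raw_cert = raw_certs[i++]) != NULL) {
        snprintf (cert_label, sizeof cert_label, "Certificate (%d)", i);
        (void) SECU_PrintSignedData (out_file, raw_cert, cert_label,
                                     level + 1, SECU_PrintCertificate);
    }
}

/*
 * Print an extension list under the heading "msg", or a "No <msg>" line
 * when the list is absent.
 */
static void
print_ocsp_extensions (FILE *out_file, CERTCertExtension **extensions,
                       char *msg, int level)
{
    if (extensions) {
        SECU_PrintExtensions (out_file, extensions, msg, level);
    } else {
        SECU_Indent (out_file, level);
        fprintf (out_file, "No %s\n", msg);
    }
}

/* Print one entry of a request list: its CertID and its extensions. */
static void
print_single_request (FILE *out_file, ocspSingleRequest *single, int level)
{
    print_ocsp_cert_id (out_file, single->reqCert, level);
    print_ocsp_extensions (out_file, single->singleRequestExtensions,
                           "Single Request Extensions", level);
}

/*
 * Decode the DER/BER-encoded item "data" as an OCSP request
 * and pretty-print the subfields.
 *
 * "data" is treated as untrusted input: all parsing is done by
 * CERT_DecodeOCSPRequest, and the optional signature is only printed,
 * not verified.  Returns SECFailure (with SEC_ERROR_INVALID_ARGS set)
 * on NULL arguments, SECFailure if the request cannot be decoded, and
 * SECSuccess otherwise.
 */
static SECStatus
print_request (FILE *out_file, SECItem *data)
{
    CERTOCSPRequest *request;
    ocspTBSRequest *tbsRequest;
    int level = 0;

    PORT_Assert (out_file != NULL);
    PORT_Assert (data != NULL);
    if (out_file == NULL || data == NULL) {
        PORT_SetError (SEC_ERROR_INVALID_ARGS);
        return SECFailure;
    }

    request = CERT_DecodeOCSPRequest (data);
    if (request == NULL) {
        return SECFailure;
    }
    if (request->tbsRequest == NULL) {
        /* Decoded, but there is nothing to print: release the request
         * instead of leaking it on this path. */
        CERT_DestroyOCSPRequest (request);
        return SECFailure;
    }
    tbsRequest = request->tbsRequest;

    fprintf (out_file, "TBS Request:\n");
    level++;

    print_ocsp_version (out_file, &(tbsRequest->version), level);

    /*
     * XXX Probably should be an interface to get the signer name
     * without looking inside the tbsRequest at all.
     */
    if (tbsRequest->requestorName != NULL) {
        SECU_Indent (out_file, level);
        fprintf (out_file, "XXX print the requestorName\n");
    } else {
        SECU_Indent (out_file, level);
        fprintf (out_file, "No Requestor Name.\n");
    }

    if (tbsRequest->requestList != NULL) {
        int i;

        for (i = 0; tbsRequest->requestList[i] != NULL; i++) {
            SECU_Indent (out_file, level);
            fprintf (out_file, "Request %d:\n", i);
            print_single_request (out_file, tbsRequest->requestList[i],
                                  level + 1);
        }
    } else {
        fprintf (out_file, "Request list is empty.\n");
    }

    print_ocsp_extensions (out_file, tbsRequest->requestExtensions,
                           "Request Extensions", level);

    if (request->optionalSignature != NULL) {
        ocspSignature *whole_sig;
        SECItem rawsig;

        fprintf (out_file, "Signature:\n");
        whole_sig = request->optionalSignature;
        SECU_PrintAlgorithmID (out_file, &(whole_sig->signatureAlgorithm),
                               "Signature Algorithm", level);

        /* Work on a copy: DER_ConvertBitString rewrites the item's length
         * from bits to bytes, and the decoded request must stay intact. */
        rawsig = whole_sig->signature;
        DER_ConvertBitString (&rawsig);
        SECU_PrintAsHex (out_file, &rawsig, "Signature", level);

        print_raw_certificates (out_file, whole_sig->derCerts, level);

        fprintf (out_file, "XXX verify the sig and print result\n");
    } else {
        fprintf (out_file, "No Signature\n");
    }

    CERT_DestroyOCSPRequest (request);
    return SECSuccess;
}

/*
 * Print the revocation time and, when present, the raw (hex) revocation
 * reason of a revoked single response.
 */
static void
print_revoked_info (FILE *out_file, ocspRevokedInfo *revoked_info, int level)
{
    SECU_PrintGeneralizedTime (out_file, &(revoked_info->revocationTime),
                               "Revocation Time", level);

    if (revoked_info->revocationReason != NULL) {
        SECU_PrintAsHex (out_file, revoked_info->revocationReason,
                         "Revocation Reason", level);
    } else {
        SECU_Indent (out_file, level);
        fprintf (out_file, "No Revocation Reason.\n");
    }
}

/*
 * Print the certificate status of a single response; revoked entries
 * additionally get their revocation details one level deeper.  Any
 * status value outside the known enumeration is reported rather than
 * treated as one of them.
 */
static void
print_cert_status (FILE *out_file, ocspCertStatus *status, int level)
{
    SECU_Indent (out_file, level);
    fprintf (out_file, "Status: ");

    switch (status->certStatusType) {
      case ocspCertStatus_good:
        fprintf (out_file, "Cert is good.\n");
        break;
      case ocspCertStatus_revoked:
        fprintf (out_file, "Cert has been revoked.\n");
        print_revoked_info (out_file, status->certStatusInfo.revokedInfo,
                            level + 1);
        break;
      case ocspCertStatus_unknown:
        fprintf (out_file, "Cert is unknown to responder.\n");
        break;
      default:
        fprintf (out_file, "Unrecognized status.\n");
        break;
    }
}

/*
 * Print one single response: CertID, status, thisUpdate, the optional
 * nextUpdate and the single-response extensions.
 */
static void
print_single_response (FILE *out_file, CERTOCSPSingleResponse *single,
                       int level)
{
    print_ocsp_cert_id (out_file, single->certID, level);

    print_cert_status (out_file, single->certStatus, level);

    SECU_PrintGeneralizedTime (out_file, &(single->thisUpdate),
                               "This Update", level);

    if (single->nextUpdate != NULL) {
        SECU_PrintGeneralizedTime (out_file, single->nextUpdate,
                                   "Next Update", level);
    } else {
        SECU_Indent (out_file, level);
        fprintf (out_file, "No Next Update\n");
    }

    print_ocsp_extensions (out_file, single->singleExtensions,
                           "Single Response Extensions", level);
}

/*
 * Print the responder identifier, which is either a distinguished name
 * or a key hash depending on responderIDType.
 */
static void
print_responder_id (FILE *out_file, ocspResponderID *responderID, int level)
{
    SECU_Indent (out_file, level);
    fprintf (out_file, "Responder ID ");

    switch (responderID->responderIDType) {
      case ocspResponderID_byName:
        fprintf (out_file, "(byName):\n");
        SECU_PrintName (out_file, &(responderID->responderIDValue.name),
                        "Name", level + 1);
        break;
      case ocspResponderID_byKey:
        fprintf (out_file, "(byKey):\n");
        SECU_PrintAsHex (out_file, &(responderID->responderIDValue.keyHash),
                         "Key Hash", level + 1);
        break;
      default:
        fprintf (out_file, "Unrecognized Responder ID Type\n");
        break;
    }
}

/*
 * Print the ResponseData of a basic response: version, responder ID,
 * producedAt, each single response, and the response extensions.
 */
static void
print_response_data (FILE *out_file, ocspResponseData *responseData,
                     int level)
{
    SECU_Indent (out_file, level);
    fprintf (out_file, "Response Data:\n");
    level++;

    print_ocsp_version (out_file, &(responseData->version), level);

    print_responder_id (out_file, responseData->responderID, level);

    SECU_PrintGeneralizedTime (out_file, &(responseData->producedAt),
                               "Produced At", level);

    if (responseData->responses != NULL) {
        int i;

        for (i = 0; responseData->responses[i] != NULL; i++) {
            SECU_Indent (out_file, level);
            fprintf (out_file, "Response %d:\n", i);
            print_single_response (out_file, responseData->responses[i],
                                   level + 1);
        }
    } else {
        fprintf (out_file, "Response list is empty.\n");
    }

    print_ocsp_extensions (out_file, responseData->responseExtensions,
                           "Response Extensions", level);
}

/*
 * Print a BasicOCSPResponse: its ResponseData, signature algorithm,
 * the signature bytes and any embedded certificates.  The signature is
 * displayed only; it is not checked here.
 */
static void
print_basic_response (FILE *out_file, ocspBasicOCSPResponse *basic, int level)
{
    SECItem rawsig;

    SECU_Indent (out_file, level);
    fprintf (out_file, "Basic OCSP Response:\n");
    level++;

    print_response_data (out_file, basic->tbsResponseData, level);

    SECU_PrintAlgorithmID (out_file,
                           &(basic->responseSignature.signatureAlgorithm),
                           "Signature Algorithm", level);

    /* Copy before converting so the decoded response keeps its bit
     * length; DER_ConvertBitString rewrites the length in bytes. */
    rawsig = basic->responseSignature.signature;
    DER_ConvertBitString (&rawsig);
    SECU_PrintAsHex (out_file, &rawsig, "Signature", level);

    print_raw_certificates (out_file, basic->responseSignature.derCerts,
                            level);
}

/*
 * Note this must match (exactly) the enumeration ocspResponseStatus.
 * The last entry is the catch-all for values outside the defined range;
 * code indexing this table with a decoded status should presumably map
 * out-of-range values to that entry rather than index past the end.
 */
static char *responseStatusNames[] = {
    "successful (Response has valid confirmations)",
    "malformedRequest (Illegal confirmation request)",
    "internalError (Internal error in issuer)",
    "tryLater (Try again later)",
    "unused ((4) is not used)",
    "sigRequired (Must sign the request)",
    "unauthorized (Request unauthorized)",
    "other (Status value out of defined range)"
};

/*
 * Decode the DER/BER-encoded item "data" as an OCSP response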