summaryrefslogtreecommitdiffstats
path: root/debian/vendor-h2o/share/h2o/fetch-ocsp-response
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-13 21:12:02 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-13 21:12:02 +0000
commit77e50caaf2ef81cd91075cf836fed0e75718ffb4 (patch)
tree53b7b411290b63192fc9e924a3b6b65cdf67e9d0 /debian/vendor-h2o/share/h2o/fetch-ocsp-response
parentAdding upstream version 1.8.3. (diff)
downloaddnsdist-77e50caaf2ef81cd91075cf836fed0e75718ffb4.tar.xz
dnsdist-77e50caaf2ef81cd91075cf836fed0e75718ffb4.zip
Adding debian version 1.8.3-2.debian/1.8.3-2
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'debian/vendor-h2o/share/h2o/fetch-ocsp-response')
-rwxr-xr-xdebian/vendor-h2o/share/h2o/fetch-ocsp-response164
1 files changed, 164 insertions, 0 deletions
diff --git a/debian/vendor-h2o/share/h2o/fetch-ocsp-response b/debian/vendor-h2o/share/h2o/fetch-ocsp-response
new file mode 100755
index 0000000..f74b738
--- /dev/null
+++ b/debian/vendor-h2o/share/h2o/fetch-ocsp-response
@@ -0,0 +1,164 @@
+#! /bin/sh
+exec ${H2O_PERL:-perl} -x $0 "$@"
+#! perl
+
+# Copyright (c) 2015 DeNA Co., Ltd., Kazuho Oku, Tatsuhiro Tsujikawa
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to
+# deal in the Software without restriction, including without limitation the
+# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+# sell copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+# IN THE SOFTWARE.
+
+use strict;
+use warnings;
+use File::Temp qw(tempdir);
+use Getopt::Long;
+
+# from sysexits.h
+use constant EX_TEMPFAIL => 75;
+
+my ($issuer_fn, $opt_help);
+my $openssl_cmd = 'openssl';
+
+GetOptions(
+ "issuer=s" => \$issuer_fn,
+ "openssl=s", => \$openssl_cmd,
+ help => \$opt_help,
+) or exit(1);
+if ($opt_help) {
+ print << "EOT";
+Usage: $0 [<options>] <certificate-file>
+
+Options:
+ --issuer <file> issuer certificate (if omitted, is extracted from the
+ certificate chain)
+ --openssl <cmd> openssl command to use (default: "openssl")
+ --help prints this help
+
+The command issues an OCSP request for given server certificate, verifies the
+response and prints the resulting DER.
+
+The command exits 0 if successful, or 75 (EX_TEMPFAIL) on temporary error.
+Other exit codes may be returned in case of hard errors.
+
+EOT
+ exit(0);
+}
+
+die "no certificate file\n"
+ if @ARGV == 0;
+my $cert_fn = shift @ARGV;
+
+my $tempdir = tempdir(CLEANUP => 1);
+
+my $openssl_version = run_openssl("version");
+chomp $openssl_version;
+print STDERR "fetch-ocsp-response (using $openssl_version)\n";
+
+# obtain ocsp uri
+my $ocsp_uri = run_openssl("x509 -in $cert_fn -noout -ocsp_uri");
+chomp $ocsp_uri;
+die "failed to extract ocsp URI from $cert_fn\n"
+ if $ocsp_uri !~ m{^https?://};
+my($ocsp_host) = $ocsp_uri =~ m{^https?://([^/]+)};
+
+# save issuer certificate
+if (! defined $issuer_fn) {
+ my $chain = read_file($cert_fn);
+ $chain =~ m{-----END CERTIFICATE-----.*?(-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----)}s
+ or die "--issuer option was not used, and failed to extract issuer certificate from the certificate\n";
+ $issuer_fn = "$tempdir/issuer.crt";
+ write_file($issuer_fn, "$1\n");
+}
+
+# obtain response (without verification)
+print STDERR "sending OCSP request to $ocsp_uri\n";
+my $resp = run_openssl(
+ "ocsp -issuer $issuer_fn -cert $cert_fn -url $ocsp_uri"
+ . ($openssl_version =~ /^(OpenSSL 1\.|LibreSSL )/is ? " -header Host@{[$openssl_version =~ /^(OpenSSL 1\.0\.|LibreSSL )/is ? ' ' : '=']}$ocsp_host" : "")
+ . " -noverify -respout $tempdir/resp.der " . join(' ', @ARGV),
+ 1,
+);
+print STDERR $resp;
+
+# OpenSSL 1.0.2 still returns exit code 0 even if ocsp responder
+# returned error status (e.g., trylater(3))
+ die "responder returned error\n"
+ if $resp =~ /Responder Error:/is;
+
+# verify the response
+print STDERR "verifying the response signature\n";
+my $success;
+for my $args (
+ # try from exotic options
+ "-VAfile $issuer_fn", # for comodo
+ "-partial_chain -trusted_first -CAfile $issuer_fn", # these options are only available in OpenSSL >= 1.0.2
+ "-CAfile $issuer_fn", # for OpenSSL <= 1.0.1
+) {
+ if (system("$openssl_cmd ocsp -respin $tempdir/resp.der $args > $tempdir/verify.out 2>&1") == 0) {
+ # OpenSSL <= 1.0.1, openssl ocsp still returns exit code 0
+ # even if verification was failed. So check the error message
+ # in stderr output.
+ my $verifyout = read_file("$tempdir/verify.out");
+ if ($verifyout =~ /Response Verify Failure/is) {
+ print STDERR $verifyout;
+ print STDERR "try next verify argument options\n";
+ next;
+ }
+ print STDERR "verify OK (used: $args)\n";
+ $success = 1;
+ last;
+ }
+}
+if (! $success) {
+ print STDERR read_file("$tempdir/verify.out");
+ tempfail("failed to verify the response\n");
+}
+
+# success
+print read_file("$tempdir/resp.der");
+exit 0;
+
+sub run_openssl {
+ my ($args, $tempfail) = @_;
+ open my $fh, "-|", "$openssl_cmd $args"
+ or die "failed to invoke $openssl_cmd:$!";
+ my $resp = do { local $/; <$fh> };
+ close $fh
+ or ($tempfail ? \&tempfail : \&CORE::die)->("OpenSSL exitted abnormally: $openssl_cmd $args:$!");
+ $resp;
+}
+
+sub read_file {
+ my $fn = shift;
+ open my $fh, "<", $fn
+ or die "failed to open file:$fn:$!";
+ local $/;
+ <$fh>;
+}
+
+sub write_file {
+ my ($fn, $data) = @_;
+ open my $fh, ">", $fn
+ or die "failed to open file:$fn:$!";
+ print $fh $data;
+ close $fh;
+}
+
+sub tempfail {
+ print STDERR @_;
+ exit EX_TEMPFAIL;
+}