summaryrefslogtreecommitdiffstats
path: root/util/ocsp_fetch.pl
blob: 08ca4cbe4c22e5a1e5a67da52c2156c86efe42f9 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84

#!/usr/bin/perl
# Copyright (C) 2012 Wizards Internet Ltd
# License GPLv2: GNU GPL version 2 <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
use strict;
BEGIN { pop @INC if $INC[-1] eq '.' };
use Getopt::Std;
$Getopt::Std::STANDARD_HELP_VERSION=1;
use IO::Handle;
use Date::Parse;
my ($o,$i,$s,$f,$t,$u,$VERSION);
$VERSION='1.0';
$o={'m'=>10};
getopts("c:i:u:a:o:m:fv",$o);
usage('No issuer specified') if ! $o->{'i'} && ! -f $o->{'i'};
usage('No certificate specified') if ! $o->{'c'} && ! -f $o->{'c'};
usage('No CA chain specified') if ! $o->{'a'} && ! -f $o->{'a'};
usage('No OCSP file specified') if ! $o->{'o'};
usage('No URL specified') if ! $o->{'u'};
$o->{'t'}=$o->{'o'}.'.tmp';

# check if we need to
if (     $o->{'f'}
    || ! -f $o->{'o'}
    || ( -M $o->{'o'} > 0 )
   )
{
    $i = new IO::Handle;
    open( $i, "openssl ocsp -issuer $o->{'i'} -cert $o->{'c'} -url $o->{'u'} -CAfile $o->{'a'} -respout $o->{'t'} 2>/dev/null |" ) || die 'Unable to execute ocsp command';
    $s = <$i> || die 'Unable to read status';
    $f = <$i> || die 'Unable to read update time';
    $t = <$i> || die 'Unable to read next update time';
    close $i;
    # Status ok ?
    chomp($s);
    chomp($f);
    chomp($t);
    $s =~ s/[^:]*: //;
    $f =~ s/[^:]*: //;
    $t =~ s/[^:]*: //;
    $t = str2time($t);
    die "OCSP status is $s" if $s ne 'good';
    warn "Next Update $t" if $o->{'v'};
    # response is good, adjust mod time and move into place.
    $u = $t - $o->{'m'} * (($t - time)/100);
    utime $u,$u,$o->{'t'};
    rename $o->{'t'},$o->{'o'};
}
exit;

sub
usage
{
    my $m = shift;
    print STDERR "$m\n" if $m;
    HELP_MESSAGE(\*STDERR);
    die;
}
sub
HELP_MESSAGE
{
    my $h = shift;
    print $h <<EOF
Usage: $0 -i issuer -c certificate -u ocsp_url -a ca_certs -o response [-v] [-f]

For a certificate    "www.example.com.pem"
  signed by          "signing.example.net.pem"
  signed by root CA  "ca.example.net.pem"
  with OCSP server   http://ocsp.example.net/

Ensure there is a file with the signing chain

  cat ca.example.net.pem signing.example.net.pem >chain.pem

The update procedure would be

    ocsp_fetch -i signing.example.net.pem \
        -c www.example.com.pem \
    -u http://ocsp.example.net/ \
    -a chain.pem \
    -o www.example.com.ocsp.der
EOF
}
# vi: aw ai sw=4
# End of File
generated by cgit v1.2.3 (git 2.39.1) at 2024-05-03 14:04:27 +0000