search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Added function to sort the provided certificate chain prior to verification.
[gnutls.git] / lib / x509 / ocsp_output.c
blob737b227a37828b90ad8e877cf07f8333b3baad05
1 /*
2 * Copyright (C) 2011-2012 Free Software Foundation, Inc.
3 * Author: Simon Josefsson
4 *
5 * This file is part of GnuTLS.
6 *
7 * The GnuTLS is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU Lesser General Public License
9 * as published by the Free Software Foundation; either version 3 of
10 * the License, or (at your option) any later version.
11 *
12 * This library is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
16 *
17 * You should have received a copy of the GNU Lesser General Public License
18 * along with this program. If not, see <http://www.gnu.org/licenses/>
19 *
20 */
21
22 /* Online Certificate Status Protocol - RFC 2560
23 */
24
25 #include <gnutls_int.h>
26 #include <gnutls_global.h>
27 #include <gnutls_errors.h>
28 #include <libtasn1.h>
29 #include <gnutls_pk.h>
30 #include "algorithms.h"
31
32 #include <gnutls/ocsp.h>
33
34 /* I18n of error codes. */
35 #include "gettext.h"
36 #define _(String) dgettext (PACKAGE, String)
37
38 #define addf _gnutls_buffer_append_printf
39 #define adds _gnutls_buffer_append_str
40
41 static void
42 print_req (gnutls_buffer_st * str, gnutls_ocsp_req_t req)
43 {
44 int ret;
45 unsigned indx;
46
47 /* Version. */
48 {
49 int version = gnutls_ocsp_req_get_version (req);
50 if (version < 0)
51 addf (str, "error: get_version: %s\n", gnutls_strerror (version));
52 else
53 addf (str, _("\tVersion: %d\n"), version);
54 }
55
56 /* XXX requestorName */
57
58 /* requestList */
59 addf (str, "\tRequest List:\n");
60 for (indx = 0; ; indx++)
61 {
62 gnutls_digest_algorithm_t digest;
63 gnutls_datum_t in, ik, sn;
64
65 ret = gnutls_ocsp_req_get_cert_id (req, indx, &digest, &in, &ik, &sn);
66 if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
67 break;
68 addf (str, "\t\tCertificate ID:\n");
69 if (ret != GNUTLS_E_SUCCESS)
70 {
71 addf (str, "error: get_cert_id: %s\n",
72 gnutls_strerror (ret));
73 continue;
74 }
75 addf (str, "\t\t\tHash Algorithm: %s\n",
76 _gnutls_digest_get_name (digest));
77
78 adds (str, "\t\t\tIssuer Name Hash: ");
79 _gnutls_buffer_hexprint (str, in.data, in.size);
80 adds (str, "\n");
81
82 adds (str, "\t\t\tIssuer Key Hash: ");
83 _gnutls_buffer_hexprint (str, ik.data, ik.size);
84 adds (str, "\n");
85
86 adds (str, "\t\t\tSerial Number: ");
87 _gnutls_buffer_hexprint (str, sn.data, sn.size);
88 adds (str, "\n");
89
90 gnutls_free (in.data);
91 gnutls_free (ik.data);
92 gnutls_free (sn.data);
93
94 /* XXX singleRequestExtensions */
95 }
96
97 for (indx = 0; ; indx++)
98 {
99 gnutls_datum_t oid;
100 unsigned int critical;
101 gnutls_datum_t data;
102
103 ret = gnutls_ocsp_req_get_extension (req, indx, &oid, &critical, &data);
104 if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
105 break;
106 else if (ret != GNUTLS_E_SUCCESS)
107 {
108 addf (str, "error: get_extension: %s\n",
109 gnutls_strerror (ret));
110 continue;
111 }
112 if (indx == 0)
113 adds (str, "\tExtensions:\n");
114
115 if (memcmp (oid.data, GNUTLS_OCSP_NONCE, oid.size) == 0)
116 {
117 gnutls_datum_t nonce;
118 unsigned int critical;
119
120 ret = gnutls_ocsp_req_get_nonce (req, &critical, &nonce);
121 if (ret != GNUTLS_E_SUCCESS)
122 {
123 addf (str, "error: get_nonce: %s\n",
124 gnutls_strerror (ret));
125 }
126 else
127 {
128 addf (str, "\t\tNonce%s: ", critical ? " (critical)" : "");
129 _gnutls_buffer_hexprint (str, nonce.data, nonce.size);
130 adds (str, "\n");
131 gnutls_free (nonce.data);
132 }
133 }
134 else
135 {
136 addf (str, "\t\tUnknown extension %s (%s):\n", oid.data,
137 critical ? "critical" : "not critical");
138
139 addf (str, _("\t\t\tASCII: "));
140 _gnutls_buffer_asciiprint (str, (char*)data.data, data.size);
141 addf (str, "\n");
142
143 addf (str, _("\t\t\tHexdump: "));
144 _gnutls_buffer_hexprint (str, (char*)data.data, data.size);
145 adds (str, "\n");
146 }
147
148 gnutls_free (oid.data);
149 gnutls_free (data.data);
150 }
151
152 /* XXX Signature */
153 }
154
155 /**
156 * gnutls_ocsp_req_print:
157 * @req: The structure to be printed
158 * @format: Indicate the format to use
159 * @out: Newly allocated datum with (0) terminated string.
160 *
161 * This function will pretty print a OCSP request, suitable for
162 * display to a human.
163 *
164 * If the format is %GNUTLS_PRINT_FULL then all fields of the request
165 * will be output, on multiple lines.
166 *
167 * The output @out->data needs to be deallocate using gnutls_free().
168 *
169 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
170 * negative error value.
171 **/
172 int
173 gnutls_ocsp_req_print (gnutls_ocsp_req_t req,
174 gnutls_ocsp_print_formats_t format,
175 gnutls_datum_t * out)
176 {
177 gnutls_buffer_st str;
178 int rc;
179
180 if (format != GNUTLS_OCSP_PRINT_FULL)
181 {
182 gnutls_assert ();
183 return GNUTLS_E_INVALID_REQUEST;
184 }
185
186 _gnutls_buffer_init (&str);
187
188 _gnutls_buffer_append_str (&str, _("OCSP Request Information:\n"));
189
190 print_req (&str, req);
191
192 _gnutls_buffer_append_data (&str, "\0", 1);
193
194 rc = _gnutls_buffer_to_datum (&str, out);
195 if (rc != GNUTLS_E_SUCCESS)
196 {
197 gnutls_assert ();
198 return rc;
199 }
200
201 return GNUTLS_E_SUCCESS;
202 }
203
204 static void
205 print_resp (gnutls_buffer_st * str, gnutls_ocsp_resp_t resp,
206 gnutls_ocsp_print_formats_t format)
207 {
208 int ret;
209 unsigned indx;
210
211 ret = gnutls_ocsp_resp_get_status (resp);
212 if (ret < 0)
213 {
214 addf (str, "error: ocsp_resp_get_status: %s\n",
215 gnutls_strerror (ret));
216 return;
217 }
218
219 adds (str, "\tResponse Status: ");
220 switch (ret)
221 {
222 case GNUTLS_OCSP_RESP_SUCCESSFUL:
223 adds (str, "Successful\n");
224 break;
225
226 case GNUTLS_OCSP_RESP_MALFORMEDREQUEST:
227 adds (str, "malformedRequest\n");
228 return;
229
230 case GNUTLS_OCSP_RESP_INTERNALERROR:
231 adds (str, "internalError\n");
232 return;
233
234 case GNUTLS_OCSP_RESP_TRYLATER:
235 adds (str, "tryLater\n");
236 return;
237
238 case GNUTLS_OCSP_RESP_SIGREQUIRED:
239 adds (str, "sigRequired\n");
240 return;
241
242 case GNUTLS_OCSP_RESP_UNAUTHORIZED:
243 adds (str, "unauthorized\n");
244 return;
245
246 default:
247 adds (str, "unknown\n");
248 return;
249 }
250
251 {
252 gnutls_datum_t oid;
253
254 ret = gnutls_ocsp_resp_get_response (resp, &oid, NULL);
255 if (ret < 0)
256 {
257 addf (str, "error: get_response: %s\n", gnutls_strerror (ret));
258 return;
259 }
260
261 adds (str, "\tResponse Type: ");
262 #define OCSP_BASIC "1.3.6.1.5.5.7.48.1.1"
263
264 if (oid.size == sizeof (OCSP_BASIC)
265 && memcmp (oid.data, OCSP_BASIC, oid.size) == 0)
266 {
267 adds (str, "Basic OCSP Response\n");
268 gnutls_free (oid.data);
269 }
270 else
271 {
272 addf (str, "Unknown response type (%.*s)\n", oid.size, oid.data);
273 gnutls_free (oid.data);
274 return;
275 }
276 }
277
278 /* Version. */
279 {
280 int version = gnutls_ocsp_resp_get_version (resp);
281 if (version < 0)
282 addf (str, "error: get_version: %s\n", gnutls_strerror (version));
283 else
284 addf (str, _("\tVersion: %d\n"), version);
285 }
286
287 /* responderID */
288 {
289 gnutls_datum_t dn;
290
291 /* XXX byKey */
292
293 ret = gnutls_ocsp_resp_get_responder (resp, &dn);
294 if (ret < 0)
295 addf (str, "error: get_dn: %s\n", gnutls_strerror (ret));
296 else
297 {
298 addf (str, _("\tResponder ID: %.*s\n"), dn.size, dn.data);
299 gnutls_free (dn.data);
300 }
301 }
302
303 {
304 char s[42];
305 size_t max = sizeof (s);
306 struct tm t;
307 time_t tim = gnutls_ocsp_resp_get_produced (resp);
308
309 if (tim == (time_t) -1)
310 addf (str, "error: ocsp_resp_get_produced\n");
311 else if (gmtime_r (&tim, &t) == NULL)
312 addf (str, "error: gmtime_r (%ld)\n", (unsigned long) tim);
313 else if (strftime (s, max, "%a %b %d %H:%M:%S UTC %Y", &t) == 0)
314 addf (str, "error: strftime (%ld)\n", (unsigned long) tim);
315 else
316 addf (str, _("\tProduced At: %s\n"), s);
317 }
318
319 addf (str, "\tResponses:\n");
320 for (indx = 0; ; indx++)
321 {
322 gnutls_digest_algorithm_t digest;
323 gnutls_datum_t in, ik, sn;
324 unsigned int cert_status;
325 time_t this_update;
326 time_t next_update;
327 time_t revocation_time;
328 unsigned int revocation_reason;
329
330 ret = gnutls_ocsp_resp_get_single (resp,
331 indx,
332 &digest, &in, &ik, &sn,
333 &cert_status,
334 &this_update,
335 &next_update,
336 &revocation_time,
337 &revocation_reason);
338 if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
339 break;
340 addf (str, "\t\tCertificate ID:\n");
341 if (ret != GNUTLS_E_SUCCESS)
342 {
343 addf (str, "error: get_singleresponse: %s\n",
344 gnutls_strerror (ret));
345 continue;
346 }
347 addf (str, "\t\t\tHash Algorithm: %s\n",
348 _gnutls_digest_get_name (digest));
349
350 adds (str, "\t\t\tIssuer Name Hash: ");
351 _gnutls_buffer_hexprint (str, in.data, in.size);
352 adds (str, "\n");
353
354 adds (str, "\t\t\tIssuer Key Hash: ");
355 _gnutls_buffer_hexprint (str, ik.data, ik.size);
356 adds (str, "\n");
357
358 adds (str, "\t\t\tSerial Number: ");
359 _gnutls_buffer_hexprint (str, sn.data, sn.size);
360 adds (str, "\n");
361
362 gnutls_free (in.data);
363 gnutls_free (ik.data);
364 gnutls_free (sn.data);
365
366 {
367 const char *p = NULL;
368
369 switch (cert_status)
370 {
371 case GNUTLS_OCSP_CERT_GOOD:
372 p = "good";
373 break;
374
375 case GNUTLS_OCSP_CERT_REVOKED:
376 p = "revoked";
377 break;
378
379 case GNUTLS_OCSP_CERT_UNKNOWN:
380 p = "unknown";
381 break;
382
383 default:
384 addf (str, "\t\tCertificate Status: unexpected value %d\n",
385 cert_status);
386 break;
387 }
388
389 if (p)
390 addf (str, "\t\tCertificate Status: %s\n", p);
391 }
392
393 /* XXX revocation reason */
394
395 if (cert_status == GNUTLS_OCSP_CERT_REVOKED)
396 {
397 char s[42];
398 size_t max = sizeof (s);
399 struct tm t;
400
401 if (revocation_time == (time_t) -1)
402 addf (str, "error: revocation_time\n");
403 else if (gmtime_r (&revocation_time, &t) == NULL)
404 addf (str, "error: gmtime_r (%ld)\n",
405 (unsigned long) revocation_time);
406 else if (strftime (s, max, "%a %b %d %H:%M:%S UTC %Y", &t) == 0)
407 addf (str, "error: strftime (%ld)\n",
408 (unsigned long) revocation_time);
409 else
410 addf (str, _("\t\tRevocation time: %s\n"), s);
411 }
412
413 {
414 char s[42];
415 size_t max = sizeof (s);
416 struct tm t;
417
418 if (this_update == (time_t) -1)
419 addf (str, "error: this_update\n");
420 else if (gmtime_r (&this_update, &t) == NULL)
421 addf (str, "error: gmtime_r (%ld)\n", (unsigned long) this_update);
422 else if (strftime (s, max, "%a %b %d %H:%M:%S UTC %Y", &t) == 0)
423 addf (str, "error: strftime (%ld)\n", (unsigned long) this_update);
424 else
425 addf (str, _("\t\tThis Update: %s\n"), s);
426 }
427
428 {
429 char s[42];
430 size_t max = sizeof (s);
431 struct tm t;
432
433 if (next_update == (time_t) -1)
434 addf (str, "error: next_update\n");
435 else if (gmtime_r (&next_update, &t) == NULL)
436 addf (str, "error: gmtime_r (%ld)\n", (unsigned long) next_update);
437 else if (strftime (s, max, "%a %b %d %H:%M:%S UTC %Y", &t) == 0)
438 addf (str, "error: strftime (%ld)\n", (unsigned long) next_update);
439 else
440 addf (str, _("\t\tNext Update: %s\n"), s);
441 }
442
443 /* XXX singleRequestExtensions */
444 }
445
446 adds (str, "\tExtensions:\n");
447 for (indx = 0; ; indx++)
448 {
449 gnutls_datum_t oid;
450 unsigned int critical;
451 gnutls_datum_t data;
452
453 ret = gnutls_ocsp_resp_get_extension (resp, indx, &oid, &critical, &data);
454 if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
455 break;
456 else if (ret != GNUTLS_E_SUCCESS)
457 {
458 addf (str, "error: get_extension: %s\n",
459 gnutls_strerror (ret));
460 continue;
461 }
462
463 if (memcmp (oid.data, GNUTLS_OCSP_NONCE, oid.size) == 0)
464 {
465 gnutls_datum_t nonce;
466 unsigned int critical;
467
468 ret = gnutls_ocsp_resp_get_nonce (resp, &critical, &nonce);
469 if (ret != GNUTLS_E_SUCCESS)
470 {
471 addf (str, "error: get_nonce: %s\n",
472 gnutls_strerror (ret));
473 }
474 else
475 {
476 addf (str, "\t\tNonce%s: ", critical ? " (critical)" : "");
477 _gnutls_buffer_hexprint (str, nonce.data, nonce.size);
478 adds (str, "\n");
479 gnutls_free (nonce.data);
480 }
481 }
482 else
483 {
484 addf (str, "\t\tUnknown extension %s (%s):\n", oid.data,
485 critical ? "critical" : "not critical");
486
487 addf (str, _("\t\t\tASCII: "));
488 _gnutls_buffer_asciiprint (str, (char*)data.data, data.size);
489 addf (str, "\n");
490
491 addf (str, _("\t\t\tHexdump: "));
492 _gnutls_buffer_hexprint (str, (char*)data.data, data.size);
493 adds (str, "\n");
494 }
495
496 gnutls_free (oid.data);
497 gnutls_free (data.data);
498 }
499
500 /* Signature. */
501 if (format == GNUTLS_OCSP_PRINT_FULL)
502 {
503 gnutls_datum_t sig;
504
505 ret = gnutls_ocsp_resp_get_signature_algorithm (resp);
506 if (ret < 0)
507 addf (str, "retor: get_signature_algorithm: %s\n",
508 gnutls_strerror (ret));
509 else
510 {
511 const char *name = gnutls_sign_algorithm_get_name (ret);
512 if (name == NULL)
513 name = _("unknown");
514 addf (str, _("\tSignature Algorithm: %s\n"), name);
515 }
516 if (ret == GNUTLS_SIGN_RSA_MD5 || ret == GNUTLS_SIGN_RSA_MD2)
517 {
518 adds (str, _("warning: signed using a broken signature "
519 "algorithm that can be forged.\n"));
520 }
521
522 ret = gnutls_ocsp_resp_get_signature (resp, &sig);
523 if (ret < 0)
524 addf (str, "error: get_signature: %s\n", gnutls_strerror (ret));
525 else
526 {
527 adds (str, _("\tSignature:\n"));
528 _gnutls_buffer_hexdump (str, sig.data, sig.size, "\t\t");
529
530 gnutls_free (sig.data);
531 }
532 }
533
534 /* certs */
535 if (format == GNUTLS_OCSP_PRINT_FULL)
536 {
537 gnutls_x509_crt_t *certs;
538 size_t ncerts, i;
539 gnutls_datum_t out;
540
541 ret = gnutls_ocsp_resp_get_certs (resp, &certs, &ncerts);
542 if (ret < 0)
543 addf (str, "error: get_certs: %s\n", gnutls_strerror (ret));
544 else
545 {
546 for (i = 0; i < ncerts; i++)
547 {
548 size_t s = 0;
549
550 ret = gnutls_x509_crt_print (certs[i], GNUTLS_CRT_PRINT_FULL,
551 &out);
552 if (ret < 0)
553 addf (str, "error: crt_print: %s\n", gnutls_strerror (ret));
554 else
555 {
556 addf (str, "%.*s", out.size, out.data);
557 gnutls_free (out.data);
558 }
559
560 ret = gnutls_x509_crt_export (certs[i], GNUTLS_X509_FMT_PEM,
561 NULL, &s);
562 if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
563 addf (str, "error: crt_export: %s\n", gnutls_strerror (ret));
564 else
565 {
566 out.data = gnutls_malloc (s);
567 if (out.data == NULL)
568 addf (str, "error: malloc: %s\n",
569 gnutls_strerror (GNUTLS_E_MEMORY_ERROR));
570 else
571 {
572 ret = gnutls_x509_crt_export (certs[i], GNUTLS_X509_FMT_PEM,
573 out.data, &s);
574 out.size = s;
575 addf (str, "%.*s", out.size, out.data);
576 gnutls_free (out.data);
577 }
578 }
579
580 gnutls_x509_crt_deinit (certs[i]);
581 }
582 gnutls_free (certs);
583 }
584 }
585 }
586
587 /**
588 * gnutls_ocsp_resp_print:
589 * @resp: The structure to be printed
590 * @format: Indicate the format to use
591 * @out: Newly allocated datum with (0) terminated string.
592 *
593 * This function will pretty print a OCSP response, suitable for
594 * display to a human.
595 *
596 * If the format is %GNUTLS_PRINT_FULL then all fields of the response
597 * will be output, on multiple lines.
598 *
599 * The output @out->data needs to be deallocate using gnutls_free().
600 *
601 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
602 * negative error value.
603 **/
604 int
605 gnutls_ocsp_resp_print (gnutls_ocsp_resp_t resp,
606 gnutls_ocsp_print_formats_t format,
607 gnutls_datum_t * out)
608 {
609 gnutls_buffer_st str;
610 int rc;
611
612 _gnutls_buffer_init (&str);
613
614 _gnutls_buffer_append_str (&str, _("OCSP Response Information:\n"));
615
616 print_resp (&str, resp, format);
617
618 _gnutls_buffer_append_data (&str, "\0", 1);
619
620 rc = _gnutls_buffer_to_datum (&str, out);
621 if (rc != GNUTLS_E_SUCCESS)
622 {
623 gnutls_assert ();
624 return rc;
625 }
626
627 return GNUTLS_E_SUCCESS;
628 }
Implementation of the SSL/TLS protocol