diff options
Diffstat (limited to 'lib/x509/ocsp_output.c')
-rw-r--r-- | lib/x509/ocsp_output.c | 1025 |
1 files changed, 523 insertions, 502 deletions
diff --git a/lib/x509/ocsp_output.c b/lib/x509/ocsp_output.c index a2752dbe76..8a2e0e4797 100644 --- a/lib/x509/ocsp_output.c +++ b/lib/x509/ocsp_output.c @@ -38,118 +38,119 @@ #define addf _gnutls_buffer_append_printf #define adds _gnutls_buffer_append_str -static void -print_req (gnutls_buffer_st * str, gnutls_ocsp_req_t req) +static void print_req(gnutls_buffer_st * str, gnutls_ocsp_req_t req) { - int ret; - unsigned indx; - - /* Version. */ - { - int version = gnutls_ocsp_req_get_version (req); - if (version < 0) - addf (str, "error: get_version: %s\n", gnutls_strerror (version)); - else - addf (str, _("\tVersion: %d\n"), version); - } - - /* XXX requestorName */ - - /* requestList */ - addf (str, "\tRequest List:\n"); - for (indx = 0; ; indx++) - { - gnutls_digest_algorithm_t digest; - gnutls_datum_t in, ik, sn; - - ret = gnutls_ocsp_req_get_cert_id (req, indx, &digest, &in, &ik, &sn); - if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) - break; - addf (str, "\t\tCertificate ID:\n"); - if (ret != GNUTLS_E_SUCCESS) - { - addf (str, "error: get_cert_id: %s\n", - gnutls_strerror (ret)); - continue; - } - addf (str, "\t\t\tHash Algorithm: %s\n", - _gnutls_digest_get_name (mac_to_entry(digest))); - - adds (str, "\t\t\tIssuer Name Hash: "); - _gnutls_buffer_hexprint (str, in.data, in.size); - adds (str, "\n"); - - adds (str, "\t\t\tIssuer Key Hash: "); - _gnutls_buffer_hexprint (str, ik.data, ik.size); - adds (str, "\n"); - - adds (str, "\t\t\tSerial Number: "); - _gnutls_buffer_hexprint (str, sn.data, sn.size); - adds (str, "\n"); - - gnutls_free (in.data); - gnutls_free (ik.data); - gnutls_free (sn.data); - - /* XXX singleRequestExtensions */ - } - - for (indx = 0; ; indx++) - { - gnutls_datum_t oid; - unsigned int critical; - gnutls_datum_t data; - - ret = gnutls_ocsp_req_get_extension (req, indx, &oid, &critical, &data); - if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) - break; - else if (ret != GNUTLS_E_SUCCESS) - { - addf (str, "error: get_extension: %s\n", - gnutls_strerror (ret)); - continue; - } - if (indx == 0) - adds (str, "\tExtensions:\n"); + int ret; + unsigned indx; - if (memcmp (oid.data, GNUTLS_OCSP_NONCE, oid.size) == 0) + /* Version. */ { - gnutls_datum_t nonce; - unsigned int critical; - - ret = gnutls_ocsp_req_get_nonce (req, &critical, &nonce); - if (ret != GNUTLS_E_SUCCESS) - { - addf (str, "error: get_nonce: %s\n", - gnutls_strerror (ret)); - } - else - { - addf (str, "\t\tNonce%s: ", critical ? " (critical)" : ""); - _gnutls_buffer_hexprint (str, nonce.data, nonce.size); - adds (str, "\n"); - gnutls_free (nonce.data); - } + int version = gnutls_ocsp_req_get_version(req); + if (version < 0) + addf(str, "error: get_version: %s\n", + gnutls_strerror(version)); + else + addf(str, _("\tVersion: %d\n"), version); } - else - { - addf (str, "\t\tUnknown extension %s (%s):\n", oid.data, - critical ? "critical" : "not critical"); - - adds (str, _("\t\t\tASCII: ")); - _gnutls_buffer_asciiprint (str, (char*)data.data, data.size); - addf (str, "\n"); - adds (str, _("\t\t\tHexdump: ")); - _gnutls_buffer_hexprint (str, (char*)data.data, data.size); - adds (str, "\n"); + /* XXX requestorName */ + + /* requestList */ + addf(str, "\tRequest List:\n"); + for (indx = 0;; indx++) { + gnutls_digest_algorithm_t digest; + gnutls_datum_t in, ik, sn; + + ret = + gnutls_ocsp_req_get_cert_id(req, indx, &digest, &in, + &ik, &sn); + if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) + break; + addf(str, "\t\tCertificate ID:\n"); + if (ret != GNUTLS_E_SUCCESS) { + addf(str, "error: get_cert_id: %s\n", + gnutls_strerror(ret)); + continue; + } + addf(str, "\t\t\tHash Algorithm: %s\n", + _gnutls_digest_get_name(mac_to_entry(digest))); + + adds(str, "\t\t\tIssuer Name Hash: "); + _gnutls_buffer_hexprint(str, in.data, in.size); + adds(str, "\n"); + + adds(str, "\t\t\tIssuer Key Hash: "); + _gnutls_buffer_hexprint(str, ik.data, ik.size); + adds(str, "\n"); + + adds(str, "\t\t\tSerial Number: "); + _gnutls_buffer_hexprint(str, sn.data, sn.size); + adds(str, "\n"); + + gnutls_free(in.data); + gnutls_free(ik.data); + gnutls_free(sn.data); + + /* XXX singleRequestExtensions */ } - gnutls_free (oid.data); - gnutls_free (data.data); - } + for (indx = 0;; indx++) { + gnutls_datum_t oid; + unsigned int critical; + gnutls_datum_t data; + + ret = + gnutls_ocsp_req_get_extension(req, indx, &oid, + &critical, &data); + if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) + break; + else if (ret != GNUTLS_E_SUCCESS) { + addf(str, "error: get_extension: %s\n", + gnutls_strerror(ret)); + continue; + } + if (indx == 0) + adds(str, "\tExtensions:\n"); + + if (memcmp(oid.data, GNUTLS_OCSP_NONCE, oid.size) == 0) { + gnutls_datum_t nonce; + unsigned int critical; + + ret = + gnutls_ocsp_req_get_nonce(req, &critical, + &nonce); + if (ret != GNUTLS_E_SUCCESS) { + addf(str, "error: get_nonce: %s\n", + gnutls_strerror(ret)); + } else { + addf(str, "\t\tNonce%s: ", + critical ? " (critical)" : ""); + _gnutls_buffer_hexprint(str, nonce.data, + nonce.size); + adds(str, "\n"); + gnutls_free(nonce.data); + } + } else { + addf(str, "\t\tUnknown extension %s (%s):\n", + oid.data, + critical ? "critical" : "not critical"); + + adds(str, _("\t\t\tASCII: ")); + _gnutls_buffer_asciiprint(str, (char *) data.data, + data.size); + addf(str, "\n"); + + adds(str, _("\t\t\tHexdump: ")); + _gnutls_buffer_hexprint(str, (char *) data.data, + data.size); + adds(str, "\n"); + } + + gnutls_free(oid.data); + gnutls_free(data.data); + } - /* XXX Signature */ + /* XXX Signature */ } /** @@ -170,423 +171,444 @@ print_req (gnutls_buffer_st * str, gnutls_ocsp_req_t req) * negative error value. **/ int -gnutls_ocsp_req_print (gnutls_ocsp_req_t req, - gnutls_ocsp_print_formats_t format, - gnutls_datum_t * out) +gnutls_ocsp_req_print(gnutls_ocsp_req_t req, + gnutls_ocsp_print_formats_t format, + gnutls_datum_t * out) { - gnutls_buffer_st str; - int rc; + gnutls_buffer_st str; + int rc; - if (format != GNUTLS_OCSP_PRINT_FULL) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } + if (format != GNUTLS_OCSP_PRINT_FULL) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } - _gnutls_buffer_init (&str); + _gnutls_buffer_init(&str); - _gnutls_buffer_append_str (&str, _("OCSP Request Information:\n")); + _gnutls_buffer_append_str(&str, _("OCSP Request Information:\n")); - print_req (&str, req); + print_req(&str, req); - _gnutls_buffer_append_data (&str, "\0", 1); + _gnutls_buffer_append_data(&str, "\0", 1); - rc = _gnutls_buffer_to_datum (&str, out); - if (rc != GNUTLS_E_SUCCESS) - { - gnutls_assert (); - return rc; - } + rc = _gnutls_buffer_to_datum(&str, out); + if (rc != GNUTLS_E_SUCCESS) { + gnutls_assert(); + return rc; + } - return GNUTLS_E_SUCCESS; + return GNUTLS_E_SUCCESS; } static void -print_resp (gnutls_buffer_st * str, gnutls_ocsp_resp_t resp, - gnutls_ocsp_print_formats_t format) +print_resp(gnutls_buffer_st * str, gnutls_ocsp_resp_t resp, + gnutls_ocsp_print_formats_t format) { - int ret; - unsigned indx; - - ret = gnutls_ocsp_resp_get_status (resp); - if (ret < 0) - { - addf (str, "error: ocsp_resp_get_status: %s\n", - gnutls_strerror (ret)); - return; - } - - adds (str, "\tResponse Status: "); - switch (ret) - { - case GNUTLS_OCSP_RESP_SUCCESSFUL: - adds (str, "Successful\n"); - break; - - case GNUTLS_OCSP_RESP_MALFORMEDREQUEST: - adds (str, "malformedRequest\n"); - return; - - case GNUTLS_OCSP_RESP_INTERNALERROR: - adds (str, "internalError\n"); - return; - - case GNUTLS_OCSP_RESP_TRYLATER: - adds (str, "tryLater\n"); - return; - - case GNUTLS_OCSP_RESP_SIGREQUIRED: - adds (str, "sigRequired\n"); - return; - - case GNUTLS_OCSP_RESP_UNAUTHORIZED: - adds (str, "unauthorized\n"); - return; - - default: - adds (str, "unknown\n"); - return; - } - - { - gnutls_datum_t oid; - - ret = gnutls_ocsp_resp_get_response (resp, &oid, NULL); - if (ret < 0) - { - addf (str, "error: get_response: %s\n", gnutls_strerror (ret)); - return; - } - - adds (str, "\tResponse Type: "); -#define OCSP_BASIC "1.3.6.1.5.5.7.48.1.1" - - if (oid.size == sizeof (OCSP_BASIC) - && memcmp (oid.data, OCSP_BASIC, oid.size) == 0) - { - adds (str, "Basic OCSP Response\n"); - gnutls_free (oid.data); - } - else - { - addf (str, "Unknown response type (%.*s)\n", oid.size, oid.data); - gnutls_free (oid.data); - return; - } - } - - /* Version. */ - { - int version = gnutls_ocsp_resp_get_version (resp); - if (version < 0) - addf (str, "error: get_version: %s\n", gnutls_strerror (version)); - else - addf (str, _("\tVersion: %d\n"), version); - } - - /* responderID */ - { - gnutls_datum_t dn; - - /* XXX byKey */ - - ret = gnutls_ocsp_resp_get_responder (resp, &dn); - if (ret < 0) - addf (str, "error: get_dn: %s\n", gnutls_strerror (ret)); - else - { - addf (str, _("\tResponder ID: %.*s\n"), dn.size, dn.data); - gnutls_free (dn.data); - } - } - - { - char s[42]; - size_t max = sizeof (s); - struct tm t; - time_t tim = gnutls_ocsp_resp_get_produced (resp); - - if (tim == (time_t) -1) - addf (str, "error: ocsp_resp_get_produced\n"); - else if (gmtime_r (&tim, &t) == NULL) - addf (str, "error: gmtime_r (%ld)\n", (unsigned long) tim); - else if (strftime (s, max, "%a %b %d %H:%M:%S UTC %Y", &t) == 0) - addf (str, "error: strftime (%ld)\n", (unsigned long) tim); - else - addf (str, _("\tProduced At: %s\n"), s); - } - - addf (str, "\tResponses:\n"); - for (indx = 0; ; indx++) - { - gnutls_digest_algorithm_t digest; - gnutls_datum_t in, ik, sn; - unsigned int cert_status; - time_t this_update; - time_t next_update; - time_t revocation_time; - unsigned int revocation_reason; - - ret = gnutls_ocsp_resp_get_single (resp, - indx, - &digest, &in, &ik, &sn, - &cert_status, - &this_update, - &next_update, - &revocation_time, - &revocation_reason); - if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) - break; - addf (str, "\t\tCertificate ID:\n"); - if (ret != GNUTLS_E_SUCCESS) - { - addf (str, "error: get_singleresponse: %s\n", - gnutls_strerror (ret)); - continue; + int ret; + unsigned indx; + + ret = gnutls_ocsp_resp_get_status(resp); + if (ret < 0) { + addf(str, "error: ocsp_resp_get_status: %s\n", + gnutls_strerror(ret)); + return; } - addf (str, "\t\t\tHash Algorithm: %s\n", - _gnutls_digest_get_name (mac_to_entry(digest))); - adds (str, "\t\t\tIssuer Name Hash: "); - _gnutls_buffer_hexprint (str, in.data, in.size); - adds (str, "\n"); + adds(str, "\tResponse Status: "); + switch (ret) { + case GNUTLS_OCSP_RESP_SUCCESSFUL: + adds(str, "Successful\n"); + break; - adds (str, "\t\t\tIssuer Key Hash: "); - _gnutls_buffer_hexprint (str, ik.data, ik.size); - adds (str, "\n"); + case GNUTLS_OCSP_RESP_MALFORMEDREQUEST: + adds(str, "malformedRequest\n"); + return; - adds (str, "\t\t\tSerial Number: "); - _gnutls_buffer_hexprint (str, sn.data, sn.size); - adds (str, "\n"); + case GNUTLS_OCSP_RESP_INTERNALERROR: + adds(str, "internalError\n"); + return; - gnutls_free (in.data); - gnutls_free (ik.data); - gnutls_free (sn.data); + case GNUTLS_OCSP_RESP_TRYLATER: + adds(str, "tryLater\n"); + return; - { - const char *p = NULL; + case GNUTLS_OCSP_RESP_SIGREQUIRED: + adds(str, "sigRequired\n"); + return; - switch (cert_status) - { - case GNUTLS_OCSP_CERT_GOOD: - p = "good"; - break; + case GNUTLS_OCSP_RESP_UNAUTHORIZED: + adds(str, "unauthorized\n"); + return; - case GNUTLS_OCSP_CERT_REVOKED: - p = "revoked"; - break; + default: + adds(str, "unknown\n"); + return; + } - case GNUTLS_OCSP_CERT_UNKNOWN: - p = "unknown"; - break; + { + gnutls_datum_t oid; - default: - addf (str, "\t\tCertificate Status: unexpected value %d\n", - cert_status); - break; - } + ret = gnutls_ocsp_resp_get_response(resp, &oid, NULL); + if (ret < 0) { + addf(str, "error: get_response: %s\n", + gnutls_strerror(ret)); + return; + } - if (p) - addf (str, "\t\tCertificate Status: %s\n", p); - } + adds(str, "\tResponse Type: "); +#define OCSP_BASIC "1.3.6.1.5.5.7.48.1.1" - /* XXX revocation reason */ + if (oid.size == sizeof(OCSP_BASIC) + && memcmp(oid.data, OCSP_BASIC, oid.size) == 0) { + adds(str, "Basic OCSP Response\n"); + gnutls_free(oid.data); + } else { + addf(str, "Unknown response type (%.*s)\n", + oid.size, oid.data); + gnutls_free(oid.data); + return; + } + } - if (cert_status == GNUTLS_OCSP_CERT_REVOKED) - { - char s[42]; - size_t max = sizeof (s); - struct tm t; - - if (revocation_time == (time_t) -1) - addf (str, "error: revocation_time\n"); - else if (gmtime_r (&revocation_time, &t) == NULL) - addf (str, "error: gmtime_r (%ld)\n", - (unsigned long) revocation_time); - else if (strftime (s, max, "%a %b %d %H:%M:%S UTC %Y", &t) == 0) - addf (str, "error: strftime (%ld)\n", - (unsigned long) revocation_time); - else - addf (str, _("\t\tRevocation time: %s\n"), s); - } - - { - char s[42]; - size_t max = sizeof (s); - struct tm t; - - if (this_update == (time_t) -1) - addf (str, "error: this_update\n"); - else if (gmtime_r (&this_update, &t) == NULL) - addf (str, "error: gmtime_r (%ld)\n", (unsigned long) this_update); - else if (strftime (s, max, "%a %b %d %H:%M:%S UTC %Y", &t) == 0) - addf (str, "error: strftime (%ld)\n", (unsigned long) this_update); - else - addf (str, _("\t\tThis Update: %s\n"), s); - } - - { - char s[42]; - size_t max = sizeof (s); - struct tm t; - - if (next_update == (time_t) -1) - addf (str, "error: next_update\n"); - else if (gmtime_r (&next_update, &t) == NULL) - addf (str, "error: gmtime_r (%ld)\n", (unsigned long) next_update); - else if (strftime (s, max, "%a %b %d %H:%M:%S UTC %Y", &t) == 0) - addf (str, "error: strftime (%ld)\n", (unsigned long) next_update); - else - addf (str, _("\t\tNext Update: %s\n"), s); - } - - /* XXX singleRequestExtensions */ - } - - adds (str, "\tExtensions:\n"); - for (indx = 0; ; indx++) - { - gnutls_datum_t oid; - unsigned int critical; - gnutls_datum_t data; - - ret = gnutls_ocsp_resp_get_extension (resp, indx, &oid, &critical, &data); - if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) - break; - else if (ret != GNUTLS_E_SUCCESS) + /* Version. */ { - addf (str, "error: get_extension: %s\n", - gnutls_strerror (ret)); - continue; + int version = gnutls_ocsp_resp_get_version(resp); + if (version < 0) + addf(str, "error: get_version: %s\n", + gnutls_strerror(version)); + else + addf(str, _("\tVersion: %d\n"), version); } - if (memcmp (oid.data, GNUTLS_OCSP_NONCE, oid.size) == 0) + /* responderID */ { - gnutls_datum_t nonce; - unsigned int critical; - - ret = gnutls_ocsp_resp_get_nonce (resp, &critical, &nonce); - if (ret != GNUTLS_E_SUCCESS) - { - addf (str, "error: get_nonce: %s\n", - gnutls_strerror (ret)); - } - else - { - addf (str, "\t\tNonce%s: ", critical ? " (critical)" : ""); - _gnutls_buffer_hexprint (str, nonce.data, nonce.size); - adds (str, "\n"); - gnutls_free (nonce.data); - } + gnutls_datum_t dn; + + /* XXX byKey */ + + ret = gnutls_ocsp_resp_get_responder(resp, &dn); + if (ret < 0) + addf(str, "error: get_dn: %s\n", + gnutls_strerror(ret)); + else { + addf(str, _("\tResponder ID: %.*s\n"), dn.size, + dn.data); + gnutls_free(dn.data); + } } - else + { - addf (str, "\t\tUnknown extension %s (%s):\n", oid.data, - critical ? "critical" : "not critical"); + char s[42]; + size_t max = sizeof(s); + struct tm t; + time_t tim = gnutls_ocsp_resp_get_produced(resp); + + if (tim == (time_t) - 1) + addf(str, "error: ocsp_resp_get_produced\n"); + else if (gmtime_r(&tim, &t) == NULL) + addf(str, "error: gmtime_r (%ld)\n", + (unsigned long) tim); + else if (strftime(s, max, "%a %b %d %H:%M:%S UTC %Y", &t) + == 0) + addf(str, "error: strftime (%ld)\n", + (unsigned long) tim); + else + addf(str, _("\tProduced At: %s\n"), s); + } - adds (str, _("\t\t\tASCII: ")); - _gnutls_buffer_asciiprint (str, (char*)data.data, data.size); - addf (str, "\n"); + addf(str, "\tResponses:\n"); + for (indx = 0;; indx++) { + gnutls_digest_algorithm_t digest; + gnutls_datum_t in, ik, sn; + unsigned int cert_status; + time_t this_update; + time_t next_update; + time_t revocation_time; + unsigned int revocation_reason; + + ret = gnutls_ocsp_resp_get_single(resp, + indx, + &digest, &in, &ik, &sn, + &cert_status, + &this_update, + &next_update, + &revocation_time, + &revocation_reason); + if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) + break; + addf(str, "\t\tCertificate ID:\n"); + if (ret != GNUTLS_E_SUCCESS) { + addf(str, "error: get_singleresponse: %s\n", + gnutls_strerror(ret)); + continue; + } + addf(str, "\t\t\tHash Algorithm: %s\n", + _gnutls_digest_get_name(mac_to_entry(digest))); + + adds(str, "\t\t\tIssuer Name Hash: "); + _gnutls_buffer_hexprint(str, in.data, in.size); + adds(str, "\n"); + + adds(str, "\t\t\tIssuer Key Hash: "); + _gnutls_buffer_hexprint(str, ik.data, ik.size); + adds(str, "\n"); + + adds(str, "\t\t\tSerial Number: "); + _gnutls_buffer_hexprint(str, sn.data, sn.size); + adds(str, "\n"); + + gnutls_free(in.data); + gnutls_free(ik.data); + gnutls_free(sn.data); + + { + const char *p = NULL; + + switch (cert_status) { + case GNUTLS_OCSP_CERT_GOOD: + p = "good"; + break; + + case GNUTLS_OCSP_CERT_REVOKED: + p = "revoked"; + break; + + case GNUTLS_OCSP_CERT_UNKNOWN: + p = "unknown"; + break; + + default: + addf(str, + "\t\tCertificate Status: unexpected value %d\n", + cert_status); + break; + } + + if (p) + addf(str, "\t\tCertificate Status: %s\n", + p); + } + + /* XXX revocation reason */ + + if (cert_status == GNUTLS_OCSP_CERT_REVOKED) { + char s[42]; + size_t max = sizeof(s); + struct tm t; + + if (revocation_time == (time_t) - 1) + addf(str, "error: revocation_time\n"); + else if (gmtime_r(&revocation_time, &t) == NULL) + addf(str, "error: gmtime_r (%ld)\n", + (unsigned long) revocation_time); + else if (strftime + (s, max, "%a %b %d %H:%M:%S UTC %Y", + &t) == 0) + addf(str, "error: strftime (%ld)\n", + (unsigned long) revocation_time); + else + addf(str, _("\t\tRevocation time: %s\n"), + s); + } + + { + char s[42]; + size_t max = sizeof(s); + struct tm t; + + if (this_update == (time_t) - 1) + addf(str, "error: this_update\n"); + else if (gmtime_r(&this_update, &t) == NULL) + addf(str, "error: gmtime_r (%ld)\n", + (unsigned long) this_update); + else if (strftime + (s, max, "%a %b %d %H:%M:%S UTC %Y", + &t) == 0) + addf(str, "error: strftime (%ld)\n", + (unsigned long) this_update); + else + addf(str, _("\t\tThis Update: %s\n"), s); + } + + { + char s[42]; + size_t max = sizeof(s); + struct tm t; + + if (next_update == (time_t) - 1) + addf(str, "error: next_update\n"); + else if (gmtime_r(&next_update, &t) == NULL) + addf(str, "error: gmtime_r (%ld)\n", + (unsigned long) next_update); + else if (strftime + (s, max, "%a %b %d %H:%M:%S UTC %Y", + &t) == 0) + addf(str, "error: strftime (%ld)\n", + (unsigned long) next_update); + else + addf(str, _("\t\tNext Update: %s\n"), s); + } + + /* XXX singleRequestExtensions */ + } - adds (str, _("\t\t\tHexdump: ")); - _gnutls_buffer_hexprint (str, (char*)data.data, data.size); - adds (str, "\n"); + adds(str, "\tExtensions:\n"); + for (indx = 0;; indx++) { + gnutls_datum_t oid; + unsigned int critical; + gnutls_datum_t data; + + ret = + gnutls_ocsp_resp_get_extension(resp, indx, &oid, + &critical, &data); + if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) + break; + else if (ret != GNUTLS_E_SUCCESS) { + addf(str, "error: get_extension: %s\n", + gnutls_strerror(ret)); + continue; + } + + if (memcmp(oid.data, GNUTLS_OCSP_NONCE, oid.size) == 0) { + gnutls_datum_t nonce; + unsigned int critical; + + ret = + gnutls_ocsp_resp_get_nonce(resp, &critical, + &nonce); + if (ret != GNUTLS_E_SUCCESS) { + addf(str, "error: get_nonce: %s\n", + gnutls_strerror(ret)); + } else { + addf(str, "\t\tNonce%s: ", + critical ? " (critical)" : ""); + _gnutls_buffer_hexprint(str, nonce.data, + nonce.size); + adds(str, "\n"); + gnutls_free(nonce.data); + } + } else { + addf(str, "\t\tUnknown extension %s (%s):\n", + oid.data, + critical ? "critical" : "not critical"); + + adds(str, _("\t\t\tASCII: ")); + _gnutls_buffer_asciiprint(str, (char *) data.data, + data.size); + addf(str, "\n"); + + adds(str, _("\t\t\tHexdump: ")); + _gnutls_buffer_hexprint(str, (char *) data.data, + data.size); + adds(str, "\n"); + } + + gnutls_free(oid.data); + gnutls_free(data.data); } - gnutls_free (oid.data); - gnutls_free (data.data); - } - - /* Signature. */ - if (format == GNUTLS_OCSP_PRINT_FULL) - { - gnutls_datum_t sig; - - ret = gnutls_ocsp_resp_get_signature_algorithm (resp); - if (ret < 0) - addf (str, "error: get_signature_algorithm: %s\n", - gnutls_strerror (ret)); - else - { - const char *name = gnutls_sign_algorithm_get_name (ret); - if (name == NULL) - name = _("unknown"); - addf (str, _("\tSignature Algorithm: %s\n"), name); - } - if (gnutls_sign_is_secure(ret) == 0) - { - adds (str, _("warning: signed using a broken signature " - "algorithm that can be forged.\n")); - } - - ret = gnutls_ocsp_resp_get_signature (resp, &sig); - if (ret < 0) - addf (str, "error: get_signature: %s\n", gnutls_strerror (ret)); - else - { - adds (str, _("\tSignature:\n")); - _gnutls_buffer_hexdump (str, sig.data, sig.size, "\t\t"); - - gnutls_free (sig.data); - } - } - - /* certs */ - if (format == GNUTLS_OCSP_PRINT_FULL) - { - gnutls_x509_crt_t *certs; - size_t ncerts, i; - gnutls_datum_t out; - - ret = gnutls_ocsp_resp_get_certs (resp, &certs, &ncerts); - if (ret < 0) - addf (str, "error: get_certs: %s\n", gnutls_strerror (ret)); - else - { - for (i = 0; i < ncerts; i++) - { - size_t s = 0; - - ret = gnutls_x509_crt_print (certs[i], GNUTLS_CRT_PRINT_FULL, - &out); - if (ret < 0) - addf (str, "error: crt_print: %s\n", gnutls_strerror (ret)); - else - { - addf (str, "%.*s", out.size, out.data); - gnutls_free (out.data); - } - - ret = gnutls_x509_crt_export (certs[i], GNUTLS_X509_FMT_PEM, - NULL, &s); - if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER) - addf (str, "error: crt_export: %s\n", gnutls_strerror (ret)); - else - { - out.data = gnutls_malloc (s); - if (out.data == NULL) - addf (str, "error: malloc: %s\n", - gnutls_strerror (GNUTLS_E_MEMORY_ERROR)); - else - { - ret = gnutls_x509_crt_export (certs[i], GNUTLS_X509_FMT_PEM, - out.data, &s); - if (ret < 0) - addf (str, "error: crt_export: %s\n", gnutls_strerror (ret)); - else - { - out.size = s; - addf (str, "%.*s", out.size, out.data); - } - gnutls_free (out.data); - } - } - - gnutls_x509_crt_deinit (certs[i]); - } - gnutls_free (certs); - } - } + /* Signature. */ + if (format == GNUTLS_OCSP_PRINT_FULL) { + gnutls_datum_t sig; + + ret = gnutls_ocsp_resp_get_signature_algorithm(resp); + if (ret < 0) + addf(str, "error: get_signature_algorithm: %s\n", + gnutls_strerror(ret)); + else { + const char *name = + gnutls_sign_algorithm_get_name(ret); + if (name == NULL) + name = _("unknown"); + addf(str, _("\tSignature Algorithm: %s\n"), name); + } + if (gnutls_sign_is_secure(ret) == 0) { + adds(str, + _("warning: signed using a broken signature " + "algorithm that can be forged.\n")); + } + + ret = gnutls_ocsp_resp_get_signature(resp, &sig); + if (ret < 0) + addf(str, "error: get_signature: %s\n", + gnutls_strerror(ret)); + else { + adds(str, _("\tSignature:\n")); + _gnutls_buffer_hexdump(str, sig.data, sig.size, + "\t\t"); + + gnutls_free(sig.data); + } + } + + /* certs */ + if (format == GNUTLS_OCSP_PRINT_FULL) { + gnutls_x509_crt_t *certs; + size_t ncerts, i; + gnutls_datum_t out; + + ret = gnutls_ocsp_resp_get_certs(resp, &certs, &ncerts); + if (ret < 0) + addf(str, "error: get_certs: %s\n", + gnutls_strerror(ret)); + else { + for (i = 0; i < ncerts; i++) { + size_t s = 0; + + ret = + gnutls_x509_crt_print(certs[i], + GNUTLS_CRT_PRINT_FULL, + &out); + if (ret < 0) + addf(str, "error: crt_print: %s\n", + gnutls_strerror(ret)); + else { + addf(str, "%.*s", out.size, + out.data); + gnutls_free(out.data); + } + + ret = + gnutls_x509_crt_export(certs[i], + GNUTLS_X509_FMT_PEM, + NULL, &s); + if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER) + addf(str, + "error: crt_export: %s\n", + gnutls_strerror(ret)); + else { + out.data = gnutls_malloc(s); + if (out.data == NULL) + addf(str, + "error: malloc: %s\n", + gnutls_strerror + (GNUTLS_E_MEMORY_ERROR)); + else { + ret = + gnutls_x509_crt_export + (certs[i], + GNUTLS_X509_FMT_PEM, + out.data, &s); + if (ret < 0) + addf(str, + "error: crt_export: %s\n", + gnutls_strerror + (ret)); + else { + out.size = s; + addf(str, "%.*s", + out.size, + out.data); + } + gnutls_free(out.data); + } + } + + gnutls_x509_crt_deinit(certs[i]); + } + gnutls_free(certs); + } + } } /** @@ -607,27 +629,26 @@ print_resp (gnutls_buffer_st * str, gnutls_ocsp_resp_t resp, * negative error value. **/ int -gnutls_ocsp_resp_print (gnutls_ocsp_resp_t resp, - gnutls_ocsp_print_formats_t format, - gnutls_datum_t * out) +gnutls_ocsp_resp_print(gnutls_ocsp_resp_t resp, + gnutls_ocsp_print_formats_t format, + gnutls_datum_t * out) { - gnutls_buffer_st str; - int rc; + gnutls_buffer_st str; + int rc; - _gnutls_buffer_init (&str); + _gnutls_buffer_init(&str); - _gnutls_buffer_append_str (&str, _("OCSP Response Information:\n")); + _gnutls_buffer_append_str(&str, _("OCSP Response Information:\n")); - print_resp (&str, resp, format); + print_resp(&str, resp, format); - _gnutls_buffer_append_data (&str, "\0", 1); + _gnutls_buffer_append_data(&str, "\0", 1); - rc = _gnutls_buffer_to_datum (&str, out); - if (rc != GNUTLS_E_SUCCESS) - { - gnutls_assert (); - return rc; - } + rc = _gnutls_buffer_to_datum(&str, out); + if (rc != GNUTLS_E_SUCCESS) { + gnutls_assert(); + return rc; + } - return GNUTLS_E_SUCCESS; + return GNUTLS_E_SUCCESS; } |