1 | #!/usr/bin/perl |
2 | # Copyright (C) 2012 Wizards Internet Ltd | |
3 | # License GPLv2: GNU GPL version 2 <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html> | |
4 | use strict; | |
5 | use Getopt::Std; | |
6 | $Getopt::Std::STANDARD_HELP_VERSION=1; | |
7 | use IO::Handle; | |
8 | use Date::Parse; | |
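# Option handling.  Every value arrives from the command line and is later
# handed to openssl as a file name or URL, so the input files are checked
# for existence here; the -o path only has to be a name we can write beside.
my ( $o, $i, $s, $f, $t, $u );
# Getopt::Std's --version handler reports $main::VERSION; a lexical
# "my $VERSION" is invisible to it, so this must be a package variable.
our $VERSION = '1.0';
$o = { 'm' => 10 };    # default: refresh once 10% of the response's validity is left
# getopts() prints "Unknown option" itself and returns false; fall through to usage.
usage() if ! getopts( "c:i:u:a:o:m:fv", $o );
# The earlier tests combined "missing option" and "missing file" with "&&",
# which made the file check unreachable: an option naming a non-existent
# file was accepted and only failed later inside openssl.
usage('No issuer specified')                   if ! $o->{'i'};
usage("Issuer file not found: $o->{'i'}")      if ! -f $o->{'i'};
usage('No certificate specified')              if ! $o->{'c'};
usage("Certificate file not found: $o->{'c'}") if ! -f $o->{'c'};
usage('No CA chain specified')                 if ! $o->{'a'};
usage("CA chain file not found: $o->{'a'}")    if ! -f $o->{'a'};
usage('No OCSP file specified')                if ! $o->{'o'};
usage('No URL specified')                      if ! $o->{'u'};
# -m is used in arithmetic below; reject anything that is not a plain number.
usage("Invalid -m value (percentage expected): $o->{'m'}")
    if $o->{'m'} !~ /^\d+(?:\.\d+)?$/;
# openssl writes the raw response here; it is renamed into place only after
# the status has been checked, so a bad fetch never clobbers a good file.
$o->{'t'} = $o->{'o'} . '.tmp';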
19 | ||
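# Decide whether a fresh response is needed: -f forces one; otherwise fetch
# when no response file exists yet, or when its mtime lies in the past.
# The mtime is deliberately backdated below to a point before nextUpdate,
# so "-M > 0" (mtime older than script start) means that point has passed.
if ( $o->{'f'}
    || ! -f $o->{'o'}
    || ( -M $o->{'o'} > 0 )
   )
{
    # Remove the scratch file (openssl writes it regardless of outcome)
    # and abort with the given message.
    my $abort = sub {
        unlink $o->{'t'};
        die @_;
    };

    # Run openssl without a shell.  The previous form interpolated the option
    # values into a 2-arg pipe open, so a path or URL containing shell
    # metacharacters was handed to /bin/sh verbatim.  Fork, and in the child
    # send stderr into the pipe as well before exec'ing the argument list.
    # In the openssl releases this script targets, the signature-verification
    # verdict ("Response verify OK" / "Response Verify Failure") is printed
    # on stderr, which the old command discarded; a response that failed
    # verification but still reported "good" would have been installed.
    my $pid = open( my $ocsp, '-|' );
    die "Unable to fork ocsp command: $!" if ! defined $pid;
    if ( $pid == 0 ) {
        # child: STDOUT is already the pipe; merge STDERR into it
        open( STDERR, '>&', \*STDOUT ) || die "Unable to redirect stderr: $!";
        exec( 'openssl', 'ocsp',
              '-issuer',  $o->{'i'},
              '-cert',    $o->{'c'},
              '-url',     $o->{'u'},
              '-CAfile',  $o->{'a'},
              '-respout', $o->{'t'} );
        die "Unable to execute ocsp command: $!";
    }
    my @out = <$ocsp>;
    close $ocsp;
    # openssl's exit status has not consistently reflected a verification
    # failure across versions, so the verdict line is checked separately below.
    $abort->( "ocsp command exited with status " . ( $? >> 8 ) . ":\n" . join( '', @out ) )
        if $? != 0;

    # Pick the interesting lines out of the merged output by label rather
    # than by position, since stdout and stderr are now interleaved.
    # openssl labels the status line with the -cert argument: "<file>: good".
    my ( $status, $next_update, $verified );
    for my $line (@out) {
        chomp $line;
        $verified = 1 if $line eq 'Response verify OK';
        $status = $1
            if ! defined $status && $line =~ /^\Q$o->{'c'}\E: (.+)$/;
        $next_update = $1 if $line =~ /^\s*Next Update: (.+)$/;
    }

    # Fail closed: only a response openssl could verify against -CAfile
    # is ever installed.
    $abort->( "OCSP response did not verify:\n" . join( '', @out ) ) if ! $verified;
    $abort->( "Unable to read status:\n" . join( '', @out ) )        if ! defined $status;
    $abort->("OCSP status is $status")                                 if $status ne 'good';
    $abort->( "Unable to read next update time:\n" . join( '', @out ) ) if ! defined $next_update;

    my $t = str2time($next_update);
    $abort->("Unable to parse next update time '$next_update'") if ! defined $t;
    # A response whose nextUpdate has already passed is useless for stapling.
    $abort->("OCSP response already expired (Next Update $next_update)") if $t <= time;
    warn "Next Update $t" if $o->{'v'};

    # Response is good: backdate the scratch file so the "-M > 0" test above
    # fires once only m% of the remaining validity is left, then move it
    # into place atomically.
    my $u = $t - $o->{'m'} * ( ( $t - time ) / 100 );
    utime( $u, $u, $o->{'t'} )     || $abort->("Unable to set mtime on $o->{'t'}: $!");
    rename( $o->{'t'}, $o->{'o'} ) || $abort->("Unable to rename $o->{'t'} to $o->{'o'}: $!");
}
exit;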
48 | ||
# Report an argument-validation failure: print the optional message and the
# help text on STDERR, then die.  Never returns.
sub usage {
    my ($message) = @_;
    print {*STDERR} $message, "\n" if $message;
    HELP_MESSAGE( \*STDERR );
    die;
}
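# Write the help text to the given filehandle.  Also invoked by Getopt::Std
# for --help (with STDOUT).  The option list now documents -m, which the
# usage line previously omitted although getopts() accepts it.
sub HELP_MESSAGE {
    my ($h) = @_;
    print $h <<"EOF";
Usage: $0 -i issuer -c certificate -u ocsp_url -a ca_certs -o response [-m percent] [-v] [-f]

  -i issuer       certificate of the CA that issued the certificate
  -c certificate  the certificate to fetch an OCSP response for
  -u ocsp_url     URL of the OCSP responder
  -a ca_certs     file with the CA chain used to verify the response
  -o response     where to store the DER response; "response.tmp" is used
                  as a scratch file and renamed into place once checked
  -m percent      refresh once this percentage of the response's remaining
                  validity is left (default 10)
  -v              report the parsed Next Update time (epoch seconds) on stderr
  -f              fetch even if the stored response is still considered fresh

For a certificate "www.example.com.pem"
signed by "signing.example.net.pem"
signed by root CA "ca.example.net.pem"
with OCSP server http://ocsp.example.net/

Ensure there is a file with the signing chain

cat ca.example.net.pem signing.example.net.pem >chain.pem

The update procedure would be

ocsp_fetch -i signing.example.net.pem \\
           -c www.example.com.pem \\
           -u http://ocsp.example.net/ \\
           -a chain.pem \\
           -o www.example.com.ocsp.der
EOF
    return;
}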
82 | # vi: aw ai sw=4 | |
83 | # End of File |