| 1 | #!/usr/bin/perl |
| 2 | # Copyright (C) 2012 Wizards Internet Ltd |
| 3 | # License GPLv2: GNU GPL version 2 <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html> |
use strict;
use warnings;
use Getopt::Std;
use IO::Handle;
use Date::Parse;
$Getopt::Std::STANDARD_HELP_VERSION = 1;
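# Getopt::Std prints $main::VERSION for --version, so this has to be a
# package variable; as a lexical it would be reported as "[unknown]".
our $VERSION = '1.0';

my $o = { 'm' => 10 };
usage() unless getopts("c:i:u:a:o:m:fv", $o);

# Each file option must be given AND name an existing file. The original
# test combined the two with &&, which let a non-existent path through
# and only failed later as an opaque openssl error.
usage('No issuer specified')                   if !$o->{'i'};
usage("Issuer file not found: $o->{'i'}")      if !-f $o->{'i'};
usage('No certificate specified')              if !$o->{'c'};
usage("Certificate file not found: $o->{'c'}") if !-f $o->{'c'};
usage('No CA chain specified')                 if !$o->{'a'};
usage("CA chain file not found: $o->{'a'}")    if !-f $o->{'a'};
usage('No OCSP file specified')                if !$o->{'o'};
usage('No URL specified')                      if !$o->{'u'};
# OCSP responders are reached over HTTP(S); anything else is a typo.
usage("URL must start with http:// or https://: $o->{'u'}")
    if $o->{'u'} !~ m{\Ahttps?://\S+\z};
usage("Refresh margin (-m) must be a non-negative number: $o->{'m'}")
    if $o->{'m'} !~ /\A\d+(?:\.\d+)?\z/;
$o->{'t'} = $o->{'o'} . '.tmp';

# Refetch when forced, when there is no stored response yet, or when the
# stored response's mtime (set below to the refresh deadline) is in the
# past.
if ( $o->{'f'} || !-f $o->{'o'} || ( -M $o->{'o'} > 0 ) ) {
    my $next_update = fetch_good_response($o);
    warn "Next Update $next_update" if $o->{'v'};
    # Response is good: stamp it with the moment at which -m percent of
    # its remaining validity is left, so the -M test above fires then,
    # and move it into place atomically.
    my $now        = time;
    my $refresh_at = $next_update - $o->{'m'} * (($next_update - $now) / 100);
    utime($refresh_at, $refresh_at, $o->{'t'})
        or die "Unable to set timestamp on $o->{'t'}: $!";
    rename($o->{'t'}, $o->{'o'})
        or die "Unable to move $o->{'t'} to $o->{'o'}: $!";
}
exit;

# Run "openssl ocsp" for the configured certificate, require that openssl
# verified the responder's signature and reported status "good", and
# return the Next Update time as an epoch value. Dies on any failure,
# removing the partial response file first.
sub fetch_good_response {
    my ($opt) = @_;
    my @cmd = (
        'openssl', 'ocsp',
        '-issuer',  $opt->{'i'},
        '-cert',    $opt->{'c'},
        '-url',     $opt->{'u'},
        '-CAfile',  $opt->{'a'},
        '-respout', $opt->{'t'},
    );

    # Fork-and-exec instead of a shell pipeline: the option values become
    # argv entries of openssl directly, so a path or URL containing shell
    # metacharacters cannot inject commands. stderr is merged into the
    # pipe because openssl reports its signature verification verdict
    # ("Response verify OK") there; the old "2>/dev/null" threw it away.
    my $pid = open(my $fh, '-|');
    die "Unable to fork for ocsp command: $!" unless defined $pid;
    if ($pid == 0) {
        open(STDERR, '>&', \*STDOUT) or exit 1;
        exec(@cmd);
        print STDERR "Unable to execute openssl: $!\n";
        exit 127;
    }
    my @output = <$fh>;
    close $fh;
    my $exit_code = $? >> 8;
    chomp @output;

    my ($verified, $status, $next_update);
    for my $line (@output) {
        $verified = 1 if $line eq 'Response verify OK';
        # The summary line is "<-cert argument>: <status>".
        $status = $1 if !defined $status && $line =~ /\A\Q$opt->{'c'}\E: (\S+)/;
        $next_update = $1 if $line =~ /\A\s*Next Update: (.+?)\s*\z/;
    }

    # openssl still prints the status summary when signature verification
    # fails (and older releases exit 0 in that case), so the verdict line
    # has to be checked explicitly: a "good" from an unverified response
    # must never be installed for stapling.
    my $failure;
    if    ($exit_code != 0)       { $failure = "ocsp command exited with status $exit_code"; }
    elsif (!$verified)            { $failure = 'OCSP response signature was not verified'; }
    elsif (!defined $status)      { $failure = 'Unable to read status'; }
    elsif ($status ne 'good')     { $failure = "OCSP status is $status"; }
    elsif (!defined $next_update) { $failure = 'Unable to read next update time'; }
    if (defined $failure) {
        # -respout may already have written the (unverified) response.
        unlink $opt->{'t'};
        die join("\n", $failure, 'openssl output:', @output) . "\n";
    }

    my $epoch = str2time($next_update);
    if (!defined $epoch) {
        unlink $opt->{'t'};
        die "Unable to parse next update time '$next_update'";
    }
    return $epoch;
}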
| 48 | |
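# Print an optional error message followed by the usage text to STDERR,
# then exit non-zero. exit is used instead of a bare die so the help text
# is not followed by a spurious "Died at ... line N." and the caller sees
# a conventional status 1 rather than 255.
sub usage {
    my ($message) = @_;
    print STDERR "$message\n" if $message;
    HELP_MESSAGE(\*STDERR);
    exit 1;
}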
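# Write the usage text to the handle $h. Getopt::Std calls this for
# --help (with STDOUT and extra arguments, ignored here); usage() calls
# it with STDERR. The -m option was missing from the usage line, and the
# options were otherwise undocumented.
sub HELP_MESSAGE {
    my ($h) = @_;
    print {$h} <<"EOF";
Usage: $0 -i issuer -c certificate -u ocsp_url -a ca_certs -o response [-m percent] [-v] [-f]

  -i issuer       PEM certificate of the CA that issued the certificate
  -c certificate  PEM certificate whose status is queried
  -u ocsp_url     URL of the OCSP responder (http:// or https://)
  -a ca_certs     PEM file with the chain used to verify the response
  -o response     where the DER-encoded response is stored
  -m percent      refetch when this percentage of the response's validity
                  window remains (default 10)
  -f              fetch a new response even if the stored one is current
  -v              verbose: report the Next Update time on STDERR

For a certificate "www.example.com.pem"
signed by "signing.example.net.pem"
signed by root CA "ca.example.net.pem"
with OCSP server http://ocsp.example.net/

Ensure there is a file with the signing chain

cat ca.example.net.pem signing.example.net.pem >chain.pem

The update procedure would be

ocsp_fetch -i signing.example.net.pem \\
    -c www.example.com.pem \\
    -u http://ocsp.example.net/ \\
    -a chain.pem \\
    -o www.example.com.ocsp.der
EOF
}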
| 82 | # vi: aw ai sw=4 |
| 83 | # End of File |