Merge branch 'patch-1' of https://github.com/bes-internal/exim into master-bes-rateli...
[exim.git] / src / util / ocsp_fetch.pl
1 #!/usr/bin/perl
2 # Copyright (C) 2012 Wizards Internet Ltd
3 # License GPLv2: GNU GPL version 2 <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
4 use strict;
5 use Getopt::Std;
6 $Getopt::Std::STANDARD_HELP_VERSION=1;
7 use IO::Handle;
8 use Date::Parse;
9 my ($o,$i,$s,$f,$t,$u,$VERSION);
10 $VERSION='1.0';
11 $o={'m'=>10};
12 getopts("c:i:u:a:o:m:fv",$o);
13 usage('No issuer specified') if ! $o->{'i'} && ! -f $o->{'i'};
14 usage('No certificate specified') if ! $o->{'c'} && ! -f $o->{'c'};
15 usage('No CA chain specified') if ! $o->{'a'} && ! -f $o->{'a'};
16 usage('No OCSP file specified') if ! $o->{'o'};
17 usage('No URL specified') if ! $o->{'u'};
18 $o->{'t'}=$o->{'o'}.'.tmp';
19
20 # check if we need to
21 if ( $o->{'f'}
22 || ! -f $o->{'o'}
23 || ( -M $o->{'o'} > 0 )
24 )
25 {
26 $i = new IO::Handle;
27 open( $i, "openssl ocsp -issuer $o->{'i'} -cert $o->{'c'} -url $o->{'u'} -CAfile $o->{'a'} -respout $o->{'t'} 2>/dev/null |" ) || die 'Unable to execute ocsp command';
28 $s = <$i> || die 'Unable to read status';
29 $f = <$i> || die 'Unable to read update time';
30 $t = <$i> || die 'Unable to read next update time';
31 close $i;
32 # Status ok ?
33 chomp($s);
34 chomp($f);
35 chomp($t);
36 $s =~ s/[^:]*: //;
37 $f =~ s/[^:]*: //;
38 $t =~ s/[^:]*: //;
39 $t = str2time($t);
40 die "OCSP status is $s" if $s ne 'good';
41 warn "Next Update $t" if $o->{'v'};
42 # response is good, adjust mod time and move into place.
43 $u = $t - $o->{'m'} * (($t - time)/100);
44 utime $u,$u,$o->{'t'};
45 rename $o->{'t'},$o->{'o'};
46 }
47 exit;
48
49 sub
50 usage
51 {
52 my $m = shift;
53 print STDERR "$m\n" if $m;
54 HELP_MESSAGE(\*STDERR);
55 die;
56 }
57 sub
58 HELP_MESSAGE
59 {
60 my $h = shift;
61 print $h <<EOF
62 Usage: $0 -i issuer -c certificate -u ocsp_url -a ca_certs -o response [-v] [-f]
63
64 For a certificate "www.example.com.pem"
65 signed by "signing.example.net.pem"
66 signed by root CA "ca.example.net.pem"
67 with OCSP server http://ocsp.example.net/
68
69 Ensure there is a file with the signing chain
70
71 cat ca.example.net.pem signing.example.net.pem >chain.pem
72
73 The update procedure would be
74
75 ocsp_fetch -i signing.example.net.pem \
76 -c www.example.com.pem \
77 -u http://ocsp.example.net/ \
78 -a chain.pem \
79 -o www.example.com.ocsp.der
80 EOF
81 }
82 # vi: aw ai sw=4
83 # End of File