tor-browser

GenerateOCSPResponse.cpp (5924B)

---

/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set ts=2 sw=2 tw=80 et: */
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */

/* This simple program takes a database directory, and one or more tuples like
* <typeOfResponse> <CertNick> <ExtraCertNick> <outPutFilename>
* to generate (one or more) ocsp responses.
*/

#include "cert.h"
#include "nspr.h"
#include "nss.h"
#include "plarenas.h"
#include "prerror.h"
#include "ssl.h"
#include "secerr.h"

#include "OCSPCommon.h"
#include "ScopedNSSTypes.h"
#include "TLSServer.h"

using namespace mozilla;
using namespace mozilla::test;

struct OCSPResponseName {
 const char* mTypeString;
 const OCSPResponseType mORT;
};

const static OCSPResponseName kOCSPResponseNameList[] = {
   {"good", ORTGood},                         // the certificate is good
   {"good-delegated", ORTDelegatedIncluded},  // the certificate is good, using
                                              // a delegated signer
   {"revoked", ORTRevoked},                // the certificate has been revoked
   {"unknown", ORTUnknown},                // the responder doesn't know if the
                                           //   cert is good
   {"goodotherca", ORTGoodOtherCA},        // the wrong CA has signed the
                                           //   response
   {"expiredresponse", ORTExpired},        // the signature on the response has
                                           //   expired
   {"oldvalidperiod", ORTExpiredFreshCA},  // fresh signature, but old validity
                                           //   period
   {"empty", ORTEmpty},                    // an empty stapled response

   {"malformed", ORTMalformed},         // the response from the responder
                                        //   was malformed
   {"serverr", ORTSrverr},              // the response indicates there was a
                                        //   server error
   {"trylater", ORTTryLater},           // the responder replied with
                                        //   "try again later"
   {"resp-unsigned", ORTNeedsSig},      // the response needs a signature
   {"unauthorized", ORTUnauthorized},   // the responder does not know about
                                        //   the cert
   {"bad-signature", ORTBadSignature},  // the response has a bad signature
   {"longvalidityalmostold",
    ORTLongValidityAlmostExpired},  // the response is
                                    // still valid, but the generation
                                    // is almost a year old
   {"ancientstillvalid", ORTAncientAlmostExpired},  // The response is still
                                                    // valid but the generation
                                                    // is almost two years old
};

bool StringToOCSPResponseType(const char* respText,
                             /*out*/ OCSPResponseType* OCSPType) {
 if (!OCSPType) {
   return false;
 }
 for (auto ocspResponseName : kOCSPResponseNameList) {
   if (strcmp(respText, ocspResponseName.mTypeString) == 0) {
     *OCSPType = ocspResponseName.mORT;
     return true;
   }
 }
 return false;
}

bool WriteResponse(const char* filename, const SECItem* item) {
 if (!filename || !item || !item->data) {
   PR_fprintf(PR_STDERR, "invalid parameters to WriteResponse");
   return false;
 }

 UniquePRFileDesc outFile(
     PR_Open(filename, PR_WRONLY | PR_CREATE_FILE | PR_TRUNCATE, 0644));
 if (!outFile) {
   PrintPRError("cannot open file for writing");
   return false;
 }
 int32_t rv = PR_Write(outFile.get(), item->data, item->len);
 if (rv < 0 || (uint32_t)rv != item->len) {
   PrintPRError("File write failure");
   return false;
 }

 return true;
}

int main(int argc, char* argv[]) {
 if (argc < 7 || (argc - 7) % 5 != 0) {
   PR_fprintf(
       PR_STDERR,
       "usage: %s <NSS DB directory> <responsetype> "
       "<cert_nick> <extranick> <this_update_skew> <outfilename> [<resptype> "
       "<cert_nick> <extranick> <this_update_skew> <outfilename>]* \n",
       argv[0]);
   exit(EXIT_FAILURE);
 }
 SECStatus rv = InitializeNSS(argv[1]);
 if (rv != SECSuccess) {
   PR_fprintf(PR_STDERR, "Failed to initialize NSS\n");
   exit(EXIT_FAILURE);
 }
 UniquePLArenaPool arena(PORT_NewArena(256 * argc));
 if (!arena) {
   PrintPRError("PORT_NewArena failed");
   exit(EXIT_FAILURE);
 }

 for (int i = 2; i + 3 < argc; i += 5) {
   const char* ocspTypeText = argv[i];
   const char* certNick = argv[i + 1];
   const char* extraCertname = argv[i + 2];
   const char* skewChars = argv[i + 3];
   const char* filename = argv[i + 4];

   OCSPResponseType ORT;
   if (!StringToOCSPResponseType(ocspTypeText, &ORT)) {
     PR_fprintf(PR_STDERR, "Cannot generate OCSP response of type %s\n",
                ocspTypeText);
     exit(EXIT_FAILURE);
   }

   UniqueCERTCertificate cert(PK11_FindCertFromNickname(certNick, nullptr));
   if (!cert) {
     PrintPRError("PK11_FindCertFromNickname failed");
     PR_fprintf(PR_STDERR, "Failed to find certificate with nick '%s'\n",
                certNick);
     exit(EXIT_FAILURE);
   }

   time_t skew = static_cast<time_t>(atoll(skewChars));

   SECItemArray* response =
       GetOCSPResponseForType(ORT, cert, arena, extraCertname, skew);
   if (!response) {
     PR_fprintf(PR_STDERR,
                "Failed to generate OCSP response of type %s "
                "for %s\n",
                ocspTypeText, certNick);
     exit(EXIT_FAILURE);
   }

   if (!WriteResponse(filename, &response->items[0])) {
     PR_fprintf(PR_STDERR, "Failed to write file %s\n", filename);
     exit(EXIT_FAILURE);
   }
 }
 return 0;
}