Tree - source-git/mingw-gnutls

source-git / mingw-gnutls

Blame src/ocsptool-args.def

Blob History Raw

Packit	549fdc	`AutoGen Definitions options;`
Packit	549fdc	`prog-name = ocsptool;`
Packit	549fdc	`prog-title = "GnuTLS OCSP tool";`
Packit	549fdc	`prog-desc = "Program to handle OCSP request/responses.";`
Packit	549fdc	`detail = "ocsptool is a program that can parse and print information about`
Packit	549fdc	`OCSP requests/responses, generate requests and verify responses.";`
Packit	549fdc	`short-usage = "ocsptool [options]\nocsptool --help for usage instructions.\n";`
Packit	549fdc	`explain = "";`
Packit	549fdc
Packit	549fdc	`doc-section = {`
Packit	549fdc	`ds-type = 'DESCRIPTION';`
Packit	549fdc	`ds-format = 'texi';`
Packit	549fdc	`ds-text = <<-_EOT_`
Packit	549fdc	`@subheading On verification`
Packit	549fdc	`Responses are typically signed/issued by designated certificates or`
Packit	549fdc	`certificate authorities and thus this tool requires on verification`
Packit	549fdc	`the certificate of the issuer or the full certificate chain in order to`
Packit	549fdc	`determine the appropriate signing authority. The specified certificate`
Packit	549fdc	`of the issuer is assumed trusted.`
Packit	549fdc	`_EOT_;`
Packit	549fdc	`};`
Packit	549fdc
Packit	549fdc	`#define INFILE_OPT 1`
Packit	549fdc	`#define OUTFILE_OPT 1`
Packit	549fdc	`#define VERBOSE_OPT 1`
Packit	549fdc	`#include args-std.def`
Packit	549fdc
Packit	549fdc	`flag = {`
Packit	549fdc	`name = ask;`
Packit	549fdc	`arg-type = string;`
Packit	549fdc	`arg-name = "server name\|url";`
Packit	549fdc	`arg-optional;`
Packit	549fdc	`descrip = "Ask an OCSP/HTTP server on a certificate validity";`
Packit	549fdc	`doc = "Connects to the specified HTTP OCSP server and queries on the validity of the loaded certificate.`
Packit	549fdc	`Its argument can be a URL or a plain server name. It can be combined with --load-chain, where it checks`
Packit	549fdc	`all certificates in the provided chain, or with --load-cert and`
Packit	549fdc	`--load-issuer options. The latter checks the provided certificate`
Packit	549fdc	`against its specified issuer certificate.";`
Packit	549fdc	`};`
Packit	549fdc
Packit	549fdc	`flag = {`
Packit	549fdc	`name = verify-response;`
Packit	549fdc	`value = e;`
Packit	549fdc	`descrip = "Verify response";`
Packit	549fdc	`doc = "Verifies the provided OCSP response against the system trust`
Packit	549fdc	`anchors (unless --load-trust is provided). It requires the --load-signer`
Packit	549fdc	`or --load-chain options to obtain the signer of the OCSP response.";`
Packit	549fdc	`};`
Packit	549fdc
Packit	549fdc	`flag = {`
Packit	549fdc	`name = request-info;`
Packit	549fdc	`value = i;`
Packit	549fdc	`descrip = "Print information on a OCSP request";`
Packit	549fdc	`doc = "Display detailed information on the provided OCSP request.";`
Packit	549fdc	`};`
Packit	549fdc
Packit	549fdc	`flag = {`
Packit	549fdc	`name = response-info;`
Packit	549fdc	`value = j;`
Packit	549fdc	`descrip = "Print information on a OCSP response";`
Packit	549fdc	`doc = "Display detailed information on the provided OCSP response.";`
Packit	549fdc	`};`
Packit	549fdc
Packit	549fdc	`flag = {`
Packit	549fdc	`name = generate-request;`
Packit	549fdc	`value = q;`
Packit	549fdc	`descrip = "Generates an OCSP request";`
Packit	549fdc	`doc = "";`
Packit	549fdc	`};`
Packit	549fdc
Packit	549fdc	`flag = {`
Packit	549fdc	`name = nonce;`
Packit	549fdc	`disabled = yes;`
Packit	549fdc	`disable = "no";`
Packit	549fdc	`descrip = "Use (or not) a nonce to OCSP request";`
Packit	549fdc	`doc = "";`
Packit	549fdc	`};`
Packit	549fdc
Packit	549fdc	`flag = {`
Packit	549fdc	`name = load-chain;`
Packit	549fdc	`arg-type = file;`
Packit	549fdc	`file-exists = yes;`
Packit	549fdc	`descrip = "Reads a set of certificates forming a chain from file";`
Packit	549fdc	`doc = "";`
Packit	549fdc	`};`
Packit	549fdc
Packit	549fdc	`flag = {`
Packit	549fdc	`name = load-issuer;`
Packit	549fdc	`arg-type = file;`
Packit	549fdc	`file-exists = yes;`
Packit	549fdc	`descrip = "Reads issuer's certificate from file";`
Packit	549fdc	`doc = "";`
Packit	549fdc	`};`
Packit	549fdc
Packit	549fdc	`flag = {`
Packit	549fdc	`name = load-cert;`
Packit	549fdc	`arg-type = file;`
Packit	549fdc	`file-exists = yes;`
Packit	549fdc	`descrip = "Reads the certificate to check from file";`
Packit	549fdc	`doc = "";`
Packit	549fdc	`};`
Packit	549fdc
Packit	549fdc	`flag = {`
Packit	549fdc	`name = load-trust;`
Packit	549fdc	`arg-type = file;`
Packit	549fdc	`file-exists = yes;`
Packit	549fdc	`descrip = "Read OCSP trust anchors from file";`
Packit	549fdc	`flags-cant = load-signer;`
Packit	549fdc	`doc = "When verifying an OCSP response read the trust anchors from the`
Packit	549fdc	`provided file. When this is not provided, the system's trust anchors will be`
Packit	549fdc	`used.";`
Packit	549fdc	`};`
Packit	549fdc
Packit	549fdc	`flag = {`
Packit	549fdc	`name = load-signer;`
Packit	549fdc	`arg-type = file;`
Packit	549fdc	`file-exists = yes;`
Packit	549fdc	`descrip = "Reads the OCSP response signer from file";`
Packit	549fdc	`flags-cant = load-trust;`
Packit	549fdc	`doc = "";`
Packit	549fdc	`};`
Packit	549fdc
Packit	549fdc	`flag = {`
Packit	549fdc	`name = inder;`
Packit	549fdc	`disabled;`
Packit	549fdc	`disable = "no";`
Packit	549fdc	`descrip = "Use DER format for input certificates and private keys";`
Packit	549fdc	`doc = "";`
Packit	549fdc	`};`
Packit	549fdc
Packit	549fdc	`flag = {`
Packit	549fdc	`name = load-request;`
Packit	549fdc	`value = Q;`
Packit	549fdc	`arg-type = file;`
Packit	549fdc	`file-exists = yes;`
Packit	549fdc	`descrip = "Reads the DER encoded OCSP request from file";`
Packit	549fdc	`doc = "";`
Packit	549fdc	`};`
Packit	549fdc
Packit	549fdc	`flag = {`
Packit	549fdc	`name = load-response;`
Packit	549fdc	`value = S;`
Packit	549fdc	`arg-type = file;`
Packit	549fdc	`file-exists = yes;`
Packit	549fdc	`descrip = "Reads the DER encoded OCSP response from file";`
Packit	549fdc	`doc = "";`
Packit	549fdc	`};`
Packit	549fdc
Packit	549fdc	`flag = {`
Packit	549fdc	`name = ignore-errors;`
Packit	549fdc	`descrip = "Ignore any verification errors";`
Packit	549fdc	`doc = "";`
Packit	549fdc	`};`
Packit	549fdc
Packit	549fdc	`flag = {`
Packit	549fdc	`name = verify-allow-broken;`
Packit	549fdc	`descrip = "Allow broken algorithms, such as MD5 for verification";`
Packit	549fdc	`doc = "This can be combined with --verify-response.";`
Packit	549fdc	`};`
Packit	549fdc
Packit	549fdc	`doc-section = {`
Packit	549fdc	`ds-type = 'SEE ALSO';`
Packit	549fdc	`ds-format = 'texi';`
Packit	549fdc	`ds-text = <<-_EOT_`
Packit	549fdc	`certtool (1)`
Packit	549fdc	`_EOT_;`
Packit	549fdc	`};`
Packit	549fdc
Packit	549fdc	`doc-section = {`
Packit	549fdc	`ds-type = 'EXAMPLES';`
Packit	549fdc	`ds-format = 'texi';`
Packit	549fdc	`ds-text = <<-_EOF_`
Packit	549fdc	`@subheading Print information about an OCSP request`
Packit	549fdc
Packit	549fdc	`To parse an OCSP request and print information about the content, the`
Packit	549fdc	`@code{-i} or @code{--request-info} parameter may be used as follows.`
Packit	549fdc	`The @code{-Q} parameter specify the name of the file containing the`
Packit	549fdc	`OCSP request, and it should contain the OCSP request in binary DER`
Packit	549fdc	`format.`
Packit	549fdc
Packit	549fdc	`@example`
Packit	549fdc	`$ ocsptool -i -Q ocsp-request.der`
Packit	549fdc	`@end example`
Packit	549fdc
Packit	549fdc	`The input file may also be sent to standard input like this:`
Packit	549fdc
Packit	549fdc	`@example`
Packit	549fdc	`$ cat ocsp-request.der \| ocsptool --request-info`
Packit	549fdc	`@end example`
Packit	549fdc
Packit	549fdc	`@subheading Print information about an OCSP response`
Packit	549fdc
Packit	549fdc	`Similar to parsing OCSP requests, OCSP responses can be parsed using`
Packit	549fdc	`the @code{-j} or @code{--response-info} as follows.`
Packit	549fdc
Packit	549fdc	`@example`
Packit	549fdc	`$ ocsptool -j -Q ocsp-response.der`
Packit	549fdc	`$ cat ocsp-response.der \| ocsptool --response-info`
Packit	549fdc	`@end example`
Packit	549fdc
Packit	549fdc	`@subheading Generate an OCSP request`
Packit	549fdc
Packit	549fdc	`The @code{-q} or @code{--generate-request} parameters are used to`
Packit	549fdc	`generate an OCSP request. By default the OCSP request is written to`
Packit	549fdc	`standard output in binary DER format, but can be stored in a file`
Packit	549fdc	`using @code{--outfile}. To generate an OCSP request the issuer of the`
Packit	549fdc	`certificate to check needs to be specified with @code{--load-issuer}`
Packit	549fdc	`and the certificate to check with @code{--load-cert}. By default PEM`
Packit	549fdc	`format is used for these files, although @code{--inder} can be used to`
Packit	549fdc	`specify that the input files are in DER format.`
Packit	549fdc
Packit	549fdc	`@example`
Packit	549fdc	`$ ocsptool -q --load-issuer issuer.pem --load-cert client.pem \`
Packit	549fdc	`--outfile ocsp-request.der`
Packit	549fdc	`@end example`
Packit	549fdc
Packit	549fdc	`When generating OCSP requests, the tool will add an OCSP extension`
Packit	549fdc	`containing a nonce. This behaviour can be disabled by specifying`
Packit	549fdc	`@code{--no-nonce}.`
Packit	549fdc
Packit	549fdc	`@subheading Verify signature in OCSP response`
Packit	549fdc
Packit	549fdc	`To verify the signature in an OCSP response the @code{-e} or`
Packit	549fdc	`@code{--verify-response} parameter is used. The tool will read an`
Packit	549fdc	`OCSP response in DER format from standard input, or from the file`
Packit	549fdc	`specified by @code{--load-response}. The OCSP response is verified`
Packit	549fdc	`against a set of trust anchors, which are specified using`
Packit	549fdc	`@code{--load-trust}. The trust anchors are concatenated certificates`
Packit	549fdc	`in PEM format. The certificate that signed the OCSP response needs to`
Packit	549fdc	`be in the set of trust anchors, or the issuer of the signer`
Packit	549fdc	`certificate needs to be in the set of trust anchors and the OCSP`
Packit	549fdc	`Extended Key Usage bit has to be asserted in the signer certificate.`
Packit	549fdc
Packit	549fdc	`@example`
Packit	549fdc	`$ ocsptool -e --load-trust issuer.pem \`
Packit	549fdc	`--load-response ocsp-response.der`
Packit	549fdc	`@end example`
Packit	549fdc
Packit	549fdc	`The tool will print status of verification.`
Packit	549fdc
Packit	549fdc	`@subheading Verify signature in OCSP response against given certificate`
Packit	549fdc
Packit	549fdc	`It is possible to override the normal trust logic if you know that a`
Packit	549fdc	`certain certificate is supposed to have signed the OCSP response, and`
Packit	549fdc	`you want to use it to check the signature. This is achieved using`
Packit	549fdc	`@code{--load-signer} instead of @code{--load-trust}. This will load`
Packit	549fdc	`one certificate and it will be used to verify the signature in the`
Packit	549fdc	`OCSP response. It will not check the Extended Key Usage bit.`
Packit	549fdc
Packit	549fdc	`@example`
Packit	549fdc	`$ ocsptool -e --load-signer ocsp-signer.pem \`
Packit	549fdc	`--load-response ocsp-response.der`
Packit	549fdc	`@end example`
Packit	549fdc
Packit	549fdc	`This approach is normally only relevant in two situations. The first`
Packit	549fdc	`is when the OCSP response does not contain a copy of the signer`
Packit	549fdc	`certificate, so the @code{--load-trust} code would fail. The second`
Packit	549fdc	`is if you want to avoid the indirect mode where the OCSP response`
Packit	549fdc	`signer certificate is signed by a trust anchor.`
Packit	549fdc
Packit	549fdc	`@subheading Real-world example`
Packit	549fdc
Packit	549fdc	`Here is an example of how to generate an OCSP request for a`
Packit	549fdc	`certificate and to verify the response. For illustration we'll use`
Packit	549fdc	`the @code{blog.josefsson.org} host, which (as of writing) uses a`
Packit	549fdc	`certificate from CACert. First we'll use @code{gnutls-cli} to get a`
Packit	549fdc	`copy of the server certificate chain. The server is not required to`
Packit	549fdc	`send this information, but this particular one is configured to do so.`
Packit	549fdc
Packit	549fdc	`@example`
Packit	549fdc	`$ echo \| gnutls-cli -p 443 blog.josefsson.org --save-cert chain.pem`
Packit	549fdc	`@end example`
Packit	549fdc
Packit	549fdc	`The saved certificates normally contain a pointer to where the OCSP`
Packit	549fdc	`responder is located, in the Authority Information Access Information`
Packit	549fdc	`extension. For example, from @code{certtool -i < chain.pem} there is`
Packit	549fdc	`this information:`
Packit	549fdc
Packit	549fdc	`@example`
Packit	549fdc	`Authority Information Access Information (not critical):`
Packit	549fdc	`Access Method: 1.3.6.1.5.5.7.48.1 (id-ad-ocsp)`
Packit	549fdc	`Access Location URI: http://ocsp.CAcert.org/`
Packit	549fdc	`@end example`
Packit	549fdc
Packit	549fdc	`This means that ocsptool can discover the servers to contact over HTTP.`
Packit	549fdc	`We can now request information on the chain certificates.`
Packit	549fdc
Packit	549fdc	`@example`
Packit	549fdc	`$ ocsptool --ask --load-chain chain.pem`
Packit	549fdc	`@end example`
Packit	549fdc
Packit	549fdc	`The request is sent via HTTP to the OCSP server address found in`
Packit	549fdc	`the certificates. It is possible to override the address of the`
Packit	549fdc	`OCSP server as well as ask information on a particular certificate`
Packit	549fdc	`using --load-cert and --load-issuer.`
Packit	549fdc
Packit	549fdc	`@example`
Packit	549fdc	`$ ocsptool --ask http://ocsp.CAcert.org/ --load-chain chain.pem`
Packit	549fdc	`@end example`
Packit	549fdc
Packit	549fdc	`_EOF_;`
Packit	549fdc	`};`
Packit	549fdc

source-git / mingw-gnutls

Source Code

Blame src/ocsptool-args.def