Diffstat (limited to 'functions/ocsp.php')
-rw-r--r--functions/ocsp.php209
1 files changed, 135 insertions, 74 deletions
diff --git a/functions/ocsp.php b/functions/ocsp.php
index 299a1fd..c9d43eb 100644
--- a/functions/ocsp.php
+++ b/functions/ocsp.php
@@ -15,92 +15,153 @@
// along with this program. If not, see <http://www.gnu.org/licenses/>.
function ocsp_stapling($host, $port){
- $result = "";
- $output = shell_exec('echo | timeout 2 openssl s_client -connect "' . escapeshellcmd($host) . ':' . escapeshellcmd($port) . '" -tlsextdebug -status 2>&1 | sed -n "/OCSP response:/,/---/p"');
- if (strpos($output, "no response sent") !== false) {
- $result = array("working" => 0,
- "cert_status" => "No response sent");
- return;
- }
- if (strpos($output, "OCSP Response Data:") !== false) {
- $lines = array();
- $output = preg_replace("/[[:blank:]]+/"," ", $output);
- $stapling_status_lines = explode("\n", $output);
- $stapling_status_lines = array_map('trim', $stapling_status_lines);
- foreach($stapling_status_lines as $line) {
- if(endsWith($line, ":") == false) {
- list($k, $v) = explode(":", $line);
- $lines[trim($k)] = trim($v);
- }
- }
- $result = array("working" => 1,
- "Cert Status" => $lines["Cert Status"],
- "This Update" => $lines["This Update"],
- "Next Update" => $lines["Next Update"],
- "Responder ID" => $lines["Responder Id"],
- "Hash Algorithm" => $lines["Hash Algorithm"],
- "Signature Algorithm" => $lines["Signature Algorithm"],
- "Issuer Name Hash" => $lines["Issuer Name Hash"]);
+ $result = "";
+ $output = shell_exec('echo | timeout 2 openssl s_client -connect "' . escapeshellcmd($host) . ':' . escapeshellcmd($port) . '" -tlsextdebug -status 2>&1 | sed -n "/OCSP response:/,/---/p"');
+ if (strpos($output, "no response sent") !== false) {
+ $result = array("working" => 0,
+ "cert_status" => "No response sent");
+ return;
+ }
+ if (strpos($output, "OCSP Response Data:") !== false) {
+ $lines = array();
+ $output = preg_replace("/[[:blank:]]+/"," ", $output);
+ $stapling_status_lines = explode("\n", $output);
+ $stapling_status_lines = array_map('trim', $stapling_status_lines);
+ foreach($stapling_status_lines as $line) {
+ if(endsWith($line, ":") == false) {
+ list($k, $v) = explode(":", $line);
+ $lines[trim($k)] = trim($v);
+ }
}
- return $result;
+ $result = array("working" => 1,
+ "Cert Status" => $lines["Cert Status"],
+ "This Update" => $lines["This Update"],
+ "Next Update" => $lines["Next Update"],
+ "Responder ID" => $lines["Responder Id"],
+ "Hash Algorithm" => $lines["Hash Algorithm"],
+ "Signature Algorithm" => $lines["Signature Algorithm"],
+ "Issuer Name Hash" => $lines["Issuer Name Hash"]);
+ }
+ return $result;
}
function ocsp_verify($raw_cert_data, $raw_next_cert_data) {
- global $random_blurp;
- $cert_data = openssl_x509_parse($raw_cert_data);
- $tmp_dir = '/tmp/';
- $root_ca = getcwd() . '/cacert.pem';
-
- $pem_issuer = "";
- $pem_client = "";
- $ocsp_uri = explode("OCSP - URI:", $cert_data['extensions']['authorityInfoAccess'])[1];
- $ocsp_uri = explode("\n", $ocsp_uri)[0];
- $ocsp_uri = explode(" ", $ocsp_uri)[0];
- if (empty($ocsp_uri) ) {
- $result = array('unknown' => "Could not find OCSP URI", );
- return $result;
+ global $random_blurp;
+ $cert_data = openssl_x509_parse($raw_cert_data);
+ $tmp_dir = '/tmp/';
+ $root_ca = getcwd() . '/cacert.pem';
+
+ $pem_issuer = "";
+ $pem_client = "";
+ $ocsp_uri = explode("OCSP - URI:", $cert_data['extensions']['authorityInfoAccess'])[1];
+ $ocsp_uri = explode("\n", $ocsp_uri)[0];
+ $ocsp_uri = explode(" ", $ocsp_uri)[0];
+ if (empty($ocsp_uri) ) {
+ $result = array('unknown' => "Could not find OCSP URI", );
+ return $result;
+ }
+ openssl_x509_export($raw_cert_data, $pem_client);
+ openssl_x509_export($raw_next_cert_data, $pem_issuer);
+ openssl_x509_export_to_file($raw_next_cert_data, $tmp_dir.$random_blurp.'.cert_issuer.pem');
+ openssl_x509_export_to_file($raw_cert_data, $tmp_dir.$random_blurp.'.cert_client.pem');
+
+ // Some OCSP's want HTTP/1.1 but OpenSSL does not do that. Add Host header as workaround.
+ $ocsp_host = parse_url($ocsp_uri, PHP_URL_HOST);
+
+ //echo '<pre>' . htmlspecialchars('openssl ocsp -no_nonce -CAfile '.$root_ca.' -issuer '.$tmp_dir.$random_blurp.'.cert_issuer.pem -cert '.$tmp_dir.$random_blurp.'.cert_client.pem -url "'. escapeshellcmd($ocsp_uri) . '" -header "HOST" "'. escapeshellcmd($ocsp_host) . '" 2>&1') . '</pre>';
+
+ $output = shell_exec('openssl ocsp -no_nonce -CAfile '.$root_ca.' -issuer '.$tmp_dir.$random_blurp.'.cert_issuer.pem -cert '.$tmp_dir.$random_blurp.'.cert_client.pem -url "'. escapeshellcmd($ocsp_uri) . '" -header "HOST" "'. escapeshellcmd($ocsp_host) . '" 2>&1');
+ $filter_output = shell_exec('openssl ocsp -no_nonce -CAfile '.$root_ca.' -issuer '.$tmp_dir.$random_blurp.'.cert_issuer.pem -cert '.$tmp_dir.$random_blurp.'.cert_client.pem -url "'. escapeshellcmd($ocsp_uri) . '" -header "HOST" "'. escapeshellcmd($ocsp_host) . '" 2>&1 | grep -v -e "to get local issuer certificate" -e "signer certificate not found" -e "Response Verify" -e "'. $tmp_dir.$random_blurp.'.cert_client.pem"');
+
+
+
+ $lines = array();
+ $output = preg_replace("/[[:blank:]]+/"," ", $output);
+ $ocsp_status_lines = explode("\n", $output);
+ $ocsp_status_lines = array_map('trim', $ocsp_status_lines);
+ foreach($ocsp_status_lines as $line) {
+ if(endsWith($line, ":") == false) {
+ list($k, $v) = explode(":", $line, 2);
+ $lines[trim($k)] = trim($v);
}
- openssl_x509_export($raw_cert_data, $pem_client);
- openssl_x509_export($raw_next_cert_data, $pem_issuer);
- openssl_x509_export_to_file($raw_next_cert_data, $tmp_dir.$random_blurp.'.cert_issuer.pem');
- openssl_x509_export_to_file($raw_cert_data, $tmp_dir.$random_blurp.'.cert_client.pem');
+ }
- // Some OCSP's want HTTP/1.1 but OpenSSL does not do that. Add Host header as workaround.
- $ocsp_host = parse_url($ocsp_uri, PHP_URL_HOST);
+ $result = array("This Update" => $lines["This Update"],
+ "Next Update" => $lines["Next Update"],
+ "Reason" => $lines["Reason"],
+ "Revocation Time" => $lines["Revocation Time"],
+ "ocsp_verify_status" => $lines[$tmp_dir . $random_blurp . ".cert_client.pem"]);
+ if ($result["ocsp_verify_status"] == "good") {
+ $result["good"] = $filter_output;
+ } else if ($result["ocsp_verify_status"] == "revoked") {
+ $result["revoked"] = $filter_output;
+ } else {
+ $result["unknown"] = $filter_output;
+ }
+ unlink($tmp_dir.$random_blurp.'.cert_client.pem');
+ unlink($tmp_dir.$random_blurp.'.cert_issuer.pem');
+ return $result;
+}
- //echo '<pre>' . htmlspecialchars('openssl ocsp -no_nonce -CAfile '.$root_ca.' -issuer '.$tmp_dir.$random_blurp.'.cert_issuer.pem -cert '.$tmp_dir.$random_blurp.'.cert_client.pem -url "'. escapeshellcmd($ocsp_uri) . '" -header "HOST" "'. escapeshellcmd($ocsp_host) . '" 2>&1') . '</pre>';
- $output = shell_exec('openssl ocsp -no_nonce -CAfile '.$root_ca.' -issuer '.$tmp_dir.$random_blurp.'.cert_issuer.pem -cert '.$tmp_dir.$random_blurp.'.cert_client.pem -url "'. escapeshellcmd($ocsp_uri) . '" -header "HOST" "'. escapeshellcmd($ocsp_host) . '" 2>&1');
- $filter_output = shell_exec('openssl ocsp -no_nonce -CAfile '.$root_ca.' -issuer '.$tmp_dir.$random_blurp.'.cert_issuer.pem -cert '.$tmp_dir.$random_blurp.'.cert_client.pem -url "'. escapeshellcmd($ocsp_uri) . '" -header "HOST" "'. escapeshellcmd($ocsp_host) . '" 2>&1 | grep -v -e "to get local issuer certificate" -e "signer certificate not found" -e "Response Verify" -e "'. $tmp_dir.$random_blurp.'.cert_client.pem"');
+function ocsp_verify_json($raw_cert_data, $raw_next_cert_data, $ocsp_uri) {
+ global $random_blurp;
+ $result = array();
+ $tmp_dir = '/tmp/';
+ $root_ca = getcwd() . '/cacert.pem';
+ $pem_issuer = "";
+ $pem_client = "";
+ openssl_x509_export($raw_cert_data, $pem_client);
+ openssl_x509_export($raw_next_cert_data, $pem_issuer);
+ openssl_x509_export_to_file($raw_next_cert_data, $tmp_dir.$random_blurp.'.cert_issuer.pem');
+ openssl_x509_export_to_file($raw_cert_data, $tmp_dir.$random_blurp.'.cert_client.pem');
+ // Some OCSP's want HTTP/1.1 but OpenSSL does not do that. Add Host header as workaround.
+ $ocsp_host = parse_url($ocsp_uri, PHP_URL_HOST);
+ $output = shell_exec('openssl ocsp -no_nonce -CAfile '.$root_ca.' -issuer '.$tmp_dir.$random_blurp.'.cert_issuer.pem -cert '.$tmp_dir.$random_blurp.'.cert_client.pem -url "'. escapeshellcmd($ocsp_uri) . '" -header "HOST" "'. escapeshellcmd($ocsp_host) . '" 2>&1');
+
+ $filter_output = shell_exec('openssl ocsp -no_nonce -CAfile '.$root_ca.' -issuer '.$tmp_dir.$random_blurp.'.cert_issuer.pem -cert '.$tmp_dir.$random_blurp.'.cert_client.pem -url "'. escapeshellcmd($ocsp_uri) . '" -header "HOST" "'. escapeshellcmd($ocsp_host) . '" 2>&1 | grep -v -e "to get local issuer certificate" -e "signer certificate not found" -e "Response Verify" -e "'. $tmp_dir.$random_blurp.'.cert_client.pem"');
- $lines = array();
- $output = preg_replace("/[[:blank:]]+/"," ", $output);
- $ocsp_status_lines = explode("\n", $output);
- $ocsp_status_lines = array_map('trim', $ocsp_status_lines);
- foreach($ocsp_status_lines as $line) {
- if(endsWith($line, ":") == false) {
- list($k, $v) = explode(":", $line, 2);
- $lines[trim($k)] = trim($v);
- }
- }
-
- $result = array("This Update" => $lines["This Update"],
- "Next Update" => $lines["Next Update"],
- "Reason" => $lines["Reason"],
- "Revocation Time" => $lines["Revocation Time"],
- "ocsp_verify_status" => $lines[$tmp_dir . $random_blurp . ".cert_client.pem"]);
- if ($result["ocsp_verify_status"] == "good") {
- $result["good"] = $filter_output;
- } else if ($result["ocsp_verify_status"] == "revoked") {
- $result["revoked"] = $filter_output;
- } else {
- $result["unknown"] = $filter_output;
+ $output = preg_replace("/[[:blank:]]+/"," ", $output);
+ $ocsp_status_lines = explode("\n", $output);
+ $ocsp_status_lines = array_map('trim', $ocsp_status_lines);
+ foreach($ocsp_status_lines as $line) {
+ if(endsWith($line, ":") == false) {
+ list($k, $v) = explode(":", $line, 2);
+ if (trim($k)) {
+ $lines[trim($k)] = trim($v);
+ }
}
- unlink($tmp_dir.$random_blurp.'.cert_client.pem');
- unlink($tmp_dir.$random_blurp.'.cert_issuer.pem');
- return $result;
+ }
+
+ if ($lines[$tmp_dir . $random_blurp . ".cert_client.pem"] == "good") {
+ $result["status"] = "good";
+ } else if ($lines[$tmp_dir . $random_blurp . ".cert_client.pem"] == "revoked") {
+ $result["status"] = "revoked";
+ } else {
+ $result["error"] = $filter_output;
+ $result["status"] = "unknown";
+ }
+
+ if (isset($lines["This Update"])) {
+ $result["this_update"] = $lines["This Update"];
+ }
+ if (isset($lines["Next Update"])) {
+ $result["next_update"] = $lines["Next Update"];
+ }
+ if (isset($lines["Reason"])) {
+ $result["reason"] = $lines["Reason"];
+ }
+ if (isset($lines["Revocation Time"])) {
+ $result["revocation_time"] = $lines["Revocation Time"];
+ }
+ $result["ocsp_uri"] = $ocsp_uri;
+
+ unlink($tmp_dir.$random_blurp.'.cert_client.pem');
+ unlink($tmp_dir.$random_blurp.'.cert_issuer.pem');
+
+ return $result;
}
?> \ No newline at end of file
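Review bot: The `shell_exec` command strings in `ocsp_stapling`, `ocsp_verify` and the new `ocsp_verify_json` pass externally influenced values (`$host`/`$port` from the caller, `$ocsp_uri` and the derived `$ocsp_host` read from the peer certificate's AIA extension) through `escapeshellcmd()` inside double quotes, but `escapeshellcmd()` is designed for a whole command line and leaves paired quote characters unescaped, so such a value is not reliably confined to one argument of `openssl`; escape each value as a single argument instead, e.g. `-connect ' . escapeshellarg($host . ':' . $port) . ' -tlsextdebug -status` and `-url ' . escapeshellarg($ocsp_uri) . ' -header HOST ' . escapeshellarg($ocsp_host)`, and give the unquoted `$root_ca` and temp-file paths on the same lines the same treatment since `getcwd()` may contain spaces. Separately, the "no response sent" branch of `ocsp_stapling` still ends in a bare `return;`, so the `$result` array built on the two preceding lines is discarded and the caller receives null; it should read `return $result;`. In the same function `list($k, $v) = explode(":", $line);` has no limit, unlike the `explode(":", $line, 2)` used in both verify functions, so timestamp values such as "This Update" are cut at the first colon of the time; add the `, 2` limit. Whether the global `$random_blurp` is unpredictable cannot be seen here; if it is not, the fixed `/tmp/<random_blurp>.cert_*.pem` names could already exist when `openssl_x509_export_to_file` writes them, and `tempnam()` would be the safer way to obtain the paths.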