2 # Copyright (C) 2012 Wizards Internet Ltd
3 # License GPLv2: GNU GPL version 2 <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
4 # SPDX-License-Identifier: GPL-2.0-only
7 BEGIN { pop @INC if $INC[-1] eq '.' };
9 $Getopt::Std::STANDARD_HELP_VERSION=1;
12 my ($o,$i,$s,$f,$t,$u,$VERSION);
15 getopts("c:i:u:a:o:m:fv",$o);
16 usage('No issuer specified') if ! $o->{'i'} && ! -f $o->{'i'};
17 usage('No certificate specified') if ! $o->{'c'} && ! -f $o->{'c'};
18 usage('No CA chain specified') if ! $o->{'a'} && ! -f $o->{'a'};
19 usage('No OCSP file specified') if ! $o->{'o'};
20 usage('No URL specified') if ! $o->{'u'};
21 $o->{'t'}=$o->{'o'}.'.tmp';
26 || ( -M $o->{'o'} > 0 )
30 open( $i, "openssl ocsp -issuer $o->{'i'} -cert $o->{'c'} -url $o->{'u'} -CAfile $o->{'a'} -respout $o->{'t'} 2>/dev/null |" ) || die 'Unable to execute ocsp command';
31 $s = <$i> || die 'Unable to read status';
32 $f = <$i> || die 'Unable to read update time';
33 $t = <$i> || die 'Unable to read next update time';
43 die "OCSP status is $s" if $s ne 'good';
44 warn "Next Update $t" if $o->{'v'};
45 # response is good, adjust mod time and move into place.
46 $u = $t - $o->{'m'} * (($t - time)/100);
47 utime $u,$u,$o->{'t'};
48 rename $o->{'t'},$o->{'o'};
56 print STDERR "$m\n" if $m;
57 HELP_MESSAGE(\*STDERR);
65 Usage: $0 -i issuer -c certificate -u ocsp_url -a ca_certs -o response [-v] [-f]
67 For a certificate "www.example.com.pem"
68 signed by "signing.example.net.pem"
69 signed by root CA "ca.example.net.pem"
70 with OCSP server http://ocsp.example.net/
72 Ensure there is a file with the signing chain
74 cat ca.example.net.pem signing.example.net.pem >chain.pem
76 The update procedure would be
78 ocsp_fetch -i signing.example.net.pem \
79 -c www.example.com.pem \
80 -u http://ocsp.example.net/ \
82 -o www.example.com.ocsp.der