Some work with OCSP

2025-07-25 18:29:51 +02:00 · 2021-06-25 19:50:47 -03:00
parent cdcf5fdb30
commit a3e74db781
5 changed files with 416 additions and 0 deletions
--- a/samples/ocsp/client.lua
+++ b/samples/ocsp/client.lua
@ -0,0 +1,54 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+local ocsp   = ssl.ocsp
+
+-- Parameters
+--   * status:
+--     * nil                          (no status was sent by server)
+--     * ocsp.status.successful
+--     * ocsp.status.malformedrequest
+--     * ocsp.status.internalerror
+--     * ocsp.status.trylater
+--     * ocsp.status.sigrequired
+--     * ocsp.status.unauthorized
+--
+-- Returns
+--   * nil: on error
+--   * true: status was accepted (continue the handshake)
+--   * false: status not accepted (handshake stops with error)
+--
+local callback = function(status)
+  print("Status: ", status)
+  print("---")
+
+  if status == nil then
+    print("[WARN] No OCSP response")
+    return true
+  end
+
+  return (status == ocsp.status.successful)
+end
+
+local params = {
+   mode     = "client",
+   protocol = "tlsv1_2",
+   verify   = "none",
+   options  = "all",
+   ocsp     = callback,
+}
+
+while true do
+  local peer = socket.tcp()
+  peer:connect("127.0.0.1", 8443)
+  
+  peer = assert(ssl.wrap(peer, params))
+  assert(peer:dohandshake())
+  
+  print(peer:receive())
+  print("------------")
+  peer:close()
+end
--- a/samples/ocsp/server.lua
+++ b/samples/ocsp/server.lua
@ -0,0 +1,89 @@
+--
+-- Public domain
+--
+local socket = require("socket")
+local ssl    = require("ssl")
+
+local mime   = require("mime")
+local ltn12  = require("ltn12")
+local http   = require("socket.http")
+
+local ocsp   = ssl.ocsp
+
+--------------------------------------------------------------------------------
+
+local response
+
+function loadresponse(certfile, cafile)
+  local f = io.open(cafile)
+  local ca = f:read("*a")
+  ca = ssl.loadcertificate(ca)
+  f:close()
+ 
+  f = io.open(certfile)
+  local cert = f:read("*a")
+  cert = ssl.loadcertificate(cert)
+  f:close()
+ 
+  local res = {}
+  local req = ocsp.buildrequest(cert, ca)
+  req = mime.b64(req)
+ 
+  local a, b = http.request {
+    url = "http://zerossl.ocsp.sectigo.com/" .. req,
+    method = "GET",
+    sink = ltn12.sink.table(res),
+    header = {
+      ["Content-Type"] = "application/ocsp-request",
+      ["Host"] = "zerossl.ocsp.sectigo.com",
+    },
+  }
+ 
+  response = table.concat(res)
+
+  local thisupd, nextupd = ocsp.responsetime(response)
+  print("This update: ", thisupd)
+  print("Next update: ", nextupd)
+end
+
+--------------------------------------------------------------------------------
+
+local cafile = "ca.pem"
+local certfile = "server.pem"
+
+-- Remember to update 'response' before 'next update'
+local callback = function()
+  if not response then
+    loadresponse(certfile, cafile)
+  end
+  return response
+end
+
+local params = {
+   mode = "server",
+   protocol = "any",
+   key = "server.key",
+   certificate = certfile,
+   verify = "none",
+   options = "all",
+   ocsp = callback,
+}
+
+--------------------------------------------------------------------------------
+
+local ctx = assert(ssl.newcontext(params))
+
+local server = socket.tcp()
+server:setoption('reuseaddr', true)
+assert(server:bind("127.0.0.1", 8443))
+server:listen()
+
+while true do
+  local peer = server:accept()
+  peer = assert(ssl.wrap(peer, ctx))
+  local succ = peer:dohandshake()
+  if succ then
+    peer:send("OCSP test\n")
+    peer:close()
+  end
+end