OpenSSL Developers -

Attached please find a compressed tar file containing patches and 
sources implementing with the OpenSSL libraries:

    http://www.ietf.org/internet-drafts/draft-ietf-pkix-ocsp-07.txt 

These patches create a new, top-level ocsp library which implements
an API you can use to generate, parse, sign, and verify OCSP requests
and responses.  The sources include a command-line driver in the mode
of the command-line "apps" utilities gathered together under the openssl
command.  When combined with a command-line web tool like the mks 
toolkit web command, you can use this utility to create and send ocsp
queries to ocsp responders and parse and print the ocsp responder
responses.  

Thanks to Ambarish Malpani and the OCSP responder at Valicert, which
I used to test and debug this library.  Hopefully, we at CertCo will 
be able to follow his lead, soon.

A brief overview follows.  Email me ([EMAIL PROTECTED]) if you 
need more information or can't follow my instructions.  Apologies
in advance for posting such a womping email.  Until the dev team
makes up its mind about accepting contributions from the US, we're
on our own when it comes to sharing and maintaining contributions
like these... :)  Thanks also to Dr. Steve Henson for pointers 
about build infrastructure and other OpenSSL arcana.

TT

Apologies to unixers in advance.  The following instructions,
development, and testing have only been performed on NT.  On the
other hand, with the latest mks toolkit, I seem to be able to
do most of the tricks the big kids can do, too.  So hopefully
most of what follows can be easily revised to work in either
environment.  You'll need a "patch" command to apply the patches
and a "sh" command to run the script.

To start, you need an OpenSSL-0.9.2b source tree.  All the diffs
were done from the 0.9.2b tarball, so you'd be best off using 
those sources as your starting point, too.  

Create a top-level directory into which you'll untar the attachment,
e.g. "patch".  I created the tar file using the mks command "tar -czvf
ocsp.tar", so you should be able to untar it with "tar -xzvf ocsp.tar".
Here's a summary of the files you get:

  Makefile.org.patch            add new directory, library
  Makefile.ssl.patch            add ocsp to errgen target for asn1 err codes
  VC-32.pl.patch                make ocsp turn into ocsp32 on NT
  asn1.err.patch                ocsp asn1 error codes (probably unnecessary)
  asn1.h.patch                  ocsp asn1 error codes
  asn1_err.c.patch              ocsp asn1 error codes
  cert.pem                      example self-signed cert for testing
  err.h.patch                   add constant and macro for OCSP error macro
  key.pem                       example for signing requests and responses
  libeay.num.patch              numbers for x509v3 extension enc/dec rtns
  makefile.ssl                  ocsp directory makefile
  mk1mf.pl.patch                clone rules to build library for ocsp
  mkfiles.pl.patch              add ocsp to directory list 
  nonce.txt                     sample for ocsp request
  obj_dat.h.patch               ocsp oids and nids
  objects.h.patch               ocsp oids and nids
  ocsp.c                        encode/decode routines for ocsp ASN.1
  ocsp.cnf                      sample configuration file for test app
  ocsp.err                      ocsp errors (probably unnecessary)
  ocsp.h                        constants and API declarations
  ocsp_ext.c                    encode/decode routines for ocsp extn ASN.1
  ocsp_lib.c                    create/parse/sign/verify APIs for req/rsp
  ocspapp.c                     command-line utility
  ocsperr.c                     errors
  req.pem                       sample request from application
  rsp.pem                       sample response from application
  ssleay.ec.patch               add ocsp directory to list of libraries
  update.sh                     patch and install script
  v3_ad.c                       access description extension for serviceloc
  x509v3.h.patch                access description and supporting type decls
  x509v3Makefile.ssl.patch      add v3_ad.c to list of files to build

Run the update.sh script to apply the patches and copy the new files to 
the appropriate directories.  I'll append the output from when I run this
on my machine.

Re-configure and build from scratch.  The exact steps you follow vary
per platform.  On NT, what I do is:  

  cd <root of tree>
  perl configure VC-WIN32
  ms\do_nt.bat
  nmake -f ms\nt.mak

I've successfully run the tests with the resulting executables, but you
should probably do the same when you rebuild your libraries.

When you finish (and assuming everything went according to plan:) you
should find the ocspapp executable in the output directory along with
all the other apps.  Pass it a bogus switch and it'll tell you its
troubled and rather bizarre command-line syntax:

-> ocspapp.exe -help
unknown option -help
specify type (request|response)
./ocspapp.exe request|response [options] <infile >outfile
where options are
-config file  configuration file
-section arg override defaults "request" and "response"
-inform arg    input format - one of DER or PEM
-outform arg   output format - one of DER or PEM
-in arg        inout file
-out arg       output file
-md arg        digest algorithm for cert id in request or response, default is sha1
-id arg        responder id (key vs. name, default: name)
-text         print input file
-create       create new ocsp request or response from one or more files
-verify       verify signature in request or response
-key file     private key for leaf cert
-certs file   PEM with self-signed cert or PKCS#7 file with chain of certs, sorted with leaf last.
-status arg   top-level status for ocsp response, number or one of
              OCSPResponseStatus enumerated values, successful,
              malformedRequest, internalError, tryLater, sigRequired,
              unauthorized (default: good).
-cert file[,status[,reason],date[,date]] cert file, possibly more than
              one, for new response, each with associated status, good,
              revoked, unknown, where revoked includes additional
              specifier: unspecified, keyCompromise, cACompromise,
              affiliationChanged, superseded, cessationOfOperation,
              certificateHold, removeFromCRL, and dates are dates of
              this CRL and (optionally) next CRL, in YYYYMMDDHHMMSSZ
              format.

For request, no -key and no -certs means unsigned with no requestorName,
no -key and -certs means unsigned with requestorName,
-key and -certs means signed with requestorName.

A couple hints:  Ignore the bit about specifying certs on the command
line and put 'em in the configuration file instead.  See the sample
for the syntax.  You should be able to use the sample cert.pem and key.pem
files to re-create the sample req.pem and rsp.pem files using the commands:

-> openssl request -config ocsp.cnf -create -key key.pem 
-> openssl response -config ocsp.cnf -create -key key.pem 

The passphrase for the private key is just "xxxx" (without the quotes, 
of course).

To view the contents of a request or response, type:

-> openssl request -in req.pem -text
-> openssl response -in rsp.pem -text

Error reporting by the command-line utility is abysmal.  Sorry.

The API is a *very* simple-minded implementation of the ASN.1
from the draft rfc.  If something doesn't make sense or if it 
seems like it could easily have been done more simply, check out 
the spec first.  There's little more to this than a direct mapping
of the ASN.1 syntax to an API.

The API for managing requests is:

OCSP_REQUEST *OCSP_request_new(X509_NAME* name, STACK *extensions);

int OCSP_request_add(OCSP_REQUEST    *req,
                     OCSP_CERTID     *cid,
                     STACK           *extensions);

int OCSP_request_sign(OCSP_REQUEST *req,
                      EVP_PKEY     *key,
                      EVP_MD       *dgst,
                      STACK        *certs);

int OCSP_request_verify(OCSP_REQUEST *req, EVP_PKEY *pkey);

To build a request, you first call OCSP_request_new to create an
empty one, then call OCSP_request_add to add in OCSP_CERTIDs.  Use
OCSP_cert_id_new() to create a new CERT_ID:

OCSP_CERTID *OCSP_cert_id_new(EVP_MD *dgst, 
                              X509_NAME *issuerName, 
                              ASN1_BIT_STRING* issuerKey, 
                              ASN1_INTEGER *serialNumber);

The same is true of the response, although there's an extra step
at the end where you pack up your basic response into a generic
response:

OCSP_BASICRESP *OCSP_basic_response_new(int tag,X509* cert,STACK *extensions);

int OCSP_basic_response_add(OCSP_BASICRESP  *rsp,
                            OCSP_CERTID     *cid,
                            OCSP_CERTSTATUS *cst,
                            char            *thisUpdate,
                            char            *nextUpdate,
                            STACK           *extensions);

int OCSP_basic_response_sign(OCSP_BASICRESP *brsp, 
                             EVP_PKEY       *key,
                             EVP_MD         *dgst,
                             STACK          *certs);

int OCSP_response_verify(OCSP_RESPONSE *rsp, EVP_PKEY *pkey);

int OCSP_basic_response_verify(OCSP_BASICRESP *rsp, EVP_PKEY *pkey);

OCSP_RESPONSE *OCSP_response_new(int status,
                                 int nid,
                                 int (*i2d)(),
                                 char *data);

The response equivalent to OCSP_CERTID is OCSP_CERTSTATUS (surprise):

OCSP_CERTSTATUS *OCSP_cert_status_new(int status, int reason, char *time);

Then there are routines for creating, parsing, and viewing the extensions
and various helpers for reading and writing to and from DER and PEM files.  
See the header file and the sample application for details.

Here's the sample output from the update script:

$ sh -x update.sh
+ patch -i Makefile.org.patch ../Makefile.org 
Hmm...  Looks like a new-style context diff to me...
The text leading up to this was:
--------------------------
|*** ./openssl-0.9.2b/Makefile.org Mon Mar 22 11:27:02 1999
|--- ./openssl-0.9.2b-ocsp-patch/Makefile.org Wed Mar 31 13:39:16 1999
--------------------------
Patching file ../Makefile.org using Plan A...
Hunk #1 succeeded at 126.
Hunk #2 succeeded at 149.
done
+ patch -i Makefile.ssl.patch ../crypto/Makefile.ssl 
Hmm...  Looks like a new-style context diff to me...
The text leading up to this was:
--------------------------
|*** ./openssl-0.9.2b/crypto/Makefile.ssl Mon Mar 22 07:21:16 1999
|--- ./openssl-0.9.2b-ocsp-patch/crypto/Makefile.ssl Wed Mar 31 13:42:40 1999
--------------------------
Patching file ../crypto/Makefile.ssl using Plan A...
Hunk #1 succeeded at 148.
done
+ patch -i ssleay.ec.patch ../crypto/err/ssleay.ec 
Hmm...  Looks like a new-style context diff to me...
The text leading up to this was:
--------------------------
|*** ./openssl-0.9.2b/crypto/err/ssleay.ec Sun Jan 24 12:50:30 1999
|--- ./openssl-0.9.2b-ocsp-patch/crypto/err/ssleay.ec Wed Mar 31 13:47:40 1999
--------------------------
Patching file ../crypto/err/ssleay.ec using Plan A...
Hunk #1 succeeded at 8.
done
+ patch -i err.h.patch ../crypto/err/err.h 
Hmm...  Looks like a new-style context diff to me...
The text leading up to this was:
--------------------------
|*** ./openssl-0.9.2b/crypto/err/err.h Sun Jan 24 12:50:30 1999
|--- ./openssl-0.9.2b-ocsp-patch/crypto/err/err.h Wed Mar 31 13:49:24 1999
--------------------------
Patching file ../crypto/err/err.h using Plan A...
Hunk #1 succeeded at 117.
Hunk #2 succeeded at 144.
done
+ patch -i mkfiles.pl.patch ../util/mkfiles.pl 
Hmm...  Looks like a new-style context diff to me...
The text leading up to this was:
--------------------------
|*** ./openssl-0.9.2b/util/mkfiles.pl Sat Feb 13 18:12:30 1999
|--- ./openssl-0.9.2b-ocsp-patch/util/mkfiles.pl Wed Mar 31 13:50:56 1999
--------------------------
Patching file ../util/mkfiles.pl using Plan A...
Hunk #1 succeeded at 41.
done
+ patch -i objects.h.patch ../crypto/objects/objects.h 
Hmm...  Looks like a new-style context diff to me...
The text leading up to this was:
--------------------------
|*** ./openssl-0.9.2b/crypto/objects/objects.h Thu Feb 18 20:29:26 1999
|--- ./openssl-0.9.2b-ocsp-patch/crypto/objects/objects.h Wed Mar 31 14:11:52 1999
--------------------------
Patching file ../crypto/objects/objects.h using Plan A...
Hunk #1 succeeded at 678.
Hunk #2 succeeded at 723.
Hunk #3 succeeded at 750.
done
+ patch -i obj_dat.h.patch ../crypto/objects/obj_dat.h 
Hmm...  Looks like a new-style context diff to me...
The text leading up to this was:
--------------------------
|*** ./openssl-0.9.2b/crypto/objects/obj_dat.h Thu Feb 18 20:29:26 1999
|--- ./openssl-0.9.2b-ocsp-patch/crypto/objects/obj_dat.h Thu Apr  1 13:07:02 1999
--------------------------
Patching file ../crypto/objects/obj_dat.h using Plan A...
Hunk #1 succeeded at 61.
Hunk #2 succeeded at 168.
Hunk #3 succeeded at 377.
Hunk #4 succeeded at 443.
Hunk #5 succeeded at 510.
Hunk #6 succeeded at 558.
Hunk #7 succeeded at 591.
Hunk #8 succeeded at 610.
Hunk #9 succeeded at 716.
Hunk #10 succeeded at 740.
Hunk #11 succeeded at 772.
Hunk #12 succeeded at 786.
Hunk #13 succeeded at 825.
Hunk #14 succeeded at 842.
done
+ patch -i mk1mf.pl.patch ../util/mk1mf.pl 
Hmm...  Looks like a new-style context diff to me...
The text leading up to this was:
--------------------------
|*** ./openssl-0.9.2b/util/mk1mf.pl Mon Mar 22 10:44:10 1999
|--- ./openssl-0.9.2b-ocsp-patch/util/mk1mf.pl Wed Mar 31 14:15:28 1999
--------------------------
Patching file ../util/mk1mf.pl using Plan A...
Hunk #1 succeeded at 117.
Hunk #2 succeeded at 327.
Hunk #3 succeeded at 348.
Hunk #4 succeeded at 367.
Hunk #5 succeeded at 572.
done
+ patch -i VC-32.pl.patch ../util/pl/VC-32.pl 
Hmm...  Looks like a new-style context diff to me...
The text leading up to this was:
--------------------------
|*** ./openssl-0.9.2b/util/pl/VC-32.pl Tue Mar  9 20:37:32 1999
|--- ./openssl-0.9.2b-ocsp-patch/util/pl/VC-32.pl Wed Mar 31 14:21:04 1999
--------------------------
Patching file ../util/pl/VC-32.pl using Plan A...
Hunk #1 succeeded at 3.
done
+ patch -i asn1.h.patch ../crypto/asn1/asn1.h 
Hmm...  Looks like a new-style context diff to me...
The text leading up to this was:
--------------------------
|*** ./openssl-0.9.2b/crypto/asn1/asn1.h Mon Mar  8 17:46:50 1999
|--- ./openssl-0.9.2b-ocsp-patch/crypto/asn1/asn1.h Wed Mar 31 16:27:08 1999
--------------------------
Patching file ../crypto/asn1/asn1.h using Plan A...
Hunk #1 succeeded at 698.
Hunk #2 succeeded at 725.
Hunk #3 succeeded at 755.
Hunk #4 succeeded at 821.
done
+ patch -i asn1_err.c.patch ../crypto/asn1/asn1_err.c 
Hmm...  Looks like a new-style context diff to me...
The text leading up to this was:
--------------------------
|*** ./openssl-0.9.2b/crypto/asn1/asn1_err.c Wed Feb 17 18:22:54 1999
|--- ./openssl-0.9.2b-ocsp-patch/crypto/asn1/asn1_err.c Wed Mar 31 16:27:08 1999
--------------------------
Patching file ../crypto/asn1/asn1_err.c using Plan A...
Hunk #1 succeeded at 67.
Hunk #2 succeeded at 94.
Hunk #3 succeeded at 124.
Hunk #4 succeeded at 190.
done
+ patch -i asn1.err.patch ../crypto/asn1/asn1.err 
Hmm...  Looks like a new-style context diff to me...
The text leading up to this was:
--------------------------
|*** ./openssl-0.9.2b/crypto/asn1/asn1.err Wed Feb 17 18:22:54 1999
|--- ./openssl-0.9.2b-ocsp-patch/crypto/asn1/asn1.err Wed Mar 31 16:26:36 1999
--------------------------
Patching file ../crypto/asn1/asn1.err using Plan A...
Hunk #1 succeeded at 5.
Hunk #2 succeeded at 32.
Hunk #3 succeeded at 62.
Hunk #4 succeeded at 128.
done
+ patch -i x509v3.h.patch ../crypto/x509v3/x509v3.h 
Hmm...  Looks like a new-style context diff to me...
The text leading up to this was:
--------------------------
|*** ./openssl-0.9.2b/crypto/x509v3/x509v3.h Mon Mar  8 17:46:54 1999
|--- ./openssl-0.9.2b-ocsp-patch/crypto/x509v3/x509v3.h Wed Mar 31 15:47:20 1999
--------------------------
Patching file ../crypto/x509v3/x509v3.h using Plan A...
Hunk #1 succeeded at 173.
Hunk #2 succeeded at 234.
Hunk #3 succeeded at 314.
done
+ patch -i x509v3Makefile.ssl.patch ../crypto/x509v3/Makefile.ssl 
Hmm...  Looks like a new-style context diff to me...
The text leading up to this was:
--------------------------
|*** ./openssl-0.9.2b/crypto/x509v3/Makefile.ssl Mon Mar 22 07:22:00 1999
|--- ./openssl-0.9.2b-ocsp-patch/crypto/x509v3/Makefile.ssl Wed Mar 31 15:48:48 1999
--------------------------
Patching file ../crypto/x509v3/Makefile.ssl using Plan A...
Hunk #1 succeeded at 24.
done
+ patch -i libeay.num.patch ../util/libeay.num 
Hmm...  Looks like a new-style context diff to me...
The text leading up to this was:
--------------------------
|*** ./openssl-0.9.2b/util/libeay.num Mon Mar  8 17:46:56 1999
|--- ./openssl-0.9.2b-ocsp-patch/util/libeay.num Wed Mar 31 16:05:36 1999
--------------------------
Patching file ../util/libeay.num using Plan A...
Hunk #1 succeeded at 1229.
done
+ mkdir ../ocsp 
+ cp cert.pem key.pem nonce.txt ocsp.c ocsp.cnf ocsp.err ocsp.h ocsp_ext.c ocsp_lib.c 
+ocspapp.c ocsperr.c makefile.ssl cert.pem key.pem req.pem rsp.pem ../ocsp 
+ cp ./v3_ad.c ../crypto/x509v3/v3_ad.c 

OpenSSL patch implementing PKIX OCSP ASN.1.
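
The message says the API is a direct mapping of the draft's ASN.1. As an added example (not code from the posted library), the following C builds the DER bytes of the simplest case the tool describes: an unsigned request with no requestorName and one CertID. It assumes the CertID and OCSPRequest layout of RFC 2560, the RFC this draft became, and SHA-1 as the digest. All function names are hypothetical, and the hashes and serial in main() are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Wrap n (< 128) content bytes in a short-form DER TLV; in == out is allowed. */
static size_t der_tlv(uint8_t tag, const uint8_t *in, size_t n, uint8_t *out)
{
    memmove(out + 2, in, n);    /* shift content first, then write the header */
    out[0] = tag; out[1] = (uint8_t)n;
    return n + 2;
}

/* DER INTEGER from a big-endian unsigned serial of 1..20 octets; 0 on error. */
static size_t der_serial(const uint8_t *mag, size_t n, uint8_t *out)
{
    uint8_t tmp[21];
    size_t k = 0;
    while (n > 1 && mag[0] == 0) { mag++; n--; }  /* DER wants the minimal form */
    if (n == 0 || n > 20) return 0;
    if (mag[0] & 0x80) tmp[k++] = 0x00;  /* otherwise it decodes as negative */
    memcpy(tmp + k, mag, n);
    return der_tlv(0x02, tmp, k + n, out);
}

/* CertID: SEQUENCE { hashAlgorithm (SHA-1), issuerNameHash, issuerKeyHash, serialNumber } */
size_t ocsp_certid_der(const uint8_t name_hash[20], const uint8_t key_hash[20],
                       const uint8_t *serial, size_t serial_len, uint8_t *out)
{
    static const uint8_t sha1[] = {0x30,0x09,0x06,0x05,0x2B,0x0E,0x03,0x02,0x1A,0x05,0x00};
    uint8_t body[80];
    size_t n = sizeof sha1, s;
    memcpy(body, sha1, sizeof sha1);
    n += der_tlv(0x04, name_hash, 20, body + n);
    n += der_tlv(0x04, key_hash, 20, body + n);
    if ((s = der_serial(serial, serial_len, body + n)) == 0) return 0;
    return der_tlv(0x30, body, n + s, out);
}

/* CertID wrapped in Request, requestList, TBSRequest, OCSPRequest; out needs 96 bytes. */
size_t ocsp_unsigned_request_der(const uint8_t name_hash[20], const uint8_t key_hash[20],
                                 const uint8_t *serial, size_t serial_len, uint8_t *out)
{
    size_t n = ocsp_certid_der(name_hash, key_hash, serial, serial_len, out);
    for (int i = 0; n != 0 && i < 4; i++) n = der_tlv(0x30, out, n, out);
    return n;
}

int main(void)
{
    uint8_t nh[20] = {0}, kh[20] = {0}, sn[] = {0x80, 0x01}, out[96]; /* constructed */
    size_t n = ocsp_unsigned_request_der(nh, kh, sn, sizeof sn, out);
    for (size_t i = 0; i < n; i++) printf("%02x", out[i]);
    putchar('\n');
    return n ? 0 : 1;
}
```

The serial handling is the part most worth checking against any implementation: a serial with its top bit set must carry a leading zero octet, and redundant leading zeros must be dropped, or the encoded CertID will not match the one the responder computes.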