RE: ca format of index.txt. File - IT WORKS!
Hi,

Well I finally worked out what I wanted to do so I thought I'd share it with anyone out there who might be trying the same thing themselves.

The tie-in between the certificate whose status I am seeking an OCSP response for and the index file supplied as a parameter to the ocsp command is the serial number of the certificate - as simple as that. The fourth column in the index file contains the serial number of certificates issued by a particular CA. The first column (V(erified), E(xpired) and R(evoked)) represents the status of that certificate. So I can now generate OCSP responses, with a status I choose, for any certificate which I choose.

I notice however that if I set the Status column to be R(evoked) I get a status of unknown rather than revoked. Does anyone have any observations on this?

Thanks to Ted for his input on this query.

Nick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fitzsimons, Nick
Sent: Tuesday, August 01, 2006 11:22 AM
To: openssl-users@openssl.org
Subject: RE: ca format of index.txt. file

Hi Ted,

Thanks for your reply. I see you are busy replying to several different requests for help. :-)

I am glad to hear that the reason I can't find the documentation is that there isn't any. Your reply helps significantly. I hope you can bear with me for a follow-up question.

I use the following to generate an OCSP request for a cert:

    ocsp -issuer cacert.pem -cert cert.pem -reqout req.der

I am then seeking to use the following to generate an OCSP response to the request I have just generated:

    ocsp -index index file -rsigner respondercert.pem -rkey responderkey.pem -CA CACert.pem -reqin req.der -respout resp.der -CAfile certchain.pem

My understanding is that the contents of index file are used to check the status of the cert which is detailed in req.der.
However, no matter how I try to configure index file I always get a status of

    Cert Status: unknown

Given that the certificate whose status I am trying to ascertain has a Subject of:

    Subject: CN=Rick, O=Rick RI, L=Hamburg, C=DE

what would I put in the index file to enable the ocsp command to find this certificate and return a status which I could set up in this index file?

As a first pass I have tried the following:

    V   090705233205Z   041009233205Z   01   certs/0001   /CN=Rick
    V   090705233205Z   041009233205Z   02   unknown      /CN=Rick/O=Rick RI/L=Hamburg/C=DE

in the hope that ocsp would see the V for the cert identified and return a status of valid.

Thanks in advance if you can find the time to help.

Nick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernhard Froehlich
Sent: Tuesday, August 01, 2006 11:01 AM
To: openssl-users@openssl.org
Subject: Re: ca format of index.txt. file

Fitzsimons, Nick wrote:
> Hello All,
> Does anyone know where there is a definition of the format of the contents of the index.txt file used with the ocsp and ca commands? (This file contains info on the revocation status of certificates).
> Thanks,
> Nick

First of all the format of index.txt is undocumented. Probably because it might change sometime. Or it was a fast hack to get the demo application running. Or something like that.

Having said this, it currently (openssl 0.9.8b) is a text database where a tab separates the columns and newline separates the rows. The columns are defined as

    #define DB_type         0   /* Status of the certificate */
    #define DB_exp_date     1   /* Expiry date */
    #define DB_rev_date     2   /* Revocation date */
    #define DB_serial       3   /* Serial No., index - unique */
    #define DB_file         4
    #define DB_name         5   /* DN, index - unique when active and not disabled */

DB_type is defined as

    #define DB_TYPE_REV     'R' /* Revoked */
    #define DB_TYPE_EXP     'E' /* Expired */
    #define DB_TYPE_VAL     'V' /* Valid */

'E' is currently not used by openssl ca, I guess because it is redundant to DB_exp_date.
So expired certificates still have status 'V'.

DB_file currently is always 'unknown' and not used by openssl ca. I guess the original idea was to store the filename of the generated certificate file here.

The dates are in ASN1_UTCTIME format.

Hope it helps.

Ted
;)

-- 
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
Re: ca format of index.txt. File - IT WORKS!
Fitzsimons, Nick wrote:
> [...]
> I notice however that if I set the Status column to be R(evoked) I get a status of unknown rather than revoked. Does anyone have any observations on this?

The relevant code goes as this (apps/ocsp.c lines 1063 and following):

    inf = lookup_serial(db, serial);
    if (!inf)
        OCSP_basic_add1_status(bs, cid, V_OCSP_CERTSTATUS_UNKNOWN,
                               0, NULL, thisupd, nextupd);
    else if (inf[DB_type][0] == DB_TYPE_VAL)
        OCSP_basic_add1_status(bs, cid, V_OCSP_CERTSTATUS_GOOD,
                               0, NULL, thisupd, nextupd);
    else if (inf[DB_type][0] == DB_TYPE_REV)
        {
        ASN1_OBJECT *inst = NULL;
        ASN1_TIME *revtm = NULL;
        ASN1_GENERALIZEDTIME *invtm = NULL;
        OCSP_SINGLERESP *single;
        int reason = -1;
        unpack_revinfo(&revtm, &reason, &inst, &invtm, inf[DB_rev_date]);
        single = OCSP_basic_add1_status(bs, cid, V_OCSP_CERTSTATUS_REVOKED,
                                        reason, revtm, thisupd, nextupd);
        if (invtm)
            OCSP_SINGLERESP_add1_ext_i2d(single, NID_invalidity_date, invtm, 0, 0);
        else if (inst)
            OCSP_SINGLERESP_add1_ext_i2d(single, NID_hold_instruction_code, inst, 0, 0);
        ASN1_OBJECT_free(inst);
        ASN1_TIME_free(revtm);
        ASN1_GENERALIZEDTIME_free(invtm);
        }

while the status defines are

    #define V_OCSP_CERTSTATUS_GOOD    0
    #define V_OCSP_CERTSTATUS_REVOKED 1
    #define V_OCSP_CERTSTATUS_UNKNOWN 2

So to me this looks like the result is UNKNOWN if the serial is not found, GOOD if status is 'V' and REVOKED if status is 'R'. But I haven't had much experience with OCSP yet...

Which version of openssl are you working with (I'm looking into the source of 0.9.8b)?

BTW, if there is an unexpected status (like 'E') there seems to be no response. Is this really the way it should work?

Ted
;)

-- 
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26
RE: ca format of index.txt. File - IT WORKS!
Hi Ted,

I can now get the Revoked status to work properly - I simply wasn't entering a date in the column for Revoked Date: I was only putting an R in the first column.

I can't get E(xpired) to work but I can live without that for now. I always get an error of some sort when the first column is an E. This does seem like a bug.

Your analysis of Unknown, Good and Revoked matches my experience with testing it.

I am using the utility to generate OCSP responses which I can then import into my test harness to test a DRM agent I am working on. Using OpenSSL / ocsp (eventually!) looks like it gives more flexibility for negative testing than trying to persuade a real server to reply with the responses which my test cases require.

I am using version 0.9.8b, as you are.

Thanks for your input here.

Nick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernhard Froehlich
Sent: Tuesday, August 01, 2006 3:13 PM
To: openssl-users@openssl.org
Subject: Re: ca format of index.txt. File - IT WORKS!

Fitzsimons, Nick wrote:
> [...]
> I notice however that if I set the Status column to be R(evoked) I get a status of unknown rather than revoked. Does anyone have any observations on this?
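As an added illustration of what the thread works out (example code, not from the thread and not OpenSSL's own), the following Python models how `openssl ocsp -index` turns an index.txt row into a certificate status: Ted's tab-separated column layout and DB_type values, the lookup_serial / DB_type branches he quotes from apps/ocsp.c, and Nick's finding that an 'R' row also needs a revocation date. The serial normalisation, the UTCTIME regex and the optional ",reason" suffix on the revocation column are assumptions, and the sample index is constructed.

```python
import re
from datetime import datetime

# Column positions, as in the #defines Ted quotes; rows are tab-separated.
DB_TYPE, DB_EXP_DATE, DB_REV_DATE, DB_SERIAL, DB_FILE, DB_NAME = range(6)
GOOD, REVOKED, UNKNOWN = 0, 1, 2            # V_OCSP_CERTSTATUS_* values
UTCTIME = re.compile(r"^\d{12}Z$")          # ASN1_UTCTIME: YYMMDDHHMMSSZ

# Constructed sample index.txt: status, expiry, revocation date[,reason], serial, file, DN.
SAMPLE_INDEX = (
    "V\t090705233205Z\t\t01\tunknown\t/CN=Rick/O=Rick RI/L=Hamburg/C=DE\n"
    "R\t090705233205Z\t060801120000Z,keyCompromise\t02\tunknown\t/CN=Alice\n"
    "E\t060101000000Z\t\t03\tunknown\t/CN=Old\n"
)

def norm_serial(serial):
    """Upper-case hex with an even digit count, the form openssl ca writes
    (assumed); lookup_serial compares the printed hex, so '1' != '01'."""
    s = serial.strip().lstrip("0").upper() or "0"
    return s if len(s) % 2 == 0 else "0" + s

def parse_index(text):
    """Return {serial: row}; reject rows the responder could not act on."""
    db = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        row = line.split("\t")
        if len(row) != 6 or row[DB_TYPE] not in ("V", "R", "E"):
            raise ValueError(f"line {lineno}: need 6 tab-separated columns, status V/R/E")
        if not UTCTIME.match(row[DB_EXP_DATE]):
            raise ValueError(f"line {lineno}: expiry is not YYMMDDHHMMSSZ")
        # Nick's finding: an 'R' flag alone is not enough; the revocation
        # date column must be filled or the response will not say REVOKED.
        if row[DB_TYPE] == "R" and not UTCTIME.match(row[DB_REV_DATE].split(",")[0]):
            raise ValueError(f"line {lineno}: revoked entry has no revocation date")
        db[norm_serial(row[DB_SERIAL])] = row
    return db

def cert_status(db, serial):
    """apps/ocsp.c branches: no row -> UNKNOWN, 'V' -> GOOD, 'R' -> REVOKED
    plus revocation time; anything else ('E') -> None, no single response."""
    inf = db.get(norm_serial(serial))
    if inf is None:
        return UNKNOWN, None
    if inf[DB_TYPE] == "V":
        return GOOD, None
    if inf[DB_TYPE] == "R":
        return REVOKED, datetime.strptime(inf[DB_REV_DATE].split(",")[0], "%y%m%d%H%M%SZ")
    return None
```

The None result for an 'E' row is the "no response" case Ted noticed; a responder built on this table should treat it as a configuration error rather than silently omit the certificate.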