RE: ca format of index.txt. File - IT WORKS!

2006-08-01 Thread Fitzsimons, Nick 
Hi,
   Well I finally worked out what I wanted to do so I thought I'd share
it with anyone out there
 who might be trying the same thing themselves.

 The tie in between the certificate whose status I am seeking an ocsp
response for and the index file
 supplied as a parameter to the ocsp command is the serial number of the
certificate - as simple as 
 that. The fourth column in the index file contains the serial number
of certificates issues by a 
 a particular CA.  The first column (V(erified(, E(xpired) and
R(evoked)) represents the status of that certificate.

 So I can now generate OCSP responses, with a status I choose, for any
certificate which I choose.

 I notice however that if I set the Status column to be R(evoked) I get
a staus of unknown rather than 
 revoked.

 Does anyone have any observations on this ?

 Thanks to Ted fo his input on this query.

 Nick
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fitzsimons, Nick
Sent: Tuesday, August 01, 2006 11:22 AM
To: openssl-users@openssl.org
Subject: RE: ca format of index.txt. file

Hi Ted,
   Thanks for your reply. I see you are busy replying to several
different  request helps. :-)

 I am glad to hear that the reason I can't find the documentation is
there isn't any.

 Your reply helps significantly. I hope you can bear with me for a
follow up question.

 I use the following to generate an ocsp request for a cert :

ocsp -issuer cacert.pem  -cert cert.pem -reqout req.der

 I am then seeking to use the following to generate on OCSP response to
the request I have  just generated :

ocsp -index index file -rsigner respondercert.pem -rkey
responderkey.pem -CA  CACert.pem
 -reqin req.der -respout resp.der -Cafile certchain.pem

 My understanding is that the contents of index file are use to check
the status of the cert which  is detailed in req.der.  However no
matter how I try to configure index file I always get a  status Cert
Status: unknown

 Given that the certificate whose status I am trying to ascertain has a
Subject of :
   Subject: CN=Rick, O=Rick RI, L=Hamburg, C=DE

 what would I put in the index file to enable the ocsp command to find
this certificate and return  a status which I could set up in this
index file ?

 As a first pass I have tried the following

 V  090705233205Z   041009233205Z   01  certs/0001  /CN=Rick
 V  090705233205Z   041009233205Z   02  unknown /CN=Rick/O=Rick
RI/L=Hamburg/C=DE

 in the hope that ocsp would see the V for othe cert identified and
return a status of valid.

 
 Thanks in advance if you can find the tiem to help.

 Nick

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bernhard Froehlich
Sent: Tuesday, August 01, 2006 11:01 AM
To: openssl-users@openssl.org
Subject: Re: ca format of index.txt. file

Fitzsimons, Nick wrote:
 Hello All,
  Does anyone know where there is a definition of the 
 format of the contents of the index.txt file used with the ocsp and ca

 commands ?  (This file contains info on the revocation status of 
 certificates).
  
  Thanks,
  
  Nick
First of all the format of index.txt is undocumented. Probably because
it might change sometime. Or it was a fast hack to get the demo
application running. Or something like that.

Having said this, it currently (openssl 0.9.8b) is a text database where
a tab separates the columns and newline separates the rows.

The columns are defined as 
#define DB_type 0 /* Status of the certificate */
#define DB_exp_date 1 /* Expiry date */
#define DB_rev_date 2 /* Revocation date */
#define DB_serial   3   /* Serial No., index - unique */
#define DB_file 4  
#define DB_name 5   /* DN, index - unique when active and 
not disabled */

DB_type is defined as
#define DB_TYPE_REV'R' /* Revoked */
#define DB_TYPE_EXP'E' /* Expired */
#define DB_TYPE_VAL'V' /* Valid */

'E' is currently not used by openssl ca, I guess because it is
redundant to DB_exp_date. So expired certificates still have status 'V'
DB_file currently is always 'unknown' and not used by openssl ca. I
guess the original idea was to store the filename of the generated
certificate file here.
The dates are in ASN1_UTCTIME-format.

Hope it helps.
Ted
;)

--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1  B2E1 0CC8 70F4 7AFB 8D26

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
User Support Mailing List

Re: ca format of index.txt. File - IT WORKS!

2006-08-01 Thread Bernhard Froehlich 

Fitzsimons, Nick wrote:

[...]
 I notice however that if I set the Status column to be R(evoked) I get
a staus of unknown rather than 
 revoked.


 Does anyone have any observations on this ?
  

The relevant code goes as this (apps/ocsp.c lines 1063 and following):

   inf = lookup_serial(db, serial);
   if (!inf)
   OCSP_basic_add1_status(bs, cid,
   V_OCSP_CERTSTATUS_UNKNOWN,
   0, NULL,
   thisupd, nextupd);
   else if (inf[DB_type][0] == DB_TYPE_VAL)
   OCSP_basic_add1_status(bs, cid,
   V_OCSP_CERTSTATUS_GOOD,
   0, NULL,
   thisupd, nextupd);
   else if (inf[DB_type][0] == DB_TYPE_REV)
   {
   ASN1_OBJECT *inst = NULL;
   ASN1_TIME *revtm = NULL;
   ASN1_GENERALIZEDTIME *invtm = NULL;
   OCSP_SINGLERESP *single;
   int reason = -1;
   unpack_revinfo(revtm, reason, inst, invtm, 
inf[DB_rev_date]);

   single = OCSP_basic_add1_status(bs, cid,
   V_OCSP_CERTSTATUS_REVOKED,
   reason, revtm,
   thisupd, nextupd);
   if (invtm)
   OCSP_SINGLERESP_add1_ext_i2d(single, 
NID_invalidity_date, invtm, 0, 0);

   else if (inst)
   OCSP_SINGLERESP_add1_ext_i2d(single, 
NID_hold_instruction_code, inst, 0, 0);

   ASN1_OBJECT_free(inst);
   ASN1_TIME_free(revtm);
   ASN1_GENERALIZEDTIME_free(invtm);
   }

while the status-defines are
#define V_OCSP_CERTSTATUS_GOOD0
#define V_OCSP_CERTSTATUS_REVOKED 1
#define V_OCSP_CERTSTATUS_UNKNOWN 2

So to me this looks like the result is UNKNOWN if the serial is not 
found, GOOD if status is 'V' and REVOKED if status is 'R'.

But I haven't had much experience with OCSP yet...
Which version of openssl are you working with (i'm looking into the 
source of 0.9.8b)?


BTW, if there is an unexpected status (like 'E') there seems to be no 
response. Is this really the way it should work?


Ted
;)

--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1  B2E1 0CC8 70F4 7AFB 8D26



smime.p7s
Description: S/MIME Cryptographic Signature

RE: ca format of index.txt. File - IT WORKS!

2006-08-01 Thread Fitzsimons, Nick 
Hi Ted,
I can now get the Revoked status to work properly - I simply
wasn't entering 
 a date in the column for Revoked Date : I was only putting an R in the
first column.

 I can't get E(xpired) to work but I can live without that for now. I
always get an error of
 some sort when the first column is an E.  This does seem like a bug.
Your analysis of
 Unknown, Good and Revoked matches my experience with testing it.

 I am using the utility to generate OCSP responses which I can then
import into my test 
 harness to test a DRM agent I am working on. Using OpenSSL / ocsp
(eventually!) looks like 
 it gives more flexibility for negative testing than trying to persuade
a real server to 
 reply with the responses which my test cases require.

 I am using version 0.9.8b, as you are.

 Thanks for your input here.

 Nick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bernhard Froehlich
Sent: Tuesday, August 01, 2006 3:13 PM
To: openssl-users@openssl.org
Subject: Re: ca format of index.txt. File - IT WORKS!

Fitzsimons, Nick wrote:
 [...]
  I notice however that if I set the Status column to be R(evoked) I 
 get a staus of unknown rather than  revoked.

  Does anyone have any observations on this ?
   
The relevant code goes as this (apps/ocsp.c lines 1063 and following):

inf = lookup_serial(db, serial);
if (!inf)
OCSP_basic_add1_status(bs, cid,
V_OCSP_CERTSTATUS_UNKNOWN,
0, NULL,
thisupd, nextupd);
else if (inf[DB_type][0] == DB_TYPE_VAL)
OCSP_basic_add1_status(bs, cid,
V_OCSP_CERTSTATUS_GOOD,
0, NULL,
thisupd, nextupd);
else if (inf[DB_type][0] == DB_TYPE_REV)
{
ASN1_OBJECT *inst = NULL;
ASN1_TIME *revtm = NULL;
ASN1_GENERALIZEDTIME *invtm = NULL;
OCSP_SINGLERESP *single;
int reason = -1;
unpack_revinfo(revtm, reason, inst, invtm,
inf[DB_rev_date]);
single = OCSP_basic_add1_status(bs, cid,
V_OCSP_CERTSTATUS_REVOKED,
reason, revtm,
thisupd, nextupd);
if (invtm)
OCSP_SINGLERESP_add1_ext_i2d(single,
NID_invalidity_date, invtm, 0, 0);
else if (inst)
OCSP_SINGLERESP_add1_ext_i2d(single,
NID_hold_instruction_code, inst, 0, 0);
ASN1_OBJECT_free(inst);
ASN1_TIME_free(revtm);
ASN1_GENERALIZEDTIME_free(invtm);
}

while the status-defines are
#define V_OCSP_CERTSTATUS_GOOD0
#define V_OCSP_CERTSTATUS_REVOKED 1
#define V_OCSP_CERTSTATUS_UNKNOWN 2

So to me this looks like the result is UNKNOWN if the serial is not
found, GOOD if status is 'V' and REVOKED if status is 'R'.
But I haven't had much experience with OCSP yet...
Which version of openssl are you working with (i'm looking into the
source of 0.9.8b)?

BTW, if there is an unexpected status (like 'E') there seems to be no
response. Is this really the way it should work?

Ted
;)

--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1  B2E1 0CC8 70F4 7AFB 8D26

__
OpenSSL Project http://www.openssl.org
User Support Mailing Listopenssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]