Re: Format of index.txt file
Hi Richard, thank you very much for the information. Yesterday, after I wrote the message I saw that code you send me on the apps/apps.h :) (I love the open sources projects for that). But was not documented each of the types. Again, thank you very much for the information. Kind regards, Andres. On Tue, Jan 20, 2009 at 07:45:25AM +0100, Richard Levitte wrote: It's true that it's not very well documented. The source gives some hints, though. apps/apps.h: #define DB_type 0 #define DB_exp_date 1 #define DB_rev_date 2 #define DB_serial 3 /* index - unique */ #define DB_file 4 #define DB_name 5 /* index - unique when active and not disabled */ Those are the field numbers. DB_rev_date is a field that's filled in when the certificate is revoked. DB_exp_date is simply a copy of the certificate's expiration date (ValidBefore). DB_name is a copy of the certificate's subjet. The only field that's truly unknown is DB_file. As far as I can see from the source, it's never filled with anything else. The reason it exists mostly lies in historical fog, unless someone who was more active back when this was invented has further information. Cheers, Richard In message 20090120022428.gb8...@atlantis on Tue, 20 Jan 2009 00:24:28 -0200, Andres Moreira elkpich...@gmail.com said: elkpichico Hi all, elkpichico I need to know the format of the index.txt file, becuase I have to elkpichico write on it from a python script. I was googling about it, but I don't elkpichico find too much information. elkpichico The only things I found was that: elkpichico elkpichicoField1 Field2 Field3 Field4 Field5 elkpichicoTYPE EXPDATE SERIAL Unkown Unkown elkpichico elkpichico The fields 4 and 5 I don't know what they are. elkpichico elkpichico Also I found that type ares: elkpichico V - Valid elkpichico E - Expired elkpichico R - Revoked elkpichico elkpichico So I guess that the field EXPDATE is valid only for the Valid type? elkpichico So when the database say Revokde, the EXPDATE is the revoked time ? elkpichico and when is Expired ? elkpichico elkpichico Thanks a lot if somebody can ask me some of the questions. elkpichico I really appreciate. elkpichico elkpichico Regards, elkpichico Andres. -- Richard Levitte rich...@levitte.org http://richard.levitte.org/ Life is a tremendous celebration - and I'm invited! -- from a friend's blog, translated from Swedish __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Format of index.txt file
Hi all, I need to know the format of the index.txt file, becuase I have to write on it from a python script. I was googling about it, but I don't find too much information. The only things I found was that: Field1 Field2 Field3 Field4 Field5 TYPE EXPDATE SERIAL Unkown Unkown The fields 4 and 5 I don't know what they are. Also I found that type ares: V - Valid E - Expired R - Revoked So I guess that the field EXPDATE is valid only for the Valid type? So when the database say Revokde, the EXPDATE is the revoked time ? and when is Expired ? Thanks a lot if somebody can ask me some of the questions. I really appreciate. Regards, Andres. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Format of index.txt file
It's true that it's not very well documented. The source gives some hints, though. apps/apps.h: #define DB_type 0 #define DB_exp_date 1 #define DB_rev_date 2 #define DB_serial 3 /* index - unique */ #define DB_file 4 #define DB_name 5 /* index - unique when active and not disabled */ Those are the field numbers. DB_rev_date is a field that's filled in when the certificate is revoked. DB_exp_date is simply a copy of the certificate's expiration date (ValidBefore). DB_name is a copy of the certificate's subjet. The only field that's truly unknown is DB_file. As far as I can see from the source, it's never filled with anything else. The reason it exists mostly lies in historical fog, unless someone who was more active back when this was invented has further information. Cheers, Richard In message 20090120022428.gb8...@atlantis on Tue, 20 Jan 2009 00:24:28 -0200, Andres Moreira elkpich...@gmail.com said: elkpichico Hi all, elkpichico I need to know the format of the index.txt file, becuase I have to elkpichico write on it from a python script. I was googling about it, but I don't elkpichico find too much information. elkpichico The only things I found was that: elkpichico elkpichicoField1 Field2 Field3 Field4 Field5 elkpichicoTYPE EXPDATE SERIAL Unkown Unkown elkpichico elkpichico The fields 4 and 5 I don't know what they are. elkpichico elkpichico Also I found that type ares: elkpichico V - Valid elkpichico E - Expired elkpichico R - Revoked elkpichico elkpichico So I guess that the field EXPDATE is valid only for the Valid type? elkpichico So when the database say Revokde, the EXPDATE is the revoked time ? elkpichico and when is Expired ? elkpichico elkpichico Thanks a lot if somebody can ask me some of the questions. elkpichico I really appreciate. elkpichico elkpichico Regards, elkpichico Andres. -- Richard Levitte rich...@levitte.org http://richard.levitte.org/ Life is a tremendous celebration - and I'm invited! -- from a friend's blog, translated from Swedish __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
ca format of index.txt. file
Hello All, Does anyone know where there is a definition of the format of the contents of the index.txt file used with the ocsp and ca commands ? (This file contains info on the revocation status of certificates). Thanks, Nick
Re: ca format of index.txt. file
Fitzsimons, Nick wrote: Hello All, Does anyone know where there is a definition of the format of the contents of the index.txt file used with the ocsp and ca commands ? (This file contains info on the revocation status of certificates). Thanks, Nick First of all the format of index.txt is undocumented. Probably because it might change sometime. Or it was a fast hack to get the demo application running. Or something like that. Having said this, it currently (openssl 0.9.8b) is a text database where a tab separates the columns and newline separates the rows. The columns are defined as #define DB_type 0 /* Status of the certificate */ #define DB_exp_date 1 /* Expiry date */ #define DB_rev_date 2 /* Revocation date */ #define DB_serial 3 /* Serial No., index - unique */ #define DB_file 4 #define DB_name 5 /* DN, index - unique when active and not disabled */ DB_type is defined as #define DB_TYPE_REV'R' /* Revoked */ #define DB_TYPE_EXP'E' /* Expired */ #define DB_TYPE_VAL'V' /* Valid */ 'E' is currently not used by openssl ca, I guess because it is redundant to DB_exp_date. So expired certificates still have status 'V' DB_file currently is always 'unknown' and not used by openssl ca. I guess the original idea was to store the filename of the generated certificate file here. The dates are in ASN1_UTCTIME-format. Hope it helps. Ted ;) -- PGP Public Key Information Download complete Key from http://www.convey.de/ted/tedkey_convey.asc Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26 smime.p7s Description: S/MIME Cryptographic Signature
RE: ca format of index.txt. File - IT WORKS!
Hi, Well I finally worked out what I wanted to do so I thought I'd share it with anyone out there who might be trying the same thing themselves. The tie in between the certificate whose status I am seeking an ocsp response for and the index file supplied as a parameter to the ocsp command is the serial number of the certificate - as simple as that. The fourth column in the index file contains the serial number of certificates issues by a a particular CA. The first column (V(erified(, E(xpired) and R(evoked)) represents the status of that certificate. So I can now generate OCSP responses, with a status I choose, for any certificate which I choose. I notice however that if I set the Status column to be R(evoked) I get a staus of unknown rather than revoked. Does anyone have any observations on this ? Thanks to Ted fo his input on this query. Nick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fitzsimons, Nick Sent: Tuesday, August 01, 2006 11:22 AM To: openssl-users@openssl.org Subject: RE: ca format of index.txt. file Hi Ted, Thanks for your reply. I see you are busy replying to several different request helps. :-) I am glad to hear that the reason I can't find the documentation is there isn't any. Your reply helps significantly. I hope you can bear with me for a follow up question. I use the following to generate an ocsp request for a cert : ocsp -issuer cacert.pem -cert cert.pem -reqout req.der I am then seeking to use the following to generate on OCSP response to the request I have just generated : ocsp -index index file -rsigner respondercert.pem -rkey responderkey.pem -CA CACert.pem -reqin req.der -respout resp.der -Cafile certchain.pem My understanding is that the contents of index file are use to check the status of the cert which is detailed in req.der. However no matter how I try to configure index file I always get a status Cert Status: unknown Given that the certificate whose status I am trying to ascertain has a Subject of : Subject: CN=Rick, O=Rick RI, L=Hamburg, C=DE what would I put in the index file to enable the ocsp command to find this certificate and return a status which I could set up in this index file ? As a first pass I have tried the following V 090705233205Z 041009233205Z 01 certs/0001 /CN=Rick V 090705233205Z 041009233205Z 02 unknown /CN=Rick/O=Rick RI/L=Hamburg/C=DE in the hope that ocsp would see the V for othe cert identified and return a status of valid. Thanks in advance if you can find the tiem to help. Nick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernhard Froehlich Sent: Tuesday, August 01, 2006 11:01 AM To: openssl-users@openssl.org Subject: Re: ca format of index.txt. file Fitzsimons, Nick wrote: Hello All, Does anyone know where there is a definition of the format of the contents of the index.txt file used with the ocsp and ca commands ? (This file contains info on the revocation status of certificates). Thanks, Nick First of all the format of index.txt is undocumented. Probably because it might change sometime. Or it was a fast hack to get the demo application running. Or something like that. Having said this, it currently (openssl 0.9.8b) is a text database where a tab separates the columns and newline separates the rows. The columns are defined as #define DB_type 0 /* Status of the certificate */ #define DB_exp_date 1 /* Expiry date */ #define DB_rev_date 2 /* Revocation date */ #define DB_serial 3 /* Serial No., index - unique */ #define DB_file 4 #define DB_name 5 /* DN, index - unique when active and not disabled */ DB_type is defined as #define DB_TYPE_REV'R' /* Revoked */ #define DB_TYPE_EXP'E' /* Expired */ #define DB_TYPE_VAL'V' /* Valid */ 'E' is currently not used by openssl ca, I guess because it is redundant to DB_exp_date. So expired certificates still have status 'V' DB_file currently is always 'unknown' and not used by openssl ca. I guess the original idea was to store the filename of the generated certificate file here. The dates are in ASN1_UTCTIME-format. Hope it helps. Ted ;) -- PGP Public Key Information Download complete Key from http://www.convey.de/ted/tedkey_convey.asc Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26 __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users
Re: ca format of index.txt. File - IT WORKS!
Fitzsimons, Nick wrote: [...] I notice however that if I set the Status column to be R(evoked) I get a staus of unknown rather than revoked. Does anyone have any observations on this ? The relevant code goes as this (apps/ocsp.c lines 1063 and following): inf = lookup_serial(db, serial); if (!inf) OCSP_basic_add1_status(bs, cid, V_OCSP_CERTSTATUS_UNKNOWN, 0, NULL, thisupd, nextupd); else if (inf[DB_type][0] == DB_TYPE_VAL) OCSP_basic_add1_status(bs, cid, V_OCSP_CERTSTATUS_GOOD, 0, NULL, thisupd, nextupd); else if (inf[DB_type][0] == DB_TYPE_REV) { ASN1_OBJECT *inst = NULL; ASN1_TIME *revtm = NULL; ASN1_GENERALIZEDTIME *invtm = NULL; OCSP_SINGLERESP *single; int reason = -1; unpack_revinfo(revtm, reason, inst, invtm, inf[DB_rev_date]); single = OCSP_basic_add1_status(bs, cid, V_OCSP_CERTSTATUS_REVOKED, reason, revtm, thisupd, nextupd); if (invtm) OCSP_SINGLERESP_add1_ext_i2d(single, NID_invalidity_date, invtm, 0, 0); else if (inst) OCSP_SINGLERESP_add1_ext_i2d(single, NID_hold_instruction_code, inst, 0, 0); ASN1_OBJECT_free(inst); ASN1_TIME_free(revtm); ASN1_GENERALIZEDTIME_free(invtm); } while the status-defines are #define V_OCSP_CERTSTATUS_GOOD0 #define V_OCSP_CERTSTATUS_REVOKED 1 #define V_OCSP_CERTSTATUS_UNKNOWN 2 So to me this looks like the result is UNKNOWN if the serial is not found, GOOD if status is 'V' and REVOKED if status is 'R'. But I haven't had much experience with OCSP yet... Which version of openssl are you working with (i'm looking into the source of 0.9.8b)? BTW, if there is an unexpected status (like 'E') there seems to be no response. Is this really the way it should work? Ted ;) -- PGP Public Key Information Download complete Key from http://www.convey.de/ted/tedkey_convey.asc Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26 smime.p7s Description: S/MIME Cryptographic Signature
RE: ca format of index.txt. File - IT WORKS!
Hi Ted, I can now get the Revoked status to work properly - I simply wasn't entering a date in the column for Revoked Date : I was only putting an R in the first column. I can't get E(xpired) to work but I can live without that for now. I always get an error of some sort when the first column is an E. This does seem like a bug. Your analysis of Unknown, Good and Revoked matches my experience with testing it. I am using the utility to generate OCSP responses which I can then import into my test harness to test a DRM agent I am working on. Using OpenSSL / ocsp (eventually!) looks like it gives more flexibility for negative testing than trying to persuade a real server to reply with the responses which my test cases require. I am using version 0.9.8b, as you are. Thanks for your input here. Nick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernhard Froehlich Sent: Tuesday, August 01, 2006 3:13 PM To: openssl-users@openssl.org Subject: Re: ca format of index.txt. File - IT WORKS! Fitzsimons, Nick wrote: [...] I notice however that if I set the Status column to be R(evoked) I get a staus of unknown rather than revoked. Does anyone have any observations on this ? The relevant code goes as this (apps/ocsp.c lines 1063 and following): inf = lookup_serial(db, serial); if (!inf) OCSP_basic_add1_status(bs, cid, V_OCSP_CERTSTATUS_UNKNOWN, 0, NULL, thisupd, nextupd); else if (inf[DB_type][0] == DB_TYPE_VAL) OCSP_basic_add1_status(bs, cid, V_OCSP_CERTSTATUS_GOOD, 0, NULL, thisupd, nextupd); else if (inf[DB_type][0] == DB_TYPE_REV) { ASN1_OBJECT *inst = NULL; ASN1_TIME *revtm = NULL; ASN1_GENERALIZEDTIME *invtm = NULL; OCSP_SINGLERESP *single; int reason = -1; unpack_revinfo(revtm, reason, inst, invtm, inf[DB_rev_date]); single = OCSP_basic_add1_status(bs, cid, V_OCSP_CERTSTATUS_REVOKED, reason, revtm, thisupd, nextupd); if (invtm) OCSP_SINGLERESP_add1_ext_i2d(single, NID_invalidity_date, invtm, 0, 0); else if (inst) OCSP_SINGLERESP_add1_ext_i2d(single, NID_hold_instruction_code, inst, 0, 0); ASN1_OBJECT_free(inst); ASN1_TIME_free(revtm); ASN1_GENERALIZEDTIME_free(invtm); } while the status-defines are #define V_OCSP_CERTSTATUS_GOOD0 #define V_OCSP_CERTSTATUS_REVOKED 1 #define V_OCSP_CERTSTATUS_UNKNOWN 2 So to me this looks like the result is UNKNOWN if the serial is not found, GOOD if status is 'V' and REVOKED if status is 'R'. But I haven't had much experience with OCSP yet... Which version of openssl are you working with (i'm looking into the source of 0.9.8b)? BTW, if there is an unexpected status (like 'E') there seems to be no response. Is this really the way it should work? Ted ;) -- PGP Public Key Information Download complete Key from http://www.convey.de/ted/tedkey_convey.asc Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26 __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]