Re: Format of index.txt file

2009-01-20 Thread Andres Moreira
Hi Richard,
thank you very much for the information.
Yesterday, after I wrote the message I saw that code you sent me in
apps/apps.h :) (I love open source projects for that).
But each of the types was not documented.

Again, thank you very much for the information.

Kind regards,
Andres.


On Tue, Jan 20, 2009 at 07:45:25AM +0100, Richard Levitte wrote:
> It's true that it's not very well documented.  The source gives some
> hints, though.  apps/apps.h:
>
> #define DB_type     0
> #define DB_exp_date 1
> #define DB_rev_date 2
> #define DB_serial   3   /* index - unique */
> #define DB_file     4
> #define DB_name     5   /* index - unique when active and not disabled */
>
> Those are the field numbers.  DB_rev_date is a field that's filled in
> when the certificate is revoked.  DB_exp_date is simply a copy of the
> certificate's expiration date (ValidBefore).  DB_name is a copy of the
> certificate's subject.
>
> The only field that's truly unknown is DB_file.  As far as I can see
> from the source, it's never filled with anything else.  The reason it
> exists mostly lies in historical fog, unless someone who was more
> active back when this was invented has further information.
>
> Cheers,
> Richard
>
> In message 20090120022428.gb8...@atlantis on Tue, 20 Jan 2009 00:24:28
> -0200, Andres Moreira elkpich...@gmail.com said:
>
> > Hi all,
> > I need to know the format of the index.txt file, because I have to
> > write on it from a python script. I was googling about it, but I don't
> > find too much information.
> > The only thing I found was this:
> >
> >   Field1  Field2   Field3  Field4   Field5
> >   TYPE    EXPDATE  SERIAL  Unknown  Unknown
> >
> > The fields 4 and 5 I don't know what they are.
> >
> > Also I found that types are:
> > V - Valid
> > E - Expired
> > R - Revoked
> >
> > So I guess that the field EXPDATE is valid only for the Valid type?
> > So when the database says Revoked, the EXPDATE is the revoked time?
> > And when is Expired?
> >
> > Thanks a lot if somebody can ask me some of the questions.
> > I really appreciate.
> >
> > Regards,
> > Andres.
>
> --
> Richard Levitte rich...@levitte.org
> http://richard.levitte.org/
>
> Life is a tremendous celebration - and I'm invited!
> -- from a friend's blog, translated from Swedish
__
OpenSSL Project                 http://www.openssl.org
User Support Mailing List       openssl-users@openssl.org
Automated List Manager          majord...@openssl.org


Format of index.txt file

2009-01-19 Thread Andres Moreira
Hi all,
I need to know the format of the index.txt file, because I have to
write on it from a python script. I was googling about it, but I don't
find too much information.
The only thing I found was this:

  Field1  Field2   Field3  Field4   Field5
  TYPE    EXPDATE  SERIAL  Unknown  Unknown

The fields 4 and 5 I don't know what they are.

Also I found that types are:
V - Valid
E - Expired
R - Revoked

So I guess that the field EXPDATE is valid only for the Valid type?
So when the database says Revoked, the EXPDATE is the revoked time?
And when is Expired?

Thanks a lot if somebody can ask me some of the questions.
I really appreciate.

Regards,
Andres.


Re: Format of index.txt file

2009-01-19 Thread Richard Levitte
It's true that it's not very well documented.  The source gives some
hints, though.  apps/apps.h:

#define DB_type     0
#define DB_exp_date 1
#define DB_rev_date 2
#define DB_serial   3   /* index - unique */
#define DB_file     4
#define DB_name     5   /* index - unique when active and not disabled */

Those are the field numbers.  DB_rev_date is a field that's filled in
when the certificate is revoked.  DB_exp_date is simply a copy of the
certificate's expiration date (ValidBefore).  DB_name is a copy of the
certificate's subject.

The only field that's truly unknown is DB_file.  As far as I can see
from the source, it's never filled with anything else.  The reason it
exists mostly lies in historical fog, unless someone who was more
active back when this was invented has further information.

Cheers,
Richard

In message 20090120022428.gb8...@atlantis on Tue, 20 Jan 2009 00:24:28 -0200,
Andres Moreira elkpich...@gmail.com said:

> Hi all,
> I need to know the format of the index.txt file, because I have to
> write on it from a python script. I was googling about it, but I don't
> find too much information.
> The only thing I found was this:
>
>   Field1  Field2   Field3  Field4   Field5
>   TYPE    EXPDATE  SERIAL  Unknown  Unknown
>
> The fields 4 and 5 I don't know what they are.
>
> Also I found that types are:
> V - Valid
> E - Expired
> R - Revoked
>
> So I guess that the field EXPDATE is valid only for the Valid type?
> So when the database says Revoked, the EXPDATE is the revoked time?
> And when is Expired?
>
> Thanks a lot if somebody can ask me some of the questions.
> I really appreciate.
>
> Regards,
> Andres.

--
Richard Levitte rich...@levitte.org
http://richard.levitte.org/

Life is a tremendous celebration - and I'm invited!
-- from a friend's blog, translated from Swedish


ca format of index.txt. file

2006-08-01 Thread Fitzsimons, Nick

Hello All,

Does anyone know where there is a definition of the format of the contents of
the index.txt file used with the ocsp and ca commands? (This file contains
info on the revocation status of certificates).

Thanks,

Nick


Re: ca format of index.txt. file

2006-08-01 Thread Bernhard Froehlich

Fitzsimons, Nick wrote:
> Hello All,
> Does anyone know where there is a definition of the format of the
> contents of the index.txt file used with the ocsp and ca commands?
> (This file contains info on the revocation status of certificates).
>
> Thanks,
>
> Nick

First of all the format of index.txt is undocumented. Probably because
it might change sometime. Or it was a fast hack to get the demo
application running. Or something like that.

Having said this, it currently (openssl 0.9.8b) is a text database where
a tab separates the columns and newline separates the rows.

The columns are defined as
#define DB_type     0   /* Status of the certificate */
#define DB_exp_date 1   /* Expiry date */
#define DB_rev_date 2   /* Revocation date */
#define DB_serial   3   /* Serial No., index - unique */
#define DB_file     4
#define DB_name     5   /* DN, index - unique when active and not disabled */

DB_type is defined as
#define DB_TYPE_REV 'R' /* Revoked */
#define DB_TYPE_EXP 'E' /* Expired */
#define DB_TYPE_VAL 'V' /* Valid */

'E' is currently not used by openssl ca, I guess because it is
redundant to DB_exp_date. So expired certificates still have status 'V'.
DB_file currently is always 'unknown' and not used by openssl ca. I
guess the original idea was to store the filename of the generated
certificate file here.

The dates are in ASN1_UTCTIME-format.

Hope it helps.
Ted
;)

--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1  B2E1 0CC8 70F4 7AFB 8D26
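Richard's listing of the DB_* field numbers in the 2009 thread above and Ted's description here (tab-separated columns, the V/E/R status letters, DB_file always "unknown", dates in ASN1_UTCTIME) describe the same file, so one worked parser, consistency checker and writer covers both. It is in Python because Andres wanted to write the file from a Python script. This is an example added by the editor, not code from OpenSSL or from anyone in the thread. Its own assumptions, not facts stated in the thread, are: GeneralizedTime dates are accepted alongside UTCTime, a "date,reason" value in the revocation column is split into its two parts (the quoted apps/ocsp.c hands that column to unpack_revinfo(), which reads more than a bare date from it), an R row without a revocation date is rejected, and the sample rows are constructed.

```python
"""Parser, checker and writer for the OpenSSL ca index.txt database.
Editor's example, not OpenSSL's code. Assumed from the thread: six tab-separated
columns DB_type, DB_exp_date, DB_rev_date, DB_serial, DB_file, DB_name; status
V/E/R; ASN1_UTCTIME dates (YYMMDDHHMMSSZ). Own extensions: GeneralizedTime is
also accepted, and a "date,reason" value in DB_rev_date is split, because
unpack_revinfo() in the quoted apps/ocsp.c reads more than a date from it."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

DB_type, DB_exp_date, DB_rev_date, DB_serial, DB_file, DB_name = range(6)  # apps.h
DB_TYPE_REV, DB_TYPE_EXP, DB_TYPE_VAL = "R", "E", "V"


@dataclass
class IndexEntry:
    status: str
    exp_date: datetime
    rev_date: Optional[datetime]
    rev_reason: Optional[str]
    serial: str  # uppercase hex, as openssl ca writes it
    file: str    # "unknown" in practice
    name: str    # subject DN in OpenSSL's /C=../CN=.. form


def parse_asn1_time(text: str) -> datetime:
    """UTCTime (13 chars) or GeneralizedTime (15 chars), Z suffix only."""
    if len(text) == 13:
        # RFC 5280 two-digit year rule: 50-99 are 19xx, 00-49 are 20xx
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    if len(text) != 15 or not text.endswith("Z"):
        raise ValueError(f"bad ASN.1 time {text!r}")
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def format_utctime(dt: datetime) -> str:
    return dt.astimezone(timezone.utc).strftime("%y%m%d%H%M%SZ")


def parse_index(text: str) -> List[IndexEntry]:
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        cols = line.split("\t")
        if len(cols) != 6:
            raise ValueError(f"line {lineno}: expected 6 columns, got {len(cols)}")
        status = cols[DB_type]
        if status not in (DB_TYPE_REV, DB_TYPE_EXP, DB_TYPE_VAL):
            raise ValueError(f"line {lineno}: unknown status {status!r}")
        rev_date = rev_reason = None
        if cols[DB_rev_date]:
            date_part, _, reason = cols[DB_rev_date].partition(",")
            rev_date, rev_reason = parse_asn1_time(date_part), (reason or None)
        elif status == DB_TYPE_REV:
            # Added check: an R row needs a date in DB_rev_date to take effect
            raise ValueError(f"line {lineno}: status R requires a revocation date")
        entries.append(IndexEntry(status, parse_asn1_time(cols[DB_exp_date]),
                                  rev_date, rev_reason, cols[DB_serial].upper(),
                                  cols[DB_file], cols[DB_name]))
    return entries


def check_index(entries: List[IndexEntry]) -> List[str]:
    """The two uniqueness rules from the apps.h comments: DB_serial is unique,
    DB_name is unique among rows that are still active (status V)."""
    problems, serials, names = [], set(), set()
    for e in entries:
        if e.serial in serials:
            problems.append(f"duplicate serial {e.serial}")
        serials.add(e.serial)
        if e.status == DB_TYPE_VAL:
            if e.name in names:
                problems.append(f"duplicate active subject {e.name}")
            names.add(e.name)
    return problems


def format_index(entries: List[IndexEntry]) -> str:
    out = []
    for e in entries:
        rev = ""
        if e.rev_date is not None:
            rev = format_utctime(e.rev_date) + (f",{e.rev_reason}" if e.rev_reason else "")
        out.append("\t".join([e.status, format_utctime(e.exp_date), rev,
                              e.serial, e.file, e.name]) + "\n")
    return "".join(out)


# Constructed sample rows (not from the thread): one valid, one revoked certificate
SAMPLE_INDEX = (
    "V\t090705233205Z\t\t01\tunknown\t/CN=Rick/O=Rick RI/L=Hamburg/C=DE\n"
    "R\t100101000000Z\t061009233205Z,keyCompromise\t02\tunknown\t/CN=Bob/O=Example/C=DE\n"
)

if __name__ == "__main__":
    db = parse_index(SAMPLE_INDEX)
    for e in db:
        print(e.status, e.serial, e.name, e.rev_date, e.rev_reason)
    print("problems:", check_index(db))
    assert format_index(db) == SAMPLE_INDEX  # round trip
```

Anything that writes this file from outside openssl ca should run check_index() before saving, since the uniqueness of the serial column is what the ocsp responder keys its lookup on, and a duplicate or mistyped serial silently turns into an "unknown" status rather than an error.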





RE: ca format of index.txt. File - IT WORKS!

2006-08-01 Thread Fitzsimons, Nick
Hi,
Well I finally worked out what I wanted to do so I thought I'd share
it with anyone out there who might be trying the same thing themselves.

The tie in between the certificate whose status I am seeking an ocsp
response for and the index file supplied as a parameter to the ocsp
command is the serial number of the certificate - as simple as that.
The fourth column in the index file contains the serial number of
certificates issued by a particular CA.  The first column (V(erified),
E(xpired) and R(evoked)) represents the status of that certificate.

So I can now generate OCSP responses, with a status I choose, for any
certificate which I choose.

I notice however that if I set the Status column to be R(evoked) I get
a status of unknown rather than revoked.

Does anyone have any observations on this ?

Thanks to Ted for his input on this query.

Nick
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fitzsimons, Nick
Sent: Tuesday, August 01, 2006 11:22 AM
To: openssl-users@openssl.org
Subject: RE: ca format of index.txt. file

Hi Ted,
Thanks for your reply. I see you are busy replying to several
different request helps. :-)

I am glad to hear that the reason I can't find the documentation is
there isn't any.

Your reply helps significantly. I hope you can bear with me for a
follow up question.

I use the following to generate an ocsp request for a cert :

ocsp -issuer cacert.pem -cert cert.pem -reqout req.der

I am then seeking to use the following to generate an OCSP response to
the request I have just generated :

ocsp -index index file -rsigner respondercert.pem -rkey responderkey.pem -CA CACert.pem -reqin req.der -respout resp.der -Cafile certchain.pem

My understanding is that the contents of index file are used to check
the status of the cert which is detailed in req.der.  However no
matter how I try to configure index file I always get a status "Cert
Status: unknown".

Given that the certificate whose status I am trying to ascertain has a
Subject of :
  Subject: CN=Rick, O=Rick RI, L=Hamburg, C=DE

what would I put in the index file to enable the ocsp command to find
this certificate and return a status which I could set up in this
index file ?

As a first pass I have tried the following

V  090705233205Z   041009233205Z   01  certs/0001  /CN=Rick
V  090705233205Z   041009233205Z   02  unknown     /CN=Rick/O=Rick RI/L=Hamburg/C=DE

in the hope that ocsp would see the V for the cert identified and
return a status of valid.

Thanks in advance if you can find the time to help.

Nick

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bernhard Froehlich
Sent: Tuesday, August 01, 2006 11:01 AM
To: openssl-users@openssl.org
Subject: Re: ca format of index.txt. file

Fitzsimons, Nick wrote:
> Hello All,
> Does anyone know where there is a definition of the format of the
> contents of the index.txt file used with the ocsp and ca commands?
> (This file contains info on the revocation status of certificates).
>
> Thanks,
>
> Nick

First of all the format of index.txt is undocumented. Probably because
it might change sometime. Or it was a fast hack to get the demo
application running. Or something like that.

Having said this, it currently (openssl 0.9.8b) is a text database where
a tab separates the columns and newline separates the rows.

The columns are defined as
#define DB_type     0   /* Status of the certificate */
#define DB_exp_date 1   /* Expiry date */
#define DB_rev_date 2   /* Revocation date */
#define DB_serial   3   /* Serial No., index - unique */
#define DB_file     4
#define DB_name     5   /* DN, index - unique when active and not disabled */

DB_type is defined as
#define DB_TYPE_REV 'R' /* Revoked */
#define DB_TYPE_EXP 'E' /* Expired */
#define DB_TYPE_VAL 'V' /* Valid */

'E' is currently not used by openssl ca, I guess because it is
redundant to DB_exp_date. So expired certificates still have status 'V'.
DB_file currently is always 'unknown' and not used by openssl ca. I
guess the original idea was to store the filename of the generated
certificate file here.
The dates are in ASN1_UTCTIME-format.

Hope it helps.
Ted
;)

--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1  B2E1 0CC8 70F4 7AFB 8D26


Re: ca format of index.txt. File - IT WORKS!

2006-08-01 Thread Bernhard Froehlich

Fitzsimons, Nick wrote:
> [...]
> I notice however that if I set the Status column to be R(evoked) I get
> a status of unknown rather than revoked.
>
> Does anyone have any observations on this ?

The relevant code goes as this (apps/ocsp.c lines 1063 and following):

    inf = lookup_serial(db, serial);
    if (!inf)
        OCSP_basic_add1_status(bs, cid,
                               V_OCSP_CERTSTATUS_UNKNOWN,
                               0, NULL,
                               thisupd, nextupd);
    else if (inf[DB_type][0] == DB_TYPE_VAL)
        OCSP_basic_add1_status(bs, cid,
                               V_OCSP_CERTSTATUS_GOOD,
                               0, NULL,
                               thisupd, nextupd);
    else if (inf[DB_type][0] == DB_TYPE_REV)
        {
        ASN1_OBJECT *inst = NULL;
        ASN1_TIME *revtm = NULL;
        ASN1_GENERALIZEDTIME *invtm = NULL;
        OCSP_SINGLERESP *single;
        int reason = -1;
        unpack_revinfo(&revtm, &reason, &inst, &invtm, inf[DB_rev_date]);

        single = OCSP_basic_add1_status(bs, cid,
                                        V_OCSP_CERTSTATUS_REVOKED,
                                        reason, revtm,
                                        thisupd, nextupd);
        if (invtm)
            OCSP_SINGLERESP_add1_ext_i2d(single,
                                         NID_invalidity_date, invtm, 0, 0);
        else if (inst)
            OCSP_SINGLERESP_add1_ext_i2d(single,
                                         NID_hold_instruction_code, inst, 0, 0);

        ASN1_OBJECT_free(inst);
        ASN1_TIME_free(revtm);
        ASN1_GENERALIZEDTIME_free(invtm);
        }

while the status-defines are
#define V_OCSP_CERTSTATUS_GOOD    0
#define V_OCSP_CERTSTATUS_REVOKED 1
#define V_OCSP_CERTSTATUS_UNKNOWN 2

So to me this looks like the result is UNKNOWN if the serial is not
found, GOOD if status is 'V' and REVOKED if status is 'R'.

But I haven't had much experience with OCSP yet...
Which version of openssl are you working with (I'm looking into the
source of 0.9.8b)?

BTW, if there is an unexpected status (like 'E') there seems to be no
response. Is this really the way it should work?


Ted
;)

--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1  B2E1 0CC8 70F4 7AFB 8D26
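To make the decision in the quoted apps/ocsp.c excerpt concrete, here is a Python model of that if/else-if chain, added as an example by the editor; it is not OpenSSL's code and not from anyone in the thread. It takes index rows already split into the six DB_* columns and the serial from the request as a hex string. The integer comparison of serials, the "date,reason" split that stands in for unpack_revinfo() (whose parsing the thread does not show), the guard that rejects an R row with an empty DB_rev_date, and the sample rows are the example's own assumptions. The fourth outcome, None for any status letter other than V or R, is the "no response" case Ted points out for 'E'.

```python
"""Model of the certificate-status decision in the quoted apps/ocsp.c.
Editor's example, not OpenSSL's code. Rows are 6-tuples in DB_type..DB_name
order; serials are hex strings. The "date,reason" split is a stand-in for
unpack_revinfo(), whose real parsing is not shown in the thread."""
from typing import List, Optional, Sequence

DB_type, DB_exp_date, DB_rev_date, DB_serial, DB_file, DB_name = range(6)
DB_TYPE_REV, DB_TYPE_EXP, DB_TYPE_VAL = "R", "E", "V"
V_OCSP_CERTSTATUS_GOOD, V_OCSP_CERTSTATUS_REVOKED, V_OCSP_CERTSTATUS_UNKNOWN = 0, 1, 2
STATUS_NAMES = {0: "good", 1: "revoked", 2: "unknown"}

Row = Sequence[str]


def lookup_serial(db: List[Row], serial: str) -> Optional[Row]:
    """The tie-in Nick found: the lookup key is DB_serial, not the subject name.
    Serials are compared as integers (an assumption of this example) so that
    '1', '01' and '0001' all denote the same certificate."""
    wanted = int(serial, 16)
    for row in db:
        if int(row[DB_serial], 16) == wanted:
            return row
    return None


def single_response(db: List[Row], serial: str) -> Optional[dict]:
    """UNKNOWN when the serial is absent, GOOD for 'V', REVOKED with date and
    reason for 'R', and None (no SingleResponse added) for any other letter,
    which is what the quoted chain does for 'E'."""
    inf = lookup_serial(db, serial)
    if inf is None:
        return {"status": V_OCSP_CERTSTATUS_UNKNOWN}
    if inf[DB_type][0] == DB_TYPE_VAL:
        return {"status": V_OCSP_CERTSTATUS_GOOD}
    if inf[DB_type][0] == DB_TYPE_REV:
        if not inf[DB_rev_date]:
            # Added guard: the C code passes whatever is in DB_rev_date to
            # unpack_revinfo(); Nick reported that R without a date did not
            # produce a revoked status, so refuse such a row outright.
            raise ValueError(f"serial {serial}: status R but DB_rev_date is empty")
        revtm, _, reason = inf[DB_rev_date].partition(",")
        return {"status": V_OCSP_CERTSTATUS_REVOKED,
                "revocation_time": revtm, "reason": reason or None}
    return None  # 'E' or anything else: no branch matches


# Constructed index rows (not from the thread), in DB_type..DB_name order
SAMPLE_DB = [
    ("V", "090705233205Z", "", "01", "unknown", "/CN=Rick/O=Rick RI/L=Hamburg/C=DE"),
    ("R", "090705233205Z", "060801120000Z,keyCompromise", "02", "unknown", "/CN=Bob"),
    ("E", "050101000000Z", "", "03", "unknown", "/CN=Old"),
    ("R", "090705233205Z", "", "04", "unknown", "/CN=NoDate"),
]

if __name__ == "__main__":
    for serial in ("01", "2", "03", "99"):
        r = single_response(SAMPLE_DB, serial)
        label = "no SingleResponse" if r is None else STATUS_NAMES[r["status"]]
        print(serial, "->", label, r)
```

The practical reading for anyone using openssl ocsp as a test responder, as Nick does: a request whose serial is not in the file gets "unknown", a V row gets "good", an R row gets "revoked" only if DB_rev_date carries a date, and an E row produces no status for that certificate at all, so a missing SingleResponse in the output is the symptom to look for rather than an error message.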





RE: ca format of index.txt. File - IT WORKS!

2006-08-01 Thread Fitzsimons, Nick
Hi Ted,
I can now get the Revoked status to work properly - I simply wasn't
entering a date in the column for Revoked Date : I was only putting an R
in the first column.

I can't get E(xpired) to work but I can live without that for now. I
always get an error of some sort when the first column is an E.  This
does seem like a bug. Your analysis of Unknown, Good and Revoked matches
my experience with testing it.

I am using the utility to generate OCSP responses which I can then
import into my test harness to test a DRM agent I am working on. Using
OpenSSL / ocsp (eventually!) looks like it gives more flexibility for
negative testing than trying to persuade a real server to reply with the
responses which my test cases require.

I am using version 0.9.8b, as you are.

Thanks for your input here.

Nick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bernhard Froehlich
Sent: Tuesday, August 01, 2006 3:13 PM
To: openssl-users@openssl.org
Subject: Re: ca format of index.txt. File - IT WORKS!

Fitzsimons, Nick wrote:
> [...]
> I notice however that if I set the Status column to be R(evoked) I
> get a status of unknown rather than revoked.
>
> Does anyone have any observations on this ?

The relevant code goes as this (apps/ocsp.c lines 1063 and following):

    inf = lookup_serial(db, serial);
    if (!inf)
        OCSP_basic_add1_status(bs, cid,
                               V_OCSP_CERTSTATUS_UNKNOWN,
                               0, NULL,
                               thisupd, nextupd);
    else if (inf[DB_type][0] == DB_TYPE_VAL)
        OCSP_basic_add1_status(bs, cid,
                               V_OCSP_CERTSTATUS_GOOD,
                               0, NULL,
                               thisupd, nextupd);
    else if (inf[DB_type][0] == DB_TYPE_REV)
        {
        ASN1_OBJECT *inst = NULL;
        ASN1_TIME *revtm = NULL;
        ASN1_GENERALIZEDTIME *invtm = NULL;
        OCSP_SINGLERESP *single;
        int reason = -1;
        unpack_revinfo(&revtm, &reason, &inst, &invtm, inf[DB_rev_date]);
        single = OCSP_basic_add1_status(bs, cid,
                                        V_OCSP_CERTSTATUS_REVOKED,
                                        reason, revtm,
                                        thisupd, nextupd);
        if (invtm)
            OCSP_SINGLERESP_add1_ext_i2d(single,
                                         NID_invalidity_date, invtm, 0, 0);
        else if (inst)
            OCSP_SINGLERESP_add1_ext_i2d(single,
                                         NID_hold_instruction_code, inst, 0, 0);
        ASN1_OBJECT_free(inst);
        ASN1_TIME_free(revtm);
        ASN1_GENERALIZEDTIME_free(invtm);
        }

while the status-defines are
#define V_OCSP_CERTSTATUS_GOOD    0
#define V_OCSP_CERTSTATUS_REVOKED 1
#define V_OCSP_CERTSTATUS_UNKNOWN 2

So to me this looks like the result is UNKNOWN if the serial is not
found, GOOD if status is 'V' and REVOKED if status is 'R'.
But I haven't had much experience with OCSP yet...
Which version of openssl are you working with (I'm looking into the
source of 0.9.8b)?

BTW, if there is an unexpected status (like 'E') there seems to be no
response. Is this really the way it should work?

Ted
;)

--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1  B2E1 0CC8 70F4 7AFB 8D26
