OCSP support
Simon Josefsson
simon at josefsson.org
Fri Oct 28 12:16:20 CEST 2011
All,
I'm implementing Online Certificate Status Protocol (OCSP) support in
GnuTLS, sponsored by Smoothwall. I've pushed an initial branch that has
client-side functionality. The branch is called 'ocsp' and you may
browse it here:
http://git.savannah.gnu.org/cgit/gnutls.git/log/?h=ocsp
The majority of the work available so far is in this commit:
http://git.savannah.gnu.org/cgit/gnutls.git/commit/?h=ocsp&id=5f1c585d7f25c9cdec4f64c9b56a65516fd8d0e5
There is no documentation yet, but there is a command-line tool
'ocsptool' that can be used to view requests and responses, generate
requests, and verify responses.
My plan is to improve the code further, add more documentation and
self-tests and then merge this onto the GnuTLS master branch. Feedback
on the API and code in general at this point is appreciated. See it as
a good opportunity to help influence the API design now, since you will
have a much harder time changing the API later on. :-)
If you are a potential user of a GnuTLS OCSP interface, please take some
time to review the API documented here:
http://josefsson.org/gnutls-ocsp/gtk-doc-api-manual/gnutls-ocsp.html
I'm including the header file below for easy quoting.
/Simon
#ifndef GNUTLS_OCSP_H
#define GNUTLS_OCSP_H
#include <gnutls/gnutls.h>
#include <gnutls/x509.h>
#ifdef __cplusplus
extern "C"
{
#endif
/* Dotted-string OID of the OCSP nonce extension, id-pkix-ocsp-nonce
 * (RFC 2560 section 4.4.1).  The nonce binds a response to the request
 * that triggered it and is the only anti-replay mechanism OCSP offers.
 * The dedicated *_nonce accessors below presumably select this extension;
 * the string form also fits the @oid argument of
 * gnutls_ocsp_req_set_extension (). */
#define GNUTLS_OCSP_NONCE "1.3.6.1.5.5.7.48.1.2"
/**
* gnutls_ocsp_print_formats_t:
* @GNUTLS_OCSP_PRINT_FULL: Full information about OCSP request/response.
*
* Enumeration of different OCSP printing variants, consumed by the
* @format argument of gnutls_ocsp_req_print() and gnutls_ocsp_resp_print().
* Only one variant exists so far; the trailing comma leaves room for more.
*/
typedef enum gnutls_ocsp_print_formats_t
{
GNUTLS_OCSP_PRINT_FULL = 0,
} gnutls_ocsp_print_formats_t;
/**
* gnutls_ocsp_resp_status_t:
* @GNUTLS_OCSP_RESP_SUCCESSFUL: Response has valid confirmations.
* @GNUTLS_OCSP_RESP_MALFORMEDREQUEST: Illegal confirmation request
* @GNUTLS_OCSP_RESP_INTERNALERROR: Internal error in issuer
* @GNUTLS_OCSP_RESP_TRYLATER: Try again later
* @GNUTLS_OCSP_RESP_SIGREQUIRED: Must sign the request
* @GNUTLS_OCSP_RESP_UNAUTHORIZED: Request unauthorized
*
* Enumeration of different OCSP response status codes.  The values
* follow the OCSPResponseStatus enumeration of RFC 2560 section 4.2.1,
* where value 4 is deliberately unassigned.  Per that RFC only a
* SUCCESSFUL response carries a response body; every other status means
* "no certificate status was obtained" and must not be read as a good
* status.  Presumably reported by gnutls_ocsp_resp_get_status() -- confirm.
*/
typedef enum gnutls_ocsp_resp_status_t
{
GNUTLS_OCSP_RESP_SUCCESSFUL = 0,
GNUTLS_OCSP_RESP_MALFORMEDREQUEST = 1,
GNUTLS_OCSP_RESP_INTERNALERROR = 2,
GNUTLS_OCSP_RESP_TRYLATER = 3,
/* -- value 4 is not used */
GNUTLS_OCSP_RESP_SIGREQUIRED = 5,
GNUTLS_OCSP_RESP_UNAUTHORIZED = 6
} gnutls_ocsp_resp_status_t;
/**
* gnutls_ocsp_cert_status_t:
* @GNUTLS_OCSP_CERT_GOOD: Positive response to status inquiry.
* @GNUTLS_OCSP_CERT_REVOKED: Certificate has been revoked.
* @GNUTLS_OCSP_CERT_UNKNOWN: The responder doesn't know about the
* certificate.
*
* Enumeration of different OCSP certificate status codes (not response
* status codes; see gnutls_ocsp_resp_status_t for those).  The values
* match the tags of the CertStatus CHOICE in RFC 2560 section 4.2.1.
* Presumably the value delivered through @cert_status of
* gnutls_ocsp_resp_get_singleresponse() -- confirm.  A relying party
* should treat UNKNOWN as "not confirmed good", never as GOOD.
*/
typedef enum gnutls_ocsp_cert_status_t
{
GNUTLS_OCSP_CERT_GOOD = 0,
GNUTLS_OCSP_CERT_REVOKED = 1,
GNUTLS_OCSP_CERT_UNKNOWN = 2
} gnutls_ocsp_cert_status_t;
/**
* gnutls_x509_crl_reason_t:
* @GNUTLS_X509_CRLREASON_UNSPECIFIED: Unspecified reason.
* @GNUTLS_X509_CRLREASON_KEYCOMPROMISE: Private key compromised.
* @GNUTLS_X509_CRLREASON_CACOMPROMISE: CA compromised.
* @GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED: Affiliation has changed.
* @GNUTLS_X509_CRLREASON_SUPERSEDED: Certificate superseded.
* @GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION: Operation has ceased.
* @GNUTLS_X509_CRLREASON_CERTIFICATEHOLD: Certificate is on hold.
* @GNUTLS_X509_CRLREASON_REMOVEFROMCRL: Will be removed from delta CRL.
* @GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN: Privilege withdrawn.
* @GNUTLS_X509_CRLREASON_AACOMPROMISE: AA compromised.
*
* Enumeration of different reason codes. Note that this
* corresponds to the CRLReason ASN.1 enumeration type, and not the
* ReasonFlags ASN.1 bit string.  The numeric values are those of
* CRLReason in RFC 5280 section 5.3.1, which is why 7 is skipped.
* Presumably the value delivered through @revocation_reason of
* gnutls_ocsp_resp_get_singleresponse() -- confirm.
*/
typedef enum gnutls_x509_crl_reason_t
{
GNUTLS_X509_CRLREASON_UNSPECIFIED = 0,
GNUTLS_X509_CRLREASON_KEYCOMPROMISE = 1,
GNUTLS_X509_CRLREASON_CACOMPROMISE = 2,
GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED = 3,
GNUTLS_X509_CRLREASON_SUPERSEDED = 4,
GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION = 5,
GNUTLS_X509_CRLREASON_CERTIFICATEHOLD = 6,
/* -- value 7 is not used */
GNUTLS_X509_CRLREASON_REMOVEFROMCRL = 8,
GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN = 9,
GNUTLS_X509_CRLREASON_AACOMPROMISE = 10
} gnutls_x509_crl_reason_t;
/* OCSP verify status codes, reported through the @verify output of
 * gnutls_ocsp_resp_verify().  Despite the word "enumeration" these are
 * preprocessor flags with distinct power-of-two values, so presumably
 * several can be OR'ed into one word and 0 means no problem was found --
 * confirm against the implementation, the declaration alone does not say.
 * The per-flag meanings below are inferred from the names; confirm them too.
 * A caller must check this word in addition to the function's return
 * value: a successful return with a non-zero @verify is a failed
 * verification, not a usable response. */
/* no certificate matching the responder could be located */
#define GNUTLS_OCSP_VERIFY_SIGNER_NOT_FOUND 1
/* the signer's key usage / extended key usage does not permit OCSP signing */
#define GNUTLS_OCSP_VERIFY_SIGNER_KEYUSAGE_ERROR 2
/* the signer does not chain to the supplied trust list / signer cert */
#define GNUTLS_OCSP_VERIFY_UNTRUSTED_SIGNER 4
/* the signature uses an algorithm considered too weak */
#define GNUTLS_OCSP_VERIFY_INSECURE_ALGORITHM 8
/* the signature does not verify */
#define GNUTLS_OCSP_VERIFY_SIGNATURE_FAILURE 16
/* the (presumably signer) certificate is not yet valid */
#define GNUTLS_OCSP_VERIFY_CERT_NOT_ACTIVATED 32
/* the (presumably signer) certificate has expired */
#define GNUTLS_OCSP_VERIFY_CERT_EXPIRED 64
/* Opaque OCSP request handle.  The struct is only defined in the
 * implementation, so callers go through the accessors below.
 * Ownership: obtained from gnutls_ocsp_req_init(), released with
 * gnutls_ocsp_req_deinit().
 *
 * Return convention: every int-returning function here presumably
 * follows the rest of GnuTLS, 0 (GNUTLS_E_SUCCESS) on success and a
 * negative error code on failure -- confirm, it is not stated in the
 * declarations. */
struct gnutls_ocsp_req_int;
typedef struct gnutls_ocsp_req_int *gnutls_ocsp_req_t;
/* Allocate a new, empty request and store its handle in *req. */
int gnutls_ocsp_req_init (gnutls_ocsp_req_t * req);
/* Release a request created by gnutls_ocsp_req_init(). */
void gnutls_ocsp_req_deinit (gnutls_ocsp_req_t req);
/* Parse an encoded request from @data into @req.  The encoding (presumably
 * DER) is not stated in the declaration.  @data may originate from the
 * network and has to be treated as untrusted by the parser. */
int gnutls_ocsp_req_import (gnutls_ocsp_req_t req,
const gnutls_datum_t * data);
/* Encode @req into @data.  Who frees @data->data is not stated; document
 * it (GnuTLS convention would be gnutls_free() by the caller -- confirm). */
int gnutls_ocsp_req_export (gnutls_ocsp_req_t req, gnutls_datum_t * data);
/* Render @req as text in @out, in the style selected by @format.
 * Same unanswered ownership question for @out as for _export(). */
int gnutls_ocsp_req_print (gnutls_ocsp_req_t req,
gnutls_ocsp_print_formats_t format,
gnutls_datum_t * out);
/* Return the request's version number (negative on error, presumably). */
int gnutls_ocsp_req_get_version (gnutls_ocsp_req_t req);
/* Read the CertID at position @indx of @req: the hash algorithm and the
 * issuer name hash, issuer key hash and serial number.  Presumably 0-based
 * and out-of-range @indx yields an error code -- confirm.  Ownership of the
 * three datum outputs is not stated. */
int gnutls_ocsp_req_get_certid (gnutls_ocsp_req_t req,
unsigned indx,
gnutls_digest_algorithm_t *digest,
gnutls_datum_t *issuer_name_hash,
gnutls_datum_t *issuer_key_hash,
gnutls_datum_t *serial_number);
/* Append a CertID built from already-computed hash values and a serial
 * number.  The caller is responsible for @digest matching the hashes. */
int gnutls_ocsp_req_add_certid (gnutls_ocsp_req_t req,
gnutls_digest_algorithm_t digest,
const gnutls_datum_t *issuer_name_hash,
const gnutls_datum_t *issuer_key_hash,
const gnutls_datum_t *serial_number);
/* Convenience form of _add_certid(): derive the CertID for @cert from
 * @issuer using @digest.  Presumably @issuer must be the actual issuer of
 * @cert, otherwise the responder cannot match the query -- confirm whether
 * the implementation checks this. */
int gnutls_ocsp_req_add_cert (gnutls_ocsp_req_t req,
gnutls_digest_algorithm_t digest,
gnutls_x509_crt_t issuer,
gnutls_x509_crt_t cert);
/* Read request extension number @indx: its OID, criticality flag and raw
 * value.  Same index and ownership caveats as _get_certid(). */
int gnutls_ocsp_req_get_extension (gnutls_ocsp_req_t req,
unsigned indx,
gnutls_datum_t *oid,
unsigned int *critical,
gnutls_datum_t *data);
/* Read the nonce extension (GNUTLS_OCSP_NONCE, presumably) of @req. */
int gnutls_ocsp_req_get_nonce (gnutls_ocsp_req_t req,
unsigned int *critical,
gnutls_datum_t *nonce);
/* Add an arbitrary extension to @req, identified by the dotted-string
 * @oid, with criticality @critical and raw value @data. */
int gnutls_ocsp_req_set_extension (gnutls_ocsp_req_t req,
const char *oid,
unsigned int critical,
const gnutls_datum_t *data);
/* Set the request nonce.  A fresh, unpredictable @nonce is what lets the
 * client detect a replayed response; no function in this header compares
 * it with the response nonce, so the caller has to do that itself using
 * gnutls_ocsp_resp_get_nonce(). */
int gnutls_ocsp_req_set_nonce (gnutls_ocsp_req_t req,
unsigned int critical,
const gnutls_datum_t *nonce);
/* Opaque OCSP response handle; same ownership and return-value
 * conventions as gnutls_ocsp_req_t above (presumed, not stated). */
struct gnutls_ocsp_resp_int;
typedef struct gnutls_ocsp_resp_int *gnutls_ocsp_resp_t;
/* Allocate a new, empty response and store its handle in *resp. */
int gnutls_ocsp_resp_init (gnutls_ocsp_resp_t * resp);
/* Release a response created by gnutls_ocsp_resp_init(). */
void gnutls_ocsp_resp_deinit (gnutls_ocsp_resp_t resp);
/* Parse an encoded response from @data into @resp.  This is the main
 * untrusted-input entry point of the client side: @data comes straight
 * from the responder. */
int gnutls_ocsp_resp_import (gnutls_ocsp_resp_t resp,
const gnutls_datum_t * data);
/* Encode @resp into @data.  Ownership of @data->data is not stated. */
int gnutls_ocsp_resp_export (gnutls_ocsp_resp_t resp,
gnutls_datum_t * data);
/* Render @resp as text in @out, in the style selected by @format. */
int gnutls_ocsp_resp_print (gnutls_ocsp_resp_t resp,
gnutls_ocsp_print_formats_t format,
gnutls_datum_t * out);
/* Return the response status, presumably a gnutls_ocsp_resp_status_t
 * value or a negative error code -- confirm.  Anything other than
 * GNUTLS_OCSP_RESP_SUCCESSFUL means no certificate status is available. */
int gnutls_ocsp_resp_get_status (gnutls_ocsp_resp_t resp);
/* Return the raw responseBytes: the response type OID and the encoded
 * response itself.  Ownership of the outputs is not stated. */
int gnutls_ocsp_resp_get_response (gnutls_ocsp_resp_t resp,
gnutls_datum_t *response_type_oid,
gnutls_datum_t *response);
/* Return the response's version number (negative on error, presumably). */
int gnutls_ocsp_resp_get_version (gnutls_ocsp_resp_t resp);
/* Return the responder's DN when it identified itself by name.  What is
 * returned when the responder used a key hash instead is not stated here
 * and there is no key-hash accessor in this header -- worth documenting. */
int gnutls_ocsp_resp_get_responderid_dn (gnutls_ocsp_resp_t resp,
gnutls_datum_t *dn);
/* Return the producedAt time.  How errors are signalled through a time_t
 * return is not stated (GnuTLS convention would be (time_t)-1; confirm).
 * time_t itself relies on one of the gnutls headers pulling in <time.h>. */
time_t gnutls_ocsp_resp_get_produceat (gnutls_ocsp_resp_t resp);
/* Read SingleResponse number @indx: the CertID it answers (digest, issuer
 * name hash, issuer key hash, serial number), the certificate status,
 * the thisUpdate/nextUpdate validity window, and the revocation time and
 * reason.  @cert_status presumably holds a gnutls_ocsp_cert_status_t and
 * @revocation_reason a gnutls_x509_crl_reason_t -- both are plain int
 * here, so confirm and consider typed pointers before the API freezes.
 * The revocation fields are presumably only meaningful when the status is
 * GNUTLS_OCSP_CERT_REVOKED.  Nothing in this header checks the validity
 * window against the current time; the caller has to do that, since a
 * correctly signed but stale response is still not evidence of status. */
int gnutls_ocsp_resp_get_singleresponse (gnutls_ocsp_resp_t resp,
unsigned indx,
gnutls_digest_algorithm_t *digest,
gnutls_datum_t *issuer_name_hash,
gnutls_datum_t *issuer_key_hash,
gnutls_datum_t *serial_number,
int *cert_status,
time_t *this_update,
time_t *next_update,
time_t *revocation_time,
int *revocation_reason);
/* Read response extension number @indx: OID, criticality and raw value. */
int gnutls_ocsp_resp_get_extension (gnutls_ocsp_resp_t resp,
unsigned indx,
gnutls_datum_t *oid,
unsigned int *critical,
gnutls_datum_t *data);
/* Read the nonce extension of @resp.  The caller should compare it with
 * the nonce it put in the request; whether a missing nonce is acceptable
 * is a policy decision the caller has to make, as responders are not
 * required to echo it. */
int gnutls_ocsp_resp_get_nonce (gnutls_ocsp_resp_t resp,
unsigned int *critical,
gnutls_datum_t *nonce);
/* Return the signature algorithm identifier (presumably a
 * gnutls_sign_algorithm_t value, negative on error -- confirm). */
int gnutls_ocsp_resp_get_signature_algorithm (gnutls_ocsp_resp_t resp);
/* Return the raw signature bytes.  Ownership of @sig is not stated. */
int gnutls_ocsp_resp_get_signature (gnutls_ocsp_resp_t resp,
gnutls_datum_t *sig);
/* Return the certificates embedded in the response as an array of
 * @ncerts handles in *@certs.  The declaration does not say who frees
 * the array or deinitialises its elements -- this must be documented,
 * otherwise callers will leak or double-free. */
int gnutls_ocsp_resp_get_certs (gnutls_ocsp_resp_t resp,
gnutls_x509_crt_t ** certs,
size_t *ncerts);
/* Verify the signature and signer of @resp.  @trustlist and @signercert
 * are presumably alternatives (trust anchors to chain to, or one known
 * signer); whether both may be given, and what @flags accepts, is not
 * stated.  Problems are reported in *@verify using the
 * GNUTLS_OCSP_VERIFY_* flags; a caller must treat a non-zero *@verify as
 * failure even when the return value is 0.  Note that this signature
 * conveys nothing about nonce matching or the thisUpdate/nextUpdate
 * window, so those checks presumably remain the caller's job -- confirm
 * and document either way. */
int gnutls_ocsp_resp_verify (gnutls_ocsp_resp_t resp,
gnutls_x509_trust_list_t trustlist,
gnutls_x509_crt_t signercert,
unsigned *verify,
int flags);
#ifdef __cplusplus
}
#endif
#endif /* GNUTLS_OCSP_H */