2010/04/12

"ocsp" "-rsigner"

OCSP は Online Certificate Status Protocol の略です。
証明が失効されてるか有効かをオンラインで調べる為のものです。
例えば
$ openssl s_client -connect www.google.com:443 </dev/null | openssl x509 -noout -text
(前略)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 CRL Distribution Points:
URI:http://crl.thawte.com/ThawteSGCCA.crl

X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto
Authority Information Access:
OCSP - URI:http://ocsp.thawte.com
CA Issuers - URI:http://www.thawte.com/repository/Thawte_SGC_CA.crt
(後略)
のように http://ocsp.thawte.com が OCSP サーバだと分かります

openssl も ocsp というコマンドを持っているので
例えば
$ openssl s_client -connect www.google.com:443 -showcerts < /dev/null
などで google と thawte の証明書を取ってくれば
$ openssl ocsp -issuer thawte.crt -cert google.crt -url http://ocsp.thawte.com -resp_text -CAfile thawte.crt 
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C = ZA, O = Thawte Consulting (Pty) Ltd., CN = Thawte SGC OCSP Responder
Produced At: Apr 12 11:09:20 2010 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 1E9209AA713C794BCA1E931A0A61AD3FD0BA6083
Issuer Key Hash: 3B349A709173B28A1B0CF4E937CDB370329E1854
Serial Number: 2FDFBCF6AE91526D0F9AA3DF40343E9A
Cert Status: good
This Update: Apr 12 11:09:20 2010 GMT
Next Update: Apr 19 11:09:20 2010 GMT

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
7c:ec:c6:3e:2b:8d:3e:ad:f6:ba:ce:11:13:1a:b7:73
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=ZA, O=Thawte Consulting (Pty) Ltd., CN=Thawte SGC CA
Validity
Not Before: Feb 13 00:00:00 2010 GMT
Not After : May 14 23:59:59 2010 GMT
Subject: C=ZA, O=Thawte Consulting (Pty) Ltd., CN=Thawte SGC OCSP Responder
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:d3:2f:7e:60:63:4c:bb:b9:98:84:91:23:d8:f0:
e9:d9:0f:35:42:40:dc:d5:75:d5:cf:4e:a0:3b:50:
e6:85:fa:38:27:bc:cb:8f:7e:34:8d:ed:8d:19:27:
9a:cb:9c:84:82:3c:3a:ed:7a:ba:2b:75:b1:74:c9:
32:7d:7d:11:bb:d2:7d:8b:c4:3c:03:7d:4f:22:c0:
03:82:26:b9:8e:ce:4a:21:0e:9c:ef:b8:e7:81:af:
a7:0a:14:c6:04:a0:94:05:44:e2:e2:fc:b0:71:2a:
98:f3:6f:d2:1c:46:ab:af:7d:ea:22:ab:3e:a1:94:
28:eb:91:67:61:a3:58:4b:ed
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Extended Key Usage:
OCSP Signing
X509v3 Key Usage:
Digital Signature
OCSP No Check:

X509v3 Subject Alternative Name:
DirName:/CN=OCSP5-TGV-4-109
Signature Algorithm: sha1WithRSAEncryption
b7:7e:90:32:f5:5e:73:86:d3:3a:f9:27:ea:95:0c:70:b8:80:
e4:8e:83:9e:36:f5:8a:c4:c2:5f:a3:df:01:ed:24:03:dd:de:
c1:41:56:5a:92:48:0b:8e:cc:67:9a:53:a5:9c:ea:e5:36:7f:
4b:07:cc:9e:40:9a:fb:d3:cd:b2:df:de:87:f6:89:cf:5b:94:
80:06:d7:d8:aa:db:35:8c:7b:46:84:e6:37:41:e7:d9:07:1e:
7d:79:34:e1:18:91:b0:e8:fd:40:1b:eb:63:ef:6b:3a:2a:30:
ad:48:0e:9e:8e:de:61:92:c1:c2:0d:d1:f3:6d:d5:db:4b:e5:
82:25
-----BEGIN CERTIFICATE-----
MIICkjCCAfugAwIBAgIQfOzGPiuNPq32us4RExq3czANBgkqhkiG9w0BAQUFADBM
MQswCQYDVQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkg
THRkLjEWMBQGA1UEAxMNVGhhd3RlIFNHQyBDQTAeFw0xMDAyMTMwMDAwMDBaFw0x
MDA1MTQyMzU5NTlaMFgxCzAJBgNVBAYTAlpBMSUwIwYDVQQKExxUaGF3dGUgQ29u
c3VsdGluZyAoUHR5KSBMdGQuMSIwIAYDVQQDExlUaGF3dGUgU0dDIE9DU1AgUmVz
cG9uZGVyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDTL35gY0y7uZiEkSPY
8OnZDzVCQNzVddXPTqA7UOaF+jgnvMuPfjSN7Y0ZJ5rLnISCPDrterordbF0yTJ9
fRG70n2LxDwDfU8iwAOCJrmOzkohDpzvuOeBr6cKFMYEoJQFROLi/LBxKpjzb9Ic
Rquvfeoiqz6hlCjrkWdho1hL7QIDAQABo2kwZzAJBgNVHRMEAjAAMBMGA1UdJQQM
MAoGCCsGAQUFBwMJMAsGA1UdDwQEAwIHgDAPBgkrBgEFBQcwAQUEAgUAMCcGA1Ud
EQQgMB6kHDAaMRgwFgYDVQQDEw9PQ1NQNS1UR1YtNC0xMDkwDQYJKoZIhvcNAQEF
BQADgYEAt36QMvVec4bTOvkn6pUMcLiA5I6Dnjb1isTCX6PfAe0kA93ewUFWWpJI
C47MZ5pTpZzq5TZ/SwfMnkCa+9PNst/eh/aJz1uUgAbX2KrbNYx7RoTmN0Hn2Qce
fXk04RiRsOj9QBvrY+9rOiowrUgOno7eYZLBwg3R823V20vlgiU=
-----END CERTIFICATE-----
WARNING: no nonce in response
Response verify OK
google.crt: good
This Update: Apr 12 11:09:20 2010 GMT
Next Update: Apr 19 11:09:20 2010 GMT
good と言われてるので有効な証明書であることが確認できます

また、-index というオプションがあり
これで openssl ca コマンドで利用する index file を指定してやると
OCSP Responder としても動作させることができます
-rsigner ってのは response に署名する証明書を指定する為のものでした。

-reqin -reqout で OCSP のリクエストフォーマットのデータの入出力
-respin -respout で OCSP のレスポンスフォーマットのデータの入出力
ができるので、個別にリクエスト・レスポンスを作成・保存したりもできます。

0 件のコメント:

コメントを投稿