在客户端程序的OpenSSL证书吊销检查使用OCSP装订 [英] OpenSSL certificate revocation check in client program using OCSP stapling
问题描述
我有一个安全的连接到使用OpenSSL服务器的嵌入式C客户端程序。服务器握手过程中提供其证书,客户必须检查该证书的吊销状态。目前我使用OCSP做到这一点。
I have an embedded C client program that securely connects to a server using OpenSSL. The server provides its certificate during the handshake and the client has to check the revocation status of this certificate. Currently I do this by using OCSP.
所有这些工作,但现在我需要使用 OCSP装订重新实现客户的吊销检查一>(假设服务器将开始提供这一点)。
All of this works, but now I need to re-implement the client's revocation check using OCSP stapling (assuming the server will start providing this).
目前,我得到使用 X509服务器证书*证书= SSL_get_peer_certificate(SSL)
来检查的SubjectAltName
对我服务器的域名,并获得 authorityInfoAccess
(OCSP的URI)。
Currently I get the server certificate using X509 *cert = SSL_get_peer_certificate(ssl)
to check the subjectAltName
against my server's domain and get the authorityInfoAccess
(for OCSP URI).
假设我有一个 SSL * SSL;
和我通过所以SSL_connect(SSL)成功地把一切都连接;
,我该怎么办在这一点上,我们就到OCSP装订信息和验证我刚刚收到的证书?我找不到任何样品code为如何真正实现这一点使用OpenSSL库。
Assuming I have an SSL * ssl;
and I successfully set everything up and connected via SSL_connect(ssl);
, what do I do at this point to get at the OCSP stapling information and verify the certificate I just received? I can't find any sample code for how to actually implement this using the OpenSSL library.
推荐答案
有几个步骤:
-
在客户端通过
SSL_set_tlsext_status_type(SSL,TLSEXT_STATUSTYPE_ocsp)
发送status_request
扩展。
注册一个回调(和参数)审查通过 SSL_CTX_set_tlsext_status_cb OCSP响应(CTX,ocsp_resp_cb)
和 SSL_CTX_set_tlsext_status_arg(CTX,ARG )
Register a callback (and argument) to examine the OCSP response via SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb)
and SSL_CTX_set_tlsext_status_arg(ctx, arg)
写的回调函数。通过的s_client.First
使用的一种演示了如何获得的响应信息:
Write the callback function. The one used by s_client
demonstrates how to get at the response information:
static int ocsp_resp_cb(SSL *s, void *arg)
{
const unsigned char *p;
int len;
OCSP_RESPONSE *rsp;
len = SSL_get_tlsext_status_ocsp_resp(s, &p);
BIO_puts(arg, "OCSP response: ");
if (!p)
{
BIO_puts(arg, "no response sent\n");
return 1;
}
rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
if (!rsp)
{
BIO_puts(arg, "response parse error\n");
BIO_dump_indent(arg, (char *)p, len, 4);
return 0;
}
BIO_puts(arg, "\n======================================\n");
OCSP_RESPONSE_print(arg, rsp, 0);
BIO_puts(arg, "======================================\n");
OCSP_RESPONSE_free(rsp);
return 1;
}
这篇关于在客户端程序的OpenSSL证书吊销检查使用OCSP装订的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!