gnutls-commit

[SCM] GNU gnutls branch, ocsp, updated. gnutls_3_0_7-62-g5f944be


From: Simon Josefsson
Subject: [SCM] GNU gnutls branch, ocsp, updated. gnutls_3_0_7-62-g5f944be
Date: Thu, 10 Nov 2011 14:17:19 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=5f944be2aea6b3ea8fd82de1d0d1d7b289c96d5b

The branch, ocsp has been updated
       via  5f944be2aea6b3ea8fd82de1d0d1d7b289c96d5b (commit)
       via  8dbade055cf6f4c7372a26492845119df310fa49 (commit)
      from  0e55ae5b0caf878d6dd4128727f9fb696d7136a0 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 5f944be2aea6b3ea8fd82de1d0d1d7b289c96d5b
Author: Simon Josefsson <address@hidden>
Date:   Thu Nov 10 15:16:46 2011 +0100

    Start OCSP manual.

commit 8dbade055cf6f4c7372a26492845119df310fa49
Author: Simon Josefsson <address@hidden>
Date:   Thu Nov 10 13:26:41 2011 +0100

    Adapt code to merged master.

-----------------------------------------------------------------------

Summary of changes:
 doc/cha-bib.texi       |    7 ++++
 doc/cha-cert-auth.texi |   87 ++++++++++++++++++++++++++++++++++++++++++++++++
 lib/x509/ocsp_output.c |   27 +++++++--------
 3 files changed, 107 insertions(+), 14 deletions(-)

diff --git a/doc/cha-bib.texi b/doc/cha-bib.texi
index b9791df..d517289 100644
--- a/doc/cha-bib.texi
+++ b/doc/cha-bib.texi
@@ -176,4 +176,11 @@ John Wiley \& Sons, Inc., 2001.
 M. Mathis, J. Heffner, "Packetization Layer Path MTU Discovery", March 2007,
 available from @url{http://www.ietf.org/rfc/rfc4821.txt}.
 
address@hidden @anchor{RIVESTCRL}[RIVESTCRL]
+R. L. Rivest, "Can We Eliminate Certificate Revocation Lists?",
+Proceedings of Financial Cryptography '98; Springer Lecture Notes in
+Computer Science No. 1465 (Rafael Hirschfeld, ed.), February 1998),
+pages 178--183, available from
address@hidden://people.csail.mit.edu/rivest/Rivest-CanWeEliminateCertificateRevocationLists.pdf}.
+
 @end table
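Review bot: the new bibliography entry has an unbalanced parenthesis in "Computer Science No. 1465 (Rafael Hirschfeld, ed.), February 1998)," (the ')' after 1998 has no matching '('); drop it or enclose the date so the rendered entry reads cleanly. Note also that in this list archive the Texinfo @-commands at the start of the entry and of the URL line have been rewritten as "address@hidden" by the address obfuscator, so the hunk as shown here will not apply with patch(1); fetch the commit from the cgit URL in the header when reviewing or reusing it.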
diff --git a/doc/cha-cert-auth.texi b/doc/cha-cert-auth.texi
index 26a23e7..e479638 100644
--- a/doc/cha-cert-auth.texi
+++ b/doc/cha-cert-auth.texi
@@ -33,6 +33,7 @@ acceptable.  The framework is illustrated on @ref{fig:x509}.
 * X.509 certificate structure::
 * Verifying X.509 certificate paths::
 * Verifying a certificate in the context of TLS session::
+* Certificate status::
 * Certificate requests::
 * PKCS 12 structures::
 @end menu
@@ -195,6 +196,92 @@ about the peer's identity. It is required to verify if the
 certificate's owner is the one you expect. For more information
 consult @xcite{RFC2818} and section @ref{ex:verify} for an example.
 
address@hidden Certificate status
address@hidden OCSP certificate status checking
address@hidden certificate status
address@hidden Online Certificate Status Protocol
address@hidden OCSP
+
+Certificates may be revoked before their expiration time has been
+reached.  There are several reasons for revoking certificates, but a
+typical example is if the private key associated with a certificate
+has been compromised.  Traditionally Certificate Revocation Lists
+(CRLs) has been used by application to implement revocation checking,
+however several disadvantages with CRLs have been identified, see for
+example @xcite{RIVESTCRL}.
+
+The Online Certificate Status Protocol (@acronym{OCSP}) is widely
+implemented protocol to perform certificate (revocation) status
+checking.  An application that wishes to verify the identity of a peer
+will check the certificate against a set of trusted certificates and
+then also check whether the certificate is listed in a CRL and/or
+perform an OCSP check of the certificate.
+
+Before performing the OCSP query, the application will need to figure
+out the address of the OCSP server.  The OCSP server information can
+be provided by the user in manual configuration.  It may also be
+provided in the certificate that is being checked.  There is an
+extension field called the Authority Information Access (AIA) which
+has an access method called @code{id-ad-ocsp} that holds the location
+of the OCSP responder.  There is a function for extracting this
+information from a certificate.
+
address@hidden
+
+There are several functions in GnuTLS for creating and manipulating
+OCSP requests and responses.  The idea is that a client application
+create an OCSP request object, store some information about the
+certificate to check in the request, and then export the request in
+DER format.  The request will then need to be sent to the OCSP
+responder, and normally an OCSP response is received that the
+application will need to import into an OCSP response object.  The
+digital signature in the OCSP response needs to be verified before the
+information in the response can be trusted.
+
+The ASN.1 structure of OCSP requests are briefly as follows.  It is
+useful to review the structures to get an understanding of which
+fields are modified by GnuTLS functions.
+
address@hidden
+OCSPRequest     ::=     SEQUENCE @{
+    tbsRequest                  TBSRequest,
+    optionalSignature   [0]     EXPLICIT Signature OPTIONAL @}
+
+TBSRequest      ::=     SEQUENCE @{
+    version             [0]     EXPLICIT Version DEFAULT v1,
+    requestorName       [1]     EXPLICIT GeneralName OPTIONAL,
+    requestList                 SEQUENCE OF Request,
+    requestExtensions   [2]     EXPLICIT Extensions OPTIONAL @}
+
+Request         ::=     SEQUENCE @{
+    reqCert                     CertID,
+    singleRequestExtensions     [0] EXPLICIT Extensions OPTIONAL @}
+
+CertID          ::=     SEQUENCE @{
+    hashAlgorithm       AlgorithmIdentifier,
+    issuerNameHash      OCTET STRING, -- Hash of Issuer's DN
+    issuerKeyHash       OCTET STRING, -- Hash of Issuers public key
+    serialNumber        CertificateSerialNumber @}
address@hidden example
+
+The basic functions to initialize, import, export and deallocate OCSP
+requests are the following.
+
address@hidden,
+        gnutls_ocsp_req_deinit,
+        gnutls_ocsp_req_import,
+        gnutls_ocsp_req_export,
+        gnutls_ocsp_req_print}
+
+There are two interfaces for setting the identity of a certificate in
+a OCSP request, the first being a low-level function when you have the
+issuer name hash, issuer key hash, and certificate serial number in
+binary form.  The second is usually more useful if you have the
+certificate (and its issuer) in a @code{gnutls_x509_crt_t} type.
+
address@hidden,
+        gnutls_ocsp_req_add_cert}
+
 @node Certificate requests
 @subsection @acronym{PKCS} #10 certificate requests
 @cindex certificate requests
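Review bot: the paragraph ending "The digital signature in the OCSP response needs to be verified before the information in the response can be trusted" is incomplete as a verification rule: a correctly signed response is still not usable unless it actually answers this request (the CertID in the response matches the one placed in the request, and a nonce sent in requestExtensions is echoed back) and is current; the print_req/print_resp code touched in this same commit already handles the Nonce extension, so the manual should say so here. Also, "There is a function for extracting this information from a certificate" should name the function with the manual's usual function-reference macro so a reader can find it, and the bare line that follows that paragraph survives in this archive only as an obfuscated @-command; confirm it is the intended reference and not a leftover placeholder before this branch is merged. Grammar to fix in the same hunk: "Certificate Revocation Lists (CRLs) has been used by application" should read "have been used by applications"; "is widely implemented protocol" should read "is a widely implemented protocol"; "The ASN.1 structure of OCSP requests are briefly as follows" should read "is briefly as follows"; "a client application create an OCSP request object, store ... and then export" should read "creates ... stores ... exports"; and "in a OCSP request" should read "in an OCSP request".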
diff --git a/lib/x509/ocsp_output.c b/lib/x509/ocsp_output.c
index e8b683a..8443227 100644
--- a/lib/x509/ocsp_output.c
+++ b/lib/x509/ocsp_output.c
@@ -28,7 +28,6 @@
 #include <libtasn1.h>
 #include <gnutls_pk.h>
 #include "algorithms.h"
-#include "output.h"
 
 #include <gnutls/ocsp.h>
 
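Review bot: removing `#include "output.h"` while every later hunk switches the call sites to `_gnutls_buffer_hexprint`, `_gnutls_buffer_asciiprint` and `_gnutls_buffer_hexdump` only compiles if the header that declares those `_gnutls_buffer_*` functions is already among the remaining includes; this hunk adds no include, so confirm one of the existing headers (not shown in the context) provides the declarations, or add it here explicitly rather than relying on transitive inclusion, which is fragile when headers are later reorganised.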
@@ -77,15 +76,15 @@ print_req (gnutls_buffer_st * str, gnutls_ocsp_req_t req)
            _gnutls_digest_get_name (digest));
 
       adds (str, "\t\t\tIssuer Name Hash: ");
-      hexprint (str, in.data, in.size);
+      _gnutls_buffer_hexprint (str, in.data, in.size);
       adds (str, "\n");
 
       adds (str, "\t\t\tIssuer Key Hash: ");
-      hexprint (str, ik.data, ik.size);
+      _gnutls_buffer_hexprint (str, ik.data, ik.size);
       adds (str, "\n");
 
       adds (str, "\t\t\tSerial Number: ");
-      hexprint (str, sn.data, sn.size);
+      _gnutls_buffer_hexprint (str, sn.data, sn.size);
       adds (str, "\n");
 
       gnutls_free (in.data);
@@ -127,7 +126,7 @@ print_req (gnutls_buffer_st * str, gnutls_ocsp_req_t req)
          else
            {
              addf (str, "\t\tNonce%s: ", critical ? " (critical)" : "");
-             hexprint (str, nonce.data, nonce.size);
+             _gnutls_buffer_hexprint (str, nonce.data, nonce.size);
              adds (str, "\n");
            }
        }
@@ -137,11 +136,11 @@ print_req (gnutls_buffer_st * str, gnutls_ocsp_req_t req)
                critical ? "critical" : "not critical");
 
          addf (str, _("\t\t\tASCII: "));
-         asciiprint (str, data.data, data.size);
+         _gnutls_buffer_asciiprint (str, data.data, data.size);
          addf (str, "\n");
 
          addf (str, _("\t\t\tHexdump: "));
-         hexprint (str, data.data, data.size);
+         _gnutls_buffer_hexprint (str, data.data, data.size);
          adds (str, "\n");
        }
 
@@ -341,15 +340,15 @@ print_resp (gnutls_buffer_st * str, gnutls_ocsp_resp_t 
resp)
            _gnutls_digest_get_name (digest));
 
       adds (str, "\t\t\tIssuer Name Hash: ");
-      hexprint (str, in.data, in.size);
+      _gnutls_buffer_hexprint (str, in.data, in.size);
       adds (str, "\n");
 
       adds (str, "\t\t\tIssuer Key Hash: ");
-      hexprint (str, ik.data, ik.size);
+      _gnutls_buffer_hexprint (str, ik.data, ik.size);
       adds (str, "\n");
 
       adds (str, "\t\t\tSerial Number: ");
-      hexprint (str, sn.data, sn.size);
+      _gnutls_buffer_hexprint (str, sn.data, sn.size);
       adds (str, "\n");
 
       gnutls_free (in.data);
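Review bot: the rename in print_resp is the mirror image of the one in print_req and changes no behaviour, but the `@@` header of this hunk is wrapped across two lines in the archive listing ("gnutls_ocsp_resp_t" / "resp)"), as is the header of the later print_resp hunk, so this mail copy cannot be applied as-is; use the commit from the repository rather than the text of this message.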
@@ -467,7 +466,7 @@ print_resp (gnutls_buffer_st * str, gnutls_ocsp_resp_t resp)
          else
            {
              addf (str, "\t\tNonce%s: ", critical ? " (critical)" : "");
-             hexprint (str, nonce.data, nonce.size);
+             _gnutls_buffer_hexprint (str, nonce.data, nonce.size);
              adds (str, "\n");
            }
        }
@@ -477,11 +476,11 @@ print_resp (gnutls_buffer_st * str, gnutls_ocsp_resp_t 
resp)
                critical ? "critical" : "not critical");
 
          addf (str, _("\t\t\tASCII: "));
-         asciiprint (str, data.data, data.size);
+         _gnutls_buffer_asciiprint (str, data.data, data.size);
          addf (str, "\n");
 
          addf (str, _("\t\t\tHexdump: "));
-         hexprint (str, data.data, data.size);
+         _gnutls_buffer_hexprint (str, data.data, data.size);
          adds (str, "\n");
        }
 
@@ -516,7 +515,7 @@ print_resp (gnutls_buffer_st * str, gnutls_ocsp_resp_t resp)
     else
       {
        adds (str, _("\tSignature:\n"));
-       hexdump (str, sig.data, sig.size, "\t\t");
+       _gnutls_buffer_hexdump (str, sig.data, sig.size, "\t\t");
 
        gnutls_free (sig.data);
       }


hooks/post-receive
-- 
GNU gnutls


