Captain

Reputation: 91

How to verify certificate with ocsp using openssl

I have a problem. I am using OpenSSL to validate my cert - x509_verify_cert(). But this function doesn't use OCSP. So it can be a problem if there is no CRL. In the OpenSSL errors I found this define - x509_err_ocsp_verify_needed, but I don't understand how it is used. It seems that there may be some kind of callback for my function that connects to the OCSP server, or something like that. Also I found it, which I can use, as I understand, for my own validate function, but I want only the OCSP check.

So my question is: is it possible to ask OpenSSL to use OCSP for validation, and how?

Upvotes: 1

Views: 27159

Answers (3)

Craig 4 IT

Reputation: 19

This worked for me against a Hashicorp Vault Server:

openssl ocsp \
    -noverify \
    -no_nonce \
    -issuer pki_root_ca_chain.pem \
    -cert usercert.pem \
    -url http://test.this.out:8200/v1/pki/ocsp

The above command has a space and slashes at each line's end except for the last line. Below is a one-liner of the same command.

openssl ocsp -noverify -no_nonce -issuer pki_root_ca_chain.pem -cert usercert.pem -url http://test.this.out:8200/v1/pki/ocsp

Upvotes: 1

Shane Powell

Reputation: 14158

The OpenSSL API does not provide a single API call to do OCSP validation. The OpenSSL API provides the primitives so that you can implement your own validation. There are details you need to fill in for the implementation, which may depend on the situation you are trying to solve.

I would suggest that you get to know the openssl ocsp command as a basis of your understanding. Reading the links from Sanjeev's answer gives you examples of using this command as well.

To implement OCSP validation you will need to:

  1. Extract server and issuer certificates from somewhere (SSL connection most likely)
  2. Extract the OCSP server list from the server certificate
  3. Generate an OCSP request using the server and issuer certificates
  4. Send the request to the OCSP server and get a response back
  5. Optionally validate the response
  6. Extract the certificate status

Optionally you can also cache the result with the response update date range so that you can shortcut the above procedure if you see the certificate again.

You can also group a bunch of server certificates to the same OCSP server into a single request as well.

Of note is that the OCSP server link may not be HTTP and you may need to support whatever link type the certificate may have. For example, in Windows AD enterprise setups, the server OCSP may only have LDAP OCSP server links.

You may also like to see my answer to a question where I go into code examples of OCSP request and response handling.

UPDATE:

If you want to check the whole chain, you will have to do the above one certificate at a time (although the certificate operations can be overlapped). As far as I know, there is no way to check a whole chain at once. Also, you may find that a lot of intermediate certificates don't provide OCSP links anyway, so there is no way to check. If you need to do this then it would be a good idea to cache the results, as you will come across the same intermediate certificates all the time. In fact you could schedule to do this ahead of time for "known" intermediate certificates that you come across all the time.

You also keep pointing to "x509_verify_cert". I quote:

Applications rarely call this function directly but it is used by OpenSSL internally for certificate validation, in both the S/MIME and SSL/TLS code.

So you shouldn't be calling this yourself anyway.

It seems that may be exists some kind of callback for my connecting to ocsp server function or something like that.

In openssl errors i found this define - x509_err_ocsp_verify_needed

X509_V_ERR_OCSP_VERIFY_NEEDED is defined and never used in the OpenSSL codebase. It is meant to be returned from a verify callback function that the user provides (i.e. X509_STORE_CTX_set_verify_cb) to indicate that verification should fail with that error. What you do with that information is up to you. If you supply a callback and return that error from an OpenSSL SSL connection, then the SSL connection will terminate.

Also of note, if you do add a custom verification callback that does full OCSP checking, it will slow down the SSL connection setup a lot. This is why most browsers don't do this by default, as it slows down the user experience too much.

Upvotes: 1

Sanjeev

Reputation: 1575

It is possible:

openssl ocsp -issuer certchain.pem -cert cert.pem -text -url <the ocsp responder URL>

Some links to articles with more details:

https://raymii.org/s/articles/OpenSSL_Manually_Verify_a_certificate_against_an_OCSP.html

https://akshayranganath.github.io/OCSP-Validation-With-Openssl/

Upvotes: 2
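The six steps in Shane Powell's answer and the `openssl ocsp` invocations in Sanjeev's and Craig's answers, carried through end to end as an added example. This script is not code from any of the answers or from the OpenSSL project; it assumes only that the `openssl` CLI (1.1.1 or later) is on PATH. Everything it touches is constructed here: a throwaway self-signed CA, a leaf certificate with serial 1, the CA names, the revocation date, and an index file written in the `openssl ca` database layout so that the same tool can play the responder with no network at all (`-reqin`/`-respout` instead of `-url`/`-port`). The client side then does what a real validator must do: verify the response signature and chain against the trusted CA (`-CAfile`), match the CertID back to the request, and read the status word.

```shell
#!/bin/sh
# Added example: the full OCSP round trip with only the openssl CLI, offline.
# All certificates, names and dates below are constructed for this demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Step 1 (constructed test PKI): self-signed CA, leaf issued with serial 1.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
        -subj "/CN=Example Test CA" -days 365 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
        -subj "/CN=leaf.example.test" 2>/dev/null
    openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -set_serial 1 \
        -days 30 -out leaf.pem 2>/dev/null
}

# Steps 2-3: a real client reads the responder URL from the leaf's AIA
# extension (-ocsp_uri; empty for our constructed leaf), then builds the
# request. The CertID inside it is hash(issuer name), hash(issuer key), serial.
make_request() {
    openssl x509 -in leaf.pem -noout -ocsp_uri
    openssl ocsp -issuer ca.pem -cert leaf.pem -no_nonce -reqout req.der >/dev/null
}

# Step 4: act as the responder, offline. The index mimics the "openssl ca"
# database: status (V/R), expiry, revocation date, serial (hex), file, subject.
# The CA key signs the response directly, so the signer is the issuer itself.
sign_response() {   # $1 = V (valid) or R (revoked), $2 = output file
    revdate=""
    [ "$1" = "R" ] && revdate="240101000000Z"   # constructed revocation date
    printf '%s\t991231235959Z\t%s\t01\tunknown\t/CN=leaf.example.test\n' \
        "$1" "$revdate" > index.txt
    openssl ocsp -index index.txt -CA ca.pem -rsigner ca.pem -rkey ca.key \
        -CAfile ca.pem -reqin req.der -respout "$2" >/dev/null
}

# Steps 5-6: verify signature and chain against the trusted CA, confirm the
# response answers our CertID, and print the status word (good/revoked/unknown).
# openssl exits non-zero on a verify failure, which set -e turns into an abort.
check_status() {   # $1 = DER response file
    openssl ocsp -issuer ca.pem -cert leaf.pem -no_nonce -CAfile ca.pem \
        -respin "$1" > verify.txt
    grep -q '^Response verify OK' verify.txt
    awk -F': ' '/^leaf\.pem: /{print $2}' verify.txt
}

make_test_pki
make_request
sign_response V resp_good.der
sign_response R resp_revoked.der
GOOD_STATUS=$(check_status resp_good.der)          # good
REVOKED_STATUS=$(check_status resp_revoked.der)    # revoked
echo "good response -> $GOOD_STATUS; revoked response -> $REVOKED_STATUS"
```

The part that matters for a validator is `check_status`: without `-CAfile` (or `-noverify`, as in Craig's command) the signature on the response is not tied to anyone you trust, and a status of "good" would be meaningless. Note also that a "revoked" answer exits 0; the status word, not the exit code, is the result.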
