|
geeklog 2005/09/19 08:24 |
geeklog 2008/10/03 08:25 current |
| - | ====== September, 19th ======= | + | =====EasySSL ? A high level library to OpenSSL===== |
| | + | |
| | + | I'm actually working with OpenSSL C API, to be able to add |
| | + | OCSP support to software like freeradius, maybe postfix, etc.. |
| | + | While I'm writing more and more code to send an OCSP request (~400 lines) |
| | + | I'm thinking to start a high level library to OpenSSL (the name easyssl |
| | + | is just my first thought) to help developers to doesn't care really |
| | + | about the complex usage of OpenSSL. |
| | + | |
| | + | For example, I recently check |
| | + | a well know software which can use certificates to authenticate users. After taking a look |
| | + | in code, I noticed the check was sometimes only done on the DN certificate, it's a very poor test, it's may be even a serious security flaw. That's why I think it could be nice to provide developers an easy to use library, features fill (OCSP support is not often available) for SSL functions. |
| | + | |
| | + | Here the code of main function to check a certificate by OCSP (I removed |
| | + | checks code) |
| | + | |
| | + | <code c> |
| | + | /* Create a new EasySSL configuration and initialize it */ |
| | + | config = malloc (sizeof (ssl_config)); |
| | + | init_ssl_config(config); |
| | + | |
| | + | /* Add a certificate to the CA store */ |
| | + | |
| | + | /* char *cacert : path of CA certificate file to load */ |
| | + | add_cert_to_CAstore(config, cacert)) |
| | + | |
| | + | /* Load certificate to check from a file, since a file |
| | + | * may contains more than one certificates, we need to |
| | + | * use a STACK_OF(X509), check its size, and pop the uniq element */ |
| | + | |
| | + | /* char *xfile: path of final certificate file to load */ |
| | + | certificates = x509_load_certificates_from_file(xfile); |
| | + | { |
| | + | X509 *certificate = NULL; |
| | + | int response = -1; |
| | + | |
| | + | if (sk_num(certificates) != 1) |
| | + | goto error; |
| | + | |
| | + | /* Pop the certificate from stack of X509 */ |
| | + | certificate = (X509 *) sk_pop(certificates); |
| | + | |
| | + | /* |
| | + | * ssl_config *config: pointer to EasySSL configuration |
| | + | * char *url: URL to use to join the OCSP responder, (eg http://pki.asyd.net/ejbca/publicweb/status/ocsp) |
| | + | * X509 *certificate: certificate to check |
| | + | * Return: |
| | + | * < 0: Internal error |
| | + | * 0: The certificate is valid |
| | + | * > 0: The certificate is revoked, the return value stand for the reason |
| | + | */ |
| | + | response = ocsp_check_certificate(config, url, certificate) |
| | + | |
| | + | /* Display status */ |
| | + | printf(" certificate DN: %s\n", |
| | + | certificate->name); |
| | + | |
| | + | printf(" status: "); |
| | + | |
| | + | if (response < 0) |
| | + | printf("Internal error\n"); |
| | + | else if (response == 0) |
| | + | printf("OK\n"); |
| | + | else if (response > 0) |
| | + | { |
| | + | printf("revoked\n"); |
| | + | printf(" reason: %s\n", OCSP_crl_reason_str(response)); |
| | + | } |
| | + | } |
| | + | </code> |
| | + | |
| | + | <code> |
| | + | % ./ocsp certs/cacert.pem certs/test00.pem |
| | + | certificate DN: /CN=Bruno Bonfils (test00)/O=asyd dot net/C=FR |
| | + | status: OK |
| | + | |
| | + | % ./ocsp certs/cacert.pem certs/test01.pem |
| | + | certificate DN: /CN=Bruno Bonfils (test01)/O=asyd dot net/C=FR |
| | + | status: revoked |
| | + | reason: certificateHold |
| | + | </code> |
| | + | |
| | + | As you can see, it's **very simple**. I hope I'll have enough time to code the same |
| | + | simple function as SSL sockets frontend, but in a first time I'll add the validity |
| | + | check. |
| | + | |
| | + | |
| | + | //[[geeklog:2006:12:28:easyssl|Permanent link and discussions]]// |
| | + | |
| | + | |
| | + | ===== Interview ===== |
| | + | |
| | + | |
| | + | //[[geeklog:2006/12/04:interview|Permanent link and discussions]] // |
| | + | |
| | + | |
| | + | ===== Logicial if solaris ===== |
| | + | |
| | + | |
| | + | //[[geeklog:2006/10/25:logicial_if_solaris|Permanent link and discussions]] // |
| | + | |
| | + | |
| | + | ===== Solaris zsh ===== |
| | + | |
| | + | |
| | + | //[[geeklog:2006/09/07:solaris_zsh|Permanent link and discussions]] // |
| | + | |
| | + | |
| | + | ===== Pkgsrc pgsql ===== |
| | + | |
| | + | |
| | + | //[[geeklog:2006/09/06:pkgsrc_pgsql|Permanent link and discussions]] // |
| | + | |
| | + | |
| | + | |
| | + | |
| | + | |
| | + | |
| | + | |
| | + | |
| | + | |
| | + | |
| | + | |
| | + | |
| | + | |
| | + | |
| | + | |
| | + | |
| | + | |
| | + | |
| | + | |
| | + | |
| | + | |
| | + | |
| | + | |
| | + | |
| | | | |
| - | =====Small useful applications====== | |
| | | | |
| - | * [[http://freshmeat.net/redir/brack/55828/url_homepage/programs|Brack]] is a small php application which help to manage rack, it have interesting features (like a Service tag field for Dell hardware), and can be easily hack. | |
| - | * [[http://www.redferni.uklinux.net/dia/|Sheets in color for Dia]], which include all Cisco sheets in colors (I don't understand why this package is not include in the upstream) | |
| | | | |
| - | [[geeklog:comments:20050919|Comments]] | |
