===== EasySSL: A high-level library for OpenSSL =====
I'm currently working with the OpenSSL C API in order to add OCSP support to software like FreeRADIUS and maybe Postfix. While writing more and more code just to send a single OCSP request (~400 lines), I started thinking about a high-level library on top of OpenSSL (the name EasySSL is just my first thought) so that developers don't have to deal with the complexity of using OpenSSL directly.

For example, I recently checked a well-known piece of software that can use certificates to authenticate users. After looking at the code, I noticed that the check was sometimes done only on the certificate's DN. That is a very weak test, and it may even be a serious security flaw. That's why I think it would be nice to give developers an easy-to-use, feature-complete library (OCSP support is rarely available) for SSL functions.
Here is the code of the main function that checks a certificate via OCSP (I removed the error-checking code):
<code c>
#include <stdio.h>
#include <stdlib.h>
#include <openssl/x509.h>
#include <openssl/ocsp.h>
#include "easyssl.h"   /* EasySSL header (name assumed): declares ssl_config and the functions used below */

int main(int argc, char **argv)
{
    ssl_config *config = NULL;
    STACK_OF(X509) *certificates = NULL;
    X509 *certificate = NULL;
    int response = -1;
    char dn[256];
    char *cacert;  /* path of CA certificate file to load */
    char *xfile;   /* path of final certificate file to load */
    /* URL used to reach the OCSP responder (the example responder from the comment below) */
    char *url = "http://pki.asyd.net/ejbca/publicweb/status/ocsp";

    if (argc != 3) {
        fprintf(stderr, "usage: %s cacert.pem certificate.pem\n", argv[0]);
        return 1;
    }
    cacert = argv[1];
    xfile = argv[2];

    /* Create a new EasySSL configuration and initialize it */
    config = malloc(sizeof(ssl_config));
    if (config == NULL)
        goto error;
    init_ssl_config(config);

    /* Add a certificate to the CA store */
    add_cert_to_CAstore(config, cacert);

    /* Load the certificate to check from a file; since a file
     * may contain more than one certificate, we need to
     * use a STACK_OF(X509), check its size, and pop the single element */
    certificates = x509_load_certificates_from_file(xfile);
    if (certificates == NULL || sk_X509_num(certificates) != 1)
        goto error;
    /* Pop the certificate from the stack of X509 */
    certificate = sk_X509_pop(certificates);

    /*
     * ssl_config *config: pointer to EasySSL configuration
     * char *url: URL to use to reach the OCSP responder (eg http://pki.asyd.net/ejbca/publicweb/status/ocsp)
     * X509 *certificate: certificate to check
     * Return:
     *   < 0: Internal error
     *     0: The certificate is valid
     *   > 0: The certificate is revoked, the return value stands for the reason
     */
    response = ocsp_check_certificate(config, url, certificate);

    /* Display status */
    X509_NAME_oneline(X509_get_subject_name(certificate), dn, sizeof(dn));
    printf(" certificate DN: %s\n", dn);
    printf(" status: ");
    if (response < 0)
        printf("Internal error\n");
    else if (response == 0)
        printf("OK\n");
    else
    {
        printf("revoked\n");
        printf(" reason: %s\n", OCSP_crl_reason_str(response));
    }

    X509_free(certificate);
    sk_X509_free(certificates);
    free(config);
    return response < 0 ? 1 : 0;

error:
    fprintf(stderr, "error: could not load configuration or certificate\n");
    sk_X509_free(certificates);
    free(config);
    return 1;
}
</code>
<code>
% ./ocsp certs/cacert.pem certs/test00.pem
 certificate DN: /CN=Bruno Bonfils (test00)/O=asyd dot net/C=FR
 status: OK
% ./ocsp certs/cacert.pem certs/test01.pem
 certificate DN: /CN=Bruno Bonfils (test01)/O=asyd dot net/C=FR
 status: revoked
 reason: certificateHold
</code>
As you can see, it's **very simple**. I hope I'll have enough time to write equally simple functions as an SSL sockets frontend, but first I'll add the validity check.
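As an added example (not EasySSL's code), here is a constructed model of one OCSP single response and an evaluator that keeps the revocation reason out of the return value, because RFC 5280 numbers the "unspecified" CRLReason 0 and a single-int convention would make it collide with "valid"; it also treats an "unknown" status or a stale response as an error rather than as valid. The struct, its fields, and the one-day freshness policy are assumptions for this example.

```c
#include <time.h>

/* Constructed model (not EasySSL code) of what an OCSP SingleResponse
 * (RFC 6960) carries for one certificate: its status, the CRLReason if
 * revoked, and the freshness window of the response itself. */
enum cert_status { CERT_GOOD, CERT_REVOKED, CERT_UNKNOWN };

struct ocsp_single_response {
    enum cert_status status;
    int reason;          /* RFC 5280 CRLReason: unspecified(0), keyCompromise(1), ..., certificateHold(6) */
    time_t this_update;  /* time at which the responder asserted this status */
    time_t next_update;  /* 0: responder gave no expiry for this status */
};

#define OCSP_MAX_AGE   (24 * 60 * 60)  /* assumed policy: accept responses up to one day old */
#define OCSP_MAX_SKEW  (5 * 60)        /* tolerate small clock differences with the responder */

/*
 * Evaluate one response at time `now`.
 * Return: -1 = do not trust (unknown status, stale or not-yet-valid response)
 *          0 = valid
 *          1 = revoked, with the CRLReason stored in *reason
 * Keeping the reason out of the return value avoids the collision between
 * CRLReason unspecified (0) and "valid".
 */
int ocsp_evaluate(const struct ocsp_single_response *r, time_t now, int *reason)
{
    *reason = -1;
    /* A response dated in the future, or older than policy allows, is not
     * evidence of anything: fail closed instead of falling through to "valid". */
    if (r->this_update > now + OCSP_MAX_SKEW)
        return -1;
    if (r->next_update != 0) {
        if (r->next_update < now - OCSP_MAX_SKEW)
            return -1;
    } else if (now - r->this_update > OCSP_MAX_AGE) {
        return -1;
    }
    switch (r->status) {
    case CERT_GOOD:
        return 0;
    case CERT_REVOKED:
        *reason = r->reason;
        return 1;
    case CERT_UNKNOWN:   /* responder does not know this certificate: not "good" */
    default:
        return -1;
    }
}
```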
//[[geeklog:2006:12:28:easyssl|Permanent link and discussions]]//