asyd.net

Welcome to the homepage of Bruno Bonfils (aka asyd).

EasySSL: a high-level library on top of OpenSSL

I'm currently working with the OpenSSL C API in order to add OCSP support to software such as FreeRADIUS and maybe Postfix. While writing more and more code just to send an OCSP request (~400 lines), I've been thinking about starting a high-level library on top of OpenSSL (the name EasySSL is just my first thought) so that developers don't have to deal with the complexity of using OpenSSL directly.

For example, I recently checked a well-known piece of software that can use certificates to authenticate users. After looking at the code, I noticed that the check was sometimes only done on the certificate's DN. That is a very weak test, and it may even be a serious security flaw. That's why I think it would be nice to provide developers with an easy-to-use, feature-complete library (OCSP support, for instance, is rarely available) for SSL functions.

Here is the code of the main function that checks a certificate with OCSP (I removed the error-checking code):

  #include <stdio.h>
  #include <stdlib.h>
  #include <openssl/x509.h>
  #include <openssl/ocsp.h>
  #include "easyssl.h"   /* assumed header name; declares ssl_config, init_ssl_config(),
                          * add_cert_to_CAstore(), x509_load_certificates_from_file()
                          * and ocsp_check_certificate() */

  /*
   * char *cacert: path of the CA certificate file to load
   * char *xfile : path of the final certificate file to load
   * char *url   : URL of the OCSP responder (eg http://pki.asyd.net/ejbca/publicweb/status/ocsp)
   */
  int check_certificate(char *cacert, char *xfile, char *url)
  {
    ssl_config *config = NULL;
    STACK_OF(X509) *certificates = NULL;
    X509 *certificate = NULL;
    char dn[256];
    int response = -1;

    /* Create a new EasySSL configuration and initialize it */
    config = malloc(sizeof(ssl_config));
    init_ssl_config(config);

    /* Add a certificate to the CA store */
    add_cert_to_CAstore(config, cacert);

    /* Load the certificate to check from a file. Since a file
     * may contain more than one certificate, we get a STACK_OF(X509),
     * check its size, and pop the single element */
    certificates = x509_load_certificates_from_file(xfile);
    if (certificates == NULL || sk_X509_num(certificates) != 1)
      goto error;

    /* Pop the certificate from the stack of X509 */
    certificate = sk_X509_pop(certificates);

    /*
     * ssl_config *config: pointer to the EasySSL configuration
     * char *url         : URL used to reach the OCSP responder
     * X509 *certificate : certificate to check
     * Return:
     *    < 0: internal error
     *      0: the certificate is valid
     *    > 0: the certificate is revoked, the return value is the reason code
     */
    response = ocsp_check_certificate(config, url, certificate);

    /* Display status; X509_NAME_oneline() gives the "/CN=.../O=.../C=.." form */
    printf("   certificate DN: %s\n",
           X509_NAME_oneline(X509_get_subject_name(certificate), dn, sizeof dn));
    printf("   status: ");

    if (response < 0)
      printf("Internal error\n");
    else if (response == 0)
      printf("OK\n");
    else
      {
        printf("revoked\n");
        printf("   reason: %s\n", OCSP_crl_reason_str(response));
      }

    X509_free(certificate);
    sk_X509_free(certificates);
    return response;

  error:
    /* error handling removed for brevity */
    sk_X509_free(certificates);
    return -1;
  }

% ./ocsp certs/cacert.pem certs/test00.pem
   certificate DN: /CN=Bruno Bonfils (test00)/O=asyd dot net/C=FR
   status: OK

% ./ocsp certs/cacert.pem certs/test01.pem
   certificate DN: /CN=Bruno Bonfils (test01)/O=asyd dot net/C=FR
   status: revoked
   reason: certificateHold

As you can see, it's very simple. I hope I'll have enough time to write an equally simple front end for SSL sockets, but first I'll add the certificate validity check.