Ero sivun ”OCSP” versioiden välillä
(2 välissä olevaa versiota samalta käyttäjältä ei näytetä) | |||
Rivi 11: | Rivi 11: | ||
Kun tuo urli on saatu niin voit tehdä ocsp haun käyttäen seuraavaa komentoa: | Kun tuo urli on saatu niin voit tehdä ocsp haun käyttäen seuraavaa komentoa: | ||
− | openssl ocsp -CApath certs -issuer | + | openssl ocsp -CApath certs -issuer $issuer -cert cert.pem -url $OCSP |
− | missä '''certs''' hakemistossa on vrkcqc3.pem ja vrkroot2c.pem tiedostot ja niiden symlinkit. Tuon hakemiston saa tehtyä seuraavilla komennoilla. | + | missä '''$issuer''' on oikea varmenteen myöntäjä ja missä '''certs''' hakemistossa on vrkcqc2.pem, vrkcqc3.pem vrkrootc.pem ja vrkroot2c.pem tiedostot ja niiden symlinkit. Tuon hakemiston saa tehtyä seuraavilla komennoilla. |
mkdir certs | mkdir certs | ||
− | for i in vrkroot2c vrkcqc3 | + | for i in vrkrootc vrkcqc2 vrkroot2c vrkcqc3 |
do | do | ||
echo Fetching http://proxy.fineid.fi/ca/$i.crt | echo Fetching http://proxy.fineid.fi/ca/$i.crt | ||
Rivi 32: | Rivi 32: | ||
#!/bin/sh | #!/bin/sh | ||
− | search="(&(givenname=Tero)(sn=Kivinen))" | + | if [ "x$1" = "x" ]; then |
+ | search="(&(givenname=Tero)(sn=Kivinen))" | ||
+ | else | ||
+ | search="$1" | ||
+ | fi | ||
rm -rf certs | rm -rf certs | ||
mkdir certs | mkdir certs | ||
− | for i in vrkroot2c vrkcqc3 | + | for i in vrkrootc vrkcqc2 vrkroot2c vrkcqc3 |
do | do | ||
echo Fetching http://proxy.fineid.fi/ca/$i.crt | echo Fetching http://proxy.fineid.fi/ca/$i.crt | ||
Rivi 50: | Rivi 54: | ||
while read cert | while read cert | ||
do | do | ||
− | + | num=`expr $num + 1` | |
− | + | a=`echo $cert | sed 's/.*:: //g'` | |
− | + | (echo '-----BEGIN X509 CERTIFICATE-----' ; | |
− | + | echo $a; | |
− | + | echo '-----END X509 CERTIFICATE-----') > certs/cert$num.pem | |
− | + | SUBJECT=`openssl x509 -in certs/cert$num.pem -text -noout | fgrep Subject: | sed 's/.*Subject:://g'` | |
− | + | OCSP=`openssl x509 -in certs/cert$num.pem -text -noout | fgrep OCSP | sed 's/.*URI://g'` | |
− | + | AID=`openssl x509 -in certs/cert$num.pem -text -noout | fgrep -C 1 'X509v3 Authority Key Identifier' | tail -1 | sed 's/ //g; s/keyid://g'` | |
− | + | ||
− | + | issuer="" | |
+ | for i in certs/v*.pem | ||
+ | do | ||
+ | SID=`openssl x509 -in $i -text -noout | fgrep -C 1 'X509v3 Subject Key Identifier' | tail -1 | sed 's/ //g; s/keyid://g'` | ||
+ | if [ "x$SID" = "x$AID" ]; then | ||
+ | issuer=$i | ||
+ | break | ||
+ | fi | ||
+ | done | ||
+ | if [ "x$issuer" = "x" ]; then | ||
+ | echo "Error Could not find issuer for the certificate, exiting" | ||
+ | exit 1 | ||
+ | fi | ||
+ | if [ "x$OCSP" = "x" ]; then | ||
+ | echo "No OCSP link, trying to guess from issuer" | ||
+ | case "$issuer" in | ||
+ | certs/vrkcqc2.pem) OCSP=http://ocsp.fineid.fi/vrkcqc2 ;; | ||
+ | certs/vrkcqc3.pem) OCSP=http://ocsp.fineid.fi/vrkcqc3 ;; | ||
+ | *) echo "Issuer $issuer not kwown" | ||
+ | exit 1 | ||
+ | esac | ||
+ | fi | ||
+ | echo Subject: $SUBJECT | ||
+ | echo OCPS link: $OCSP | ||
+ | echo Issuer: $issuer | ||
+ | openssl ocsp -CApath certs -issuer "$issuer" -cert certs/cert$num.pem -url $OCSP | ||
done | done | ||
</pre> | </pre> | ||
Rivi 67: | Rivi 96: | ||
<pre> | <pre> | ||
+ | ./check-ocsp.sh | ||
+ | Fetching http://proxy.fineid.fi/ca/vrkrootc.crt | ||
+ | Converting it to pem, and making CApath directory link | ||
+ | Fetching http://proxy.fineid.fi/ca/vrkcqc2.crt | ||
+ | Converting it to pem, and making CApath directory link | ||
Fetching http://proxy.fineid.fi/ca/vrkroot2c.crt | Fetching http://proxy.fineid.fi/ca/vrkroot2c.crt | ||
Converting it to pem, and making CApath directory link | Converting it to pem, and making CApath directory link | ||
Rivi 73: | Rivi 107: | ||
Subject: Subject: C = FI, serialNumber = 14683812B, GN = TERO, SN = KIVINEN, CN = KIVINEN TERO 14683812B | Subject: Subject: C = FI, serialNumber = 14683812B, GN = TERO, SN = KIVINEN, CN = KIVINEN TERO 14683812B | ||
OCPS link: http://ocsp.fineid.fi/vrkcqc2 | OCPS link: http://ocsp.fineid.fi/vrkcqc2 | ||
− | + | Issuer: certs/vrkcqc2.pem | |
+ | Response verify OK | ||
+ | certs/cert1.pem: good | ||
+ | This Update: Mar 9 14:24:17 2021 GMT | ||
+ | Next Update: Mar 9 22:24:17 2021 GMT | ||
Subject: Subject: C = FI, serialNumber = 13991724X, GN = TERO, SN = KIVINEN, CN = KIVINEN TERO 13991724X | Subject: Subject: C = FI, serialNumber = 13991724X, GN = TERO, SN = KIVINEN, CN = KIVINEN TERO 13991724X | ||
OCPS link: http://ocsp.fineid.fi/vrkcqc3 | OCPS link: http://ocsp.fineid.fi/vrkcqc3 | ||
+ | Issuer: certs/vrkcqc3.pem | ||
Response verify OK | Response verify OK | ||
− | cert2.pem: good | + | certs/cert2.pem: good |
− | This Update: Mar | + | This Update: Mar 9 14:33:44 2021 GMT |
− | Next Update: Mar | + | Next Update: Mar 9 22:33:44 2021 GMT |
Subject: Subject: C = FI, serialNumber = 133366417, GN = TERO, SN = KIVINEN, CN = KIVINEN TERO 133366417 | Subject: Subject: C = FI, serialNumber = 133366417, GN = TERO, SN = KIVINEN, CN = KIVINEN TERO 133366417 | ||
OCPS link: http://ocsp.fineid.fi/vrkcqc3 | OCPS link: http://ocsp.fineid.fi/vrkcqc3 | ||
+ | Issuer: certs/vrkcqc3.pem | ||
Response verify OK | Response verify OK | ||
− | cert3.pem: good | + | certs/cert3.pem: good |
− | This Update: Mar | + | This Update: Mar 9 14:33:44 2021 GMT |
− | Next Update: Mar | + | Next Update: Mar 9 22:33:44 2021 GMT |
</pre> | </pre> | ||
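Review bot: The `openssl ocsp` call on the last added line of the Rivi 50 hunk discards its result: a response that fails to verify, or a status of revoked or unknown, is only printed and the loop carries on, so the script's exit status reflects nothing but the last iteration. Check the call, e.g. `openssl ocsp -CApath certs -issuer "$issuer" -cert certs/cert$num.pem -url "$OCSP" || { echo "OCSP check of certs/cert$num.pem failed" >&2; exit 1; }`, and, since the exit code may not distinguish good from revoked, match the printed `certs/cert$num.pem: good` line as well. That line also expands `$OCSP`, a URL taken from the certificate being checked, unquoted; quoted, an empty or multi-line value cannot turn into stray arguments. Two lines above, `echo OCPS link: $OCSP` misspells OCSP. The `while` loop is the last stage of a pipeline whose head lies before the hunk, so the `exit 1` calls inside it end that stage and the pipeline reports their status.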
Nykyinen versio 30. maaliskuuta 2021 kello 19.22
Online Certificate Status Protocol (OCSP) on varmenteen tilan kyselyyn tarkoitettu yhteyskäytäntö.
OCSP:n käyttö openssl:llä
Openssl:llä voi tehdä OCSP-hakuja ja tarkistaa varmenteen oikeellisuutta.
Urli, josta OCSP-haut tehdään, löytyy varmenteesta itsestään Authority Information Access -nimisestä kentästä. Tuon saa haettua openssl:llä esim. seuraavasti:
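# The OCSP responder URL lives in the certificate's Authority Information
# Access extension. -ocsp_uri prints exactly that (one URL per line), which is
# sturdier than grepping the human-readable -text dump whose layout changes
# between OpenSSL versions.
OCSP=$(openssl x509 -in cert.pem -noout -ocsp_uri)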
Kun tuo urli on saatu, voit tehdä OCSP-haun käyttäen seuraavaa komentoa:
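# Query the responder at $OCSP about cert.pem; the response is verified against
# the CA certificates under certs/ (-CApath). Both expansions are quoted so an
# empty or multi-line value cannot be split into extra arguments.
openssl ocsp -CApath certs -issuer "$issuer" -cert cert.pem -url "$OCSP"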
missä $issuer on varmenteen oikea myöntäjä ja certs-hakemistossa ovat vrkcqc2.pem-, vrkcqc3.pem-, vrkrootc.pem- ja vrkroot2c.pem-tiedostot ja niiden symlinkit. Tuon hakemiston saa tehtyä seuraavilla komennoilla.
# Build the CApath directory: each CA certificate is fetched as DER, converted
# to PEM and linked under its subject-hash name so openssl -CApath can find it.
mkdir certs
for ca in vrkrootc vrkcqc2 vrkroot2c vrkcqc3; do
  echo "Fetching http://proxy.fineid.fi/ca/$ca.crt"
  wget --quiet "http://proxy.fineid.fi/ca/$ca.crt" -O "$ca.crt"
  echo "Converting it to pem, and making CApath directory link"
  openssl x509 -inform DER -in "$ca.crt" -out "certs/$ca.pem"
  hash=$(openssl x509 -noout -hash -in "certs/$ca.pem")
  ln -s "$ca.pem" "certs/$hash.0"
done
VRK:n varmennehierarkiassa olevien varmenteiden oikeellisuuden tarkistaminen
Seuraavalla skriptillä voi hakea varmenteita VRK:n ldap-hakemistosta ja tehdä niille OCSP-tarkistukset:
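#!/bin/sh
# check-ocsp.sh: fetch certificates from the FINEID LDAP directory and run an
# OCSP status check on each one against the VRK CA hierarchy.
#
# Usage: ./check-ocsp.sh [ldap-filter]
#   $1 - LDAP search filter handed as-is to ldapsearch; when omitted the
#        author's own certificates are searched.
#
# Side effects: ./certs is removed and recreated, the four CA certificates are
# downloaded into the current directory (*.crt) and converted into certs/ with
# subject-hash links (a CApath), and every certificate returned by LDAP is
# written to certs/certN.pem.
#
# Exit status: 0 when at least one certificate was found and every one of them
# had a known issuer and an OCSP answer of "good"; 1 otherwise. Progress and
# status lines go to stdout, errors to stderr.

if [ "x$1" = "x" ]; then
    search="(&(givenname=Tero)(sn=Kivinen))"
else
    search="$1"
fi

# Print a message on stderr and stop.
die() {
    echo "$*" >&2
    exit 1
}

# Print the hex key identifier of the named X509v3 extension ($1) found in the
# certificate file $2. openssl -text prints the identifier on the line after
# the extension name, which is what -C 1 / tail pick up; spaces and a "keyid:"
# prefix are stripped so Subject and Authority identifiers compare as strings.
key_id() {
    openssl x509 -in "$2" -text -noout \
        | grep -F -C 1 "$1" | tail -n 1 | sed 's/ //g; s/keyid://g'
}

rm -rf certs
mkdir certs || die "Cannot create the certs directory"

# Build the CApath used to verify the OCSP responses. A failed download or
# conversion would otherwise only surface later as a verification failure,
# so every step is checked here.
for i in vrkrootc vrkcqc2 vrkroot2c vrkcqc3
do
    echo "Fetching http://proxy.fineid.fi/ca/$i.crt"
    wget --quiet "http://proxy.fineid.fi/ca/$i.crt" -O "$i.crt" \
        || die "Fetching $i.crt failed"
    echo "Converting it to pem, and making CApath directory link"
    openssl x509 -inform DER -in "$i.crt" -out "certs/$i.pem" \
        || die "Converting $i.crt to PEM failed"
    ln -s "$i.pem" "certs/$(openssl x509 -noout -hash -in "certs/$i.pem").0" \
        || die "Creating the CApath link for $i.pem failed"
done

num=0
failed=0
# The sed program joins LDIF continuation lines (lines starting with a space)
# back onto their attribute line, so each certificate is one base64 line. The
# whole consumer is the last pipeline stage and runs in a single subshell, so
# the counters are still visible to the exit at the end of the group.
ldapsearch -x -h ldap.fineid.fi -b dmdName=fineid,c=fi "$search" usercertificate | \
    sed -n '1x;1!H;${g;s/\n *//g;p}' | \
    grep -F 'usercertificate;binary::' | \
    {
    while read -r cert
    do
        num=$((num + 1))
        pem="certs/cert$num.pem"
        # Everything after "usercertificate;binary:: " is the base64 DER.
        b64=${cert#*:: }
        # Standard PEM label (RFC 7468); OpenSSL reads it like the older
        # "X509 CERTIFICATE" one, other tools only this one.
        {
            echo '-----BEGIN CERTIFICATE-----'
            echo "$b64"
            echo '-----END CERTIFICATE-----'
        } > "$pem"

        # The -text dump indents the subject and prefixes it with "Subject: ";
        # strip both so the line printed below reads "Subject: C = FI, ...".
        SUBJECT=$(openssl x509 -in "$pem" -text -noout | grep -F 'Subject:' | sed 's/.*Subject: //')
        # Responder address from the Authority Information Access extension;
        # -ocsp_uri prints one URL per line and the first one is used.
        OCSP=$(openssl x509 -in "$pem" -noout -ocsp_uri | head -n 1)
        AID=$(key_id 'X509v3 Authority Key Identifier' "$pem")
        [ -n "$AID" ] || die "Error $pem has no Authority Key Identifier, exiting"

        # The issuer is the CA whose Subject Key Identifier equals the
        # certificate's Authority Key Identifier.
        issuer=""
        for ca in certs/v*.pem
        do
            if [ "x$(key_id 'X509v3 Subject Key Identifier' "$ca")" = "x$AID" ]; then
                issuer=$ca
                break
            fi
        done
        [ -n "$issuer" ] || die "Error Could not find issuer for the certificate, exiting"

        if [ "x$OCSP" = "x" ]; then
            echo "No OCSP link, trying to guess from issuer"
            case "$issuer" in
            certs/vrkcqc2.pem) OCSP=http://ocsp.fineid.fi/vrkcqc2 ;;
            certs/vrkcqc3.pem) OCSP=http://ocsp.fineid.fi/vrkcqc3 ;;
            *) die "Issuer $issuer not known" ;;
            esac
        fi

        echo "Subject: $SUBJECT"
        echo "OCSP link: $OCSP"
        echo "Issuer: $issuer"
        # The responder's signature is verified against the CAs in certs/
        # (-CApath). The exit status alone is not trusted to tell "good" from
        # "revoked" or "unknown", so the printed status line is matched too;
        # any failure is remembered and reported through the exit status.
        out=$(openssl ocsp -CApath certs -issuer "$issuer" -cert "$pem" -url "$OCSP")
        rv=$?
        [ -n "$out" ] && printf '%s\n' "$out"
        case "$rv:$out" in
        0:*"$pem: good"*) ;;
        *)  echo "OCSP check of $pem did not succeed (status $rv)" >&2
            failed=1 ;;
        esac
    done
    [ "$num" -gt 0 ] || die "No certificates found in LDAP for $search"
    exit "$failed"
    }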
Ja jos tuon ajaa, tulee tuloksena seuraavaa:
./check-ocsp.sh Fetching http://proxy.fineid.fi/ca/vrkrootc.crt Converting it to pem, and making CApath directory link Fetching http://proxy.fineid.fi/ca/vrkcqc2.crt Converting it to pem, and making CApath directory link Fetching http://proxy.fineid.fi/ca/vrkroot2c.crt Converting it to pem, and making CApath directory link Fetching http://proxy.fineid.fi/ca/vrkcqc3.crt Converting it to pem, and making CApath directory link Subject: Subject: C = FI, serialNumber = 14683812B, GN = TERO, SN = KIVINEN, CN = KIVINEN TERO 14683812B OCPS link: http://ocsp.fineid.fi/vrkcqc2 Issuer: certs/vrkcqc2.pem Response verify OK certs/cert1.pem: good This Update: Mar 9 14:24:17 2021 GMT Next Update: Mar 9 22:24:17 2021 GMT Subject: Subject: C = FI, serialNumber = 13991724X, GN = TERO, SN = KIVINEN, CN = KIVINEN TERO 13991724X OCPS link: http://ocsp.fineid.fi/vrkcqc3 Issuer: certs/vrkcqc3.pem Response verify OK certs/cert2.pem: good This Update: Mar 9 14:33:44 2021 GMT Next Update: Mar 9 22:33:44 2021 GMT Subject: Subject: C = FI, serialNumber = 133366417, GN = TERO, SN = KIVINEN, CN = KIVINEN TERO 133366417 OCPS link: http://ocsp.fineid.fi/vrkcqc3 Issuer: certs/vrkcqc3.pem Response verify OK certs/cert3.pem: good This Update: Mar 9 14:33:44 2021 GMT Next Update: Mar 9 22:33:44 2021 GMT