How to create ocsp request using openssl in c++?

2019-08-27 20:19发布

问题:

I am trying to send a ocsp request to an ocsp server using C++, but I can't find anything to prepare the request. In the documentation I found the following functions

long SSL_get_tlsext_status_ocsp_resp(ssl, unsigned char **resp);
long SSL_set_tlsext_status_ocsp_resp(ssl, unsigned char *resp, int len);

How can I add the certificate and set the nonce for the request?

回答1:

Want you are trying to do is generate C++ code for the openssl OCSP command:

openssl ocsp -issuer issuer.pem -cert alice.pem -cert bob.pem -reqout ocspreq.der

The main OPENSSL API's you need are:

  • PEM_read_bio_X509 - reading certificates
  • OCSP_REQUEST_new - generating the OCSP request
  • OCSP_request_add0_id - adding certificate to request
  • i2d_OCSP_REQUEST_bio - write request out in DER format

The API's used may vary depending on certificate formats you wish to read in and write out.

An example of the above openssl command turned in simple C++ code is:

template<typename T, typename D>
std::unique_ptr<T, D> make_handle(T* handle, D deleter)
{
    return std::unique_ptr<T, D>{handle, deleter};
}

bool generate_ocsp_request()
{
    // load issuer certificate
    auto file = make_handle(BIO_new_file("issuer.pem", "r"), BIO_free);
    if(!file) return false;
    auto const issuer = make_handle(PEM_read_bio_X509(file.get(), nullptr, nullptr, nullptr), X509_free);
    if(!issuer) return false;

    // setup OCSP request
    auto const request = make_handle(OCSP_REQUEST_new(), OCSP_REQUEST_free);
    if(!request) return false;

    auto const cert_id_md = EVP_sha1();

    // add alice certificate to OCSP request
    file = make_handle(BIO_new_file("alice.pem", "r"), BIO_free);
    if(!file) return false;
    auto cert = PEM_read_bio_X509(file.get(), nullptr, nullptr, nullptr);

    auto id = OCSP_cert_to_id(cert_id_md, cert, issuer.get());
    if (id == nullptr) return false;
    if (!OCSP_request_add0_id(request.get(), id)) return false;

    // add bob certificate to OCSP request
    file = make_handle(BIO_new_file("bob.pem", "r"), BIO_free);
    if(!file) return false;
    cert = PEM_read_bio_X509(file.get(), nullptr, nullptr, nullptr);

    id = OCSP_cert_to_id(cert_id_md, cert, issuer.get());
    if (id == nullptr) return false;
    if (!OCSP_request_add0_id(request.get(), id)) return false;

    // write the request out in DER format
    file = make_handle(BIO_new_file("ocspreq.der", "wb"), BIO_free);
    if(!file) return false;

    // the below doesn't compile in C++ :(
    // return i2d_OCSP_REQUEST_bio(file.get(), request.get()) != 0;

    // go around the macro's that cause the problem in C++ because it will not automatically convert void* to unsigned char* like in C
    return ASN1_i2d_bio(reinterpret_cast<i2d_of_void *>(i2d_OCSP_REQUEST), file.get(), reinterpret_cast<unsigned char*>(request.get())) != 0;
}

UPDATE:

Reading the response gets a little involved.

The main apis used to process a response would be:

  • d2i_OCSP_RESPONSE_bio - loading response in DER format
  • OCSP_response_get1_basic - extract response information
  • OCSP_check_nonce - check the response is for the request (optional)
  • OCSP_basic_verify - verify the response is valid (optional)

There is no "text" that can be extracted, you need to extract specifically what you want from the response.

The below code is a example of this command basically

openssl ocsp -respin ocspresp.der -reqin ocspreq.der -issuer issuer.pem -cert alice.pem -cert bob.pem

bool read_ocsp_response()
{
    // load ocsp request (der format)
    auto file = make_handle(BIO_new_file("ocspreq.der", "rb"), BIO_free);
    if(!file) return false;
    auto const request = make_handle(d2i_OCSP_REQUEST_bio(file.get(), nullptr), OCSP_REQUEST_free);
    if(!request) return false;

    // load ocsp response (der format)
    file = make_handle(BIO_new_file("ocspresp.der", "rb"), BIO_free);
    if(!file) return false;
    auto const response = make_handle(d2i_OCSP_RESPONSE_bio(file.get(), nullptr), OCSP_RESPONSE_free);
    if(!response) return false;
    file.reset();

    // was the server response ok?
    if(OCSP_response_status(response.get()) != OCSP_RESPONSE_STATUS_SUCCESSFUL) return false;

    // verify response
    auto const basic_response = make_handle(OCSP_response_get1_basic(response.get()), OCSP_BASICRESP_free);
    if(!basic_response) return false;

    // check that the response is for the expected request
    auto const nonce_check_result = OCSP_check_nonce(request.get(), basic_response.get());
    if(nonce_check_result <= 0)
    {
        if(nonce_check_result == -1)
        {
            puts("WARNING: no nonce in response");
        }
        else
        {
            return false;
        }
    }

    // verify the response against the issuer certificate
    auto const issuers_certificate_stack = make_handle(sk_X509_new_null(), [](auto handle){ sk_X509_pop_free(handle, X509_free); });
    if(!issuers_certificate_stack) return false;

    file = make_handle(BIO_new_file("issuer.pem", "r"), BIO_free);
    if(!file) return false;

    auto const issuer = PEM_read_bio_X509(file.get(), nullptr, nullptr, nullptr);
    if(!issuer) return false;
    file.reset();

    sk_X509_push(issuers_certificate_stack.get(), issuer);

    // load default certificate store
    auto const store = make_handle(X509_STORE_new(), X509_STORE_free);
    if(!store) return false;
    auto const lookup = X509_STORE_add_lookup(store.get(), X509_LOOKUP_file());
    if(lookup == nullptr) return false;

    if(OCSP_basic_verify(basic_response.get(), issuers_certificate_stack.get(), store.get(), OCSP_TRUSTOTHER) != 1) return false;

    // check that all the certificates have a status ok results
    if(OCSP_resp_count(basic_response.get() == 0) return false;
    for (auto i = 0; i < OCSP_resp_count(basic_response.get()); i++)
    {
        auto const single_response = OCSP_resp_get0(basic_response.get(), i);
        if(single_response == nullptr) return false;

        if(OCSP_single_get0_status(single_response, nullptr, nullptr, nullptr, nullptr) != V_OCSP_CERTSTATUS_GOOD) return false;
    }

    return true;
}

If you want to find the status for a specific certificate like alice.pem, then you use OCSP_CERTID returned from OCSP_cert_to_id (see generating request) and use it with OCSP_resp_find_status API to find the status for that certificate rather that enumerating all the certificates like I'm doing in the code above.

If you are going to query the certificate(s) on a regular basis, you may like to use the next update time stamps returned from the status to schedule when to do the next check call.



标签: c++ openssl ocsp