OpenSSL certificate revocation check in client program using OCSP stapling
I have a C client program that connects to a server using OpenSSL. The server provides its certificate during the handshake and the client has to check the revocation status of that certificate. I am currently doing this with OCSP.

It all works, but now I need to redo the client revocation check using OCSP stapling (assuming the server will start providing it).

I am currently getting the server certificate using X509 *cert = SSL_get_peer_certificate(ssl) to check subjectAltName against my server domain and to get authorityInfoAccess (for the OCSP URI).

Assuming I have SSL *ssl; and I have successfully set everything up and connected through SSL_connect(ssl);, what should I do at this point to get the OCSP stapling information and verify the certificate I just received? I cannot find any sample code for how to implement this using the OpenSSL library.
There are several steps:

- Have the client request the status_request extension using SSL_set_tlsext_status_type(ssl, TLSEXT_STATUSTYPE_ocsp).
- Register a callback (and argument) to validate the OCSP response via SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb) and SSL_CTX_set_tlsext_status_arg(ctx, arg).
- Write a callback function. The one used by s_client demonstrates how to get the response information:

    #include <openssl/ssl.h>
    #include <openssl/ocsp.h>
    #include <openssl/bio.h>

    /* Called by OpenSSL during the client handshake once the server's
     * certificate (and any stapled status) has been processed. `arg` is the
     * pointer given to SSL_CTX_set_tlsext_status_arg(); s_client passes its
     * output BIO. Return 1 to continue the handshake, 0 to abort it. */
    static int ocsp_resp_cb(SSL *s, void *arg)
    {
        const unsigned char *p;
        int len;
        OCSP_RESPONSE *rsp;

        /* Borrowed pointer to the stapled DER bytes; p stays NULL and len is
         * -1 when the server sent no staple. */
        len = SSL_get_tlsext_status_ocsp_resp(s, &p);
        BIO_puts(arg, "OCSP response: ");
        if (!p) {
            BIO_puts(arg, "no response sent\n");
            return 1;           /* s_client tolerates a missing staple */
        }
        rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
        if (!rsp) {
            BIO_puts(arg, "response parse error\n");
            BIO_dump_indent(arg, (char *)p, len, 4);
            return 0;           /* an unparsable staple aborts the handshake */
        }
        BIO_puts(arg, "\n======================================\n");
        /* Pretty-prints the response only; this callback does not verify
         * its signature, freshness or certificate status. */
        OCSP_RESPONSE_print(arg, rsp, 0);
        BIO_puts(arg, "======================================\n");
        OCSP_RESPONSE_free(rsp);
        return 1;
    }