mpeylo / cmpossl

An OpenSSL-based implementation of the Certificate Management Protocol (CMP), defined in IETF RFCs 4210, 4211, and 6712. It is being extended according to the emerging RFCs 'CMP Updates' (CMPv3), 'CMP Algorithms', and 'Lightweight CMP Profile'.
https://github.com/mpeylo/cmpossl/wiki

Allow flexible configuration of cert revocation status checking for TLS, CMP, and/or new certs #143

Open DDvO opened 6 years ago

DDvO commented 6 years ago

Improve the configurability of the cert status checking code (CRL use, OCSP, stapling) such that it no longer depends on global configuration variables but on flags and potentially further entries in the respective X509_STORE. New flags and further options needed:

```c
#define X509_V_FLAG_OCSP_STAPLING    ... /* Use OCSP stapling (for TLS) */
#define X509_V_FLAG_OCSP_CHECK       ... /* Check certificates with OCSP */
#define X509_V_FLAG_OCSP_LAST        ... /* Try OCSP last (after CRLs) */
#define X509_V_FLAG_STATUS_CHECK_ALL X509_V_FLAG_CRL_CHECK_ALL /* full chain */
#define X509_V_FLAG_STATUS_CHECK_ANY ... /* any cert containing CDP/AIA */

#define X509_STORE_EX_DATA_OCSP_URL     ...
#define X509_STORE_EX_DATA_OCSP_TIMEOUT ...
```

Supersede the legacy CLI options `-crl_check` and `-crl_check_all`, and replace the current options `-crl_download`, `-ocsp_check_all`, `-ocsp_use_aia`, and `-ocsp_status` by

```text
-revcheck_tls (none|leaf|any|full)[:(crls|ocsp|ocsp_last|stapling)]
-revcheck_cmp (none|leaf|any|full)[:(crls|ocsp|ocsp_last)]
-revcheck_new (none|leaf|any|full)[:(crls|ocsp|ocsp_last)]
```

This allows configuring the checking individually for the following three levels: CMP, TLS, and newly enrolled cert. The options `-crls`, `-crl_timeout`, `-ocsp_url`, and `-ocsp_timeout` should remain. For instance, `cmp -revcheck_cmp any:ocsp` checks revocation using OCSP for those certs in the chain of the CMP server cert for which AIA entries are present.
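The proposal above leaves the flag values as `...` and gives only the grammar of the three `-revcheck_*` options. As an added illustration (not code from cmpossl or OpenSSL), the following C parser turns one option value such as `any:ocsp` into a bitmask for the scope (`none|leaf|any|full`) and method (`crls|ocsp|ocsp_last|stapling`) proposed in the issue, and enforces the two constraints the grammar implies: `stapling` is accepted only for the TLS level, and a method suffix on `none` is rejected as contradictory. The `REVCHECK_*` bit values, the `revcheck_level` enum, the `parse_revcheck` function and the default of "use CRLs when no method is given" are all assumptions made for this example, not names or behaviour from the project.

```c
/* Added example, not cmpossl/OpenSSL code: parse the proposed
 * -revcheck_(tls|cmp|new) option values into a flag bitmask. */
#include <stdio.h>
#include <string.h>

/* Assumed bit values; the issue leaves the real X509_V_FLAG_* values as "..." */
#define REVCHECK_SCOPE_NONE     0x00
#define REVCHECK_SCOPE_LEAF     0x01  /* only the end-entity cert */
#define REVCHECK_SCOPE_ANY      0x02  /* any cert carrying CDP/AIA */
#define REVCHECK_SCOPE_FULL     0x04  /* whole chain, like CRL_CHECK_ALL */
#define REVCHECK_USE_CRLS       0x10
#define REVCHECK_USE_OCSP       0x20
#define REVCHECK_OCSP_LAST      0x40  /* try OCSP only after CRLs */
#define REVCHECK_OCSP_STAPLING  0x80  /* TLS only */

/* Which of the three configuration levels the option applies to */
enum revcheck_level { REVCHECK_TLS, REVCHECK_CMP, REVCHECK_NEW };

/* Returns the combined flags, or -1 on a syntax error or an invalid
 * combination (e.g. "stapling" for a non-TLS level, or "none:ocsp"). */
long parse_revcheck(enum revcheck_level level, const char *spec)
{
    char buf[64];
    char *method;
    long flags;

    if (spec == NULL || strlen(spec) >= sizeof(buf))
        return -1;
    strcpy(buf, spec);

    /* split "<scope>[:<method>]" at the first colon */
    method = strchr(buf, ':');
    if (method != NULL)
        *method++ = '\0';

    if (strcmp(buf, "none") == 0)
        flags = REVCHECK_SCOPE_NONE;
    else if (strcmp(buf, "leaf") == 0)
        flags = REVCHECK_SCOPE_LEAF;
    else if (strcmp(buf, "any") == 0)
        flags = REVCHECK_SCOPE_ANY;
    else if (strcmp(buf, "full") == 0)
        flags = REVCHECK_SCOPE_FULL;
    else
        return -1;

    if (method == NULL) {
        /* Assumption for this example: no method suffix means CRLs */
        if (flags != REVCHECK_SCOPE_NONE)
            flags |= REVCHECK_USE_CRLS;
        return flags;
    }
    if (flags == REVCHECK_SCOPE_NONE)
        return -1;  /* "none:<method>" makes no sense */

    if (strcmp(method, "crls") == 0) {
        flags |= REVCHECK_USE_CRLS;
    } else if (strcmp(method, "ocsp") == 0) {
        flags |= REVCHECK_USE_OCSP;
    } else if (strcmp(method, "ocsp_last") == 0) {
        /* "Try OCSP last (after CRLs)": both methods, CRLs first */
        flags |= REVCHECK_USE_CRLS | REVCHECK_USE_OCSP | REVCHECK_OCSP_LAST;
    } else if (strcmp(method, "stapling") == 0) {
        if (level != REVCHECK_TLS)
            return -1;  /* grammar only allows stapling for -revcheck_tls */
        flags |= REVCHECK_USE_OCSP | REVCHECK_OCSP_STAPLING;
    } else {
        return -1;
    }
    return flags;
}

int main(void)
{
    /* the example from the issue: -revcheck_cmp any:ocsp */
    printf("any:ocsp (cmp)      -> 0x%02lx\n", parse_revcheck(REVCHECK_CMP, "any:ocsp"));
    printf("full:stapling (tls) -> 0x%02lx\n", parse_revcheck(REVCHECK_TLS, "full:stapling"));
    printf("full:stapling (cmp) -> %ld (rejected)\n", parse_revcheck(REVCHECK_CMP, "full:stapling"));
    return 0;
}
```

The rejection of `stapling` outside `-revcheck_tls` mirrors the option grammar, in which only the TLS variant lists `stapling`; a real implementation would additionally need to store per-level flags in the respective X509_STORE rather than in one global, which is the point of the proposal.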