Generate a CRL from an OCSP request

classic Classic list List threaded Threaded
10 messages Options
Reply | Threaded
Open this post in threaded view
|

Generate a CRL from an OCSP request

Julien VEHENT
Hi all,

I'm having an OCSP Responder on my CA and i want to use it in order to generate
CRL's on others servers.

So the idea is:

+-----+
| CA &|<====ocsp request====(1)===+-----------+>>(3)>\
|ocsp |...........................|openvpn srv|......(CRL GENERATION)
+-----+=====ocsp response===(2)==>+-----------+<<(4)</

and with the ocsp response i want to generate a CRL.

For the ocsp resquest, i'm using the openssl toolkit with a cron. But i have
several problems:

_How can i request all certificates managed by my CA in one ocsp request ?
(i don't want to copy all of these signed certificates on all of my openvpn
servers)

_How can i encode the response in PEM format in order to use it with OpenVPN ?

I really want to use the OCSP protocol for several reason (including security
consideration) so publication through HTTP protocol is not a good solution for
me.


Could you help me ?... :)


------------------------------------------------------------------
J. VEHENT
[hidden email]




------------------------------------------------------------------
  Microgate |      02.47.66.95.01    |     www.microgate.fr

attachment0 (1K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Generate a CRL from an OCSP request

Dr. Stephen Henson
On Wed, Jun 01, 2005, Julien VEHENT wrote:

> Hi all,
>
> I'm having an OCSP Responder on my CA and i want to use it in order to generate
> CRL's on others servers.
>
> So the idea is:
>
> +-----+
> | CA &|<====ocsp request====(1)===+-----------+>>(3)>\
> |ocsp |...........................|openvpn srv|......(CRL GENERATION)
> +-----+=====ocsp response===(2)==>+-----------+<<(4)</
>
> and with the ocsp response i want to generate a CRL.
>
> For the ocsp resquest, i'm using the openssl toolkit with a cron. But i have
> several problems:
>
> _How can i request all certificates managed by my CA in one ocsp request ?
> (i don't want to copy all of these signed certificates on all of my openvpn
> servers)
>
> _How can i encode the response in PEM format in order to use it with OpenVPN ?
>
> I really want to use the OCSP protocol for several reason (including security
> consideration) so publication through HTTP protocol is not a good solution for
> me.
>
>
> Could you help me ?... :)

OCSP can't really be used that way unless you include the serial numbers of
*all* that CAs certificates in the request. That could result in a very large
request and responder overhead.

What is your problem with HTTP? A CRL is digitally signed so it can't be
tampered with.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Generate a CRL from an OCSP request

Julien VEHENT
"Dr. Stephen Henson" <[hidden email]> a écrit :

> On Wed, Jun 01, 2005, Julien VEHENT wrote:
>
>> Hi all,
>>
>> I'm having an OCSP Responder on my CA and i want to use it in order
>> to generate
>> CRL's on others servers.
>>
>> So the idea is:
>>
>> +-----+
>> | CA &|<====ocsp request====(1)===+-----------+>>(3)>
>> |ocsp |...........................|openvpn srv|......(CRL GENERATION)
>> +-----+=====ocsp response===(2)==>+-----------+<<(4)</
>>
>> and with the ocsp response i want to generate a CRL.
>>
>> For the ocsp resquest, i'm using the openssl toolkit with a cron. But i have
>> several problems:
>>
>> _How can i request all certificates managed by my CA in one ocsp request ?
>> (i don't want to copy all of these signed certificates on all of my openvpn
>> servers)
>>
>> _How can i encode the response in PEM format in order to use it with
>> OpenVPN ?
>>
>> I really want to use the OCSP protocol for several reason (including
>> security
>> consideration) so publication through HTTP protocol is not a good
>> solution for
>> me.
>>
>>
>> Could you help me ?... :)
>
> OCSP can't really be used that way unless you include the serial numbers of
> *all* that CAs certificates in the request. That could result in a very large
> request and responder overhead.
>
> What is your problem with HTTP? A CRL is digitally signed so it can't be
> tampered with.



I don't want to use HTTP just because web server are to much attacked.
Moreover,
OCSP is very interesting for the student that i am :)

OK so if i use a "boring script" which request 100 serial in one line,
what is
the correct syntax to generate a CRL using the OpenSSL OCSP request ?

I've tried to use the -respout argument and a crl conversion (with openssl crl
-inform DER [...] -outform PEM [...] ) but it doesn't work...

the error message is : unable to load CRL

And the openssl ocsp --help doesn't speak about CRL generation......






Thank you very much for your answers :)




------------------------------------------------------------------
J. VEHENT

Student in Computer Security

[hidden email]





------------------------------------------------------------------
  Microgate |      02.47.66.95.01    |     www.microgate.fr


attachment0 (196 bytes) Download Attachment
attachment1 (1K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Re: Generate a CRL from an OCSP request

Erwann ABALEA
Hodie post. Kal. Iun. MMV est, Julien VEHENT scripsit:
> "Dr. Stephen Henson" <[hidden email]> a écrit :
>
> >On Wed, Jun 01, 2005, Julien VEHENT wrote:
> >
> >>I'm having an OCSP Responder on my CA and i want to use it in order
> >>to generate
> >>CRL's on others servers.

Usually, it's the other way around: provide an OCSP service based on a
CRL.
In fact, what you're trying to do is impossible to do. An OCSP
response can't be transformed into a valid CRL.

> I don't want to use HTTP just because web server are to much attacked.

Then use a small web server, and apply the necessary security patches.
Isn't your OCSP responder attacked?

--
Erwann ABALEA <[hidden email]>
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Generate a CRL from an OCSP request

Jason Haar
In reply to this post by Julien VEHENT
Julien VEHENT wrote:

>
> I don't want to use HTTP just because web server are to much attacked.
> Moreover,
> OCSP is very interesting for the student that i am :)
>
> OK so if i use a "boring script" which request 100 serial in one
> line,  what is
> the correct syntax to generate a CRL using the OpenSSL OCSP request ?

I don't think you can do what you want anyway - you have a chicken-n-egg
problem.

As far as I'm aware, an OCSP environment implies the following. You
(e.g. the HTTPS server) are asked to interact with a remote cert, you
can tell it was signed by a CA you trust - but you don't know if it
hasn't been revoked. So you call OCSP and say "is serial 7423342 still
valid" and it answers yes or no.

So for you to dump all the revoked certs contained within a OCSP db,
you'd need to know all of the serial numbers in advance. And the only
thing that know all the assigned serial numbers - is the CA itself. So
now what do you do? Log into the CA and dump the serial numbers, copy
them over to the box and then use OCSP to recursively do the lookups?!?!
A waste of time - you could have just grabbed the CRL file in the first
place.

What we do is have a distribution of "CRL Servers". Simply Apache server
with a copy of our CRL (rsync'ed onto the Apache servers from the CA on
an hourly basis). As Stephen said, all CRLs are digitally signed by the
CA - so THEY CANNOT BE ALTERED.

Worst case scenario is that the Web server is compromised and...? The
CRL is deleted...? Corrupted? It can't be altered. I mean if you're Web
server is compromised, the integrity of your CRL file is irrelevant

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Generate a CRL from an OCSP request

Julien VEHENT
Jason Haar <[hidden email]> a écrit :

> Julien VEHENT wrote:
>
>>
>> I don't want to use HTTP just because web server are to much
>> attacked. Moreover,
>> OCSP is very interesting for the student that i am :)
>>
>> OK so if i use a "boring script" which request 100 serial in one
>> line,  what is
>> the correct syntax to generate a CRL using the OpenSSL OCSP request ?
>
> I don't think you can do what you want anyway - you have a
> chicken-n-egg problem.
>
> As far as I'm aware, an OCSP environment implies the following. You
> (e.g. the HTTPS server) are asked to interact with a remote cert, you
> can tell it was signed by a CA you trust - but you don't know if it
> hasn't been revoked. So you call OCSP and say "is serial 7423342
> still valid" and it answers yes or no.
>
> So for you to dump all the revoked certs contained within a OCSP db,
> you'd need to know all of the serial numbers in advance. And the only
> thing that know all the assigned serial numbers - is the CA itself.
> So now what do you do? Log into the CA and dump the serial numbers,
> copy them over to the box and then use OCSP to recursively do the
> lookups?!?! A waste of time - you could have just grabbed the CRL
> file in the first place.
>
> What we do is have a distribution of "CRL Servers". Simply Apache
> server with a copy of our CRL (rsync'ed onto the Apache servers from
> the CA on an hourly basis). As Stephen said, all CRLs are digitally
> signed by the CA - so THEY CANNOT BE ALTERED.
>
> Worst case scenario is that the Web server is compromised and...? The
> CRL is deleted...? Corrupted? It can't be altered. I mean if you're
> Web server is compromised, the integrity of your CRL file is
> irrelevant
Thanks for your very interesting answer...

Now I understand that the use of OCSP request with openvpn is not the
better way
for me...

Perhaps, in a next release, openvpn dev will include the ocsp support ;)





------------------------------------------------------------------
J. VEHENT
[hidden email]




------------------------------------------------------------------
  Microgate |      02.47.66.95.01    |     www.microgate.fr


attachment0 (1K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Is this a memory leak?

David Brock
In reply to this post by Dr. Stephen Henson
When I run valgrind (valgrind --leak-check=full --leak-resolution=high
-v) I'm getting the following three memory leak errors reported. I
believe I am shutting OpenSSL down correctly and freeing all of the
memory I get back from these calls. Does anyone have any thoughts or
suggestions?

==30637== 268 bytes in 1 blocks are definitely lost in loss record 61 of
78^M
==30637==    at 0x1B9052E4: malloc (vg_replace_malloc.c:130)^M
==30637==    by 0x807A17F: default_malloc_ex (mem.c:79)^M
==30637==    by 0x807A6B4: CRYPTO_malloc (mem.c:304)^M
==30637==    by 0x8084BB6: BUF_MEM_grow (buffer.c:110)^M
==30637==    by 0x809E1CF: X509_NAME_oneline (x509_obj.c:85)^M
==30637==    by 0x8095EC0: x509_cb (x_x509.c:101)^M
==30637==    by 0x80999B1: ASN1_item_ex_d2i (tasn_dec.c:398)^M
==30637==    by 0x8099FFF: ASN1_item_d2i (tasn_dec.c:115)^M
==30637==    by 0x809611A: d2i_X509 (x_x509.c:125)^M
==30637==    by 0x809CFA2: PEM_ASN1_read_bio (pem_oth.c:80)^M
==30637==    by 0x809CF44: PEM_read_bio_X509 (pem_x509.c:68)^M

==30637== 1252 (84 direct, 1168 indirect) bytes in 1 blocks are
definitely lost in loss record 68 of 78^M
==30637==    at 0x1B9052E4: malloc (vg_replace_malloc.c:130)^M
==30637==    by 0x807A17F: default_malloc_ex (mem.c:79)^M
==30637==    by 0x807A6B4: CRYPTO_malloc (mem.c:304)^M
==30637==    by 0x8082E59: RSA_new_method (rsa_lib.c:132)^M
==30637==    by 0x80830EC: RSA_new (rsa_lib.c:76)^M
==30637==    by 0x8083684: rsa_cb (rsa_asn1.c:80)^M
==30637==    by 0x8096CC4: asn1_item_ex_combine_new (tasn_new.c:160)^M
==30637==    by 0x8099DEF: ASN1_item_ex_d2i (tasn_dec.c:317)^M
==30637==    by 0x8099FFF: ASN1_item_d2i (tasn_dec.c:115)^M
==30637==    by 0x808374A: d2i_RSAPublicKey (rsa_asn1.c:111)^M
==30637==    by 0x80C7DAF: d2i_PublicKey (d2i_pu.c:93)^M
==30637==    by 0x80C6F07: X509_PUBKEY_get (x_pubkey.c:220)^M

==30637== 3942 (84 direct, 3858 indirect) bytes in 1 blocks are
definitely lost in loss record 72 of 78^M
==30637==    at 0x1B9052E4: malloc (vg_replace_malloc.c:130)^M
==30637==    by 0x807A17F: default_malloc_ex (mem.c:79)^M
==30637==    by 0x807A6B4: CRYPTO_malloc (mem.c:304)^M
==30637==    by 0x8096DDB: asn1_item_ex_combine_new (tasn_new.c:170)^M
==30637==    by 0x8099DEF: ASN1_item_ex_d2i (tasn_dec.c:317)^M
==30637==    by 0x8099FFF: ASN1_item_d2i (tasn_dec.c:115)^M
==30637==    by 0x809611A: d2i_X509 (x_x509.c:125)^M
==30637==    by 0x8073B14: ssl3_connect (s3_clnt.c:812)^M
==30637==    by 0x806273F: SSL_connect (ssl_lib.c:825)^M
==30637==    by 0x805F862: ssl23_connect (s23_clnt.c:504)^M
==30637==    by 0x806273F: SSL_connect (ssl_lib.c:825)^M

Thank you in advance!

                           -David-

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

RE: Is this a memory leak?

JoelKatz

> When I run valgrind (valgrind --leak-check=full --leak-resolution=high
> -v) I'm getting the following three memory leak errors reported. I
> believe I am shutting OpenSSL down correctly and freeing all of the
> memory I get back from these calls. Does anyone have any thoughts or
> suggestions?

        The textbook answer is to do whatever you did *twice* and if the numbers
don't double, it wasn't a leak. The first looks like it might be a leak. The
second and third don't look at all like a leak.

        DS



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Cert memory leak ...

David Brock
In reply to this post by David Brock
I'm still trying to track down some memory leaks and using the following
code I'm see leaks in the OpenSSL library. Could some one please let me
know if I'm making these calls incorrectly, or if there are any patches
(other then upgrading to 0.9.8) that can be applied to fix the leaks. We
are currently using 0.9.7g.
void
process(EVP_PKEY **pubKey)
{
        X509 *rootCert = NULL;
        FILE *fp;
        BIO *fileBio = NULL;
        fp =
fopen("/home/dbrock/src/GMSModule/certs/production/cacert.pem","r");
        if (fp == NULL)
        {
                printf("Error could not open root cert\n");
                return -1;
        }
        fileBio = BIO_new(BIO_s_file());
        BIO_set_fp(fileBio,fp,BIO_NOCLOSE);
        rootCert = PEM_read_bio_X509(fileBio,NULL, NULL, NULL);
        if (rootCert == NULL)
        {
                printf("Error could not open root cert\n");
                return -1;
        }
        /* Pull out the public key */
        if ((*pubKey = X509_get_pubkey(rootCert)) == NULL)
        {
                printf("Error could not get public key\n");
                return -1;
        }
        BIO_free(fileBio);
        fileBio = NULL;
        (void) fclose(fp);
        fp = NULL;
        OPENSSL_free(rootCert);
        return 0;
}

int
main (int argc, char **argv)
{
        EVP_PKEY *pubKey = NULL;
        process(&pubKey);
        OPENSSL_free(pubKey);
        return 0;
}

Valgrind reports:
==7340==    by 0x805B8DD: ASN1_template_new (tasn_new.c:271)
==7340==    by 0x805B704: asn1_item_ex_combine_new (tasn_new.c:178)
==7340==    by 0x805E7DF: ASN1_item_ex_d2i (tasn_dec.c:317)
==7340==    by 0x805E9EF: ASN1_item_d2i (tasn_dec.c:115)
==7340==    by 0x805AD9A: d2i_X509 (x_x509.c:125)
==7340==    by 0x804D0A2: PEM_ASN1_read_bio (pem_oth.c:80)
==7340==    by 0x804D044: PEM_read_bio_X509 (pem_x509.c:68)
==7340==    by 0x8048FFC: process (hashtest.c:118)
==7340==
==7340==
==7340== 1904 (112 direct, 1792 indirect) bytes in 7 blocks are
definitely lost in loss record 24 of 50
==7340==    at 0x1B9052E4: malloc (vg_replace_malloc.c:130)
==7340==    by 0x804912F: default_malloc_ex (mem.c:79)
==7340==    by 0x8049664: CRYPTO_malloc (mem.c:304)
==7340==    by 0x805FB26: ASN1_STRING_type_new (asn1_lib.c:377)
==7340==    by 0x805B776: asn1_item_ex_combine_new (tasn_new.c:327)
==7340==    by 0x805B8DD: ASN1_template_new (tasn_new.c:271)
==7340==    by 0x805B704: asn1_item_ex_combine_new (tasn_new.c:178)
==7340==    by 0x805E7DF: ASN1_item_ex_d2i (tasn_dec.c:317)
==7340==    by 0x805E9EF: ASN1_item_d2i (tasn_dec.c:115)
==7340==    by 0x805AD9A: d2i_X509 (x_x509.c:125)
==7340==    by 0x804D0A2: PEM_ASN1_read_bio (pem_oth.c:80)
==7340==    by 0x804D044: PEM_read_bio_X509 (pem_x509.c:68)
==7340==
==7340==
==7340== 1876 bytes in 7 blocks are definitely lost in loss record 46 of 50
==7340==    at 0x1B9052E4: malloc (vg_replace_malloc.c:130)
==7340==    by 0x804912F: default_malloc_ex (mem.c:79)
==7340==    by 0x8049664: CRYPTO_malloc (mem.c:304)
==7340==    by 0x80545D6: BUF_MEM_grow (buffer.c:110)
==7340==    by 0x804DEBF: X509_NAME_oneline (x509_obj.c:85)
==7340==    by 0x805AB40: x509_cb (x_x509.c:101)
==7340==    by 0x805E3A1: ASN1_item_ex_d2i (tasn_dec.c:398)
==7340==    by 0x805E9EF: ASN1_item_d2i (tasn_dec.c:115)
==7340==    by 0x805AD9A: d2i_X509 (x_x509.c:125)
==7340==    by 0x804D0A2: PEM_ASN1_read_bio (pem_oth.c:80)
==7340==    by 0x804D044: PEM_read_bio_X509 (pem_x509.c:68)
==7340==    by 0x8048FFC: process (hashtest.c:118)
==7340==
==7340==
==7340== 2800 (588 direct, 2212 indirect) bytes in 7 blocks are
definitely lost in loss record 48 of 50
==7340==    at 0x1B9052E4: malloc (vg_replace_malloc.c:130)
==7340==    by 0x804912F: default_malloc_ex (mem.c:79)
==7340==    by 0x8049664: CRYPTO_malloc (mem.c:304)
==7340==    by 0x806D519: RSA_new_method (rsa_lib.c:132)
==7340==    by 0x806D7AC: RSA_new (rsa_lib.c:76)
==7340==    by 0x806DD44: rsa_cb (rsa_asn1.c:80)
==7340==    by 0x805B6B4: asn1_item_ex_combine_new (tasn_new.c:160)
==7340==    by 0x805E7DF: ASN1_item_ex_d2i (tasn_dec.c:317)
==7340==    by 0x805E9EF: ASN1_item_d2i (tasn_dec.c:115)
==7340==    by 0x806DE0A: d2i_RSAPublicKey (rsa_asn1.c:111)
==7340==    by 0x805B2CF: d2i_PublicKey (d2i_pu.c:93)
==7340==    by 0x8059C17: X509_PUBKEY_get (x_pubkey.c:220)
==7340==
==7340== LEAK SUMMARY:
==7340==    definitely lost: 2912 bytes in 35 blocks.
==7340==    indirectly lost: 17626 bytes in 630 blocks.
==7340==      possibly lost: 0 bytes in 0 blocks.
==7340==    still reachable: 340 bytes in 14 blocks.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Cert memory leak ...

Goetz Babin-Ebell
David Brock wrote:

> I'm still trying to track down some memory leaks and using the following
> code I'm see leaks in the OpenSSL library. Could some one please let me
> know if I'm making these calls incorrectly, or if there are any patches
> (other then upgrading to 0.9.8) that can be applied to fix the leaks. We
> are currently using 0.9.7g.
> void
> process(EVP_PKEY **pubKey)
> {
>        X509 *rootCert = NULL;
>        FILE *fp;
>        BIO *fileBio = NULL;
>        fp =
> fopen("/home/dbrock/src/GMSModule/certs/production/cacert.pem","r");
>        if (fp == NULL)
>        {
>                printf("Error could not open root cert\n");
>                return -1;
>        }
>        fileBio = BIO_new(BIO_s_file());
>        BIO_set_fp(fileBio,fp,BIO_NOCLOSE);
Why don't you simply do a
        BIO *fileBio = BIO_new_file("/home/dbrock/src/GMSModule/certs/production/cacert.pem","r");
        if (!fileBio)
                ...

>        rootCert = PEM_read_bio_X509(fileBio,NULL, NULL, NULL);
>        if (rootCert == NULL)
>        {
>                printf("Error could not open root cert\n");
>                return -1;
>        }
>        /* Pull out the public key */
>        if ((*pubKey = X509_get_pubkey(rootCert)) == NULL)
>        {
>                printf("Error could not get public key\n");
>                return -1;
>        }
>        BIO_free(fileBio);
>        fileBio = NULL;
>        (void) fclose(fp);
>        fp = NULL;
>        OPENSSL_free(rootCert);
X509_free(rootcert);

>        return 0;
> }
>
> int
> main (int argc, char **argv)
> {
>        EVP_PKEY *pubKey = NULL;
>        process(&pubKey);
>        OPENSSL_free(pubKey);

EVP_PKEY_free(pubkey);

>        return 0;
> }

Bye

Goetz

--
DMCA: The greed of the few outweighs the freedom of the many

smime.p7s (4K) Download Attachment