OCSP is short for Online Certificate Status Protocol, defined in RFC 2560 (since obsoleted by RFC 6960, which OpenSSL also implements).
TSP is short for Time-Stamp Protocol, defined in RFC 3161.
OpenSSL manual page for OCSP, the certificate status protocol:
https://www.openssl.org/docs/man3.0/man1/openssl-ocsp.html
Manual page for time stamping:
https://www.openssl.org/docs/man3.0/man1/openssl-ts.html
OCSP ( Online Certificate Status Protocol )
Creating an OCSP Request
openssl ocsp -issuer ECDSA_CA.crt -cert CMS_Signer.crt -reqout ocsp-req.ber
OCSP certificate status check
Read the ocsp-req.ber created above and send it to the OCSP responder given by -url (-text also prints the decoded request and response):
openssl ocsp -reqin ocsp-req.ber -text -url http://ocsp.test.com:8080/ocsp
๊ฒ์ฆํ ์ธ์ฆ์๋ฅผ ์ฝ์ด์ ๊ฒ์ฆ ์์ฒญ
openssl ocsp -issuer ECDSA_CA.crt -cert CMS_Signer.crt -text -url http://ocsp.test.com:8080/ocsp
Viewing an OCSP Request
openssl ocsp -reqin ocsp-req.ber -text
Output of the OCSP Request
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: B16FA4BFB9B4ECE5D00CB47BE64CB710BFEFB3EC
Issuer Key Hash: 613273786D3E2FEC12ADAF15524AF02B79B0EE11
Serial Number: 0BC6CA62C4BD687B
Request Extensions:
OCSP Nonce:
0410563B7D447966E7140E57FD776BAF0C7F
TSP ( Time Stamp Protocol )
Before using the TSP commands, openssl.cnf must be configured. Only openssl ts -reply (generating the TSA reply) reads the [tsa] section below; -query and -verify work without it.
TSP-related settings in openssl.cnf
[ tsa ]
default_tsa = tsa_config1 # the default TSA section
[ tsa_config1 ]
# These are used by the TSA reply generation only.
dir = /d/pvd_certs/xca # TSA root directory
serial = $dir/tsaserial # The current serial number (mandatory)
crypto_device = builtin # OpenSSL engine to use for signing
signer_cert = $dir/OCSP_TSA.crt # The TSA signing certificate
# (optional)
certs = $dir/chain.crt # Certificate chain to include in reply
# (optional)
signer_key = $dir/OCSP_TSA_pri.pem # The TSA private key (optional)
signer_digest = sha256 # Signing digest to use. (Optional)
default_policy = tsa_policy1 # Policy if request did not specify it
# (optional)
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
clock_precision_digits = 0 # number of digits after dot. (optional)
ordering = yes # Is ordering defined for timestamps?
# (optional, default: no)
tsa_name = yes # Must the TSA name be included in the reply?
# (optional, default: no)
ess_cert_id_chain = no # Must the ESS cert id chain be included?
# (optional, default: no)
ess_cert_id_alg = sha1 # algorithm to compute certificate
# identifier (optional, default: sha1)
Creating a TS query (the timestamp request)
openssl ts -query -data mydata.txt -no_nonce -sha1 -out design1.tsq
-no_nonce omits the nonce from the request; -sha1 hashes mydata.txt with SHA-1, kept here to match the output below, but -sha256 should be used in practice.
Printing the TS query
openssl ts -query -in design1.tsq -text
Output of the TS query
Version: 1
Hash Algorithm: sha1
Message data:
0000 - f5 72 d3 96 fa e9 20 66-28 71 4f b2 ce 00 f7 2e .r.... f(qO.....
0010 - 94 f2 25 8f ..%.
Policy OID: unspecified
Nonce: unspecified
Certificate required: no
Extensions:
TSA and TSP are often used interchangeably.
TSA is short for Time Stamp Authority, the entity that issues timestamps;
TSP is the message protocol a TSA speaks, i.e. the request and reply formats shown above.