Manual/OpenSSL

[OpenSSL] OCSP ์™€ TSP ๋ช…๋ น์–ด

JayKim๐Ÿ™‚ 2023. 4. 7. 10:18

OCSP ๋Š” RFC2560 ์—์„œ ์ •์˜ ๋œ Online Certificate Status Protocol ์˜ ์•ฝ์ž์ด๋‹ค.
TSP ๋Š” RFC3161 ์—์„œ ์ •์˜ ๋œ Time Stamp Protocol ์˜ ์•ฝ์ž์ด๋‹ค.

OpenSSL ์—์„œ ์ธ์ฆ์„œ ์ƒํƒœ ์ •๋ณด ํ”„๋กœํ† ์ฝœ์ธ OCSP ๊ด€๋ จ ๋ฉ”๋‰ด์–ผ
https://www.openssl.org/docs/man3.0/man1/openssl-ocsp.html

ํƒ€์ž„์Šคํƒฌํ”„ ๊ด€๋ จ ๋ฉ”๋‰ด์–ผ
https://www.openssl.org/docs/man3.0/man1/openssl-ts.html

OCSP ( Online Certificate Status Protocol )

OCSP Request ์ƒ์„ฑ

openssl ocsp -issuer ECDSA_CA.crt -cert CMS_Signer.crt -reqout ocsp-req.ber

OCSP ์ธ์ฆ์„œ ๊ฒ€์ฆ

์œ„์—์„œ ์ƒ์„ฑํ•œ ocsp-req.ber ํŒŒ์ผ์„ ์ฝ์–ด์„œ -url ๋กœ ์ง€์ •๋œ OCSP ์„œ๋ฒ„์—๊ฒŒ ๊ฒ€์ฆ ์š”์ฒญ

openssl ocsp -reqin ocsp-req.ber -text -url http://ocsp.test.com:8080/ocsp

๊ฒ€์ฆํ•  ์ธ์ฆ์„œ๋ฅผ ์ฝ์–ด์„œ ๊ฒ€์ฆ ์š”์ฒญ

openssl ocsp -issuer ECDSA_CA.crt -cert CMS_Signer.crt  -text -url http://ocsp.test.com:8080/ocsp

OCSP Reuqest ์ •๋ณด ๋ณด๊ธฐ

openssl ocsp -reqin ocsp-req.ber -text

OCSP Request ์ •๋ณด ๊ฒฐ๊ณผ

OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: B16FA4BFB9B4ECE5D00CB47BE64CB710BFEFB3EC
          Issuer Key Hash: 613273786D3E2FEC12ADAF15524AF02B79B0EE11
          Serial Number: 0BC6CA62C4BD687B
    Request Extensions:
        OCSP Nonce:
            0410563B7D447966E7140E57FD776BAF0C7F

TSP ( Time Stamp Protocol )

TSP ๋ช…๋ น์–ด๋ฅผ ์‚ฌ์šฉํ•˜๊ธฐ ์ „์— openssl.cnf ํŒŒ์ผ์— ์„ค์ •์ด ๋˜์–ด์•ผ ํ•œ๋‹ค.

openssl.cnf ์— TSP ๊ด€๋ จ ์„ค์ •

[ tsa ]

default_tsa = tsa_config1   # the default TSA section

[ tsa_config1 ]

# These are used by the TSA reply generation only.
dir     = /d/pvd_certs/xca      # TSA root directory
serial      = $dir/tsaserial    # The current serial number (mandatory)
crypto_device   = builtin       # OpenSSL engine to use for signing
signer_cert = $dir/OCSP_TSA.crt     # The TSA signing certificate
                    # (optional)
certs       = $dir/chain.crt    # Certificate chain to include in reply
                    # (optional)
signer_key  = $dir/OCSP_TSA_pri.pem # The TSA private key (optional)
signer_digest  = sha256         # Signing digest to use. (Optional)
default_policy  = tsa_policy1       # Policy if request did not specify it
                    # (optional)
other_policies  = tsa_policy2, tsa_policy3  # acceptable policies (optional)
digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)
accuracy    = secs:1, millisecs:500, microsecs:100  # (optional)
clock_precision_digits  = 0 # number of digits after dot. (optional)
ordering        = yes   # Is ordering defined for timestamps?
                # (optional, default: no)
tsa_name        = yes   # Must the TSA name be included in the reply?
                # (optional, default: no)
ess_cert_id_chain   = no    # Must the ESS cert id chain be included?
                # (optional, default: no)
ess_cert_id_alg     = sha1  # algorithm to compute certificate
                # identifier (optional, default: sha1)

TS ์ƒ์„ฑ

openssl ts -query -data mydata.txt -no_nonce -sha1 -out design1.tsq

TS ์ •๋ณด Print

openssl ts -query -in design1.tsq -text

TS ์ •๋ณด ๋ฉ”์„ธ์ง€ ๋ณด๊ธฐ

Version: 1
Hash Algorithm: sha1
Message data:
    0000 - f5 72 d3 96 fa e9 20 66-28 71 4f b2 ce 00 f7 2e   .r.... f(qO.....
    0010 - 94 f2 25 8f                                       ..%.
Policy OID: unspecified
Nonce: unspecified
Certificate required: no
Extensions:

TSA์™€ TSP ์šฉ์–ด๋ฅผ ํ˜ผํ•ฉ ํ•˜์—ฌ ์‚ฌ์šฉํ•˜๋Š” ๊ฒฝ์šฐ๊ฐ€ ๋งŽ์€๋ฐ
TSA ๋Š” Time Stamp Authority ์˜ ์•ฝ์ž๋กœ์„œ ํƒ€์ž„์Šคํƒฌํ•‘ ๊ธฐ๊ด€์ด๋ผ๋Š” ๋œป์œผ๋กœ ๋ณด๋Š”๋ฐ
์‚ฌ์‹ค TSA์—์„œ ์‚ฌ์šฉํ•˜๋Š” ๋ฉ”์„ธ์ง€ ํ”„๋กœํ† ์ฝœ์ด TSP ์ด๋‹ค.