
[OpenSSL] CMP command usage

JayKim🙂 2023. 4. 7. 12:01

CMP (Certificate Management Protocol) is supported by OpenSSL starting with version 3.0.
To use CMP you therefore need OpenSSL 3.0 or later.

https://www.openssl.org/docs/man3.0/man1/openssl-cmp.html

In practice, the OpenSSL CMP command shown here is a test command: the certificate and private key are created beforehand, and CMP is only used to transfer them.
So the openssl.cnf file and all the certificates and private keys must be prepared in advance.
The certificates and private keys used in this example can be created as files from the contents of the "Test certificates and private keys (PEM)" section below.

CMP ์—์„œ cmd ์˜ต์…˜์— ๊ด€ํ•˜์—ฌ

ir - Initialization Request
cr - Certificate Request
p10cr - PKCS#10 Certificate Request (for legacy support)
kur - Key Update Request
rr - Revocation Request
genm - General Message

์ธ์ฆ์„œ ํ๊ธฐ ์ด์œ 

CRLReason ::= ENUMERATED {
     unspecified             (0),
     keyCompromise           (1),
     cACompromise            (2),
     affiliationChanged      (3),
     superseded              (4),
     cessationOfOperation    (5),
     certificateHold         (6),
     -- value 7 is not used
     removeFromCRL           (8),
     privilegeWithdrawn      (9),
     aACompromise           (10)
 }

CMP-related settings in openssl.cnf

Where a setting gives no path, the file is looked up in the folder the openssl command is run from.
That is, a setting such as "newkey = insta.priv.pem" refers to the insta.priv.pem file in the current folder.

[insta] # CMP using Insta Demo CA
# Message transfer
server = 127.0.0.1:8080 # server the CMP client connects to
# proxy = # set this as far as needed, e.g., http://192.168.1.1:8080
# tls_used = 0
path = pkix/

# Server authentication
recipient = "/C=kr/CN=RSA_ROOT_CA" # or set srvcert or issuer
ignore_keyusage = 1 # potentially needed quirk
unprotected_errors = 1 # potentially needed quirk
extracertsout = insta.extracerts.pem

# Client authentication
ref = 3078 # user identification
secret = pass:insta # can be used for both client and server side

# Generic message options
cmd = ir # default operation, can be overridden on cmd line with, e.g., kur

# Certificate enrollment
subject = "/C=kr/CN=CMP_TEST" # DN of the certificate to be issued
newkey = insta.priv.pem
out_trusted = RSA_ROOT_CA.crt
certout = insta.cert.pem

[pbm] # Password-based protection for Insta CA
# Server and client authentication
ref = $insta::ref # 3078
secret = $insta::secret # pass:insta

[signature] # Signature-based protection for Insta CA
# Server authentication
trusted = RSA_ROOT_CA.crt # does not include keyUsage digitalSignature

# Client authentication
secret = # disable PBM
key = $insta::newkey # insta.priv.pem
cert = $insta::certout # insta.cert.pem

[ir]
cmd = ir

[cr]
cmd = cr

[kur]
# Certificate update
cmd = kur
oldcert = $insta::certout # insta.cert.pem

[rr]
# Certificate revocation
cmd = rr
oldcert = $insta::certout # insta.cert.pem

Running the CMP mock server

This command starts a test mock server for CMP.

openssl cmp -port 8080 -srv_trusted RSA_ROOT_CA.crt \
  -srv_key RSA_ROOT_CA_key.pem \
  -srv_cert RSA_ROOT_CA.crt \
  -srv_secret pass:insta \
  -rsp_cert insta.cert.pem

-port : port the server listens on (e.g. 8080)
-srv_trusted : trusted certificate file (here the root is also the CA, so the same certificate is used for the server)
-srv_key : private key for the CMP server
-srv_cert : certificate for the CMP server
-srv_secret : the shared password, checked against the value "insta"
-rsp_cert : the mock server does not actually issue a certificate; it returns the certificate in this file instead.

CMP ํด๋ผ์ด์–ธํŠธ ๋ช…๋ น์–ด ์‹คํ–‰

openssl cmp -section insta

To run this command, the insta.priv.pem private key file and the RSA_ROOT_CA.crt file must both be in the folder the command is run from.
This insta.priv.pem file must be the private key belonging to the certificate in insta.cert.pem that the CMP server sends back.

Execution output

 openssl cmp -section insta
cmp_main:apps/cmp.c:2779:CMP info: using section(s) 'insta' of OpenSSL configuration file 'C:/msys64/home/RANIX/work/PKILib/lib/win64/openssl3/ssl/openssl.cnf'
setup_client_ctx:apps/cmp.c:1957:CMP info: will contact http://127.0.0.1:8080/pkix/
CMP info: sending IR
CMP info: received IP
CMP info: sending CERTCONF
CMP info: received PKICONF
save_free_certs:apps/cmp.c:2004:CMP info: received 0 extra certificate(s), saving to file 'insta.extracerts.pem'
save_free_certs:apps/cmp.c:2004:CMP info: received 1 enrolled certificate(s), saving to file 'insta.cert.pem'

If no command type is given, ir is used by default.
In fact, using the cr command as below issues the certificate just the same.

openssl cmp -section insta -cmd cr

Other settings are needed as well, but they are taken from the "insta" section of the openssl.cnf file.
That is why the command line stays this short.
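The whole flow above (mock server, then client with -section insta), as an added example that is not from the original post: it generates throwaway keys in place of the PEM files, writes a minimal config holding only the [insta] keys, uses port 18080 instead of 8080, pre-issues the CMP_TEST certificate as rsp.cert.pem for the mock server to hand back, and then checks the delivered insta.cert.pem against the root CA and against newkey. The function name cmp_mock_roundtrip and the file name rsp.cert.pem are my own; it assumes OpenSSL 3.x in PATH.

```shell
#!/bin/sh
# Added example, not code from the original post: runs the post's whole flow
# (mock server, then client) with throwaway keys generated here, and checks the result.
# Assumptions: OpenSSL 3.x in PATH; 127.0.0.1:18080 is free.
cmp_mock_roundtrip() {
  work=$(mktemp -d) && cd "$work" || return 1
  # Root CA (also the CMP server identity) and the client key insta.priv.pem.
  # The mock server issues nothing; it returns whatever -rsp_cert holds, so the
  # CMP_TEST certificate for that key is pre-issued here from the root CA.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout RSA_ROOT_CA_key.pem \
    -out RSA_ROOT_CA.crt -subj "/C=kr/CN=RSA_ROOT_CA" -days 1 \
    -addext "basicConstraints=critical,CA:TRUE" 2>/dev/null &&
  openssl genrsa -out insta.priv.pem 2048 2>/dev/null &&
  openssl req -new -key insta.priv.pem -subj "/C=kr/CN=CMP_TEST" -out insta.csr &&
  openssl x509 -req -in insta.csr -CA RSA_ROOT_CA.crt -CAkey RSA_ROOT_CA_key.pem \
    -CAcreateserial -days 1 -out rsp.cert.pem 2>/dev/null || return 1
  # Minimal client config: the [insta] keys from the post, nothing else
  cat > cmp.cnf <<'EOF'
[insta]
server = 127.0.0.1:18080
path = pkix/
recipient = "/C=kr/CN=RSA_ROOT_CA"
ignore_keyusage = 1
unprotected_errors = 1
ref = 3078
secret = pass:insta
cmd = ir
subject = "/C=kr/CN=CMP_TEST"
newkey = insta.priv.pem
out_trusted = RSA_ROOT_CA.crt
certout = insta.cert.pem
EOF
  # Mock server in the background, same options as the post on another port
  openssl cmp -port 18080 -srv_trusted RSA_ROOT_CA.crt -srv_key RSA_ROOT_CA_key.pem \
    -srv_cert RSA_ROOT_CA.crt -srv_secret pass:insta -rsp_cert rsp.cert.pem \
    >/dev/null 2>&1 &
  srv=$!
  sleep 2
  openssl cmp -config cmp.cnf -section insta 2>/dev/null; rc=$?
  kill "$srv" 2>/dev/null
  [ "$rc" -eq 0 ] || return 1
  # Post-enrollment checks: the delivered certificate chains to the trusted
  # root and its public key belongs to newkey (the client checks this too)
  openssl verify -CAfile RSA_ROOT_CA.crt insta.cert.pem >/dev/null 2>&1 || return 1
  [ "$(openssl x509 -in insta.cert.pem -noout -pubkey)" = \
    "$(openssl pkey -in insta.priv.pem -pubout)" ] || return 1
  echo "enrolled CN=CMP_TEST: chain ok, key match ok"
}
```

Call cmp_mock_roundtrip from the shell; it prints the success line only when the client run, the chain check and the key match all pass.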

Test certificates and private keys (PEM)

RSA_ROOT_CA certificate (RSA_ROOT_CA.crt)


RSA_ROOT_CA private key (RSA_ROOT_CA_key.pem)


CMP_TEST certificate (insta.cert.pem)


CMP_TEST private key (insta.priv.pem)
