
[OpenSSL] OCSP and TSP commands

JayKim 🙂 2023. 4. 7. 10:18

OCSP stands for Online Certificate Status Protocol, defined in RFC 2560.
TSP stands for Time Stamp Protocol, defined in RFC 3161.

OpenSSL manual for OCSP, the certificate status protocol
https://www.openssl.org/docs/man3.0/man1/openssl-ocsp.html

Manual for time stamps
https://www.openssl.org/docs/man3.0/man1/openssl-ts.html

OCSP ( Online Certificate Status Protocol )

Creating an OCSP request

openssl ocsp -issuer ECDSA_CA.crt -cert CMS_Signer.crt -reqout ocsp-req.ber

OCSP μΈμ¦μ„œ 검증

μœ„μ—μ„œ μƒμ„±ν•œ ocsp-req.ber νŒŒμΌμ„ μ½μ–΄μ„œ -url 둜 μ§€μ •λœ OCSP μ„œλ²„μ—κ²Œ 검증 μš”μ²­

openssl ocsp -reqin ocsp-req.ber -text -url http://ocsp.test.com:8080/ocsp

Read the certificate to be verified and send the verification request directly

openssl ocsp -issuer ECDSA_CA.crt -cert CMS_Signer.crt -text -url http://ocsp.test.com:8080/ocsp

Viewing OCSP request information

openssl ocsp -reqin ocsp-req.ber -text

OCSP request information output

OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: B16FA4BFB9B4ECE5D00CB47BE64CB710BFEFB3EC
          Issuer Key Hash: 613273786D3E2FEC12ADAF15524AF02B79B0EE11
          Serial Number: 0BC6CA62C4BD687B
    Request Extensions:
        OCSP Nonce:
            0410563B7D447966E7140E57FD776BAF0C7F

TSP ( Time Stamp Protocol )

Before using the TSP commands, the settings below must be present in the openssl.cnf file.

TSP settings in openssl.cnf

[ tsa ]

default_tsa = tsa_config1   # the default TSA section

[ tsa_config1 ]

# These are used by the TSA reply generation only.
dir     = /d/pvd_certs/xca      # TSA root directory
serial      = $dir/tsaserial    # The current serial number (mandatory)
crypto_device   = builtin       # OpenSSL engine to use for signing
signer_cert = $dir/OCSP_TSA.crt     # The TSA signing certificate
                    # (optional)
certs       = $dir/chain.crt    # Certificate chain to include in reply
                    # (optional)
signer_key  = $dir/OCSP_TSA_pri.pem # The TSA private key (optional)
signer_digest  = sha256         # Signing digest to use. (Optional)
default_policy  = tsa_policy1       # Policy if request did not specify it
                    # (optional)
other_policies  = tsa_policy2, tsa_policy3  # acceptable policies (optional)
digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)
accuracy    = secs:1, millisecs:500, microsecs:100  # (optional)
clock_precision_digits  = 0 # number of digits after dot. (optional)
ordering        = yes   # Is ordering defined for timestamps?
                # (optional, default: no)
tsa_name        = yes   # Must the TSA name be included in the reply?
                # (optional, default: no)
ess_cert_id_chain   = no    # Must the ESS cert id chain be included?
                # (optional, default: no)
ess_cert_id_alg     = sha1  # algorithm to compute certificate
                # identifier (optional, default: sha1)

Creating a TS query

openssl ts -query -data mydata.txt -no_nonce -sha1 -out design1.tsq

Printing TS query information

openssl ts -query -in design1.tsq -text

TS query information output

Version: 1
Hash Algorithm: sha1
Message data:
    0000 - f5 72 d3 96 fa e9 20 66-28 71 4f b2 ce 00 f7 2e   .r.... f(qO.....
    0010 - 94 f2 25 8f                                       ..%.
Policy OID: unspecified
Nonce: unspecified
Certificate required: no
Extensions:
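The TSP flow above carried through end to end, as an added example that is not part of the original post: it builds a throwaway TSA using the same [tsa]/[tsa_config1] layout, issues a query, generates the reply with openssl ts -reply, and checks that the token verifies against the original data and fails against altered data. "Example TSA", the policy OID 1.2.3.4.1 and the file names are constructed values; it assumes openssl is on PATH.

```shell
# Added example, not from the original post: RFC 3161 round trip against a
# throwaway TSA. "Example TSA", policy OID 1.2.3.4.1 and all file names are
# constructed values; requires openssl on PATH and runs in a temp directory.
ts_roundtrip() {
    work=$(mktemp -d) || return 1
    cd "$work" || return 1
    cat > tsa.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = tsa_ext
prompt             = no
[ dn ]
CN = Example TSA
[ tsa_ext ]
# ts -verify rejects a signer without a critical timeStamping EKU
keyUsage         = critical,digitalSignature
extendedKeyUsage = critical,timeStamping
[ tsa ]
default_tsa = tsa_config1
[ tsa_config1 ]
dir            = .
serial         = $dir/tsaserial
signer_cert    = $dir/tsa.crt
signer_key     = $dir/tsa.key
signer_digest  = sha256
default_policy = 1.2.3.4.1
digests        = sha256, sha384, sha512
accuracy       = secs:1, millisecs:500, microsecs:100
tsa_name       = yes
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config tsa.cnf \
        -keyout tsa.key -out tsa.crt >/dev/null 2>&1 || return 1
    echo 01 > tsaserial
    printf 'contract text v1\n' > mydata.txt
    # -cert asks the TSA to embed its certificate; sha256 rather than the
    # post's -sha1 because sha1 is not in this TSA's accepted digest list
    openssl ts -query -data mydata.txt -sha256 -cert -out req.tsq || return 1
    openssl ts -reply -config tsa.cnf -queryfile req.tsq -out resp.tsr \
        >/dev/null 2>&1 || return 1
    # the token must verify against the original data ...
    openssl ts -verify -data mydata.txt -in resp.tsr -CAfile tsa.crt \
        >/dev/null 2>&1 || return 1
    # ... and must fail once the data changes by even one byte
    printf 'contract text v2\n' > tampered.txt
    if openssl ts -verify -data tampered.txt -in resp.tsr -CAfile tsa.crt \
        >/dev/null 2>&1; then return 1; fi
    echo verified-and-tamper-detected
}
```

Run `ts_roundtrip` in a shell; it prints verified-and-tamper-detected only when both the positive and the negative verification behave as expected.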

The terms TSA and TSP are often mixed up. TSA is the abbreviation of Time Stamp Authority and is taken to mean the time-stamping organization, while TSP is actually the message protocol that the TSA uses.