Skip to content
This repository has been archived by the owner on Mar 11, 2023. It is now read-only.
/ libx509crc Public archive

A library for certificate revocation checking

License

BSD-2-Clause, Unknown licenses found

Licenses found

BSD-2-Clause
LICENSE
Unknown
COPYING
6 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

danielcary/libx509crc

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

8 Commits
python
python
 
 
src
src
 
 
test
test
 
 
.gitignore
.gitignore
 
 
COPYING
COPYING
 
 
Doxyfile
Doxyfile
 
 
INSTALL.md
INSTALL.md
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 

Repository files navigation

libx509crc

NCSU Senior Design 2018 Spring Team 13 - Daniel Cary, Brian Hogan, Joseph Tew

The libx509crc project's goal is to provide developers working with OpenSSL applications a way to easily implement certificate revocation checking in their projects. Our library supports revocation checking via CRLs, OCSP, and OCSP stapling. There is also support for Certificate Transparency, the library is capable of obtaining all SCTs for a certificate and then ensures that no SCTs were issued in the future, as well as that each SCT has a logID of a known CT log.

libx509crc is intended to be used as is, or as reference implementation.

Requirements

libx509crc, at the time of writing, works with OpenSSL v1.1.1-pre1 and up.

Installation

Please refer to INSTALL.md for installation and setup.

Usage

Library Usage

Once installed the lib.h header file can be included to use the library. Please refer to the driver program code or the Doxygen documentation which can be generated by running doxygen.

Example usage for OCSP revocation checking:

SSL* ssl = foo_connect_ssl();

int retval = validate_ocsp(ssl, NULL);
if(retval == 0) {
	printf(“Not Revoked\n”);
} else if(retval == 1) {
	printf(“Revoked\n”);
} else {
	printf("Error! - %s\n", X509CRC_err_to_str(retval));
}

Command Line Interface Usage

Once compiled (check the Installation Guide) the command line interface can be used to perform Certificate Revocation Lists (CRL), Online Certificate Status Protocol (OCSP), and OCSP stapling revocation checks. The CLI will set-up its own SSL connection and will print the revocation test(s) output to the command line. Note that not all hosts support all of the revocation testing methods (for example, Google does not implement OCSP Stapling), in such cases the program will report this. If a connection cannot be made to the desired host over the desired port, the program will terminate. All arguments are optional, but if no tests are specifically requested, the program will setup an SSL/TLS connection, close it, and then terminate.

Usage: ./driverprogram [-u hostname] [-p port] [-o] [-c] [-s] [-t] [-d]

  • -u --url
  • -p --port
    • Set the port of the host to connect to (default: 443)
  • -o --ocsp
    • Perform OCSP revocation checking
  • -c --crl
    • Perform CRL revocation checking
  • -s --stapling
    • Perform OCSP Stapling revocation checking
  • -t --transparency
    • Perform Certificate Transparency SCT checks
  • -v --verbose
    • Verbose mode. Has more output, including printing the entire X.509 certificate, to help track down bugs

About

A library for certificate revocation checking

Topics

openssl crl ocsp revocation

Resources

Readme

License

BSD-2-Clause, Unknown licenses found

Licenses found

BSD-2-Clause
LICENSE
Unknown
COPYING
Activity

Stars

6 stars

Watchers

2 watching

Forks

1 fork
Report repository

Releases 1

First Release Latest
May 9, 2018

Packages

No packages published

Languages