Addition to Go-based service to add chain verification and signature verification for X509, CRL and OCSP
$250-750 USD
In progress
Posted more than 11 years ago
Paid on delivery
The existing API looks like this:
Decode an X509 certificate
curl --fail -F "content=@[login to view URL]" "[login to view URL]"
Request and issue an X509 certificate
openssl genrsa -out [login to view URL] 2048
openssl req -config [login to view URL] -subj "/CN=[login to view URL]" -new -x509 -set_serial 01 -days 1 -key [login to view URL] -out [login to view URL]
curl --fail -F "content=@[login to view URL]" "[login to view URL]"
Decode a set of X509 certificates
curl --fail -F "content=@[login to view URL]" "[login to view URL]"
Decode an X509 CRL
curl --fail -F "content=@[login to view URL]" "[login to view URL]"
Decode an OCSP response
openssl ocsp -noverify -no_nonce -respout [login to view URL] -reqout [login to view URL] -issuer [login to view URL] -cert [login to view URL] -url "[login to view URL]" -header "HOST" "[login to view URL]" -text
curl --fail -F "content=@[login to view URL]" "[login to view URL]"
I want the following added:
----- X509Certificate\action=verify
[login to view URL]
[login to view URL]
[login to view URL]
[login to view URL]
curl --fail -F "content=@[login to view URL]" "[login to view URL],example.com&time=zzz"
action = verify -- generic certificate validation
Passin:
A certificate to be verified
A bag of certificates that may be useful for validating the certificate to be verified (aka a bag of intermediate CA certificates)
Hostnames to make sure the certificate is good for (only required for action eku=ExtKeyUsageServerAuth)
ku=KeyUsageDigitalSignature,KeyUsageContentCommitment,KeyUsageKeyEncipherment,KeyUsageDataEncipherment,KeyUsageKeyAgreement,KeyUsageCertSign,KeyUsageCRLSign,KeyUsageEncipherOnly,KeyUsageDecipherOnly,
eku=ExtKeyUsageAny, ExtKeyUsageServerAuth, ExtKeyUsageClientAuth, ExtKeyUsageCodeSigning, ExtKeyUsageEmailProtection, ExtKeyUsageTimeStamping, ExtKeyUsageOCSPSigning
time=time
If hostnames are passed in, call VerifyHostname if verify passes.
If eku=ExtKeyUsageServerAuth and no hostname is given, return an error.
If hostnames are provided, they go in [login to view URL]
If time is not specified, use the current time.
Use the NSS roots configured on the host as trust anchors.
Passout:
Success / Fail
If fail why:
CANotAuthorizedForThisName, Expired, NotAuthorizedToSign, TooManyIntermediates, HostnameError, ConstraintViolationError, CertificateInvalidError(Reason), UnhandledCriticalExtension, UnknownAuthorityError
Returns bags of PEM-encoded certificates, each bag representing a chain; each bag is ordered.
----- X509crl\action=verify
Call [login to view URL]
Passin:
A certificate to be verified
A certificate to verify against
time=time
Passout:
Success / Fail
If fail why:
Invalid signature, unsupported algorithm, expired
---- X509ocsp\action=verify&type=response
Passin:
An OCSP response to be verified
time=time
Passout:
Success / Fail
If fail why:
Invalid signature, unsupported algorithm, expired
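One way the X509Certificate action=verify request above could map onto Go's crypto/x509, as an added example that is not code from this posting or from the existing service. The names verify and issue, the constructed root.test / mid.test / example.com certificates and the choice to report other failures by Go error type name are assumptions; the EKU is fixed to ExtKeyUsageServerAuth, and the missing-hostname check and the ku filter are left to the caller.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// verify (hypothetical name): nil roots selects the host's system roots, a zero `at` means now.
func verify(leaf *x509.Certificate, roots, bag *x509.CertPool, host string, at time.Time) (string, [][]*x509.Certificate) {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: bag, DNSName: host,
		CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	var inv x509.CertificateInvalidError
	if err == nil {
		return "Success", chains // each chain is ordered leaf first, root last
	} else if errors.As(err, &inv) && inv.Reason == x509.Expired {
		return "Expired", nil
	}
	return fmt.Sprintf("%T", err), nil // other failures: report the x509 error type name
}

// issue makes a constructed one-hour test certificate, self-signed when parent is nil.
func issue(cn string, ca bool, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: ca, BasicConstraintsValid: true}
	if parent == nil {
		parent, pk = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, pk)
	c, _ := x509.ParseCertificate(der)
	return c, key
}

func main() {
	root, rk := issue("root.test", true, nil, nil)
	mid, mk := issue("mid.test", true, root, rk)
	leaf, _ := issue("example.com", false, mid, mk)
	roots, bag := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	bag.AddCert(mid)
	status, chains := verify(leaf, roots, bag, "example.com", time.Time{})
	fmt.Println(status, "chains:", len(chains))
}
```

Dropping the intermediate from the bag turns the same request into an UnknownAuthorityError, which is why the bag of intermediates is part of the input.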