danielcary/libx509crc (public archive; archived by the owner on Mar 11, 2023 and now read-only)

A library for certificate revocation checking

License: BSD-2-Clause (LICENSE); COPYING carries a license GitHub does not recognize
libx509crc

NCSU Senior Design 2018 Spring Team 13 - Daniel Cary, Brian Hogan, Joseph Tew

The goal of the libx509crc project is to give developers working with OpenSSL applications an easy way to add certificate revocation checking to their projects. The library supports revocation checking via CRLs, OCSP, and OCSP stapling. It also supports Certificate Transparency: it can obtain all SCTs for a certificate, and it then checks that no SCT carries a timestamp in the future and that each SCT's log ID belongs to a known CT log.

libx509crc is intended to be used as is, or as a reference implementation.
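The two SCT checks described above, as an added, self-contained example written for this page (this is not libx509crc code, and it does not fetch SCTs from a TLS connection or verify the SCT signature, which would need the log's public key). It parses the TLS-encoded v1 SignedCertificateTimestamp layout from RFC 6962 section 3.2, rejects a timestamp later than the supplied clock value, and rejects a log ID that is not in a trusted list. The log IDs, the trust list, and the SCT blobs are constructed for the demo and are not real CT log identifiers.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <time.h>

/* TLS encoding of a v1 SignedCertificateTimestamp (RFC 6962, section 3.2):
 *   version(1) | log_id(32) | timestamp(8, big-endian ms since epoch) |
 *   extensions<0..2^16-1> | digitally-signed struct
 * Only the prefix through the extensions is parsed; the signature is not verified here. */
#define SCT_LOG_ID_LEN 32
#define SCT_PREFIX_LEN 43          /* 1 + 32 + 8 + 2 */

enum { SCT_OK = 0, SCT_ERR_FUTURE = 1, SCT_ERR_UNKNOWN_LOG = 2, SCT_ERR_MALFORMED = -1 };

typedef struct {
    uint8_t        log_id[SCT_LOG_ID_LEN];
    uint64_t       timestamp_ms;
    uint16_t       ext_len;
    const uint8_t *extensions;
} sct_v1;

/* Constructed trust list: fake log IDs for the demo. Real IDs are the SHA-256 of the log's SPKI. */
static const uint8_t KNOWN_LOGS[2][SCT_LOG_ID_LEN] = {
    { 0xa1,0xa1,0xa1,0xa1,0xa1,0xa1,0xa1,0xa1,0xa1,0xa1,0xa1,0xa1,0xa1,0xa1,0xa1,0xa1,
      0xa1,0xa1,0xa1,0xa1,0xa1,0xa1,0xa1,0xa1,0xa1,0xa1,0xa1,0xa1,0xa1,0xa1,0xa1,0xa1 },
    { 0xb2,0xb2,0xb2,0xb2,0xb2,0xb2,0xb2,0xb2,0xb2,0xb2,0xb2,0xb2,0xb2,0xb2,0xb2,0xb2,
      0xb2,0xb2,0xb2,0xb2,0xb2,0xb2,0xb2,0xb2,0xb2,0xb2,0xb2,0xb2,0xb2,0xb2,0xb2,0xb2 }
};
static const uint8_t UNKNOWN_LOG[SCT_LOG_ID_LEN] = { 0 };   /* constructed; not in the trust list */

/* Parse the SCT prefix. Returns 1 on success, 0 on malformed or truncated input. */
int sct_parse(const uint8_t *buf, size_t len, sct_v1 *out)
{
    if (!buf || !out || len < SCT_PREFIX_LEN) return 0;
    if (buf[0] != 0) return 0;                          /* v1 is encoded as 0; no other version is defined */
    memcpy(out->log_id, buf + 1, SCT_LOG_ID_LEN);
    uint64_t ts = 0;
    for (int i = 0; i < 8; i++) ts = (ts << 8) | buf[33 + i];
    out->timestamp_ms = ts;
    out->ext_len = (uint16_t)(((unsigned)buf[41] << 8) | buf[42]);
    if (len - SCT_PREFIX_LEN < out->ext_len) return 0;  /* extensions run past the buffer */
    out->extensions = buf + SCT_PREFIX_LEN;
    return 1;
}

/* The two checks from the README: not issued in the future, and issued by a known log. */
int sct_check(const sct_v1 *sct, uint64_t now_ms,
              const uint8_t known[][SCT_LOG_ID_LEN], size_t n_known)
{
    if (sct->timestamp_ms > now_ms) return SCT_ERR_FUTURE;
    for (size_t i = 0; i < n_known; i++)
        if (memcmp(sct->log_id, known[i], SCT_LOG_ID_LEN) == 0) return SCT_OK;
    return SCT_ERR_UNKNOWN_LOG;
}

int sct_check_blob(const uint8_t *blob, size_t len, uint64_t now_ms)
{
    sct_v1 s;
    if (!sct_parse(blob, len, &s)) return SCT_ERR_MALFORMED;
    return sct_check(&s, now_ms, KNOWN_LOGS, sizeof KNOWN_LOGS / sizeof KNOWN_LOGS[0]);
}

/* Encode a minimal SCT prefix with no extensions (constructed test input).
 * Returns the number of bytes written, or 0 if cap is too small. */
size_t sct_build(uint8_t *out, size_t cap, const uint8_t *log_id, uint64_t ts_ms)
{
    if (cap < SCT_PREFIX_LEN) return 0;
    out[0] = 0;
    memcpy(out + 1, log_id, SCT_LOG_ID_LEN);
    for (int i = 0; i < 8; i++) out[33 + i] = (uint8_t)(ts_ms >> (56 - 8 * i));
    out[41] = 0;
    out[42] = 0;
    return SCT_PREFIX_LEN;
}

/* Build a constructed SCT for log_id/ts_ms and run it through the checks against now_ms. */
int sct_roundtrip(const uint8_t *log_id, uint64_t ts_ms, uint64_t now_ms)
{
    uint8_t blob[SCT_PREFIX_LEN];
    return sct_check_blob(blob, sct_build(blob, sizeof blob, log_id, ts_ms), now_ms);
}

uint64_t now_ms_wall(void) { return (uint64_t)time(NULL) * 1000u; }

static const char *sct_result_str(int r)
{
    switch (r) {
    case SCT_OK:              return "ok";
    case SCT_ERR_FUTURE:      return "timestamp in the future";
    case SCT_ERR_UNKNOWN_LOG: return "unknown log ID";
    default:                  return "malformed SCT";
    }
}

int main(void)
{
    uint64_t now = now_ms_wall();
    printf("known log, past timestamp:   %s\n", sct_result_str(sct_roundtrip(KNOWN_LOGS[0], now - 60000, now)));
    printf("known log, future timestamp: %s\n", sct_result_str(sct_roundtrip(KNOWN_LOGS[1], now + 60000, now)));
    printf("unknown log:                 %s\n", sct_result_str(sct_roundtrip(UNKNOWN_LOG, now - 60000, now)));
    printf("truncated blob:              %s\n", sct_result_str(sct_check_blob(KNOWN_LOGS[0], 10, now)));
    return 0;
}
```

The comparison is strict: a timestamp equal to the current clock value passes, and no clock-skew allowance is applied, so a caller whose clock may lag should pass a slightly advanced now_ms rather than loosen the parser. A real deployment would also verify the signature over the SCT with the log's key before trusting the timestamp at all.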

Requirements

libx509crc, at the time of writing, works with OpenSSL v1.1.1-pre1 and up.

Installation

Please refer to INSTALL.md for installation and setup.

Usage

Library Usage

Once installed, the lib.h header can be included to use the library. Refer to the driver program source, or to the Doxygen documentation, which can be generated by running doxygen.

Example usage for OCSP revocation checking:

#include <stdio.h>
#include <openssl/ssl.h>
#include "lib.h"   /* libx509crc public header */

/* foo_connect_ssl() stands in for the application's own code that
 * opens the TLS connection whose peer certificate is to be checked. */
SSL* ssl = foo_connect_ssl();

/* validate_ocsp returns 0 when the certificate is not revoked, 1 when it is
 * revoked, and any other value is an error code for X509CRC_err_to_str. */
int retval = validate_ocsp(ssl, NULL);
if (retval == 0) {
	printf("Not Revoked\n");
} else if (retval == 1) {
	printf("Revoked\n");
} else {
	printf("Error! - %s\n", X509CRC_err_to_str(retval));
}

Command Line Interface Usage

Once compiled (see the Installation Guide), the command line interface can be used to perform Certificate Revocation List (CRL), Online Certificate Status Protocol (OCSP), and OCSP stapling revocation checks. The CLI sets up its own SSL connection and prints the output of the requested revocation test(s) to the command line. Note that not all hosts support every revocation checking method (for example, at the time of writing Google did not implement OCSP stapling); in such cases the program reports this. If a connection cannot be made to the requested host on the requested port, the program terminates. All arguments are optional, but if no tests are requested the program only sets up an SSL/TLS connection, closes it, and then terminates.

Usage: ./driverprogram [-u hostname] [-p port] [-o] [-c] [-s] [-t] [-d]

  • -u --url
    • Set the hostname of the host to connect to
  • -p --port
    • Set the port of the host to connect to (default: 443)
  • -o --ocsp
    • Perform OCSP revocation checking
  • -c --crl
    • Perform CRL revocation checking
  • -s --stapling
    • Perform OCSP Stapling revocation checking
  • -t --transparency
    • Perform Certificate Transparency SCT checks
  • -v --verbose
    • Verbose mode. Has more output, including printing the entire X.509 certificate, to help track down bugs
