Addition to Go-based service to add chain verification and signature verification for X509, CRL and OCSP

Completed Posted Sep 15, 2012 Paid on delivery

The existing API looks like this:

Decode an X509 certificate

curl --fail -F "content=@[url removed, login to view]" "[url removed, login to view]"

Request and issue an X509 certificate

openssl genrsa -out [url removed, login to view] 2048

openssl req -config [url removed, login to view] -subj "/CN=[url removed, login to view]" -new -x509 -set_serial 01 -days 1 -key [url removed, login to view] -out [url removed, login to view]

curl --fail -F "content=@[url removed, login to view]" "[url removed, login to view]"

Decode a set of X509 certificates

curl --fail -F "content=@[url removed, login to view]" "[url removed, login to view]"

Decode an X509 CRL

curl --fail -F "content=@[url removed, login to view]" "[url removed, login to view]"

Decode an OCSP response

openssl ocsp -noverify -no_nonce -respout [url removed, login to view] -reqout [url removed, login to view] -issuer [url removed, login to view] -cert [url removed, login to view] -url "[url removed, login to view]" -header "HOST" "[url removed, login to view]" -text

curl --fail -F "content=@[url removed, login to view]" "[url removed, login to view]"

I want the following added:

----- X509Certificate\action=verify

[url removed, login to view]

[url removed, login to view]

[url removed, login to view]

[url removed, login to view]

curl --fail -F "content=@[url removed, login to view]" [url removed, login to view],example.com&time=zzz

action = verify -- generic certificate validation

Passin:

A certificate to be verified

A bag of certificates that may be useful for validating the certificate to be verified (aka a bag of intermediate CA certificates)

Hostnames to make sure the certificate is good for (only required for action eku=ExtKeyUsageServerAuth)

ku=KeyUsageDigitalSignature, KeyUsageContentCommitment, KeyUsageKeyEncipherment, KeyUsageDataEncipherment, KeyUsageKeyAgreement, KeyUsageCertSign, KeyUsageCRLSign, KeyUsageEncipherOnly, KeyUsageDecipherOnly

eku=ExtKeyUsageAny, ExtKeyUsageServerAuth, ExtKeyUsageClientAuth, ExtKeyUsageCodeSigning, ExtKeyUsageEmailProtection, ExtKeyUsageTimeStamping, ExtKeyUsageOCSPSigning

time=time

If hostnames are passed in, call VerifyHostname if verify passes

If eku=ExtKeyUsageServerAuth and no hostname is given, return an error

If hostnames provided they go in [url removed, login to view]

If time not specified use current time.

Use host side configured nss roots as trust anchors

Passout:

Success / Fail

If fail why:

CANotAuthorizedForThisName, Expired, NotAuthorizedToSign, TooManyIntermediates, HostnameError, ConstraintViolationError, CertificateInvalidError(Reason), UnhandledCriticalExtension, UnknownAuthorityError

Returns bags of PEM encoded certificates, each bag representing a chain, bag is ordered.
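
One way the X509Certificate action=verify flow above maps onto Go's crypto/x509, added here as an illustration and not part of the posting or the service's code: Verify runs first, VerifyHostname runs per hostname only if it passes, and failures come back under the names from the "If fail why" list. The names verify, sample and reasons are hypothetical, the certificate is a constructed self-signed one so the example runs offline, and PEM encoding of the returned chains is left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

var reasons = map[x509.InvalidReason]string{ // failure names from the spec
	x509.NotAuthorizedToSign:        "NotAuthorizedToSign",
	x509.Expired:                    "Expired",
	x509.CANotAuthorizedForThisName: "CANotAuthorizedForThisName",
	x509.TooManyIntermediates:       "TooManyIntermediates",
}

// verify (hypothetical name): chain building first, then every hostname; opts.Roots nil = host trust store.
func verify(leaf *x509.Certificate, opts x509.VerifyOptions, hosts []string) ([][]*x509.Certificate, string) {
	chains, err := leaf.Verify(opts) // Intermediates = the bag, KeyUsages = eku, CurrentTime zero = now
	for i := 0; err == nil && i < len(hosts); i++ {
		err = leaf.VerifyHostname(hosts[i])
	}
	if inv, ok := err.(x509.CertificateInvalidError); ok && reasons[inv.Reason] != "" {
		return nil, reasons[inv.Reason]
	} else if err != nil {
		return nil, fmt.Sprintf("%T", err) // e.g. x509.HostnameError, x509.UnknownAuthorityError
	}
	return chains, ""
}

func sample(host string) (*x509.Certificate, *x509.CertPool) { // constructed self-signed input
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, pub, key)
	cert, err := x509.ParseCertificate(der) // a failed CreateCertificate surfaces here
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	return cert, roots
}

func main() {
	cert, roots := sample("a.example")
	fmt.Println(verify(cert, x509.VerifyOptions{Roots: roots}, []string{"b.example"}))
}
```

Because VerifyOptions.DNSName holds a single name, the hostnames are checked in a loop after Verify instead of being passed through the options.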

----- X509crl\action=verify

Call [url removed, login to view]

Passin:

A certificate to be verified

A certificate to verify against

time=time

Passout:

Success / Fail

If fail why:

Invalid signature, unsupported algorithm, expired

---- X509ocsp\action=verify&type=response

Passin:

An OCSP response to be verified

time=time

Passout:

Success / Fail

If fail why:

Invalid signature, unsupported algorithm, expired

Computer Security Golang Software Architecture

Project ID: #2489735

About the project

1 proposal Remote project Active Sep 16, 2012

Awarded to:

efrey

I look forward to the prospect of working on this project.

$600 USD in 4 days