From: <ope...@li...> - 2005-04-27 13:34:11
Update of /cvsroot/openca/openca-0.9/src/ocspd/docs In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv12301/docs Modified Files: Makefile.in ocspd.conf.3 ocspd.conf.3.pod Log Message: Major Fixes and enhancements: - Fixed memory leakage with multiple CAs configured - Added downloading of CRLs from HTTP - Daemon binary moved from openca-ocspd to ocspd - Updated rcd script and spec file (now to build rpms, simply use the command `rpmbuild -ta OpenCA-OCSPD-${ver}.tar.gz` ) - Updated man pages and example configuration file with all the new options - Updated the ChangeLog with all major improvements Author of changes: madwolf Index: Makefile.in =================================================================== RCS file: /cvsroot/openca/openca-0.9/src/ocspd/docs/Makefile.in,v retrieving revision 1.15 retrieving revision 1.16 diff -C2 -d -r1.15 -r1.16 *** Makefile.in 2 Feb 2005 18:12:44 -0000 1.15 --- Makefile.in 27 Apr 2005 13:33:46 -0000 1.16 *************** *** 69,72 **** --- 69,73 ---- CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ + CHMOD = @CHMOD@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ Index: ocspd.conf.3 =================================================================== RCS file: /cvsroot/openca/openca-0.9/src/ocspd/docs/ocspd.conf.3,v retrieving revision 1.3 retrieving revision 1.4 diff -C2 -d -r1.3 -r1.4 *** ocspd.conf.3 28 Feb 2003 17:33:12 -0000 1.3 --- ocspd.conf.3 27 Apr 2005 13:33:46 -0000 1.4 *************** *** 1,7 **** ! .\" Automatically generated by Pod::Man version 1.15 ! .\" Fri Feb 28 18:41:50 2003 .\" .\" Standard preamble: ! .\" ====================================================================== .de Sh \" Subsection heading .br --- 1,6 ---- ! .\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14 .\" .\" Standard preamble: ! .\" ======================================================================== .de Sh \" Subsection heading .br *************** *** 16,25 **** .if n .sp .. 
- .de Ip \" List item - .br - .ie \\n(.$>=3 .ne \\$3 - .el .ne 3 - .IP "\\$1" \\$2 - .. .de Vb \" Begin verbatim text .ft CW --- 15,18 ---- *************** *** 29,33 **** .de Ve \" End verbatim text .ft R - .fi .. --- 22,25 ---- *************** *** 35,41 **** .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left .\" double quote, and \*(R" will give a right double quote. | will give a ! .\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used ! .\" to do unbreakable dashes and therefore won't be available. \*(C` and ! .\" \*(C' expand to `' in nroff, nothing in troff, for use with C<> .tr \(*W-|\(bv\*(Tr .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' --- 27,33 ---- .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left .\" double quote, and \*(R" will give a right double quote. | will give a ! .\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used to ! .\" do unbreakable dashes and therefore won't be available. \*(C` and \*(C' ! .\" expand to `' in nroff, nothing in troff, for use with C<>. .tr \(*W-|\(bv\*(Tr .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' *************** *** 57,64 **** 'br\} .\" ! .\" If the F register is turned on, we'll generate index entries on stderr ! .\" for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and ! .\" index entries marked with X<> in POD. Of course, you'll have to process ! .\" the output yourself in some meaningful fashion. .if \nF \{\ . de IX --- 49,56 ---- 'br\} .\" ! .\" If the F register is turned on, we'll generate index entries on stderr for ! .\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index ! .\" entries marked with X<> in POD. Of course, you'll have to process the ! .\" output yourself in some meaningful fashion. .if \nF \{\ . de IX *************** *** 69,74 **** .\} .\" ! .\" For nroff, turn off justification. Always turn off hyphenation; it ! 
.\" makes way too many mistakes in technical documents. .hy 0 .if n .na --- 61,66 ---- .\} .\" ! .\" For nroff, turn off justification. Always turn off hyphenation; it makes ! .\" way too many mistakes in technical documents. .hy 0 .if n .na *************** *** 76,80 **** .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\" Fear. Run. Save yourself. No user-serviceable parts. - .bd B 3 . \" fudge factors for nroff and troff .if n \{\ --- 68,71 ---- *************** *** 136,144 **** .\} .rm #[ #] #H #V #F C ! .\" ====================================================================== .\" .IX Title "ocspd.conf.3 3" ! .TH ocspd.conf.3 3 "openca-ocspd 0.3.51" "2003-02-28" "OpenCA Contributed Manual" ! .UC .SH "NAME" .Vb 1 --- 127,134 ---- .\} .rm #[ #] #H #V #F C ! .\" ======================================================================== .\" .IX Title "ocspd.conf.3 3" ! .TH ocspd.conf.3 3 "2005-04-27" "openca-ocspd 1.0.2" "OpenCA Contributed Manual" .SH "NAME" .Vb 1 *************** *** 177,181 **** or \fB${section::name}\fR. By using the form \fB$ENV::name\fR environment variables can be substituted. It is also possible to assign values to ! environment variables by using the name \fB\s-1ENV:\s0:name\fR, this will work if the program looks up environment variables using the \fB\s-1CONF\s0\fR library instead of calling \fB\f(BIgetenv()\fB\fR directly. --- 167,171 ---- or \fB${section::name}\fR. By using the form \fB$ENV::name\fR environment variables can be substituted. It is also possible to assign values to ! environment variables by using the name \fBENV::name\fR, this will work if the program looks up environment variables using the \fB\s-1CONF\s0\fR library instead of calling \fB\f(BIgetenv()\fB\fR directly. 
*************** *** 201,211 **** --- 191,204 ---- \& # All rights reserved .Ve + .PP .Vb 2 \& [ ocspd ] \& default_ocspd = OCSPD_default .Ve + .PP .Vb 1 \& [ OCSPD_default ] .Ve + .PP .Vb 3 \& dir = /usr/local/etc/ocspd *************** *** 213,216 **** --- 206,210 ---- \& md = sha1 .Ve + .PP .Vb 4 \& ca_certificate = $dir/certs/cacert.pem *************** *** 219,222 **** --- 213,217 ---- \& pidfile = $dir/ocspd.pid .Ve + .PP .Vb 6 \& user = ocspd *************** *** 227,241 **** --- 222,244 ---- \& max_req_size = 8192 .Ve + .PP .Vb 2 \& request = ocsp_req \& response = ocsp_response .Ve + .PP .Vb 2 \& dbms = dbms_ldap # Example using the LDAP for CRL \& # retrivial .Ve + .PP .Vb 1 \& #dbms = dbms_file # Example using file for CRL .Ve + .PP + .Vb 1 + \& engine = HSM # ENGINE section + .Ve + .PP .Vb 3 \& #################################################################### *************** *** 243,246 **** --- 246,250 ---- \& default_keyfile = key.pem .Ve + .PP .Vb 7 \& #################################################################### *************** *** 252,264 **** \& next_update_mins = 5 .Ve .Vb 2 \& #################################################################### \& [ dbms_ldap ] .Ve ! .Vb 2 ! \& # You can have the CRL on a simple file ! \& # crl_url = file:///usr/local/etc/ocspd/crl.pem ! .Ve ! .Vb 8 \& # You can store the CRL into an LDAP server, simply \& # store it in certificateRevocationList;binary attribute --- 256,289 ---- \& next_update_mins = 5 .Ve + .PP .Vb 2 \& #################################################################### \& [ dbms_ldap ] .Ve ! .PP ! .Vb 31 ! \& # It is possible to use an URI to identify a CRL and/or the ! \& # CA certificate, the general format is: ! \& # ! \& # [protocol]://[user[:pwd]@]server[:port]/[path] ! \& # ! \& # where: ! \& # protocol - specifies the protocol to be used, supported are ! \& # file, ldap, http ! \& # user - is the user for auth (meaningful only if ldap or ! \& # http is used) ! 
\& # pwd - password used for auth (meaningful only if ldap ! \& # or http is used) ! \& # port - port to connect to (meaningful only if ldap or ! \& # http is used) ! \& # path - complete path to the object (meaningful only if ! \& # http is used) ! \& # ! \& # You can have the CRLs/CA certificates on a simple file ! \& # crl_url = file:///usr/local/etc/ocspd/crl.pem ! \& # ! \& # You can retrieve the CRLs/CA certificates from a web server ! \& # crl_urt = http://server/ca/cacert.der ! \& # \& # You can store the CRL into an LDAP server, simply \& # store it in certificateRevocationList;binary attribute *************** *** 270,273 **** --- 295,299 ---- \& crl_url = ldap://localhost .Ve + .PP .Vb 5 \& # The CRL entry DN is the DN to look for when retrieving the *************** *** 277,298 **** \& o=Organization, c=IT" .Ve .Vb 2 \& #################################################################### \& [ dbms_file ] .Ve .Vb 2 \& # You can have the CRL on a simple file in PEM format \& crl_url = file:///usr/local/etc/ocspd/crl.pem .Ve Let's analyze the options in detail. ! .Ip "\fBdefault_ocspd section\fR" .IX Item "default_ocspd section" In this section of the configuration file are set the general options used by the responder, some of which are available using the command line options too ( see \fIocspd\fR\|(3)). ! .Ip "\fBdir\fR" 6 .IX Item "dir" specifies the directory where everything is kept. ! .Ip "\fBdb\fR" 6 .IX Item "db" specifies the db where info about issued certificates are kept. 
Right --- 303,336 ---- \& o=Organization, c=IT" .Ve + .PP .Vb 2 \& #################################################################### \& [ dbms_file ] .Ve + .PP .Vb 2 \& # You can have the CRL on a simple file in PEM format \& crl_url = file:///usr/local/etc/ocspd/crl.pem .Ve + .PP + .Vb 5 + \& [ HSM ] + \& # Hardware accelerators support via the ENGINE interface + \& engine_id = MyAccelerator + \& 0.engine_pre = login:1:10:11:myPassword + \& # 0.engine_post = logout:1:10:11 + .Ve + .PP Let's analyze the options in detail. ! .RE ! .IP "\fBdefault_ocspd section\fR" .IX Item "default_ocspd section" In this section of the configuration file are set the general options used by the responder, some of which are available using the command line options too ( see \fIocspd\fR\|(3)). ! .IP "\fBdir\fR" 6 .IX Item "dir" specifies the directory where everything is kept. ! .IP "\fBdb\fR" 6 .IX Item "db" specifies the db where info about issued certificates are kept. Right *************** *** 300,356 **** To reload the certificate's db simply send a \s-1SIGHUP\s0 to the main process ( kill \-s \s-1SIGHUP\s0 pid ). ! .Ip "\fBmd\fR" 6 .IX Item "md" specifies the digest to be used. Default is sha1. ! .Ip "\fBca_certificate\fR" 6 .IX Item "ca_certificate" path to the \s-1CA\s0's certificate. ! .Ip "\fBocspd_certificate\fR" 6 .IX Item "ocspd_certificate" path to the certificate to be used by the responder. ! .Ip "\fBocspd_key\fR" 6 .IX Item "ocspd_key" path to the private key file to be used by the responder. ! .Ip "\fBpidfile\fR" 6 .IX Item "pidfile" path to the pid file where the responder will write its pid when starting. ! .Ip "\fBuser\fR" 6 .IX Item "user" user id the responder will try to run as, this must be a valid \s-1UID\s0. If not specified the responder will run as the user who started the daemon. ! .Ip "\fBgroup\fR" 6 .IX Item "group" group id the responder will try to run as, this must be a valid \s-1GID\s0. 
If not specified the responder will run as the user who started the daemon. ! .Ip "\fBbind\fR" 6 .IX Item "bind" address to listen to. You can force the responder to listen to just one of the available addresses. If you want the responder to listen to every available interface, simply use '*' (default). ! .Ip "\fBport\fR" 6 .IX Item "port" specifies the port to listen to. ! .Ip "\fBmax_childs_num\fR" 6 .IX Item "max_childs_num" maximum number of process spawned to respond to concurrent requests. A \fIfork()\fR is used for spwaning processes. ! .Ip "\fBmax_req_size\fR" 6 .IX Item "max_req_size" maximum size of received request, if a received request is bigger it will be trashed. Usually simple requests are 200/300 bytes long (more or less). ! .Ip "\fBrequest section\fR" .IX Item "request section" Currently not used ! .Ip "\fBresponse section\fR" .IX Item "response section" Here are kept options tied to responses' building. ! .Ip "\fBdbms section\fR" .IX Item "dbms section" Here are kept options tied to the revoked certificates' list. ! .Ip "\fBocsp_add_response_certs\fR" 4 .IX Item "ocsp_add_response_certs" specifies path to a file containing certificates to be added to the --- 338,397 ---- To reload the certificate's db simply send a \s-1SIGHUP\s0 to the main process ( kill \-s \s-1SIGHUP\s0 pid ). ! .IP "\fBmd\fR" 6 .IX Item "md" specifies the digest to be used. Default is sha1. ! .IP "\fBca_certificate\fR" 6 .IX Item "ca_certificate" path to the \s-1CA\s0's certificate. ! .IP "\fBocspd_certificate\fR" 6 .IX Item "ocspd_certificate" path to the certificate to be used by the responder. ! .IP "\fBocspd_key\fR" 6 .IX Item "ocspd_key" path to the private key file to be used by the responder. ! .IP "\fBpidfile\fR" 6 .IX Item "pidfile" path to the pid file where the responder will write its pid when starting. ! .IP "\fBuser\fR" 6 .IX Item "user" user id the responder will try to run as, this must be a valid \s-1UID\s0. 
If not specified the responder will run as the user who started the daemon. ! .IP "\fBgroup\fR" 6 .IX Item "group" group id the responder will try to run as, this must be a valid \s-1GID\s0. If not specified the responder will run as the user who started the daemon. ! .IP "\fBbind\fR" 6 .IX Item "bind" address to listen to. You can force the responder to listen to just one of the available addresses. If you want the responder to listen to every available interface, simply use '*' (default). ! .IP "\fBport\fR" 6 .IX Item "port" specifies the port to listen to. ! .IP "\fBmax_childs_num\fR" 6 .IX Item "max_childs_num" maximum number of process spawned to respond to concurrent requests. A \fIfork()\fR is used for spwaning processes. ! .IP "\fBmax_req_size\fR" 6 .IX Item "max_req_size" maximum size of received request, if a received request is bigger it will be trashed. Usually simple requests are 200/300 bytes long (more or less). ! .RE ! .IP "\fBrequest section\fR" .IX Item "request section" Currently not used ! .RE ! .IP "\fBresponse section\fR" .IX Item "response section" Here are kept options tied to responses' building. ! .RE ! .IP "\fBdbms section\fR" .IX Item "dbms section" Here are kept options tied to the revoked certificates' list. ! .IP "\fBocsp_add_response_certs\fR" 4 .IX Item "ocsp_add_response_certs" specifies path to a file containing certificates to be added to the *************** *** 358,384 **** be in \s-1PEM\s0 format one after another (a simple cat of the certificates will do fine). ! .Ip "\fBocsp_add_response_keyid\fR" 4 .IX Item "ocsp_add_response_keyid" specifies if adding of the key id to the response. ! .Ip "\fBnext_update_days\fR" 4 .IX Item "next_update_days" specifies the number of days till next update is available. A response will be valid in the period following the request till the days+mins. ! .Ip "\fBnext_update_mins\fR" 4 .IX Item "next_update_mins" specifies the number of minutes till next update is available. 
A response will be valid in the period following the request till the days+mins. ! .Ip "\fBcrl_url\fR" 4 .IX Item "crl_url" specifies the \s-1URI\s0 where the \s-1CRL\s0 (list of revoked certificates, ! actually used for building responses) is located. Two different ! resources are actually implemented ( file:// or ldap:// ). If ! file is chosen, then the parameter should have the path to the ! crl file (i.e. file:///usr/local/etc/cacrl.pem). If ldap is ! chosen, you can specify the address, and the port of the server where to connect to (i.e. ldap://server.addr:port). ! .Ip "\fBcrl_entry_dn\fR" 4 .IX Item "crl_entry_dn" specifies, if ldap:// protocol is chosen within the \fBcrl_url\fR --- 399,433 ---- be in \s-1PEM\s0 format one after another (a simple cat of the certificates will do fine). ! .IP "\fBocsp_add_response_keyid\fR" 4 .IX Item "ocsp_add_response_keyid" specifies if adding of the key id to the response. ! .IP "\fBnext_update_days\fR" 4 .IX Item "next_update_days" specifies the number of days till next update is available. A response will be valid in the period following the request till the days+mins. ! .IP "\fBnext_update_mins\fR" 4 .IX Item "next_update_mins" specifies the number of minutes till next update is available. A response will be valid in the period following the request till the days+mins. ! .IP "\fBca_url\fR" 4 ! .IX Item "ca_url" ! specifies the \s-1URI\s0 where the \s-1CA\s0 certificate (which identifies the ! single \s-1CA\s0) is located. Three different protocols are implemented ! ( file:// http:// or ldap:// ). If file is chosen, then the parameter ! should carry the path to the \s-1CA\s0 file (i.e. file:///usr/local/etc/ca.pem). ! If ldap or http is chosen, you can specify the address, and the port ! of the server where to connect to (i.e. ldap://server.addr:port). ! .IP "\fBcrl_url\fR" 4 .IX Item "crl_url" specifies the \s-1URI\s0 where the \s-1CRL\s0 (list of revoked certificates, ! actually used for building responses) is located. 
Three different ! protocols are actually implemented ( file:// http:// or ldap:// ). ! If file is chosen, then the parameter should have the path to the ! crl file (i.e. file:///usr/local/etc/cacrl.pem). If ldap or http ! is chosen, you can specify the address, and the port of the server where to connect to (i.e. ldap://server.addr:port). ! .IP "\fBcrl_entry_dn\fR" 4 .IX Item "crl_entry_dn" specifies, if ldap:// protocol is chosen within the \fBcrl_url\fR *************** *** 387,390 **** --- 436,461 ---- the base of the \s-1LDAP\s0 tree, but different installations are also possible). + .IP "\fBengine_id\fR" 4 + .IX Item "engine_id" + Specifies the \s-1ENGINE\s0 id to be used \- check OpenSSL and your \s-1HSM\s0 + vendor to get more info about this parameter. + .IP "\fBengine_pre\fR" 4 + .IX Item "engine_pre" + Some \s-1HSM\s0 need initialisation before access to the crypto accelerated + functions is granted. It is possible, by using the 'engine_pre' options + to issue needed commands directly to the \s-1HSM\s0. + .Sp + The format is as follows: + 0.engine_pre = cmd:values + 1.engine_pre = cmd2:values + ... + It is possible to have as many commands as needed. + .IP "\fBengine_post\fR" 4 + .IX Item "engine_post" + Some HSMs need to perform commands after the \s-1ENGINE\s0 initialisation + which are taken from the 'engine_post' option. Usage and format + is exactly the same as 'engine_pre', the difference is that commands + are sent to the \s-1HSM\s0 after the \fIENGINE_init()\fR function. 
Refer to your + \&\s-1HSM\s0 documentation for more informations .SH "AUTHOR" .IX Header "AUTHOR" Index: ocspd.conf.3.pod =================================================================== RCS file: /cvsroot/openca/openca-0.9/src/ocspd/docs/ocspd.conf.3.pod,v retrieving revision 1.3 retrieving revision 1.4 diff -C2 -d -r1.3 -r1.4 *** ocspd.conf.3.pod 28 Feb 2003 17:33:12 -0000 1.3 --- ocspd.conf.3.pod 27 Apr 2005 13:33:46 -0000 1.4 *************** *** 92,95 **** --- 92,97 ---- #dbms = dbms_file # Example using file for CRL + + engine = HSM # ENGINE section #################################################################### *************** *** 108,114 **** [ dbms_ldap ] ! # You can have the CRL on a simple file ! # crl_url = file:///usr/local/etc/ocspd/crl.pem ! # You can store the CRL into an LDAP server, simply # store it in certificateRevocationList;binary attribute --- 110,136 ---- [ dbms_ldap ] ! # It is possible to use an URI to identify a CRL and/or the ! # CA certificate, the general format is: ! # ! # [protocol]://[user[:pwd]@]server[:port]/[path] ! # ! # where: ! # protocol - specifies the protocol to be used, supported are ! # file, ldap, http ! # user - is the user for auth (meaningful only if ldap or ! # http is used) ! # pwd - password used for auth (meaningful only if ldap ! # or http is used) ! # port - port to connect to (meaningful only if ldap or ! # http is used) ! # path - complete path to the object (meaningful only if ! # http is used) ! # ! # You can have the CRLs/CA certificates on a simple file ! # crl_url = file:///usr/local/etc/ocspd/crl.pem ! # ! # You can retrieve the CRLs/CA certificates from a web server ! # crl_urt = http://server/ca/cacert.der ! 
# # You can store the CRL into an LDAP server, simply # store it in certificateRevocationList;binary attribute *************** *** 132,135 **** --- 154,163 ---- crl_url = file:///usr/local/etc/ocspd/crl.pem + [ HSM ] + # Hardware accelerators support via the ENGINE interface + engine_id = MyAccelerator + 0.engine_pre = login:1:10:11:myPassword + # 0.engine_post = logout:1:10:11 + Let's analyze the options in detail. *************** *** 246,257 **** the days+mins. =item B<crl_url> specifies the URI where the CRL (list of revoked certificates, ! actually used for building responses) is located. Two different ! resources are actually implemented ( file:// or ldap:// ). If ! file is chosen, then the parameter should have the path to the ! crl file (i.e. file:///usr/local/etc/cacrl.pem). If ldap is ! chosen, you can specify the address, and the port of the server where to connect to (i.e. ldap://server.addr:port). --- 274,294 ---- the days+mins. + =item B<ca_url> + + specifies the URI where the CA certificate (which identifies the + single CA) is located. Three different protocols are implemented + ( file:// http:// or ldap:// ). If file is chosen, then the parameter + should carry the path to the CA file (i.e. file:///usr/local/etc/ca.pem). + If ldap or http is chosen, you can specify the address, and the port + of the server where to connect to (i.e. ldap://server.addr:port). + =item B<crl_url> specifies the URI where the CRL (list of revoked certificates, ! actually used for building responses) is located. Three different ! protocols are actually implemented ( file:// http:// or ldap:// ). ! If file is chosen, then the parameter should have the path to the ! crl file (i.e. file:///usr/local/etc/cacrl.pem). If ldap or http ! is chosen, you can specify the address, and the port of the server where to connect to (i.e. ldap://server.addr:port). 
*************** *** 266,269 **** --- 303,337 ---- =back + =item B<ENGINE section> + + =over 6 + + =item B<engine_id> + + Specifies the ENGINE id to be used - check OpenSSL and your HSM + vendor to get more info about this parameter. + + =item B<engine_pre> + + Some HSM need initialisation before access to the crypto accelerated + functions is granted. It is possible, by using the 'engine_pre' options + to issue needed commands directly to the HSM. + + The format is as follows: + 0.engine_pre = cmd:values + 1.engine_pre = cmd2:values + ... + It is possible to have as many commands as needed. + + =item B<engine_post> + + Some HSMs need to perform commands after the ENGINE initialisation + which are taken from the 'engine_post' option. Usage and format + is exactly the same as 'engine_pre', the difference is that commands + are sent to the HSM after the ENGINE_init() function. Refer to your + HSM documentation for more informations + + =back + =head1 AUTHOR |
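Review bot: in the docs/Makefile.in hunk (`*** 69,72 ****`), the new `CHMOD = @CHMOD@` line is only an autoconf substitution and nothing else in this hunk uses it; since the log message says this commit touches src/ocspd/docs only, confirm that the top-level configure script actually AC_SUBSTs `CHMOD` and that an install rule consumes it, otherwise the variable stays as the literal string `@CHMOD@` in the generated Makefile.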
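Review bot: the `[ dbms_ldap ]` comment block added in the ocspd.conf.3.pod hunk (`*** 108,114 ****`, mirrored verbatim in the ocspd.conf.3 hunk `*** 252,264 ****`) has a typo in the HTTP example, `# crl_urt = http://server/ca/cacert.der`, and the sample value is a CA certificate rather than a CRL, so a reader copying it gets a broken key pointing at the wrong object. Suggest splitting it into `# ca_url = http://server/ca/cacert.der` and `# crl_url = http://server/ca/crl.der` (example paths), and "use an URI" should read "use a URI". Because the .3 file is Pod::Man output, make the fix in the .pod and regenerate the man page so the two copies do not drift.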
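Review bot: the `[ HSM ]` sample added in the ocspd.conf.3.pod hunk (`*** 132,135 ****`) and the matching ocspd.conf.3 hunk (`*** 277,298 ****`) shows `0.engine_pre = login:1:10:11:myPassword`, which means ocspd.conf now carries an HSM login secret, and the new `[protocol]://[user[:pwd]@]server[:port]/[path]` syntax for `crl_url`/`ca_url` lets it carry LDAP or HTTP credentials as well. The `engine_pre` and `crl_url` descriptions should say so explicitly and state that the file must be readable only by the account in `user = ocspd` (the same sample sets it), rather than leaving the reader to infer it from the example.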
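Review bot: the new `=item B<ca_url>` text in the ocspd.conf.3.pod hunk (`*** 246,257 ****`) documents a second way to locate the CA certificate, but the example configuration in the ocspd.conf.3 hunk (`*** 213,216 ****`) still sets `ca_certificate = $dir/certs/cacert.pem`; the man page should state which of `ca_certificate` and `ca_url` takes precedence when both are set, and whether `ca_url` is per-CA (the phrase "identifies the single CA" suggests it is). In the same hunk, both `ca_url` and `crl_url` say that for http "you can specify the address, and the port of the server (i.e. ldap://server.addr:port)", yet the comment block a few hunks earlier says the path component is required for http; add an `http://server/path/crl.der` style example and use "e.g." rather than "i.e." for the illustrations, with commas in "( file:// http:// or ldap:// )".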
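Review bot: the `=item B<ENGINE section>` block in the ocspd.conf.3.pod hunk (`*** 266,269 ****`) is emitted after the `=back` that closes the list holding the other sections, and the regenerated man page hunk (`*** 387,390 ****`) contains no "ENGINE section" heading at all: its `.IP "\fBengine_id\fR" 4` items follow `crl_entry_dn` directly with indent 4, although the .pod says `=over 6`. Either the nesting in the .pod is wrong or the .3 was regenerated from an earlier .pod; run podchecker on the .pod, fix the `=over`/`=back` structure, and regenerate. Also the `0.engine_pre = cmd:values` / `1.engine_pre = cmd2:values` / `...` lines are not indented, so Pod will fill them into a single paragraph (the `.Sp` in the man page hunk shows exactly that); indent them to make a verbatim block. Minor wording: "Some HSM need" should be "Some HSMs need", "the 'engine_pre' options" should be "option", and "for more informations" should be "for more information" with a closing full stop.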