Here is an OCSP script in PHP. It is not needed if you use the modified Apache distribution from FedICT: OCSP checking is built into that Apache. But if you use a standard distribution that is automatically updated against new security threats (like me!), you need this. (Apache 2.4's mod_ssl has it built in as SSLOCSPEnable.) The script expects mod_ssl to export the client certificate and its chain to PHP, which requires SSLVerifyClient together with SSLOptions +ExportCertData:
<?php
// User variables:
$dir = '/path/to/temp/';                 // Scratch directory writable by the Apache user (give it to that user rather than chmod 777).
$BelgiumCA = '/path/to/BelgiumRoot.cer'; // Points to the Belgian Root CA in PEM format.

// Script:
// mod_ssl only exports these with "SSLOptions +ExportCertData", and only when the browser sent a client certificate.
if (empty($_SERVER['SSL_CLIENT_CERT']) || empty($_SERVER['SSL_CLIENT_CERT_CHAIN_0'])) {
    die('OCSP status: error (no client certificate in the request)');
}
// tempnam() gives every request its own unique file, so more page clicks in one second cannot collide (rand() can).
$issuerFile = tempnam($dir, 'cert_i_');
$clientFile = tempnam($dir, 'cert_c_');
file_put_contents($issuerFile, $_SERVER['SSL_CLIENT_CERT_CHAIN_0']); // Issuer certificate.
file_put_contents($clientFile, $_SERVER['SSL_CLIENT_CERT']);         // Client (authentication) certificate.
$output = shell_exec('openssl ocsp -CAfile ' . escapeshellarg($BelgiumCA)
    . ' -issuer ' . escapeshellarg($issuerFile) . ' -cert ' . escapeshellarg($clientFile)
    . ' -url http://ocsp.eid.belgium.be 2>&1'); // 2>&1: the verify verdict goes to stderr.
unlink($issuerFile);
unlink($clientFile);
// openssl prints "<certfile>: good|revoked|unknown" on stdout and "Response verify OK" or
// "Response Verify Failure" on stderr. The status line appears even when the response did not
// verify, so match it explicitly and accept it only together with a successful verdict.
if (strpos($output, 'Response verify OK') !== false
    && preg_match('/^' . preg_quote($clientFile, '/') . ': (good|revoked|unknown)\r?$/m', $output, $m)) {
    $ocsp = $m[1];
} else {
    $ocsp = 'error';
}
echo "OCSP status: " . $ocsp; // "good", "revoked", "unknown", or "error" when the response did not verify.
?>
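As an added example (not from the original post and not FedICT's code), here is the same OCSP exchange run offline with openssl's own file-based responder, so the good/revoked parsing can be exercised without reaching http://ocsp.eid.belgium.be. It generates a throwaway root CA and leaf certificate, answers a request for that leaf from an index file, and verifies the stored response exactly as the PHP script's openssl ocsp call does. It also shows the failure mode the parsing has to handle: a response signed by a key the root does not vouch for still produces a "good" status line, and only the verify verdict on stderr reveals the forgery. The CA, certificates, serial number, dates and the "Rogue Responder" are constructed test data; the script assumes only an openssl 1.1.1 or 3.x binary on PATH.

```shell
#!/bin/sh
# Added example, not the original post's code. Assumes only an openssl 1.1.1/3.x
# binary on PATH; the CA, certificates, serial and dates are constructed here.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test PKI: a self-signed root and one leaf it issued (serial 0x1001).
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Test Root" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Citizen" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -set_serial 4097 -days 30 -out "$WORK/leaf.pem" >/dev/null 2>&1
# A second, unrelated self-signed CA that will sign a forged response below.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Rogue Responder" \
  -keyout "$WORK/rogue.key" -out "$WORK/rogue.pem" >/dev/null 2>&1
# The serial as openssl prints it (uppercase hex); the responder's index is keyed on it.
SERIAL=$(openssl x509 -in "$WORK/leaf.pem" -noout -serial | sed 's/^serial=//')

# Write a CA-style index.txt marking the leaf V (valid) or R (revoked). Fields:
# status, expiry, revocation time (UTCTime, constructed), serial, file, subject.
write_index() {
  if [ "$1" = R ]; then
    printf 'R\t991231235959Z\t240101120000Z\t%s\tunknown\t/CN=Example Citizen\n' "$SERIAL"
  else
    printf 'V\t991231235959Z\t\t%s\tunknown\t/CN=Example Citizen\n' "$SERIAL"
  fi > "$WORK/index.txt"
}

# Build the request, answer it from index.txt with $2/$3 as the responder's
# signing certificate and key, and store the DER response in resp.der.
make_response() {   # $1 = V or R, $2 = signer cert, $3 = signer key
  write_index "$1"
  openssl ocsp -no_nonce -issuer "$WORK/ca.pem" -cert "$WORK/leaf.pem" \
    -reqout "$WORK/req.der" >/dev/null 2>&1
  openssl ocsp -no_nonce -index "$WORK/index.txt" -CA "$WORK/ca.pem" \
    -rsigner "$2" -rkey "$3" -reqin "$WORK/req.der" -respout "$WORK/resp.der" >/dev/null 2>&1
}

# Verify the stored response against the root the way the PHP script's
# openssl ocsp call does, and pull the status out of the combined output.
# openssl writes "<certfile>: good|revoked|unknown" to stdout and the verdict
# "Response verify OK" / "Response Verify Failure" to stderr. The status line is
# printed even when the signature did not verify, so the verdict is checked
# too: anything that is not a verified status is reported as "error".
verified_status() {
  out=$(openssl ocsp -no_nonce -CAfile "$WORK/ca.pem" -issuer "$WORK/ca.pem" \
    -cert "$WORK/leaf.pem" -respin "$WORK/resp.der" 2>&1) || true
  status=$(printf '%s\n' "$out" \
    | awk -F': ' '$2 == "good" || $2 == "revoked" || $2 == "unknown" { print $2; exit }')
  case $out in
    *"Response verify OK"*) echo "${status:-error}" ;;
    *) echo error ;;
  esac
}

# Genuine responses signed with the CA's own key, for a valid and a revoked leaf.
ocsp_status() {   # $1 = V or R
  make_response "$1" "$WORK/ca.pem" "$WORK/ca.key"
  verified_status
}

# A forged "good" response signed by the rogue key: the status line still says
# good, but the verdict is a verify failure, so the result is "error".
forged_status() {
  make_response V "$WORK/rogue.pem" "$WORK/rogue.key"
  verified_status
}

echo "valid leaf:   $(ocsp_status V)"
echo "revoked leaf: $(ocsp_status R)"
echo "forged:       $(forged_status)"
```

The three invocations map onto the PHP script's single openssl call: -reqout/-reqin/-respin only split the request, the responder and the verification into separate steps so they can run without a network. Against the real responder the same rule applies: take the status from the "<certfile>: ..." line, and only trust it when the verdict on stderr is "Response verify OK".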