private-key keyset) to the session since SSL/TLS uses certificates for the access control functionality. You can specify the public-key keyset to use for checking incoming connections with the CRYPT_SESSINFO_KEYSET attribute:

    CRYPT_SESSION cryptSession;

    /* Create the session */
    cryptCreateSession( &cryptSession, cryptUser, CRYPT_SESSION_SSL_SERVER );

    /* Add the server key and public-key keyset and activate the session */
    cryptSetAttribute( cryptSession, CRYPT_SESSINFO_PRIVATEKEY, privateKey );
    cryptSetAttribute( cryptSession, CRYPT_SESSINFO_KEYSET, cryptKeyset );
    cryptSetAttribute( cryptSession, CRYPT_SESSINFO_ACTIVE, 1 );

When you set this attribute for a server session, cryptlib will require the use of client certificates for connections to the server, and won't allow connections from clients that aren't able to authenticate themselves using a certificate that was previously added to the keyset.

Request/Response Protocol Sessions

cryptlib supports a variety of request/response protocols including protocols such as the certificate management protocol (CMP), simple certificate enrolment protocol (SCEP), real-time certificate status protocol (RTCS), online certificate status protocol (OCSP), and timestamping protocol (TSP). CMP, SCEP, RTCS, and OCSP client sessions are certificate management services that are covered in "Obtaining Certificates using CMP", "Obtaining Certificates using SCEP", "Certificate Status Checking using RTCS", and "Certificate Revocation Checking using OCSP" on pages 157, 152, 152, and 158, and a TSP client session is an S/MIME service which is covered in "Timestamping" on page 84.
RTCS, OCSP and TSP server sessions are standard session types and are also covered here; CMP and SCEP server sessions are somewhat more complex and are covered in "Managing a CA using CMP or SCEP" on page 166.

RTCS Server Sessions

An RTCS server session is a protocol-specific session type that returns a real-time certificate status to a client. RTCS client sessions are used for certificate status checks and are described in "Certificate Status Checking using RTCS" on page 152.

Establishing an RTCS server session requires adding a certificate store that cryptlib can query for certificate status information, specified as the CRYPT_SESSINFO_KEYSET attribute, and an optional RTCS responder key/certificate if you want cryptlib to sign the responses it provides. Certificate stores are described in more detail in "Managing a Certification Authority" on page 161. Once you've added this information you can activate the session and wait for incoming connections:

    CRYPT_SESSION cryptSession;

    /* Create the session */
    cryptCreateSession( &cryptSession, cryptUser, CRYPT_SESSION_RTCS_SERVER );

    /* Add the certificate store and activate the session */
    cryptSetAttribute( cryptSession, CRYPT_SESSINFO_KEYSET, cryptCertStore );
    cryptSetAttribute( cryptSession, CRYPT_SESSINFO_ACTIVE, 1 );

Once you activate the session, cryptlib will block until an incoming client connection arrives, at which point it will read the RTCS request from the client and return a response optionally signed with the RTCS responder key.