Monthly Archives: November 2010

OCSP Queries Via OpenSSL

OpenSSL has an OCSP querying facility that can be useful if you’re testing a responder or are just curious how the Online Certificate Status Protocol works. To use it:

openssl ocsp -issuer IssuingCert.txt -cert ServerCert.txt -url http://ocsp.wherever.com -CAfile CAchain.txt

Argument Breakdown

  • -issuer is the issuing CA for the certificate you want to check (called IssuingCert.txt above). This can be a self-signed root or a subroot.
  • -cert is the certificate you want to verify. If you know the serial number and don’t want to provide the cert file itself you can use -serial instead.
  • -url is the URL of the OCSP responder for your cert. You can parse the certificate to find the endpoint. It will be under the Authority Information Access node inside the x509 extensions.
  • -CAfile is only required if you want to verify the response of the OCSP server [1]. The file needs to contain the self-signed root plus whatever intermediates are necessary for the server’s OCSP signing cert to chain up to it.
  • There are many other optional args, so check out the list just by typing “openssl ocsp”.

OCSP Response

Here’s an example response where the certificate has been marked as revoked.

Response verify OK
ServerCert.txt: revoked
This Update: Nov 20 15:43:49 2010 GMT
Next Update: Dec  4 17:43:49 2010 GMT
Reason: unspecified
Revocation Time: Mar 31 21:37:52 2009 GMT

And one marked as acceptable.

Response verify OK
ServerCert.txt: good
This Update: Nov 20 11:20:51 2010 GMT
Next Update: Nov 27 11:20:51 2010 GMT

Responses can have several error status codes. Here’s the list of possible errors from RFC 2560.

malformedRequest      (1),  --Illegal confirmation request
internalError         (2),  --Internal error in issuer
tryLater              (3),  --Try again later
                            --(4) is not used
sigRequired           (5),  --Must sign the request
unauthorized          (6)   --Request unauthorized

  1. If you don’t want to verify, use -noverify.
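
A fail-closed way to consume the output shown above from a script, as an added example that is not part of the original post. The function name ocsp_verdict and its verdict strings are hypothetical; the "Responder Error:" line format and the need for 2>&1 to capture the verify line are assumptions about openssl's text output.

```shell
#!/bin/sh
# Added example: classify `openssl ocsp` text output, failing closed.
# Intended use (assumes the verify line may be on stderr, hence 2>&1):
#   openssl ocsp -issuer ... -cert ... -url ... -CAfile ... 2>&1 | ocsp_verdict
# Optional $1 = current UTC time as YYYYMMDDHHMMSS (defaults to the clock).
ocsp_verdict() {
    now="${1:-$(date -u +%Y%m%d%H%M%S)}"
    awk -v now="$now" '
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= 12; i++) mon[m[i]] = i
    }
    # "Dec  4 17:43:49 2010 GMT" -> "20101204174349" (sorts chronologically)
    function stamp(s,   f, t) {
        split(s, f, " "); split(f[3], t, ":")
        return sprintf("%04d%02d%02d%02d%02d%02d", f[4], mon[f[1]], f[2], t[1], t[2], t[3])
    }
    /^Response verify OK/        { verified = 1 }
    /^Responder Error:/          { error = 1 }   # assumed format, e.g. tryLater (3)
    /: (good|revoked|unknown)$/  { n = split($0, p, ": "); status = p[n] }
    /^[ \t]*Next Update: /       { sub(/^[ \t]*Next Update: /, ""); next_update = stamp($0) }
    END {
        # Order matters: nothing is trusted unless the signature check passed.
        if (error)                      print "responder-error"
        else if (!verified)             print "unverified"
        else if (status == "revoked")   print "revoked"
        else if (status != "good")      print "unknown"
        else if (next_update == "" || (next_update "") < (now ""))
                                        print "stale"
        else                            print "good"
    }'
}

# Demo on the "good" sample from the post, evaluated as of 2010-11-21 00:00:00 UTC.
ocsp_verdict 20101121000000 <<'EOF'
Response verify OK
ServerCert.txt: good
This Update: Nov 20 11:20:51 2010 GMT
Next Update: Nov 27 11:20:51 2010 GMT
EOF
```

Only the verdict "good" should be treated as a pass; a response run with -noverify never contains the verify line and so is reported as "unverified".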

pbpaste & pbcopy in Mac OS X (or: Terminal + Clipboard = Fun!)

The OS X shell is very powerful, but some wonderfully useful commands are almost entirely unknown to the community at large. Two of these forgotten commands are pbcopy and pbpaste. Let’s take a quick look at what they can do.

pbcopy

This command allows you to copy text from stdin into the clipboard [1] buffer. Trivial example:

echo 'Hello World!' | pbcopy

“Hello World!” is now in your clipboard.

pbpaste

Pastes from your clipboard to stdout. Trivial example:

echo `pbpaste`

This will echo the contents of your clipboard. If you’re following along you’ll see “Hello World!”.

What Can I Do With These?

What can’t you do! Oh, you want examples? Well…

  • You could grab the output of a grep/awk/sed to paste into IM/IRC.
  • You could use a macro tool (like iKey, QS, et cetera) to create text modifying workflows that grab highlighted text, manipulate it, and replace it inline.
  • You could pull changelogs from svn into the clipboard when tagging for release so you could email them to coworkers.

Let me know what amazing things you come up with to enhance your own productivity!

  1. or pasteboard, hence the prefix “pb”

AvianSafari 1.1.0

I’ve just released AvianSafari 1.1.0.

Features

  • Significant performance improvements
  • Support for “Snowflake” 64-bit status IDs
  • Fixes for timestamps in View Thread

Get it now! Or check out the updated source.