To finish this, find the code below using MSCAPI to verify the ocsp sig. Most MSCAPI function are wrapped in classes but i think you will get the point.
HTH, Sascha bool OcspResponse::ValidateSignature() { DWORD cbDer = 0; PBYTE pbDer = NULL; PCCERT_CONTEXT certContext = NULL; HCRYPTKEY certPubKey = NULL; do { if(m_sigvalidated) break; if(m_rootcert == NULL) break; certContext = m_rootcert->ToCertContext(); if(certContext == NULL) break; ALG_ID sigAlgId = Oid::GetAlgId(m_signaturealgorithm.Oid); if(sigAlgId == 0) break; // gets the DER-formated RespData of the OCSP response pbDer = m_respdata->GetBytes(cbDer); CryptProvider cryptProvider; cryptProvider.Load(); CryptImportPublicKeyInfo( cryptProvider, X509_ASN_ENCODING, &certContext->pCertInfo->SubjectPublicKeyInfo, &certPubKey ); if(certPubKey == NULL) break; GenericHash hash(sigAlgId, &cryptProvider); hash.Create(); hash.Update(pbDer, cbDer); // skip the unused-bits byte Memory::ByteBuffer sig(m_signature.ToPointer()+1, m_signature.Size()-1); sig.Reverse(); // reverse byte-order m_sigvalidated = CryptVerifySignature( hash, sig.ToPointer(), sig.Size(), certPubKey, NULL, 0 ) != 0; } while(false); Memory::SecFree(pbDer); if(certPubKey != NULL) CryptDestroyKey(certPubKey); if(certContext != NULL) CertFreeCertificateContext(certContext); return m_sigvalidated; } > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Sascha Kiefer > Sent: Dienstag, 1. Mai 2007 11:02 > To: openssl-dev@openssl.org > Subject: RE: OCSP Response Signature > > Maybe i figured it out: > The first byte of a bit string tells the number of unused > bits in the last byte of the bit string, right? > > > -----Original Message----- > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED] On Behalf Of Sascha Kiefer > > Sent: Dienstag, 1. Mai 2007 09:08 > > To: openssl-dev@openssl.org > > Subject: RE: OCSP Response Signature > > > > Thanks for the hint. > > I found out that i looked at the right signature value. > > The only difference is that my signature starts with '00'H > (it always > > does). > > Looking at the actually OCSP binary response shows me that > this '00'H > > is really part of the data but it is somehow skipped by the openssl > > implemenation. > > My question now is: why is the '00'H part of the asn.1 > stream but not > > used at all? > > > > Openssl signature value: > > > > 0000: 0d 68 18 d4 8a 35 b0 a4 - 40 79 af c3 a1 93 6f ea > > [EMAIL PROTECTED] > > 0010: 2a 91 51 e4 f6 07 6c a2 - 8e 52 5d 07 87 77 0e 2c > > *æQõ÷.lóÄR].çw., > > 0020: bb 26 4e 07 e1 46 c5 fc - ad 56 ad b2 6a b4 12 fe > > +&N.ßF+³¡V¡¦j¦.¦ > > 0030: c4 0d 89 3f 83 32 6f 5e - 05 eb 10 0b 21 4a ba 56 > > -.ë?â2o^.Ù..!J¦V > > 0040: f8 53 0a 13 0d e3 57 87 - 0f e0 80 d3 a7 f9 a2 78 > > °S...ÒWç.ÓÇ˺¨óx > > 0050: bd 40 dc 4e 95 e3 ca 0a - 4c 02 08 c0 de 5f b9 72 > > [EMAIL PROTECTED] > > 0060: 4e b7 16 7f 10 76 89 0f - ee 59 6c 5c 48 4a cb cb > > NÀ.¦.vë.¯Yl\HJ-- > > 0070: 5e e7 f6 82 8d b5 e0 97 - 8b 80 38 5c c7 81 a5 e5 > > ^þ÷éìÁÓùïÇ8\ÃüÑÕ > > > > My signature value: > > > > 0000: 00 0d 68 18 d4 8a 35 b0 - a4 40 79 af c3 a1 93 6f > > [EMAIL PROTECTED] > > 0010: ea 2a 91 51 e4 f6 07 6c - a2 8e 52 5d 07 87 77 0e > > Û*æQõ÷.lóÄR].çw. > > 0020: 2c bb 26 4e 07 e1 46 c5 - fc ad 56 ad b2 6a b4 12 > > ,+&N.ßF+³¡V¡¦j¦. > > 0030: fe c4 0d 89 3f 83 32 6f - 5e 05 eb 10 0b 21 4a ba > > ¦-.ë?â2o^.Ù..!J¦ > > 0040: 56 f8 53 0a 13 0d e3 57 - 87 0f e0 80 d3 a7 f9 a2 > > V°S...ÒWç.ÓÇ˺¨ó > > 0050: 78 bd 40 dc 4e 95 e3 ca - 0a 4c 02 08 c0 de 5f b9 > > [EMAIL PROTECTED] > > 0060: 72 4e b7 16 7f 10 76 89 - 0f ee 59 6c 5c 48 4a cb > > rNÀ.¦.vë.¯Yl\HJ- > > 0070: cb 5e e7 f6 82 8d b5 e0 - 97 8b 80 38 5c c7 81 a5 > > -^þ÷éìÁÓùïÇ8\ÃüÑ > > 0080: e5 - Õ > > > > > > > -----Original Message----- > > > From: [EMAIL PROTECTED] > > > [mailto:[EMAIL PROTECTED] On Behalf Of Dr. > > Stephen Henson > > > Sent: Freitag, 27. April 2007 20:36 > > > To: openssl-dev@openssl.org > > > Subject: Re: OCSP Response Signature > > > > > > On Fri, Apr 27, 2007, Sascha Kiefer wrote: > > > > > > > Thanks for your response. > > > > Please see the other mail i wrote in response. > > > > The one that has the complete ocsp response dump. > > > > > > > > > > You should be able to use the OpenSSL ocsp utility to test > > that stuff, > > > including (with a debugger or printf) the expected hash > > value of the > > > response. > > > > > > Steve. > > > -- > > > Dr Stephen N. Henson. Email, S/MIME and PGP keys: see > > homepage OpenSSL > > > project core developer and freelance consultant. > > > Funding needed! Details on homepage. > > > Homepage: http://www.drh-consultancy.demon.co.uk > > > > > > ______________________________________________________________________ > > > OpenSSL Project > > http://www.openssl.org > > > Development Mailing List > > openssl-dev@openssl.org > > > Automated List Manager > > [EMAIL PROTECTED] > > > > > > > > ______________________________________________________________________ > > OpenSSL Project > http://www.openssl.org > > Development Mailing List > openssl-dev@openssl.org > > Automated List Manager > [EMAIL PROTECTED] > > > > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > Development Mailing List openssl-dev@openssl.org > Automated List Manager [EMAIL PROTECTED] > ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]