The ocsp utility is something of a jack-of-all-trades; in addition to being able to function as an ocsp client or server (as the manual page categorizes its behavior), it can do a few things that are not really client or server behavior: generating a request but not sending it, parsing a response from file, and mucking around in the revocation database to get the status of a certificate by bypassing the protocol.
The middle case has something of a mismatch between the documentation and the code, though -- the example in the manual page seems to indicate that "openssl ocsp -respin resp.der -text" will just do a conversion of the response from DER to text form, but in actuality, the utility will also attempt to perform validation on the response, which is likely to fail since no -CApath or -CAfile argument is given. (It is possible that the default trust stores could suffice to verify the input response, but that seems unlikely in most cases.)

The other two cases I mentioned above do not suffer from this ambiguity, since if a request is just generated but not sent, there is no response to attempt to validate (so the utility returns success), and if the utility is just checking the server-side database, the check "[i]f running as responder don't verify our own response" triggers an early (success) return.

I see arguments on both sides (that "openssl ocsp -respin resp.der -text" should or should not attempt validation), but am currently leaning towards the status quo that the "client side" always attempts validation, for consistency and simplicity of code -- the risk of having another code path that skips validation and might be overzealous is bigger than the burden of just adding -noverify to the documented example.

I've filed https://github.com/openssl/openssl/pull/650 with a commit that implements that behavior (as well as several other fixups to the ocsp utility and manual page), but am happy to modify it if an alternate resolution is preferred.

-Ben

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
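The three non-client, non-server modes discussed in the post, driven end to end against a throwaway CA so the difference between "openssl ocsp -respin resp.der -text" with and without -noverify is visible. This is an added example, not code from the post or from OpenSSL itself; it assumes an openssl binary on PATH, and every file name below is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): exercise the request-only,
# local-index and parse-from-file modes of `openssl ocsp`. Assumes an
# openssl binary on PATH; all file names are constructed for this demo.
set -eu

make_demo_pki() {
  DEMO=$(mktemp -d); cd "$DEMO"
  # Self-signed issuer plus one leaf it signed (unencrypted keys, demo only).
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
    -subj /CN=demo-ca -days 1 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj /CN=demo-leaf 2>/dev/null
  openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -out leaf.pem -days 1 2>/dev/null
  : > index.txt   # empty CA index: the responder answers "unknown"
}

# 1. Build a request and write it to a file; nothing is sent, so there is
#    no response to validate and the utility exits successfully.
build_request() {
  openssl ocsp -issuer ca.pem -cert leaf.pem -nonce -reqout req.der
}

# 2. Answer the stored request straight from the index (responder mode,
#    no network); the tool does not verify its own response.
answer_from_index() {
  openssl ocsp -index index.txt -rsigner ca.pem -rkey ca.key -CA ca.pem \
    -reqin req.der -respout resp.der
}

# 3. Parse resp.der from a file. Prints "verify-attempted" when the tool
#    tried (and, with no -CAfile/-CApath for demo-ca, failed) to validate
#    the response, and "plain-dump" when -noverify made it a pure
#    DER-to-text conversion. $1 is the extra flag set, possibly empty.
dump_response() {
  err=$(openssl ocsp -respin resp.der -text $1 2>&1 >/dev/null || true)
  case $err in
    *"Response Verify Failure"*) echo verify-attempted ;;
    *)                           echo plain-dump ;;
  esac
}

make_demo_pki
build_request
answer_from_index
dump_response ""          # -> verify-attempted
dump_response -noverify   # -> plain-dump
```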
