Hi,

Not sure if this belongs on users or dev because it might just be me not 
using openssl properly.

I have an OCSP client that signs requests but does not send the 
certificate with the request. It also leaves out the requestorName 
(optional). Note that the OpenSSL ocsp requester always adds the cert when 
it signs a request. According to rfc 2560 it should be legal to not 
include the cert (see below). I think the responder should take an 
argument to specify the request cert. Also, the client should not add the 
cert if just -signkey is specified. I asked about this in a previous post 
so I can't find this support if it is there.

The responder fails (and terminates!) with:
Waiting for OCSP client connections...
Error parsing OCSP request
3188:error:0D078079:asn1 encoding routines:ASN1_ITEM_EX_D2I:field 
missing:.\crypto\asn1\tasn_dec.c:500:Field=certs, Type=OCSP_SIGNATURE
3188:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested 
asn1 error:.\crypto\asn1\tasn_dec.c:749:
3188:error:0D08403A:asn1 encoding routines:ASN1_TEMPLATE_EX_D2I:nested 
asn1 error:.\crypto\asn1\tasn_dec.c:578:Field=optionalSignature, 
Type=OCSP_REQUEST
Responder Error: malformedrequest (1)

Here is the request (hex):
30 3c 30 3a 30 38 30 07 06 05 2b 0e 03 02 1a 04 
14 c5 df d8 af 15 d0 a6 24 30 ab 52 b7 65 c4 2e 
2b 8d 9d da f2 04 14 c0 27 72 26 3f 50 b6 97 23 
92 87 95 e1 b6 06 c9 29 fb f7 4f 02 01 07 a0 81 
94 30 81 91 30 0b 06 09 2a 86 48 86 f7 0d 01 01 
05 03 81 81 00 59 ad a9 fc 1e 1d fe 5f 25 97 2e 
b4 1b 43 ef 02 ae 65 3b a0 3f 88 0c 4c 2d 19 9a 
51 e4 a5 8a 7e ea cd 8d 11 2e 00 e5 b2 fb 9c 8e 
e0 29 ba 5f 30 09 26 e3 a4 a3 cb 21 f4 85 ad 14 
c9 9b 8c 82 72 ee 71 de 89 89 f7 c1 8b 99 c4 8c 
ce 43 2d 4e 06 5e e0 ea 06 23 4b 65 a9 d0 1d 41 
92 7d bb 95 05 74 ec c1 85 58 00 e0 8d ad 9f 6c 
26 15 aa cf b9 65 77 48 93 c2 04 15 c6 6c 2e 01 
bb 45 3e b1 34 
(binary is attached)

resp:
30 03 0a 01 01
(responder then terminates)

ref.
From rfc 2560:

   OCSPRequest     ::=     SEQUENCE {
       tbsRequest                  TBSRequest,
       optionalSignature   [0]     EXPLICIT Signature OPTIONAL }

So the signature block is optional - supported by OpenSSL.

And:
   Signature       ::=     SEQUENCE {
       signatureAlgorithm      AlgorithmIdentifier,
       signature               BIT STRING,
       certs               [0] EXPLICIT SEQUENCE OF Certificate
   OPTIONAL}

Which shows the certs are optional too.

Regards,

Simon McMahon.

Attachment: gskreq.der
Description: Binary data
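An added example (not code from the post or from OpenSSL): a small Python DER walker that decodes the OCSPRequest and Signature layout quoted above and treats an absent Signature.certs as legal rather than a parse failure, which is the behaviour RFC 2560 allows. The three sample requests, the BIT STRING contents and the empty Certificate placeholder are constructed here for structure only and are not real signatures or certificates.

```python
SHA1_OID = bytes.fromhex("2b0e03021a")              # 1.3.14.3.2.26 (sha1)
SHA1_RSA_OID = bytes.fromhex("2a864886f70d010105")  # 1.2.840.113549.1.1.5 (sha1WithRSAEncryption)

def tlv(tag, value):
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def der_children(value):
    """Split a constructed DER value into its (tag, contents) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, ln, pos = value[pos], value[pos + 1], pos + 2
        if ln & 0x80:                                   # long-form length
            n = ln & 0x7F
            ln, pos = int.from_bytes(value[pos:pos + n], "big"), pos + n
        out.append((tag, value[pos:pos + ln]))
        pos += ln
    return out

def inspect_ocsp_request(der):
    """Report whether optionalSignature and Signature.certs are present (RFC 2560 4.1.1)."""
    (tag, body), = der_children(der)
    if tag != 0x30:
        raise ValueError("OCSPRequest must be a SEQUENCE")
    fields = der_children(body)                         # tbsRequest, then optionalSignature [0] if any
    info = {"signed": False, "certs_present": False, "cert_count": 0}
    if len(fields) == 2 and fields[1][0] == 0xA0:
        (sig_tag, sig), = der_children(fields[1][1])    # [0] EXPLICIT wraps one Signature SEQUENCE
        if sig_tag != 0x30:
            raise ValueError("Signature must be a SEQUENCE")
        info["signed"] = True
        certs = [v for t, v in der_children(sig)[2:] if t == 0xA0]  # certs [0] EXPLICIT, OPTIONAL
        if certs:                                       # absent certs is legal: do not reject
            (_, cert_seq), = der_children(certs[0])
            info["certs_present"], info["cert_count"] = True, len(der_children(cert_seq))
    return info

# Constructed samples: structure only; the BIT STRING and the Certificate are placeholders.
cert_id = tlv(0x30, tlv(0x30, tlv(0x06, SHA1_OID) + tlv(0x05, b"")) + tlv(0x04, b"\xc5" * 20)
              + tlv(0x04, b"\xc0" * 20) + tlv(0x02, b"\x07"))
TBS = tlv(0x30, tlv(0x30, tlv(0x30, cert_id)))          # TBSRequest { requestList { Request { reqCert } } }
sig_body = tlv(0x30, tlv(0x06, SHA1_RSA_OID) + tlv(0x05, b"")) + tlv(0x03, b"\x00" + b"\x59" * 128)
certs = tlv(0xA0, tlv(0x30, tlv(0x30, b"")))            # certs [0] holding one placeholder Certificate
REQ_UNSIGNED = tlv(0x30, TBS)
REQ_SIGNED_NO_CERTS = tlv(0x30, TBS + tlv(0xA0, tlv(0x30, sig_body)))
REQ_SIGNED_WITH_CERTS = tlv(0x30, TBS + tlv(0xA0, tlv(0x30, sig_body + certs)))
```

Running `inspect_ocsp_request` over each sample shows the signed-without-certs case decoding cleanly, the case the responder above rejected as malformedrequest.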
