On Mon, Nov 13, 2006, Simon McMahon wrote:

> Hi,
>
> Not sure if this belongs on users or dev because it might just be me not
> using openssl properly.
>
> I have an OCSP client that signs requests but does not send the
> certificate with the request. It also leaves out the requestorName
> (optional). Note that the OpenSSL ocsp requester always adds the cert when
> it signs a request. According to rfc 2560 it should be legal to not
> include the cert (see below). I think the responder should take an
> argument to specify the request cert. Also, the client should not add the
> cert if just -signkey is specified. I asked about this in a previous post
> so I can't find this support if it is there.
>

Note that requestorName is mandatory if the request is signed: see RFC2560
4.1.2.

The certificate should be omitted from the request if the -no_certs option
is given.

> The responder fails (and terminates!) with :

Well it is more a test utility than a responder. It is possible to make it
continue after an error with the -ignore_err command line option.

> Waiting for OCSP client connections...
> Error parsing OCSP request
> 3188:error:0D078079:asn1 encoding routines:ASN1_ITEM_EX_D2I:field
> missing:.\crypto\asn1\tasn_dec.c:500:Field=certs, Type=OCSP_SIGNATURE
> 3188:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested
> asn1 error:.\crypto\asn1\tasn_dec.c:749:
> 3188:error:0D08403A:asn1 encoding routines:ASN1_TEMPLATE_EX_D2I:nested
> asn1 error:.\crypto\asn1\tasn_dec.c:578:Field=optionalSignature,
> Type=OCSP_REQUEST
> Responder Error: malformedrequest (1)
>

Ah that's a bug in the ASN1 module associated with the OCSP request. I'll
look into fixing that.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
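An added example, not part of the original thread and not OpenSSL code: a small DER walker that reports whether an OCSPRequest carries requestorName, optionalSignature and certs, treating certs as OPTIONAL inside Signature as RFC 2560 defines it, and applying the requestorName rule as stated in the reply above. The function names, the `name_ok_if_signed` key and the sample bytes are constructed for illustration.

```python
SEQ, BITSTR, CTX0, CTX1 = 0x30, 0x03, 0xA0, 0xA1   # DER tags used by OCSPRequest

def read_tlv(buf, pos=0):
    """Decode one DER TLV at pos; return (tag, value_bytes, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits count the length octets
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("bad length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed value into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def inspect_ocsp_request(der):
    """Report which optional fields of an RFC 2560 OCSPRequest are present."""
    tag, body, end = read_tlv(der)
    fields = children(body) if tag == SEQ and end == len(der) else []
    if not fields or fields[0][0] != SEQ:
        raise ValueError("not an OCSPRequest")
    info = {"requestorName": CTX1 in dict(children(fields[0][1])), "signed": False, "certs": False}
    if len(fields) > 1:                     # optionalSignature [0] EXPLICIT Signature
        inner = children(fields[1][1]) if fields[1][0] == CTX0 else []
        sig = children(inner[0][1]) if inner else []
        if [t for t, _ in sig[:2]] != [SEQ, BITSTR]:
            raise ValueError("malformed optionalSignature")
        info["signed"] = True
        info["certs"] = len(sig) > 2 and sig[2][0] == CTX0   # certs [0] is OPTIONAL
    # Rule as stated in the reply: a signed request must carry requestorName.
    return dict(info, name_ok_if_signed=info["requestorName"] or not info["signed"])

def tlv(tag, value):                        # encoder for the constructed samples only
    return bytes([tag, len(value)]) + value  # short-form lengths (< 128 bytes)

def sample_request(with_name, signed):
    """Constructed test data: placeholder contents, dummy signature, never any certs."""
    name = tlv(CTX1, tlv(0x81, b"client@example.test")) if with_name else b""
    tbs = name + tlv(SEQ, tlv(SEQ, tlv(SEQ, b"")))          # requestList, empty CertID
    alg = tlv(SEQ, tlv(0x06, bytes.fromhex("2a864886f70d010105")) + tlv(0x05, b""))
    sig = tlv(CTX0, tlv(SEQ, alg + tlv(BITSTR, b"\x00" + b"\x5a" * 16))) if signed else b""
    return tlv(SEQ, tlv(SEQ, tbs) + sig)
```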
