Hi Steve,

Your prompt assistance is much appreciated!

> Well it is more a test utility than a responder.

No worries, that's exactly how we use it too and it is excellent for that purpose. That is why we are getting into all these corner cases and obscure features. I personally can't see much point in request-signing in the OCSP protocol when ssl with client auth would have done the same thing.

> Ah that's a bug in the ASN1 module associated with the OCSP request. I'll
> look into fixing that.

Thanks. My other post shows the openssl request (with -no_certs) includes an empty sequence for 'certs' which the responder must be looking for.

I'm still not sure how or if the responder is validating the request in the -no_certs case. I used a cert that the responder could not have known and it still responded 'good'. I.e. no error regarding request validation.

Cheers,

Simon McMahon


"Dr. Stephen Henson" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
11/13/2006 11:56 AM
Please respond to openssl-users@openssl.org

To: openssl-users@openssl.org
cc:
Subject: Re: ocsp signed requests - bug ?

On Mon, Nov 13, 2006, Simon McMahon wrote:

> Hi,
>
> Not sure if this belongs on users or dev because it might just be me not
> using openssl properly.
>
> I have an OCSP client that signs requests but does not send the
> certificate with the request. It also leaves out the requestorName
> (optional). Note that the OpenSSL ocsp requester always adds the cert when
> it signs a request. According to rfc 2560 it should be legal to not
> include the cert (see below). I think the responder should take an
> argument to specify the request cert. Also, the client should not add the
> cert if just -signkey is specified. I asked about this in a previous post
> so I can't find this support if it is there.
>

Note that requestorName is mandatory if the request is signed: see RFC2560 4.1.2.

The certificate should be omitted from the request if the -no_certs option is given.

> The responder fails (and terminates!) with :

Well it is more a test utility than a responder. It is possible to make it continue after an error with the -ignore_err command line option.

> Waiting for OCSP client connections...
> Error parsing OCSP request
> 3188:error:0D078079:asn1 encoding routines:ASN1_ITEM_EX_D2I:field missing:.\crypto\asn1\tasn_dec.c:500:Field=certs, Type=OCSP_SIGNATURE
> 3188:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:.\crypto\asn1\tasn_dec.c:749:
> 3188:error:0D08403A:asn1 encoding routines:ASN1_TEMPLATE_EX_D2I:nested asn1 error:.\crypto\asn1\tasn_dec.c:578:Field=optionalSignature, Type=OCSP_REQUEST
> Responder Error: malformedrequest (1)
>

Ah that's a bug in the ASN1 module associated with the OCSP request. I'll look into fixing that.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
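An added example, not from this thread and not OpenSSL code: a small Python checker that walks the DER of an OCSPRequest and reports the two points raised above, whether a signed request carries requestorName (mandatory per RFC 2560 4.1.2) and whether the certs field inside optionalSignature is absent, empty or populated, so a responder can tell when the signer certificate has to come from its own store rather than from the request. The sample requests it builds are constructed with placeholder hashes and signature bytes (the client name ocsp-client.example is made up); nothing is cryptographically verified.

```python
# Added example (not OpenSSL code): inspect the signing-related fields of a DER
# OCSPRequest (RFC 2560 4.1.1); sample hashes and signature bytes are placeholders.
SHA1, SHA1_RSA = bytes.fromhex("2b0e03021a"), bytes.fromhex("2a864886f70d010105")

def der(tag, body):  # one DER TLV with a minimal definite-length encoding
    n = len(body)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + body

def tlvs(buf):  # yield (tag, value) for the TLVs concatenated in buf
    i = 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:                     # long-form length: n & 0x7F length bytes follow
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        yield tag, buf[i:i + n]
        i += n

def inspect_ocsp_request(raw):  # signed? requestorName? certs absent/empty/present?
    (_, body), = tlvs(raw)               # the outer OCSPRequest SEQUENCE
    parts = list(tlvs(body))             # tbsRequest, then optionalSignature if any
    info = {"signed": False, "certs": "absent",
            "requestor_name": any(t == 0xA1 for t, _ in tlvs(parts[0][1]))}
    for t, v in parts[1:]:
        if t == 0xA0:                    # optionalSignature [0] EXPLICIT Signature
            info["signed"] = True
            for st, sv in tlvs(next(tlvs(v))[1]):
                if st == 0xA0:           # certs [0] EXPLICIT SEQUENCE OF Certificate
                    info["certs"] = "present" if next(tlvs(sv))[1] else "empty"
    return info

def check_signed_request(raw):  # what a responder should flag before trusting the signature
    info, problems = inspect_ocsp_request(raw), []
    if info["signed"] and not info["requestor_name"]:
        problems.append("signed request lacks requestorName (RFC 2560 4.1.2)")
    if info["signed"] and info["certs"] != "present":
        problems.append("no signer certificate in request; responder must already hold it")
    return problems

def sample_request(signed=True, with_name=True, certs=None):
    # constructed request; certs=None omits the field, b"" sends an empty certificate list
    cert_id = der(0x30, der(0x30, der(0x06, SHA1) + der(0x05, b"")) + der(0x04, b"\x11" * 20) * 2 + der(0x02, b"\x01"))
    name = der(0xA1, der(0x82, b"ocsp-client.example")) if with_name else b""  # dNSName
    tbs = der(0x30, name + der(0x30, der(0x30, cert_id)))  # requestList holds one Request
    sig = der(0x30, der(0x06, SHA1_RSA) + der(0x05, b"")) + der(0x03, b"\x00" + b"\xab" * 16)
    if certs is not None:
        sig += der(0xA0, der(0x30, certs))
    return der(0x30, tbs + (der(0xA0, der(0x30, sig)) if signed else b""))
```

Running check_signed_request over a request produced with -signkey and -no_certs but without a requestorName reproduces both findings; the empty-certs case mirrors the empty 'certs' sequence mentioned above.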