Thanks Steve and Erwann,

Putting the OCSP response inside a tagged object did the job for OpenSSL recognizing the OtherRevocationInfoFormat. BouncyCastle also changed the CMS version to 5 automatically when I did it, and I've changed the OID to the proper one (id-ri-ocsp-response).

Now OpenSSL is complaining about a wrong tag :(
But I've re-checked the structure, and it seems fine now.


Here are the logs:

gabriel@gag-desktop:~/bin/openssl_src$ ~/bin/viewCert.sh /tmp/sig3/META-INF/BR-ecdsaTest.EC
Error reading S/MIME message
3076483816:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1319:
3076483816:error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error:tasn_dec.c:831:
3076483816:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:751:Field=otherRevInfoFormat, Type=CMS_OtherRevocationInfoFormat
3076483816:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:737:

In the source, this is thrown when the asn1_check_tlen() function (/*Check an ASN1 tag and length*/) is called and returns an error, so I've added a printf to get more details (as there's no verbose flag to openssl cms):
    if (exptag >= 0)
        {
        if (exptag != ptag)
            {
            /* added for debugging: print the expected and the parsed tag */
            printf("exptag %d\n", exptag);
            printf("ptag %d\n", ptag);
            }
...
exptag 6
ptag 16
Error reading S/MIME message...

And if I issue 'openssl ocsp -respin resp.der' the response contents are printed just fine, so it is ok. resp.der has the same binary contents as the "response as received" tag below:

______________________ references
RFC 2560 4.2.1:
   OCSPResponse ::= SEQUENCE {
      responseStatus         OCSPResponseStatus,
      responseBytes          [0] EXPLICIT ResponseBytes OPTIONAL }

   OCSPResponseStatus ::= ENUMERATED {
       successful            (0),  --Response has valid confirmations
       malformedRequest      (1),  --Illegal confirmation request

RFC 5652 10.2.1:
For example, Online Certificate Status Protocol (OCSP) Responses [OCSP] can be supported using the OtherRevocationInfoFormat.
...
OtherRevocationInfoFormat ::= SEQUENCE {
        otherRevInfoFormat OBJECT IDENTIFIER,
        otherRevInfo ANY DEFINED BY otherRevInfoFormat }

_______________________ generated structure
SEQUENCE(2 elem) //Modified CMS structure with an embedded OCSP response - OpenSSL doesn't like it
    OBJECT IDENTIFIER 1.2.840.113549.1.7.2 //signedData PKCS #7
    [0] (1) //SignedData
        SEQUENCE(6 elem) //RFC 3852
            INTEGER 5 //CMS version - now correct
            SET (1 elem) //folded - digest algs.
            SEQUENCE(1 elem) //folded - encap. content info
            [0](2) //folded - certificates
            [1](1) //CRLS
                [1](1) //OtherRevocationInfoFormat
                    SEQUENCE (2 elem) //OCSP response
                        OBJECT IDENTIFIER 1.3.6.1.5.5.7.16.2 // id-ri-ocsp-response
                        SEQUENCE (2 elem) // <-- response as received - rfc2560 item 4.2.1
                            ENUMERATED (0) // Response has valid confirmations
                            [0] //EXPLICIT ResponseBytes
                                SEQUENCE (2 elem)
                                    OBJECT IDENTIFIER 1.3.6.1.5.5.7.48.1.1 // ocspBasic
                                    OCTET STRING (1 elem) //folded - issuer identification and certificate
                                        SEQUENCE(4 elem)
                                            SEQUENCE(4 elem)
                                                [0](1) //version
                                                [1](1) //folded - issuer info - Thawte SGC OCSP Responder
                                                GeneralizedTime 2011-09-20 05:51:40 UTC //issued time
                                                SEQUENCE (1 elem) //status info and hashes
                                            SEQUENCE(2 elem) //sig. alg
                                            BIT STRING(1024 bit)
                                            [0](1) //signature
            SET(1 elem) //folded - CMS signer info

Thanks for any comment.

On 22-09-2011 11:48, Erwann Abalea wrote:
Le 22/09/2011 16:10, Dr. Stephen Henson a écrit :
On Thu, Sep 22, 2011, Erwann Abalea wrote:

------------------------------------------------------------------------
*Gabriel Marques*
R&D Technical Leader

Fundação CERTI
CCD
g...@certi.org.br <mailto:g...@certi.org.br>
www.certi.org.br <http://www.certi.org.br>
Fone: +55 48 3239-2163
Fax: +55 48 3239-2009
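Added example, not code from the thread or from OpenSSL or BouncyCastle: a small pure-Python DER encoder/decoder that builds the RevocationInfoChoices entry for an OCSP response two ways and then checks it the way the OpenSSL template decoder does. RFC 5652 section 10.2.1 defines the choice as `other [1] IMPLICIT OtherRevocationInfoFormat`, so the [1] tag replaces the SEQUENCE tag and the first element found inside it must be the otherRevInfoFormat OBJECT IDENTIFIER (universal tag 6). The checker reports the expected and parsed tag numbers in the same `exptag`/`ptag` terms as the debug printf above; the OCSP response body it embeds is a constructed placeholder (status successful, no responseBytes), not a real responder output, and the function names are my own.

```python
"""Build a CMS RevocationInfoChoices entry carrying an OCSP response and check its tagging.

Constructed example: DER helpers are hand-rolled so the script runs with no dependencies.
"""

TAG_OID = 0x06            # universal OBJECT IDENTIFIER
TAG_ENUM = 0x0A           # universal ENUMERATED
TAG_SEQ = 0x30            # universal SEQUENCE (constructed)
TAG_CTX1_CONS = 0xA1      # context-specific [1], constructed

# OID from RFC 5652 / the thread above; also encoded in the structure dump as 1.3.6.1.5.5.7.16.2
ID_RI_OCSP_RESPONSE = "1.3.6.1.5.5.7.16.2"


def der_len(n: int) -> bytes:
    """Definite-length encoding: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    """Wrap content in a tag byte and a DER length."""
    return bytes([tag]) + der_len(len(content)) + content


def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER TLV (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return tlv(TAG_OID, bytes(out))


def constructed_ocsp_response() -> bytes:
    """OCSPResponse ::= SEQUENCE { responseStatus ENUMERATED, responseBytes [0] EXPLICIT ... OPTIONAL }.
    Placeholder: status successful(0), responseBytes omitted (constructed, not a real response)."""
    return tlv(TAG_SEQ, tlv(TAG_ENUM, b"\x00"))


def other_revocation_info_format(ocsp_der: bytes) -> bytes:
    """OtherRevocationInfoFormat ::= SEQUENCE { otherRevInfoFormat OID, otherRevInfo ANY }."""
    return tlv(TAG_SEQ, encode_oid(ID_RI_OCSP_RESPONSE) + ocsp_der)


def revocation_info_choice_implicit(orif: bytes) -> bytes:
    """other [1] IMPLICIT OtherRevocationInfoFormat: the [1] tag *replaces* the SEQUENCE tag,
    so byte 0x30 becomes 0xA1 and the length/contents are left untouched."""
    assert orif[0] == TAG_SEQ
    return bytes([TAG_CTX1_CONS]) + orif[1:]


def revocation_info_choice_wrapped(orif: bytes) -> bytes:
    """The EXPLICIT shape: [1] containing the whole SEQUENCE. A decoder that expects
    IMPLICIT tagging sees a SEQUENCE where it wants the OID field."""
    return tlv(TAG_CTX1_CONS, orif)


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag_byte, content, next_pos) for the TLV at pos; handles short and long lengths."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr = 2 + n
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def check_other_rev_info_choice(choice_der: bytes) -> dict:
    """Mimic the template decoder: outer tag must be [1] constructed, and because the tag
    is IMPLICIT the first TLV inside must be otherRevInfoFormat (tag number 6)."""
    tag, content, _ = read_tlv(choice_der)
    if tag != TAG_CTX1_CONS:
        return {"ok": False, "field": "other", "exptag": 1, "ptag": tag & 0x1F}
    inner_tag, _, _ = read_tlv(content)
    ptag = inner_tag & 0x1F
    return {"ok": ptag == TAG_OID, "field": "otherRevInfoFormat", "exptag": TAG_OID, "ptag": ptag}


if __name__ == "__main__":
    orif = other_revocation_info_format(constructed_ocsp_response())
    for name, choice in (("implicit", revocation_info_choice_implicit(orif)),
                         ("wrapped", revocation_info_choice_wrapped(orif))):
        r = check_other_rev_info_choice(choice)
        print(f"{name}: ok={r['ok']} field={r['field']} exptag {r['exptag']} ptag {r['ptag']}")
```

Running it prints `exptag 6 ptag 6` for the implicitly tagged form and `exptag 6 ptag 16` for the form with an extra SEQUENCE inside the [1] tag, which is the pairing the debug printf produces when the decoder expects an OID and meets a SEQUENCE.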

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
