Hi,

I am attempting to implement an OCSP responder in Python using the asn1crypto library [1]. I managed to parse an OCSP request generated by openssl, but when I try to parse an OCSP request generated by StrongSwan I bump into the issue described at the asn1crypto issue tracker [2]. They claim that the request is malformed, but that can easily be a problem on my side. I manage to parse and give a response suitable for StrongSwan if I skip parsing the OCSP request extensions, including the nonce.

I was digging through the StrongSwan code and I discovered that the OCSP response signature is checked, but no additional checks for nonce or timestamps are performed [3]. Could any of you point out what I might be doing wrong, or have I found bugs in StrongSwan's OCSP implementation?

1. https://github.com/wbond/asn1crypto/
2. https://github.com/wbond/asn1crypto/issues/56
3. https://github.com/strongswan/strongswan/blob/master/src/libstrongswan/plugins/x509/x509_ocsp_response.c#L756

--
Lauri Võsandi
tel: +372 53329412
e-mail: [email protected]
blog: http://lauri.vosandi.com/
