Hi Jörn, Lauri,

Thanks for the report and sorry for the delay.

> I'm convinced that it's a bug in strongswan.
> src/libstrongswan/plugins/x509/x509_ocsp_request.c function build_nonce.
>
>     return asn1_wrap(ASN1_SEQUENCE, "cm", ASN1_nonce_oid,
>         asn1_simple_object(ASN1_OCTET_STRING, this->nonce));
>
> This creates an ASN1_SEQUENCE which contains the extension OID and an
> ASN1_OCTET_STRING with the nonce.
>
> Correct behaviour would be to wrap the OctetString in another
> OctetString.

Agreed.

> Correct code may look like this (Better triple check it, I'm mostly guessing
> here!):
>
>     return asn1_wrap(ASN1_SEQUENCE, "cm", ASN1_nonce_oid,
>         asn1_wrap(ASN1_OCTET_STRING, "m", asn1_simple_object(
>             ASN1_OCTET_STRING, this->nonce)));

Looks about right :) Pushed to master [1].

Regards,
Tobias

[1] https://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=d7dc677e
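
The two layouts discussed in this thread, side by side, as an added example that is not strongSwan code and not part of the original message. `der_wrap`, `build_nonce_ext` and `nonce_ext_is_wrapped` are hypothetical stand-alone helpers (they do not use strongSwan's `asn1_wrap`); only short-form DER lengths and nonces of up to 32 bytes are handled.

```c
#include <stddef.h>
#include <string.h>

/* DER of id-pkix-ocsp-nonce (1.3.6.1.5.5.7.48.1.2), tag and length included */
static const unsigned char NONCE_OID[] =
    {0x06, 0x09, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x02};

/* Emit tag, short-form length, body; only valid for bodies under 128 bytes */
static size_t der_wrap(unsigned char tag, const unsigned char *body, size_t len,
                       unsigned char *out)
{
    out[0] = tag;
    out[1] = (unsigned char)len;
    memcpy(out + 2, body, len);
    return len + 2;
}

/* Build the nonce Extension into out (>= 64 bytes); returns 0 on bad input.
 * double_wrap 0: layout from the report, nonce bytes directly in extnValue.
 * double_wrap 1: agreed layout, extnValue carries a DER OCTET STRING. */
size_t build_nonce_ext(const unsigned char *nonce, size_t n, int double_wrap,
                       unsigned char *out)
{
    unsigned char inner[40], body[64];
    size_t oid = sizeof(NONCE_OID), vlen;

    if (n == 0 || n > 32)
        return 0;
    memcpy(body, NONCE_OID, oid);
    if (double_wrap) {
        vlen = der_wrap(0x04, nonce, n, inner);
        vlen = der_wrap(0x04, inner, vlen, body + oid);
    } else {
        vlen = der_wrap(0x04, nonce, n, body + oid);
    }
    return der_wrap(0x30, body, oid + vlen, out);
}

/* 1 if extnValue contains exactly one inner OCTET STRING, else 0 */
int nonce_ext_is_wrapped(const unsigned char *ext, size_t len)
{
    size_t oid = sizeof(NONCE_OID);
    const unsigned char *v = ext + 2 + oid;

    if (len < oid + 6 || len > 129 || ext[0] != 0x30 || ext[1] != len - 2 ||
        memcmp(ext + 2, NONCE_OID, oid) != 0)
        return 0;
    len -= 2 + oid;                       /* bytes left for extnValue */
    return v[0] == 0x04 && v[1] == len - 2 && v[2] == 0x04 && v[3] == len - 4;
}
```

A nonce placed directly in extnValue whose first two bytes happen to be 0x04 and a matching length would also pass `nonce_ext_is_wrapped`, so treat it as a structural check on the encoding rather than proof of how the sender built it.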
