Hi!! Finally I installed the OCSP server on my machine and now I'm doing several tests... and I think there is a problem between the OpenSSL OCSP client and the OpenCA OCSP server, or a bug in the OpenCA OCSP server code.

I have a test PKI with only 6 certificates, an OpenCA OCSPServer listening on port 2560 and an OpenSSL OCSPServer listening on port 8888. All is OK, but when I request a certificate that doesn't exist in my PKI there is a problem. When I request with the openssl client:

  /usr/local/ssl/bin/openssl ocsp -issuer cacerts/cacert.pem -cert certs/03.pem -serial 10 -CAfile cacerts/cacert.pem -url http://localhost:2560 -respout ./response_openca.der -reqout ./request_openca.der -text > ./ocsp_openca.txt

the response is:

  certs/03.pem: good
  This Update: Jul 17 18:00:37 2003 GMT
  Next Update: Jul 17 18:05:37 2003 GMT
  10: good
  This Update: Jul 17 18:00:37 2003 GMT
  Next Update: Jul 17 18:05:37 2003 GMT

but I don't have any certificate with serial number 10!! With the OpenSSL OCSP server the request is:

  /usr/local/ssl/bin/openssl ocsp -issuer cacerts/cacert.pem -cert certs/03.pem -serial 10 -CAfile cacerts/cacert.pem -url http://localhost:8888 -respout ./response_openssl.der -reqout ./request_openssl.der -text > ./ocsp_openssl.txt

and the response is:

  certs/03.pem: good
  This Update: Jul 17 17:49:27 2003 GMT
  10: unknown
  This Update: Jul 17 17:49:27 2003 GMT

So, I think there is a bug in the OpenCA OCSPServer :( or, can anybody explain this OpenCA OCSPServer behaviour to me?

Thanks
Lucio.
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 02E798C281867EA15BAE0A2C11E8910B3131BE4F
Issuer Key Hash: C06E244F10D69F51BB78399E453B5BDCF37BE571
Serial Number: 03
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 02E798C281867EA15BAE0A2C11E8910B3131BE4F
Issuer Key Hash: C06E244F10D69F51BB78399E453B5BDCF37BE571
Serial Number: 0A
Request Extensions:
OCSP Nonce:
C97CA5469D5415BAACA8F5EE5A50A77C
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C = ES, O = LCCert, OU = Internet, CN = OCSPResponder, serialNumber
= 6
Produced At: Jul 17 18:16:21 2003 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 02E798C281867EA15BAE0A2C11E8910B3131BE4F
Issuer Key Hash: C06E244F10D69F51BB78399E453B5BDCF37BE571
Serial Number: 03
Cert Status: good
This Update: Jul 17 18:16:21 2003 GMT
Next Update: Jul 17 18:21:21 2003 GMT
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 02E798C281867EA15BAE0A2C11E8910B3131BE4F
Issuer Key Hash: C06E244F10D69F51BB78399E453B5BDCF37BE571
Serial Number: 0A
Cert Status: good
This Update: Jul 17 18:16:21 2003 GMT
Next Update: Jul 17 18:21:21 2003 GMT
Response Extensions:
OCSP Nonce:
C97CA5469D5415BAACA8F5EE5A50A77C
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 6 (0x6)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=ES, O=LCIngenieria, OU=LCCert, CN=ca/[EMAIL PROTECTED]
Validity
Not Before: Jul 16 20:29:41 2003 GMT
Not After : Jul 15 20:29:41 2004 GMT
Subject: C=ES, O=LCCert, OU=Internet, CN=OCSPResponder/serialNumber=6
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:e6:6e:0a:ab:dd:b8:c3:ff:ce:8a:16:7e:05:ce:
da:f2:ba:22:a3:a0:3a:9c:d0:bd:b3:38:93:2f:03:
1e:46:a4:d2:50:15:41:87:60:7d:6b:70:aa:2b:73:
7a:56:13:35:4f:40:37:c8:d5:73:e5:48:34:d5:8b:
a5:f2:0f:69:7d:95:c9:32:16:de:13:2c:c5:f2:92:
05:fb:d5:22:1a:78:0a:75:8a:86:19:bc:fc:2e:d8:
75:09:ad:5e:6a:15:7b:8d:82:be:f8:84:c5:6d:a1:
ed:a6:58:3d:56:6a:63:d3:ff:62:72:1e:b2:27:4c:
c9:c8:f9:1b:28:08:05:a4:43
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Client, S/MIME
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, OCSP Signing
Netscape Comment:
OCSPResponder Certificate of LCCert, for testing only!!
X509v3 Subject Key Identifier:
DA:6B:7F:98:4D:7C:38:3A:D9:CB:BF:84:2D:17:20:BB:76:4D:73:B1
X509v3 Authority Key Identifier:
keyid:C0:6E:24:4F:10:D6:9F:51:BB:78:39:9E:45:3B:5B:DC:F3:7B:E5:71
DirName:/C=ES/O=LCIngenieria/OU=LCCert/CN=ca/[EMAIL PROTECTED]
serial:00
X509v3 Subject Alternative Name:
email:[EMAIL PROTECTED]
X509v3 Issuer Alternative Name:
email:[EMAIL PROTECTED]
Netscape CA Revocation Url:
http/ca.lccert.lcingenieria.com:8002/pub/crl/cacrl.crl
Netscape Revocation Url:
http://ca.lccert.lcingenieria.com:8002/pub/crl/cacrl.crl
X509v3 CRL Distribution Points:
URI:http://ca.lccert.lcingenieria.com:8002/pub/crl/cacrl.crl
Signature Algorithm: sha1WithRSAEncryption
5c:0e:5c:3f:18:97:ad:55:44:51:ae:e3:9f:3e:1c:0f:4f:c5:
e6:ef:46:5e:35:27:fc:b6:48:9e:63:66:9a:a7:ee:51:f0:72:
19:49:c3:cc:84:a1:f4:72:7f:e4:bc:6a:4b:14:b9:6d:23:86:
e7:c2:45:31:59:68:46:35:44:0c:58:87:21:a6:14:b7:51:37:
31:63:38:3d:b5:d1:f9:d5:04:9a:44:a9:2f:17:6c:4b:40:57:
17:e6:2a:f8:0b:4e:47:db:15:73:f5:6c:d0:fb:d1:b5:47:ed:
85:1f:59:b6:6d:2c:ef:57:92:32:90:e3:56:14:e3:14:5e:f6:
ea:09:1c:f5:e7:b6:49:03:45:ac:72:d3:cd:d2:1e:5d:86:ce:
b4:7d:9c:f8:e2:fa:77:10:f7:5f:17:39:88:34:4e:47:5c:ac:
8f:1f:73:86:ea:39:b0:bb:13:60:5e:be:77:fd:7f:c8:16:3a:
ef:61:b4:33:79:e5:90:b5:38:bd:ab:72:22:e6:24:00:b7:bc:
aa:59:38:29:79:f4:a4:4c:b4:bb:d2:3c:b0:52:5e:bc:12:54:
b3:1b:33:b3:7f:b9:78:fa:50:c7:9b:6d:1c:43:8f:f0:0b:e6:
d5:dd:3a:07:2f:94:34:8a:a4:18:aa:f1:d4:cd:5b:de:73:ba:
b4:b4:63:40
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
certs/03.pem: good
This Update: Jul 17 18:16:21 2003 GMT
Next Update: Jul 17 18:21:21 2003 GMT
10: good
This Update: Jul 17 18:16:21 2003 GMT
Next Update: Jul 17 18:21:21 2003 GMT
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 02E798C281867EA15BAE0A2C11E8910B3131BE4F
Issuer Key Hash: C06E244F10D69F51BB78399E453B5BDCF37BE571
Serial Number: 03
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 02E798C281867EA15BAE0A2C11E8910B3131BE4F
Issuer Key Hash: C06E244F10D69F51BB78399E453B5BDCF37BE571
Serial Number: 0A
Request Extensions:
OCSP Nonce:
106E02979372FFAAE6D57CC094D5FF5C
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C = ES, O = LCCert, OU = Internet, CN = OCSPResponder, serialNumber
= 6
Produced At: Jul 17 18:16:52 2003 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 02E798C281867EA15BAE0A2C11E8910B3131BE4F
Issuer Key Hash: C06E244F10D69F51BB78399E453B5BDCF37BE571
Serial Number: 03
Cert Status: good
This Update: Jul 17 18:16:52 2003 GMT
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 02E798C281867EA15BAE0A2C11E8910B3131BE4F
Issuer Key Hash: C06E244F10D69F51BB78399E453B5BDCF37BE571
Serial Number: 0A
Cert Status: unknown
This Update: Jul 17 18:16:52 2003 GMT
Response Extensions:
OCSP Nonce:
106E02979372FFAAE6D57CC094D5FF5C
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 6 (0x6)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=ES, O=LCIngenieria, OU=LCCert, CN=ca/[EMAIL PROTECTED]
Validity
Not Before: Jul 16 20:29:41 2003 GMT
Not After : Jul 15 20:29:41 2004 GMT
Subject: C=ES, O=LCCert, OU=Internet, CN=OCSPResponder/serialNumber=6
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:e6:6e:0a:ab:dd:b8:c3:ff:ce:8a:16:7e:05:ce:
da:f2:ba:22:a3:a0:3a:9c:d0:bd:b3:38:93:2f:03:
1e:46:a4:d2:50:15:41:87:60:7d:6b:70:aa:2b:73:
7a:56:13:35:4f:40:37:c8:d5:73:e5:48:34:d5:8b:
a5:f2:0f:69:7d:95:c9:32:16:de:13:2c:c5:f2:92:
05:fb:d5:22:1a:78:0a:75:8a:86:19:bc:fc:2e:d8:
75:09:ad:5e:6a:15:7b:8d:82:be:f8:84:c5:6d:a1:
ed:a6:58:3d:56:6a:63:d3:ff:62:72:1e:b2:27:4c:
c9:c8:f9:1b:28:08:05:a4:43
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Client, S/MIME
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, OCSP Signing
Netscape Comment:
OCSPResponder Certificate of LCCert, for testing only!!
X509v3 Subject Key Identifier:
DA:6B:7F:98:4D:7C:38:3A:D9:CB:BF:84:2D:17:20:BB:76:4D:73:B1
X509v3 Authority Key Identifier:
keyid:C0:6E:24:4F:10:D6:9F:51:BB:78:39:9E:45:3B:5B:DC:F3:7B:E5:71
DirName:/C=ES/O=LCIngenieria/OU=LCCert/CN=ca/[EMAIL PROTECTED]
serial:00
X509v3 Subject Alternative Name:
email:[EMAIL PROTECTED]
X509v3 Issuer Alternative Name:
email:[EMAIL PROTECTED]
Netscape CA Revocation Url:
http/ca.lccert.lcingenieria.com:8002/pub/crl/cacrl.crl
Netscape Revocation Url:
http://ca.lccert.lcingenieria.com:8002/pub/crl/cacrl.crl
X509v3 CRL Distribution Points:
URI:http://ca.lccert.lcingenieria.com:8002/pub/crl/cacrl.crl
Signature Algorithm: sha1WithRSAEncryption
5c:0e:5c:3f:18:97:ad:55:44:51:ae:e3:9f:3e:1c:0f:4f:c5:
e6:ef:46:5e:35:27:fc:b6:48:9e:63:66:9a:a7:ee:51:f0:72:
19:49:c3:cc:84:a1:f4:72:7f:e4:bc:6a:4b:14:b9:6d:23:86:
e7:c2:45:31:59:68:46:35:44:0c:58:87:21:a6:14:b7:51:37:
31:63:38:3d:b5:d1:f9:d5:04:9a:44:a9:2f:17:6c:4b:40:57:
17:e6:2a:f8:0b:4e:47:db:15:73:f5:6c:d0:fb:d1:b5:47:ed:
85:1f:59:b6:6d:2c:ef:57:92:32:90:e3:56:14:e3:14:5e:f6:
ea:09:1c:f5:e7:b6:49:03:45:ac:72:d3:cd:d2:1e:5d:86:ce:
b4:7d:9c:f8:e2:fa:77:10:f7:5f:17:39:88:34:4e:47:5c:ac:
8f:1f:73:86:ea:39:b0:bb:13:60:5e:be:77:fd:7f:c8:16:3a:
ef:61:b4:33:79:e5:90:b5:38:bd:ab:72:22:e6:24:00:b7:bc:
aa:59:38:29:79:f4:a4:4c:b4:bb:d2:3c:b0:52:5e:bc:12:54:
b3:1b:33:b3:7f:b9:78:fa:50:c7:9b:6d:1c:43:8f:f0:0b:e6:
d5:dd:3a:07:2f:94:34:8a:a4:18:aa:f1:d4:cd:5b:de:73:ba:
b4:b4:63:40
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
certs/03.pem: good
This Update: Jul 17 18:16:52 2003 GMT
10: unknown
This Update: Jul 17 18:16:52 2003 GMT
request_openca.der
Description: Binary data
request_openssl.der
Description: Binary data
response_openca.der
Description: Binary data
response_openssl.der
Description: Binary data
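The discrepancy in the post (one responder answering "good" for serial 10, which the CA never issued, the other answering "unknown") is worth checking mechanically, because a responder that reports "good" for serials outside the CA's database gives relying parties no useful revocation signal for certificates it does not know about. The following is an added example, not code from the post, from OpenCA or from OpenSSL: it parses the "Responses:" section of `openssl ocsp -text` output, looks each serial up in an OpenSSL-style `index.txt`, and reports every answer that disagrees with the CA's own records. The two response texts and the index file are constructed for the example, shaped after the output shown above; the function and file names are the example's own.

```python
"""Audit OCSP answers against the CA's own record of issued certificates.

Added example (not code from the post, OpenCA or OpenSSL). It reads the
text that `openssl ocsp -text` prints, takes the status of every serial in
the Responses: section, and compares it with an OpenSSL-style index.txt.
A responder that says "good" for a serial the CA never issued is flagged.
"""

# --- constructed samples, shaped after the output shown in the post ---------

# Responder A: answers "good" for serial 0A, which the CA never issued.
RESPONDER_A_TEXT = """\
OCSP Request Data:
    Requestor List:
        Certificate ID:
            Serial Number: 03
        Certificate ID:
            Serial Number: 0A
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Serial Number: 03
    Cert Status: good
    This Update: Jul 17 18:16:21 2003 GMT
    Certificate ID:
      Hash Algorithm: sha1
      Serial Number: 0A
    Cert Status: good
    This Update: Jul 17 18:16:21 2003 GMT
    Response Extensions:
        OCSP Nonce:
            C97CA5469D5415BAACA8F5EE5A50A77C
Certificate:
    Data:
        Serial Number: 6 (0x6)
"""

# Responder B: the same request, but serial 0A is answered "unknown".
RESPONDER_B_TEXT = RESPONDER_A_TEXT.replace(
    "Serial Number: 0A\n    Cert Status: good",
    "Serial Number: 0A\n    Cert Status: unknown",
)

# Constructed index.txt (OpenSSL CA database): status, expiry, revocation date,
# serial, certificate file, subject, separated by tabs. Serial 0A is absent.
INDEX_TXT = "\n".join([
    "V\t040715202941Z\t\t03\tunknown\t/C=ES/O=LCCert/CN=client03",
    "R\t040715202941Z\t030717100000Z\t05\tunknown\t/C=ES/O=LCCert/CN=client05",
    "V\t040715202941Z\t\t06\tunknown\t/C=ES/O=LCCert/OU=Internet/CN=OCSPResponder",
])


def norm_serial(text: str) -> str:
    """Canonical form of a hex serial: upper case, no leading zeros ('0A' -> 'A')."""
    return text.strip().upper().lstrip("0") or "0"


def parse_index_serials(index_text: str) -> dict:
    """Map each serial in index.txt to its status flag (V valid, R revoked, E expired)."""
    index = {}
    for line in index_text.splitlines():
        fields = line.split("\t")
        if len(fields) >= 4 and fields[0]:
            index[norm_serial(fields[3])] = fields[0]
    return index


def parse_ocsp_text(text: str) -> dict:
    """Map serial -> status for the Responses: section of `openssl ocsp -text` output.

    Only that section is read: "Serial Number:" also appears in the request dump
    and in the responder certificate, and those must not be mistaken for answers.
    """
    statuses, serial, in_responses = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Responses:":
            in_responses = True
            continue
        if not in_responses:
            continue
        if line in ("Response Extensions:", "Certificate:"):
            break  # end of the single responses; what follows is not an answer
        if line.startswith("Serial Number:"):
            serial = norm_serial(line.split(":", 1)[1])
        elif line.startswith("Cert Status:") and serial is not None:
            statuses[serial] = line.split(":", 1)[1].strip()
            serial = None
    return statuses


def expected_status(serial: str, index: dict) -> str:
    """Status the CA's own database implies for a serial (RFC 2560 semantics)."""
    flag = index.get(serial)
    if flag is None:
        return "unknown"  # never issued: the responder has nothing to vouch for
    if flag == "R":
        return "revoked"
    return "good"  # V, or E: OCSP reports revocation, not the validity period


def audit(ocsp_text: str, index_text: str) -> list:
    """Return (serial, answered, expected) for every answer that contradicts index.txt."""
    index = parse_index_serials(index_text)
    return [
        (serial, got, expected_status(serial, index))
        for serial, got in parse_ocsp_text(ocsp_text).items()
        if got != expected_status(serial, index)
    ]


if __name__ == "__main__":
    for name, text in (("responder A", RESPONDER_A_TEXT), ("responder B", RESPONDER_B_TEXT)):
        print(name, "findings:", audit(text, INDEX_TXT) or "none")
```

Run against the samples, responder A is flagged with `('A', 'good', 'unknown')` and responder B produces no findings, which is the behaviour the OpenSSL responder in the post shows. To audit a real deployment, feed the function the text from `openssl ocsp -text` and the CA's actual `index.txt`; any "good" for an unissued serial, or any "good" for an entry marked `R`, is a responder misconfiguration to fix before the service is relied on.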
