Guillaume Tamboise wrote: [...]
If I read ocsp_response.c correctly, line 148 attempts to set the invalidity date in the OCSP response just because there are extensions in the CRL. It is not looking specifically for the extension "Invalidity Date" in the CRL:
[...]
As a result, OCSP returns a field for "Invalidity Date" but with an empty content. Cisco IOS considers this response as invalid, and here I am (the OpenSSL OCSP client does not seem to care).
You are right; I added the check before adding the extension, which should prevent the invalidity date from being added with an empty value. [...]
BTW, it is too bad that the status that OCSPd returns (REVOKED, unknown or VALID) is only reachable through DEBUG. I definitely have an interest in a configuration flag that would enable logging of REVOKED and/or VALID and/or unknown responses.
I fixed this by reporting the status of a certificate when the verbose is
used (not only in DEBUG mode). I attach the ocsp_response.c modified file,
try it and, if it works properly, we'll make a new fix release for the
OCSP (maybe the 1.1.1).
Let me know,
--
Best Regards,
Massimiliano Pala
--o------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager] [EMAIL PROTECTED]
[EMAIL PROTECTED]
Dartmouth Computer Science Dept Home Phone: +1 (603) 397-3883
PKI/Trust - Office 062 Work Phone: +1 (603) 646-9226
--o------------------------------------------------------------------------
/* src/net/ocsp_response.c
* ============================================================
* OCSP Responder
* (c) 2001 by Massimiliano Pala
* OpenCA released software
* ============================================================
*/
#include "general.h"
#include <openssl/err.h>
#include <openssl/ssl.h>
#include <openssl/txt_db.h>
#include <openssl/x509.h>
// #include <openssl/asn1.h>
#include "support.h"
#include "ocsp_db.h"
#include "ocsp_response.h"
/* External General Variables: logging knobs set elsewhere in the daemon
 * (presumably from the command line / config; confirm where they are defined).
 * Only read in this file, never written. */
extern int debug;
extern int verbose;
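/*
 * Add a REVOKED single response for @entry to @bs.
 *
 * The reasonCode extension of the CRL entry, when present, becomes the
 * revocation reason; the invalidityDate extension is copied into the
 * single response only when the CRL entry really carries one, so the
 * client never sees an invalidityDate field with empty content.
 *
 * @bs      basic response under construction.
 * @cid     certificate id of the request being answered.
 * @entry   the matching CRL entry (non-NULL).
 * @thisupd thisUpdate to report (copied by OCSP_basic_add1_status).
 * @nextupd nextUpdate to report, or NULL.
 */
static void add_revoked_status(OCSP_BASICRESP *bs, OCSP_CERTID *cid,
			       X509_REVOKED *entry,
			       ASN1_GENERALIZEDTIME *thisupd,
			       ASN1_GENERALIZEDTIME *nextupd)
{
	OCSP_SINGLERESP *single = NULL;
	int reason = -1;	/* -1: no reasonCode extension on the CRL entry */

	/* If extensions are found, process them */
	if (entry->extensions) {
		ASN1_ENUMERATED *asn = X509_REVOKED_get_ext_d2i(entry,
					NID_crl_reason, NULL, NULL);
		if (asn != NULL) {
			reason = ASN1_ENUMERATED_get(asn);
			ASN1_ENUMERATED_free(asn);
		}
	}

	single = OCSP_basic_add1_status(bs, cid,
					V_OCSP_CERTSTATUS_REVOKED,
					reason,
					entry->revocationDate,
					thisupd, nextupd);
	if (!single) {
		syslog(LOG_ERR, " %s:%d Error in generating basic response",
		       __FILE__, __LINE__);
		/* nothing to attach the extension to */
		return;
	}

	/* Check and add the invalidity date, only when the CRL entry has one */
	if (entry->extensions) {
		ASN1_GENERALIZEDTIME *inval = X509_REVOKED_get_ext_d2i(entry,
					NID_invalidity_date, NULL, NULL);
		if (inval != NULL) {
			if (!OCSP_SINGLERESP_add1_ext_i2d(single,
					NID_invalidity_date, inval, 0, 0)) {
				syslog(LOG_ERR,
				       " %s:%d Error adding invalidity date",
				       __FILE__, __LINE__);
			}
			/* add1_ext_i2d encodes its own copy; release ours */
			ASN1_GENERALIZEDTIME_free(inval);
		}
	}
}

/*
 * Build the OCSP response for every certificate id carried by @req.
 *
 * @resp  out: the response to return to the client.
 *        SUCCESSFUL (signed basic response) when every id was looked up;
 *        MALFORMEDREQUEST when the request carries no id;
 *        TRYLATER when the CRL of a known CA is not usable;
 *        INTERNALERROR when the basic response could not be allocated or
 *        signed.  May be left NULL if OCSP_response_create() itself fails.
 * @req   the decoded request.
 * @conf  responder configuration: CA list, signing cert/key, digest,
 *        extra certs, signing flags and the nextUpdate policy.
 * @return always 1; the outcome is carried in *resp.
 *
 * Ownership: the basic response and every time value created here are
 * freed before returning; the OCSP_*add1* functions copy what they keep.
 * Per-certificate status is logged via syslog when verbose is set.
 */
int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req,
		       OCSPD_CONFIG *conf)
{
	OCSP_BASICRESP *bs = NULL;
	ASN1_GENERALIZEDTIME *nextupd = NULL;
	int i, id_count, ret = 1;

	id_count = OCSP_request_onereq_count(req);
	if (id_count <= 0) {
		*resp = OCSP_response_create(
			OCSP_RESPONSE_STATUS_MALFORMEDREQUEST, NULL);
		goto end;
	}

	bs = OCSP_BASICRESP_new();
	if (bs == NULL) {
		/* out of memory: answer with an error instead of using NULL below */
		syslog(LOG_ERR, " %s:%d Error allocating basic response",
		       __FILE__, __LINE__);
		*resp = OCSP_response_create(
			OCSP_RESPONSE_STATUS_INTERNALERROR, NULL);
		goto end;
	}

	if (conf->set_nextUpdate)
		nextupd = X509_gmtime_adj(NULL, conf->nmin * 60 +
					  conf->ndays * 3600 * 24);

#ifdef DEBUG
	{
		/* dump the raw request for offline inspection (debug builds only) */
		BIO *derbio = BIO_new_file("/tmp/ocsp_req.der", "wb");
		if (derbio) {
			i2d_OCSP_REQUEST_bio(derbio, req);
			BIO_free(derbio);
		}
	}
#endif

	/* Examine each certificate id in the request */
	for (i = 0; i < id_count; i++) {
		OCSP_ONEREQ *one = OCSP_request_onereq_get0(req, i);
		OCSP_CERTID *cid = OCSP_onereq_get0_id(one);
		ASN1_INTEGER *serial = NULL;
		CA_LIST_ENTRY *ca = NULL;
		X509_REVOKED *entry = NULL;
		ASN1_GENERALIZEDTIME *thisupd = NULL;

		/* Get basic request info */
		OCSP_id_get0_info(NULL, NULL, NULL, &serial, cid);
		/* ASN1_INTEGER_get() yields -1 for serials wider than a long,
		 * so the logged number is informational only */
		if (verbose) {
			syslog(LOG_INFO, "request for certificate serial %ld",
			       ASN1_INTEGER_get(serial));
		}

		/* Is this request about our CA? */
		if ((ca = ocspd_CA_ENTRY_find(conf, cid)) == NULL) {
			ASN1_GENERALIZEDTIME *now = X509_gmtime_adj(NULL, 0);

			if (verbose) {
				syslog(LOG_INFO,
				       "request for non reckognized CA [serial %ld]",
				       ASN1_INTEGER_get(serial));
			}
			OCSP_basic_add1_status(bs, cid,
					       V_OCSP_CERTSTATUS_UNKNOWN, 0, NULL,
					       now, nextupd);
			/* add1_status copies the time, so release ours */
			if (now) ASN1_GENERALIZEDTIME_free(now);
			continue;
		}

		/* The CRL for this CA is not usable: ask the client to retry
		 * rather than answer from stale data */
		if (ca->crl_status != CRL_OK) {
			*resp = OCSP_response_create(
				OCSP_RESPONSE_STATUS_TRYLATER, NULL);
			goto end;
		}

		/* Get the entry from the CRL data, if NULL then the
		   certificate is not revoked */
		entry = ocspd_X509_REVOKED_find(ca, serial);

		/* thisUpdate reflects the loaded CRL; one copy per id,
		 * released at the bottom of this iteration */
		thisupd = M_ASN1_TIME_dup(ca->lastUpdate);

		if (entry) {
			add_revoked_status(bs, cid, entry, thisupd, nextupd);
			if (verbose)
				syslog(LOG_INFO, "Status for %ld is REVOKED",
				       ASN1_INTEGER_get(serial));
		} else {
			if (verbose) {
				syslog(LOG_INFO, "status VALID for %ld",
				       ASN1_INTEGER_get(serial));
			}
			OCSP_basic_add1_status(bs, cid,
					       V_OCSP_CERTSTATUS_GOOD, 0, NULL,
					       thisupd, nextupd);
		}

		if (thisupd) ASN1_GENERALIZEDTIME_free(thisupd);
	}

	OCSP_copy_nonce(bs, req);
	if (!OCSP_basic_sign(bs, conf->ocspd_cert, conf->ocspd_pkey,
			     conf->digest, conf->other_certs, conf->flags)) {
		/* never hand out an unsigned "successful" response */
		syslog(LOG_ERR, " %s:%d Error signing basic response",
		       __FILE__, __LINE__);
		*resp = OCSP_response_create(
			OCSP_RESPONSE_STATUS_INTERNALERROR, NULL);
		goto end;
	}
	/* OCSP_response_create() encodes bs into *resp; bs can be freed below */
	*resp = OCSP_response_create(OCSP_RESPONSE_STATUS_SUCCESSFUL, bs);

end:
	if (nextupd) ASN1_GENERALIZEDTIME_free(nextupd);
	if (bs) OCSP_BASICRESP_free(bs);
	return ret;
}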
