> Verified: by default OCSPd 2.1.0 doesn't work with Cisco because of sha256:
> 
> ../VIEW_ROOT/cisco.comp/pki_ssl/src/ca/provider/revoke/ocsp/ocsp.c(2717)
> : E_DIGEST_ALG_NOT_SUPPORTED : message digest algorithms not supported
> 
> However OCSPd is still using sha256 when signing the response:
> 
> [pki_ocsp_resp.c:357]::DEBUG::OCSP RESP SIGN TK::Using Algorithm
> sha256WithRSAEncryption
> 
> Don't know how to workaround this.

Replying to myself...

Attached is a dirty (ugly) patch to the OCSP 2.1.1 source code to force
the reply in sha1 for OCSPd. Better than patching libpki, but not a final
solution.

I looked into the OCSP RFC and it seems that sha1 and sha256 SHALL be
supported, so I will try to open a TAC case with Cisco to get it working
in IOS.


Apart from this patch, all seems to be working fine in OCSP with Cisco.
I will be doing more tests soon.

diff -ur openca-ocspd-2.1.1/src/ocspd/response.c openca-ocspd-2.1.1.patched/src/ocspd/response.c
--- openca-ocspd-2.1.1/src/ocspd/response.c	2011-05-01 07:39:32.000000000 +0200
+++ openca-ocspd-2.1.1.patched/src/ocspd/response.c	2012-04-10 01:28:28.858500687 +0200
@@ -234,6 +234,9 @@
 			PKI_X509_CERT_get_parsed ( tk->cert,
 				PKI_X509_DATA_ALGORITHM ));
 		*/
+
+		/* Quick and dirty patch to force SHA1 in response (Cisco devices needs it) */
+		tk->algor=PKI_ALGOR_get(PKI_ALGOR_RSA_SHA1);
 		
 		PKI_log_debug("Token Algorithm: %s",
 			PKI_ALGOR_get_parsed ( tk->algor ));
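Review bot: `tk->algor=PKI_ALGOR_get(PKI_ALGOR_RSA_SHA1);` unconditionally replaces the token's signing algorithm for every client, so the responder answers with SHA-1 even to peers that handle SHA-256; make this a responder configuration option (or at least a compile-time switch) instead of a hard-coded assignment, and check the return value for NULL before it reaches `PKI_ALGOR_get_parsed ( tk->algor )` on the next line. The comment should also say that the original selection just above (the commented-out `PKI_X509_CERT_get_parsed ( tk->cert, PKI_X509_DATA_ALGORITHM )` block) is being bypassed, and the assignment wants spaces around `=` to match the surrounding style.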
_______________________________________________
Openca-Users mailing list
Openca-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-users
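As an added example (not from this thread and not OCSPd or libpki code), the script below reads a DER-encoded OCSP response and reports its signatureAlgorithm OID, which is how to confirm whether a responder patched as above really answers with sha1WithRSAEncryption instead of the sha256WithRSAEncryption seen in the debug log. It is a minimal DER walker, not a full OCSP parser: it assumes single-byte tags, definite lengths and a successful (status 0) basic response. The `build_dummy_response` helper is a constructed test vector with an empty tbsResponseData and a zero signature, only enough structure to exercise the checker offline; a real response would come from something like `openssl ocsp ... -respout resp.der`.

```python
"""Report the signature algorithm of a DER-encoded OCSP response (RFC 6960).

Added example, not OCSPd code. Assumes single-byte tags, definite lengths
and responseStatus == successful(0); anything else raises ValueError.
"""
import sys

# Algorithm OIDs (RFC 3279 / RFC 4055 / RFC 5758) and id-pkix-ocsp-basic (RFC 6960).
OID_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
OID_PKIX_OCSP_BASIC = "1.3.6.1.5.5.7.48.1.1"


def _encode_len(n):
    if n < 0x80:
        return bytes([n])
    nbytes = (n.bit_length() + 7) // 8
    return bytes([0x80 | nbytes]) + n.to_bytes(nbytes, "big")


def der(tag, body):
    """Wrap body in a DER TLV with a single-byte tag."""
    return bytes([tag]) + _encode_len(len(body)) + body


def encode_oid(dotted):
    """Dotted OID string -> DER content octets (first two arcs packed, base-128 rest)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def _read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    body = buf[pos:pos + length]
    if len(body) != length:
        raise ValueError("truncated DER")
    return tag, body, pos + length


def _children(body):
    kids, pos = [], 0
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        kids.append((tag, inner))
    return kids


def _expect(tlv, tag, what):
    if tlv[0] != tag:
        raise ValueError("expected %s (tag 0x%02x), got 0x%02x" % (what, tag, tlv[0]))
    return tlv[1]


def response_signature_algorithm(der_resp):
    """OCSPResponse -> responseBytes -> BasicOCSPResponse.signatureAlgorithm name."""
    top = _children(_expect(_read_tlv(der_resp, 0)[:2], 0x30, "OCSPResponse"))
    if len(top) < 2:
        raise ValueError("no responseBytes; responseStatus octets %s" % top[0][1].hex())
    if _expect(top[0], 0x0A, "responseStatus") != b"\x00":
        raise ValueError("responseStatus is not successful(0)")
    resp_bytes = _children(_expect(top[1], 0xA0, "[0] responseBytes"))[0]
    rtype, roctets = _children(_expect(resp_bytes, 0x30, "ResponseBytes"))[:2]
    if decode_oid(_expect(rtype, 0x06, "responseType")) != OID_PKIX_OCSP_BASIC:
        raise ValueError("responseType is not id-pkix-ocsp-basic")
    basic = _read_tlv(_expect(roctets, 0x04, "response OCTET STRING"), 0)[:2]
    _tbs, sig_alg, _sig = _children(_expect(basic, 0x30, "BasicOCSPResponse"))[:3]
    alg_oid = _children(_expect(sig_alg, 0x30, "signatureAlgorithm"))[0]
    dotted = decode_oid(_expect(alg_oid, 0x06, "algorithm OID"))
    return OID_NAMES.get(dotted, dotted)


def build_dummy_response(sig_alg_oid):
    """Constructed test vector: empty tbsResponseData and an all-zero signature,
    so it is not a verifiable response, just enough structure for the checker."""
    tbs = der(0x30, b"")
    sig_alg = der(0x30, der(0x06, encode_oid(sig_alg_oid)) + der(0x05, b""))
    signature = der(0x03, b"\x00" * 5)  # BIT STRING, 0 unused bits
    basic = der(0x30, tbs + sig_alg + signature)
    rb = der(0x30, der(0x06, encode_oid(OID_PKIX_OCSP_BASIC)) + der(0x04, basic))
    return der(0x30, der(0x0A, b"\x00") + der(0xA0, rb))


if __name__ == "__main__":
    # Usage: python ocsp_sigalg.py resp.der  (saved with `openssl ocsp ... -respout resp.der`)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) == 2 else \
        build_dummy_response("1.2.840.113549.1.1.11")
    print(response_signature_algorithm(data))
```

Run it against a response captured from the patched responder: the expected output after the patch is `sha1WithRSAEncryption`; an unpatched OCSPd 2.1.x would show `sha256WithRSAEncryption`. Note that this only checks the response signature; the CertID hash algorithm inside each SingleResponse is a separate field and is not inspected here.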