OCSP response handling in /apps/ocsp.c
----------
2014-06-25

The OCSP documentation (https://www.openssl.org/docs/apps/ocsp.html) states:

  "Otherwise the OCSP responder certificate's CA is checked against the
  issuing CA certificate in the request. If there is a match and the
  OCSPSigning extended key usage is present in the OCSP responder
  certificate then the OCSP verify succeeds."

--Assumptions--

The flag '-issuer' in OpenSSL's ocsp application is what the responder
certificate's CA is checked against. The 'responder's certificate's CA'
means the certificate authority that is the issuer of the OCSP signing
certificate.

--What Happens--

When running the command:

  openssl ocsp -no_nonce -issuer <intermediary.cer> -cert <leaf.cer> -CA <root.cer> -url http://<ocsp.url>

validation of the OCSP responder certificate fails unless the issuer's
cert is also in the file containing the root CA cert. The error messages
are:

  Response Verify Failure
  8604:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:.\crypto\ocsp\ocsp_vfy.c:126:Verify error:unable to get local issuer certificate

However, if you specify a -CAfile that includes the same cert from the
'-issuer' flag and the root CA cert that is the root of trust for the
OCSP responder cert, you will get back 'Response verify OK'.

--What Should Happen--

If the certificate provided in the '-issuer' flag matches the CA
certificate referenced in the OCSP responder's issuer field, the OCSP
verify should succeed. There should be no need to chain up to the root in
this case, as it would be a waste of time: that evaluation is already done
on the issuer certificate provided with the '-issuer' flag when evaluating
the chain of the certificate provided by the '-cert' flag, outside of the
OCSP validation process. If the leaf validation fails, there is no need to
validate the OCSP chain; the connection will fail regardless.

However, if anyone feels that the full chain needs to be validated, the
validation procedure should be able to bridge the cert included on the
'-issuer' flag with a single root specified on the '-CA' flag. (It
currently does not.)

-cem

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
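The behaviour described in the post, reproduced end to end as an added example (editor-supplied code, not from the post or the OpenSSL project). The script builds a throwaway root, intermediate, delegated OCSP signer and leaf with the openssl CLI, answers an OCSP request for the leaf offline using the ocsp app's own responder mode (-index/-reqin/-respout, so no network or OCSP URL is needed), and then verifies the resulting response with different trust inputs. The response carries the responder's certificate but not the intermediate, so verifying it with only the root in -CAfile fails with "unable to get local issuer certificate" as the post reports, while -CAfile with root plus intermediate succeeds. Two caveats for practitioners: in the ocsp app -CA selects the responder-mode CA, while the verifier's trust store is -CAfile (the option the post's own success case uses); and OpenSSL 1.1.1 and 3.x add the -verify_other and -issuer certificates to the untrusted set used to build the responder's chain (retrying a failed verify with the -issuer certificates), so on those releases the post's command shape passes with a root-only -CAfile. The script prints those version-dependent cases rather than asserting on them. All file names and subjects are assumptions local to the script.

```shell
#!/bin/sh
# Added example (not from the original post or the OpenSSL project): builds a
# throwaway three-tier PKI, produces an OCSP response for the leaf offline, and
# verifies it with different trust inputs. Names and subjects are assumptions.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

cat > ext.cnf <<'EOF'
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash

[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid

[ v3_ocsp ]
# Delegated responder issued by the same CA as the leaf, carrying the
# OCSPSigning EKU that the documentation quoted in the post requires.
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = OCSPSigning
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# mkcert NAME SUBJECT EXT_SECTION SERIAL [ISSUER]: P-256 key and CSR, signed by
# ISSUER (or self-signed when ISSUER is omitted) with the named extensions.
mkcert() {
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1.key" 2>/dev/null
    openssl req -new -key "$1.key" -subj "$2" -out "$1.csr" 2>/dev/null
    if [ $# -lt 5 ]; then
        openssl x509 -req -in "$1.csr" -signkey "$1.key" -sha256 -days 365 \
            -set_serial "$4" -extfile ext.cnf -extensions "$3" -out "$1.pem" 2>/dev/null
    else
        openssl x509 -req -in "$1.csr" -CA "$5.pem" -CAkey "$5.key" -sha256 -days 365 \
            -set_serial "$4" -extfile ext.cnf -extensions "$3" -out "$1.pem" 2>/dev/null
    fi
}

mkcert root  "/CN=Example Root"         v3_ca   1
mkcert inter "/CN=Example Intermediate" v3_ca   2    root
mkcert ocsp  "/CN=Example OCSP Signer"  v3_ocsp 3    inter
mkcert leaf  "/CN=leaf.example"         v3_leaf 4096 inter
cat root.pem inter.pem > chain.pem

# Responder database in 'openssl ca' index.txt format: one valid ('V') row whose
# hex serial is read back from the leaf so it matches what the responder looks up.
SERIAL=$(openssl x509 -noout -serial -in leaf.pem | sed 's/^serial=//')
printf 'V\t300101000000Z\t\t%s\tunknown\t/CN=leaf.example\n' "$SERIAL" > index.txt

# Client side: build the request for the leaf (-issuer must precede -cert).
openssl ocsp -issuer inter.pem -cert leaf.pem -no_nonce -reqout req.der
# Responder side: answer from index.txt, signing with the delegated responder
# cert. The response includes ocsp.pem but not inter.pem.
openssl ocsp -index index.txt -CA inter.pem -rsigner ocsp.pem -rkey ocsp.key \
    -ndays 1 -reqin req.der -respout resp.der 2>/dev/null

# verify_status OCSP-OPTIONS...: verify resp.der and reduce the output to OK/FAIL.
verify_status() {
    out=$(openssl ocsp -respin resp.der -no_nonce "$@" 2>&1) || true
    case "$out" in
        *"Response verify OK"*) echo OK ;;
        *) echo FAIL ;;
    esac
}

# leaf_status: the certificate status the verified response reports for the leaf.
leaf_status() {
    openssl ocsp -respin resp.der -no_nonce -issuer inter.pem -cert leaf.pem \
        -CAfile chain.pem 2>/dev/null | sed -n 's/^leaf\.pem: //p'
}

echo "response alone, root only in -CAfile:           $(verify_status -CAfile root.pem)"
echo "response alone, root+intermediate in -CAfile:   $(verify_status -CAfile chain.pem)"
echo "root only, intermediate via -verify_other:      $(verify_status -CAfile root.pem -verify_other inter.pem)"
echo "the post's shape (-issuer, root-only -CAfile):  $(verify_status -issuer inter.pem -cert leaf.pem -CAfile root.pem)"
echo "leaf status:                                    $(leaf_status)"
```

The first two lines of output are the stable part: with only root.pem the responder's chain cannot be completed and the verify fails; with chain.pem it passes and the leaf reports "good". A responder can also avoid the problem on the server side by including the intermediate in its responses (the ocsp app's -rother option), which is what a client that only carries the root has to rely on.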