Duplicate of #2206 ?

On 05/09/14 08:35, Mehner, Carl via RT wrote:
OCSP response handling in /apps/ocsp.c

The OCSP Documentation States
"Otherwise the OCSP responder certificate's CA is checked against the issuing CA 
certificate in the request. If there is a match and the OCSPSigning extended key usage is 
present in the OCSP responder certificate then the OCSP verify succeeds."

The flag '-issuer' in openSSL's ocsp application is what the responder's 
certificate's CA is checking against.
The 'responder's certificate's CA' means the certificate authority that is 
issuer of the ocsp signing certificate.

--What Happens--
When running the command:
openssl ocsp -no_nonce -issuer <intermediary.cer> -cert <leaf.cer> -CA <root.cer> 
-url http://<ocsp.url>

Validation of the OCSP responder certificate fails unless the issuer's cert is 
also in the file containing the root CA cert. The error messages are:
Response Verify Failure
8604:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify 
error:.\crypto\ocsp\ocsp_vfy.c:126:Verify error:unable to get local issuer 

However, if you specify a -CAfile that includes the same cert from the 
'-issuer' flag and the root CA cert that is the root of trust for the ocsp 
responder cert, you will get back a 'Response verify OK'

--What Should Happen--
If the certificate provided in the '-issuer' flag matches the CA certificate 
referenced in the OCSP responder's issuer field, the OCSP verify should succeed.

There should be no need to chain up to the root in this case as it would be a 
waste of time since that evaluation is already done on the issuer certificate 
provided with the '-issuer' flag when evaluating the chain of the certificate 
provided by the '-cert' flag outside of the OCSP validation process. If the 
leaf validation fails, there is no need to validate the OCSP chain, the 
connection will fail regardless.

However, if the anyone feels that the full chain needs to be validated, the 
validation procedure should be able to bridge the cert included on the 
'-issuer' flag with a single root specified on the '-CA' flag. (It currently 
does not.)


Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org

Reply via email to